November 1, 2011
It was discovered that both Piston and Tastypie share a similar vulnerability with respect to their de-serialization of YAML post data. Both Piston and Tastypie used the yaml.load method, which is unsafe. In certain circumstances this could be used to allow remote execution of arbitrary code. The updated versions, released today, correctly use the yaml.safe_load method, which prevents remote code execution. Servers without the yaml module installed are not affected. Regardless, we recommend that all users of Piston or Tastypie upgrade immediately.
Why are we announcing this here?
It's important to point out that this issue does not affect all users of the Django framework. Piston and Tastypie are third-party modules and are not created by or distributed by the Django core team.
However, we're choosing to publicize this security release here because these modules are in common use on many Django sites. We're hoping that publicizing this fix widely will help protect all Django users.
General notes regarding security
As always, we ask that potential security issues in Django be reported via private email to firstname.lastname@example.org, and not via Django's Trac instance or the django-developers mailing list.
Security issues in third-party modules should be reported to the relevant maintainer(s). When in doubt, we're happy to receive security reports about third-party modules to email@example.com; we can help direct you to the proper venue for the issue.