Upstream support for Django 1.7 ended on December 1, 2015: https://www.djangoproject.com/download/#supported-versions

There are known vulnerabilities (see #576486 and https://docs.djangoproject.com/en/1.9/releases/security/).

I guess Django 1.7 and all packages depending on it should be masked?
At some point maintainers will need to either remove or mask the old versions affected by bug 576876; then all will be handled there.

*** This bug has been marked as a duplicate of bug 576876 ***