From the upstream advisory at $URL: "Piston and Tastypie, two popular REST API frameworks for Django, today issued security releases for a remote code execution vulnerability. Users of these frameworks should upgrade immediately. Users of Piston should upgrade to version 0.2.3 or 0.2.2.1; Tastypie users should upgrade to version 0.9.10. Details It was discovered that both Piston and Tastypie share a similar vulnerability with respect to their de-serialization of YAML post data. Both Piston and Tastypie used the yaml.load method, which is unsafe. In certain circumstances this could be used to allow remote execution of arbitrary code. The updated versions, released today, correctly use the yaml.safe_load method, which prevents remote code execution. Servers without the yaml module installed are not affected. Regardless, we recommend that all users of Piston or Tastypie upgrade immediately."
dev-python/django-piston-0.2.3 is now in the tree.
Thanks, Mike. Closing noglsa for ~arch only package.
