A flaw in Piston, a popular REST API framework for Django, was reported [1] in how it handles de-serialization of YAML POST data. It uses the yaml.load method, which is unsafe and in certain circumstances could be used to allow remote execution of arbitrary code. The updated versions of Piston (0.2.3 and 0.2.2.1) correctly use the yaml.safe_load method, which prevents remote code execution. This does not affect Django itself, but any users who have installed and use the django-piston package on Fedora may be vulnerable. The upstream patch [2] is in git.

[1] https://www.djangoproject.com/weblog/2011/nov/01/piston-and-tastypie-security-releases/
[2] https://bitbucket.org/jespern/django-piston/changeset/91bdaec89543
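The fix described above swaps yaml.load for yaml.safe_load. As an added illustration (not Piston's own code), the helper below shows what a hardened YAML body deserializer looks like: safe_load only builds plain Python types and raises ConstructorError on any non-standard tag, which the wrapper turns into a request rejection; the size limit and the mapping check are assumptions added for a typical REST handler.

```python
import yaml
from yaml.constructor import ConstructorError

MAX_BODY_BYTES = 64 * 1024  # assumed upper bound for one request body


class UnsafeYAMLBody(ValueError):
    """Raised when a request body cannot be deserialized safely."""


def load_yaml_body(raw: bytes) -> dict:
    """Deserialize a YAML request body with yaml.safe_load.

    safe_load resolves only the standard YAML types (dict, list, str, int,
    float, bool, None, ...). Tags such as !!python/object, which the unsafe
    yaml.load would turn into arbitrary Python objects, make the SafeLoader
    raise ConstructorError instead, and we refuse the whole request.
    """
    if len(raw) > MAX_BODY_BYTES:
        raise UnsafeYAMLBody("body too large")
    try:
        data = yaml.safe_load(raw.decode("utf-8"))
    except ConstructorError as exc:
        # A tag the SafeLoader has no constructor for: reject, do not fall
        # back to a less strict loader.
        raise UnsafeYAMLBody(f"unsupported YAML tag: {exc.problem}") from exc
    except (yaml.YAMLError, UnicodeDecodeError) as exc:
        raise UnsafeYAMLBody(f"malformed YAML body: {exc}") from exc
    # A REST handler expects request.data to be a mapping of field names to
    # values; anything else (scalar, list) is rejected up front.
    if not isinstance(data, dict):
        raise UnsafeYAMLBody("top-level YAML document must be a mapping")
    return data


# Constructed sample bodies for demonstration.
BENIGN_BODY = b"title: hello\ntags: [a, b]\n"
# A harmless python-specific tag: enough to show that safe_load refuses
# anything outside the standard YAML type set.
TAGGED_BODY = b"title: !!python/name:builtins.len\n"
LIST_BODY = b"- a\n- b\n"
```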
This has been assigned the name CVE-2011-4103: http://www.openwall.com/lists/oss-security/2011/11/01/10
This has been fixed in Fedora/EPEL:

fedora:19/python-django-piston-0.2.3-7.fc19
fedora:20/python-django-piston-0.2.3-8.fc20
fedora:epel:6/django-piston-0.2.3-1.el6
fedora:epel:6/python-django-piston-0.2.3-5.el6