A flaw in Piston, a popular REST API framework for Django, was reported in how it handles deserialization of YAML POST data. It uses the yaml.load method, which is unsafe and in certain circumstances could be used to allow remote execution of arbitrary code. The updated versions of Piston (0.2.3 and 0.2.2.1) correctly use the yaml.safe_load method, which prevents remote code execution.
This does not affect Django itself, but any users who have installed and use the django-piston package on Fedora may be vulnerable.
The upstream patch is in git.
This has been assigned the name CVE-2011-4103:
This has been fixed in Fedora/EPEL: