Django 1.3.6, Django 1.4.4, and Django 1.5 RC 2 have been released today in order to address a number of security holes reported to the Django team over the past period.

The first issue is a host header poisoning that could be exploited by an attacker to cause Django to generate and display links that point to arbitrary domains. A new setting, ALLOWED_HOSTS, has been introduced to address this vulnerability, which could be leveraged for phishing attacks.
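To show what the ALLOWED_HOSTS allowlist does with an incoming Host header, here is an added example, written for this article rather than taken from Django's code, that implements the documented matching rules (exact names, a leading-dot entry covering a domain and its subdomains, and "*" for anything) and rejects malformed header values before the allowlist is consulted. All host names and allowlist values below are constructed.

```python
"""Allowlist check for the HTTP Host header.

Added example, not Django's own implementation: it follows the matching rules
documented for the ALLOWED_HOSTS setting so the check can be run stand-alone.
"""
import re

# host[:port] or an IPv6 literal [..][:port]; anything else (spaces, angle
# brackets, slashes) is rejected outright, since such a value can only come
# from a forged or broken client.
_HOST_RE = re.compile(r"^(?:[a-z0-9.-]+|\[[a-f0-9:.]+\])(?::\d+)?$")


def split_host_port(header_value):
    """Return (host, port) from a Host header value, lower-cased.

    Raises ValueError when the value does not look like a host name at all.
    """
    value = header_value.strip().lower()
    if not _HOST_RE.match(value):
        raise ValueError("malformed Host header: %r" % header_value)
    if value.startswith("["):
        # IPv6 literal: keep the brackets as part of the host.
        host, _, rest = value.partition("]")
        host += "]"
        port = rest[1:] if rest.startswith(":") else ""
    else:
        host, _, port = value.partition(":")
    return host, port


def host_allowed(host, allowed_hosts):
    """Match a host name against ALLOWED_HOSTS-style patterns.

    "*" matches any host, ".example.com" matches example.com and every
    subdomain of it, and any other entry must match exactly (case-insensitive).
    """
    host = host.lower()
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*":
            return True
        if pattern.startswith("."):
            if host == pattern[1:] or host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False


def validate_host_header(header_value, allowed_hosts):
    """True when the header is well-formed and its host is on the allowlist."""
    try:
        host, _port = split_host_port(header_value)
    except ValueError:
        return False
    return host_allowed(host, allowed_hosts)


if __name__ == "__main__":
    # Constructed sample: a site that only serves example.com and its subdomains.
    allowed = [".example.com"]
    for value in ("www.example.com:8000", "attacker.test", "evil-example.com"):
        print(value, "->", validate_host_header(value, allowed))
```

The weak configuration is the wildcard entry `["*"]`, which accepts every host and therefore reintroduces the poisoning problem; the hardened form lists only the names the site actually serves. Note that `evil-example.com` is rejected by the `.example.com` entry because the suffix test looks for the dot, not just the bare domain string.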
The second vulnerability can be exploited by cybercriminals to cause a denial-of-service (DoS) attack by abusing the tracking of the number of forms in a formset.
In addition, Django’s serialization framework was vulnerable to attacks via XML entity expansion and external references.
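The entity-expansion and external-reference problems both depend on the parser honouring a DTD inside untrusted input. As an added example, not Django's own fix, the following uses the standard-library expat parser and aborts as soon as a DOCTYPE, an entity declaration, or an external entity reference appears, so that only plain element data from untrusted XML is ever processed. The sample documents are constructed inline.

```python
"""Parse untrusted XML while refusing DTDs, entities and external references.

Added example, not Django's serialization code: the expat handlers below raise
on exactly the constructs that entity-expansion and external-entity attacks
rely on, so the document is rejected before any expansion happens.
"""
import xml.parsers.expat


class ForbiddenXML(Exception):
    """Raised when untrusted input contains a DTD, entity or external reference."""


def _forbid_doctype(name, sysid, pubid, has_internal_subset):
    raise ForbiddenXML("DOCTYPE declarations are not allowed (%r)" % name)


def _forbid_entity(entity_name, is_parameter_entity, value, base,
                   sysid, pubid, notation_name):
    raise ForbiddenXML("entity declaration %r is not allowed" % entity_name)


def _forbid_external(context, base, sysid, pubid):
    raise ForbiddenXML("external entity reference %r is not allowed" % sysid)


def parse_untrusted_xml(data):
    """Return the element names in document order, or raise ForbiddenXML."""
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _forbid_doctype
    parser.EntityDeclHandler = _forbid_entity
    parser.ExternalEntityRefHandler = _forbid_external
    elements = []
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.Parse(data, True)
    return elements


def is_safe(data):
    """True when the document parses without triggering any forbidden construct."""
    try:
        parse_untrusted_xml(data)
    except ForbiddenXML:
        return False
    return True


# Constructed samples: a plain document, and one that declares an internal
# entity inside a DOCTYPE (the building block of expansion attacks).
PLAIN_DOC = '<?xml version="1.0"?><root><item/><item/></root>'
DTD_DOC = ('<?xml version="1.0"?>'
           '<!DOCTYPE root [<!ENTITY e "x">]>'
           '<root>&e;</root>')

if __name__ == "__main__":
    print("plain document accepted:", is_safe(PLAIN_DOC))
    print("document with DTD accepted:", is_safe(DTD_DOC))
```

Because the DOCTYPE handler fires before any entity inside the DTD is declared, the entity and external-reference handlers are a second line of defence rather than the primary check; keeping all three means the rejection does not depend on which construct the parser reports first.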
Finally, experts found that an attacker could gain access to hidden information via the history log by leveraging a bug in the admin interface.
Users are advised to update their installations as soon as possible.
Django is available for download here.