Today the Django team is issuing multiple releases
-- Django 1.2.4, Django 1.1.3 and Django 1.3 beta 1 --
to remedy two security issues reported to us. All users
of affected versions of Django are urged to upgrade
immediately.
Information leakage in Django administrative interface
The Django administrative interface, django.contrib.admin
supports filtering of displayed lists of objects by fields
on the corresponding models, including across database-level
relationships. This is implemented by passing lookup arguments
in the querystring portion of the URL, and options on the
ModelAdmin class allow developers to specify particular
fields or relationships which will generate automatic links
for filtering.
Denial-of-service attack in password-reset mechanism
Django's bundled authentication framework,
django.contrib.auth, offers views which allow users to
reset a forgotten password. The reset mechanism involves
generating a one-time token composed from the user's ID,
the timestamp of the reset request converted to a base36
integer, and a hash derived from the user's current password
hash (which will change once the reset is complete, thus
invalidating the token).