Django just released a security update: https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/ Also see bug 777976. We should update ASAP. Given this is a minor version update for us (we are on 1.3.1~ish), I am going to call this a 1pter.
Actually, we were on 1.3.
Also, I think this is in the wrong security group, but I couldn't figure out how to file a websites-security group bug.
Just landed on prod: https://github.com/mozilla/kitsune/commit/bfb0088b324a7272c55c45a64d9ebe3585ce4996
These bugs are all resolved, so I'm removing the security flag from them.