I don't see the usual strong admonition to upgrade ASAP. (For example, the December 10 updates said, "All users are encouraged to upgrade Django immediately." This bulletin does not.)
From a quick skim of the 4 fixes, perhaps not all Django sites are at risk. For example, if they are: already checking the 'Host' header or not using it; not using Formsets; not using multiple tiers of admin users; not using Django's XML (de-)serialization.
But, I'm least confident of that last one. Do all Django installs use Django's XML deserialization for something internal/everpresent? Or is this just a risk for users whose apps explicitly do extra XML operations?
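To make the first condition above ("already checking the 'Host' header") concrete, here is an added example, written for this thread rather than taken from Django or from any of the posters. It assumes an allowlist in the style of Django's ALLOWED_HOSTS setting (exact names, or a leading dot for a domain plus its subdomains), plus a hypothetical password-reset link builder, since a reset e-mail that embeds an attacker-supplied Host is the classic reason this check matters. The host names and token in it are constructed.

```python
import re

# Constructed allowlist, modelled on Django's ALLOWED_HOSTS semantics (an
# assumption for this example): exact host, or ".domain" for domain + subdomains.
ALLOWED_HOSTS = ["example.com", ".internal.example.org"]

# Either a DNS-ish name or a bracketed IPv6 literal; anything else is rejected.
_HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[0-9a-f:.]+\])$")


def split_host_port(host_header):
    """Return (host, port) from a raw Host header, or (None, None) if malformed.

    Handles "host", "host:port", "[::1]" and "[::1]:8000". Lower-cases the
    name and strips a trailing dot so "Example.COM." compares as "example.com".
    """
    value = host_header.strip().lower()
    if not value:
        return None, None
    if value.startswith("["):                 # bracketed IPv6 literal
        end = value.find("]")
        if end == -1:
            return None, None
        host, rest = value[:end + 1], value[end + 1:]
    elif value.count(":") == 1:               # plain host:port
        host, rest = value.split(":", 1)
        rest = ":" + rest
    elif ":" in value:                        # unbracketed IPv6 or junk
        return None, None
    else:
        host, rest = value, ""
    port = None
    if rest:
        if not (rest.startswith(":") and rest[1:].isdigit()):
            return None, None
        port = int(rest[1:])
    if not host.startswith("["):
        host = host.rstrip(".")
    if not host or not _HOST_RE.match(host):
        return None, None
    return host, port


def host_is_allowed(host_header, allowed=ALLOWED_HOSTS):
    """True if the Host header names a host on the allowlist.

    Exact match, "*" matches everything, and ".domain" matches the domain
    itself and any subdomain. Malformed values are refused, not guessed at.
    """
    host, _port = split_host_port(host_header)
    if host is None:
        return False
    for pattern in allowed:
        pattern = pattern.lower()
        if pattern == "*" or pattern == host:
            return True
        if pattern.startswith(".") and (host == pattern[1:] or host.endswith(pattern)):
            return True
    return False


def password_reset_url(host_header, token):
    """Hypothetical link builder: absolute reset URL from the request's Host.

    Returns None instead of a URL when the Host is not allowed, so an
    attacker-chosen Host never ends up in the e-mail sent to the victim.
    """
    host, port = split_host_port(host_header)
    if not host_is_allowed(host_header):
        return None
    authority = host if port is None else f"{host}:{port}"
    return f"https://{authority}/reset/{token}/"


if __name__ == "__main__":
    for hdr in ["example.com", "Example.COM:8443", "app.internal.example.org",
                "example.com.attacker.net", "attacker.net", "example.com@attacker.net"]:
        print(f"{hdr!r:35} allowed={host_is_allowed(hdr)}")
```

The point of the suffix check is that "example.com.attacker.net" must fail even though it starts with the allowed name, and the point of refusing malformed values is that the header is attacker-controlled, so any ambiguity in parsing is resolved by rejecting the request rather than by trusting it.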
These aren't "drop everything, take the site down, upgrade now" issues, so yeah we'd like to save the tone for that sort of thing.
... but seriously, please do upgrade as soon as possible! There's really no such thing as a "minor" security issue when it's 2am and you're being woken 'cause the site's down.
No, Django's XML deserialization is not used automatically. It is only used for mass importing objects to the database, which most sites would allow only admin users to do.