AFAIK the XML entity expansion attacks are DoS-only, but the other fixed vulnerability (external entities) may be usable in some cases to gain information about local files (again, presuming Django's XML model deserializer is exposed to untrusted input, which it is not by default and should not be). I'm working on updating the announcement and release notes to characterize that more accurately.