Django 1.6.5 release notes

    Django 1.6.5 fixes two security issues and several bugs in 1.6.4.

    When using Django sessions, Django will set a Vary header to ensure caches do not serve cached data to requests from other sessions. However, older versions of Internet Explorer (most likely only Internet Explorer 6, and Internet Explorer 7 if run on Windows XP or Windows Server 2003) are unable to handle the Vary header in combination with many content types. Therefore, Django would remove the header if the request was made by Internet Explorer.

    The validation for redirects did not correctly validate some malformed URLs, which are accepted by some browsers. This allows a user to be redirected to an unsafe URL unexpectedly.

    To remedy this, the validation in is_safe_url() has been tightened to be able to handle and correctly validate these malformed URLs.
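
The kind of gap described above, as an added example that is not Django's own is_safe_url() code: a loose redirect check beside a tightened one, run over constructed targets. The host name, the function names, and the backslash and empty-host inputs are assumptions chosen to illustrate malformed URLs that a lenient browser may still follow.

```python
from urllib.parse import urlsplit

ALLOWED_HOST = "app.example.com"  # assumed name of the site's own host

def naive_is_safe(url, host=ALLOWED_HOST):
    """Loose check: trusts the parser's view of a possibly malformed URL."""
    netloc = urlsplit(url).netloc
    return not netloc or netloc == host

def strict_is_safe(url, host=ALLOWED_HOST):
    """Tightened check: normalise the way lenient browsers do, then validate."""
    if not url or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in url):
        return False  # empty, or whitespace/control characters
    url = url.replace("\\", "/")  # some browsers read "\" as "/"
    if url.startswith("///"):
        return False  # extra leading slashes still resolve to a host
    try:
        parts = urlsplit(url)
    except ValueError:
        return False  # unparseable, e.g. an unclosed IPv6 bracket
    if parts.scheme and (parts.scheme not in ("http", "https") or not parts.netloc):
        return False  # foreign scheme, or a scheme with no host
    return not parts.netloc or parts.netloc == host

# Constructed redirect targets; the last three are malformed on purpose.
SAMPLES = [
    "/accounts/profile/",
    "https://app.example.com/next",
    "https://other.example.net/",
    "http:\\\\other.example.net",
    "\\\\other.example.net/path",
    "http:///other.example.net",
]

def compare(samples=SAMPLES):
    """Return (url, naive verdict, strict verdict) for each sample."""
    return [(u, naive_is_safe(u), strict_is_safe(u)) for u in samples]

if __name__ == "__main__":
    for url, loose, strict in compare():
        print(f"{url!r:35} naive={loose!s:5} strict={strict}")
```

The three malformed samples parse with an empty host, so the loose check treats them as local paths while the tightened check rejects them.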

    • Fixed pgettext_lazy crash when receiving bytestring content on Python 2 ().
    • Avoided overwriting data fetched by select_related() in certain cases which could cause minor performance regressions (#22508).