===========================Django 1.9.13 release notes===========================*April 4, 2017*Django 1.9.13 fixes two security issues and a bug in 1.9.12. This is the finalrelease of the 1.9.x series.CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs============================================================================================Django relies on user input in some cases (e.g.``django.contrib.auth.views.login()`` and :doc:`i18n </topics/i18n/index>`)to redirect the user to an "on success" URL. The security check for theseredirects (namely ``django.utils.http.is_safe_url()``) considered some numericURLs (e.g. ``http:999999999``) "safe" when they shouldn't be.Also, if a developer relies on ``is_safe_url()`` to provide safe redirecttargets and puts such a URL into a link, they could suffer from an XSS attack.CVE-2017-7234: Open redirect vulnerability in ``django.views.static.serve()``=============================================================================A maliciously crafted URL to a Django site using the:func:`~django.views.static.serve` view could redirect to any other domain. Theview no longer does any redirects as they don't provide any known, usefulfunctionality.Note, however, that this view has always carried a warning that it is nothardened for production use and should be used only as a development aid.Bugfixes========* Fixed a regression in the ``timesince`` and ``timeuntil`` filters that causedincorrect results for dates in a leap year (:ticket:`27637`).