We've just put out new, unofficial releases of Django 1.6.11 that contain security fixes backported from the latest versions of Django.
The Django project is no longer maintaining Django 1.6.x, as it has end-of-lifed. However, for many reasons, we're currently dependent on this version. As such, we will be maintaining security releases for Django 1.6.x from here on out, in the form of 1.6.11.x releases.
To upgrade to Django 220.127.116.11, you can run:
$ sudo easy_install \ -f http://downloads.reviewboard.org/releases/Django/1.6/ \ Django==18.104.22.168
or, using pip:
$ sudo pip install \ -f https://s3.amazonaws.com/downloads.reviewboard.org/releases/Django/1.6/index.html \ Django==22.214.171.124
Unfortunately, due to restrictions in the design of pip, we will not be able to automatically upgrade to these versions of Django in our upcoming releases of Review Board. It will be up to you to handle this for now. We will announce instructions along with the releases.
For information on what's in this security release, see Django's announcement.
Please note that Django 1.6.x is the last version to support Python 2.6.x, which has also end-of-lifed. We will be dropping support for Python 2.6 in Review Board 2.6, so we recommend moving to Python 2.7 at your earliest convenience.