Proving the need to upgrade Django
I use Django a good deal and I did need to migrate 1.6 to 1.7 (although it was some 2-3 years ago). During that time the most important difference in terms of security was django.contrib.messages
, which was not aware of HTTPS only cookies in Django 1.6. In other words, if you had something like:
MESSAGE_STORAGE = 'django.contrib.messages.storage.cookie.CookieStorage'
Instead of session storage, and the website was configured to send cookies only for HTTPS connections, then those cookies would be sent over plain HTTP anyway.
Extra note:
The Django release process states that once a version 2 numbers higher is released the security patches for a version cease, unless the given version is a LTS (long time support version). Therefore Django 1.7 is not receiving any security updates anymore since Django 1.9 (and even Django 1.10) has been released.
You should aim to upgrade to Django 1.8 since it is an LTS version of Django. Which will receive security updates 'till April 2018.
Not every framework upgrade is because of security, but if a version is no longer supported, this also impies there will be no bug/hot-fixes. That should be an important reason to upgrade regardless of the 'better' features in newer releases.
Update
As a counter argument, one could say the increase in functionality enlarges the attack surface, or introduce new bugs.
CVE-2016-9013 and CVE-2015-5145 make the Django environment you're running susceptible to a denial of service attack and to information compromise; so poses a formidable information security risk.
With Django 1.6.11 not receiving any security updates anymore there is no way to mitigate these risks (and other risks not mentioned here).