A bug in Django's AuthenticationMiddleware was discovered and patched after the 0.95 release; this bug can cause apparent "caching" of the value of request.user between requests, possibly resulting in inappropriate access when a user is perceived to be "logged in" as someone else. This was fixed in revision 3754 of Django trunk[1], and that changeset applies cleanly to stock Django 0.95.

Django 0.95.1 has been built on the build servers and awaits signing.

[1] http://code.djangoproject.com/changeset/3754