diff -Nru python-django-1.8.7/debian/changelog python-django-1.8.7/debian/changelog
--- python-django-1.8.7/debian/changelog 2016-09-26 06:31:38.000000000 -0500
+++ python-django-1.8.7/debian/changelog 2016-09-28 14:27:53.000000000 -0500
@@ -1,3 +1,9 @@
+python-django (1.8.7-1ubuntu5.3) xenial; urgency=medium
+
+ * Backport upstream fix for ipv6-formatted ipv4 addresses (LP: #1611923)
+
+ -- Jon Grimm Wed, 28 Sep 2016 14:27:53 -0500
+
 python-django (1.8.7-1ubuntu5.2) xenial-security; urgency=medium

 * SECURITY UPDATE: CSRF protection bypass on a site with Google Analytics
diff -Nru python-django-1.8.7/debian/patches/series python-django-1.8.7/debian/patches/series
--- python-django-1.8.7/debian/patches/series 2016-09-26 06:28:55.000000000 -0500
+++ python-django-1.8.7/debian/patches/series 2016-09-28 14:27:22.000000000 -0500
@@ -7,3 +7,4 @@
 reallow-dashes-in-tld.patch
 CVE-2016-6186.patch
 CVE-2016-7401.patch
+Supported-IPv6-formatted-IPv4-addresses.patch
diff -Nru python-django-1.8.7/debian/patches/Supported-IPv6-formatted-IPv4-addresses.patch python-django-1.8.7/debian/patches/Supported-IPv6-formatted-IPv4-addresses.patch
--- python-django-1.8.7/debian/patches/Supported-IPv6-formatted-IPv4-addresses.patch 1969-12-31 18:00:00.000000000 -0600
+++ python-django-1.8.7/debian/patches/Supported-IPv6-formatted-IPv4-addresses.patch 2016-09-28 14:27:22.000000000 -0500
@@ -0,0 +1,49 @@
+From ff0a5aff4f5eb2f55fa4c45d316084ee4d462d6d Mon Sep 17 00:00:00 2001
+From: Tim Graham
+Date: Thu, 11 Aug 2016 10:41:10 -0400
+Subject: [PATCH] Fixed #27046 -- Supported IPv6-formatted IPv4 addresses in
+ host validation.
+
+Thanks LaMont Jones for the report and patch.
+---
+ django/http/request.py | 2 +-
+ tests/requests/tests.py | 3 ++-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/django/http/request.py b/django/http/request.py
+index 1dedf5d..271ab30 100644
+--- a/django/http/request.py
++++ b/django/http/request.py
+@@ -24,7 +24,7 @@ from django.utils.six.moves.urllib.parse import (
+ )
+
+ RAISE_ERROR = object()
+-host_validation_re = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9:]+\])(:\d+)?$")
++host_validation_re = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9\.:]+\])(:\d+)?$")
+
+
+ class UnreadablePostError(IOError):
+diff --git a/tests/requests/tests.py b/tests/requests/tests.py
+index b015e6d..0465f0a 100644
+--- a/tests/requests/tests.py
++++ b/tests/requests/tests.py
+@@ -589,7 +589,7 @@ class HostValidationTests(SimpleTestCase):
+ ALLOWED_HOSTS=[
+ 'forward.com', 'example.com', 'internal.com', '12.34.56.78',
+ '[2001:19f0:feee::dead:beef:cafe]', 'xn--4ca9at.com',
+- '.multitenant.com', 'INSENSITIVE.com',
++ '.multitenant.com', 'INSENSITIVE.com', '[::ffff:169.254.169.254]',
+ ])
+ def test_http_get_host(self):
+ # Check if X_FORWARDED_HOST is provided.
+@@ -641,6 +641,7 @@ class HostValidationTests(SimpleTestCase):
+ 'insensitive.com',
+ 'example.com.',
+ 'example.com.:80',
++ '[::ffff:169.254.169.254]',
+ ]
+
+ for host in legit_hosts:
+--
+2.9.3
+
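Review bot: The widened class `[a-f0-9\.:]+` in the bracketed branch of `host_validation_re` accepts a dot at any position after the first colon, so a malformed literal such as `[::1.2.3.4.5]` (constructed example) also matches. The pattern is therefore only a character filter, not an address validator. I would say so next to the regex, e.g. `# Lexical pre-filter only; the ALLOWED_HOSTS comparison decides whether a host is accepted.`, assuming the request code outside this hunk still performs that comparison. The test hunks add `[::ffff:169.254.169.254]` only as an allowed, legitimate host; a companion case asserting that a mapped address absent from ALLOWED_HOSTS is rejected would pin the security-relevant side (the test methods start and end outside the hunks). The backslash before the dot is redundant inside a character class and is inconsistent with the unescaped dot in the first branch, `[a-z0-9.-]+`.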