Subject: CVS commit: pkgsrc/www/py-django
From: Adam Ciarcinski
Date: 2017-09-06 17:19:17
Message id: 20170906151917.DDA70FA97@cvs.NetBSD.org

Log Message:
Django 1.11.5:

CVE-2017-12794: Possible XSS in traceback section of technical 500 debug page

In older versions, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with DEBUG = True (which makes this page accessible) in your production settings.

Bugfixes:

Fixed GEOS version parsing if the version has a commit hash at the end (new in GEOS 3.6.2).
Added compatibility for cx_Oracle 6.
Fixed select widget rendering when option values are tuples.
Django 1.11 inadvertently changed the sequence and trigger naming scheme on Oracle. This causes errors on INSERTs for some tables if 'use_returning_into': False is in the OPTIONS part of DATABASES. The pre-1.11 naming scheme is now restored. Unfortunately, it necessarily requires an update to Oracle tables created with Django 1.11.[1-4]. Use the upgrade script in 28451 comment 8 to update sequence and trigger names to use the pre-1.11 naming scheme.
Added POST request support to LogoutView, for equivalence with the function-based logout() view.
Omitted pages_per_range from BrinIndex.deconstruct() if it's None.
Fixed a regression where SelectDateWidget localized the years in the select box.
Fixed a regression in 1.11.4 where runserver crashed with non-Unicode system encodings on Python 2 + Windows.
Fixed a regression in Django 1.10 where changes to a ManyToManyField weren't logged in the admin change history and prevented ManyToManyField initial data in model forms from being affected by subsequent model changes.
Fixed non-deterministic results or an AssertionError crash in some queries with multiple joins.
Fixed a regression in contrib.auth's login() and logout() views where they ignored positional arguments.

Files:
Revision  Action  File
1.90      modify  pkgsrc/www/py-django/Makefile
1.70      modify  pkgsrc/www/py-django/distinfo
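To make the CVE-2017-12794 note concrete, here is an added example (not code from the commit, from Django, or from pkgsrc) that models the difference between a template section rendered with autoescaping switched off and the same section with the default escaping. The renderer supports only a tiny subset of Django's template syntax, the two template snippets and the exception message are constructed stand-ins for the technical 500 page's traceback section, and html.escape is used as a stand-in for Django's own escape() since both perform the same five substitutions.

```python
import html
import re

# Tokens handled by this minimal renderer: {{ name }}, {% autoescape on|off %}
# and {% endautoescape %}. Everything else is copied through verbatim.
_TOKEN = re.compile(
    r"\{\{\s*(\w+)\s*\}\}"
    r"|\{%\s*autoescape\s+(on|off)\s*%\}"
    r"|\{%\s*endautoescape\s*%\}"
)


def render(template: str, context: dict) -> str:
    """Render a small subset of Django's template language.

    Interpolated values are escaped by default. An {% autoescape off %}
    block disables that for its body, which is the behaviour the pre-1.11.5
    debug page template had for part of its traceback section.
    """
    out, pos, escape_stack = [], 0, [True]
    for m in _TOKEN.finditer(template):
        out.append(template[pos:m.start()])
        pos = m.end()
        var, mode = m.group(1), m.group(2)
        if var is not None:
            value = str(context.get(var, ""))
            out.append(html.escape(value, quote=True) if escape_stack[-1] else value)
        elif mode is not None:
            escape_stack.append(mode == "on")
        elif len(escape_stack) > 1:  # endautoescape: restore the outer mode
            escape_stack.pop()
    out.append(template[pos:])
    return "".join(out)


# Constructed stand-ins for one traceback cell; not Django's actual template text.
VULNERABLE_SNIPPET = "<td>{% autoescape off %}{{ exc_value }}{% endautoescape %}</td>"
FIXED_SNIPPET = "<td>{{ exc_value }}</td>"

# Constructed sample: an exception message that echoes request-controlled input.
SAMPLE_CONTEXT = {"exc_value": "No match for: <b>injected</b>"}


def is_escaped(rendered: str) -> bool:
    """Defender's check: no raw angle brackets survive inside the <td> cell."""
    inner = rendered[len("<td>"):-len("</td>")]
    return "<" not in inner and ">" not in inner


if __name__ == "__main__":
    for name, snippet in (("vulnerable", VULNERABLE_SNIPPET), ("fixed", FIXED_SNIPPET)):
        rendered = render(snippet, SAMPLE_CONTEXT)
        print(f"{name}: {rendered}  escaped={is_escaped(rendered)}")
```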