2019-06-03 14:33:00 by Adam Ciarcinski | Files touched by this commit (2)
Log message: py-django: updated to 1.11.21

Django 1.11.21 release notes

CVE-2019-12308: AdminURLFieldWidget XSS

The clickable “Current URL” link generated by AdminURLFieldWidget displayed the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in a clickable JavaScript link.

AdminURLFieldWidget now validates the provided value using URLValidator before displaying the clickable link. You may customise the validator by passing a validator_class kwarg to AdminURLFieldWidget.__init__(), e.g. when using formfield_overrides.
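The following is an added illustration of the defensive pattern the log entry describes (validate a stored value as a URL before rendering it as a clickable link); it is not Django's code and does not use django.core.validators.URLValidator. The `is_safe_url` allowlist validator and the `render_current_url` helper are hypothetical stand-ins for the widget behaviour, built on the standard library only.

```python
"""Added example (not Django's own code): a minimal "Currently:" link
renderer that only links values passing an allowlist URL validator.

The validator below is a hypothetical stand-in for URLValidator, built on
urllib.parse so it runs offline.
"""
import html
from urllib.parse import urlsplit

# Constructed allowlist: schemes a browser should be allowed to navigate to.
ALLOWED_SCHEMES = ("http", "https", "ftp", "ftps")


def is_safe_url(value: str) -> bool:
    """Accept only absolute URLs with an allowlisted scheme and a host part.

    Anything else (relative paths, scheme-only values, non-allowlisted
    schemes such as javascript:) is rejected and will not become a link.
    """
    try:
        parts = urlsplit(value)
    except ValueError:
        # urlsplit raises on malformed IPv6 literals; treat as unsafe.
        return False
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def render_current_url(value: str) -> str:
    """Return the widget fragment for a stored value.

    The value is always HTML-escaped; it is wrapped in an <a> element only
    when it validates, so an unvalidated value is shown as inert text.
    """
    escaped = html.escape(value, quote=True)
    if is_safe_url(value):
        return f'Currently: <a href="{escaped}">{escaped}</a>'
    return f"Currently: {escaped}"


if __name__ == "__main__":
    # Constructed sample values: one valid URL, one scheme that must not link.
    for sample in ("https://example.org/docs", "javascript:alert(1)"):
        print(render_current_url(sample))
```

The key design point is that escaping alone is not sufficient here: a `javascript:` value survives HTML escaping untouched, so the scheme check decides whether the value is linked at all, and the escape only protects against attribute breakout.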
2019-02-12 14:11:56 by Adam Ciarcinski | Files touched by this commit (2)
Log message: py-django: updated to 1.11.20

1.11.20: Bugfixes
Corrected packaging error from 1.11.19

1.11.19: CVE-2019-6975: Memory exhaustion in django.utils.numberformat.format()

If django.utils.numberformat.format() – used by contrib.admin as well as the floatformat, filesizeformat, and intcomma template filters – received a Decimal with a large number of digits or a large exponent, it could lead to significant memory usage due to a call to '{:f}'.format().

To avoid this, decimals with more than 200 digits are now formatted using scientific notation.
2019-01-04 23:07:35 by Adam Ciarcinski | Files touched by this commit (2)
Log message: py-django: updated to 1.11.18

Django 1.11.18 fixes a security issue in 1.11.17.

CVE-2019-3498: Content spoofing possibility in the default 404 page
2018-12-03 19:59:35 by Adam Ciarcinski | Files touched by this commit (5)
Log message: py-django: updated to 1.11.17

Django 1.11.17 fixes several bugs in 1.11.16 and adds compatibility with Python 3.7.

Bugfixes:
Prevented repetitive calls to geos_version_tuple() in the WKBWriter class in an attempt to fix a random crash involving LooseVersion since Django 1.11.14.
2018-10-02 10:06:45 by Adam Ciarcinski | Files touched by this commit (2)
Log message: py-django: updated to 1.11.16

Django 1.11.16:
Fixed a race condition in QuerySet.update_or_create() that could result in data loss.
2018-08-02 16:02:21 by Adam Ciarcinski | Files touched by this commit (2)
Log message: py-django: updated to 1.11.5

1.11.5: Fix CVE-2018-14574: Open redirect possibility in CommonMiddleware

If the CommonMiddleware and the APPEND_SLASH setting are both enabled, and if the project has a URL pattern that accepts any path ending in a slash (many content management systems have such a pattern), then a request to a maliciously crafted URL of that site could lead to a redirect to another site, enabling phishing and other attacks.

CommonMiddleware now escapes leading slashes to prevent redirects to other domains.
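As an added illustration of the mechanism in this log entry (not Django's code, and not CommonMiddleware itself), the snippet below models the APPEND_SLASH redirect with the standard library: a request path beginning with two slashes becomes a protocol-relative Location value, which a browser resolves against a different host, while encoding the second leading slash keeps the redirect on the original site. The helper names, the constructed site and path values, and the specific `/%2F` encoding are assumptions made for this example; the log only states that leading slashes are escaped.

```python
"""Added example (not Django's own code): how an APPEND_SLASH style
redirect can become an open redirect, and how escaping the leading
slashes keeps the Location header on-site.

urljoin() is used to model how a browser resolves a Location value against
the page it was served from; helper names and values are constructed.
"""
from urllib.parse import urljoin


def path_with_slash(path: str) -> str:
    """Append a trailing slash if the request path lacks one (APPEND_SLASH)."""
    return path if path.endswith("/") else path + "/"


def escape_leading_slashes(url: str) -> str:
    """Percent-encode the second of two leading slashes.

    A value starting with "//" is protocol-relative and names a new host;
    "/%2F..." is a plain absolute path on the current host. The exact
    encoding chosen here is an assumption for this example.
    """
    if url.startswith("//"):
        return "/%2F" + url[2:]
    return url


def redirect_target(site: str, request_path: str, hardened: bool) -> str:
    """Return the absolute URL a browser would follow for the redirect.

    site:         the origin that served the response, e.g. "https://good.example/"
    request_path: the raw path component of the incoming request
    hardened:     whether leading slashes are escaped before redirecting
    """
    location = path_with_slash(request_path)
    if hardened:
        location = escape_leading_slashes(location)
    return urljoin(site, location)


def is_same_site(site: str, target: str) -> bool:
    """Detection helper: does the resolved redirect stay on the serving origin?"""
    return target.startswith(site)


if __name__ == "__main__":
    # Constructed inputs: a normal path and a protocol-relative one.
    site = "https://good.example/"
    for path in ("/about", "//other.example"):
        for hardened in (False, True):
            target = redirect_target(site, path, hardened)
            print(f"{path!r:20} hardened={hardened!s:5} -> {target} "
                  f"same_site={is_same_site(site, target)}")
```

The `is_same_site` check is the kind of assertion worth keeping in a test suite for any middleware that builds redirects from request paths: every resolved target should start with the serving origin, regardless of how the incoming path was shaped.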
2018-07-03 08:42:27 by Adam Ciarcinski | Files touched by this commit (3)
Log message: py-django: updated to 1.11.4

Django 1.11.14: Bugfixes:
Fixed WKBWriter.write() and write_hex() for empty polygons on GEOS 3.6.1+.
Fixed a regression in Django 1.10 that could result in large memory usage when making edits using ModelAdmin.list_editable.
2018-05-02 08:28:35 by Adam Ciarcinski | Files touched by this commit (2)
Log message: py-django: updated to 1.11.13

1.11.13: Bugfixes
* Fixed a regression in Django 1.11.8 where altering a field with a unique constraint may drop and rebuild more foreign keys than necessary.
* Fixed crashes in django.contrib.admindocs when a view is a callable object, such as django.contrib.syndication.views.Feed.
* Fixed a regression in Django 1.11.12 where QuerySet.values() or values_list() after combining an annotated and unannotated queryset with union(), difference(), or intersection() crashed due to mismatching columns.
2018-04-03 10:58:32 by Adam Ciarcinski | Files touched by this commit (2)
Log message: py-django: updated to 1.11.12

Django 1.11.12: Bugfixes:
Fixed a regression in Django 1.11.8 where combining two annotated values_list() querysets with union(), difference(), or intersection() crashed due to mismatching columns.
Fixed a regression in Django 1.11 where an empty choice could be initially selected for the SelectMultiple and CheckboxSelectMultiple widgets.
2018-03-06 21:04:06 by Adam Ciarcinski | Files touched by this commit (2)
Log message: py-django: updated to 1.11.11

1.11.11:
CVE-2018-7536: Denial-of-service possibility in urlize and urlizetrunc template filters
CVE-2018-7537: Denial-of-service possibility in truncatechars_html and truncatewords_html template filters