Log message:
py-django: updated to 1.11.24

Django 1.11.24 fixes a regression in 1.11.23.

Bugfixes
Fixed crash of KeyTransform() for JSONField and HStoreField when using on \ 
expressions with params

Log message:
py-django: updated to 1.11.23

Django 1.11.23:
* CVE-2019-14232: Denial-of-service possibility in django.utils.text.Truncator
* CVE-2019-14233: Denial-of-service possibility in strip_tags()
* CVE-2019-14234: SQL injection possibility in key and index lookups for \ 
JSONField/HStoreField
* CVE-2019-14235: Potential memory exhaustion in django.utils.encoding.uri_to_iri()

Log message:
py-django: updated to 1.11.22

Django 1.11.22:
Fix CVE-2019-12781: Incorrect HTTP detection with reverse-proxy connecting via HTTPS

Log message:
py-django: updated to 1.11.21

Django 1.11.21 release notes

CVE-2019-12308: AdminURLFieldWidget XSS

The clickable “Current URL” link generated by AdminURLFieldWidget displayed \ 
the provided value without validating it as a safe URL. Thus, an unvalidated \ 
value stored in the database, or a value provided as a URL query parameter \ 
payload, could result in an clickable JavaScript link.

AdminURLFieldWidget now validates the provided value using URLValidator before \ 
displaying the clickable link. You may customise the validator by passing a \ 
validator_class kwarg to AdminURLFieldWidget.__init__(), e.g. when using \ 
formfield_overrides.

Log message:
py-django: updated to 1.11.20

1.11.20:
Bugfixes
Corrected packaging error from 1.11.19

1.11.19:
CVE-2019-6975: Memory exhaustion in django.utils.numberformat.format()

If django.utils.numberformat.format() – used by contrib.admin as well as the \ 
the floatformat, filesizeformat, and intcomma templates filters – received a \ 
Decimal with a large number of digits or a large exponent, it could lead to \ 
significant memory usage due to a call to '{:f}'.format().

To avoid this, decimals with more than 200 digits are now formatted using \ 
scientific notation.

Log message:
py-django: updated to 1.11.18

Django 1.11.18 fixes a security issue in 1.11.17.
CVE-2019-3498: Content spoofing possibility in the default 404 page

Log message:
py-django: updated to 1.11.17

Django 1.11.17 fixes several bugs in 1.11.16 and adds compatibility with Python 3.7.

Bugfixes:
Prevented repetitive calls to geos_version_tuple() in the WKBWriter class in an \ 
attempt to fix a random crash involving LooseVersion since Django 1.11.14.

Log message:
py-django: updated to 1.11.16

Django 1.11.16:
Fixed a race condition in QuerySet.update_or_create() that could result in data loss

Log message:
py-django: updated to 1.11.5

1.11.5:
Fix CVE-2018-14574: Open redirect possibility in CommonMiddleware

If the CommonMiddleware and the APPEND_SLASH setting are both enabled, and if \ 
the project has a URL pattern that accepts any path ending in a slash (many \ 
content management systems have such a pattern), then a request to a maliciously \ 
crafted URL of that site could lead to a redirect to another site, enabling \ 
phishing and other attacks.

CommonMiddleware now escapes leading slashes to prevent redirects to other domains.

Log message:
py-django: updated to 1.11.4

Django 1.11.14:

Bugfixes:
Fixed WKBWriter.write() and write_hex() for empty polygons on GEOS 3.6.1+.
Fixed a regression in Django 1.10 that could result in large memory usage when \ 
making edits using ModelAdmin.list_editable