2018-02-02 08:55:34 by Adam Ciarcinski | Files touched by this commit (2) | |
Log message:
py-django: updated to 1.11.10
1.11.10:
CVE-2018-6188: Information leakage in AuthenticationForm
A regression in Django 1.11.8 made AuthenticationForm run its \
confirm_login_allowed() method even if an incorrect password is entered. This \
can leak information about a user, depending on what messages \
confirm_login_allowed() raises. If confirm_login_allowed() isn’t overridden, \
an attacker can enter an arbitrary username and see if that user has been set to \
is_active=False. If confirm_login_allowed() is overridden, more sensitive \
details could be leaked.
This issue is fixed with the caveat that AuthenticationForm can no longer raise \
the “This account is inactive.” error if the authentication backend rejects \
inactive users (the default authentication backend, ModelBackend, has done that \
since Django 1.10). This issue will be revisited for Django 2.1 as a fix to \
address the caveat will likely be too invasive for inclusion in older versions.
Bugfixes:
Fixed incorrect foreign key nullification if a model has two foreign keys to the \
same model and a target model is deleted.
Fixed a regression where contrib.auth.authenticate() crashes if an \
authentication backend doesn’t accept request and a later one does.
Fixed crash when entering an invalid uuid in ModelAdmin.raw_id_fields
|
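The check order behind CVE-2018-6188, as an added example that is not part of the log message or Django's source: a simplified pure-Python model of the regressed and fixed flows. The sample accounts, error codes and the names `clean_regressed`, `clean_fixed` and `distinguishable` are assumptions made for illustration.

```python
# Added example: simplified model of the login check order, not Django's code.
from dataclasses import dataclass

INVALID, INACTIVE = "invalid_login", "inactive"  # assumed error codes


@dataclass
class User:
    username: str
    password: str  # plaintext only because this is a constructed toy record
    is_active: bool = True


# Constructed sample accounts.
USERS = {u.username: u for u in (User("alice", "correct-horse"),
                                 User("bob", "battery-staple", is_active=False))}


def authenticate(username, password):
    """Backend that rejects inactive users, as ModelBackend does since 1.10."""
    user = USERS.get(username)
    ok = user is not None and user.password == password and user.is_active
    return user if ok else None


def confirm_login_allowed(user):
    """Default policy: only the is_active flag is checked."""
    return None if user.is_active else INACTIVE


def clean_regressed(username, password):
    """Policy check runs on a username-only lookup after a failed password."""
    user = authenticate(username, password)
    if user is None:
        candidate = USERS.get(username)
        if candidate is not None and confirm_login_allowed(candidate):
            return INACTIVE
        return INVALID
    return confirm_login_allowed(user)


def clean_fixed(username, password):
    """Policy check runs only for a user the backend has authenticated."""
    user = authenticate(username, password)
    return INVALID if user is None else confirm_login_allowed(user)


def distinguishable(clean, wrong_password="not-the-password"):
    """True if wrong-password errors differ between usernames (a leak)."""
    names = list(USERS) + ["nobody"]
    return len({clean(name, wrong_password) for name in names}) > 1
```

`clean_fixed("bob", "battery-staple")` returns the generic error even with the correct password, which is the caveat the log message describes for backends that reject inactive users.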
2018-01-03 08:23:45 by Adam Ciarcinski | Files touched by this commit (2) | |
Log message:
py-django: updated to 1.11.9
Bugfixes:
Fixed a regression in Django 1.11 that added newlines between MultiWidget’s \
subwidgets.
Fixed incorrect class-based model index name generation for models with quoted \
db_table.
Fixed incorrect foreign key constraint name for models with quoted db_table.
Fixed a regression in caching of a GenericForeignKey when the referenced model \
instance uses more than one level of multi-table inheritance.
|
2017-12-25 10:18:24 by Adam Ciarcinski | Files touched by this commit (1) |
Log message:
REPLACE_PYTHON does not need WRKSRC
|
2017-12-04 15:23:00 by Adam Ciarcinski | Files touched by this commit (3) | |
Log message:
py-django: updated to 1.11.8
Django 1.11.8 fixes several bugs in 1.11.7:
* Reallowed, following a regression in Django 1.10, AuthenticationForm to raise \
the inactive user error when using ModelBackend.
* Added support for QuerySet.values() and values_list() for union(), \
difference(), and intersection() queries.
* Fixed incorrect index name truncation when using a namespaced db_table.
* Made QuerySet.iterator() use server-side cursors on PostgreSQL after values() \
and values_list().
* Fixed crash on SQLite and MySQL when ordering by a filtered subquery that uses \
nulls_first or nulls_last.
* Made query lookups for CICharField, CIEmailField, and CITextField use a citext \
cast.
* Fixed a regression in caching of a GenericForeignKey when the referenced model \
instance uses multi-table inheritance.
* Fixed “Cannot change column ‘x’: used in a foreign key constraint” \
crash on MySQL with a sequence of AlterField and/or RenameField operations in a \
migration
|
2017-11-02 10:38:43 by Adam Ciarcinski | Files touched by this commit (2) | |
Log message:
py-django: updated to 1.11.7
1.11.7:
Bugfixes
* Prevented cache.get_or_set() from caching None if the default argument is a \
callable that returns None.
* Fixed the Basque DATE_FORMAT string.
* Made QuerySet.reverse() affect nulls_first and nulls_last.
* Fixed unquoted table names in Subquery SQL when using OuterRef
|
2017-10-06 10:52:59 by Adam Ciarcinski | Files touched by this commit (2) | |
Log message:
py-django: update to 1.11.6
Bugfixes:
* Made the CharField form field convert whitespace-only values to the \
empty_value when strip is enabled.
* Fixed crash when using the name of a model’s autogenerated primary key (id) \
in an Index’s fields.
* Fixed a regression in Django 1.9 where a custom view error handler such as \
handler404 that accesses csrf_token could cause CSRF verification failures on \
other pages
|
2017-09-06 17:19:17 by Adam Ciarcinski | Files touched by this commit (2) | |
Log message:
Django 1.11.5:
CVE-2017-12794: Possible XSS in traceback section of technical 500 debug page
In older versions, HTML autoescaping was disabled in a portion of the template \
for the technical 500 debug page. Given the right circumstances, this allowed a \
cross-site scripting attack. This vulnerability shouldn’t affect most \
production sites since you shouldn’t run with DEBUG = True (which makes this \
page accessible) in your production settings.
Bugfixes:
Fixed GEOS version parsing if the version has a commit hash at the end (new in \
GEOS 3.6.2).
Added compatibility for cx_Oracle 6.
Fixed select widget rendering when option values are tuples.
Django 1.11 inadvertently changed the sequence and trigger naming scheme on \
Oracle. This causes errors on INSERTs for some tables if 'use_returning_into': \
False is in the OPTIONS part of DATABASES. The pre-1.11 naming scheme is now \
restored. Unfortunately, it necessarily requires an update to Oracle tables \
created with Django 1.11.[1-4]. Use the upgrade script in 28451 comment 8 to \
update sequence and trigger names to use the pre-1.11 naming scheme.
Added POST request support to LogoutView, for equivalence with the \
function-based logout() view.
Omitted pages_per_range from BrinIndex.deconstruct() if it’s None.
Fixed a regression where SelectDateWidget localized the years in the select box.
Fixed a regression in 1.11.4 where runserver crashed with non-Unicode system \
encodings on Python 2 + Windows.
Fixed a regression in Django 1.10 where changes to a ManyToManyField weren’t \
logged in the admin change history and prevented ManyToManyField initial data in \
model forms from being affected by subsequent model changes.
Fixed non-deterministic results or an AssertionError crash in some queries with \
multiple joins.
Fixed a regression in contrib.auth’s login() and logout() views where they \
ignored positional arguments
|
2017-09-04 20:08:31 by Thomas Klausner | Files touched by this commit (163) |
Log message:
Follow some redirects.
|
2017-08-02 12:45:09 by Adam Ciarcinski | Files touched by this commit (2) |
Log message:
Django 1.11.4:
Bugfixes:
Fixed a regression in 1.11.3 on Python 2 where non-ASCII format values for \
date/time widgets results in an empty value in the widget’s HTML.
Fixed QuerySet.union() and difference() when combining with a queryset raising \
EmptyResultSet.
Fixed a regression in pickling of LazyObject on Python 2 when the wrapped object \
doesn’t have __reduce__().
Fixed crash in runserver’s autoreload with Python 2 on Windows with non-str \
environment variables.
Corrected Field.has_changed() to return False for disabled form fields: \
BooleanField, MultipleChoiceField, MultiValueField, FileField, ModelChoiceField, \
and ModelMultipleChoiceField.
Fixed QuerySet.count() for union(), difference(), and intersection() queries.
Fixed ClearableFileInput rendering as a subwidget of MultiWidget. Custom \
clearable_file_input.html widget templates will need to adapt for the fact that \
context values checkbox_name, checkbox_id, is_initial, input_text, initial_text, \
and clear_checkbox_label are now attributes of widget rather than appearing in \
the top-level context.
Fixed queryset crash when using a GenericRelation to a proxy model
|
2017-07-03 13:10:41 by Adam Ciarcinski | Files touched by this commit (2) |
Log message:
Changes 1.11.3:
Bugfixes
Removed an incorrect deprecation warning about a missing renderer argument if a \
Widget.render() method accepts **kwargs.
Fixed a regression causing Model.__init__() to crash if a field has an instance \
only descriptor.
Fixed an incorrect DisallowedModelAdminLookup exception when using a nested \
reverse relation in list_filter.
Fixed admin’s FieldListFilter.get_queryset() crash on invalid input.
Fixed invalid HTML for a required AdminFileWidget.
Fixed model initialization to set the name of class-based model indexes for \
models that only inherit models.Model.
Fixed crash in admin’s inlines when a model has an inherited non-editable \
primary key.
Fixed QuerySet.union(), intersection(), and difference() when combining with an \
EmptyQuerySet.
Prevented Paginator’s unordered object list warning from evaluating a QuerySet.
Fixed the value of redirect_field_name in LoginView’s template context. \
It’s now an empty string (as it is for the original function-based login() \
view) if the corresponding parameter isn’t sent in a request (in \
particular, when the login page is accessed directly).
Prevented attribute values in the django/forms/widgets/attrs.html template from \
being localized so that numeric attributes (e.g. max and min) of NumberInput \
work correctly.
Removed casting of the option value to a string in the template context of the \
CheckboxSelectMultiple, NullBooleanSelect, RadioSelect, SelectMultiple, and \
Select widgets. In Django 1.11.1, casting was added in Python to avoid \
localization of numeric values in Django templates, but this made some use cases \
more difficult. Casting is now done in the template using the |stringformat:'s' \
filter.
Prevented a primary key alteration from adding a foreign key constraint if \
db_constraint=False.
Fixed UnboundLocalError crash in RenameField with nonexistent field.
Fixed a regression preventing a model field’s limit_choices_to from being \
evaluated when a ModelForm is instantiated.
|