===========================
Django 1.11.5 release notes
===========================

*September 5, 2017*

Django 1.11.5 fixes a security issue and several bugs in 1.11.4.

CVE-2017-12794: Possible XSS in traceback section of technical 500 debug page
=============================================================================

In older versions, HTML autoescaping was disabled in a portion of the template
for the technical 500 debug page. Given the right circumstances, this allowed
a cross-site scripting attack. This vulnerability shouldn't affect most
production sites since you shouldn't run with ``DEBUG = True`` (which makes
this page accessible) in your production settings.
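
To make the escaping point concrete, the following is an added illustration, not Django's own debug view or template engine: a small stand-in for the traceback section of a technical 500 page, rendered once with autoescaping and once with it switched off, so the effect of the disabled autoescape can be seen on constructed input. The function names and the sample frame data are assumptions made for this example.

```python
import html

# Added illustration, not Django's own code: a tiny stand-in for the traceback
# section of a technical 500 page. Exception messages and local variable values
# frequently contain request-derived strings, so the `autoescape` switch decides
# whether that data lands in the page as inert text or as live markup.
PAGE_TEMPLATE = "<h2>{exc_type}: {exc_value}</h2>\n<ul>\n{frames}</ul>"
FRAME_ROW = (
    "<li><code>{function}</code> in {filename}, line {lineno}"
    "<dl>{locals}</dl></li>\n"
)

def _identity(text):
    return text

def render_traceback_section(exc_type, exc_value, frames, autoescape=True):
    """Render the exception header plus one row per frame.

    `frames` is a list of dicts with keys function, filename, lineno and
    locals (a mapping name -> value). autoescape=False reproduces the risky
    pattern of emitting untrusted values as raw HTML.
    """
    esc = html.escape if autoescape else _identity
    rows = []
    for frame in frames:
        local_rows = "".join(
            "<dt>%s</dt><dd>%s</dd>" % (esc(name), esc(repr(value)))
            for name, value in sorted(frame["locals"].items())
        )
        rows.append(FRAME_ROW.format(
            function=esc(frame["function"]),
            filename=esc(frame["filename"]),
            lineno=int(frame["lineno"]),
            locals=local_rows,
        ))
    return PAGE_TEMPLATE.format(
        exc_type=esc(exc_type), exc_value=esc(str(exc_value)),
        frames="".join(rows),
    )

def contains_raw_markup(rendered, marker="<script"):
    """True if the marker survived rendering unescaped (constructed check)."""
    return marker in rendered

if __name__ == "__main__":
    # Constructed sample: a query parameter echoed into an exception message.
    tainted = "<script>alert(1)</script>"
    frames = [{"function": "search", "filename": "views.py", "lineno": 12,
               "locals": {"q": tainted}}]
    for flag in (True, False):
        page = render_traceback_section("ValueError", tainted, frames, flag)
        print("autoescape=%s -> raw markup: %s" % (flag, contains_raw_markup(page)))
```

With autoescaping on, the same input reaches the page only as escaped text, which is the behaviour the fix restores for the affected template portion.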
    
Bugfixes
========

* Fixed GEOS version parsing if the version has a commit hash at the end (new
  in GEOS 3.6.2) (:ticket:`28441`).

* Added compatibility for ``cx_Oracle`` 6 (:ticket:`28498`).

* Fixed select widget rendering when option values are tuples (:ticket:`28502`).

* Django 1.11 inadvertently changed the sequence and trigger naming scheme on
  Oracle. This causes errors on INSERTs for some tables if
  ``'use_returning_into': False`` is in the ``OPTIONS`` part of ``DATABASES``.
  The pre-1.11 naming scheme is now restored. Unfortunately, it necessarily
  requires an update to Oracle tables created with Django 1.11.[1-4]. Use the
  upgrade script in :ticket:`28451` comment 8 to update sequence and trigger
  names to use the pre-1.11 naming scheme.

* Added POST request support to ``LogoutView``, for equivalence with the
  function-based ``logout()`` view (:ticket:`28513`).

* Omitted ``pages_per_range`` from ``BrinIndex.deconstruct()`` if it's ``None``
  (:ticket:`25809`).

* Fixed a regression where ``SelectDateWidget`` localized the years in the
  select box (:ticket:`28530`).

* Fixed a regression in 1.11.4 where ``runserver`` crashed with non-Unicode
  system encodings on Python 2 + Windows (:ticket:`28487`).

* Fixed a regression in Django 1.10 where changes to a ``ManyToManyField``
  weren't logged in the admin change history (:ticket:`27998`) and prevented
  ``ManyToManyField`` initial data in model forms from being affected by
  subsequent model changes (:ticket:`28543`).

* Fixed non-deterministic results or an ``AssertionError`` crash in some
  queries with multiple joins (:ticket:`26522`).

* Fixed a regression in ``contrib.auth``'s ``login()`` and ``logout()`` views
  where they ignored positional arguments (:ticket:`28550`).