Package: sqlalchemy / 1.2.18+ds1-2
Metadata
Package | Version | Patches format
---|---|---
sqlalchemy | 1.2.18+ds1-2 | 3.0 (quilt)
Patch series
Patch | File delta | Description
---|---|---
0001 drop_notfound_page_from_docs.patch | doc/build/conf.py: 6 lines (3 +, 3 -, 0 !) | drop_notfound_page_from_docs: this makes this package FTBFS with Sphinx 1.6
CVE 2019 7164_and_7548_Illustrate_fix_for_4481_in_terms_of_a_1.2_patch.patch | lib/sqlalchemy/sql/compiler.py: 9 lines (4 +, 5 -, 0 !) | cve-2019-7164 / cve-2019-7548: illustrate fix for #4481 in terms of a 1.2 patch (full patch description below)

Patch description (CVE 2019 7164_and_7548_Illustrate_fix_for_4481_in_terms_of_a_1.2_patch.patch):

cve-2019-7164 / cve-2019-7548: illustrate fix for #4481 in terms of a 1.2 patch

Release 1.2 has decided (so far) not to backport 1.3's fix for #4481 as it is backwards-incompatible with code that relied upon the feature of automatic text coercion in SQL statements. However, for the specific case of order_by() and group_by(), we present a patch that backports the specific change in compiler to have 1.3's behavior for order_by/group_by specifically. This is much more targeted than the 0.9 version of the patch as it takes advantage of 1.0's architecture which runs all order_by() / group_by() through a label lookup that only warns if the label can't be matched.

For an example of an application that was actually impacted by 1.3's change and how they had to change it, see:

https://github.com/ctxis/CAPE/commit/be0482294f5eb30026fe97a967ee5a768d032278

Basically, in the uncommon case an application is actually using the text coercion feature which was generally little-known, within the order_by() and group_by() an error is now raised instead of a warning; the application must instead ensure the SQL fragment is passed within a text() construct. The above application has also been seeing a warning about this since 1.0 which apparently remained unattended.

The patch includes adjustments to the tests that were testing for the warning to now test that an exception is raised. Any distro that wants to patch the specific CVE issue resolved in #4481 to SQLAlchemy 1.0, 1.1 or 1.2 can use this patch.