|
| 1 | +.. bpo: 29591 |
| 2 | +.. date: 2017-07-11-22-26-48 |
| 3 | +.. nonce: cOeMX- |
| 4 | +.. release date: 2017-07-23 |
| 5 | +.. section: Security |
| 6 | +
|
| 7 | +Update expat copy from 2.1.1 to 2.2.0 to get fixes of CVE-2016-0718 and |
| 8 | +CVE-2016-4472. See https://sourceforge.net/p/expat/bugs/537/ for more |
| 9 | +information. |
| 10 | + |
| 11 | +.. |
| 12 | +
|
| 13 | +.. bpo: 30694 |
| 14 | +.. date: 2017-07-11-22-25-24 |
| 15 | +.. nonce: oOf3Er |
| 16 | +.. section: Security |
| 17 | +
|
| 18 | +Upgrade expat copy from 2.2.0 to 2.2.1 to get fixes of multiple security |
| 19 | +vulnerabilities including: CVE-2017-9233 (External entity infinite loop |
| 20 | +DoS), CVE-2016-9063 (Integer overflow, re-fix), CVE-2016-0718 (Fix |
| 21 | +regression bugs from 2.2.0's fix to CVE-2016-0718) and CVE-2012-0876 |
| 22 | +(Counter hash flooding with SipHash). Note: the CVE-2016-5300 (Use os- |
| 23 | +specific entropy sources like getrandom) doesn't impact Python, since Python |
| 24 | +already gets entropy from the OS to set the expat secret using |
| 25 | +``XML_SetHashSalt()``. |
| 26 | + |
| 27 | +.. |
| 28 | +
|
| 29 | +.. bpo: 26657 |
| 30 | +.. date: 2017-07-11-22-07-03 |
| 31 | +.. nonce: wvpzFD |
| 32 | +.. section: Security |
| 33 | +
|
| 34 | +Fix directory traversal vulnerability with http.server on Windows. This |
| 35 | +fixes a regression that was introduced in 3.3.4rc1 and 3.4.0rc1. Based on |
| 36 | +patch by Philipp Hagemeister. |
| 37 | + |
| 38 | +.. |
| 39 | +
|
| 40 | +.. bpo: 30500 |
| 41 | +.. date: 2017-07-11-22-02-51 |
| 42 | +.. nonce: wXUrkQ |
| 43 | +.. section: Security |
| 44 | +
|
| 45 | +Fix urllib.parse.splithost() to correctly parse fragments. For example, |
| 46 | +``splithost('//127.0.0.1#@evil.com/')`` now correctly returns the |
| 47 | +``127.0.0.1`` host, instead of treating ``@evil.com`` as the host in an |
| 48 | +authentification (``login@host``). |
| 49 | + |
| 50 | +.. |
| 51 | +
|
| 52 | +.. bpo: 30730 |
| 53 | +.. date: 02 |
| 54 | +.. nonce: ZF8XGV |
| 55 | +.. original section: Library |
| 56 | +.. section: Security |
| 57 | +
|
| 58 | +Prevent environment variables injection in subprocess on Windows. Prevent |
| 59 | +passing other invalid environment variables and command arguments. |
| 60 | + |
| 61 | +.. |
| 62 | +
|
| 63 | +.. bpo: 26617 |
| 64 | +.. date: 2017-07-15-13-55-22 |
| 65 | +.. nonce: Gh5LvN |
| 66 | +.. section: Core and Builtins |
| 67 | +
|
| 68 | +Fix crash when GC runs during weakref callbacks. |
| 69 | + |
| 70 | +.. |
| 71 | +
|
| 72 | +.. bpo: 27945 |
| 73 | +.. date: 04 |
| 74 | +.. nonce: p29r3O |
| 75 | +.. section: Core and Builtins |
| 76 | +
|
| 77 | +Fixed various segfaults with dict when input collections are mutated during |
| 78 | +searching, inserting or comparing. Based on patches by Duane Griffin and |
| 79 | +Tim Mitchell. |
| 80 | + |
| 81 | +.. |
| 82 | +
|
| 83 | +.. bpo: 27850 |
| 84 | +.. date: 01 |
| 85 | +.. nonce: kIVQ0m |
| 86 | +.. section: Library |
| 87 | +
|
| 88 | +Remove 3DES from ssl module's default cipher list to counter measure sweet32 |
| 89 | +attack (CVE-2016-2183). |
| 90 | + |
| 91 | +.. |
| 92 | +
|
| 93 | +.. bpo: 25008 |
| 94 | +.. date: 03 |
| 95 | +.. nonce: CeIzyU |
| 96 | +.. section: Documentation |
| 97 | +
|
| 98 | +Document smtpd.py as effectively deprecated and add a pointer to aiosmtpd, a |
| 99 | +third-party asyncio-based replacement. |
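Review bot: the `.. date:` field is inconsistent across the entries in this hunk. bpo 29591, 30694, 26657 and 30500 carry full `YYYY-MM-DD-HH-MM-SS` timestamps (e.g. `2017-07-11-22-26-48`), while bpo 30730, 27945, 27850 and 25008 have only `02`, `04`, `01` and `03`; suggest giving those four the same timestamp format so all blurbs in the file follow one convention. Two wording nits in the entry text: in bpo 30500, `authentification (``login@host``)` should read `authentication (``login@host``)`, and in bpo 27850, `to counter measure sweet32 attack (CVE-2016-2183)` reads better as `as a countermeasure against the Sweet32 attack (CVE-2016-2183)`.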