Merge branch '3.3' into backport-d174d24-3.3

python · ned-deily · Jul 19, 2017 · Jun 23, 2017 · Jul 1, 2017 · Jul 12, 2017
commit b1e2f00946795941d13f6d00f0e1d421273131a7
diff --git a/Misc/NEWS b/Misc/NEWS
@@ -38,6 +38,22 @@ Library
 - [Security] bpo-30730: Prevent environment variables injection in subprocess on
   Windows.  Prevent passing other invalid environment variables and command arguments.
 
+- [Security] bpo-30585: Fix TLS stripping vulnerability in smptlib,
+  CVE-2016-0772.  Reported by Team Oststrom
+
+- [Security] bpo-30694: Upgrade expat copy from 2.2.0 to 2.2.1 to get fixes
+  of multiple security vulnerabilities including: CVE-2017-9233 (External
+  entity infinite loop DoS), CVE-2016-9063 (Integer overflow, re-fix),
+  CVE-2016-0718 (Fix regression bugs from 2.2.0's fix to CVE-2016-0718)
+  and CVE-2012-0876 (Counter hash flooding with SipHash).
+  Note: the CVE-2016-5300 (Use os-specific entropy sources like getrandom)
+  doesn't impact Python, since Python already gets entropy from the OS to set
+  the expat secret using ``XML_SetHashSalt()``.
+
+- [Security] bpo-29591: Update expat copy from 2.1.0 to 2.2.0 to get fixes
+  of CVE-2016-0718 and CVE-2016-4472. See
+  https://sourceforge.net/p/expat/bugs/537/ for more information.
+
 - Issue #28563: Fixed possible DoS and arbitrary code execution when handle
   plural form selections in the gettext module.  The expression parser now
   supports exact syntax supported by GNU gettext.