|
| 1 | +.. bpo: 38945 |
| 2 | +.. date: 2019-12-01-22-44-40 |
| 3 | +.. nonce: ztmNXc |
| 4 | +.. release date: 2019-12-11 |
| 5 | +.. section: Security |
| 6 | +
|
| 7 | +Newline characters have been escaped when performing uu encoding to prevent |
| 8 | +them from overflowing into to content section of the encoded file. This |
| 9 | +prevents malicious or accidental modification of data during the decoding |
| 10 | +process. |
| 11 | + |
| 12 | +.. |
| 13 | +
|
| 14 | +.. bpo: 37228 |
| 15 | +.. date: 2019-11-21-21-36-54 |
| 16 | +.. nonce: yBZnFG |
| 17 | +.. section: Security |
| 18 | +
|
| 19 | +Due to significant security concerns, the *reuse_address* parameter of |
| 20 | +:meth:`asyncio.loop.create_datagram_endpoint` is no longer supported. This |
| 21 | +is because of the behavior of ``SO_REUSEADDR`` in UDP. For more details, see |
| 22 | +the documentation for ``loop.create_datagram_endpoint()``. (Contributed by |
| 23 | +Kyle Stanley, Antoine Pitrou, and Yury Selivanov in :issue:`37228`.) |
| 24 | + |
| 25 | +.. |
| 26 | +
|
| 27 | +.. bpo: 38804 |
| 28 | +.. date: 2019-11-15-00-54-42 |
| 29 | +.. nonce: vjbM8V |
| 30 | +.. section: Security |
| 31 | +
|
| 32 | +Fixes a ReDoS vulnerability in :mod:`http.cookiejar`. Patch by Ben Caller. |
| 33 | + |
| 34 | +.. |
| 35 | +
|
| 36 | +.. bpo: 38243 |
| 37 | +.. date: 2019-09-25-13-21-09 |
| 38 | +.. nonce: 1pfz24 |
| 39 | +.. section: Security |
| 40 | +
|
| 41 | +Escape the server title of :class:`xmlrpc.server.DocXMLRPCServer` when |
| 42 | +rendering the document page as HTML. (Contributed by Dong-hee Na in |
| 43 | +:issue:`38243`.) |
| 44 | + |
| 45 | +.. |
| 46 | +
|
| 47 | +.. bpo: 38174 |
| 48 | +.. date: 2019-09-23-21-02-46 |
| 49 | +.. nonce: MeWuJd |
| 50 | +.. section: Security |
| 51 | +
|
| 52 | +Update vendorized expat library version to 2.2.8, which resolves |
| 53 | +CVE-2019-15903. |
| 54 | + |
| 55 | +.. |
| 56 | +
|
| 57 | +.. bpo: 37461 |
| 58 | +.. date: 2019-07-16-08-11-00 |
| 59 | +.. nonce: 1Ahz7O |
| 60 | +.. section: Security |
| 61 | +
|
| 62 | +Fix an infinite loop when parsing specially crafted email headers. Patch by |
| 63 | +Abhilash Raj. |
| 64 | + |
| 65 | +.. |
| 66 | +
|
| 67 | +.. bpo: 34155 |
| 68 | +.. date: 2019-05-04-13-33-37 |
| 69 | +.. nonce: MJll68 |
| 70 | +.. section: Security |
| 71 | +
|
| 72 | +Fix parsing of invalid email addresses with more than one ``@`` (e.g. |
| 73 | +a@b@c.com.) to not return the part before 2nd ``@`` as valid email address. |
| 74 | +Patch by maxking & jpic. |
| 75 | + |
| 76 | +.. |
| 77 | +
|
| 78 | +.. bpo: 38216 |
| 79 | +.. date: 2019-09-27-15-24-45 |
| 80 | +.. nonce: -7yvZR |
| 81 | +.. section: Library |
| 82 | +
|
| 83 | +Allow the rare code that wants to send invalid http requests from the |
| 84 | +`http.client` library a way to do so. The fixes for bpo-30458 led to |
| 85 | +breakage for some projects that were relying on this ability to test their |
| 86 | +own behavior in the face of bad requests. |
| 87 | + |
| 88 | +.. |
| 89 | +
|
| 90 | +.. bpo: 36564 |
| 91 | +.. date: 2019-04-08-13-00-13 |
| 92 | +.. nonce: _n67m_ |
| 93 | +.. section: Library |
| 94 | +
|
| 95 | +Fix infinite loop in email header folding logic that would be triggered when |
| 96 | +an email policy's max_line_length is not long enough to include the required |
| 97 | +markup and any values in the message. Patch by Paul Ganssle |
0 commit comments