bpo-36384: [doc] Mention CVE-2021-29921 fix in 3.8.12 (GH-27824)

(cherry picked from commit 0fd66e46b2f472d0d206a185dc8892f4f0347cb6)

Co-authored-by: Łukasz Langa <lukasz@langa.pl>

2 files changed, 18 insertions, 0 deletions

diff --git a/Doc/library/ipaddress.rst b/Doc/library/ipaddress.rst
index 1c2263b..2ab4dd8 100644
--- a/Doc/library/ipaddress.rst
+++ b/Doc/library/ipaddress.rst
@@ -132,6 +132,11 @@ write code that handles both IP versions correctly.  Address objects are
       The above change was also included in Python 3.9 starting with
       version 3.9.5.
 
+   .. versionchanged:: 3.8.12
+
+      The above change was also included in Python 3.8 starting with
+      version 3.8.12.
+
    .. attribute:: version
 
       The appropriate version number: ``4`` for IPv4, ``6`` for IPv6.
diff --git a/Doc/whatsnew/3.8.rst b/Doc/whatsnew/3.8.rst
index f1a9036..7c293a5 100644
--- a/Doc/whatsnew/3.8.rst
+++ b/Doc/whatsnew/3.8.rst
@@ -2248,3 +2248,16 @@ separator key, with ``&`` as the default.  This change also affects
 functions internally. For more details, please see their respective
 documentation.
 (Contributed by Adam Goldschmidt, Senthil Kumaran and Ken Jin in :issue:`42967`.)
+
+Notable changes in Python 3.8.12
+================================
+
+Starting with Python 3.8.12 the :mod:`ipaddress` module no longer accepts
+any leading zeros in IPv4 address strings. Leading zeros are ambiguous and
+interpreted as octal notation by some libraries. For example the legacy
+function :func:`socket.inet_aton` treats leading zeros as octal notation.
+glibc implementation of modern :func:`~socket.inet_pton` does not accept
+any leading zeros.
+
+(Originally contributed by Christian Heimes in :issue:`36384`, and backported
+to 3.8 by Achraf Merzouki.)