author | Łukasz Langa <lukasz@langa.pl> | 2023-08-24 17:51:41 (GMT) |
---|---|---|
committer | Łukasz Langa <lukasz@langa.pl> | 2023-08-24 17:59:28 (GMT) |
commit | 376d66eb5080cf8076d767b0916c103463343963 (patch) | |
tree | 1ff31a104de6f447c9795e3d52ae8fd01f2f5994 /Misc/NEWS.d/3.9.18.rst | |
parent | 92f9ce726b7c5ea79b1b1451223220a3b35fc845 (diff) | |
Python 3.9.18 v3.9.18
Diffstat (limited to 'Misc/NEWS.d/3.9.18.rst')
-rw-r--r-- | Misc/NEWS.d/3.9.18.rst | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/Misc/NEWS.d/3.9.18.rst b/Misc/NEWS.d/3.9.18.rst new file mode 100644 index 0000000..e740322 --- /dev/null +++ b/Misc/NEWS.d/3.9.18.rst @@ -0,0 +1,44 @@ +.. date: 2023-08-22-17-39-12 +.. gh-issue: 108310 +.. nonce: fVM3sg +.. release date: 2023-08-24 +.. section: Security + +Fixed an issue where instances of :class:`ssl.SSLSocket` were vulnerable to +a bypass of the TLS handshake and included protections (like certificate +verification) and treating sent unencrypted data as if it were +post-handshake TLS encrypted data. Security issue reported as +`CVE-2023-40217 +<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40217>`_ by Aapo +Oksman. Patch by Gregory P. Smith. + +.. + +.. date: 2023-08-10-17-36-22 +.. gh-issue: 107845 +.. nonce: dABiMJ +.. section: Library + +:func:`tarfile.data_filter` now takes the location of symlinks into account +when determining their target, so it will no longer reject some valid +tarballs with ``LinkOutsideDestinationError``. + +.. + +.. date: 2023-08-12-13-18-15 +.. gh-issue: 107565 +.. nonce: Tv22Ne +.. section: Tools/Demos + +Update multissltests and GitHub CI workflows to use OpenSSL 1.1.1v, 3.0.10, +and 3.1.2. + +.. + +.. date: 2022-11-20-09-52-50 +.. gh-issue: 99612 +.. nonce: eBHksg +.. section: C API + +Fix :c:func:`PyUnicode_DecodeUTF8Stateful` for ASCII-only data: +``*consumed`` was not set. |
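Review bot: The Security entry for gh-issue 108310 is hard to parse at "and treating sent unencrypted data as if it were post-handshake TLS encrypted data": that clause is not parallel with "vulnerable to a bypass of the TLS handshake", and it does not say which side sent the data or which side treats it as encrypted. Since this is the only user-facing description of CVE-2023-40217 in the release notes, consider splitting it into two sentences, one stating that the handshake and its protections (like certificate verification) could be bypassed, and one stating whose unencrypted data ends up handled as post-handshake TLS data. It would also help readers triaging the release if the entry said under what condition an :class:`ssl.SSLSocket` instance is affected, which the current text leaves out. The remaining three entries (gh-issue 107845, 107565, 99612) read clearly and name the affected API or tool directly.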