author | larryhastings <larry@hastings.org> | 2017-09-04 20:30:19 (GMT)
---|---|---
committer | GitHub <noreply@github.com> | 2017-09-04 20:30:19 (GMT)
commit | f9f17346d722b6f073a048b41ec0d6adf336d1d2 (patch) |
tree | 419ced40748802468c84a321be18777a0eb47626 /Misc/NEWS.d/next/Security |
parent | 002d64039b60c1a9289f981fe73a5cf91d082136 (diff) |
Blurbify master branch. (#3298)
Blurbify master branch.
Diffstat (limited to 'Misc/NEWS.d/next/Security')
4 files changed, 25 insertions, 0 deletions
diff --git a/Misc/NEWS.d/next/Security/0338.bpo-29591.ExKblw.rst b/Misc/NEWS.d/next/Security/0338.bpo-29591.ExKblw.rst new file mode 100644 index 0000000..7394ac2 --- /dev/null +++ b/Misc/NEWS.d/next/Security/0338.bpo-29591.ExKblw.rst @@ -0,0 +1,5 @@ +.. original section: Library + +Update expat copy from 2.1.1 to 2.2.0 to get fixes of CVE-2016-0718 and +CVE-2016-4472. See https://sourceforge.net/p/expat/bugs/537/ for more +information. diff --git a/Misc/NEWS.d/next/Security/0342.bpo-30500.1VG7R-.rst b/Misc/NEWS.d/next/Security/0342.bpo-30500.1VG7R-.rst new file mode 100644 index 0000000..adf4645 --- /dev/null +++ b/Misc/NEWS.d/next/Security/0342.bpo-30500.1VG7R-.rst @@ -0,0 +1,6 @@ +.. original section: Library + +Fix urllib.parse.splithost() to correctly parse fragments. For example, +``splithost('//127.0.0.1#@evil.com/')`` now correctly returns the +``127.0.0.1`` host, instead of treating ``@evil.com`` as the host in an +authentification (``login@host``). diff --git a/Misc/NEWS.d/next/Security/0344.bpo-30694.WkMWM_.rst b/Misc/NEWS.d/next/Security/0344.bpo-30694.WkMWM_.rst new file mode 100644 index 0000000..ebbd359 --- /dev/null +++ b/Misc/NEWS.d/next/Security/0344.bpo-30694.WkMWM_.rst @@ -0,0 +1,10 @@ +.. original section: Library + +Upgrade expat copy from 2.2.0 to 2.2.1 to get fixes of multiple security +vulnerabilities including: CVE-2017-9233 (External entity infinite loop +DoS), CVE-2016-9063 (Integer overflow, re-fix), CVE-2016-0718 (Fix +regression bugs from 2.2.0's fix to CVE-2016-0718) and CVE-2012-0876 +(Counter hash flooding with SipHash). Note: the CVE-2016-5300 (Use os- +specific entropy sources like getrandom) doesn't impact Python, since Python +already gets entropy from the OS to set the expat secret using +``XML_SetHashSalt()``. diff --git a/Misc/NEWS.d/next/Security/0347.bpo-30730.rJsyTH.rst b/Misc/NEWS.d/next/Security/0347.bpo-30730.rJsyTH.rst new file mode 100644 index 0000000..008aa70 --- /dev/null 
+++ b/Misc/NEWS.d/next/Security/0347.bpo-30730.rJsyTH.rst @@ -0,0 +1,4 @@ +.. original section: Library + +Prevent environment variables injection in subprocess on Windows. Prevent +passing other environment variables and command arguments. |
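Review bot: "authentification" in the last line of the bpo-30500 entry (0342.bpo-30500.1VG7R-.rst) is a misspelling; it should read "authentication". The same sentence is also hard to follow as written ("treating ``@evil.com`` as the host in an authentification (``login@host``)"); suggest rewording to something like "instead of treating ``127.0.0.1#`` as a login and ``evil.com`` as the host, as in ``login@host``", which states plainly what the old parse produced and why it mattered.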
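Review bot: in the bpo-30694 entry (0344.bpo-30694.WkMWM_.rst) the word "os-specific" is broken across a line boundary ("Use os-" / "specific"), which renders as "os- specific"; keep the hyphenated word on one line. Two smaller wording points in the same entry: "the CVE-2016-5300" should drop the article ("Note: CVE-2016-5300 ..."), and the parenthetical "CVE-2016-0718 (Fix regression bugs from 2.2.0's fix to CVE-2016-0718)" repeats the identifier inside its own description; "CVE-2016-0718 (regression fixes for the 2.2.0 fix)" says the same thing more clearly.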
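Review bot: the bpo-30730 entry (0347.bpo-30730.rJsyTH.rst) does not say what input is now rejected. "Prevent environment variables injection in subprocess on Windows. Prevent passing other environment variables and command arguments." tells a reader that something in the environment passed to subprocess could previously smuggle in extra variables or arguments, but not which values (names, values, or both) are now refused, nor what error is raised, so users cannot tell whether their code is affected. Suggest naming the rejected input and the exception in the entry. Also "environment variables injection" should be "environment variable injection".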