diff options
| author | Ned Deily <nad@python.org> | 2022-12-06 18:58:45 (GMT) |
|---|---|---|
| committer | Ned Deily <nad@python.org> | 2022-12-06 19:00:00 (GMT) |
| commit | 3f82aa744678620a811927dc4e56ad9c7c3d0c14 (patch) | |
| tree | 01cdee2a8e1eb7bf7c0c87120ea566559a1b6117 /Misc | |
| parent | b5bdf6a90d0c2a9c12b671340f7776e233ef625a (diff) | |
| download | cpython-3.7.16.zip cpython-3.7.16.tar.gz cpython-3.7.16.tar.bz2 | |
Python 3.7.16v3.7.16
Diffstat (limited to 'Misc')
6 files changed, 56 insertions, 18 deletions
diff --git a/Misc/NEWS.d/3.7.16.rst b/Misc/NEWS.d/3.7.16.rst new file mode 100644 index 0000000..8991a1f --- /dev/null +++ b/Misc/NEWS.d/3.7.16.rst @@ -0,0 +1,56 @@ +.. date: 2022-12-05-01-39-10 +.. gh-issue: 100001 +.. nonce: uD05Fc +.. release date: 2022-12-06 +.. section: Security + +``python -m http.server`` no longer allows terminal control characters sent +within a garbage request to be printed to the stderr server log. + +This is done by changing the :mod:`http.server` +:class:`BaseHTTPRequestHandler` ``.log_message`` method to replace control +characters with a ``\xHH`` hex escape before printing. + +.. + +.. date: 2022-11-04-09-29-36 +.. gh-issue: 98433 +.. nonce: l76c5G +.. section: Security + +The IDNA codec decoder used on DNS hostnames by :mod:`socket` or +:mod:`asyncio` related name resolution functions no longer involves a +quadratic algorithm. This prevents a potential CPU denial of service if an +out-of-spec excessive length hostname involving bidirectional characters +were decoded. Some protocols such as :mod:`urllib` http ``3xx`` redirects +potentially allow for an attacker to supply such a name. + +.. + +.. date: 2022-10-26-21-04-23 +.. gh-issue: 98739 +.. nonce: keBWcY +.. section: Security + +Update bundled libexpat to 2.5.0 + +.. + +.. date: 2022-10-21-13-31-47 +.. gh-issue: 98517 +.. nonce: SXXGfV +.. section: Security + +Port XKCP's fix for the buffer overflows in SHA-3 (CVE-2022-37454). + +.. + +.. date: 2022-04-27-18-25-30 +.. gh-issue: 68966 +.. nonce: gjS8zs +.. section: Security + +The deprecated mailcap module now refuses to inject unsafe text (filenames, +MIME types, parameters) into shell commands. Instead of using such text, it +will warn and act as if a match was not found (or for test commands, as if +the test failed). diff --git a/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst deleted file mode 100644 index da81a1f..0000000 --- a/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst +++ /dev/null @@ -1,4 +0,0 @@ -The deprecated mailcap module now refuses to inject unsafe text (filenames, -MIME types, parameters) into shell commands. Instead of using such text, it -will warn and act as if a match was not found (or for test commands, as if -the test failed). diff --git a/Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst b/Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst deleted file mode 100644 index 2d23a6a..0000000 --- a/Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst +++ /dev/null @@ -1 +0,0 @@ -Port XKCP's fix for the buffer overflows in SHA-3 (CVE-2022-37454). diff --git a/Misc/NEWS.d/next/Security/2022-10-26-21-04-23.gh-issue-98739.keBWcY.rst b/Misc/NEWS.d/next/Security/2022-10-26-21-04-23.gh-issue-98739.keBWcY.rst deleted file mode 100644 index b63a54b..0000000 --- a/Misc/NEWS.d/next/Security/2022-10-26-21-04-23.gh-issue-98739.keBWcY.rst +++ /dev/null @@ -1 +0,0 @@ -Update bundled libexpat to 2.5.0 diff --git a/Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst b/Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst deleted file mode 100644 index 5185fac..0000000 --- a/Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst +++ /dev/null @@ -1,6 +0,0 @@ -The IDNA codec decoder used on DNS hostnames by :mod:`socket` or :mod:`asyncio` -related name resolution functions no longer involves a quadratic algorithm. -This prevents a potential CPU denial of service if an out-of-spec excessive -length hostname involving bidirectional characters were decoded. Some protocols -such as :mod:`urllib` http ``3xx`` redirects potentially allow for an attacker -to supply such a name. diff --git a/Misc/NEWS.d/next/Security/2022-12-05-01-39-10.gh-issue-100001.uD05Fc.rst b/Misc/NEWS.d/next/Security/2022-12-05-01-39-10.gh-issue-100001.uD05Fc.rst deleted file mode 100644 index a396e95..0000000 --- a/Misc/NEWS.d/next/Security/2022-12-05-01-39-10.gh-issue-100001.uD05Fc.rst +++ /dev/null @@ -1,6 +0,0 @@ -``python -m http.server`` no longer allows terminal control characters sent -within a garbage request to be printed to the stderr server log. - -This is done by changing the :mod:`http.server` :class:`BaseHTTPRequestHandler` -``.log_message`` method to replace control characters with a ``\xHH`` hex escape -before printing. |