Diffstat (limited to 'Misc/NEWS.d/3.6.2rc2.rst')
-rw-r--r-- Misc/NEWS.d/3.6.2rc2.rst | 39
1 files changed, 39 insertions, 0 deletions
diff --git a/Misc/NEWS.d/3.6.2rc2.rst b/Misc/NEWS.d/3.6.2rc2.rst new file mode 100644 index 0000000..45be03e --- /dev/null +++ b/Misc/NEWS.d/3.6.2rc2.rst @@ -0,0 +1,39 @@ +.. bpo: 30730 +.. date: 9992 +.. nonce: rJsyTH +.. original section: Library +.. release date: 2017-07-07 +.. section: Security + +Prevent environment variables injection in subprocess on Windows. Prevent +passing other environment variables and command arguments. + +.. + +.. bpo: 30694 +.. date: 9991 +.. nonce: WkMWM_ +.. original section: Library +.. section: Security + +Upgrade expat copy from 2.2.0 to 2.2.1 to get fixes of multiple security +vulnerabilities including: CVE-2017-9233 (External entity infinite loop +DoS), CVE-2016-9063 (Integer overflow, re-fix), CVE-2016-0718 (Fix +regression bugs from 2.2.0's fix to CVE-2016-0718) and CVE-2012-0876 +(Counter hash flooding with SipHash). Note: the CVE-2016-5300 (Use +os-specific entropy sources like getrandom) doesn't impact Python, since +Python already gets entropy from the OS to set the expat secret using +``XML_SetHashSalt()``. + +.. + +.. bpo: 30500 +.. date: 9990 +.. nonce: 1VG7R- +.. original section: Library +.. section: Security + +Fix urllib.parse.splithost() to correctly parse fragments. For example, +``splithost('//127.0.0.1#@evil.com/')`` now correctly returns the +``127.0.0.1`` host, instead of treating ``@evil.com`` as the host in an +authentification (``login@host``). |
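Review bot: the third entry's "authentification" should be "authentication" (this is user-facing NEWS text, so the typo will ship in the release notes); in the same hunk, "Prevent environment variables injection" in the bpo-30730 entry reads better as "Prevent environment variable injection", and the bpo-30694 item "CVE-2016-0718 (Fix regression bugs from 2.2.0's fix to CVE-2016-0718)" is circular as written, since it lists the CVE as though 2.2.1 fixed it anew; suggest wording it as "fixes regressions introduced by the 2.2.0 fix for CVE-2016-0718" so readers do not mistake it for a newly addressed vulnerability, and capitalising "os-specific" as "OS-specific".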