diff options
Diffstat (limited to 'Misc')
12 files changed, 120 insertions, 33 deletions
diff --git a/Misc/NEWS.d/3.8.14.rst b/Misc/NEWS.d/3.8.14.rst new file mode 100644 index 0000000..f13bf32 --- /dev/null +++ b/Misc/NEWS.d/3.8.14.rst @@ -0,0 +1,120 @@ +.. date: 2022-08-07-16-53-38 +.. gh-issue: 95778 +.. nonce: ch010gps +.. release date: 2022-09-06 +.. section: Security + +Converting between :class:`int` and :class:`str` in bases other than 2 +(binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) +now raises a :exc:`ValueError` if the number of digits in string form is +above a limit to avoid potential denial of service attacks due to the +algorithmic complexity. This is a mitigation for `CVE-2020-10735 +<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735>`_. + +This new limit can be configured or disabled by environment variable, +command line flag, or :mod:`sys` APIs. See the :ref:`integer string +conversion length limitation <int_max_str_digits>` documentation. The +default limit is 4300 digits in string form. + +Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with +feedback from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and +Mark Dickinson. + +.. + +.. date: 2022-06-15-20-09-23 +.. gh-issue: 87389 +.. nonce: QVaC3f +.. section: Security + +:mod:`http.server`: Fix an open redirection vulnerability in the HTTP server +when an URI path starts with ``//``. Vulnerability discovered, and initial +fix proposed, by Hamza Avvan. + +.. + +.. date: 2022-05-21-23-21-37 +.. gh-issue: 93065 +.. nonce: 5I18WC +.. section: Core and Builtins + +Fix contextvars HAMT implementation to handle iteration over deep trees. + +The bug was discovered and fixed by Eli Libman. See +`MagicStack/immutables#84 +<https://github.com/MagicStack/immutables/issues/84>`_ for more details. + +.. + +.. bpo: 46197 +.. date: 2022-01-03-15-07-06 +.. nonce: Z0djv6 +.. section: Library + +Fix :mod:`ensurepip` environment isolation for subprocess running ``pip``. + +.. + +.. bpo: 36073 +.. date: 2019-06-22-11-01-45 +.. nonce: ED8mB9 +.. section: Library + +Raise :exc:`~sqlite3.ProgrammingError` instead of segfaulting on recursive +usage of cursors in :mod:`sqlite3` converters. Patch by Sergey Fedoseev. + +.. + +.. date: 2022-04-24-22-09-31 +.. gh-issue: 91888 +.. nonce: kTjJLx +.. section: Documentation + +Add a new ``gh`` role to the documentation to link to GitHub issues. + +.. + +.. bpo: 47138 +.. date: 2022-03-28-12-36-17 +.. nonce: TbLXgV +.. section: Documentation + +Pin Jinja to a version compatible with Sphinx version 2.4.4. + +.. + +.. date: 2022-06-27-21-27-20 +.. gh-issue: 94208 +.. nonce: VR6HX- +.. section: Tests + +``test_ssl`` is now checking for supported TLS version and protocols in more +tests. + +.. + +.. bpo: 47016 +.. date: 2022-03-14-23-28-17 +.. nonce: K-t2QX +.. section: Tests + +Create a GitHub Actions workflow for verifying bundled pip and setuptools. +Patch by Illia Volochii and Adam Turner. + +.. + +.. bpo: 46114 +.. date: 2021-12-17-14-46-19 +.. nonce: 9iyZ_9 +.. section: Tests + +Fix test case for OpenSSL 3.0.1 version. OpenSSL 3.0 uses ``0xMNN00PP0L``. + +.. + +.. bpo: 47194 +.. date: 2022-04-01-14-57-40 +.. nonce: IB0XL4 +.. section: Windows + +Update ``zlib`` to v1.2.12 to resolve CVE-2018-25032. diff --git a/Misc/NEWS.d/next/Core and Builtins/2022-05-21-23-21-37.gh-issue-93065.5I18WC.rst b/Misc/NEWS.d/next/Core and Builtins/2022-05-21-23-21-37.gh-issue-93065.5I18WC.rst deleted file mode 100644 index ea80165..0000000 --- a/Misc/NEWS.d/next/Core and Builtins/2022-05-21-23-21-37.gh-issue-93065.5I18WC.rst +++ /dev/null @@ -1,5 +0,0 @@ -Fix contextvars HAMT implementation to handle iteration over deep trees. - -The bug was discovered and fixed by Eli Libman. See -`MagicStack/immutables#84 <https://github.com/MagicStack/immutables/issues/84>`_ -for more details. diff --git a/Misc/NEWS.d/next/Documentation/2022-03-28-12-36-17.bpo-47138.TbLXgV.rst b/Misc/NEWS.d/next/Documentation/2022-03-28-12-36-17.bpo-47138.TbLXgV.rst deleted file mode 100644 index 9dde4de..0000000 --- a/Misc/NEWS.d/next/Documentation/2022-03-28-12-36-17.bpo-47138.TbLXgV.rst +++ /dev/null @@ -1 +0,0 @@ -Pin Jinja to a version compatible with Sphinx version 2.4.4. diff --git a/Misc/NEWS.d/next/Documentation/2022-04-24-22-09-31.gh-issue-91888.kTjJLx.rst b/Misc/NEWS.d/next/Documentation/2022-04-24-22-09-31.gh-issue-91888.kTjJLx.rst deleted file mode 100644 index 4ebca42..0000000 --- a/Misc/NEWS.d/next/Documentation/2022-04-24-22-09-31.gh-issue-91888.kTjJLx.rst +++ /dev/null @@ -1 +0,0 @@ -Add a new ``gh`` role to the documentation to link to GitHub issues. diff --git a/Misc/NEWS.d/next/Library/2019-06-22-11-01-45.bpo-36073.ED8mB9.rst b/Misc/NEWS.d/next/Library/2019-06-22-11-01-45.bpo-36073.ED8mB9.rst deleted file mode 100644 index 6c214d8..0000000 --- a/Misc/NEWS.d/next/Library/2019-06-22-11-01-45.bpo-36073.ED8mB9.rst +++ /dev/null @@ -1,2 +0,0 @@ -Raise :exc:`~sqlite3.ProgrammingError` instead of segfaulting on recursive -usage of cursors in :mod:`sqlite3` converters. Patch by Sergey Fedoseev. diff --git a/Misc/NEWS.d/next/Library/2022-01-03-15-07-06.bpo-46197.Z0djv6.rst b/Misc/NEWS.d/next/Library/2022-01-03-15-07-06.bpo-46197.Z0djv6.rst deleted file mode 100644 index 7a3b2d5..0000000 --- a/Misc/NEWS.d/next/Library/2022-01-03-15-07-06.bpo-46197.Z0djv6.rst +++ /dev/null @@ -1 +0,0 @@ -Fix :mod:`ensurepip` environment isolation for subprocess running ``pip``. diff --git a/Misc/NEWS.d/next/Security/2022-06-15-20-09-23.gh-issue-87389.QVaC3f.rst b/Misc/NEWS.d/next/Security/2022-06-15-20-09-23.gh-issue-87389.QVaC3f.rst deleted file mode 100644 index 029d437..0000000 --- a/Misc/NEWS.d/next/Security/2022-06-15-20-09-23.gh-issue-87389.QVaC3f.rst +++ /dev/null @@ -1,3 +0,0 @@ -:mod:`http.server`: Fix an open redirection vulnerability in the HTTP server -when an URI path starts with ``//``. Vulnerability discovered, and initial -fix proposed, by Hamza Avvan. diff --git a/Misc/NEWS.d/next/Security/2022-08-07-16-53-38.gh-issue-95778.ch010gps.rst b/Misc/NEWS.d/next/Security/2022-08-07-16-53-38.gh-issue-95778.ch010gps.rst deleted file mode 100644 index 8eb8a34..0000000 --- a/Misc/NEWS.d/next/Security/2022-08-07-16-53-38.gh-issue-95778.ch010gps.rst +++ /dev/null @@ -1,14 +0,0 @@ -Converting between :class:`int` and :class:`str` in bases other than 2 -(binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now -raises a :exc:`ValueError` if the number of digits in string form is above a -limit to avoid potential denial of service attacks due to the algorithmic -complexity. This is a mitigation for `CVE-2020-10735 -<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735>`_. - -This new limit can be configured or disabled by environment variable, command -line flag, or :mod:`sys` APIs. See the :ref:`integer string conversion length -limitation <int_max_str_digits>` documentation. The default limit is 4300 -digits in string form. - -Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with feedback -from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and Mark Dickinson. diff --git a/Misc/NEWS.d/next/Tests/2021-12-17-14-46-19.bpo-46114.9iyZ_9.rst b/Misc/NEWS.d/next/Tests/2021-12-17-14-46-19.bpo-46114.9iyZ_9.rst deleted file mode 100644 index 6878cea..0000000 --- a/Misc/NEWS.d/next/Tests/2021-12-17-14-46-19.bpo-46114.9iyZ_9.rst +++ /dev/null @@ -1 +0,0 @@ -Fix test case for OpenSSL 3.0.1 version. OpenSSL 3.0 uses ``0xMNN00PP0L``. diff --git a/Misc/NEWS.d/next/Tests/2022-03-14-23-28-17.bpo-47016.K-t2QX.rst b/Misc/NEWS.d/next/Tests/2022-03-14-23-28-17.bpo-47016.K-t2QX.rst deleted file mode 100644 index 774bfaf..0000000 --- a/Misc/NEWS.d/next/Tests/2022-03-14-23-28-17.bpo-47016.K-t2QX.rst +++ /dev/null @@ -1,2 +0,0 @@ -Create a GitHub Actions workflow for verifying bundled pip and setuptools. -Patch by Illia Volochii and Adam Turner. diff --git a/Misc/NEWS.d/next/Tests/2022-06-27-21-27-20.gh-issue-94208.VR6HX-.rst b/Misc/NEWS.d/next/Tests/2022-06-27-21-27-20.gh-issue-94208.VR6HX-.rst deleted file mode 100644 index d0f970a..0000000 --- a/Misc/NEWS.d/next/Tests/2022-06-27-21-27-20.gh-issue-94208.VR6HX-.rst +++ /dev/null @@ -1,2 +0,0 @@ -``test_ssl`` is now checking for supported TLS version and protocols in more -tests. diff --git a/Misc/NEWS.d/next/Windows/2022-04-01-14-57-40.bpo-47194.IB0XL4.rst b/Misc/NEWS.d/next/Windows/2022-04-01-14-57-40.bpo-47194.IB0XL4.rst deleted file mode 100644 index 7e76add..0000000 --- a/Misc/NEWS.d/next/Windows/2022-04-01-14-57-40.bpo-47194.IB0XL4.rst +++ /dev/null @@ -1 +0,0 @@ -Update ``zlib`` to v1.2.12 to resolve CVE-2018-25032. |