Diffstat (limited to 'Misc')
7 files changed, 70 insertions, 22 deletions
diff --git a/Misc/NEWS.d/3.9.22.rst b/Misc/NEWS.d/3.9.22.rst new file mode 100644 index 0000000..5a2a026 --- /dev/null +++ b/Misc/NEWS.d/3.9.22.rst 
@@ -0,0 +1,70 @@ +.. date: 2025-04-07-04-11-08 +.. gh-issue: 131809 +.. nonce: 4MBDuy +.. release date: 2025-04-08 +.. section: Security + +Update bundled libexpat to 2.7.1 + +.. + +.. date: 2025-03-14-23-28-39 +.. gh-issue: 131261 +.. nonce: 0aB6nM +.. section: Security + +Upgrade to libexpat 2.7.0 + +.. + +.. date: 2025-01-28-14-08-03 +.. gh-issue: 105704 +.. nonce: EnhHxu +.. section: Security + +When using :func:`urllib.parse.urlsplit` and :func:`urllib.parse.urlparse` +host parsing would not reject domain names containing square brackets (``[`` +and ``]``). Square brackets are only valid for IPv6 and IPvFuture hosts +according to `RFC 3986 Section 3.2.2 +<https://www.rfc-editor.org/rfc/rfc3986#section-3.2.2>`__. + +.. + +.. date: 2024-08-06-12-27-34 +.. gh-issue: 121284 +.. nonce: 8rwPxe +.. section: Security + +Fix bug in the folding of rfc2047 encoded-words when flattening an email +message using a modern email policy. Previously when an encoded-word was too +long for a line, it would be decoded, split across lines, and re-encoded. +But commas and other special characters in the original text could be left +unencoded and unquoted. This could theoretically be used to spoof header +lines using a carefully constructed encoded-word if the resulting rendered +email was transmitted or re-parsed. + +.. + +.. date: 2024-05-24-21-00-52 +.. gh-issue: 119511 +.. nonce: jKrXQ8 +.. section: Security + +Fix a potential denial of service in the :mod:`imaplib` module. When +connecting to a malicious server, it could cause an arbitrary amount of +memory to be allocated. On many systems this is harmless as unused virtual +memory is only a mapping, but if this hit a virtual address size limit it +could lead to a :exc:`MemoryError` or other process crash. On unusual +systems or builds where all allocated memory is touched and backed by actual +ram or storage it could've consumed resources doing so until similarly +crashing. + +.. + +.. date: 2024-07-19-12-22-48 +.. 
gh-issue: 121277 +.. nonce: wF_zKd +.. section: Documentation + +Writers of CPython's documentation can now use ``next`` as the version for +the ``versionchanged``, ``versionadded``, ``deprecated`` directives. diff --git a/Misc/NEWS.d/next/Documentation/2024-07-19-12-22-48.gh-issue-121277.wF_zKd.rst b/Misc/NEWS.d/next/Documentation/2024-07-19-12-22-48.gh-issue-121277.wF_zKd.rst deleted file mode 100644 index 60f75ae..0000000 --- a/Misc/NEWS.d/next/Documentation/2024-07-19-12-22-48.gh-issue-121277.wF_zKd.rst +++ /dev/null @@ -1,2 +0,0 @@ -Writers of CPython's documentation can now use ``next`` as the version for -the ``versionchanged``, ``versionadded``, ``deprecated`` directives. diff --git a/Misc/NEWS.d/next/Security/2024-05-24-21-00-52.gh-issue-119511.jKrXQ8.rst b/Misc/NEWS.d/next/Security/2024-05-24-21-00-52.gh-issue-119511.jKrXQ8.rst deleted file mode 100644 index f7b4031..0000000 --- a/Misc/NEWS.d/next/Security/2024-05-24-21-00-52.gh-issue-119511.jKrXQ8.rst +++ /dev/null @@ -1,7 +0,0 @@ -Fix a potential denial of service in the :mod:`imaplib` module. When connecting -to a malicious server, it could cause an arbitrary amount of memory to be -allocated. On many systems this is harmless as unused virtual memory is only a -mapping, but if this hit a virtual address size limit it could lead to a -:exc:`MemoryError` or other process crash. On unusual systems or builds where -all allocated memory is touched and backed by actual ram or storage it could've -consumed resources doing so until similarly crashing. diff --git a/Misc/NEWS.d/next/Security/2024-08-06-12-27-34.gh-issue-121284.8rwPxe.rst b/Misc/NEWS.d/next/Security/2024-08-06-12-27-34.gh-issue-121284.8rwPxe.rst deleted file mode 100644 index 923e911..0000000 --- a/Misc/NEWS.d/next/Security/2024-08-06-12-27-34.gh-issue-121284.8rwPxe.rst +++ /dev/null 
@@ -1,7 +0,0 @@ -Fix bug in the folding of rfc2047 encoded-words when flattening an email message -using a modern email policy. Previously when an encoded-word was too long -for a line, it would be decoded, split across lines, and re-encoded. But commas -and other special characters in the original text could be left unencoded and -unquoted. This could theoretically be used to spoof header lines using -a carefully constructed encoded-word if the resulting rendered email was -transmitted or re-parsed. diff --git a/Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst b/Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst deleted file mode 100644 index bff1bc6..0000000 --- a/Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst +++ /dev/null @@ -1,4 +0,0 @@ -When using :func:`urllib.parse.urlsplit` and :func:`urllib.parse.urlparse` host -parsing would not reject domain names containing square brackets (``[`` and -``]``). Square brackets are only valid for IPv6 and IPvFuture hosts according to -`RFC 3986 Section 3.2.2 <https://www.rfc-editor.org/rfc/rfc3986#section-3.2.2>`__. diff --git a/Misc/NEWS.d/next/Security/2025-03-14-23-28-39.gh-issue-131261.0aB6nM.rst b/Misc/NEWS.d/next/Security/2025-03-14-23-28-39.gh-issue-131261.0aB6nM.rst deleted file mode 100644 index fa56e7a..0000000 --- a/Misc/NEWS.d/next/Security/2025-03-14-23-28-39.gh-issue-131261.0aB6nM.rst +++ /dev/null @@ -1 +0,0 @@ -Upgrade to libexpat 2.7.0 diff --git a/Misc/NEWS.d/next/Security/2025-04-07-04-11-08.gh-issue-131809.4MBDuy.rst b/Misc/NEWS.d/next/Security/2025-04-07-04-11-08.gh-issue-131809.4MBDuy.rst deleted file mode 100644 index 1421b4d..0000000 --- a/Misc/NEWS.d/next/Security/2025-04-07-04-11-08.gh-issue-131809.4MBDuy.rst +++ /dev/null @@ -1 +0,0 @@ -Update bundled libexpat to 2.7.1 |
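Review bot: In the new Misc/NEWS.d/3.9.22.rst, the two libexpat entries (gh-issue 131809 and 131261) are filed under "section: Security" but say only "Update bundled libexpat to 2.7.1" and "Upgrade to libexpat 2.7.0", so a reader of the 3.9.22 changelog cannot tell which security problem each bump addresses or whether their XML-handling code is affected. Consider adding a clause to each that names the upstream fix or advisory it picks up. The gh-issue 105704 entry has a similar gap: it says host parsing "would not reject" domain names containing square brackets, but never states what :func:`urllib.parse.urlsplit` and :func:`urllib.parse.urlparse` do with such input now, which callers that handle parse failures need to know. Minor wording in the text carried over from the deleted Misc/NEWS.d/next files: "rfc2047" in the gh-issue 121284 entry reads better as "RFC 2047", and "ram" and "could've" in the imaplib entry as "RAM" and "could have".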
