author | Larry Hastings <larry@hastings.org> | 2017-07-23 17:59:56 -0700
committer | Larry Hastings <larry@hastings.org> | 2017-07-23 17:59:56 -0700
commit | e9a74c416cb89a0d329995ff3e60c498adb2f689 (patch)
tree | 88d400ecb0f2ae27f5d5e79c945bd4718b9791f2
parent | f067f7e2c1f1702e7302cbc6a5683a1c2d6a1d8e (diff)
download | cpython-git-e9a74c416cb89a0d329995ff3e60c498adb2f689.tar.gz
blurb release for 3.4.7rc1.
10 files changed, 99 insertions, 30 deletions
diff --git a/Misc/NEWS.d/3.4.7rc1.rst b/Misc/NEWS.d/3.4.7rc1.rst new file mode 100644 index 0000000000..16ad0ffe07 --- /dev/null +++ b/Misc/NEWS.d/3.4.7rc1.rst 
@@ -0,0 +1,99 @@ +.. bpo: 29591 +.. date: 2017-07-11-22-26-48 +.. nonce: cOeMX- +.. release date: 2017-07-23 +.. section: Security + +Update expat copy from 2.1.1 to 2.2.0 to get fixes of CVE-2016-0718 and +CVE-2016-4472. See https://sourceforge.net/p/expat/bugs/537/ for more +information. + +.. + +.. bpo: 30694 +.. date: 2017-07-11-22-25-24 +.. nonce: oOf3Er +.. section: Security + +Upgrade expat copy from 2.2.0 to 2.2.1 to get fixes of multiple security +vulnerabilities including: CVE-2017-9233 (External entity infinite loop +DoS), CVE-2016-9063 (Integer overflow, re-fix), CVE-2016-0718 (Fix +regression bugs from 2.2.0's fix to CVE-2016-0718) and CVE-2012-0876 +(Counter hash flooding with SipHash). Note: the CVE-2016-5300 (Use os- +specific entropy sources like getrandom) doesn't impact Python, since Python +already gets entropy from the OS to set the expat secret using +``XML_SetHashSalt()``. + +.. + +.. bpo: 26657 +.. date: 2017-07-11-22-07-03 +.. nonce: wvpzFD +.. section: Security + +Fix directory traversal vulnerability with http.server on Windows. This +fixes a regression that was introduced in 3.3.4rc1 and 3.4.0rc1. Based on +patch by Philipp Hagemeister. + +.. + +.. bpo: 30500 +.. date: 2017-07-11-22-02-51 +.. nonce: wXUrkQ +.. section: Security + +Fix urllib.parse.splithost() to correctly parse fragments. For example, +``splithost('//127.0.0.1#@evil.com/')`` now correctly returns the +``127.0.0.1`` host, instead of treating ``@evil.com`` as the host in an +authentification (``login@host``). + +.. + +.. bpo: 30730 +.. date: 02 +.. nonce: ZF8XGV +.. original section: Library +.. section: Security + +Prevent environment variables injection in subprocess on Windows. Prevent +passing other invalid environment variables and command arguments. + +.. + +.. bpo: 26617 +.. date: 2017-07-15-13-55-22 +.. nonce: Gh5LvN +.. section: Core and Builtins + +Fix crash when GC runs during weakref callbacks. + +.. + +.. bpo: 27945 +.. date: 04 +.. nonce: p29r3O +.. 
section: Core and Builtins + +Fixed various segfaults with dict when input collections are mutated during +searching, inserting or comparing. Based on patches by Duane Griffin and +Tim Mitchell. + +.. + +.. bpo: 27850 +.. date: 01 +.. nonce: kIVQ0m +.. section: Library + +Remove 3DES from ssl module's default cipher list to counter measure sweet32 +attack (CVE-2016-2183). + +.. + +.. bpo: 25008 +.. date: 03 +.. nonce: CeIzyU +.. section: Documentation + +Document smtpd.py as effectively deprecated and add a pointer to aiosmtpd, a +third-party asyncio-based replacement. diff --git a/Misc/NEWS.d/next/Core and Builtins/04.bpo-27945.p29r3O.rst b/Misc/NEWS.d/next/Core and Builtins/04.bpo-27945.p29r3O.rst deleted file mode 100644 index da5b8d1a2c..0000000000 --- a/Misc/NEWS.d/next/Core and Builtins/04.bpo-27945.p29r3O.rst +++ /dev/null @@ -1,3 +0,0 @@ -Fixed various segfaults with dict when input collections are mutated during -searching, inserting or comparing. Based on patches by Duane Griffin and -Tim Mitchell. diff --git a/Misc/NEWS.d/next/Core and Builtins/2017-07-15-13-55-22.bpo-26617.Gh5LvN.rst b/Misc/NEWS.d/next/Core and Builtins/2017-07-15-13-55-22.bpo-26617.Gh5LvN.rst deleted file mode 100644 index c3a41396df..0000000000 --- a/Misc/NEWS.d/next/Core and Builtins/2017-07-15-13-55-22.bpo-26617.Gh5LvN.rst +++ /dev/null @@ -1 +0,0 @@ -Fix crash when GC runs during weakref callbacks. diff --git a/Misc/NEWS.d/next/Documentation/03.bpo-25008.CeIzyU.rst b/Misc/NEWS.d/next/Documentation/03.bpo-25008.CeIzyU.rst deleted file mode 100644 index ea4046ead7..0000000000 --- a/Misc/NEWS.d/next/Documentation/03.bpo-25008.CeIzyU.rst +++ /dev/null @@ -1,2 +0,0 @@ -Document smtpd.py as effectively deprecated and add a pointer to aiosmtpd, a -third-party asyncio-based replacement. diff --git a/Misc/NEWS.d/next/Library/01.bpo-27850.kIVQ0m.rst b/Misc/NEWS.d/next/Library/01.bpo-27850.kIVQ0m.rst deleted file mode 100644 index f21375d16d..0000000000 
--- a/Misc/NEWS.d/next/Library/01.bpo-27850.kIVQ0m.rst +++ /dev/null @@ -1,2 +0,0 @@ -Remove 3DES from ssl module's default cipher list to counter measure sweet32 -attack (CVE-2016-2183). diff --git a/Misc/NEWS.d/next/Security/02.bpo-30730.ZF8XGV.rst b/Misc/NEWS.d/next/Security/02.bpo-30730.ZF8XGV.rst deleted file mode 100644 index 2c764439a0..0000000000 --- a/Misc/NEWS.d/next/Security/02.bpo-30730.ZF8XGV.rst +++ /dev/null @@ -1,4 +0,0 @@ -.. original section: Library - -Prevent environment variables injection in subprocess on Windows. Prevent -passing other invalid environment variables and command arguments. diff --git a/Misc/NEWS.d/next/Security/2017-07-11-22-02-51.bpo-30500.wXUrkQ.rst b/Misc/NEWS.d/next/Security/2017-07-11-22-02-51.bpo-30500.wXUrkQ.rst deleted file mode 100644 index 6570e709d6..0000000000 --- a/Misc/NEWS.d/next/Security/2017-07-11-22-02-51.bpo-30500.wXUrkQ.rst +++ /dev/null @@ -1,4 +0,0 @@ -Fix urllib.parse.splithost() to correctly parse fragments. For example, -``splithost('//127.0.0.1#@evil.com/')`` now correctly returns the -``127.0.0.1`` host, instead of treating ``@evil.com`` as the host in an -authentification (``login@host``). diff --git a/Misc/NEWS.d/next/Security/2017-07-11-22-07-03.bpo-26657.wvpzFD.rst b/Misc/NEWS.d/next/Security/2017-07-11-22-07-03.bpo-26657.wvpzFD.rst deleted file mode 100644 index ac1dc14d06..0000000000 --- a/Misc/NEWS.d/next/Security/2017-07-11-22-07-03.bpo-26657.wvpzFD.rst +++ /dev/null @@ -1,3 +0,0 @@ -Fix directory traversal vulnerability with http.server on Windows. This -fixes a regression that was introduced in 3.3.4rc1 and 3.4.0rc1. Based on -patch by Philipp Hagemeister. diff --git a/Misc/NEWS.d/next/Security/2017-07-11-22-25-24.bpo-30694.oOf3Er.rst b/Misc/NEWS.d/next/Security/2017-07-11-22-25-24.bpo-30694.oOf3Er.rst deleted file mode 100644 index ee2c0a5c35..0000000000 --- a/Misc/NEWS.d/next/Security/2017-07-11-22-25-24.bpo-30694.oOf3Er.rst +++ /dev/null 
@@ -1,8 +0,0 @@ -Upgrade expat copy from 2.2.0 to 2.2.1 to get fixes of multiple security -vulnerabilities including: CVE-2017-9233 (External entity infinite loop -DoS), CVE-2016-9063 (Integer overflow, re-fix), CVE-2016-0718 (Fix -regression bugs from 2.2.0's fix to CVE-2016-0718) and CVE-2012-0876 -(Counter hash flooding with SipHash). Note: the CVE-2016-5300 (Use os- -specific entropy sources like getrandom) doesn't impact Python, since Python -already gets entropy from the OS to set the expat secret using -``XML_SetHashSalt()``. diff --git a/Misc/NEWS.d/next/Security/2017-07-11-22-26-48.bpo-29591.cOeMX-.rst b/Misc/NEWS.d/next/Security/2017-07-11-22-26-48.bpo-29591.cOeMX-.rst deleted file mode 100644 index ca740bb1b1..0000000000 --- a/Misc/NEWS.d/next/Security/2017-07-11-22-26-48.bpo-29591.cOeMX-.rst +++ /dev/null @@ -1,3 +0,0 @@ -Update expat copy from 2.1.1 to 2.2.0 to get fixes of CVE-2016-0718 and -CVE-2016-4472. See https://sourceforge.net/p/expat/bugs/537/ for more -information. |
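Review bot: in the new Misc/NEWS.d/3.4.7rc1.rst hunk, four entries carry a sequence number where a timestamp belongs: bpo-30730 has `.. date: 02`, bpo-27945 has `.. date: 04`, bpo-27850 has `.. date: 01` and bpo-25008 has `.. date: 03`, inherited from the numerically named blurb files this commit deletes (for example `02.bpo-30730.ZF8XGV.rst`), while the remaining entries use the `YYYY-MM-DD-HH-MM-SS` form such as `.. date: 2017-07-11-22-26-48`. Suggest giving those four entries real dates before the release file is frozen, or at least confirming that the release tooling accepts a bare integer in that field, since anything that sorts entries by date will misorder them. Two wording points in the same hunk, both copied verbatim from the deleted blurb files: the bpo-30500 entry reads "in an authentification (``login@host``)" and should be "authentication", and the bpo-27850 entry "to counter measure sweet32 attack (CVE-2016-2183)" reads better as "to counter the Sweet32 attack (CVE-2016-2183)"; this release file is the last place to fix them before the notes ship.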