author Larry Hastings <larry@hastings.org> 2017-07-23 17:59:56 -0700
committer Larry Hastings <larry@hastings.org> 2017-07-23 17:59:56 -0700
commit e9a74c416cb89a0d329995ff3e60c498adb2f689
tree 88d400ecb0f2ae27f5d5e79c945bd4718b9791f2
parent f067f7e2c1f1702e7302cbc6a5683a1c2d6a1d8e
blurb release for 3.4.7rc1.
-rw-r--r-- Misc/NEWS.d/3.4.7rc1.rst 99
-rw-r--r-- Misc/NEWS.d/next/Core and Builtins/04.bpo-27945.p29r3O.rst 3
-rw-r--r-- Misc/NEWS.d/next/Core and Builtins/2017-07-15-13-55-22.bpo-26617.Gh5LvN.rst 1
-rw-r--r-- Misc/NEWS.d/next/Documentation/03.bpo-25008.CeIzyU.rst 2
-rw-r--r-- Misc/NEWS.d/next/Library/01.bpo-27850.kIVQ0m.rst 2
-rw-r--r-- Misc/NEWS.d/next/Security/02.bpo-30730.ZF8XGV.rst 4
-rw-r--r-- Misc/NEWS.d/next/Security/2017-07-11-22-02-51.bpo-30500.wXUrkQ.rst 4
-rw-r--r-- Misc/NEWS.d/next/Security/2017-07-11-22-07-03.bpo-26657.wvpzFD.rst 3
-rw-r--r-- Misc/NEWS.d/next/Security/2017-07-11-22-25-24.bpo-30694.oOf3Er.rst 8
-rw-r--r-- Misc/NEWS.d/next/Security/2017-07-11-22-26-48.bpo-29591.cOeMX-.rst 3
10 files changed, 99 insertions, 30 deletions
diff --git a/Misc/NEWS.d/3.4.7rc1.rst b/Misc/NEWS.d/3.4.7rc1.rst
new file mode 100644
index 0000000000..16ad0ffe07
--- /dev/null
+++ b/Misc/NEWS.d/3.4.7rc1.rst
@@ -0,0 +1,99 @@
+.. bpo: 29591
+.. date: 2017-07-11-22-26-48
+.. nonce: cOeMX-
+.. release date: 2017-07-23
+.. section: Security
+
+Update expat copy from 2.1.1 to 2.2.0 to get fixes of CVE-2016-0718 and
+CVE-2016-4472. See https://sourceforge.net/p/expat/bugs/537/ for more
+information.
+
+..
+
+.. bpo: 30694
+.. date: 2017-07-11-22-25-24
+.. nonce: oOf3Er
+.. section: Security
+
+Upgrade expat copy from 2.2.0 to 2.2.1 to get fixes of multiple security
+vulnerabilities including: CVE-2017-9233 (External entity infinite loop
+DoS), CVE-2016-9063 (Integer overflow, re-fix), CVE-2016-0718 (Fix
+regression bugs from 2.2.0's fix to CVE-2016-0718) and CVE-2012-0876
+(Counter hash flooding with SipHash). Note: the CVE-2016-5300 (Use os-
+specific entropy sources like getrandom) doesn't impact Python, since Python
+already gets entropy from the OS to set the expat secret using
+``XML_SetHashSalt()``.
+
+..
+
+.. bpo: 26657
+.. date: 2017-07-11-22-07-03
+.. nonce: wvpzFD
+.. section: Security
+
+Fix directory traversal vulnerability with http.server on Windows. This
+fixes a regression that was introduced in 3.3.4rc1 and 3.4.0rc1. Based on
+patch by Philipp Hagemeister.
+
+..
+
+.. bpo: 30500
+.. date: 2017-07-11-22-02-51
+.. nonce: wXUrkQ
+.. section: Security
+
+Fix urllib.parse.splithost() to correctly parse fragments. For example,
+``splithost('//127.0.0.1#@evil.com/')`` now correctly returns the
+``127.0.0.1`` host, instead of treating ``@evil.com`` as the host in an
+authentification (``login@host``).
+
+..
+
+.. bpo: 30730
+.. date: 02
+.. nonce: ZF8XGV
+.. original section: Library
+.. section: Security
+
+Prevent environment variables injection in subprocess on Windows. Prevent
+passing other invalid environment variables and command arguments.
+
+..
+
+.. bpo: 26617
+.. date: 2017-07-15-13-55-22
+.. nonce: Gh5LvN
+.. section: Core and Builtins
+
+Fix crash when GC runs during weakref callbacks.
+
+..
+
+.. bpo: 27945
+.. date: 04
+.. nonce: p29r3O
+.. section: Core and Builtins
+
+Fixed various segfaults with dict when input collections are mutated during
+searching, inserting or comparing. Based on patches by Duane Griffin and
+Tim Mitchell.
+
+..
+
+.. bpo: 27850
+.. date: 01
+.. nonce: kIVQ0m
+.. section: Library
+
+Remove 3DES from ssl module's default cipher list to counter measure sweet32
+attack (CVE-2016-2183).
+
+..
+
+.. bpo: 25008
+.. date: 03
+.. nonce: CeIzyU
+.. section: Documentation
+
+Document smtpd.py as effectively deprecated and add a pointer to aiosmtpd, a
+third-party asyncio-based replacement.
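Review bot: The bpo-27850 entry near the end of this file (removing 3DES from the ssl module's default cipher list for CVE-2016-2183) is filed under ``.. section: Library``, while bpo-30730 in the same file was reclassified to Security with ``.. original section: Library``. Consider giving bpo-27850 the same treatment so the Sweet32 mitigation is listed with the other security fixes in the 3.4.7rc1 notes. Two wording points in the consolidated text: "authentification" in the bpo-30500 entry should read "authentication", and the line break after "os-" in the bpo-30694 entry will render as "os- specific", so "os-specific" should stay on one line.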
diff --git a/Misc/NEWS.d/next/Core and Builtins/04.bpo-27945.p29r3O.rst b/Misc/NEWS.d/next/Core and Builtins/04.bpo-27945.p29r3O.rst
deleted file mode 100644
index da5b8d1a2c..0000000000
--- a/Misc/NEWS.d/next/Core and Builtins/04.bpo-27945.p29r3O.rst
+++ /dev/null
@@ -1,3 +0,0 @@
-Fixed various segfaults with dict when input collections are mutated during
-searching, inserting or comparing. Based on patches by Duane Griffin and
-Tim Mitchell.
diff --git a/Misc/NEWS.d/next/Core and Builtins/2017-07-15-13-55-22.bpo-26617.Gh5LvN.rst b/Misc/NEWS.d/next/Core and Builtins/2017-07-15-13-55-22.bpo-26617.Gh5LvN.rst
deleted file mode 100644
index c3a41396df..0000000000
--- a/Misc/NEWS.d/next/Core and Builtins/2017-07-15-13-55-22.bpo-26617.Gh5LvN.rst
+++ /dev/null
@@ -1 +0,0 @@
-Fix crash when GC runs during weakref callbacks.
diff --git a/Misc/NEWS.d/next/Documentation/03.bpo-25008.CeIzyU.rst b/Misc/NEWS.d/next/Documentation/03.bpo-25008.CeIzyU.rst
deleted file mode 100644
index ea4046ead7..0000000000
--- a/Misc/NEWS.d/next/Documentation/03.bpo-25008.CeIzyU.rst
+++ /dev/null
@@ -1,2 +0,0 @@
-Document smtpd.py as effectively deprecated and add a pointer to aiosmtpd, a
-third-party asyncio-based replacement.
diff --git a/Misc/NEWS.d/next/Library/01.bpo-27850.kIVQ0m.rst b/Misc/NEWS.d/next/Library/01.bpo-27850.kIVQ0m.rst
deleted file mode 100644
index f21375d16d..0000000000
--- a/Misc/NEWS.d/next/Library/01.bpo-27850.kIVQ0m.rst
+++ /dev/null
@@ -1,2 +0,0 @@
-Remove 3DES from ssl module's default cipher list to counter measure sweet32
-attack (CVE-2016-2183).
diff --git a/Misc/NEWS.d/next/Security/02.bpo-30730.ZF8XGV.rst b/Misc/NEWS.d/next/Security/02.bpo-30730.ZF8XGV.rst
deleted file mode 100644
index 2c764439a0..0000000000
--- a/Misc/NEWS.d/next/Security/02.bpo-30730.ZF8XGV.rst
+++ /dev/null
@@ -1,4 +0,0 @@
-.. original section: Library
-
-Prevent environment variables injection in subprocess on Windows. Prevent
-passing other invalid environment variables and command arguments.
diff --git a/Misc/NEWS.d/next/Security/2017-07-11-22-02-51.bpo-30500.wXUrkQ.rst b/Misc/NEWS.d/next/Security/2017-07-11-22-02-51.bpo-30500.wXUrkQ.rst
deleted file mode 100644
index 6570e709d6..0000000000
--- a/Misc/NEWS.d/next/Security/2017-07-11-22-02-51.bpo-30500.wXUrkQ.rst
+++ /dev/null
@@ -1,4 +0,0 @@
-Fix urllib.parse.splithost() to correctly parse fragments. For example,
-``splithost('//127.0.0.1#@evil.com/')`` now correctly returns the
-``127.0.0.1`` host, instead of treating ``@evil.com`` as the host in an
-authentification (``login@host``).
diff --git a/Misc/NEWS.d/next/Security/2017-07-11-22-07-03.bpo-26657.wvpzFD.rst b/Misc/NEWS.d/next/Security/2017-07-11-22-07-03.bpo-26657.wvpzFD.rst
deleted file mode 100644
index ac1dc14d06..0000000000
--- a/Misc/NEWS.d/next/Security/2017-07-11-22-07-03.bpo-26657.wvpzFD.rst
+++ /dev/null
@@ -1,3 +0,0 @@
-Fix directory traversal vulnerability with http.server on Windows. This
-fixes a regression that was introduced in 3.3.4rc1 and 3.4.0rc1. Based on
-patch by Philipp Hagemeister.
diff --git a/Misc/NEWS.d/next/Security/2017-07-11-22-25-24.bpo-30694.oOf3Er.rst b/Misc/NEWS.d/next/Security/2017-07-11-22-25-24.bpo-30694.oOf3Er.rst
deleted file mode 100644
index ee2c0a5c35..0000000000
--- a/Misc/NEWS.d/next/Security/2017-07-11-22-25-24.bpo-30694.oOf3Er.rst
+++ /dev/null
@@ -1,8 +0,0 @@
-Upgrade expat copy from 2.2.0 to 2.2.1 to get fixes of multiple security
-vulnerabilities including: CVE-2017-9233 (External entity infinite loop
-DoS), CVE-2016-9063 (Integer overflow, re-fix), CVE-2016-0718 (Fix
-regression bugs from 2.2.0's fix to CVE-2016-0718) and CVE-2012-0876
-(Counter hash flooding with SipHash). Note: the CVE-2016-5300 (Use os-
-specific entropy sources like getrandom) doesn't impact Python, since Python
-already gets entropy from the OS to set the expat secret using
-``XML_SetHashSalt()``.
diff --git a/Misc/NEWS.d/next/Security/2017-07-11-22-26-48.bpo-29591.cOeMX-.rst b/Misc/NEWS.d/next/Security/2017-07-11-22-26-48.bpo-29591.cOeMX-.rst
deleted file mode 100644
index ca740bb1b1..0000000000
--- a/Misc/NEWS.d/next/Security/2017-07-11-22-26-48.bpo-29591.cOeMX-.rst
+++ /dev/null
@@ -1,3 +0,0 @@
-Update expat copy from 2.1.1 to 2.2.0 to get fixes of CVE-2016-0718 and
-CVE-2016-4472. See https://sourceforge.net/p/expat/bugs/537/ for more
-information.