diff options
Diffstat (limited to 'Misc/NEWS.d')
17 files changed, 165 insertions, 32 deletions
diff --git a/Misc/NEWS.d/3.6.9rc1.rst b/Misc/NEWS.d/3.6.9rc1.rst new file mode 100644 index 0000000000..c810151faf --- /dev/null +++ b/Misc/NEWS.d/3.6.9rc1.rst @@ -0,0 +1,165 @@ +.. bpo: 35907 +.. date: 2019-05-21-23-20-18 +.. nonce: NC_zNK +.. release date: 2019-06-18 +.. section: Security + +CVE-2019-9948: Avoid file reading by disallowing ``local-file://`` and +``local_file://`` URL schemes in ``URLopener().open()`` and +``URLopener().retrieve()`` of :mod:`urllib.request`. + +.. + +.. bpo: 36742 +.. date: 2019-04-29-15-34-59 +.. nonce: QCUY0i +.. section: Security + +Fixes mishandling of pre-normalization characters in urlsplit(). + +.. + +.. bpo: 30458 +.. date: 2019-04-10-08-53-30 +.. nonce: 51E-DA +.. section: Security + +Address CVE-2019-9740 by disallowing URL paths with embedded whitespace or +control characters through into the underlying http client request. Such +potentially malicious header injection URLs now cause an +http.client.InvalidURL exception to be raised. + +.. + +.. bpo: 36216 +.. date: 2019-03-06-09-38-40 +.. nonce: 6q1m4a +.. section: Security + +Changes urlsplit() to raise ValueError when the URL contains characters that +decompose under IDNA encoding (NFKC-normalization) into characters that +affect how the URL is parsed. + +.. + +.. bpo: 33529 +.. date: 2019-02-24-18-48-16 +.. nonce: wpNNBD +.. section: Security + +Prevent fold function used in email header encoding from entering infinite +loop when there are too many non-ASCII characters in a header. + +.. + +.. bpo: 35746 +.. date: 2019-01-15-18-16-05 +.. nonce: nMSd0j +.. section: Security + +[CVE-2019-5010] Fix a NULL pointer deref in ssl module. The cert parser did +not handle CRL distribution points with empty DP or URI correctly. A +malicious or buggy certificate can result into segfault. Vulnerability +(TALOS-2018-0758) reported by Colin Read and Nicolas Edet of Cisco. + +.. + +.. bpo: 35121 +.. date: 2018-10-31-15-39-17 +.. nonce: EgHv9k +.. section: Security + +Don't send cookies of domain A without Domain attribute to domain B when +domain A is a suffix match of domain B while using a cookiejar with +:class:`http.cookiejar.DefaultCookiePolicy` policy. Patch by Karthikeyan +Singaravelan. + +.. + +.. bpo: 35643 +.. date: 2019-01-02-20-04-49 +.. nonce: DaMiaV +.. section: Library + +Fixed a SyntaxWarning: invalid escape sequence in Modules/_sha3/cleanup.py. +Patch by Mickaël Schoentgen. + +.. + +.. bpo: 35121 +.. date: 2018-12-30-14-35-19 +.. nonce: oWmiGU +.. section: Library + +Don't set cookie for a request when the request path is a prefix match of +the cookie's path attribute but doesn't end with "/". Patch by Karthikeyan +Singaravelan. + +.. + +.. bpo: 35605 +.. date: 2018-12-30-09-56-13 +.. nonce: gAWt32 +.. section: Documentation + +Fix documentation build for sphinx<1.6. Patch by Anthony Sottile. + +.. + +.. bpo: 35564 +.. date: 2018-12-22-22-52-05 +.. nonce: TuEU_D +.. section: Documentation + +Explicitly set master_doc variable in conf.py for compliance with Sphinx 2.0 + +.. + +.. bpo: 36816 +.. date: 2019-05-08-15-55-46 +.. nonce: WBKRGZ +.. section: Tests + +Update Lib/test/selfsigned_pythontestdotnet.pem to match +self-signed.pythontest.net's new TLS certificate. + +.. + +.. bpo: 35925 +.. date: 2019-05-06-18-29-54 +.. nonce: gwQPuC +.. section: Tests + +Skip specific nntplib and ssl networking tests when they would otherwise +fail due to a modern OS or distro with a default OpenSSL policy of rejecting +connections to servers with weak certificates or disabling TLS below +TLSv1.2. + +.. + +.. bpo: 27313 +.. date: 2019-02-24-01-58-38 +.. nonce: Sj9veH +.. section: Tests + +Avoid test_ttk_guionly ComboboxTest failure with macOS Cocoa Tk. + +.. + +.. bpo: 32947 +.. date: 2019-01-18-17-46-10 +.. nonce: Hk0KnM +.. section: Tests + +test_ssl fixes for TLS 1.3 and OpenSSL 1.1.1. + +.. + +.. bpo: 34602 +.. date: 2019-04-29-10-54-14 +.. nonce: Lrl2zU +.. section: macOS + +Avoid failures setting macOS stack resource limit with resource.setrlimit. +This reverts an earlier fix for bpo-18075 which forced a non-default stack +size when building the interpreter executable on macOS. diff --git a/Misc/NEWS.d/next/Documentation/2018-12-22-22-52-05.bpo-35564.TuEU_D.rst b/Misc/NEWS.d/next/Documentation/2018-12-22-22-52-05.bpo-35564.TuEU_D.rst deleted file mode 100644 index 8ca95eed4c..0000000000 --- a/Misc/NEWS.d/next/Documentation/2018-12-22-22-52-05.bpo-35564.TuEU_D.rst +++ /dev/null @@ -1 +0,0 @@ -Explicitly set master_doc variable in conf.py for compliance with Sphinx 2.0 diff --git a/Misc/NEWS.d/next/Documentation/2018-12-30-09-56-13.bpo-35605.gAWt32.rst b/Misc/NEWS.d/next/Documentation/2018-12-30-09-56-13.bpo-35605.gAWt32.rst deleted file mode 100644 index cbc0f1e07f..0000000000 --- a/Misc/NEWS.d/next/Documentation/2018-12-30-09-56-13.bpo-35605.gAWt32.rst +++ /dev/null @@ -1 +0,0 @@ -Fix documentation build for sphinx<1.6. Patch by Anthony Sottile. diff --git a/Misc/NEWS.d/next/Library/2018-12-30-14-35-19.bpo-35121.oWmiGU.rst b/Misc/NEWS.d/next/Library/2018-12-30-14-35-19.bpo-35121.oWmiGU.rst deleted file mode 100644 index 032e1e2c00..0000000000 --- a/Misc/NEWS.d/next/Library/2018-12-30-14-35-19.bpo-35121.oWmiGU.rst +++ /dev/null @@ -1,3 +0,0 @@ -Don't set cookie for a request when the request path is a prefix match of -the cookie's path attribute but doesn't end with "/". Patch by Karthikeyan -Singaravelan. diff --git a/Misc/NEWS.d/next/Library/2019-01-02-20-04-49.bpo-35643.DaMiaV.rst b/Misc/NEWS.d/next/Library/2019-01-02-20-04-49.bpo-35643.DaMiaV.rst deleted file mode 100644 index 0b47bb61fc..0000000000 --- a/Misc/NEWS.d/next/Library/2019-01-02-20-04-49.bpo-35643.DaMiaV.rst +++ /dev/null @@ -1,2 +0,0 @@ -Fixed a SyntaxWarning: invalid escape sequence in Modules/_sha3/cleanup.py. -Patch by Mickaël Schoentgen. diff --git a/Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst b/Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst deleted file mode 100644 index d2eb8f1f35..0000000000 --- a/Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst +++ /dev/null @@ -1,4 +0,0 @@ -Don't send cookies of domain A without Domain attribute to domain B -when domain A is a suffix match of domain B while using a cookiejar -with :class:`http.cookiejar.DefaultCookiePolicy` policy. Patch by -Karthikeyan Singaravelan. diff --git a/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst deleted file mode 100644 index fc703b9c24..0000000000 --- a/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst +++ /dev/null @@ -1,4 +0,0 @@ -[CVE-2019-5010] Fix a NULL pointer deref in ssl module. The cert parser did -not handle CRL distribution points with empty DP or URI correctly. A -malicious or buggy certificate can result into segfault. Vulnerability -(TALOS-2018-0758) reported by Colin Read and Nicolas Edet of Cisco. diff --git a/Misc/NEWS.d/next/Security/2019-02-24-18-48-16.bpo-33529.wpNNBD.rst b/Misc/NEWS.d/next/Security/2019-02-24-18-48-16.bpo-33529.wpNNBD.rst deleted file mode 100644 index 84d16f5a56..0000000000 --- a/Misc/NEWS.d/next/Security/2019-02-24-18-48-16.bpo-33529.wpNNBD.rst +++ /dev/null @@ -1,2 +0,0 @@ -Prevent fold function used in email header encoding from entering infinite -loop when there are too many non-ASCII characters in a header. diff --git a/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst deleted file mode 100644 index 5546394157..0000000000 --- a/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst +++ /dev/null @@ -1,3 +0,0 @@ -Changes urlsplit() to raise ValueError when the URL contains characters that -decompose under IDNA encoding (NFKC-normalization) into characters that -affect how the URL is parsed. diff --git a/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst b/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst deleted file mode 100644 index ed8027fb4d..0000000000 --- a/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst +++ /dev/null @@ -1 +0,0 @@ -Address CVE-2019-9740 by disallowing URL paths with embedded whitespace or control characters through into the underlying http client request. Such potentially malicious header injection URLs now cause an http.client.InvalidURL exception to be raised. diff --git a/Misc/NEWS.d/next/Security/2019-04-29-15-34-59.bpo-36742.QCUY0i.rst b/Misc/NEWS.d/next/Security/2019-04-29-15-34-59.bpo-36742.QCUY0i.rst deleted file mode 100644 index d729ed2f3c..0000000000 --- a/Misc/NEWS.d/next/Security/2019-04-29-15-34-59.bpo-36742.QCUY0i.rst +++ /dev/null @@ -1 +0,0 @@ -Fixes mishandling of pre-normalization characters in urlsplit(). diff --git a/Misc/NEWS.d/next/Security/2019-05-21-23-20-18.bpo-35907.NC_zNK.rst b/Misc/NEWS.d/next/Security/2019-05-21-23-20-18.bpo-35907.NC_zNK.rst deleted file mode 100644 index 37b567a5b6..0000000000 --- a/Misc/NEWS.d/next/Security/2019-05-21-23-20-18.bpo-35907.NC_zNK.rst +++ /dev/null @@ -1,3 +0,0 @@ -CVE-2019-9948: Avoid file reading by disallowing ``local-file://`` and -``local_file://`` URL schemes in ``URLopener().open()`` and -``URLopener().retrieve()`` of :mod:`urllib.request`. diff --git a/Misc/NEWS.d/next/Tests/2019-01-18-17-46-10.bpo-32947.Hk0KnM.rst b/Misc/NEWS.d/next/Tests/2019-01-18-17-46-10.bpo-32947.Hk0KnM.rst deleted file mode 100644 index f508504ea6..0000000000 --- a/Misc/NEWS.d/next/Tests/2019-01-18-17-46-10.bpo-32947.Hk0KnM.rst +++ /dev/null @@ -1 +0,0 @@ -test_ssl fixes for TLS 1.3 and OpenSSL 1.1.1. diff --git a/Misc/NEWS.d/next/Tests/2019-02-24-01-58-38.bpo-27313.Sj9veH.rst b/Misc/NEWS.d/next/Tests/2019-02-24-01-58-38.bpo-27313.Sj9veH.rst deleted file mode 100644 index 189b9cf69f..0000000000 --- a/Misc/NEWS.d/next/Tests/2019-02-24-01-58-38.bpo-27313.Sj9veH.rst +++ /dev/null @@ -1 +0,0 @@ -Avoid test_ttk_guionly ComboboxTest failure with macOS Cocoa Tk. diff --git a/Misc/NEWS.d/next/Tests/2019-05-06-18-29-54.bpo-35925.gwQPuC.rst b/Misc/NEWS.d/next/Tests/2019-05-06-18-29-54.bpo-35925.gwQPuC.rst deleted file mode 100644 index 428326cdfe..0000000000 --- a/Misc/NEWS.d/next/Tests/2019-05-06-18-29-54.bpo-35925.gwQPuC.rst +++ /dev/null @@ -1 +0,0 @@ -Skip specific nntplib and ssl networking tests when they would otherwise fail due to a modern OS or distro with a default OpenSSL policy of rejecting connections to servers with weak certificates or disabling TLS below TLSv1.2. diff --git a/Misc/NEWS.d/next/Tests/2019-05-08-15-55-46.bpo-36816.WBKRGZ.rst b/Misc/NEWS.d/next/Tests/2019-05-08-15-55-46.bpo-36816.WBKRGZ.rst deleted file mode 100644 index 420dfe8323..0000000000 --- a/Misc/NEWS.d/next/Tests/2019-05-08-15-55-46.bpo-36816.WBKRGZ.rst +++ /dev/null @@ -1 +0,0 @@ -Update Lib/test/selfsigned_pythontestdotnet.pem to match self-signed.pythontest.net's new TLS certificate.
\ No newline at end of file diff --git a/Misc/NEWS.d/next/macOS/2019-04-29-10-54-14.bpo-34602.Lrl2zU.rst b/Misc/NEWS.d/next/macOS/2019-04-29-10-54-14.bpo-34602.Lrl2zU.rst deleted file mode 100644 index 6f7ac881c8..0000000000 --- a/Misc/NEWS.d/next/macOS/2019-04-29-10-54-14.bpo-34602.Lrl2zU.rst +++ /dev/null @@ -1,3 +0,0 @@ -Avoid failures setting macOS stack resource limit with resource.setrlimit. -This reverts an earlier fix for bpo-18075 which forced a non-default stack -size when building the interpreter executable on macOS. |