.. bpo: 38945
.. date: 2019-12-01-22-44-40
.. nonce: ztmNXc
.. release date: 2019-12-11
.. section: Security

Newline characters have been escaped when performing uu encoding to prevent
them from overflowing into to content section of the encoded file. This
prevents malicious or accidental modification of data during the decoding
process.

..

.. bpo: 37228
.. date: 2019-11-21-21-36-54
.. nonce: yBZnFG
.. section: Security

Due to significant security concerns, the *reuse_address* parameter of
:meth:`asyncio.loop.create_datagram_endpoint` is no longer supported. This
is because of the behavior of ``SO_REUSEADDR`` in UDP. For more details, see
the documentation for ``loop.create_datagram_endpoint()``. (Contributed by
Kyle Stanley, Antoine Pitrou, and Yury Selivanov in :issue:`37228`.)

..

.. bpo: 38804
.. date: 2019-11-15-00-54-42
.. nonce: vjbM8V
.. section: Security

Fixes a ReDoS vulnerability in :mod:`http.cookiejar`. Patch by Ben Caller.

..

.. bpo: 38243
.. date: 2019-09-25-13-21-09
.. nonce: 1pfz24
.. section: Security

Escape the server title of :class:`xmlrpc.server.DocXMLRPCServer` when
rendering the document page as HTML. (Contributed by Dong-hee Na in
:issue:`38243`.)

..

.. bpo: 38174
.. date: 2019-09-23-21-02-46
.. nonce: MeWuJd
.. section: Security

Update vendorized expat library version to 2.2.8, which resolves
CVE-2019-15903.

..

.. bpo: 37461
.. date: 2019-07-16-08-11-00
.. nonce: 1Ahz7O
.. section: Security

Fix an infinite loop when parsing specially crafted email headers. Patch by
Abhilash Raj.

..

.. bpo: 34155
.. date: 2019-05-04-13-33-37
.. nonce: MJll68
.. section: Security

Fix parsing of invalid email addresses with more than one ``@`` (e.g.
a@b@c.com.) to not return the part before 2nd ``@`` as valid email address.
Patch by maxking & jpic.

..

.. bpo: 38216
.. date: 2019-09-27-15-24-45
.. nonce: -7yvZR
.. section: Library

Allow the rare code that wants to send invalid http requests from the
`http.client` library a way to do so.  The fixes for bpo-30458 led to
breakage for some projects that were relying on this ability to test their
own behavior in the face of bad requests.

..

.. bpo: 36564
.. date: 2019-04-08-13-00-13
.. nonce: _n67m_
.. section: Library

Fix infinite loop in email header folding logic that would be triggered when
an email policy's max_line_length is not long enough to include the required
markup and any values in the message. Patch by Paul Ganssle