.. bpo: 38945
.. date: 2019-12-01-22-44-40
.. nonce: ztmNXc
.. release date: 2019-12-11
.. section: Security
Newline characters have been escaped when performing uu encoding to prevent
them from overflowing into the content section of the encoded file. This
prevents malicious or accidental modification of data during the decoding
process.
..
.. bpo: 37228
.. date: 2019-11-21-21-36-54
.. nonce: yBZnFG
.. section: Security
Due to significant security concerns, the *reuse_address* parameter of
:meth:`asyncio.loop.create_datagram_endpoint` is no longer supported. This
is because of the behavior of ``SO_REUSEADDR`` in UDP. For more details, see
the documentation for ``loop.create_datagram_endpoint()``. (Contributed by
Kyle Stanley, Antoine Pitrou, and Yury Selivanov in :issue:`37228`.)
..
.. bpo: 38804
.. date: 2019-11-15-00-54-42
.. nonce: vjbM8V
.. section: Security
Fixes a ReDoS vulnerability in :mod:`http.cookiejar`. Patch by Ben Caller.
..
.. bpo: 38243
.. date: 2019-09-25-13-21-09
.. nonce: 1pfz24
.. section: Security
Escape the server title of :class:`xmlrpc.server.DocXMLRPCServer` when
rendering the document page as HTML. (Contributed by Dong-hee Na in
:issue:`38243`.)
..
.. bpo: 38174
.. date: 2019-09-23-21-02-46
.. nonce: MeWuJd
.. section: Security
Update vendorized expat library version to 2.2.8, which resolves
CVE-2019-15903.
..
.. bpo: 37461
.. date: 2019-07-16-08-11-00
.. nonce: 1Ahz7O
.. section: Security
Fix an infinite loop when parsing specially crafted email headers. Patch by
Abhilash Raj.
..
.. bpo: 34155
.. date: 2019-05-04-13-33-37
.. nonce: MJll68
.. section: Security
Fix parsing of invalid email addresses with more than one ``@`` (e.g.
``a@b@c.com``) to not return the part before the 2nd ``@`` as a valid email
address. Patch by maxking & jpic.
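
An added example, not part of the CPython change itself: a recipient check that holds whether or not the interpreter carries this fix, because it validates the parsed address against the whole input. ``ALLOWED_DOMAINS``, ``safe_recipient`` and ``parser_rejects_double_at`` are hypothetical names, and the sample inputs are constructed.

```python
from email.utils import parseaddr

ALLOWED_DOMAINS = {"example.org"}  # hypothetical allowlist (assumption)


def parser_rejects_double_at():
    """True if this interpreter's parser refuses 'a@b@c.com' (the entry's example)."""
    return parseaddr("a@b@c.com") == ("", "")


def safe_recipient(raw):
    """Return a normalised bare address in an allowed domain, or None.

    Display-name forms such as 'Name <user@host>' are deliberately rejected.
    """
    candidate = raw.strip()
    if not candidate or any(ch in candidate for ch in "\r\n"):
        return None
    _name, addr = parseaddr(candidate)
    # The parsed address must account for the whole input. This rejects any
    # input where the parser returned only a prefix of what was submitted.
    if not addr or addr != candidate:
        return None
    # Independent of parser version: exactly one "@" in the address.
    if addr.count("@") != 1:
        return None
    local, domain = addr.split("@")
    # Decide on the value that will actually be used, not on the raw string.
    if not local or domain.lower() not in ALLOWED_DOMAINS:
        return None
    return f"{local}@{domain.lower()}"


# Constructed sample inputs, not taken from the bug report.
SAMPLES = [
    "alice@example.org",
    "a@b@c.com",
    "a@other.test@example.org",
    "bob@other.test",
    "Alice <alice@example.org>",
]

if __name__ == "__main__":
    print("parser rejects double @:", parser_rejects_double_at())
    for sample in SAMPLES:
        print(repr(sample), "->", safe_recipient(sample))
```
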
..
.. bpo: 38216
.. date: 2019-09-27-15-24-45
.. nonce: -7yvZR
.. section: Library
Allow the rare code that wants to send invalid http requests from the
:mod:`http.client` library a way to do so. The fixes for bpo-30458 led to
breakage for some projects that were relying on this ability to test their
own behavior in the face of bad requests.
..
.. bpo: 36564
.. date: 2019-04-08-13-00-13
.. nonce: _n67m_
.. section: Library
Fix infinite loop in email header folding logic that would be triggered when
an email policy's max_line_length is not long enough to include the required
markup and any values in the message. Patch by Paul Ganssle.