|
| 1 | +.. date: 2025-04-07-04-11-08 |
| 2 | +.. gh-issue: 131809 |
| 3 | +.. nonce: 4MBDuy |
| 4 | +.. release date: 2025-04-08 |
| 5 | +.. section: Security |
| 6 | +
|
| 7 | +Update bundled libexpat to 2.7.1 |
| 8 | + |
| 9 | +.. |
| 10 | +
|
| 11 | +.. date: 2025-03-14-23-28-39 |
| 12 | +.. gh-issue: 131261 |
| 13 | +.. nonce: 0aB6nM |
| 14 | +.. section: Security |
| 15 | +
|
| 16 | +Upgrade to libexpat 2.7.0 |
| 17 | + |
| 18 | +.. |
| 19 | +
|
| 20 | +.. date: 2025-01-28-14-08-03 |
| 21 | +.. gh-issue: 105704 |
| 22 | +.. nonce: EnhHxu |
| 23 | +.. section: Security |
| 24 | +
|
| 25 | +When using :func:`urllib.parse.urlsplit` and :func:`urllib.parse.urlparse` |
| 26 | +host parsing would not reject domain names containing square brackets (``[`` |
| 27 | +and ``]``). Square brackets are only valid for IPv6 and IPvFuture hosts |
| 28 | +according to `RFC 3986 Section 3.2.2 |
| 29 | +<https://www.rfc-editor.org/rfc/rfc3986#section-3.2.2>`__. |
| 30 | + |
| 31 | +.. |
| 32 | +
|
| 33 | +.. date: 2024-08-06-12-27-34 |
| 34 | +.. gh-issue: 121284 |
| 35 | +.. nonce: 8rwPxe |
| 36 | +.. section: Security |
| 37 | +
|
| 38 | +Fix bug in the folding of rfc2047 encoded-words when flattening an email |
| 39 | +message using a modern email policy. Previously when an encoded-word was too |
| 40 | +long for a line, it would be decoded, split across lines, and re-encoded. |
| 41 | +But commas and other special characters in the original text could be left |
| 42 | +unencoded and unquoted. This could theoretically be used to spoof header |
| 43 | +lines using a carefully constructed encoded-word if the resulting rendered |
| 44 | +email was transmitted or re-parsed. |
| 45 | + |
| 46 | +.. |
| 47 | +
|
| 48 | +.. date: 2024-08-06-11-43-08 |
| 49 | +.. gh-issue: 80222 |
| 50 | +.. nonce: wfR4BU |
| 51 | +.. section: Security |
| 52 | +
|
| 53 | +Fix bug in the folding of quoted strings when flattening an email message |
| 54 | +using a modern email policy. Previously when a quoted string was folded so |
| 55 | +that it spanned more than one line, the surrounding quotes and internal |
| 56 | +escapes would be omitted. This could theoretically be used to spoof header |
| 57 | +lines using a carefully constructed quoted string if the resulting rendered |
| 58 | +email was transmitted or re-parsed. |
| 59 | + |
| 60 | +.. |
| 61 | +
|
| 62 | +.. date: 2024-05-24-21-00-52 |
| 63 | +.. gh-issue: 119511 |
| 64 | +.. nonce: jKrXQ8 |
| 65 | +.. section: Security |
| 66 | +
|
| 67 | +Fix a potential denial of service in the :mod:`imaplib` module. When |
| 68 | +connecting to a malicious server, it could cause an arbitrary amount of |
| 69 | +memory to be allocated. On many systems this is harmless as unused virtual |
| 70 | +memory is only a mapping, but if this hit a virtual address size limit it |
| 71 | +could lead to a :exc:`MemoryError` or other process crash. On unusual |
| 72 | +systems or builds where all allocated memory is touched and backed by actual |
| 73 | +ram or storage it could've consumed resources doing so until similarly |
| 74 | +crashing. |
| 75 | + |
| 76 | +.. |
| 77 | +
|
| 78 | +.. date: 2024-11-28-14-14-46 |
| 79 | +.. gh-issue: 127257 |
| 80 | +.. nonce: n6-jU9 |
| 81 | +.. section: Library |
| 82 | +
|
| 83 | +In :mod:`ssl`, system call failures that OpenSSL reports using |
| 84 | +``ERR_LIB_SYS`` are now raised as :exc:`OSError`. |
| 85 | + |
| 86 | +.. |
| 87 | +
|
| 88 | +.. date: 2024-07-19-12-22-48 |
| 89 | +.. gh-issue: 121277 |
| 90 | +.. nonce: wF_zKd |
| 91 | +.. section: Documentation |
| 92 | +
|
| 93 | +Writers of CPython's documentation can now use ``next`` as the version for |
| 94 | +the ``versionchanged``, ``versionadded``, ``deprecated`` directives. |
0 commit comments