https://github.com/python/cpython
Tip revision: 17bf6b4671ec02d80ad29b278639d5307baddeb5 authored by Ned Deily on 19 September 2017, 07:32:02 UTC
Bump to 3.3.7
3.3.7rc1.rst
.. bpo: 30947
.. date: 2017-09-05-20-34-44
.. nonce: iNMmm4
.. release date: 2017-09-05
.. section: Security
Upgrade libexpat embedded copy from version 2.2.1 to 2.2.3 to get security
fixes.
..
.. bpo: 26657
.. date: 2017-07-11-22-07-03
.. nonce: wvpzFD
.. section: Security
Fix directory traversal vulnerability with http.server on Windows. This
fixes a regression that was introduced in 3.3.4rc1 and 3.4.0rc1. Based on
patch by Philipp Hagemeister.
..
.. bpo: 30500
.. date: 2017-07-11-22-02-51
.. nonce: wXUrkQ
.. section: Security
Fix urllib.parse.splithost() to correctly parse fragments. For example,
``splithost('//127.0.0.1#@evil.com/')`` now correctly returns the
``127.0.0.1`` host, instead of treating ``@evil.com`` as the host of a
``login@host`` authentication form.
..
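As an added example (not part of the original release notes or of CPython), the snippet below shows where each piece of the ``//127.0.0.1#@evil.com/`` URL ends up once the host is cut at the first ``/``, ``?`` or ``#``. It compares the fixed ``splithost()`` with ``urlsplit()``, the API its deprecation notice recommends; the two extra lookalike URLs are constructed for the example.

```python
"""Added example: where the host ends in URLs like the one from bpo-30500.

splithost() is deprecated since Python 3.8 in favour of urlsplit()/urlparse(),
so both are shown; the deprecation warning is silenced only for the comparison.
"""
import urllib.parse
import warnings


def host_via_splithost(url):
    """Host part as urllib.parse.splithost() reports it. With the fix, the
    host ends at the first '/', '?' or '#', so a fragment can no longer
    smuggle an '@' into the host."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        host, _rest = urllib.parse.splithost(url)
    return host


def url_parts(url):
    """Break a URL into the pieces a reviewer wants to see: which host would
    actually be contacted, and where the user-supplied decoration went."""
    parts = urllib.parse.urlsplit(url)
    return {
        "hostname": parts.hostname,   # the host that would be connected to
        "userinfo": parts.username,   # anything before an '@' in the netloc
        "path": parts.path,
        "query": parts.query,
        "fragment": parts.fragment,
    }


# Constructed samples. The first is the case from the release note; the
# others move the '@evil.com' decoy into the query and into the userinfo.
SAMPLES = [
    "//127.0.0.1#@evil.com/",
    "//127.0.0.1?@evil.com/",
    "//login@evil.com/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", host_via_splithost(sample), url_parts(sample))
```

Note that ``splithost()`` returns the netloc including any ``login@`` prefix, while ``urlsplit(...).hostname`` strips it; when validating a destination against an allow-list, compare the ``hostname`` field rather than the raw netloc.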
.. bpo: 30730
.. date: 023
.. nonce: ZF8XGV
.. original section: Library
.. section: Security
Prevent environment variable injection in subprocess on Windows, and prevent
passing other invalid environment variables and command arguments.
..
.. bpo: 30585
.. date: 022
.. nonce: W_u2bO
.. original section: Library
.. section: Security
Fix TLS stripping vulnerability in smtplib, CVE-2016-0772. Reported by Team
Oststrom.
..
.. bpo: 30694
.. date: 021
.. nonce: WkMWM_
.. original section: Library
.. section: Security
Upgrade expat copy from 2.2.0 to 2.2.1 to get fixes of multiple security
vulnerabilities including: CVE-2017-9233 (External entity infinite loop
DoS), CVE-2016-9063 (Integer overflow, re-fix), CVE-2016-0718 (Fix
regression bugs from 2.2.0's fix to CVE-2016-0718) and CVE-2012-0876
(Counter hash flooding with SipHash). Note: CVE-2016-5300 (use OS-specific
entropy sources like getrandom) does not affect Python, since Python already
gets entropy from the OS to set the expat secret using
``XML_SetHashSalt()``.
..
.. bpo: 29591
.. date: 020
.. nonce: -hhJCP
.. original section: Library
.. section: Security
Update expat copy from 2.1.0 to 2.2.0 to get fixes of CVE-2016-0718 and
CVE-2016-4472. See https://sourceforge.net/p/expat/bugs/537/ for more
information.
..
.. bpo: 27945
.. date: 033
.. nonce: p29r3O
.. section: Core and Builtins
Fixed various segfaults with dict when input collections are mutated during
searching, inserting or comparing. Based on patches by Duane Griffin and
Tim Mitchell.
..
.. bpo: 28648
.. date: 032
.. nonce: z7B52W
.. section: Core and Builtins
Fixed crash in Py_DecodeLocale() in debug build on Mac OS X when decoding
astral characters. Patch by Xiang Zhang.
..
.. bpo: 26171
.. date: 031
.. nonce: 8SaQEa
.. section: Core and Builtins
Fix possible integer overflow and heap corruption in zipimporter.get_data().
..
.. bpo: 25709
.. date: 030
.. nonce: kZHYbk
.. section: Core and Builtins
Fixed a problem with in-place string concatenation and the UTF-8 cache.
..
.. bpo: 24407
.. date: 029
.. nonce: GmCBB3
.. section: Core and Builtins
Fix crash when dict is mutated while being updated.
..
.. bpo: 24097
.. date: 028
.. nonce: Vt4E-i
.. section: Core and Builtins
Fixed crash in object.__reduce__() if slot name is freed inside __getattr__.
..
.. bpo: 24096
.. date: 027
.. nonce: a_Rap7
.. section: Core and Builtins
Make warnings.warn_explicit more robust against mutation of the
warnings.filters list.
..
.. bpo: 24044
.. date: 026
.. nonce: H7vb6-
.. section: Core and Builtins
Fix possible null pointer dereference in list.sort under out-of-memory
conditions.
..
.. bpo: 23055
.. date: 025
.. nonce: rRkRIJ
.. section: Core and Builtins
Fixed a buffer overflow in PyUnicode_FromFormatV. Analysis and fix by Guido
Vranken.
..
.. bpo: 31170
.. date: 2017-09-05-20-35-21
.. nonce: QGmJ1t
.. section: Library
expat: Update libexpat from 2.2.3 to 2.2.4. Fix copying of partial
characters for UTF-8 input (libexpat bug 115):
https://github.com/libexpat/libexpat/issues/115
..
.. bpo: 22928
.. date: 2017-07-25-15-48-29
.. nonce: LCRp8D
.. section: Library
Disabled HTTP header injections in http.client. Original patch by Demian
Brecht.
..
.. bpo: 30119
.. date: 024
.. nonce: 8ezFT1
.. section: Library
ftplib.FTP.putline() now raises ValueError on commands that contain CR or
LF. Patch by Dong-hee Na.
..
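The http.client and ftplib entries above both close the same hole: a CR or LF inside a value that is copied into a protocol line would let that value terminate the line and start another one. The following added example (not from the release notes or from CPython) exercises both checks offline on constructed inputs; ``HTTPConnection`` only buffers headers until ``endheaders()``, and an ``FTP()`` created without a host never opens a socket, so the recording socket stand-in is the only thing the FTP command reaches.

```python
"""Added example: the CR/LF checks in http.client (bpo-22928) and ftplib
(bpo-30119), exercised offline. Nothing here talks to the network.
"""
import ftplib
import http.client


def http_header_rejected(name, value):
    """True if http.client refuses to queue the header with ValueError."""
    conn = http.client.HTTPConnection("example.invalid")  # never connected
    try:
        conn.putrequest("GET", "/")  # request line is buffered, not sent
        try:
            conn.putheader(name, value)
        except ValueError:
            return True
        return False
    finally:
        conn.close()


class _RecordingSocket:
    """Stand-in for the FTP control socket: records what would be sent."""

    def __init__(self):
        self.sent = b""

    def sendall(self, data):
        self.sent += data


def ftp_line_result(line):
    """Return ("rejected", None) if ftplib raises ValueError for the command,
    or ("sent", bytes) with the exact bytes that would reach the server."""
    ftp = ftplib.FTP()  # no host argument, so no connection is attempted
    ftp.sock = _RecordingSocket()
    try:
        ftp.putline(line)
    except ValueError:
        return ("rejected", None)
    return ("sent", ftp.sock.sent)


# Constructed inputs: a benign value and values carrying a line break.
HEADER_CASES = [
    ("X-Request-Id", "7f3a9c"),
    ("X-Request-Id", "7f3a9c\r\nX-Injected: 1"),   # CRLF inside a value
    ("X-Request-Id\r\nX-Injected: 1", "7f3a9c"),   # CRLF inside a name
]
FTP_CASES = ["NOOP", "USER alice\r\nQUIT"]

if __name__ == "__main__":
    for name, value in HEADER_CASES:
        verdict = "rejected" if http_header_rejected(name, value) else "accepted"
        print(repr(name), repr(value), verdict)
    for command in FTP_CASES:
        print(repr(command), ftp_line_result(command))
```

The library check is the last line of defence: application code that builds header or command values from request data should still validate them before they reach these calls, so that the failure surfaces as a handled input error rather than an unexpected ``ValueError``.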
.. bpo: 28563
.. date: 019
.. nonce: iweEiw
.. section: Library
Fixed possible DoS and arbitrary code execution when handling plural form
selections in the gettext module. The expression parser now supports exactly
the syntax supported by GNU gettext.
..
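The plural-forms parser the entry above refers to compiles the ``plural=`` expression of a catalog's ``Plural-Forms`` header into a Python function. As an added example (not part of the release notes or of CPython), the snippet below feeds it two real-world plural rules and a few constructed expressions that fall outside the GNU gettext grammar, showing that the latter are rejected with ``ValueError`` rather than evaluated. It calls ``gettext.c2py``, the module-level helper ``GNUTranslations`` uses for this; that name is an implementation detail, not a documented public API.

```python
"""Added example: the gettext plural-forms expression parser (bpo-28563).

gettext.c2py() turns the C-like expression from a catalog's Plural-Forms
header into a Python function. It is not a documented public API.
"""
import gettext


def plural_function_from_header(plural_forms):
    """Compile the 'plural=' part of a Plural-Forms header the way
    GNUTranslations does when it reads a .mo file."""
    for field in plural_forms.split(";"):
        field = field.strip()
        if field.startswith("plural="):
            return gettext.c2py(field[len("plural="):])
    raise ValueError("header has no plural= field")


def is_accepted(expression):
    """True if the parser accepts the expression as GNU gettext plural syntax.
    Anything outside that grammar (names other than n, attribute access,
    calls, Python-only operators such as **) raises ValueError instead of
    being evaluated."""
    try:
        gettext.c2py(expression)
    except ValueError:
        return False
    return True


# Constructed headers: the English rule and the three-form Polish rule as
# they appear in many real catalogs.
ENGLISH = "nplurals=2; plural=(n != 1);"
POLISH = ("nplurals=3; plural=(n==1 ? 0 : n%10>=2 && n%10<=4 "
          "&& (n%100<10 || n%100>=20) ? 1 : 2);")

# Constructed inputs a malformed or hostile catalog might carry.
REJECTED = [
    "__import__('os')",   # names other than n are invalid tokens
    "n.__class__",        # attribute access is not in the grammar
    "n ** 2",             # ** is not a C operator the grammar knows
    "(n",                 # unbalanced parenthesis
]

if __name__ == "__main__":
    english = plural_function_from_header(ENGLISH)
    print("english:", [english(n) for n in (0, 1, 2)])
    polish = plural_function_from_header(POLISH)
    print("polish:", [polish(n) for n in (1, 22, 5)])
    print("rejected:", [is_accepted(e) for e in REJECTED])
```

Treating translation catalogs as untrusted input is the point here: a ``.mo`` file installed from a package or a user-supplied locale directory is data, and with this fix the only thing its plural rule can do is compute an index.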
.. bpo: 27783
.. date: 018
.. nonce: 6fCCY9
.. section: Library
Fix possible usage of uninitialized memory in operator.methodcaller.
..
.. bpo: 27774
.. date: 017
.. nonce: FDcik1
.. section: Library
Fix possible Py_DECREF on unowned object in _sre.
..
.. bpo: 27760
.. date: 016
.. nonce: gxMjp4
.. section: Library
Fix possible integer overflow in binascii.b2a_qp.
..
.. bpo: 27758
.. date: 015
.. nonce: x9DC4R
.. section: Library
Fix possible integer overflow in the _csv module for large record lengths.
..
.. bpo: 27568
.. date: 014
.. nonce: OnuO9s
.. section: Library
Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the HTTP_PROXY variable
when the REQUEST_METHOD environment variable is set, which indicates that the
script is running in CGI mode.
..
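Under CGI, request headers are passed to the script as ``HTTP_*`` environment variables (RFC 3875), which is why an uppercase ``HTTP_PROXY`` in that context cannot be trusted to have come from the operator. The following added example (not from the release notes or from CPython) shows the resulting behaviour of ``urllib.request.getproxies_environment()`` on three constructed environments: the variable is honoured outside CGI, dropped when ``REQUEST_METHOD`` marks CGI mode, and a lowercase ``http_proxy``, which the CGI convention does not produce, is kept.

```python
"""Added example: urllib proxy discovery under CGI (bpo-27568).

getproxies_environment() drops an uppercase HTTP_PROXY whenever
REQUEST_METHOD is set; a lowercase http_proxy is still honoured.
"""
import os
from unittest import mock
import urllib.request


def proxies_seen(environment):
    """Proxy table urllib would build if the process environment were exactly
    `environment`. The real environment is restored afterwards."""
    with mock.patch.dict(os.environ, environment, clear=True):
        return urllib.request.getproxies_environment()


# Constructed environments.
PLAIN_PROCESS = {
    "HTTP_PROXY": "http://proxy.internal.example:3128",
}
CGI_WITH_UPPERCASE_PROXY = {
    "REQUEST_METHOD": "GET",        # marks CGI mode
    "HTTP_PROXY": "http://proxy.internal.example:3128",  # may be client-supplied
}
CGI_WITH_LOWERCASE_PROXY = {
    "REQUEST_METHOD": "GET",
    "http_proxy": "http://proxy.internal.example:3128",  # set by the operator
}

# Note: on Windows os.environ upper-cases keys, so the lowercase distinction
# does not exist there and the third case behaves like the second.

if __name__ == "__main__":
    for label, env in [("plain process", PLAIN_PROCESS),
                       ("CGI, HTTP_PROXY", CGI_WITH_UPPERCASE_PROXY),
                       ("CGI, http_proxy", CGI_WITH_LOWERCASE_PROXY)]:
        print(f"{label:16} -> {proxies_seen(env)}")
```

For a CGI deployment the practical check is the second case: with ``REQUEST_METHOD`` present the returned table has no ``http`` entry, so a ``Proxy:`` request header cannot redirect the script's outbound HTTP requests.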
.. bpo: 24521
.. date: 013
.. nonce: bn4U-y
.. section: Library
Fix possible integer overflows in the pickle module.
..
.. bpo: 22931
.. date: 012
.. nonce: 4CuWYD
.. section: Library
Allow '[' and ']' in cookie values.
..
.. bpo: 24094
.. date: 011
.. nonce: 7T-u7k
.. section: Library
Fix possible crash in json.encode with poorly behaved dict subclasses.
..
.. bpo: 23367
.. date: 010
.. nonce: kHnFiz
.. section: Library
Fix possible overflows in the unicodedata module.
..
.. bpo: 23361
.. date: 009
.. nonce: I_w0-z
.. section: Library
Fix possible overflow in Windows subprocess creation code.
..
.. bpo: 23363
.. date: 008
.. nonce: -koaol
.. section: Library
Fix possible overflow in itertools.permutations.
..
.. bpo: 23364
.. date: 007
.. nonce: 3yBV-6
.. section: Library
Fix possible overflow in itertools.product.
..
.. bpo: 23369
.. date: 006
.. nonce: nqChyE
.. section: Library
Fixed possible integer overflow in _json.encode_basestring_ascii.
..
.. bpo: 23366
.. date: 005
.. nonce: tyAfm8
.. section: Library
Fixed possible integer overflow in itertools.combinations.
..
.. bpo: 23365
.. date: 004
.. nonce: h5jLQ9
.. section: Library
Fixed possible integer overflow in itertools.combinations_with_replacement.
..
.. bpo: 27369
.. date: 002
.. nonce: LG7U2D
.. section: Tests
In test_pyexpat, avoid testing an error message detail that changed in Expat
2.2.0.
..
.. bpo: 25940
.. date: 001
.. nonce: 7uNcQG
.. section: Tests
Changed test_ssl and test_httplib to use self-signed.pythontest.net. This
avoids relying on svn.python.org, which recently changed its root certificate.
..
.. bpo: 23998
.. date: 003
.. nonce: z7mlLW
.. section: C API
PyImport_ReInitLock() now checks for lock allocation errors.