.. bpo: 39073
.. date: 2020-03-15-01-28-36
.. nonce: 6Szd3i
.. release date: 2020-06-17
.. section: Security

Disallow CR or LF in email.headerregistry.Address arguments to guard against
header injection attacks.

..

.. bpo: 38576
.. date: 2020-03-14-14-57-44
.. nonce: OowwQn
.. section: Security

Disallow control characters in hostnames in http.client, addressing
CVE-2019-18348. Such potentially malicious header injection URLs now cause a
InvalidURL to be raised.

..

.. bpo: 39503
.. date: 2020-01-30-16-15-29
.. nonce: B299Yq
.. section: Security

CVE-2020-8492: The :class:`~urllib.request.AbstractBasicAuthHandler` class
of the :mod:`urllib.request` module uses an inefficient regular expression
which can be exploited by an attacker to cause a denial of service. Fix the
regex to prevent the catastrophic backtracking. Vulnerability reported by
Ben Caller and Matt Schwager.

..

.. bpo: 39401
.. date: 2020-01-28-20-54-09
.. nonce: he7h_A
.. section: Security

Avoid unsafe load of ``api-ms-win-core-path-l1-1-0.dll`` at startup on
Windows 7.

..

.. bpo: 39510
.. date: 2020-02-04-10-27-41
.. nonce: PMIh-f
.. section: Core and Builtins

Fix segfault in ``readinto()`` method on closed BufferedReader.

..

.. bpo: 39421
.. date: 2020-01-22-15-53-37
.. nonce: O3nG7u
.. section: Core and Builtins

Fix possible crashes when operating with the functions in the :mod:`heapq`
module and custom comparison operators.

..

.. bpo: 39503
.. date: 2020-03-25-16-02-16
.. nonce: YmMbYn
.. section: Library

:class:`~urllib.request.AbstractBasicAuthHandler` of :mod:`urllib.request`
now parses all WWW-Authenticate HTTP headers and accepts multiple challenges
per header: use the realm of the first Basic challenge.