Revision e25757408dc22561af9f9589c2c7e2a2fbb66ee4 authored by Ned Deily on 12 June 2018, 01:44:58 UTC, committed by GitHub on 12 June 2018, 01:44:58 UTC
The documentation for CERT_NONE, CERT_OPTIONAL, and CERT_REQUIRED was
misleading and partly wrong. It fails to explain that OpenSSL behaves
differently in client and server mode. Also OpenSSL does validate the
cert chain every time. With SSL_VERIFY_NONE a validation error is not
fatal in client mode and does not request a client cert in server mode.
Also discourage people from using CERT_OPTIONAL in client mode.
1 parent 2023eaf
3.6.2rc2.rst
.. bpo: 30730
.. date: 9992
.. nonce: rJsyTH
.. original section: Library
.. release date: 2017-07-07
.. section: Security

Prevent environment variable injection in subprocess on Windows.  Prevent
passing other environment variables and command arguments.

..

.. bpo: 30694
.. date: 9991
.. nonce: WkMWM_
.. original section: Library
.. section: Security

Upgrade expat copy from 2.2.0 to 2.2.1 to get fixes of multiple security
vulnerabilities including: CVE-2017-9233 (External entity infinite loop
DoS), CVE-2016-9063 (Integer overflow, re-fix), CVE-2016-0718 (Fix
regression bugs from 2.2.0's fix to CVE-2016-0718) and CVE-2012-0876
(Counter hash flooding with SipHash). Note: the CVE-2016-5300 (Use
os-specific entropy sources like getrandom) doesn't impact Python, since
Python already gets entropy from the OS to set the expat secret using
``XML_SetHashSalt()``.

..

.. bpo: 30500
.. date: 9990
.. nonce: 1VG7R-
.. original section: Library
.. section: Security

Fix urllib.parse.splithost() to correctly parse fragments. For example,
``splithost('//127.0.0.1#@evil.com/')`` now correctly returns the
``127.0.0.1`` host, instead of treating ``@evil.com`` as the host in an
authentication userinfo component (``login@host``).
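The host-confusion below is easiest to see side by side. This is an added example, not code from this release note or from CPython; the two regular expressions are constructed approximations of the host-matching pattern before and after the fix (the exact historical patterns are not quoted here), and the result is cross-checked against ``urllib.parse.urlsplit``, which splits the netloc on ``/``, ``?`` and ``#``.

```python
import re
from urllib.parse import urlsplit

# Constructed approximations of the host regex before and after the fix
# (assumption: the real historical patterns are not quoted in this note).
_HOST_BEFORE = re.compile(r'^//([^/?]*)(.*)$', re.DOTALL)   # '#' may stay in host
_HOST_AFTER = re.compile(r'^//([^/#?]*)(.*)$', re.DOTALL)   # '#' ends the host


def _splithost(pattern, url):
    """Mimic splithost(): return (host_or_None, rest) for a '//host...' URL."""
    m = pattern.match(url)
    if not m:
        return None, url
    host, rest = m.groups()
    if rest and rest[0] != '/':
        rest = '/' + rest
    return host, rest


def splithost_before(url):
    return _splithost(_HOST_BEFORE, url)


def splithost_after(url):
    return _splithost(_HOST_AFTER, url)


def effective_host(host_port):
    """Drop userinfo ('login@') and ':port', as a client resolving the host would."""
    _, _, hostport = host_port.rpartition('@')
    host, _, _ = hostport.partition(':')
    return host


def host_mismatch(url):
    """Return (old_host, new_host, stdlib_host); a disagreement means different
    parsers would send the request to different servers."""
    old = effective_host(splithost_before(url)[0] or '')
    new = effective_host(splithost_after(url)[0] or '')
    std = urlsplit(url).hostname or ''
    return old, new, std


if __name__ == '__main__':
    # Constructed sample URLs: the note's example plus an ordinary one.
    for sample in ('//127.0.0.1#@evil.com/', '//user@host:8080/p?q#f'):
        print(sample, host_mismatch(sample))
```

For the note's URL the pre-fix pattern yields ``evil.com`` while the fixed pattern and ``urlsplit`` both yield ``127.0.0.1``; for an ordinary URL all three agree.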