|
| 1 | +.. date: 2024-09-04-09-59-18 |
| 2 | +.. gh-issue: 123418 |
| 3 | +.. nonce: QaMC12 |
| 4 | +.. release date: 2024-09-07 |
| 5 | +.. section: Windows |
| 6 | +
|
| 7 | +Updated Windows build to use OpenSSL 3.0.15. |
| 8 | + |
| 9 | +.. |
| 10 | +
|
| 11 | +.. date: 2024-05-29-17-00-27 |
| 12 | +.. gh-issue: 119690 |
| 13 | +.. nonce: tv6Zgs |
| 14 | +.. section: Windows |
| 15 | +
|
| 16 | +Fixes data type confusion in audit event raised by |
| 17 | +``_winapi.CreateNamedPipe``. |
| 18 | + |
| 19 | +.. |
| 20 | +
|
| 21 | +.. date: 2024-09-04-12-41-35 |
| 22 | +.. gh-issue: 123678 |
| 23 | +.. nonce: N41y9n |
| 24 | +.. section: Security |
| 25 | +
|
| 26 | +Upgrade libexpat to 2.6.3 |
| 27 | + |
| 28 | +.. |
| 29 | +
|
| 30 | +.. date: 2024-07-22-13-14-38 |
| 31 | +.. gh-issue: 121957 |
| 32 | +.. nonce: FYkcOt |
| 33 | +.. section: Security |
| 34 | +
|
| 35 | +Fixed missing audit events around interactive use of Python, now also |
| 36 | +properly firing for ``python -i``, as well as for ``python -m asyncio``. The |
| 37 | +event in question is ``cpython.run_stdin``. |
| 38 | + |
| 39 | +.. |
| 40 | +
|
| 41 | +.. date: 2024-07-22-13-11-28 |
| 42 | +.. gh-issue: 122133 |
| 43 | +.. nonce: 0mPeta |
| 44 | +.. section: Security |
| 45 | +
|
| 46 | +Authenticate the socket connection for the ``socket.socketpair()`` fallback |
| 47 | +on platforms where ``AF_UNIX`` is not available like Windows. |
| 48 | + |
| 49 | +Patch by Gregory P. Smith <greg@krypto.org> and Seth Larson |
| 50 | +<seth@python.org>. Reported by Ellie <el@horse64.org> |
| 51 | + |
| 52 | +.. |
| 53 | +
|
| 54 | +.. date: 2024-07-02-13-39-20 |
| 55 | +.. gh-issue: 121285 |
| 56 | +.. nonce: hrl-yI |
| 57 | +.. section: Security |
| 58 | +
|
| 59 | +Remove backtracking from tarfile header parsing for ``hdrcharset``, PAX, and |
| 60 | +GNU sparse headers. |
| 61 | + |
| 62 | +.. |
| 63 | +
|
| 64 | +.. date: 2024-05-01-20-57-09 |
| 65 | +.. gh-issue: 118486 |
| 66 | +.. nonce: K44KJG |
| 67 | +.. section: Security |
| 68 | +
|
| 69 | +:func:`os.mkdir` on Windows now accepts *mode* of ``0o700`` to restrict the |
| 70 | +new directory to the current user. This fixes CVE-2024-4030 affecting |
| 71 | +:func:`tempfile.mkdtemp` in scenarios where the base temporary directory is |
| 72 | +more permissive than the default. |
| 73 | + |
| 74 | +.. |
| 75 | +
|
| 76 | +.. date: 2024-03-27-13-50-02 |
| 77 | +.. gh-issue: 116741 |
| 78 | +.. nonce: ZoGryG |
| 79 | +.. section: Security |
| 80 | +
|
| 81 | +Update bundled libexpat to 2.6.2 |
| 82 | + |
| 83 | +.. |
| 84 | +
|
| 85 | +.. date: 2024-08-26-13-45-20 |
| 86 | +.. gh-issue: 123270 |
| 87 | +.. nonce: gXHvNJ |
| 88 | +.. section: Library |
| 89 | +
|
| 90 | +Applied a more surgical fix for malformed payloads in :class:`zipfile.Path` |
| 91 | +causing infinite loops (gh-122905) without breaking contents using |
| 92 | +legitimate characters. |
| 93 | + |
| 94 | +.. |
| 95 | +
|
| 96 | +.. date: 2024-08-16-19-13-21 |
| 97 | +.. gh-issue: 123067 |
| 98 | +.. nonce: Nx9O4R |
| 99 | +.. section: Library |
| 100 | +
|
| 101 | +Fix quadratic complexity in parsing ``"``-quoted cookie values with |
| 102 | +backslashes by :mod:`http.cookies`. |
| 103 | + |
| 104 | +.. |
| 105 | +
|
| 106 | +.. date: 2024-08-11-14-08-04 |
| 107 | +.. gh-issue: 122905 |
| 108 | +.. nonce: 7tDsxA |
| 109 | +.. section: Library |
| 110 | +
|
| 111 | +:class:`zipfile.Path` objects now sanitize names from the zipfile. |
| 112 | + |
| 113 | +.. |
| 114 | +
|
| 115 | +.. date: 2024-07-27-16-10-41 |
| 116 | +.. gh-issue: 121650 |
| 117 | +.. nonce: nf6oc9 |
| 118 | +.. section: Library |
| 119 | +
|
| 120 | +:mod:`email` headers with embedded newlines are now quoted on output. The |
| 121 | +:mod:`~email.generator` will now refuse to serialize (write) headers that |
| 122 | +are unsafely folded or delimited; see |
| 123 | +:attr:`~email.policy.Policy.verify_generated_headers`. (Contributed by Bas |
| 124 | +Bloemsaat and Petr Viktorin in :gh:`121650`.) |
| 125 | + |
| 126 | +.. |
| 127 | +
|
| 128 | +.. date: 2024-05-24-14-32-24 |
| 129 | +.. gh-issue: 119506 |
| 130 | +.. nonce: -nMNqq |
| 131 | +.. section: Library |
| 132 | +
|
| 133 | +Fix :meth:`!io.TextIOWrapper.write` method breaks internal buffer when the |
| 134 | +method is called again during flushing internal buffer. |
| 135 | + |
| 136 | +.. |
| 137 | +
|
| 138 | +.. date: 2024-05-16-17-31-46 |
| 139 | +.. gh-issue: 118643 |
| 140 | +.. nonce: hAWH4C |
| 141 | +.. section: Library |
| 142 | +
|
| 143 | +Fix an AttributeError in the :mod:`email` module when re-fold a long address |
| 144 | +list. Also fix more cases of incorrect encoding of the address separator in |
| 145 | +the address list. |
| 146 | + |
| 147 | +.. |
| 148 | +
|
| 149 | +.. date: 2024-03-14-01-38-44 |
| 150 | +.. gh-issue: 113171 |
| 151 | +.. nonce: VFnObz |
| 152 | +.. section: Library |
| 153 | +
|
| 154 | +Fixed various false positives and false negatives in |
| 155 | + |
| 156 | +* :attr:`ipaddress.IPv4Address.is_private` (see these docs for details) |
| 157 | +* :attr:`ipaddress.IPv4Address.is_global` |
| 158 | +* :attr:`ipaddress.IPv6Address.is_private` |
| 159 | +* :attr:`ipaddress.IPv6Address.is_global` |
| 160 | + |
| 161 | +Also in the corresponding :class:`ipaddress.IPv4Network` and |
| 162 | +:class:`ipaddress.IPv6Network` attributes. |
| 163 | + |
| 164 | +.. |
| 165 | +
|
| 166 | +.. date: 2023-10-20-15-28-08 |
| 167 | +.. gh-issue: 102988 |
| 168 | +.. nonce: dStNO7 |
| 169 | +.. section: Library |
| 170 | +
|
| 171 | +:func:`email.utils.getaddresses` and :func:`email.utils.parseaddr` now |
| 172 | +return ``('', '')`` 2-tuples in more situations where invalid email |
| 173 | +addresses are encountered instead of potentially inaccurate values. Add |
| 174 | +optional *strict* parameter to these two functions: use ``strict=False`` to |
| 175 | +get the old behavior, accept malformed inputs. ``getattr(email.utils, |
| 176 | +'supports_strict_parsing', False)`` can be use to check if the *strict* |
| 177 | +paramater is available. Patch by Thomas Dwyer and Victor Stinner to improve |
| 178 | +the CVE-2023-27043 fix. |
| 179 | + |
| 180 | +.. |
| 181 | +
|
| 182 | +.. date: 2019-08-27-01-16-50 |
| 183 | +.. gh-issue: 67693 |
| 184 | +.. nonce: 4NIAiy |
| 185 | +.. section: Library |
| 186 | +
|
| 187 | +Fix :func:`urllib.parse.urlunparse` and :func:`urllib.parse.urlunsplit` for |
| 188 | +URIs with path starting with multiple slashes and no authority. Based on |
| 189 | +patch by Ashwin Ramaswami. |
| 190 | + |
| 191 | +.. |
| 192 | +
|
| 193 | +.. date: 2024-09-04-18-20-11 |
| 194 | +.. gh-issue: 112275 |
| 195 | +.. nonce: W_iMiB |
| 196 | +.. section: Core and Builtins |
| 197 | +
|
| 198 | +A deadlock involving ``pystate.c``'s ``HEAD_LOCK`` in ``posixmodule.c`` at |
| 199 | +fork is now fixed. Patch by ChuBoning based on previous Python 3.12 fix by |
| 200 | +Victor Stinner. |
| 201 | + |
| 202 | +.. |
| 203 | +
|
| 204 | +.. date: 2024-04-02-06-16-49 |
| 205 | +.. gh-issue: 109120 |
| 206 | +.. nonce: X485oN |
| 207 | +.. section: Core and Builtins |
| 208 | +
|
| 209 | +Added handle of incorrect star expressions, e.g ``f(3, *)``. Patch by |
| 210 | +Grigoryev Semyon |
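Review bot: The ``ipaddress`` entry (file lines 154-162) tells readers to "see these docs for details" but carries no reference target, so the note never says which addresses changed classification under ``is_private`` / ``is_global``; please link the attribute documentation or name the affected ranges. The two libexpat entries in the Security section (lines 26 and 81) likewise give only a version number; if the upgrades are security-relevant, say what they address. In the ``email.utils`` entry (lines 171-178), "can be use" should be "can be used" and "paramater" should be "parameter", and "use ``strict=False`` to get the old behavior, accept malformed inputs" reads better as "... to get the old behavior and accept malformed inputs". Smaller points: line 133 should read "Fix :meth:`!io.TextIOWrapper.write` breaking the internal buffer when ...", line 143 "when re-folding", and lines 209-210 "Added handling of incorrect star expressions, e.g. ``f(3, *)``." with a final period after the author's name.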