|
| 1 | +.. date: 2024-02-18-03-14-40 |
| 2 | +.. gh-issue: 115398 |
| 3 | +.. nonce: tzvxH8 |
| 4 | +.. release date: 2024-03-19 |
| 5 | +.. section: Security |
| 6 | +
|
| 7 | +Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425) by adding |
| 8 | +five new methods: |
| 9 | + |
| 10 | +* :meth:`xml.etree.ElementTree.XMLParser.flush` |
| 11 | +* :meth:`xml.etree.ElementTree.XMLPullParser.flush` |
| 12 | +* :meth:`xml.parsers.expat.xmlparser.GetReparseDeferralEnabled` |
| 13 | +* :meth:`xml.parsers.expat.xmlparser.SetReparseDeferralEnabled` |
| 14 | +* :meth:`xml.sax.expatreader.ExpatParser.flush` |
| 15 | + |
| 16 | +.. |
| 17 | +
|
| 18 | +.. date: 2024-02-13-15-14-39 |
| 19 | +.. gh-issue: 115399 |
| 20 | +.. nonce: xT-scP |
| 21 | +.. section: Security |
| 22 | +
|
| 23 | +Update bundled libexpat to 2.6.0 |
| 24 | + |
| 25 | +.. |
| 26 | +
|
| 27 | +.. date: 2024-01-02-19-52-23 |
| 28 | +.. gh-issue: 113659 |
| 29 | +.. nonce: DkmnQc |
| 30 | +.. section: Security |
| 31 | +
|
| 32 | +Skip ``.pth`` files with names starting with a dot or hidden file attribute. |
| 33 | + |
| 34 | +.. |
| 35 | +
|
| 36 | +.. date: 2023-10-27-19-38-33 |
| 37 | +.. gh-issue: 102388 |
| 38 | +.. nonce: vd5YUZ |
| 39 | +.. section: Core and Builtins |
| 40 | +
|
| 41 | +Fix a bug where ``iso2022_jp_3`` and ``iso2022_jp_2004`` codecs read out of |
| 42 | +bounds |
| 43 | + |
| 44 | +.. |
| 45 | +
|
| 46 | +.. date: 2024-02-09-19-41-48 |
| 47 | +.. gh-issue: 115197 |
| 48 | +.. nonce: 20wkWH |
| 49 | +.. section: Library |
| 50 | +
|
| 51 | +``urllib.request`` no longer resolves the hostname before checking it |
| 52 | +against the system's proxy bypass list on macOS and Windows. |
| 53 | + |
| 54 | +.. |
| 55 | +
|
| 56 | +.. date: 2024-02-08-14-21-28 |
| 57 | +.. gh-issue: 115133 |
| 58 | +.. nonce: ycl4ko |
| 59 | +.. section: Library |
| 60 | +
|
| 61 | +Fix tests for :class:`~xml.etree.ElementTree.XMLPullParser` with Expat |
| 62 | +2.6.0. |
| 63 | + |
| 64 | +.. |
| 65 | +
|
| 66 | +.. date: 2023-12-01-16-09-59 |
| 67 | +.. gh-issue: 81194 |
| 68 | +.. nonce: FFad1c |
| 69 | +.. section: Library |
| 70 | +
|
| 71 | +Fix a crash in :func:`socket.if_indextoname` with specific value (UINT_MAX). |
| 72 | +Fix an integer overflow in :func:`socket.if_indextoname` on 64-bit |
| 73 | +non-Windows platforms. |
| 74 | + |
| 75 | +.. |
| 76 | +
|
| 77 | +.. date: 2023-09-28-13-15-51 |
| 78 | +.. gh-issue: 109858 |
| 79 | +.. nonce: 43e2dg |
| 80 | +.. section: Library |
| 81 | +
|
| 82 | +Protect :mod:`zipfile` from "quoted-overlap" zipbomb. It now raises |
| 83 | +BadZipFile when try to read an entry that overlaps with other entry or |
| 84 | +central directory. |
| 85 | + |
| 86 | +.. |
| 87 | +
|
| 88 | +.. date: 2023-08-03-12-52-19 |
| 89 | +.. gh-issue: 107077 |
| 90 | +.. nonce: -pzHD6 |
| 91 | +.. section: Library |
| 92 | +
|
| 93 | +Seems that in some conditions, OpenSSL will return ``SSL_ERROR_SYSCALL`` |
| 94 | +instead of ``SSL_ERROR_SSL`` when a certification verification has failed, |
| 95 | +but the error parameters will still contain ``ERR_LIB_SSL`` and |
| 96 | +``SSL_R_CERTIFICATE_VERIFY_FAILED``. We are now detecting this situation and |
| 97 | +raising the appropiate ``ssl.SSLCertVerificationError``. Patch by Pablo |
| 98 | +Galindo |
| 99 | + |
| 100 | +.. |
| 101 | +
|
| 102 | +.. date: 2022-12-01-16-57-44 |
| 103 | +.. gh-issue: 91133 |
| 104 | +.. nonce: LKMVCV |
| 105 | +.. section: Library |
| 106 | +
|
| 107 | +Fix a bug in :class:`tempfile.TemporaryDirectory` cleanup, which now no |
| 108 | +longer dereferences symlinks when working around file system permission |
| 109 | +errors. |
| 110 | + |
| 111 | +.. |
| 112 | +
|
| 113 | +.. date: 2024-02-14-20-17-04 |
| 114 | +.. gh-issue: 115399 |
| 115 | +.. nonce: fb9a0R |
| 116 | +.. section: Documentation |
| 117 | +
|
| 118 | +Document CVE-2023-52425 of Expat <2.6.0 under "XML vulnerabilities". |
| 119 | + |
| 120 | +.. |
| 121 | +
|
| 122 | +.. date: 2023-10-11-16-02-55 |
| 123 | +.. gh-issue: 108310 |
| 124 | +.. nonce: URRe8Y |
| 125 | +.. section: Tests |
| 126 | +
|
| 127 | +SSL tests for pre-handshake close were previously not enabled on Python 3.8 |
| 128 | +due to an incorrect backport. This is now fixed. Patch by Lumír Balhar. |
| 129 | + |
| 130 | +.. |
| 131 | +
|
| 132 | +.. date: 2024-02-01-14-35-05 |
| 133 | +.. gh-issue: 111239 |
| 134 | +.. nonce: SO7SUF |
| 135 | +.. section: Windows |
| 136 | +
|
| 137 | +Update Windows builds to use zlib v1.3.1. |
| 138 | + |
| 139 | +.. |
| 140 | +
|
| 141 | +.. date: 2023-09-29-10-35-29 |
| 142 | +.. gh-issue: 109991 |
| 143 | +.. nonce: GmuzGZ |
| 144 | +.. section: Windows |
| 145 | +
|
| 146 | +Windows builds now use OpenSSL 1.1.1w. Note that OpenSSL 1.1 has reached its |
| 147 | +end of life and no future fixes will be made, and this version of Python is |
| 148 | +no longer receiving maintenance fixes and will not be updated to OpenSSL |
| 149 | +3.0. |
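Review bot: the entry at new-file line 23, "Update bundled libexpat to 2.6.0", does not say why it sits in the Security section. Lines 7 and 118 of the same file tie Expat 2.6.0 to CVE-2023-52425, so name the CVE in that entry as well, so that all three entries turn up when someone searches the changelog by CVE id. Two entries filed under "section: Library" read as security hardening: the :mod:`zipfile` "quoted-overlap" zipbomb check (lines 82-84) and the :class:`tempfile.TemporaryDirectory` symlink fix (lines 107-109). Consider "section: Security" for both so they appear in the security notes. Wording: line 97 has "appropiate" for "appropriate", line 83 should read "when trying to read an entry that overlaps with another entry", line 93 opens with a subjectless "Seems that", and line 98 is missing its final period.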