.. bpo: 32551
.. date: 2018-01-16-16-05-37
.. nonce: U0z4W-
.. release date: 2018-01-23
.. section: Security

The ``sys.path[0]`` initialization change for bpo-29139 caused a regression
by revealing an inconsistency in how sys.path is initialized when executing
``__main__`` from a zipfile, directory, or other import location. This is
considered a potential security issue, as it may lead to privileged
processes unexpectedly loading code from user controlled directories in
situations where that was not previously the case.
The interpreter now consistently avoids ever adding the import location's
parent directory to ``sys.path``, and ensures no other ``sys.path`` entries
are inadvertently modified when inserting the import location named on the
command line. (Originally reported as bpo-29723 against Python 3.6rc1, but
it was missed at the time that the then upcoming Python 3.5.4 release would
also be affected)

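A check for the behaviour described above, as an added example that is not part of the CPython sources or this changelog: it executes a directory containing ``__main__.py`` in a child interpreter and reports whether ``sys.path[0]`` is the import location and whether its parent directory ended up on ``sys.path``. The directory names ``user_writable`` and ``app`` and the function name are hypothetical.

```python
import json
import os
import subprocess
import sys
import tempfile

# Constructed probe: the __main__.py placed in the directory we execute.
PROBE = "import json, sys\nprint(json.dumps(sys.path))\n"


def _same(a, b):
    """Compare two paths after resolving symlinks and normalising case."""
    norm = lambda p: os.path.normcase(os.path.realpath(p))
    return norm(a) == norm(b)


def check_dir_execution(python=sys.executable):
    """Run `python <dir>` and report how the child's sys.path was set up."""
    with tempfile.TemporaryDirectory() as root:
        parent = os.path.join(root, "user_writable")  # hypothetical name
        app = os.path.join(parent, "app")             # the import location
        os.makedirs(app)
        with open(os.path.join(app, "__main__.py"), "w") as fh:
            fh.write(PROBE)

        # Drop PYTHONPATH so the result reflects interpreter start-up only.
        env = {k: v for k, v in os.environ.items() if k != "PYTHONPATH"}
        out = subprocess.run(
            [python, app], env=env, check=True,
            stdout=subprocess.PIPE, universal_newlines=True,
        ).stdout
        child_path = json.loads(out)

        return {
            # The location named on the command line must come first.
            "path0_is_import_location": _same(child_path[0], app),
            # Its parent directory must never be added.
            "parent_on_path": any(_same(p, parent) for p in child_path if p),
        }


if __name__ == "__main__":
    print(check_dir_execution())
```

Pass the path of another interpreter as ``python`` to audit a specific installation.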
..

.. bpo: 30657
.. date: 2017-12-01-18-51-03
.. nonce: Fd8kId
.. section: Security

Fixed possible integer overflow in PyBytes_DecodeEscape, CVE-2017-1000158.
Original patch by Jay Bosamiya; rebased to Python 3 by Miro Hrončok.

..

.. bpo: 30947
.. date: 2017-09-05-20-34-44
.. nonce: iNMmm4
.. section: Security

Upgrade libexpat embedded copy from version 2.2.1 to 2.2.3 to get security
fixes.

..

.. bpo: 31095
.. date: 2017-08-01-18-48-30
.. nonce: bXWZDb
.. section: Core and Builtins

Fix potential crash during GC caused by ``tp_dealloc`` which doesn't call
``PyObject_GC_UnTrack()``.

..

.. bpo: 32072
.. date: 2017-11-18-21-13-52
.. nonce: nwDV8L
.. section: Library

Fixed issues with binary plists:

* Fixed saving bytearrays.
* Identical objects will be saved only once.
* Equal references will be loaded as identical objects.
* Added support for saving and loading recursive data structures.

..

.. bpo: 31170
.. date: 2017-09-05-20-35-21
.. nonce: QGmJ1t
.. section: Library

expat: Update libexpat from 2.2.3 to 2.2.4. Fix copying of partial
characters for UTF-8 input (libexpat bug 115):
https://github.com/libexpat/libexpat/issues/115