| Ned Deily | aee5df5 | 2018-06-27 18:45:50 -0400 | [diff] [blame] | 1 | .. bpo: 30730 |
| 2 | .. date: 9992 |
| 3 | .. nonce: rJsyTH |
| 4 | .. original section: Library |
| 5 | .. release date: 2017-07-07 |
| 6 | .. section: Security |
| 7 | |
| 8 | Prevent environment variables injection in subprocess on Windows. Prevent |
| 9 | passing other environment variables and command arguments. |
| 10 | |
| 11 | .. |
| 12 | |
| 13 | .. bpo: 30694 |
| 14 | .. date: 9991 |
| 15 | .. nonce: WkMWM_ |
| 16 | .. original section: Library |
| 17 | .. section: Security |
| 18 | |
| 19 | Upgrade expat copy from 2.2.0 to 2.2.1 to get fixes of multiple security |
| 20 | vulnerabilities including: CVE-2017-9233 (External entity infinite loop |
| 21 | DoS), CVE-2016-9063 (Integer overflow, re-fix), CVE-2016-0718 (Fix |
| 22 | regression bugs from 2.2.0's fix to CVE-2016-0718) and CVE-2012-0876 |
| 23 | (Counter hash flooding with SipHash). Note: the CVE-2016-5300 (Use |
| 24 | os-specific entropy sources like getrandom) doesn't impact Python, since |
| 25 | Python already gets entropy from the OS to set the expat secret using |
| 26 | ``XML_SetHashSalt()``. |
| 27 | |
| 28 | .. |
| 29 | |
| 30 | .. bpo: 30500 |
| 31 | .. date: 9990 |
| 32 | .. nonce: 1VG7R- |
| 33 | .. original section: Library |
| 34 | .. section: Security |
| 35 | |
| 36 | Fix urllib.parse.splithost() to correctly parse fragments. For example, |
| 37 | ``splithost('//127.0.0.1#@evil.com/')`` now correctly returns the |
| 38 | ``127.0.0.1`` host, instead of treating ``@evil.com`` as the host in an |
| Stéphane Wirtel | 683281f | 2018-10-06 16:35:53 +0200 | [diff] [blame] | 39 | authentication (``login@host``). |