.. bpo: 30730
.. date: 9992
.. nonce: rJsyTH
.. original section: Library
.. release date: 2017-07-07
.. section: Security

Prevent environment variables injection in subprocess on Windows. Prevent
passing other environment variables and command arguments.

..

.. bpo: 30694
.. date: 9991
.. nonce: WkMWM_
.. original section: Library
.. section: Security

Upgrade expat copy from 2.2.0 to 2.2.1 to get fixes of multiple security
vulnerabilities including: :cve:`2017-9233` (External entity infinite loop
DoS), :cve:`2016-9063` (Integer overflow, re-fix), :cve:`2016-0718` (Fix
regression bugs from 2.2.0's fix to :cve:`2016-0718`) and :cve:`2012-0876`
(Counter hash flooding with SipHash). Note: the :cve:`2016-5300` (Use
os-specific entropy sources like getrandom) doesn't impact Python, since
Python already gets entropy from the OS to set the expat secret using
``XML_SetHashSalt()``.

..

.. bpo: 30500
.. date: 9990
.. nonce: 1VG7R-
.. original section: Library
.. section: Security

Fix urllib.parse.splithost() to correctly parse fragments. For example,
``splithost('//127.0.0.1#@evil.com/')`` now correctly returns the
``127.0.0.1`` host, instead of treating ``@evil.com`` as the host in an
authentication (``login@host``).
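An added example (not part of this changelog and not CPython's own code) of the parsing defect the bpo-30500 entry describes: a constructed host pattern that stops only at ``/`` or ``?`` lets a fragment's ``@`` decide which host a ``login@host`` split yields, beside a pattern that also stops at ``#``, with ``urlsplit().hostname`` shown for comparison. The names ``naive_host``, ``fixed_host``, ``stdlib_host`` and ``is_allowed`` are assumed here.

```python
import re
from urllib.parse import urlsplit

# Constructed illustration of the defect (not the real pre-fix code): the
# authority is read up to the first '/' or '?', so a '#...' fragment stays
# glued to it and its '@' is later mistaken for a userinfo separator.
_NAIVE_HOST = re.compile(r"^//([^/?]*)(.*)$")
# A fixed pattern also stops at '#', so the fragment never reaches the host.
_FIXED_HOST = re.compile(r"^//([^/?#]*)(.*)$")


def _split(pattern, url):
    """Return (authority, rest) or (None, url) when there is no '//' prefix."""
    m = pattern.match(url)
    if m is None:
        return None, url
    return m.group(1), m.group(2)


def _strip_userinfo(authority):
    """'login@host' -> 'host', splitting at the last '@' as splituser does."""
    return authority.rpartition("@")[2]


def naive_host(url):
    """Host as the defective parser would see it (ports are not handled)."""
    authority, _rest = _split(_NAIVE_HOST, url)
    return None if authority is None else _strip_userinfo(authority)


def fixed_host(url):
    """Host with the fragment excluded from the authority (ports not handled)."""
    authority, _rest = _split(_FIXED_HOST, url)
    return None if authority is None else _strip_userinfo(authority)


def stdlib_host(url):
    """The standard library's own answer, for comparison."""
    return urlsplit(url).hostname


def is_allowed(url, allowlist):
    """Allowlist check that relies on the fragment-aware host extraction."""
    return fixed_host(url) in allowlist
```

With the constructed URL from the entry, ``naive_host`` answers ``evil.com`` while ``fixed_host`` and ``stdlib_host`` both answer ``127.0.0.1``.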