What's New in Python 3.4: Security improvements

Victor Stinner 2014-03-11 13:17:30 +01:00
parent 637d2e9296
commit 11a4270b6a
2 changed files with 28 additions and 4 deletions


@ -137,7 +137,7 @@ to start a process. These *start methods* are
over Unix pipes. over Unix pipes.
.. versionchanged:: 3.4 .. versionchanged:: 3.4
*span* added on all unix platforms, and *forkserver* added for *spawn* added on all unix platforms, and *forkserver* added for
some unix platforms. some unix platforms.
Child processes no longer inherit all of the parents inheritable Child processes no longer inherit all of the parents inheritable
handles on Windows. handles on Windows.
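Review bot: The corrected line still writes "unix" in lower case twice ("all unix platforms", "some unix platforms"), while the context line above it has "over Unix pipes"; since the line is already being touched for the *span* to *spawn* fix, capitalise both. The unchanged sentence that follows, "all of the parents inheritable handles", is missing the possessive and should read "parent's".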


@ -124,8 +124,6 @@ Significantly Improved Library Modules:
* :ref:`Single-dispatch generic functions <whatsnew-singledispatch>` in * :ref:`Single-dispatch generic functions <whatsnew-singledispatch>` in
:mod:`functools` (:pep:`443`). :mod:`functools` (:pep:`443`).
* New :mod:`pickle` :ref:`protocol 4 <whatsnew-protocol-4>` (:pep:`3154`). * New :mod:`pickle` :ref:`protocol 4 <whatsnew-protocol-4>` (:pep:`3154`).
* :ref:`TLSv1.1 and TLSv1.2 support <whatsnew-tls-11-12>` for :mod:`ssl`
(:issue:`16692`).
* :mod:`multiprocessing` now has :ref:`an option to avoid using os.fork * :mod:`multiprocessing` now has :ref:`an option to avoid using os.fork
on Unix <whatsnew-multiprocessing-no-fork>` (:issue:`8713`). on Unix <whatsnew-multiprocessing-no-fork>` (:issue:`8713`).
* :mod:`email` has a new submodule, :mod:`~email.contentmanager`, and * :mod:`email` has a new submodule, :mod:`~email.contentmanager`, and
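Review bot: Removing the TLSv1.1/TLSv1.2 bullet moves :mod:`ssl` out of "Significantly Improved Library Modules", but the :mod:`multiprocessing` bullet directly below it stays in this list and is repeated under the new "Security improvements" heading. Apply one rule to both entries: either keep the :mod:`ssl` bullet here as well, or drop the multiprocessing bullet from this list, so that one feature is not moved while the other is listed twice.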
@ -136,6 +134,26 @@ Significantly Improved Library Modules:
correct introspection of a much wider variety of callable objects correct introspection of a much wider variety of callable objects
* The :mod:`ipaddress` module API has been declared stable * The :mod:`ipaddress` module API has been declared stable
Security improvements:
* :ref:`Secure and interchangeable hash algorithm <whatsnew-pep-456>`
(:pep:`456`).
* :ref:`Make newly created file descriptors non-inheritable <whatsnew-pep-446>`
(:pep:`446`) to avoid leaking file descriptors to child processes.
* A new :func:`hashlib.pbkdf2_hmac` function provides
the `PKCS#5 password-based key derivation function 2
<http://en.wikipedia.org/wiki/PBKDF2>`_.
* :ref:`TLSv1.1 and TLSv1.2 support <whatsnew-tls-11-12>` for :mod:`ssl`.
* :ref:`Retrieving certificates from the Windows system cert store support
<whatsnew34-win-cert-store>` for :mod:`ssl`.
* :ref:`Server-side SNI (Server Name Indication) support
<whatsnew34-sni>` for :mod:`ssl`.
* The :class:`ssl.SSLContext` class got a :ref:`lot of improvements
<whatsnew34-sslcontext>`.
* :mod:`multiprocessing` now has :ref:`an option to avoid using os.fork
on Unix <whatsnew-multiprocessing-no-fork>`: *spawn* and *forkserver* avoid
sharing data with child processes; child processes no longer inherit all of
the parents inheritable handles on Windows.
CPython implementation improvements: CPython implementation improvements:
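Review bot: The new TLS and multiprocessing bullets drop the tracker references that the same entries carry in the list above ((:issue:`16692`) and (:issue:`8713`)); keep them so the summary stays traceable to the changes. Two wording points in the same list: "Retrieving certificates from the Windows system cert store support" reads more naturally as "Support for retrieving certificates from the Windows system cert store", and "the parents inheritable handles" in the last bullet needs the possessive "parent's". "got a lot of improvements" for :class:`ssl.SSLContext` would be more useful if it named at least one of them.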
@ -1364,6 +1382,8 @@ TLSv1.2 support) have been added; support for these protocols is only available
Python is linked with OpenSSL 1.0.1 or later. (Contributed by Michele Orrù and Python is linked with OpenSSL 1.0.1 or later. (Contributed by Michele Orrù and
Antoine Pitrou in :issue:`16692`) Antoine Pitrou in :issue:`16692`)
.. _whatsnew34-sslcontext:
:class:`~ssl.SSLContext` method :meth:`~ssl.SSLContext.load_verify_locations` :class:`~ssl.SSLContext` method :meth:`~ssl.SSLContext.load_verify_locations`
accepts a new optional argument *cadata*, which can be used to provide PEM or accepts a new optional argument *cadata*, which can be used to provide PEM or
DER encoded certificates directly via strings or bytes, respectively. DER encoded certificates directly via strings or bytes, respectively.
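Review bot: The new label `whatsnew34-sslcontext` uses a `whatsnew34-` prefix, while the labels referenced elsewhere in this change use plain `whatsnew-` (`whatsnew-tls-11-12`, `whatsnew-pep-456`, `whatsnew-multiprocessing-no-fork`). Pick one scheme for the file, or note in the commit message why the new labels differ. The label also sits in front of a paragraph rather than a section title, so every :ref: to it has to supply explicit link text, as the summary bullet does.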
@ -1383,12 +1403,16 @@ s), as well as a :meth:`~ssl.SSLContext.get_ca_certs` method that returns a
list of the loaded ``CA`` certificates. (Contributed by Christian Heimes in list of the loaded ``CA`` certificates. (Contributed by Christian Heimes in
and :issue:`18147`.) and :issue:`18147`.)
.. _whatsnew34-win-cert-store:
Two new windows-only functions, :func:`~ssl.enum_certificates` and Two new windows-only functions, :func:`~ssl.enum_certificates` and
:func:`~ssl.enum_crls` provide the ability to retrieve certificates, :func:`~ssl.enum_crls` provide the ability to retrieve certificates,
certificate information, and CRLs from the Windows cert store. (Contributed certificate information, and CRLs from the Windows cert store. (Contributed
by Christian Heimes in :issue:`17134`.) by Christian Heimes in :issue:`17134`.)
Support for server-side SNI using the new .. _whatsnew34-sni:
Support for server-side SNI (Server Name Indication) using the new
:meth:`ssl.SSLContext.set_servername_callback` method. :meth:`ssl.SSLContext.set_servername_callback` method.
(Contributed by Daniel Black in :issue:`8109`.) (Contributed by Daniel Black in :issue:`8109`.)
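Review bot: The SNI paragraph is still a sentence fragment after this edit: "Support for server-side SNI (Server Name Indication) using the new :meth:`ssl.SSLContext.set_servername_callback` method." has no verb. Something like "Support for server-side SNI (Server Name Indication) has been added via the new ... method." would fix it. In the context line above, "windows-only" should be capitalised to match "Windows cert store" in the same sentence.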