update changelog for 2.0.2

Pylons · Aug 25, 2023 · 8dc51af · 8dc51af
1 parent 538a706
commit 8dc51af
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 0 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -1,3 +1,28 @@
+.. _changes_2.0.2:
+
+2.0.2 (2023-08-24)
+==========
+
+Bug Fixes
+---------
+
+- Removed support for null-bytes in the path when making a request for a file
+  against a static_view. Whille null-bytes are allowed by the HTTP
+  specification, due to the handling of null-bytes potentially leading to
+  security vulnerabilities it is no longer supported.
+
+  This fixes a security vulnerability that is present due to a bug in Python
+  3.11.0 through 3.11.4, thereby allowing the unintended disclosure of an
+  ``index.html`` one directory up from the static views path.
+
+  Thanks to Masashi Yamane of LAC Co., Ltd for reporting this issue.
+
+Backward Incompatibilities
+--------------------------
+
+- Requests to a static_view are no longer allowed to contain a null-byte in any
+  part of the path segment.
+
 .. _changes_2.0.1:
 
 2.0.1 (2023-01-29)

diff --git a/docs/whatsnew-2.0.rst b/docs/whatsnew-2.0.rst
@@ -16,6 +16,7 @@ Pyramid 2.0 was released on 2021-02-28.
 The following bug fix releases were made since then. Bug fix releases also include documentation improvements and other minor feature changes.
 
 - :ref:`changes_2.0.1`
+- :ref:`changes_2.0.2`
 
 Feature Additions
 -----------------