3.6.11rc1.rst

File metadata and controls

72 lines (53 loc) · 1.68 KB

Disallow CR or LF in :class:`email.headerregistry.Address` arguments to guard against header injection attacks; the constructor now raises :exc:`ValueError` if any part contains one.

Disallow control characters in hostnames in :mod:`http.client`, addressing CVE-2019-18348. Such potentially malicious header injection URLs now cause an :exc:`~http.client.InvalidURL` to be raised.
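The two entries above guard the same class of bug: a CR LF inside a value that is later formatted into a header terminates the current line, and whatever follows is sent as a header of the attacker's choosing. The example below is added here and is not code from the CPython changelog or the CPython sources; the hostile display name and host, and the "naive" formatting helpers that show what the injection would look like on the wire, are constructed for illustration. It then shows the patched library refusing the same values (``Address`` with ``ValueError``, ``HTTPConnection`` with ``InvalidURL``) before anything is sent.

```python
"""Header injection via CR/LF, and the library checks that stop it.

Added example (not CPython code). EVIL_DISPLAY_NAME and EVIL_HOST are
constructed attacker-controlled values; the naive_* helpers exist only to
show the forged line a string-formatted header would carry.
"""
import http.client
from email.headerregistry import Address
from email.message import EmailMessage

# Constructed: a display name and a host name that each smuggle CR LF plus a
# forged header line.
EVIL_DISPLAY_NAME = "Alice\r\nBcc: attacker@example.invalid"
EVIL_HOST = "example.invalid\r\nX-Injected: yes"


def naive_to_header(display_name, addr_spec):
    """String formatting with no validation: the CR LF in display_name ends
    the To: line and the remainder becomes a second header."""
    return f"To: {display_name} <{addr_spec}>\r\n"


def naive_host_header(host):
    """Same mistake for an HTTP request: the host lands in the Host: line."""
    return f"GET / HTTP/1.1\r\nHost: {host}\r\n\r\n"


def header_lines(raw):
    """Split assembled header text on CR LF; every line beyond the ones the
    caller meant to write is an injected header."""
    return [line for line in raw.split("\r\n") if line]


def address_rejects_crlf(display_name):
    """True if Address() refuses the value with ValueError, the behaviour the
    changelog entry describes for CR/LF in any argument."""
    try:
        Address(display_name=display_name, username="alice",
                domain="example.invalid")
    except ValueError:
        return True
    return False


def http_client_rejects_host(host):
    """True if HTTPConnection raises InvalidURL for a host with control
    characters (CVE-2019-18348). No socket is opened: the validation runs in
    the constructor, before connect() is ever called."""
    try:
        http.client.HTTPConnection(host)
    except http.client.InvalidURL:
        return True
    return False


def safe_to_header(display_name, username, domain):
    """Build the To: header through the email package instead of f-strings,
    so a CR/LF in any part fails loudly instead of reaching the wire."""
    msg = EmailMessage()
    msg["To"] = Address(display_name=display_name, username=username,
                        domain=domain)
    return str(msg["To"])


if __name__ == "__main__":
    print("naive email header lines:",
          header_lines(naive_to_header(EVIL_DISPLAY_NAME, "alice@example.invalid")))
    print("naive HTTP header lines: ", header_lines(naive_host_header(EVIL_HOST)))
    print("Address rejects CR/LF:   ", address_rejects_crlf(EVIL_DISPLAY_NAME))
    print("HTTPConnection rejects:  ", http_client_rejects_host(EVIL_HOST))
    print("clean header:            ", safe_to_header("Alice", "alice", "example.invalid"))
```

The naive helpers produce three header lines where two were intended (a ``Bcc:`` the sender never wrote, an ``X-Injected:`` the client never wrote); the library-level constructors reject the same inputs at the point of construction, which is where a practitioner should expect the check to fire, not at send time.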

CVE-2020-8492: The :class:`~urllib.request.AbstractBasicAuthHandler` class of the :mod:`urllib.request` module used a regular expression subject to catastrophic backtracking, which an attacker controlling a ``WWW-Authenticate`` header could exploit to cause a denial of service in the client. Fix the regex to prevent the catastrophic backtracking. Vulnerability reported by Ben Caller and Matt Schwager.

Avoid unsafe load of api-ms-win-core-path-l1-1-0.dll at startup on Windows 7.

Fix segfault in readinto() method on closed BufferedReader.

Fix possible crashes in the functions of the :mod:`heapq` module when a custom comparison operator modifies the heap during the operation.

:class:`~urllib.request.AbstractBasicAuthHandler` of :mod:`urllib.request` now parses all ``WWW-Authenticate`` HTTP headers and accepts multiple challenges per header, using the realm of the first Basic challenge.
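The CVE-2020-8492 entry and this one describe two sides of the same change to ``AbstractBasicAuthHandler``: the regex that parses ``WWW-Authenticate`` was replaced, and the handler now walks every header and every challenge in it. The example below is added here and is not CPython's own code. ``VULNERABLE_RX`` and ``FIXED_RX`` reproduce the pre- and post-fix patterns as I know them (check them against the CPython source you actually ship); ``first_basic_realm`` mirrors the post-fix selection logic, and the sample headers and the ReDoS payload are constructed.

```python
"""WWW-Authenticate parsing: the CVE-2020-8492 regex and its replacement.

Added example, not CPython code. The two patterns are reproduced from the
pre-/post-fix AbstractBasicAuthHandler.rx as I know them; headers and the
attacker payload below are constructed.
"""
import re
import time

# Pre-fix: '(?:.*,)*' nests two unbounded quantifiers around ','. A header of
# n commas that never reaches 'realm=' is retried for every way of splitting
# the commas between iterations, about 2**n attempts before search() gives up.
VULNERABLE_RX = re.compile(
    '(?:.*,)*[ \t]*([^ \t]+)[ \t]+realm=(["\']?)([^"\']*)\\2', re.I)

# Post-fix: each challenge is anchored at the start of the string or at a ','
# and the scheme token may not contain ',', so a failing header is abandoned
# after a bounded amount of work per character.
FIXED_RX = re.compile(
    '(?:^|,)[ \t]*([^ \t,]+)[ \t]+realm=(["\']?)([^"\']*)\\2', re.I)


def first_basic_realm(www_authenticate_headers):
    """Mirror of the post-fix handler: iterate every WWW-Authenticate header
    and every challenge in it; return the realm of the first Basic challenge.
    Returns None if nothing parsed; raises ValueError if only non-Basic
    schemes were seen, as the handler does."""
    unsupported = None
    for header in www_authenticate_headers:
        for mo in FIXED_RX.finditer(header):
            scheme, _quote, realm = mo.groups()
            if scheme.lower() != "basic":
                unsupported = scheme
                continue
            return realm
    if unsupported is not None:
        raise ValueError(f"unsupported auth scheme: {unsupported!r}")
    return None


def redos_payload(n):
    """Constructed attacker header: n commas and no 'realm=', so the match
    can only fail, after exploring every split."""
    return "," * n + "x"


def seconds_to_search(rx, header):
    """Wall-clock cost of one search(); used only for the demonstration."""
    start = time.perf_counter()
    rx.search(header)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Each +2 commas roughly quadruples the vulnerable pattern's time; the
    # fixed pattern stays flat.
    for n in (10, 12, 14):
        payload = redos_payload(n)
        print(f"n={n:2d} vulnerable={seconds_to_search(VULNERABLE_RX, payload):.4f}s"
              f" fixed={seconds_to_search(FIXED_RX, payload):.6f}s")
    print(first_basic_realm(['Bearer realm="api", Basic realm="files"']))
```

Keep ``n`` small when you run the timing loop locally: the cost of the vulnerable pattern doubles with every comma, which is exactly why a server-supplied header of a few dozen bytes was enough to stall the client.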