Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
9 changed files
with
71 additions
and
28 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,64 @@ | ||
.. bpo: 44022 | ||
.. date: 2021-05-05-17-37-04 | ||
.. nonce: bS3XJ9 | ||
.. release date: 2021-06-28 | ||
.. section: Security | ||
mod:`http.client` now avoids infinitely reading potential HTTP headers after | ||
a ``100 Continue`` status response from the server. | ||
|
||
.. | ||
.. bpo: 43882 | ||
.. date: 2021-04-25-07-46-37 | ||
.. nonce: Jpwx85 | ||
.. section: Security | ||
The presence of newline or tab characters in parts of a URL could allow some | ||
forms of attacks. | ||
|
||
Following the controlling specification for URLs defined by WHATWG | ||
:func:`urllib.parse` now removes ASCII newlines and tabs from URLs, | ||
preventing such attacks. | ||
|
||
.. | ||
.. bpo: 42988 | ||
.. date: 2021-03-24-14-16-56 | ||
.. nonce: P2aNco | ||
.. section: Security | ||
CVE-2021-3426: Remove the ``getfile`` feature of the :mod:`pydoc` module | ||
which could be abused to read arbitrary files on the disk (directory | ||
traversal vulnerability). Moreover, even source code of Python modules can | ||
contain sensitive data like passwords. Vulnerability reported by David | ||
Schwörer. | ||
|
||
.. | ||
.. bpo: 43285 | ||
.. date: 2021-03-13-03-48-14 | ||
.. nonce: g-Hah3 | ||
.. section: Security | ||
:mod:`ftplib` no longer trusts the IP address value returned from the server | ||
in response to the PASV command by default. This prevents a malicious FTP | ||
server from using the response to probe IPv4 address and port combinations | ||
on the client network. | ||
|
||
Code that requires the former vulnerable behavior may set a | ||
``trust_server_pasv_ipv4_address`` attribute on their :class:`ftplib.FTP` | ||
instances to ``True`` to re-enable it. | ||
|
||
.. | ||
.. bpo: 43075 | ||
.. date: 2021-01-31-05-28-14 | ||
.. nonce: DoAXqO | ||
.. section: Security | ||
Fix Regular Expression Denial of Service (ReDoS) vulnerability in | ||
:class:`urllib.request.AbstractBasicAuthHandler`. The ReDoS-vulnerable | ||
regex has quadratic worst-case complexity and it allows cause a denial of | ||
service when identifying crafted invalid RFCs. This ReDoS issue is on the | ||
client side and needs remote attackers to control the HTTP server. |
1 change: 0 additions & 1 deletion
1
Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
This file was deleted.
Oops, something went wrong.
8 changes: 0 additions & 8 deletions
8
Misc/NEWS.d/next/Security/2021-03-13-03-48-14.bpo-43285.g-Hah3.rst
This file was deleted.
Oops, something went wrong.
4 changes: 0 additions & 4 deletions
4
Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
This file was deleted.
Oops, something went wrong.
6 changes: 0 additions & 6 deletions
6
Misc/NEWS.d/next/Security/2021-04-25-07-46-37.bpo-43882.Jpwx85.rst
This file was deleted.
Oops, something went wrong.
2 changes: 0 additions & 2 deletions
2
Misc/NEWS.d/next/Security/2021-05-05-17-37-04.bpo-44022.bS3XJ9.rst
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters