diff options
author | Ned Deily <nad@python.org> | 2021-06-28 12:51:36 -0400 |
---|---|---|
committer | Ned Deily <nad@python.org> | 2021-06-28 12:51:36 -0400 |
commit | 9da28d2b3429d1bb30e082e4c9cb544d81fdae20 (patch) | |
tree | ceb20f25d9629514923481f3b3857ec800a3f754 | |
parent | bpo-44022: Improve the regression test. (GH-26503) (GH-26507) (diff) | |
download | cpython-3.7.11.tar.gz cpython-3.7.11.tar.bz2 cpython-3.7.11.zip |
3.7.11v3.7.11
11 files changed, 91 insertions, 32 deletions
diff --git a/Include/patchlevel.h b/Include/patchlevel.h index 308ef0af10..bc0b97aef2 100644 --- a/Include/patchlevel.h +++ b/Include/patchlevel.h @@ -18,12 +18,12 @@ /*--start constants--*/ #define PY_MAJOR_VERSION 3 #define PY_MINOR_VERSION 7 -#define PY_MICRO_VERSION 10 +#define PY_MICRO_VERSION 11 #define PY_RELEASE_LEVEL PY_RELEASE_LEVEL_FINAL #define PY_RELEASE_SERIAL 0 /* Version as a string */ -#define PY_VERSION "3.7.10+" +#define PY_VERSION "3.7.11" /*--end constants--*/ /* Version as a single 4-byte hex number, e.g. 0x010502B2 == 1.5.2b2. diff --git a/Lib/pydoc_data/topics.py b/Lib/pydoc_data/topics.py index 98c9efd942..108e492ee7 100644 --- a/Lib/pydoc_data/topics.py +++ b/Lib/pydoc_data/topics.py @@ -1,5 +1,5 @@ # -*- coding: utf-8 -*- -# Autogenerated by Sphinx on Mon Feb 15 20:10:03 2021 +# Autogenerated by Sphinx on Mon Jun 28 12:37:39 2021 topics = {'assert': 'The "assert" statement\n' '**********************\n' '\n' @@ -5118,7 +5118,7 @@ topics = {'assert': 'The "assert" statement\n' 'character that can be any character and defaults to a space ' 'if\n' 'omitted. It is not possible to use a literal curly brace ' - '(“"{"” or\n' + '(”"{"” or\n' '“"}"”) as the *fill* character in a formatted string ' 'literal or when\n' 'using the "str.format()" method. However, it is possible ' @@ -6742,7 +6742,7 @@ topics = {'assert': 'The "assert" statement\n' '\n' 'Note that numeric literals do not include a sign; a phrase like ' '"-1"\n' - 'is actually an expression composed of the unary operator ‘"-"‘ ' + 'is actually an expression composed of the unary operator ‘"-"’ ' 'and the\n' 'literal "1".\n', 'numeric-types': 'Emulating numeric types\n' diff --git a/Misc/NEWS.d/3.7.11.rst b/Misc/NEWS.d/3.7.11.rst new file mode 100644 index 0000000000..be63cd164a --- /dev/null +++ b/Misc/NEWS.d/3.7.11.rst @@ -0,0 +1,84 @@ +.. bpo: 44022 +.. date: 2021-05-05-17-37-04 +.. nonce: bS3XJ9 +.. release date: 2021-06-28 +.. section: Security + +mod:`http.client` now avoids infinitely reading potential HTTP headers after +a ``100 Continue`` status response from the server. + +.. + +.. bpo: 43882 +.. date: 2021-04-25-07-46-37 +.. nonce: Jpwx85 +.. section: Security + +The presence of newline or tab characters in parts of a URL could allow some +forms of attacks. + +Following the controlling specification for URLs defined by WHATWG +:func:`urllib.parse` now removes ASCII newlines and tabs from URLs, +preventing such attacks. + +.. + +.. bpo: 42988 +.. date: 2021-03-24-14-16-56 +.. nonce: P2aNco +.. section: Security + +CVE-2021-3426: Remove the ``getfile`` feature of the :mod:`pydoc` module +which could be abused to read arbitrary files on the disk (directory +traversal vulnerability). Moreover, even source code of Python modules can +contain sensitive data like passwords. Vulnerability reported by David +Schwörer. + +.. + +.. bpo: 43285 +.. date: 2021-03-13-03-48-14 +.. nonce: g-Hah3 +.. section: Security + +:mod:`ftplib` no longer trusts the IP address value returned from the server +in response to the PASV command by default. This prevents a malicious FTP +server from using the response to probe IPv4 address and port combinations +on the client network. + +Code that requires the former vulnerable behavior may set a +``trust_server_pasv_ipv4_address`` attribute on their :class:`ftplib.FTP` +instances to ``True`` to re-enable it. + +.. + +.. bpo: 43075 +.. date: 2021-01-31-05-28-14 +.. nonce: DoAXqO +.. section: Security + +Fix Regular Expression Denial of Service (ReDoS) vulnerability in +:class:`urllib.request.AbstractBasicAuthHandler`. The ReDoS-vulnerable +regex has quadratic worst-case complexity and it allows cause a denial of +service when identifying crafted invalid RFCs. This ReDoS issue is on the +client side and needs remote attackers to control the HTTP server. + +.. + +.. bpo: 43660 +.. date: 2021-03-29-19-50-34 +.. nonce: scTgag +.. section: Core and Builtins + +Fix crash that happens when replacing ``sys.stderr`` with a callable that +can remove the object while an exception is being printed. Patch by Pablo +Galindo. + +.. + +.. bpo: 41561 +.. date: 2021-03-18-10-34-42 +.. nonce: pDg4w- +.. section: Tests + +Add workaround for Ubuntu's custom OpenSSL security level policy. diff --git a/Misc/NEWS.d/next/Core and Builtins/2021-03-29-19-50-34.bpo-43660.scTgag.rst b/Misc/NEWS.d/next/Core and Builtins/2021-03-29-19-50-34.bpo-43660.scTgag.rst deleted file mode 100644 index 98419501d9..0000000000 --- a/Misc/NEWS.d/next/Core and Builtins/2021-03-29-19-50-34.bpo-43660.scTgag.rst +++ /dev/null @@ -1,3 +0,0 @@ -Fix crash that happens when replacing ``sys.stderr`` with a callable that -can remove the object while an exception is being printed. Patch by Pablo -Galindo. diff --git a/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst deleted file mode 100644 index 1c9f727e96..0000000000 --- a/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst +++ /dev/null @@ -1 +0,0 @@ -Fix Regular Expression Denial of Service (ReDoS) vulnerability in :class:`urllib.request.AbstractBasicAuthHandler`. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server. diff --git a/Misc/NEWS.d/next/Security/2021-03-13-03-48-14.bpo-43285.g-Hah3.rst b/Misc/NEWS.d/next/Security/2021-03-13-03-48-14.bpo-43285.g-Hah3.rst deleted file mode 100644 index 8312b7e885..0000000000 --- a/Misc/NEWS.d/next/Security/2021-03-13-03-48-14.bpo-43285.g-Hah3.rst +++ /dev/null @@ -1,8 +0,0 @@ -:mod:`ftplib` no longer trusts the IP address value returned from the server -in response to the PASV command by default. This prevents a malicious FTP -server from using the response to probe IPv4 address and port combinations -on the client network. - -Code that requires the former vulnerable behavior may set a -``trust_server_pasv_ipv4_address`` attribute on their -:class:`ftplib.FTP` instances to ``True`` to re-enable it. diff --git a/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst deleted file mode 100644 index 4b42dd0530..0000000000 --- a/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst +++ /dev/null @@ -1,4 +0,0 @@ -CVE-2021-3426: Remove the ``getfile`` feature of the :mod:`pydoc` module which -could be abused to read arbitrary files on the disk (directory traversal -vulnerability). Moreover, even source code of Python modules can contain -sensitive data like passwords. Vulnerability reported by David Schwörer. diff --git a/Misc/NEWS.d/next/Security/2021-04-25-07-46-37.bpo-43882.Jpwx85.rst b/Misc/NEWS.d/next/Security/2021-04-25-07-46-37.bpo-43882.Jpwx85.rst deleted file mode 100644 index a326d079df..0000000000 --- a/Misc/NEWS.d/next/Security/2021-04-25-07-46-37.bpo-43882.Jpwx85.rst +++ /dev/null @@ -1,6 +0,0 @@ -The presence of newline or tab characters in parts of a URL could allow -some forms of attacks. - -Following the controlling specification for URLs defined by WHATWG -:func:`urllib.parse` now removes ASCII newlines and tabs from URLs, -preventing such attacks. diff --git a/Misc/NEWS.d/next/Security/2021-05-05-17-37-04.bpo-44022.bS3XJ9.rst b/Misc/NEWS.d/next/Security/2021-05-05-17-37-04.bpo-44022.bS3XJ9.rst deleted file mode 100644 index cf6b63e396..0000000000 --- a/Misc/NEWS.d/next/Security/2021-05-05-17-37-04.bpo-44022.bS3XJ9.rst +++ /dev/null @@ -1,2 +0,0 @@ -mod:`http.client` now avoids infinitely reading potential HTTP headers after a -``100 Continue`` status response from the server. diff --git a/Misc/NEWS.d/next/Tests/2021-03-18-10-34-42.bpo-41561.pDg4w-.rst b/Misc/NEWS.d/next/Tests/2021-03-18-10-34-42.bpo-41561.pDg4w-.rst deleted file mode 100644 index 214350729b..0000000000 --- a/Misc/NEWS.d/next/Tests/2021-03-18-10-34-42.bpo-41561.pDg4w-.rst +++ /dev/null @@ -1 +0,0 @@ -Add workaround for Ubuntu's custom OpenSSL security level policy. diff --git a/README.rst b/README.rst index 05f56a9f06..6797764b78 100644 --- a/README.rst +++ b/README.rst @@ -1,5 +1,5 @@ -This is Python version 3.7.10+ -============================== +This is Python version 3.7.11 +============================= .. image:: https://travis-ci.org/python/cpython.svg?branch=3.7 :alt: CPython build status on Travis CI |