| e53c985 | Larry Hastings | 19 August 2020, 19:56:53 UTC | Version bump and copyright update for 3.5.10rc1. | 19 August 2020, 19:56:53 UTC |
| 45efe03 | Larry Hastings | 19 August 2020, 19:51:35 UTC | Blurb release and pydoc topics for 3.5.10rc1. | 19 August 2020, 19:51:35 UTC |
| 11d258c | Tapas Kundu | 04 August 2020, 02:33:30 UTC | [3.5] bpo-41004: Resolve hash collisions for IPv4Interface and IPv6Interface (GH-21033) (#21233) CVE-2020-14422: The __hash__() methods of classes IPv4Interface and IPv6Interface had issue of generating constant hash values of 32 and 128 respectively causing hash collisions. The fix uses the hash() function to generate hash values for the objects instead of XOR operation. (cherry picked from commit b30ee26e366bf509b7538d79bfec6c6d38d53f28) Co-authored-by: Ravi Teja P <rvteja92@gmail.com> Signed-off-by: Tapas Kundu <tkundu@vmware.com> | 04 August 2020, 02:33:30 UTC |
| f205f10 | Steve Dower | 04 August 2020, 02:16:20 UTC | [3.5] bpo-29778: Ensure python3.dll is loaded from correct locations when Python is embedded (GH-21297) (#21377) bpo-29778: Ensure python3.dll is loaded from correct locations when Python is embedded. | 04 August 2020, 02:16:20 UTC |
| cac9ca8 | Petr Viktorin | 16 July 2020, 19:48:01 UTC | [3.5] bpo-39017: Avoid infinite loop in the tarfile module (GH-21454) (#21489) Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907). (cherry picked from commit 5a8d121a1f3ef5ad7c105ee378cc79a3eac0c7d4) Co-authored-by: Rishi <rishi_devan@mail.com> | 16 July 2020, 19:48:01 UTC |
| f52bf62 | Christian Heimes | 02 July 2020, 12:32:05 UTC | bpo-41183: Update finite DH params to 3072 bits (#21278) Signed-off-by: Christian Heimes <christian@python.org> | 02 July 2020, 12:32:05 UTC |
| d565be8 | Christian Heimes | 02 July 2020, 07:07:15 UTC | bpo-41183: Update test certs and keys (#21258) Manual backport of bpo-34542, GH-8997 and commit 1da2b23504a68ed0432aa74a17ec2533933f5af8 to Python 3.5. Signed-off-by: Christian Heimes <christian@python.org> | 02 July 2020, 07:07:15 UTC |
| 09d8172 | Tapas Kundu | 20 June 2020, 06:43:50 UTC | [3.5] closes bpo-38576: Disallow control characters in hostnames in http.client. (#19300) Add host validation for control characters for more CVE-2019-18348 protection. (cherry picked from commit 83fc70159b24) | 20 June 2020, 06:43:50 UTC |
| 37fe316 | Victor Stinner | 20 June 2020, 06:26:58 UTC | bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler (GH-18284) (#19305) The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression which can be exploited by an attacker to cause a denial of service. Fix the regex to prevent the catastrophic backtracking. Vulnerability reported by Ben Caller and Matt Schwager. AbstractBasicAuthHandler of urllib.request now parses all WWW-Authenticate HTTP headers and accepts multiple challenges per header: use the realm of the first Basic challenge. | 20 June 2020, 06:26:58 UTC |
| f91a0b6 | Victor Stinner | 12 June 2020, 15:33:19 UTC | bpo-39073: validate Address parts to disallow CRLF (#19007) (#20450) Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks. (cherry picked from commit 614f17211c5fc0e5b828be1d3320661d1038fe8f) | 12 June 2020, 15:33:19 UTC |
| f88b578 | Inada Naoki | 12 June 2020, 14:46:40 UTC | bpo-39035: travis: Update image to xenial (#17623) Use image same to master to ease maintainance. Remove "group: beta" to make Travis more stable. | 12 June 2020, 14:46:40 UTC |
| 55a6a16 | Victor Stinner | 03 April 2020, 01:37:32 UTC | bpo-38804: Fix REDoS in http.cookiejar (GH-17157) (#17344) The regex http.cookiejar.LOOSE_HTTP_DATE_RE was vulnerable to regular expression denial of service (REDoS). LOOSE_HTTP_DATE_RE.match is called when using http.cookiejar.CookieJar to parse Set-Cookie headers returned by a server. Processing a response from a malicious HTTP server can lead to extreme CPU usage and execution will be blocked for a long time. The regex contained multiple overlapping \s* capture groups. Ignoring the ?-optional capture groups the regex could be simplified to \d+-\w+-\d+(\s*\s*\s*)$ Therefore, a long sequence of spaces can trigger bad performance. Matching a malicious string such as LOOSE_HTTP_DATE_RE.match("1-c-1" + (" " * 2000) + "!") caused catastrophic backtracking. The fix removes ambiguity about which \s* should match a particular space. You can create a malicious server which responds with Set-Cookie headers to attack all python programs which access it e.g. from http.server import BaseHTTPRequestHandler, HTTPServer def make_set_cookie_value(n_spaces): spaces = " " * n_spaces expiry = f"1-c-1{spaces}!" return f"b;Expires={expiry}" class Handler(BaseHTTPRequestHandler): def do_GET(self): self.log_request(204) self.send_response_only(204) # Don't bother sending Server and Date n_spaces = ( int(self.path[1:]) # Can GET e.g. /100 to test shorter sequences if len(self.path) > 1 else 65506 # Max header line length 65536 ) value = make_set_cookie_value(n_spaces) for i in range(99): # Not necessary, but we can have up to 100 header lines self.send_header("Set-Cookie", value) self.end_headers() if __name__ == "__main__": HTTPServer(("", 44020), Handler).serve_forever() This server returns 99 Set-Cookie headers. Each has 65506 spaces. Extracting the cookies will pretty much never complete. Vulnerable client using the example at the bottom of https://docs.python.org/3/library/http.cookiejar.html : import http.cookiejar, urllib.request cj = http.cookiejar.CookieJar() opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj)) r = opener.open("http://localhost:44020/") The popular requests library was also vulnerable without any additional options (as it uses http.cookiejar by default): import requests requests.get("http://localhost:44020/") * Regression test for http.cookiejar REDoS If we regress, this test will take a very long time. * Improve performance of http.cookiejar.ISO_DATE_RE A string like "444444" + (" " * 2000) + "A" could cause poor performance due to the 2 overlapping \s* groups, although this is not as serious as the REDoS in LOOSE_HTTP_DATE_RE was. (cherry picked from commit 1b779bfb8593739b11cbb988ef82a883ec9d077e) Co-authored-by: bcaller <bcaller@users.noreply.github.com> | 03 April 2020, 01:37:32 UTC |
| ed07522 | Victor Stinner | 02 April 2020, 23:09:58 UTC | bpo-40156: Copy Codecov configuration from master (#19309) Disable "Codevov patch" job on pull requests. | 02 April 2020, 23:09:58 UTC |
| 8835f46 | Ned Deily | 21 March 2020, 05:42:50 UTC | bpo-38945: UU Encoding: Don't let newline in filename corrupt the output format (GH-17418) (GH-17444) (#17445) (cherry picked from commit a62ad4730c9b575f140f24074656c0257c86a09a) Co-authored-by: Matthew Rollings <1211162+stealthcopter@users.noreply.github.com> | 21 March 2020, 05:42:50 UTC |
| 276eb67 | Larry Hastings | 02 November 2019, 00:18:54 UTC | Post-release update for 3.5.9 final. | 02 November 2019, 00:18:54 UTC |
| e5f6aba | Larry Hastings | 01 November 2019, 23:02:34 UTC | Version bump for 3.5.9 final. | 01 November 2019, 23:02:34 UTC |
| 9f9afc1 | Larry Hastings | 01 November 2019, 23:01:12 UTC | Blurb release and pydoc topics for 3.5.9 final. | 01 November 2019, 23:01:12 UTC |
| 58ae08d | Larry Hastings | 29 October 2019, 06:42:44 UTC | Post release updates for 3.5.8 final. | 29 October 2019, 06:42:44 UTC |
| ac39a51 | Larry Hastings | 29 October 2019, 06:08:24 UTC | Version bump for 3.5.8 final. | 29 October 2019, 06:08:24 UTC |
| efb6611 | Larry Hastings | 29 October 2019, 06:07:34 UTC | Blurb release and pydoc topics for 3.5.8 final. | 29 October 2019, 06:07:34 UTC |
| d7b336f | Serhiy Storchaka | 29 April 2018, 12:45:03 UTC | [3.5] bpo-31026: Fix test_dbm if dbm.ndbm is build with Berkeley DB. (GH-6632) (cherry picked from commit 70af06cdc4e8fbee0b9d7d46bdc193097d4bc71f) | 29 October 2019, 05:56:33 UTC |
| 3fe1b19 | Victor Stinner | 29 October 2019, 05:40:15 UTC | bpo-38243, xmlrpc.server: Escape the server_title (GH-16373) (GH-16441) (#16516) Escape the server title of xmlrpc.server.DocXMLRPCServer when rendering the document page as HTML. (cherry picked from commit e8650a4f8c7fb76f570d4ca9c1fbe44e91c8dfaa) | 29 October 2019, 05:40:15 UTC |
| 2a6ce8a | Larry Hastings | 12 October 2019, 11:50:04 UTC | Post-release update for 3.5.8rc2. | 12 October 2019, 11:50:04 UTC |
| ac4f751 | Larry Hastings | 12 October 2019, 11:10:33 UTC | Version bump for 3.5.8rc2. | 12 October 2019, 11:10:33 UTC |
| 280a0f5 | Larry Hastings | 12 October 2019, 11:07:42 UTC | Fix docs, blurb release, pydoc-topics for 3.5.8rc2. | 12 October 2019, 11:07:42 UTC |
| c386c8b | Victor Stinner | 09 October 2019, 05:34:26 UTC | closes bpo-38174: Update vendored expat library to 2.2.8. (GH-16346) (#16434) Fixes CVE-2019-15903. See full changelog at https://github.com/libexpat/libexpat/blob/R_2_2_8/expat/Changes. | 09 October 2019, 05:34:26 UTC |
| 2784e78 | Jason R. Coombs | 08 October 2019, 17:36:44 UTC | [3.5] bpo-38216, bpo-36274: Allow subclasses to separately override validation and encoding behavior (GH-16448) (#16475) * [3.5] bpo-38216, bpo-36274: Allow subclasses to separately override validation and encoding behavior (GH-16448) | 08 October 2019, 17:36:44 UTC |
| edd9bc9 | Victor Stinner | 08 October 2019, 17:12:21 UTC | [3.7] Doc: Bump sphinx. (GH-10676) (GH-10803) (#16522) (cherry picked from commit 2db96ae7444880d66d4ef65abab8a5e6ff328711) Co-authored-by: Julien Palard <julien@palard.fr> (cherry picked from commit 23a98abd4256f931ed89b65ec6babd4f06dbff97) | 08 October 2019, 17:12:21 UTC |
| 4452cdc | Larry Hastings | 09 September 2019, 13:39:36 UTC | Sphinx 1.8 is now preferred for building 3.5 docs. | 09 September 2019, 13:39:36 UTC |
| a7b0992 | Larry Hastings | 09 September 2019, 11:18:48 UTC | Version bump for 3.5.8rc1. | 09 September 2019, 11:18:48 UTC |
| ee5b1a2 | Larry Hastings | 09 September 2019, 11:16:26 UTC | Blurb release and pydoc-topics for 3.5.8rc1. | 09 September 2019, 11:16:26 UTC |
| c28e4a5 | Abhilash Raj | 07 September 2019, 07:08:53 UTC | [3.5] bpo-37461: Fix infinite loop in parsing of specially crafted email headers (GH-14794) (#15446) * [3.5] bpo-37461: Fix infinite loop in parsing of specially crafted email headers (GH-14794) Some crafted email header would cause the get_parameter method to run in an infinite loop causing a DoS attack surface when parsing those headers. This patch fixes that by making sure the DQUOTE character is handled to prevent going into an infinite loop. (cherry picked from commit a4a994bd3e619cbaff97610a1cee8ffa87c672f5) Co-authored-by: Abhilash Raj <maxking@users.noreply.github.com> Co-Authored-By: Ashwin Ramaswami <aramaswamis@gmail.com> | 07 September 2019, 07:08:53 UTC |
| 095373c | Victor Stinner | 07 September 2019, 06:33:24 UTC | bpo-36742: Corrects fix to handle decomposition in usernames (GH-13812) (GH-13814) (#14772) (cherry picked from commit 8d0ef0b5edeae52960c7ed05ae8a12388324f87e) Co-authored-by: Steve Dower <steve.dower@python.org> (cherry picked from commit fd1771dbdd28709716bd531580c40ae5ed814468) | 07 September 2019, 06:33:24 UTC |
| 4d1c254 | Victor Stinner | 07 September 2019, 06:06:27 UTC | bpo-36576: Skip test_ssl and test_asyncio tests failing with OpenSSL 1.1.1 (#12694) Some test_ssl and test_asyncio tests were written for OpenSSL 1.0 and TLS 1.0, but fail with OpenSSL 1.1.1 and TLS 1.3. Fixing these requires backporting new ssl flags like ssl.OP_NO_TLSv1_3 or ssl.OP_NO_COMPRESSION, which is inappropriate at this stage in Python 3.5's lifetime. Moreover, it's not really worth it: the code works fine, the problem is just in the tests. This patch disables those problematic tests when Python 3.5 is built using newer versions of OpenSSL. | 07 September 2019, 06:06:27 UTC |
| 063eba2 | Abhilash Raj | 07 September 2019, 05:24:05 UTC | [3.5] bpo-34155: Dont parse domains containing @ (GH-13079) (#15317) https://bugs.python.org/issue34155 (cherry picked from commit 8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9) Co-authored-by: jpic <jpic@users.noreply.github.com> | 07 September 2019, 05:24:05 UTC |
| afe3a49 | Miro Hrončok | 14 July 2019, 09:07:11 UTC | bpo-30458: Disallow control chars in http URLs. (GH-12755) (#13207) Disallow control chars in http URLs in urllib.urlopen. This addresses a potential security problem for applications that do not sanity check their URLs where http request headers could be injected. Disable https related urllib tests on a build without ssl (GH-13032) These tests require an SSL enabled build. Skip these tests when python is built without SSL to fix test failures. Use http.client.InvalidURL instead of ValueError as the new error case's exception. (GH-13044) Co-Authored-By: Miro Hrončok <miro@hroncok.cz> | 14 July 2019, 09:07:11 UTC |
| 4655d57 | Steve Dower | 14 July 2019, 08:16:19 UTC | bpo-36742: Fixes handling of pre-normalization characters in urlsplit() (GH-13017) (#13042) | 14 July 2019, 08:16:19 UTC |
| 4fe82a8 | Victor Stinner | 14 July 2019, 07:04:15 UTC | bpo-35907, CVE-2019-9948: urllib rejects local_file:// scheme (GH-13474) (GH-13505) (#13510) CVE-2019-9948: Avoid file reading by disallowing local-file:// and local_file:// URL schemes in URLopener().open() and URLopener().retrieve() of urllib.request. Co-Authored-By: SH <push0ebp@gmail.com> | 14 July 2019, 07:04:15 UTC |
| 43a0ae9 | Anthony Sottile | 13 July 2019, 22:12:45 UTC | Fix compatibility with ISO C89 needed by "gnu89" standard of GCC 4.8: use C89 for loops in backported pickle patch (#12622) | 13 July 2019, 22:12:44 UTC |
| 221178a | Gregory P. Smith | 13 July 2019, 15:35:35 UTC | [3.5] bpo-36816: Update the self-signed.pythontest.net cert (GH-13192) (#13200) * [3.5] bpo-36816: Update the self-signed.pythontest.net cert (GH-13192) We updated the server, our testsuite must match. https://bugs.python.org/issue36816 ✈️ CLE -> DEN ✈️ GH-pycon2019 (cherry picked from commit 6bd81734de0b73f1431880d6a75fb71bcbc65fa1) Co-authored-by: Gregory P. Smith <greg@krypto.org> | 13 July 2019, 15:35:34 UTC |
| 8486716 | Julien Palard | 13 July 2019, 14:46:56 UTC | [3.5] Doc: Add an optional obsolete header. (GH-13638). (#13658) * [3.5] Doc: Add an optional obsolete header. (GH-13638). (cherry picked from commit 46ed90dd014010703c7a3b2a61c4927644fa8210) Co-authored-by: Julien Palard <julien@palard.fr> | 13 July 2019, 14:46:56 UTC |
| 2bb3278 | Larry Hastings | 19 March 2019, 15:19:22 UTC | Post-release version bump for 3.5.7. | 19 March 2019, 15:19:22 UTC |
| 1917d9b | Larry Hastings | 17 March 2019, 23:47:59 UTC | Version bump for 3.5.7 final. | 17 March 2019, 23:47:59 UTC |
| 6c4214d | Larry Hastings | 17 March 2019, 23:39:54 UTC | Blurb release and pydoc-topics for 3.5.7 final. | 17 March 2019, 23:39:54 UTC |
| 4749f1b | Xtreak | 17 March 2019, 00:03:39 UTC | [3.5] bpo-35121: prefix dot in domain for proper subdomain validation (GH-10258) (#12281) Don't send cookies of domain A without Domain attribute to domain B when domain A is a suffix match of domain B while using a cookiejar with `http.cookiejar.DefaultCookiePolicy` policy. Patch by Karthikeyan Singaravelan. (cherry picked from commit ca7fe5063593958e5efdf90f068582837f07bd14) Co-authored-by: Xtreak <tir.karthi@gmail.com> | 17 March 2019, 00:03:39 UTC |
| 382981b | Xtreak | 16 March 2019, 23:42:11 UTC | bpo-35647: Fix path check in cookiejar (#11436) (#12277) * Refactor cookie path check as per RFC 6265 * Add tests for prefix match of path * Add news entry * Fix set_ok_path and refactor tests * Use slice for last letter (cherry picked from commit 0e1f1f01058bd4a9b98cfe443214adecc019a38c) | 16 March 2019, 23:42:11 UTC |
| c0d9511 | Steve Dower | 11 March 2019, 04:59:24 UTC | bpo-36216: Add check for characters in netloc that normalize to separators (GH-12201) (#12223) | 11 March 2019, 04:59:24 UTC |
| 6b0d50d | Larry Hastings | 04 March 2019, 09:36:14 UTC | Post-release verison bump for 3.5.7rc1. | 04 March 2019, 09:36:14 UTC |
| d571dd3 | Larry Hastings | 04 March 2019, 02:09:45 UTC | Version bump & copyright year update for 3.5.7rc1. | 04 March 2019, 02:09:45 UTC |
| 485fa7e | Larry Hastings | 04 March 2019, 02:00:25 UTC | PyDoc and blurb updates for 3.5.7rc1. | 04 March 2019, 02:00:25 UTC |
| 8ec1fd1 | Cheryl Sabella | 04 March 2019, 00:00:49 UTC | [3.5] bpo-33329: Fix multiprocessing regression on newer glibcs (GH-6575) (#12144) Starting with glibc 2.27.9000-xxx, sigaddset() can return EINVAL for some reserved signal numbers between 1 and NSIG. The `range(1, NSIG)` idiom is commonly used to select all signals for blocking with `pthread_sigmask`. So we ignore the sigaddset() return value until we expose sigfillset() to provide a better idiom. (cherry picked from commit 25038ec) Co-authored-by: Antoine Pitrou <pitrou@free.fr> | 04 March 2019, 00:00:49 UTC |
| 56f8783 | Alex Viscreanu | 01 March 2019, 07:36:00 UTC | [3.5] bpo-33127: Compatibility patch for LibreSSL 2.7.0 (GH-6210) (#10994) * bpo-33127: Compatibility patch for LibreSSL 2.7.0 (GH-6210) LibreSSL 2.7 introduced OpenSSL 1.1.0 API. The ssl module now detects LibreSSL 2.7 and only provides API shims for OpenSSL < 1.1.0 and LibreSSL < 2.7. Documentation updates and fixes for failing tests will be provided in another patch set. Signed-off-by: Christian Heimes <christian@python.org> | 01 March 2019, 07:36:00 UTC |
| 7cd08cf | Victor Stinner | 26 February 2019, 01:47:47 UTC | bpo-34791: xml package obeys ignore env flags (GH-9544) (#11871) The xml.sax and xml.dom.domreg modules now obey sys.flags.ignore_environment. Signed-off-by: Christian Heimes <christian@python.org> (cherry picked from commit 223e501fb9c2b6ae21b96054e20c4c31d94a5d96) | 26 February 2019, 01:47:47 UTC |
| ef33dd6 | Victor Stinner | 26 February 2019, 00:42:39 UTC | closes bpo-34656: Avoid relying on signed overflow in _pickle memos. (GH-9261) (#11869) (cherry picked from commit a4ae828ee416a66d8c7bf5ee71d653c2cc6a26dd) | 26 February 2019, 00:42:39 UTC |
| efec763 | Victor Stinner | 26 February 2019, 00:17:02 UTC | bpo-35746: Fix segfault in ssl's cert parser (GH-11569) (#11867) Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL distribution points with empty DP or URI correctly. A malicious or buggy certificate can result into segfault. Vulnerability (TALOS-2018-0758) reported by Colin Read and Nicolas Edet of Cisco. Signed-off-by: Christian Heimes <christian@python.org> (cherry picked from commit a37f52436f9aa4b9292878b72f3ff1480e2606c3) | 26 February 2019, 00:17:02 UTC |
| 8bcbc78 | Victor Stinner | 25 February 2019, 23:16:36 UTC | bpo-35411: Skip test_urllib2net FTP tests on Travis CI (GH-10907) (#11874) On Travis CI, FTP tests of test_urllib2net randomly fail with "425 Security: Bad IP connecting". (cherry picked from commit c11b3b19a5b022c6c229043d37f9a9fd06f22500) | 25 February 2019, 23:16:36 UTC |
| 41b48e7 | stratakis | 25 February 2019, 21:04:09 UTC | [3.5] bpo-34623: Use XML_SetHashSalt in _elementtree (#9933) * bpo-34623: Use XML_SetHashSalt in _elementtree (GH-9146) The C accelerated _elementtree module now initializes hash randomization salt from _Py_HashSecret instead of libexpat's default CPRNG. Signed-off-by: Christian Heimes <christian@python.org> https://bugs.python.org/issue34623 (cherry picked from commit cb5778f00ce48631c7140f33ba242496aaf7102b) Co-authored-by: Christian Heimes <christian@python.org> | 25 February 2019, 21:04:09 UTC |
| 1a2b52b | Larry Hastings | 02 August 2018, 13:51:56 UTC | Post-release version bump for 3.5.6. | 02 August 2018, 13:51:56 UTC |
| 627d0c6 | Larry Hastings | 02 August 2018, 09:19:12 UTC | Version bump for 3.5.6 final. | 02 August 2018, 09:19:12 UTC |
| b86a50f | Larry Hastings | 02 August 2018, 09:16:53 UTC | Add Blurb entry for 3.5.6 final. | 02 August 2018, 09:16:53 UTC |
| f497e74 | Larry Hastings | 20 July 2018, 02:31:49 UTC | Post-release version bump for 3.5.6rc1. | 20 July 2018, 02:31:49 UTC |
| 7df16b1 | Larry Hastings | 20 July 2018, 00:57:25 UTC | Version bump for 3.5.6rc1. | 20 July 2018, 00:57:25 UTC |
| 95c6597 | Larry Hastings | 20 July 2018, 00:55:28 UTC | PyDoc topics refresh & blurb release for 3.5.6rc1. | 20 July 2018, 00:55:28 UTC |
| 76aa2c0 | larryhastings | 19 July 2018, 23:35:28 UTC | bpo-33216: Clarify the documentation for CALL_FUNCTION_* (#8338) Clarify the documentation for the CALL_FUNCTION_* bytecodes. They changed in 3.5 in subtle ways and the documentation has never been correct, much less clear. | 19 July 2018, 23:35:28 UTC |
| 1b141b9 | Julien Palard | 02 July 2018, 19:56:28 UTC | Doc: Backport language switcher (bpo-33700, bpo-31045) (#8048) | 02 July 2018, 19:56:28 UTC |
| 13402fc | Ned Deily | 27 June 2018, 22:49:31 UTC | Backport 3.7.0 final changes | 27 June 2018, 22:49:31 UTC |
| f381cfe | Steve Dower | 14 May 2018, 18:03:17 UTC | [3.5] bpo-33001: Prevent buffer overrun in os.symlink (GH-5989) (#5991) * bpo-33001: Minimal fix to prevent buffer overrun in os.symlink * Remove invalid test | 14 May 2018, 18:03:17 UTC |
| 937ac1f | Ned Deily | 11 March 2018, 18:29:05 UTC | [3.5] bpo-32981: Fix catastrophic backtracking vulns (GH-5955) (#6034) * Prevent low-grade poplib REDOS (CVE-2018-1060) The regex to test a mail server's timestamp is susceptible to catastrophic backtracking on long evil responses from the server. Happily, the maximum length of malicious inputs is 2K thanks to a limit introduced in the fix for CVE-2013-1752. A 2KB evil response from the mail server would result in small slowdowns (milliseconds vs. microseconds) accumulated over many apop calls. This is a potential DOS vector via accumulated slowdowns. Replace it with a similar non-vulnerable regex. The new regex is RFC compliant. The old regex was non-compliant in edge cases. * Prevent difflib REDOS (CVE-2018-1061) The default regex for IS_LINE_JUNK is susceptible to catastrophic backtracking. This is a potential DOS vector. Replace it with an equivalent non-vulnerable regex. Also introduce unit and REDOS tests for difflib. Co-authored-by: Tim Peters <tim.peters@gmail.com> Co-authored-by: Christian Heimes <christian@python.org>. (cherry picked from commit 0e6c8ee2358a2e23117501826c008842acb835ac) | 11 March 2018, 18:29:05 UTC |
| 6fb30f4 | Larry Hastings | 05 February 2018, 00:38:21 UTC | Post-release bump for Python 3.5.5. | 05 February 2018, 00:38:21 UTC |
| 27657e7 | Larry Hastings | 04 February 2018, 23:40:56 UTC | Version bump for 3.5.5. | 04 February 2018, 23:40:56 UTC |
| 8201a1e | Larry Hastings | 04 February 2018, 23:39:04 UTC | Finalize blurb archive for 3.5.5 (no new blurbs). | 04 February 2018, 23:39:04 UTC |
| 50b75d0 | Larry Hastings | 04 February 2018, 16:28:44 UTC | Merge branch '3.5' of github.com:python/cpython into 3.5 | 04 February 2018, 16:28:44 UTC |
| 2d80514 | Larry Hastings | 04 February 2018, 16:17:48 UTC | Post-release version bump for 3.5.5rc1. | 04 February 2018, 16:17:48 UTC |
| 2fc65c6 | Ned Deily | 01 February 2018, 03:11:02 UTC | Update docs template for 3.8 | 01 February 2018, 03:11:02 UTC |
| bc7a130 | Larry Hastings | 23 January 2018, 13:49:45 UTC | Whoops, missed checking in version bump. | 23 January 2018, 13:49:45 UTC |
| 2740fcc | Larry Hastings | 23 January 2018, 12:35:33 UTC | Bump version and copyright year for 3.5.5rc1. | 23 January 2018, 12:35:33 UTC |
| 604fb62 | Larry Hastings | 23 January 2018, 12:25:28 UTC | blurb release and pydoc topics for 3.5.5rc1. | 23 January 2018, 12:25:28 UTC |
| 43f014d | Serhiy Storchaka | 23 January 2018, 11:21:21 UTC | [3.5] bpo-32072: Fix issues with binary plists. (GH-4455) (#4656) * [3.5] bpo-32072: Fix issues with binary plists. (GH-4455) * Fixed saving bytearrays. * Identical objects will be saved only once. * Equal references will be load as identical objects. * Added support for saving and loading recursive data structures. (cherry picked from commit a897aee) * Fix implementation dependent assertion in test_plistlib. (#4813) It is failed with an advanced optimizer. | 23 January 2018, 11:21:21 UTC |
| 891c91d | Nick Coghlan | 23 January 2018, 10:48:11 UTC | [3.5] bpo-32551: Consistently configure sys.path[0] (#5197) Directory and zipfile execution previously added the parent directory of the directory or zipfile as sys.path[0] and then subsequently overwrote it with the directory or zipfile itself. This caused problems in isolated mode, as it overwrote the "stdlib as a zip archive" entry in sys.path, as the parent directory was never added. The attempted fix to that issue in bpo-29319 created the opposite problem in *non*-isolated mode, by potentially leaving the parent directory on sys.path instead of overwriting it. This change fixes the root cause of the problem by removing the whole "add-and-overwrite" dance for sys.path[0], and instead simply never adds the parent directory to sys.path in the first place. (cherry picked from commit d2977a3ae2cc6802921b1e3b6e9d13fcfbda872d) | 23 January 2018, 10:48:11 UTC |
| 57fa0ab | Nick Coghlan | 23 January 2018, 10:24:39 UTC | [3.5] bpo-32563: Get expat to compile under C89 (#5201) * [3.5] bpo-32563: Get expat to compile under C89 expat: Add artificial scopes in xmltok.c utf8_toUtf8() to fix c89 compilation. Cherry-picked from libexpat commit e0b290eb3d8f4c4b45137a7d7f4f8db812145bd2 * Backport XML RPC test skip to 3.5 The buildbot service upgrade removed the XML-RPC interface, so this test no longer works (through no fault of the standard library). * Don't configure a nonexistent Python | 23 January 2018, 10:24:39 UTC |
| 4a4c274 | Nick Coghlan | 23 January 2018, 09:10:43 UTC | [3.5] bpo-32620: Remove failing pyenv call from CI config (#5274) * [3.5] Remove failing pyenv call from CI config * Backport XML RPC test skip to 3.5 The buildbot service upgrade removed the XML-RPC interface, so this test no longer works (through no fault of the standard library). | 23 January 2018, 09:10:43 UTC |
| fd8614c | Miro Hrončok | 08 December 2017, 21:34:12 UTC | bpo-30657: Fix CVE-2017-1000158 (#4664) Fixes possible integer overflow in PyBytes_DecodeEscape. Co-Authored-By: Jay Bosamiya <jaybosamiya@gmail.com> | 08 December 2017, 21:34:12 UTC |
| dcb101e | Ned Deily | 12 October 2017, 20:39:51 UTC | Exclude VENVDIR in Doc builds (#3977) | 12 October 2017, 20:39:51 UTC |
| 0a8ff1b | Ned Deily | 04 October 2017, 03:29:07 UTC | Remove retired and security branches from active docs (#3882) | 04 October 2017, 03:29:07 UTC |
| 0fcc033 | INADA Naoki | 26 September 2017, 21:24:16 UTC | bpo-31095: fix potential crash during GC (GH-2974) (#3196) (cherry picked from commit a6296d34a478b4f697ea9db798146195075d496c) | 26 September 2017, 21:24:16 UTC |
| 44c1b62 | Steve Dower | 26 September 2017, 13:00:28 UTC | [3.5] bpo-31170: Fix inclusion of expat in Windows build projects. (#3751) * bpo-31170: Fix inclusion of expat in Windows build projects. * Fixes line endings | 26 September 2017, 13:00:28 UTC |
| f2492bb | Victor Stinner | 25 September 2017, 00:58:32 UTC | [3.5][Security] bpo-30947, bpo-31170: Update expat from 2.2.1 to 2.2.4 (#3354) * bpo-30947, bpo-31170: Update expat from 2.2.1 to 2.2.4 * Upgrade libexpat embedded copy from version 2.2.1 to 2.2.3 to get security fixes. * Update libexpat from 2.2.3 to 2.2.4. Fix copying of partial characters for UTF-8 input (libexpat bug 115): https://github.com/libexpat/libexpat/issues/115 * Define XML_POOR_ENTROPY when compiling expat | 25 September 2017, 00:58:32 UTC |
| 70c630a | Victor Stinner | 24 September 2017, 22:45:00 UTC | bpo-31568, Travis CI: Fix python3.5 (#3737) Works around Travis CI bug about the python3.5 binary: https://github.com/travis-ci/travis-ci/issues/8363 | 24 September 2017, 22:45:00 UTC |
| 0d68d6d | Mariatta | 08 September 2017, 18:32:26 UTC | [3.5] Fix broken `Show Source` links on documentation pages (GH-3113) (#3126) The `Show Source` was broken because of a change made in sphinx 1.5.1 In Sphinx 1.4.9, the sourcename was "index.txt". In Sphinx 1.5.1+, it is now "index.rst.txt". (cherry picked from commit b9ff498793611d1c6a9b99df464812931a1e2d69) | 08 September 2017, 18:32:26 UTC |
| 9cc3320 | Ned Deily | 08 September 2017, 17:42:19 UTC | [3.5] bpo-31036: Allow sphinx and blurb to be found automatically (GH-3440) Rather than requiring the path to blurb and/or sphinx-build to be specified to the make rule, enhance the Doc/Makefile to look for each first in a virtual environment created by make venv and, if not found, look on the normal process PATH. This allows the Doc/Makefile to take advantage of an installed spinx-build or blurb and, thus, do the right thing most of the time. Also, make the directory for the venv be configurable and document the `make venv` target. | 08 September 2017, 17:42:19 UTC |
| 5da989c | Larry Hastings | 08 August 2017, 11:09:22 UTC | Merge 3.5.4 release into main 3.5 branch. | 08 August 2017, 11:09:22 UTC |
| 86833a2 | Larry Hastings | 08 August 2017, 11:08:20 UTC | Post-release version bump for 3.5.4 final. | 08 August 2017, 11:08:20 UTC |
| 3f56838 | Larry Hastings | 07 August 2017, 07:59:11 UTC | Version bump for 3.5.4 final. | 07 August 2017, 07:59:11 UTC |
| ff078f4 | Larry Hastings | 07 August 2017, 07:56:55 UTC | Blurb release and pydoc topics for 3.5.4 final. | 07 August 2017, 07:56:55 UTC |
| 14167c9 | Mariatta | 01 August 2017, 02:53:43 UTC | bpo-25910: Update LICENSE (GH-2873) (GH-2968) Use the copy provided in https://bugs.python.org/issue25910GH-msg295200 (cherry picked from commit 8474d87165593bac2bc231287f42c4cff3fd6aaf) (cherry picked from commit f6306e737203ac1bf1717bbf62bc58dac24b68db) | 07 August 2017, 07:34:16 UTC |
| b672a45 | Mariatta | 29 July 2017, 02:56:13 UTC | Fix trivial typo in multiprocessing documentation (GH-2930) (GH-2941) (cherry picked from commit 6fcb69dad579cc9a7dc15eabead43b6c37464f8c) (cherry picked from commit 52c41f18086f3d8b1eb3854b568f04717c724e3d) | 07 August 2017, 07:34:16 UTC |
| abe7b60 | Ned Deily | 27 July 2017, 19:50:04 UTC | [3.5] bpo-31036: use an existing Misc/NEWS rather than trying to use blurb (#2874) * bpo-31036: use an existing Misc/NEWS rather than trying to use blurb * bpo-31036: avoid echoing comments (cherry picked from commit 3de144890ad3bc50694368a1b33be6d7f3a780b3) | 07 August 2017, 07:34:16 UTC |
| 27ea3c7 | Mariatta | 01 August 2017, 04:34:47 UTC | Remove .mention-bot (GH-2923) (GH-2971) (cherry picked from commit e1e60bd95c376f9b18cbaf9481364281c6cc1bc7) | 01 August 2017, 04:34:47 UTC |
| f6306e7 | Mariatta | 01 August 2017, 02:53:43 UTC | bpo-25910: Update LICENSE (GH-2873) (GH-2968) Use the copy provided in https://bugs.python.org/issue25910GH-msg295200 (cherry picked from commit 8474d87165593bac2bc231287f42c4cff3fd6aaf) | 01 August 2017, 02:53:43 UTC |
| 52c41f1 | Mariatta | 29 July 2017, 02:56:13 UTC | Fix trivial typo in multiprocessing documentation (GH-2930) (GH-2941) (cherry picked from commit 6fcb69dad579cc9a7dc15eabead43b6c37464f8c) | 29 July 2017, 02:56:13 UTC |
