What's New in Python 3.4: Security improvements

vstinner · vstinner · commit 11a4270b6a75 · 2014-03-11T13:17:30.000+01:00
diff --git a/Doc/library/multiprocessing.rst b/Doc/library/multiprocessing.rst
@@ -137,7 +137,7 @@ to start a process.  These *start methods* are
     over Unix pipes.
 
 .. versionchanged:: 3.4
-   *span* added on all unix platforms, and *forkserver* added for
+   *spawn* added on all unix platforms, and *forkserver* added for
      some unix platforms.
    Child processes no longer inherit all of the parents inheritable
      handles on Windows.
diff --git a/Doc/whatsnew/3.4.rst b/Doc/whatsnew/3.4.rst
@@ -124,8 +124,6 @@ Significantly Improved Library Modules:
 * :ref:`Single-dispatch generic functions <whatsnew-singledispatch>` in
   :mod:`functools` (:pep:`443`).
 * New :mod:`pickle` :ref:`protocol 4 <whatsnew-protocol-4>` (:pep:`3154`).
-* :ref:`TLSv1.1 and TLSv1.2 support <whatsnew-tls-11-12>` for :mod:`ssl`
-  (:issue:`16692`).
 * :mod:`multiprocessing` now has :ref:`an option to avoid using os.fork
   on Unix <whatsnew-multiprocessing-no-fork>` (:issue:`8713`).
 * :mod:`email` has a new submodule, :mod:`~email.contentmanager`, and
@@ -136,6 +134,26 @@ Significantly Improved Library Modules:
   correct introspection of a much wider variety of callable objects
 * The :mod:`ipaddress` module API has been declared stable
 
+Security improvements:
+
+* :ref:`Secure and interchangeable hash algorithm <whatsnew-pep-456>`
+  (:pep:`456`).
+* :ref:`Make newly created file descriptors non-inheritable <whatsnew-pep-446>`
+  (:pep:`446`) to avoid leaking file descriptors to child processes.
+* A new :func:`hashlib.pbkdf2_hmac` function provides
+  the `PKCS#5 password-based key derivation function 2
+  <http://en.wikipedia.org/wiki/PBKDF2>`_.
+* :ref:`TLSv1.1 and TLSv1.2 support <whatsnew-tls-11-12>` for :mod:`ssl`.
+* :ref:`Retrieving certificates from the Windows system cert store support
+  <whatsnew34-win-cert-store>` for :mod:`ssl`.
+* :ref:`Server-side SNI (Server Name Indication) support
+  <whatsnew34-sni>` for :mod:`ssl`.
+* The :class:`ssl.SSLContext` class got a :ref:`lot of improvements
+  <whatsnew34-sslcontext>`.
+* :mod:`multiprocessing` now has :ref:`an option to avoid using os.fork
+  on Unix <whatsnew-multiprocessing-no-fork>`: *spawn* and *forkserver* avoid
+  sharing data with child processes; child processes no longer inherit all of
+  the parents inheritable handles on Windows.
 
 CPython implementation improvements:
 
@@ -1364,6 +1382,8 @@ TLSv1.2 support) have been added; support for these protocols is only available
 Python is linked with OpenSSL 1.0.1 or later.  (Contributed by Michele Orrù and
 Antoine Pitrou in :issue:`16692`)
 
+.. _whatsnew34-sslcontext:
+
 :class:`~ssl.SSLContext` method :meth:`~ssl.SSLContext.load_verify_locations`
 accepts a new optional argument *cadata*, which can be used to provide PEM or
 DER encoded certificates directly via strings or bytes, respectively.
@@ -1383,12 +1403,16 @@ s), as well as a :meth:`~ssl.SSLContext.get_ca_certs` method that returns a
 list of the loaded ``CA`` certificates.  (Contributed by Christian Heimes in
 and :issue:`18147`.)
 
+.. _whatsnew34-win-cert-store:
+
 Two new windows-only functions, :func:`~ssl.enum_certificates` and
 :func:`~ssl.enum_crls` provide the ability to retrieve certificates,
 certificate information, and CRLs from the Windows cert store.  (Contributed
 by Christian Heimes in :issue:`17134`.)
 
-Support for server-side SNI using the new
+.. _whatsnew34-sni:
+
+Support for server-side SNI (Server Name Indication) using the new
 :meth:`ssl.SSLContext.set_servername_callback` method.
 (Contributed by Daniel Black in :issue:`8109`.)
 
