|
| 1 | +.. date: 2026-01-21-12-34-05 |
| 2 | +.. gh-issue: 144125 |
| 3 | +.. nonce: TAz5uo |
| 4 | +.. release date: 2026-03-03 |
| 5 | +.. section: Security |
| 6 | +
|
| 7 | +:mod:`~email.generator.BytesGenerator` will now refuse to serialize (write) |
| 8 | +headers that are unsafely folded or delimited; see |
| 9 | +:attr:`~email.policy.Policy.verify_generated_headers`. (Contributed by Bas |
| 10 | +Bloemsaat and Petr Viktorin in :gh:`121650`). |
| 11 | + |
| 12 | +.. |
| 13 | +
|
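Review bot: the first line of this entry applies a ``:mod:`` role to ``email.generator.BytesGenerator``, which is a class, so the cross-reference will not resolve; use ``:class:`~email.generator.BytesGenerator```. Two smaller points in the same entry: the attribution's period belongs inside the parenthesis as in the rest of the NEWS files (``in :gh:`121650`.)``), and the metadata header records gh-issue 144125 while the text cites :gh:`121650`; if one is the original issue and the other the tracking issue for this change, that is fine, but it is worth confirming the pair is intentional.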
| 14 | +.. date: 2026-01-16-14-40-31 |
| 15 | +.. gh-issue: 143935 |
| 16 | +.. nonce: U2YtKl |
| 17 | +.. section: Security |
| 18 | +
|
| 19 | +Fixed a bug in the folding of comments when flattening an email message |
| 20 | +using a modern email policy. Comments consisting of a very long sequence of |
| 21 | +non-foldable characters could trigger a forced line wrap that omitted the |
| 22 | +required leading space on the continuation line, causing the remainder of |
| 23 | +the comment to be interpreted as a new header field. This enabled header |
| 24 | +injection with carefully crafted inputs. |
| 25 | + |
| 26 | +.. |
| 27 | +
|
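Review bot: this entry never names the module or API that was fixed and, unlike the entry above it, carries no cross-reference role at all; open with the affected module (``:mod:`email``` or the specific submodule) and say which policy "a modern email policy" refers to, so a reader can tell whether their code path is the one that produced the header injection.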
| 28 | +.. date: 2026-01-16-11-51-19 |
| 29 | +.. gh-issue: 143925 |
| 30 | +.. nonce: mrtcHW |
| 31 | +.. section: Security |
| 32 | +
|
| 33 | +Reject control characters in ``data:`` URL media types. |
| 34 | + |
| 35 | +.. |
| 36 | +
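Review bot: "Reject control characters in ``data:`` URL media types" does not say which module or class performs the rejection, nor what the caller sees (which exception), so a reader cannot tell where the change applies; the neighbouring entries name their targets (:class:`http.cookies.Morsel`, wsgiref.headers.Headers) and this one should too.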
|
| 37 | +.. date: 2026-01-16-11-13-15 |
| 38 | +.. gh-issue: 143919 |
| 39 | +.. nonce: kchwZV |
| 40 | +.. section: Security |
| 41 | +
|
| 42 | +Reject control characters in :class:`http.cookies.Morsel` fields and values. |
| 43 | + |
| 44 | +.. |
| 45 | +
|
| 46 | +.. date: 2026-01-16-11-07-36 |
| 47 | +.. gh-issue: 143916 |
| 48 | +.. nonce: dpWeOD |
| 49 | +.. section: Security |
| 50 | +
|
| 51 | +Reject C0 control characters within wsgiref.headers.Headers fields, values, |
| 52 | +and parameters. |
| 53 | + |
| 54 | +.. |
| 55 | +
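Review bot: ``wsgiref.headers.Headers`` is written as plain text while the Morsel entry above uses a ``:class:`` role; use ``:class:`wsgiref.headers.Headers``` so the reference resolves and the entries are consistent. Note also that this entry says "C0 control characters" while the two preceding ones say only "control characters"; if all three fixes reject the same set (and whether DEL/0x7F is included), align the wording so readers know the coverage is the same.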
|
| 56 | +.. date: 2025-12-01-09-36-45 |
| 57 | +.. gh-issue: 142145 |
| 58 | +.. nonce: tcAUhg |
| 59 | +.. section: Security |
| 60 | +
|
| 61 | +Remove quadratic behavior in ``xml.minidom`` node ID cache clearing. In |
| 62 | +order to do this without breaking existing users, we also add the |
| 63 | +*ownerDocument* attribute to :mod:`xml.dom.minidom` elements and attributes |
| 64 | +created by directly instantiating the ``Element`` or ``Attr`` class. Note |
| 65 | +that this way of creating nodes is not supported; creator functions like |
| 66 | +:py:meth:`xml.dom.Document.documentElement` should be used instead. |
| 67 | + |
| 68 | +.. |
| 69 | +
|
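Review bot: the last sentence points readers to :py:meth:`xml.dom.Document.documentElement` as a "creator function", but ``documentElement`` is an attribute that returns the root element, not a factory method, so the role is wrong and the advice is misleading; the creator methods on ``Document`` are ``createElement`` and ``createAttribute``, and those (with a ``:meth:`` role) are what this sentence should name. Minor: "we also add" is the only first-person phrasing in the file; the other entries use impersonal voice ("Add ...", "Fix ...").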
| 70 | +.. date: 2025-08-15-23-08-44 |
| 71 | +.. gh-issue: 137836 |
| 72 | +.. nonce: b55rhh |
| 73 | +.. section: Security |
| 74 | +
|
| 75 | +Add support of the "plaintext" element, RAWTEXT elements "xmp", "iframe", |
| 76 | +"noembed" and "noframes", and optionally RAWTEXT element "noscript" in |
| 77 | +:class:`html.parser.HTMLParser`. |
| 78 | + |
| 79 | +.. |
| 80 | +
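Review bot: "optionally RAWTEXT element "noscript"" does not say what makes it optional; name the constructor option or condition under which ``noscript`` is treated as RAWTEXT, since that is what a user of :class:`html.parser.HTMLParser` needs in order to opt in or to know their parse results changed. Also "Add support of" should read "Add support for".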
|
| 81 | +.. date: 2025-06-28-13-23-53 |
| 82 | +.. gh-issue: 136063 |
| 83 | +.. nonce: aGk0Jv |
| 84 | +.. section: Security |
| 85 | +
|
| 86 | +:mod:`email.message`: ensure linear complexity for legacy HTTP parameters |
| 87 | +parsing. Patch by Bénédikt Tran. |
| 88 | + |
| 89 | +.. |
| 90 | +
|
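Review bot: "legacy HTTP parameters parsing" in an :mod:`email.message` entry reads as a mismatch; if this means the legacy (compat32) parsing of MIME header parameters, say so and name the affected method(s) so the exposed surface is clear, and write "parameter parsing" rather than "parameters parsing".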
| 91 | +.. date: 2025-05-30-22-33-27 |
| 92 | +.. gh-issue: 136065 |
| 93 | +.. nonce: bu337o |
| 94 | +.. section: Security |
| 95 | +
|
| 96 | +Fix quadratic complexity in :func:`os.path.expandvars`. |
| 97 | + |
| 98 | +.. |
| 99 | +
|
| 100 | +.. date: 2024-05-23-11-47-48 |
| 101 | +.. gh-issue: 119451 |
| 102 | +.. nonce: qkJe9- |
| 103 | +.. section: Security |
| 104 | +
|
| 105 | +Fix a potential memory denial of service in the :mod:`http.client` module. |
| 106 | +When connecting to a malicious server, it could cause an arbitrary amount of |
| 107 | +memory to be allocated. This could have led to symptoms including a |
| 108 | +:exc:`MemoryError`, swapping, out of memory (OOM) killed processes or |
| 109 | +containers, or even system crashes. |
| 110 | + |
| 111 | +.. |
| 112 | +
|
| 113 | +.. date: 2024-05-23-11-44-41 |
| 114 | +.. gh-issue: 119452 |
| 115 | +.. nonce: PRfsSv |
| 116 | +.. section: Security |
| 117 | +
|
| 118 | +Fix a potential memory denial of service in the :mod:`http.server` module. |
| 119 | +When a malicious user is connected to the CGI server on Windows, it could |
| 120 | +cause an arbitrary amount of memory to be allocated. This could have led to |
| 121 | +symptoms including a :exc:`MemoryError`, swapping, out of memory (OOM) |
| 122 | +killed processes or containers, or even system crashes. |
| 123 | + |
| 124 | +.. |
| 125 | +
|
| 126 | +.. date: 2024-05-21-22-11-31 |
| 127 | +.. gh-issue: 119342 |
| 128 | +.. nonce: BTFj4Z |
| 129 | +.. section: Security |
| 130 | +
|
| 131 | +Fix a potential memory denial of service in the :mod:`plistlib` module. When |
| 132 | +reading a Plist file received from untrusted source, it could cause an |
| 133 | +arbitrary amount of memory to be allocated. This could have led to symptoms |
| 134 | +including a :exc:`MemoryError`, swapping, out of memory (OOM) killed |
| 135 | +processes or containers, or even system crashes. |
| 136 | + |
| 137 | +.. |
| 138 | +
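Review bot: "received from untrusted source" is missing its article ("from an untrusted source"). The three memory-denial-of-service entries (http.client, http.server, plistlib) share the same symptom sentence verbatim; that is acceptable, but since they are separate CVE-class issues it would help triage if each said in one clause what kind of input triggers the allocation (an unbounded header, a CGI request body, a nested plist), rather than only "an arbitrary amount of memory".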
|
| 139 | +.. date: 2026-02-15-00-00-00 |
| 140 | +.. gh-issue: 144833 |
| 141 | +.. nonce: TUelo1 |
| 142 | +.. section: Library |
| 143 | +
|
| 144 | +Fixed a use-after-free in :mod:`ssl` when ``SSL_new()`` returns NULL in |
| 145 | +``newPySSLSocket()``. The error was reported via a dangling pointer after |
| 146 | +the object had already been freed. |
| 147 | + |
| 148 | +.. |
| 149 | +
|
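Review bot: a use-after-free fix is filed under "Library" while the other memory-safety items in this file sit under "Security" or "Core and Builtins"; the entry describes an error path reached whenever ``SSL_new()`` fails, so either move it to Security or add a clause on why the dangling read is not exploitable. Minor: ``NULL`` should be a literal to match ``SSL_new()`` and ``newPySSLSocket()``, and the ``.. date:`` of ``2026-02-15-00-00-00`` looks hand-typed rather than generated; worth checking the header was produced by the usual tooling.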
| 150 | +.. date: 2026-01-31-17-15-49 |
| 151 | +.. gh-issue: 144363 |
| 152 | +.. nonce: X9f0sU |
| 153 | +.. section: Library |
| 154 | +
|
| 155 | +Update bundled `libexpat <https://libexpat.github.io/>`_ to 2.7.4 |
| 156 | + |
| 157 | +.. |
| 158 | +
|
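Review bot: the sentence is missing its terminating period ("to 2.7.4"), unlike every other entry in the file. If this libexpat update carries security fixes, state that in one clause so it is not overlooked under "Library"; if it is a routine version bump, say that instead.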
| 159 | +.. date: 2025-09-22-14-40-11 |
| 160 | +.. gh-issue: 90949 |
| 161 | +.. nonce: UM35nb |
| 162 | +.. section: Library |
| 163 | +
|
| 164 | +Add :meth:`~xml.parsers.expat.xmlparser.SetAllocTrackerActivationThreshold` |
| 165 | +and :meth:`~xml.parsers.expat.xmlparser.SetAllocTrackerMaximumAmplification` |
| 166 | +to :ref:`xmlparser <xmlparser-objects>` objects to prevent use of |
| 167 | +disproportional amounts of dynamic memory from within an Expat parser. Patch |
| 168 | +by Bénédikt Tran. |
| 169 | + |
| 170 | +.. |
| 171 | +
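Review bot: "disproportional" should be "disproportionate". The entry also does not say what the two new thresholds default to or what the parser does when the amplification limit is exceeded (which exception is raised), which is the operational detail someone enabling these limits needs; a pointer to the relevant section of the xmlparser documentation would suffice.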
|
| 172 | +.. date: 2024-06-13-12-17-52 |
| 173 | +.. gh-issue: 120384 |
| 174 | +.. nonce: w1UBGl |
| 175 | +.. section: Core and Builtins |
| 176 | +
|
| 177 | +Fix an array out of bounds crash in ``list_ass_subscript``, which could be |
| 178 | +invoked via some specificly tailored input: including concurrent |
| 179 | +modification of a list object, where one thread assigns a slice and another |
| 180 | +clears it. |
| 181 | + |
| 182 | +.. |
| 183 | +
|
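Review bot: "specificly" is a typo for "specifically", and "an array out of bounds crash" reads better as "an out-of-bounds array access crash". The colon after "input" introduces an example, so "input, for example concurrent modification of a list object, where ..." is clearer than the current "input: including ...".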
| 184 | +.. date: 2024-06-10-10-42-48 |
| 185 | +.. gh-issue: 120298 |
| 186 | +.. nonce: napREA |
| 187 | +.. section: Core and Builtins |
| 188 | +
|
| 189 | +Fix use-after free in ``list_richcompare_impl`` which can be invoked via |
| 190 | +some specificly tailored evil input. |
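Review bot: "use-after free" should be hyphenated "use-after-free", "specificly" is "specifically", and "evil input" is informal for a NEWS entry; the previous entry's "specifically tailored input" wording would do. Unlike the preceding entry, this one gives no hint of the triggering condition, which users need in order to judge their exposure; add one clause describing it.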