Subject: CVS commit: pkgsrc/lang/python35
From: Adam Ciarcinski
Date: 2017-08-14 11:16:28
Message id: 20170814091628.DC1F7FAD0@cvs.NetBSD.org
Log Message:
Python 3.5.4:
Security
* bpo-30730: Prevent environment variables injection in subprocess on Windows.
Prevent passing other environment variables and command arguments.
* bpo-30694: Upgrade expat copy from 2.2.0 to 2.2.1 to get fixes of multiple
security vulnerabilities including: CVE-2017-9233 (External entity infinite loop
DoS), CVE-2016-9063 (Integer overflow, re-fix), CVE-2016-0718 (Fix regression
bugs from 2.2.0's fix to CVE-2016-0718) and CVE-2012-0876 (Counter hash
flooding with SipHash). Note: the CVE-2016-5300 (Use OS-specific entropy
sources like getrandom) doesn't impact Python, since Python already gets
entropy from the OS to set the expat secret using XML_SetHashSalt().
* bpo-30500: Fix urllib.parse.splithost() to correctly parse fragments. For
example, splithost('//127.0.0.1#@evil.com/') now correctly returns the 127.0.0.1
host, instead of treating @evil.com as the host in an authentication
(login@host).
* bpo-29591: Update expat copy from 2.1.1 to 2.2.0 to get fixes of CVE-2016-0718
and CVE-2016-4472. See https://sourceforge.net/p/expat/bugs/537/ for more
information.
Files:
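The bpo-30500 item above is easy to misread, so here is an added illustration (not part of the commit or of CPython) of why a fragment marker inside the authority matters: a host pattern that does not stop at '#' lets a later user@host split hand the wrong host to the application. The two regular expressions are my reconstruction of the pre- and post-fix splithost() patterns and are an assumption, not code copied from CPython; urlsplit() from the standard library is used as the reference parse.

```python
import re
from urllib.parse import urlsplit

# Constructed input, taken from the bpo-30500 description in the log above.
TRICKY_URL = '//127.0.0.1#@evil.com/'

# Assumption: these two patterns stand in for the host regex used by
# urllib.parse.splithost() before and after the fix; they are not copied
# from the CPython source.
OLD_HOST_RE = re.compile(r'^//([^/?]*)(.*)$', re.DOTALL)   # '#' allowed in host
NEW_HOST_RE = re.compile(r'^//([^/#?]*)(.*)$', re.DOTALL)  # '#' terminates host


def splithost_like(url, pattern):
    """Return (host, rest) using the given host pattern, or (None, url)."""
    m = pattern.match(url)
    if m:
        return m.group(1), m.group(2)
    return None, url


def splituser_like(host):
    """Split 'user@host' into (user, host); user is None when no '@' is present."""
    user, sep, hostpart = host.rpartition('@')
    return (user if sep else None), hostpart


def effective_host(url, pattern):
    """Host an application would connect to after splithost + splituser."""
    host, _rest = splithost_like(url, pattern)
    if host is None:
        return None
    return splituser_like(host)[1]


def agrees_with_urlsplit(url, pattern):
    """True when the legacy-style parse yields the same host as urlsplit()."""
    return effective_host(url, pattern) == urlsplit(url).hostname


if __name__ == '__main__':
    for name, pat in (('old', OLD_HOST_RE), ('fixed', NEW_HOST_RE)):
        print(name, effective_host(TRICKY_URL, pat),
              'matches urlsplit' if agrees_with_urlsplit(TRICKY_URL, pat) else 'DIFFERS')
```

Comparing a legacy splithost-style result against urlsplit().hostname, as agrees_with_urlsplit() does, is a cheap way to flag inputs where an older parser would disagree about the host.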