Merge pull request #37 from ActiveState/BE-3465-update-any-copyright-and-release-notes-that-are-needed

ucodery · web-flow · commit 22b6ffd520a9 · 2024-02-16T09:30:02.000-08:00
Be 3465 update any copyright and release notes that are needed
diff --git a/Include/patchlevel.h b/Include/patchlevel.h
@@ -27,7 +27,7 @@
 #define PY_RELEASE_SERIAL	0
 
 /* Version as a string */
-#define PY_VERSION      	"2.7.18.7"
+#define PY_VERSION      	"2.7.18.8"
 /*--end constants--*/
 
 /* Subversion Revision number of this file (not of the repository). Empty
diff --git a/Misc/NEWS.d/2.7.18.8.rst b/Misc/NEWS.d/2.7.18.8.rst
@@ -0,0 +1,46 @@
+.. bpo: 37428
+.. date: 2024-02-15
+.. nonce: 
+.. release date: 2024-02-15
+.. section: Core and Builtins
+
+CVE-2023-40217
+
+SSLContext.post_handshake_auth = True no longer sets
+SSL_VERIFY_POST_HANDSHAKE verify flag for client connections. Although the
+option is documented as ignored for clients, OpenSSL implicitly enables cert
+chain validation when the flag is set.
+
+.. bpo: ?
+.. date: 2024-02-15
+.. nonce: 
+.. release date: 2024-02-15
+.. section: Core and Builtins
+
+CVE-2023-24329
+
+Start stripping C0 control and space chars in urlsplit (#… …102508)
+
+`urllib.parse.urlsplit` has already been respecting the WHATWG spec a bit #25595.
+
+This adds more sanitizing to respect the "Remove any leading C0 control or space from input" [rule](https://url.spec.whatwg.org/#url-parsing:~:text=Remove%20any%20leading%20and%20trailing%20C0%20control%20or%20space%20from%20input.) in response to [CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329).
+
+.. bpo: 43882
+.. date: 2024-02-15
+.. nonce: 
+.. release date: 2024-02-15
+.. section: Core and Builtins
+
+CVE-2022-0391
+
+A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\r' and '\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.
+
+.. bpo: 43285
+.. date: 2024-02-15
+.. nonce: 
+.. release date: 2024-02-15
+.. section: Core and Builtins
+
+CVE-2021-4189
+
+A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.
