diff options
| author | Matthias Andree <mandree@FreeBSD.org> | 2026-02-04 23:52:01 +0000 |
|---|---|---|
| committer | Matthias Andree <mandree@FreeBSD.org> | 2026-02-05 00:14:29 +0000 |
| commit | ac8b1c3293727c806d352be64fd74b606f1e27b7 (patch) | |
| tree | 9ace6900ace20db6ae30a0235c4c2d1837decc0f /devel/pecl-psr | |
| parent | a950cda2477cd8681c9463467dbb46aeae222305 (diff) | |
ChangeLog: https://docs.python.org/release/3.14.3/whatsnew/changelog.html
MFH: 2026Q1 (immediately)
Security fixes:
* gh-144125: BytesGenerator will now refuse to serialize (write) headers
that are unsafely folded or delimited; see verify_generated_headers.
(Contributed by Bas Bloemsaat and Petr Viktorin in gh-121650).
* gh-143935: Fixed a bug in the folding of comments when flattening an
email message using a modern email policy. Comments consisting of a
very long sequence of non-foldable characters could trigger a forced
line wrap that omitted the required leading space on the continuation
line, causing the remainder of the comment to be interpreted as a new
header field. This enabled header injection with carefully crafted
inputs.
* gh-143925: Reject control characters in data: URL media types.
* gh-143919: Reject control characters in http.cookies.Morsel fields and
values.
* gh-143916: Reject C0 control characters within wsgiref.headers.Headers
fields, values, and parameters.
Security: CVE-2026-0865
Security: CVE-2026-1299
Security: bfe9adc8-0224-11f1-8790-c5fb948922ad
Diffstat (limited to 'devel/pecl-psr')
0 files changed, 0 insertions, 0 deletions