---
- branch: MAIN
  date: Tue Jun 29 12:39:10 UTC 2021
  files:
  - new: '1.12'
    old: '1.11'
    path: pkgsrc/lang/py37-html-docs/Makefile
    pathrev: pkgsrc/lang/py37-html-docs/Makefile@1.12
    type: modified
  - new: '1.12'
    old: '1.11'
    path: pkgsrc/lang/py37-html-docs/distinfo
    pathrev: pkgsrc/lang/py37-html-docs/distinfo@1.12
    type: modified
  - new: '1.12'
    old: '1.11'
    path: pkgsrc/lang/python37/dist.mk
    pathrev: pkgsrc/lang/python37/dist.mk@1.12
    type: modified
  - new: '1.26'
    old: '1.25'
    path: pkgsrc/lang/python37/distinfo
    pathrev: pkgsrc/lang/python37/distinfo@1.26
    type: modified
  id: 20210629T123910Z.e86d05a88259b5c7e0e3eda9b2b8534163446a3f
  log: |
    python37: updated to 3.7.11

    Python 3.7.11 final

    Security

    bpo-44022: http.client now avoids infinitely reading potential HTTP headers after a 100 Continue status response from the server.
    bpo-43882: The presence of newline or tab characters in parts of a URL could allow some forms of attacks.

    Following the controlling specification for URLs defined by WHATWG, urllib.parse() now removes ASCII newlines and tabs from URLs, preventing such attacks.
    bpo-42988: CVE-2021-3426: Remove the getfile feature of the pydoc module which could be abused to read arbitrary files on the disk (directory traversal vulnerability). Moreover, even source code of Python modules can contain sensitive data like passwords. Vulnerability reported by David Schwörer.
    bpo-43285: ftplib no longer trusts the IP address value returned from the server in response to the PASV command by default. This prevents a malicious FTP server from using the response to probe IPv4 address and port combinations on the client network.

    Code that requires the former vulnerable behavior may set a trust_server_pasv_ipv4_address attribute on their ftplib.FTP instances to True to re-enable it.
    bpo-43075: Fix Regular Expression Denial of Service (ReDoS) vulnerability in urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows causing a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.

    Core and Builtins

    bpo-43660: Fix crash that happens when replacing sys.stderr with a callable that can remove the object while an exception is being printed. Patch by Pablo Galindo.

    Tests

    bpo-41561: Add workaround for Ubuntu's custom OpenSSL security level policy.
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/lang'
  unixtime: '1624970350'
  user: adam
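Two of the fixes in the commit message above (bpo-43882, URL newline/tab stripping, and bpo-43285, ftplib no longer trusting the PASV reply address) change observable behaviour of the standard library, so a deployment can be probed for them without reading the patch. The following script is an added example, not part of the pkgsrc commit or of CPython; the URL it feeds to urllib.parse is a constructed attack string, and the function names are the author's own. It reports whether the interpreter it runs under removes ASCII newlines and tabs before splitting a URL, and whether ftplib.FTP exposes trust_server_pasv_ipv4_address with the safe default of False.

```python
"""Probe the running interpreter for the bpo-43882 and bpo-43285 fixes.

Added example (not CPython or pkgsrc code): it inspects behaviour of the
standard library rather than reproducing the upstream patches.
"""
import ftplib
import urllib.parse

# Constructed attack string. A WHATWG-conformant URL consumer (a browser,
# for instance) strips the "\n" and "\t" and sees host "ab.example" and
# path "/path". Before bpo-43882, urlsplit() kept both characters, so a
# host allow-list or redirect check written in Python could judge a
# different host than the client that finally fetched the URL.
SMUGGLED_HOST_URL = "http://a\nb.example/\tpath"


def parsed_netloc(url: str) -> str:
    """Return the netloc that urllib.parse.urlsplit() reports for url."""
    return urllib.parse.urlsplit(url).netloc


def urlsplit_strips_newlines_and_tabs() -> bool:
    """True if this interpreter carries the bpo-43882 fix.

    Fixed interpreters remove ASCII "\\t", "\\r" and "\\n" from the URL
    before splitting it, so the smuggled characters cannot change which
    host or path the components describe.
    """
    parts = urllib.parse.urlsplit(SMUGGLED_HOST_URL)
    return parts.netloc == "ab.example" and parts.path == "/path"


def ftplib_distrusts_pasv_ip() -> bool:
    """True if this interpreter carries the bpo-43285 fix.

    Fixed interpreters give ftplib.FTP a class attribute
    trust_server_pasv_ipv4_address defaulting to False: the data
    connection then goes to the host the control connection was opened
    to, not to whatever IPv4 address the server placed in its 227 reply.
    Code that really needs the old behaviour sets the attribute to True
    on its FTP instance, as the changelog says.
    """
    attr = "trust_server_pasv_ipv4_address"
    return hasattr(ftplib.FTP, attr) and getattr(ftplib.FTP, attr) is False


def report() -> dict:
    """Collect both probe results, keyed by the upstream issue id."""
    return {
        "bpo-43882": urlsplit_strips_newlines_and_tabs(),
        "bpo-43285": ftplib_distrusts_pasv_ip(),
    }


if __name__ == "__main__":
    for issue, fixed in report().items():
        print(f"{issue}: {'fixed' if fixed else 'VULNERABLE'}")
    print("netloc seen by urlsplit:", repr(parsed_netloc(SMUGGLED_HOST_URL)))
```

Run it with the interpreter you want to audit (for this package, the python3.7 binary that pkgsrc installs); an unpatched 3.7.10 reports netloc 'a\nb.example' and has no trust_server_pasv_ipv4_address attribute at all. The probe says nothing about the pydoc getfile removal or the http.client 100 Continue fix, which need a live server to exercise.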