[Python-checkins] bpo-36384: [doc] Mention CVE-2021-29921 fix in 3.8.12 (GH-27824)

ambv webhook-mailer at python.org
Thu Aug 19 04:55:54 EDT 2021

commit: 0fd66e46b2f472d0d206a185dc8892f4f0347cb6
branch: main
author: Łukasz Langa <lukasz at langa.pl>
committer: ambv <lukasz at langa.pl>
date: 2021-08-19T10:55:49+02:00

bpo-36384: [doc] Mention CVE-2021-29921 fix in 3.8.12 (GH-27824)

M Doc/library/ipaddress.rst
M Doc/whatsnew/3.8.rst

diff --git a/Doc/library/ipaddress.rst b/Doc/library/ipaddress.rst
index 1c2263b128a8fe..2ab4dd83ad4dee 100644
--- a/Doc/library/ipaddress.rst
+++ b/Doc/library/ipaddress.rst
@@ -132,6 +132,11 @@ write code that handles both IP versions correctly.  Address objects are
       The above change was also included in Python 3.9 starting with
       version 3.9.5.
+   .. versionchanged:: 3.8.12
+      The above change was also included in Python 3.8 starting with
+      version 3.8.12.
    .. attribute:: version
       The appropriate version number: ``4`` for IPv4, ``6`` for IPv6.
diff --git a/Doc/whatsnew/3.8.rst b/Doc/whatsnew/3.8.rst
index f1a903624f4c2c..7c293a501895b3 100644
--- a/Doc/whatsnew/3.8.rst
+++ b/Doc/whatsnew/3.8.rst
@@ -2248,3 +2248,16 @@ separator key, with ``&`` as the default.  This change also affects
 functions internally. For more details, please see their respective
 (Contributed by Adam Goldschmidt, Senthil Kumaran and Ken Jin in :issue:`42967`.)
+Notable changes in Python 3.8.12
+Starting with Python 3.8.12 the :mod:`ipaddress` module no longer accepts
+any leading zeros in IPv4 address strings. Leading zeros are ambiguous and
+interpreted as octal notation by some libraries. For example the legacy
+function :func:`socket.inet_aton` treats leading zeros as octal notation.
+glibc implementation of modern :func:`~socket.inet_pton` does not accept
+any leading zeros.
+(Originally contributed by Christian Heimes in :issue:`36384`, and backported
+to 3.8 by Achraf Merzouki.)

More information about the Python-checkins mailing list