[Python-checkins] [3.8] bpo-43285: Whats New entry for 3.8.9. (GH-24889)

gpshead webhook-mailer at python.org
Tue Mar 16 00:38:32 EDT 2021

commit: 9eda0dfff2884bf9272f37d4151ef2335f55066f
branch: 3.8
author: Gregory P. Smith <greg at krypto.org>
committer: gpshead <greg at krypto.org>
date: 2021-03-15T21:38:24-07:00

[3.8] bpo-43285: Whats New entry for 3.8.9. (GH-24889)

Covers the ftplib security fix.

M Doc/whatsnew/3.8.rst

diff --git a/Doc/whatsnew/3.8.rst b/Doc/whatsnew/3.8.rst
index 632ccc1f2c40a..d4a9ee707f5a7 100644
--- a/Doc/whatsnew/3.8.rst
+++ b/Doc/whatsnew/3.8.rst
@@ -2264,3 +2264,12 @@ separator key, with ``&`` as the default.  This change also affects
 functions internally. For more details, please see their respective
 (Contributed by Adam Goldschmidt, Senthil Kumaran and Ken Jin in :issue:`42967`.)
+Notable changes in Python 3.8.9
+A security fix alters the :class:`ftplib.FTP` behavior to not trust the
+IPv4 address sent from the remote server when setting up a passive data
+channel.  We reuse the ftp server IP address instead.  For unusual code
+requiring the old behavior, set a ``trust_server_pasv_ipv4_address``
+attribute on your FTP instance to ``True``.  (See :issue:`43285`)

More information about the Python-checkins mailing list