[Python-checkins] [3.9] bpo-43285: Add a What's New entry for 3.9.3. (GH-24888)
gpshead
webhook-mailer at python.org
Tue Mar 16 00:38:06 EDT 2021
https://github.com/python/cpython/commit/d0312cece9ce89d783687ff6dddaae6495e19fcf
commit: d0312cece9ce89d783687ff6dddaae6495e19fcf
branch: 3.9
author: Gregory P. Smith <greg at krypto.org>
committer: gpshead <greg at krypto.org>
date: 2021-03-15T21:37:58-07:00
summary:
[3.9] bpo-43285: Add a What's New entry for 3.9.3. (GH-24888)
Covers the ftplib security fix.
files:
M Doc/whatsnew/3.9.rst
diff --git a/Doc/whatsnew/3.9.rst b/Doc/whatsnew/3.9.rst
index 3086930569dc9..4cb49406d6b77 100644
--- a/Doc/whatsnew/3.9.rst
+++ b/Doc/whatsnew/3.9.rst
@@ -1529,3 +1529,12 @@ separator key, with ``&`` as the default. This change also affects
functions internally. For more details, please see their respective
documentation.
(Contributed by Adam Goldschmidt, Senthil Kumaran and Ken Jin in :issue:`42967`.)
+
+Notable changes in Python 3.9.3
+===============================
+
+A security fix alters the :class:`ftplib.FTP` behavior to not trust the
+IPv4 address sent from the remote server when setting up a passive data
+channel. We reuse the ftp server IP address instead. For unusual code
+requiring the old behavior, set a ``trust_server_pasv_ipv4_address``
+attribute on your FTP instance to ``True``. (See :issue:`43285`)
More information about the Python-checkins
mailing list