Update release documentation

ActiveState · Sep 11, 2023 · f2707a6 · f2707a6
1 parent 2d53a49
commit f2707a6
Showing 1 changed file with 21 additions and 0 deletions.
diff --git a/Doc/whatsnew/3.7.rst b/Doc/whatsnew/3.7.rst
@@ -2615,3 +2615,24 @@ This limit can be configured or disabled by environment variable, command
 line flag, or :mod:`sys` APIs. See the :ref:`integer string conversion
 length limitation <int_max_str_digits>` documentation.  The default limit
 is 4300 digits in string form.
+
+Notable security feature in 3.7.17.1
+==================================
+
+Converting between :class:`int` and :class:`str` in bases other than 2
+(binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal)
+now raises a :exc:`ValueError` if the number of digits in string form is
+above a limit to avoid potential denial of service attacks due to the
+algorithmic complexity. This is a mitigation for `CVE-2020-10735
+<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735>`_.
+This limit can be configured or disabled by environment variable, command
+line flag, or :mod:`sys` APIs. See the :ref:`integer string conversion
+length limitation <int_max_str_digits>` documentation.  The default limit
+is 4300 digits in string form.
+
+An issue in the urllib.parse component of Python before 3.11.4 allows attackers
+to bypass blocklisting methods by supplying a URL that starts with blank
+characters. Leading WHATWG C0 control and space characters are now stripped
+from the URL. This is a mitigation for `CVE-2023-24329
+<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24329>`_.
+