.. bpo: 30730
.. date: 9992
.. nonce: rJsyTH
.. original section: Library
.. release date: 2017-07-07
.. section: Security

Prevent environment variable injection in subprocess on Windows. Prevent
passing other environment variables and command arguments.

..

.. bpo: 30694
.. date: 9991
.. nonce: WkMWM_
.. original section: Library
.. section: Security

Upgrade expat copy from 2.2.0 to 2.2.1 to get fixes of multiple security
vulnerabilities including: CVE-2017-9233 (External entity infinite loop
DoS), CVE-2016-9063 (Integer overflow, re-fix), CVE-2016-0718 (Fix
regression bugs from 2.2.0's fix to CVE-2016-0718) and CVE-2012-0876
(Counter hash flooding with SipHash). Note: CVE-2016-5300 (Use
OS-specific entropy sources like getrandom) doesn't impact Python, since
Python already gets entropy from the OS to set the expat secret using
``XML_SetHashSalt()``.

..

.. bpo: 30500
.. date: 9990
.. nonce: 1VG7R-
.. original section: Library
.. section: Security

Fix urllib.parse.splithost() to correctly parse fragments. For example,
``splithost('//127.0.0.1#@evil.com/')`` now correctly returns the
``127.0.0.1`` host, instead of treating ``@evil.com`` as the host in an
authentication (``login@host``).
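The splithost() entry above turns on one detail of URL parsing: the host part must be cut off at the first ``/``, ``?`` or ``#`` before any ``login@host`` handling, otherwise an ``@`` sitting inside the fragment is mistaken for the userinfo separator. The following is an added example, not code from CPython or from the bpo-30500 fix; ``naive_host`` is a hypothetical hand-rolled parser written to reproduce the described mistake (not the actual pre-fix implementation), ``safe_host`` uses the public ``urllib.parse.urlsplit()`` API, and ``splithost_after_fix`` calls the legacy ``splithost()`` only if the running interpreter still ships it (it has been deprecated since Python 3.8). ``SAMPLE_URL`` is the input quoted in the changelog entry.

```python
"""Added example (not part of the CPython changelog): why fragment handling
matters when extracting the host from a URL, using the input quoted for
bpo-30500 as the sample."""
import urllib.parse as up
import warnings
from urllib.parse import urlsplit

# Sample URL taken from the changelog entry: the fragment contains an '@'
# that a careless parser can mistake for a userinfo separator.
SAMPLE_URL = "//127.0.0.1#@evil.com/"


def naive_host(url):
    """Hypothetical parser reproducing the mistake described in the entry:
    it isolates the netloc before stripping '?' and '#', so an '@' inside
    the fragment is read as 'login@host' and the text after it (which an
    attacker controls) becomes the host."""
    rest = url[2:] if url.startswith("//") else url
    netloc = rest.split("/", 1)[0]          # fragment is still attached here
    if "@" in netloc:
        netloc = netloc.rsplit("@", 1)[1]   # drops the supposed credentials
    return netloc


def safe_host(url):
    """Use urlsplit(), which terminates the netloc at the first '/', '?' or
    '#' before any userinfo handling, and return its .hostname."""
    return urlsplit(url).hostname


def splithost_after_fix(url):
    """Call the legacy urllib.parse.splithost() when it is still available
    (it is deprecated and warns since 3.8); return None if it is absent.
    On a fixed interpreter it yields ('127.0.0.1', '#@evil.com/')."""
    func = getattr(up, "splithost", None)
    if func is None:
        return None
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        return func(url)


def host_matches(url, expected):
    """Defensive check an application can run before connecting: the host it
    is about to talk to must equal what the standard parser extracts."""
    return safe_host(url) == expected


if __name__ == "__main__":
    print("naive :", naive_host(SAMPLE_URL))        # evil.com
    print("safe  :", safe_host(SAMPLE_URL))         # 127.0.0.1
    print("legacy:", splithost_after_fix(SAMPLE_URL))
```

The design point is ordering: ``urlsplit()`` finds the end of the netloc first and only then looks at ``@``, so the fragment can never contribute characters to the host; a parser that searches for ``@`` before cutting at ``#`` reports ``evil.com`` for the same input.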