cpython/Misc/NEWS.d/3.5.5rc1.rst

.. bpo: 32551
.. date: 2018-01-16-16-05-37
.. nonce: U0z4W-
.. release date: 2018-01-23
.. section: Security

The ``sys.path[0]`` initialization change for bpo-29139 caused a regression
by revealing an inconsistency in how sys.path is initialized when executing
``__main__`` from a zipfile, directory, or other import location. This is
considered a potential security issue, as it may lead to privileged
processes unexpectedly loading code from user controlled directories in
situations where that was not previously the case.
The interpreter now consistently avoids ever adding the import location's
parent directory to ``sys.path``, and ensures no other ``sys.path`` entries
are inadvertently modified when inserting the import location named on the
command line. (Originally reported as bpo-29723 against Python 3.6rc1, but
it was missed at the time that the then upcoming Python 3.5.4 release would
also be affected.)
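
The following regression check for the behaviour described above is an added example, not CPython's own test code. It runs ``__main__`` from a directory and from a zipfile under a chosen interpreter and reports whether the import location's parent directory ended up on ``sys.path``. The names ``check_import_location``, ``parent_only_probe``, ``app`` and ``app.zip`` are constructed for illustration.

```python
import json, os, subprocess, sys, tempfile, zipfile

# Constructed __main__ body: reports the child's sys.path and whether a module
# that exists only in the import location's parent directory is importable.
MAIN_SRC = (
    "import json, sys\n"
    "try:\n"
    "    import parent_only_probe\n"
    "    loaded = True\n"
    "except ImportError:\n"
    "    loaded = False\n"
    "print(json.dumps({'path': sys.path, 'probe_loaded': loaded}))\n"
)

def check_import_location(kind, interpreter=sys.executable):
    """Run __main__ from a 'directory' or 'zipfile' and inspect sys.path."""
    if kind not in ("directory", "zipfile"):
        raise ValueError("kind must be 'directory' or 'zipfile'")
    with tempfile.TemporaryDirectory() as root:
        root = os.path.realpath(root)
        parent = os.path.join(root, "parent")
        neutral_cwd = os.path.join(root, "cwd")  # keeps cwd away from parent
        os.makedirs(parent)
        os.makedirs(neutral_cwd)
        # Empty module placed beside (not inside) the import location.
        open(os.path.join(parent, "parent_only_probe.py"), "w").close()
        if kind == "directory":
            location = os.path.join(parent, "app")
            os.makedirs(location)
            with open(os.path.join(location, "__main__.py"), "w") as f:
                f.write(MAIN_SRC)
        else:
            location = os.path.join(parent, "app.zip")
            with zipfile.ZipFile(location, "w") as zf:
                zf.writestr("__main__.py", MAIN_SRC)
        # Drop PYTHONPATH so only interpreter-chosen entries are observed.
        env = {k: v for k, v in os.environ.items() if k != "PYTHONPATH"}
        out = subprocess.check_output([interpreter, location], cwd=neutral_cwd,
                                      env=env, universal_newlines=True)
        report = json.loads(out)
        entries = [os.path.realpath(p) for p in report["path"] if p]
        return {"location_on_path": location in entries,
                "parent_on_path": parent in entries,
                "probe_loaded": report["probe_loaded"]}

if __name__ == "__main__":
    for kind in ("directory", "zipfile"):
        print(kind, check_import_location(kind))
```

On an interpreter that includes this fix, ``parent_on_path`` and ``probe_loaded`` are both false for either kind; pass another interpreter path as ``interpreter`` to audit a different installation.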

..

.. bpo: 30657
.. date: 2017-12-01-18-51-03
.. nonce: Fd8kId
.. section: Security

Fixed possible integer overflow in PyBytes_DecodeEscape, :cve:`2017-1000158`.
Original patch by Jay Bosamiya; rebased to Python 3 by Miro Hrončok.

..

.. bpo: 30947
.. date: 2017-09-05-20-34-44
.. nonce: iNMmm4
.. section: Security

Upgrade libexpat embedded copy from version 2.2.1 to 2.2.3 to get security
fixes.

..

.. bpo: 31095
.. date: 2017-08-01-18-48-30
.. nonce: bXWZDb
.. section: Core and Builtins

Fix potential crash during GC caused by ``tp_dealloc`` which doesn't call
``PyObject_GC_UnTrack()``.

..

.. bpo: 32072
.. date: 2017-11-18-21-13-52
.. nonce: nwDV8L
.. section: Library

Fixed issues with binary plists:

* Fixed saving bytearrays.
* Identical objects will be saved only once.
* Equal references will be loaded as identical objects.
* Added support for saving and loading recursive data structures.

..

.. bpo: 31170
.. date: 2017-09-05-20-35-21
.. nonce: QGmJ1t
.. section: Library

expat: Update libexpat from 2.2.3 to 2.2.4. Fix copying of partial
characters for UTF-8 input (libexpat bug 115):
https://github.com/libexpat/libexpat/issues/115