Fixes the following security vulnerabilities:
- bpo-38243: Escape the server title of xmlrpc.server.DocXMLRPCServer when
rendering the document page as HTML. (Contributed by Dong-hee Na in
bpo-38243.)
- bpo-38174: Update vendorized expat library version to 2.2.8, which
resolves CVE-2019-15903.
- bpo-37764: Fixes email._header_value_parser.get_unstructured going into an
infinite loop for a specific case in which the email header does not have
trailing whitespace, and the case in which it contains an invalid encoded
word. Patch by Ashwin Ramaswami.
- bpo-37461: Fix an infinite loop when parsing specially crafted email
headers. Patch by Abhilash Raj.
- bpo-34155: Fix parsing of invalid email addresses with more than one @
(e.g. a@b@c.com.) to not return the part before 2nd @ as valid email
address. Patch by maxking & jpic.
Additionally, the release contains a number of non-security related fixes.
For details, see the changelog:
https://docs.python.org/3.7/whatsnew/changelog.html#python-3-7-5-final
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
