Release version 4.2.1

diff --git a/docs/releases.rst b/docs/releases.rst
index dd6c54f9e902df6309eb1a9077583c7cdb7334fb..21c4e638bb10826dba1cb5954a061cbf57ef7fdd 100644 (file)
--- a/docs/releases.rst
+++ b/docs/releases.rst
@@ -4,6 +4,7 @@ Release notes
 .. toctree::
    :maxdepth: 2
 
+   releases/v4.2.1
    releases/v4.2.0
    releases/v4.1.0
    releases/v4.0.2

diff --git a/docs/releases/v4.2.1.rst b/docs/releases/v4.2.1.rst
new file mode 100644 (file)
index 0000000..a2ed144
--- /dev/null
+++ b/docs/releases/v4.2.1.rst
@@ -0,0 +1,12 @@
+What's new in Tornado 4.2.1
+===========================
+
+Jul 17, 2015
+------------
+
+Security fix
+~~~~~~~~~~~~
+
+* This release fixes a path traversal vulnerability in `.StaticFileHandler`,
+  in which files whose names *started with* the ``static_path`` directory
+  but were not actually *in* that directory could be accessed.

diff --git a/setup.py b/setup.py
index 9e5ea7fa23bd04425515e0e852545d179a5fa758..613c6c16b19403d7b68d36aab72059da7c20aa27 100644 (file)
--- a/setup.py
+++ b/setup.py
@@ -99,7 +99,7 @@ http://api.mongodb.org/python/current/installation.html#osx
 
 kwargs = {}
 
-version = "4.2"
+version = "4.2.1"
 
 with open('README.rst') as f:
     kwargs['long_description'] = f.read()

diff --git a/tornado/__init__.py b/tornado/__init__.py
index 29e8704118086e80072dd21ee4f97ecfcf160b7d..5588295e49e064b1c542aeca0ff94eb0178bd529 100644 (file)
--- a/tornado/__init__.py
+++ b/tornado/__init__.py
@@ -25,5 +25,5 @@ from __future__ import absolute_import, division, print_function, with_statement
 # is zero for an official release, positive for a development branch,
 # or negative for a release candidate or beta (after the base version
 # number has been incremented)
-version = "4.2"
-version_info = (4, 2, 0, 0)
+version = "4.2.1"
+version_info = (4, 2, 1, 0)