From: Ben Darnell <ben@bendarnell.com>
Date: Fri, 17 Jul 2015 15:48:58 +0000 (-0400)
Subject: Release version 4.2.1
X-Git-Tag: v4.2.1^0
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5d4d114354f86b663e4ed4d963075237bf7e8a35;p=thirdparty%2Ftornado.git

Release version 4.2.1
---

diff --git a/docs/releases.rst b/docs/releases.rst
index dd6c54f9e..21c4e638b 100644
--- a/docs/releases.rst
+++ b/docs/releases.rst
@@ -4,6 +4,7 @@ Release notes
 .. toctree::
    :maxdepth: 2
 
+   releases/v4.2.1
    releases/v4.2.0
    releases/v4.1.0
    releases/v4.0.2
diff --git a/docs/releases/v4.2.1.rst b/docs/releases/v4.2.1.rst
new file mode 100644
index 000000000..a2ed14495
--- /dev/null
+++ b/docs/releases/v4.2.1.rst
@@ -0,0 +1,12 @@
+What's new in Tornado 4.2.1
+===========================
+
+Jul 17, 2015
+------------
+
+Security fix
+~~~~~~~~~~~~
+
+* This release fixes a path traversal vulnerability in `.StaticFileHandler`,
+  in which files whose names *started with* the ``static_path`` directory
+  but were not actually *in* that directory could be accessed.
diff --git a/setup.py b/setup.py
index 9e5ea7fa2..613c6c16b 100644
--- a/setup.py
+++ b/setup.py
@@ -99,7 +99,7 @@ http://api.mongodb.org/python/current/installation.html#osx
 
 kwargs = {}
 
-version = "4.2"
+version = "4.2.1"
 
 with open('README.rst') as f:
     kwargs['long_description'] = f.read()
diff --git a/tornado/__init__.py b/tornado/__init__.py
index 29e870411..5588295e4 100644
--- a/tornado/__init__.py
+++ b/tornado/__init__.py
@@ -25,5 +25,5 @@ from __future__ import absolute_import, division, print_function, with_statement
 # is zero for an official release, positive for a development branch,
 # or negative for a release candidate or beta (after the base version
 # number has been incremented)
-version = "4.2"
-version_info = (4, 2, 0, 0)
+version = "4.2.1"
+version_info = (4, 2, 1, 0)