From 920a1c30dd547548c79744994164c48557cc0688 Mon Sep 17 00:00:00 2001 From: =?utf8?q?=C5=81ukasz=20Langa?= Date: Tue, 3 Jun 2025 20:33:38 +0200 Subject: [PATCH] Reword 3.9.23 notable changes to reflect status of backports --- Doc/whatsnew/3.9.rst | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/Doc/whatsnew/3.9.rst b/Doc/whatsnew/3.9.rst index 8196f76f1e29..18bdf386085e 100644 --- a/Doc/whatsnew/3.9.rst +++ b/Doc/whatsnew/3.9.rst @@ -1670,9 +1670,10 @@ Notable changes in 3.9.23 os.path ------- -* The *strict* parameter to :func:`os.path.realpath` accepts a new value, - :data:`os.path.ALLOW_MISSING`. - If used, errors other than :exc:`FileNotFoundError` will be re-raised; +* The *strict* parameter was backported to :func:`os.path.realpath` to + allow for ``tarfile`` to use it for security vulnerability mitigation. + In particular, when *strict* is set to :data:`os.path.ALLOW_MISSING`, + errors other than :exc:`FileNotFoundError` will be re-raised; the resulting path can be missing but it will be free of symlinks. (Contributed by Petr Viktorin for CVE 2025-4517.) -- 2.47.3