bpo-36384: [doc] Mention CVE-2021-29921 fix in 3.8.12 (GH-27824) (GH-27827)

(cherry picked from commit 0fd66e46b2f472d0d206a185dc8892f4f0347cb6)

Co-authored-by: Łukasz Langa <lukasz@langa.pl>

diff --git a/Doc/library/ipaddress.rst b/Doc/library/ipaddress.rst
index 1c2263b128a8fe5fef67b443fbb5da7a1e342632..2ab4dd83ad4deefff26e3f5b40c6fdf6bb7d42c1 100644 (file)
--- a/Doc/library/ipaddress.rst
+++ b/Doc/library/ipaddress.rst
@@ -132,6 +132,11 @@ write code that handles both IP versions correctly.  Address objects are
       The above change was also included in Python 3.9 starting with
       version 3.9.5.
 
+   .. versionchanged:: 3.8.12
+
+      The above change was also included in Python 3.8 starting with
+      version 3.8.12.
+
    .. attribute:: version
 
       The appropriate version number: ``4`` for IPv4, ``6`` for IPv6.

diff --git a/Doc/whatsnew/3.8.rst b/Doc/whatsnew/3.8.rst
index dbc3875aae61b3888cc2ecae3eb270d7c96a00d6..1b3bb152eea13c97d4779fd5cea2c4e2f011a0a4 100644 (file)
--- a/Doc/whatsnew/3.8.rst
+++ b/Doc/whatsnew/3.8.rst
@@ -2247,3 +2247,16 @@ separator key, with ``&`` as the default.  This change also affects
 functions internally. For more details, please see their respective
 documentation.
 (Contributed by Adam Goldschmidt, Senthil Kumaran and Ken Jin in :issue:`42967`.)
+
+Notable changes in Python 3.8.12
+================================
+
+Starting with Python 3.8.12 the :mod:`ipaddress` module no longer accepts
+any leading zeros in IPv4 address strings. Leading zeros are ambiguous and
+interpreted as octal notation by some libraries. For example the legacy
+function :func:`socket.inet_aton` treats leading zeros as octal notation.
+glibc implementation of modern :func:`~socket.inet_pton` does not accept
+any leading zeros.
+
+(Originally contributed by Christian Heimes in :issue:`36384`, and backported
+to 3.8 by Achraf Merzouki.)