[3.9] bpo-43285: Add a What's New entry for 3.9.3. (GH-24888)

author Gregory P. Smith <greg@krypto.org>

Tue, 16 Mar 2021 04:37:58 +0000 (21:37 -0700)

committer GitHub <noreply@github.com>

Tue, 16 Mar 2021 04:37:58 +0000 (21:37 -0700)
author Gregory P. Smith <greg@krypto.org>
Tue, 16 Mar 2021 04:37:58 +0000 (21:37 -0700)
committer GitHub <noreply@github.com>
Tue, 16 Mar 2021 04:37:58 +0000 (21:37 -0700)
diff --git a/Doc/whatsnew/3.9.rst b/Doc/whatsnew/3.9.rst

index 3086930569dc9884886f19f27ab9f9d342e3983f..4cb49406d6b7775635fe23bf1e1e743ef7302c81 100644 (file)
--- a/Doc/whatsnew/3.9.rst
+++ b/Doc/whatsnew/3.9.rst
@@ -1529,3 +1529,12 @@ separator key, with ``&`` as the default.  This change also affects
  functions internally. For more details, please see their respective
  documentation.
  (Contributed by Adam Goldschmidt, Senthil Kumaran and Ken Jin in :issue:`42967`.)
+
+Notable changes in Python 3.9.3
+===============================
+
+A security fix alters the :class:`ftplib.FTP` behavior to not trust the
+IPv4 address sent from the remote server when setting up a passive data
+channel.  We reuse the ftp server IP address instead.  For unusual code
+requiring the old behavior, set a ``trust_server_pasv_ipv4_address``
+attribute on your FTP instance to ``True``.  (See :issue:`43285`)
author	Gregory P. Smith <greg@krypto.org>
	Tue, 16 Mar 2021 04:37:58 +0000 (21:37 -0700)
committer	GitHub <noreply@github.com>
	Tue, 16 Mar 2021 04:37:58 +0000 (21:37 -0700)