blurb release for 3.4.7rc1.

diff --git a/Misc/NEWS.d/3.4.7rc1.rst b/Misc/NEWS.d/3.4.7rc1.rst
new file mode 100644 (file)
index 0000000..16ad0ff
--- /dev/null
+++ b/Misc/NEWS.d/3.4.7rc1.rst
@@ -0,0 +1,99 @@
+.. bpo: 29591
+.. date: 2017-07-11-22-26-48
+.. nonce: cOeMX-
+.. release date: 2017-07-23
+.. section: Security
+
+Update expat copy from 2.1.1 to 2.2.0 to get fixes of CVE-2016-0718 and
+CVE-2016-4472. See https://sourceforge.net/p/expat/bugs/537/ for more
+information.
+
+..
+
+.. bpo: 30694
+.. date: 2017-07-11-22-25-24
+.. nonce: oOf3Er
+.. section: Security
+
+Upgrade expat copy from 2.2.0 to 2.2.1 to get fixes of multiple security
+vulnerabilities including: CVE-2017-9233 (External entity infinite loop
+DoS), CVE-2016-9063 (Integer overflow, re-fix), CVE-2016-0718 (Fix
+regression bugs from 2.2.0's fix to CVE-2016-0718) and CVE-2012-0876
+(Counter hash flooding with SipHash).  Note: the CVE-2016-5300 (Use os-
+specific entropy sources like getrandom) doesn't impact Python, since Python
+already gets entropy from the OS to set the expat secret using
+``XML_SetHashSalt()``.
+
+..
+
+.. bpo: 26657
+.. date: 2017-07-11-22-07-03
+.. nonce: wvpzFD
+.. section: Security
+
+Fix directory traversal vulnerability with http.server on Windows. This
+fixes a regression that was introduced in 3.3.4rc1 and 3.4.0rc1. Based on
+patch by Philipp Hagemeister.
+
+..
+
+.. bpo: 30500
+.. date: 2017-07-11-22-02-51
+.. nonce: wXUrkQ
+.. section: Security
+
+Fix urllib.parse.splithost() to correctly parse fragments. For example,
+``splithost('//127.0.0.1#@evil.com/')`` now correctly returns the
+``127.0.0.1`` host, instead of treating ``@evil.com`` as the host in an
+authentification (``login@host``).
+
+..
+
+.. bpo: 30730
+.. date: 02
+.. nonce: ZF8XGV
+.. original section: Library
+.. section: Security
+
+Prevent environment variables injection in subprocess on Windows.  Prevent
+passing other invalid environment variables and command arguments.
+
+..
+
+.. bpo: 26617
+.. date: 2017-07-15-13-55-22
+.. nonce: Gh5LvN
+.. section: Core and Builtins
+
+Fix crash when GC runs during weakref callbacks.
+
+..
+
+.. bpo: 27945
+.. date: 04
+.. nonce: p29r3O
+.. section: Core and Builtins
+
+Fixed various segfaults with dict when input collections are mutated during
+searching, inserting or comparing.  Based on patches by Duane Griffin and
+Tim Mitchell.
+
+..
+
+.. bpo: 27850
+.. date: 01
+.. nonce: kIVQ0m
+.. section: Library
+
+Remove 3DES from ssl module's default cipher list to counter measure sweet32
+attack (CVE-2016-2183).
+
+..
+
+.. bpo: 25008
+.. date: 03
+.. nonce: CeIzyU
+.. section: Documentation
+
+Document smtpd.py as effectively deprecated and add a pointer to aiosmtpd, a
+third-party asyncio-based replacement.

diff --git a/Misc/NEWS.d/next/Core and Builtins/04.bpo-27945.p29r3O.rst b/Misc/NEWS.d/next/Core and Builtins/04.bpo-27945.p29r3O.rst
deleted file mode 100644 (file)
index da5b8d1..0000000
--- a/Misc/NEWS.d/next/Core and Builtins/04.bpo-27945.p29r3O.rst
+++ /dev/null
@@ -1,3 +0,0 @@
-Fixed various segfaults with dict when input collections are mutated during
-searching, inserting or comparing.  Based on patches by Duane Griffin and
-Tim Mitchell.

diff --git a/Misc/NEWS.d/next/Core and Builtins/2017-07-15-13-55-22.bpo-26617.Gh5LvN.rst b/Misc/NEWS.d/next/Core and Builtins/2017-07-15-13-55-22.bpo-26617.Gh5LvN.rst
deleted file mode 100644 (file)
index c3a4139..0000000
--- a/Misc/NEWS.d/next/Core and Builtins/2017-07-15-13-55-22.bpo-26617.Gh5LvN.rst
+++ /dev/null
@@ -1 +0,0 @@
-Fix crash when GC runs during weakref callbacks.

diff --git a/Misc/NEWS.d/next/Documentation/03.bpo-25008.CeIzyU.rst b/Misc/NEWS.d/next/Documentation/03.bpo-25008.CeIzyU.rst
deleted file mode 100644 (file)
index ea4046e..0000000
--- a/Misc/NEWS.d/next/Documentation/03.bpo-25008.CeIzyU.rst
+++ /dev/null
@@ -1,2 +0,0 @@
-Document smtpd.py as effectively deprecated and add a pointer to aiosmtpd, a
-third-party asyncio-based replacement.

diff --git a/Misc/NEWS.d/next/Library/01.bpo-27850.kIVQ0m.rst b/Misc/NEWS.d/next/Library/01.bpo-27850.kIVQ0m.rst
deleted file mode 100644 (file)
index f21375d..0000000
--- a/Misc/NEWS.d/next/Library/01.bpo-27850.kIVQ0m.rst
+++ /dev/null
@@ -1,2 +0,0 @@
-Remove 3DES from ssl module's default cipher list to counter measure sweet32
-attack (CVE-2016-2183).

diff --git a/Misc/NEWS.d/next/Security/02.bpo-30730.ZF8XGV.rst b/Misc/NEWS.d/next/Security/02.bpo-30730.ZF8XGV.rst
deleted file mode 100644 (file)
index 2c76443..0000000
--- a/Misc/NEWS.d/next/Security/02.bpo-30730.ZF8XGV.rst
+++ /dev/null
@@ -1,4 +0,0 @@
-.. original section: Library
-
-Prevent environment variables injection in subprocess on Windows.  Prevent
-passing other invalid environment variables and command arguments.

diff --git a/Misc/NEWS.d/next/Security/2017-07-11-22-02-51.bpo-30500.wXUrkQ.rst b/Misc/NEWS.d/next/Security/2017-07-11-22-02-51.bpo-30500.wXUrkQ.rst
deleted file mode 100644 (file)
index 6570e70..0000000
--- a/Misc/NEWS.d/next/Security/2017-07-11-22-02-51.bpo-30500.wXUrkQ.rst
+++ /dev/null
@@ -1,4 +0,0 @@
-Fix urllib.parse.splithost() to correctly parse fragments. For example,
-``splithost('//127.0.0.1#@evil.com/')`` now correctly returns the
-``127.0.0.1`` host, instead of treating ``@evil.com`` as the host in an
-authentification (``login@host``).

diff --git a/Misc/NEWS.d/next/Security/2017-07-11-22-07-03.bpo-26657.wvpzFD.rst b/Misc/NEWS.d/next/Security/2017-07-11-22-07-03.bpo-26657.wvpzFD.rst
deleted file mode 100644 (file)
index ac1dc14..0000000
--- a/Misc/NEWS.d/next/Security/2017-07-11-22-07-03.bpo-26657.wvpzFD.rst
+++ /dev/null
@@ -1,3 +0,0 @@
-Fix directory traversal vulnerability with http.server on Windows. This
-fixes a regression that was introduced in 3.3.4rc1 and 3.4.0rc1. Based on
-patch by Philipp Hagemeister.

diff --git a/Misc/NEWS.d/next/Security/2017-07-11-22-25-24.bpo-30694.oOf3Er.rst b/Misc/NEWS.d/next/Security/2017-07-11-22-25-24.bpo-30694.oOf3Er.rst
deleted file mode 100644 (file)
index ee2c0a5..0000000
--- a/Misc/NEWS.d/next/Security/2017-07-11-22-25-24.bpo-30694.oOf3Er.rst
+++ /dev/null
@@ -1,8 +0,0 @@
-Upgrade expat copy from 2.2.0 to 2.2.1 to get fixes of multiple security
-vulnerabilities including: CVE-2017-9233 (External entity infinite loop
-DoS), CVE-2016-9063 (Integer overflow, re-fix), CVE-2016-0718 (Fix
-regression bugs from 2.2.0's fix to CVE-2016-0718) and CVE-2012-0876
-(Counter hash flooding with SipHash).  Note: the CVE-2016-5300 (Use os-
-specific entropy sources like getrandom) doesn't impact Python, since Python
-already gets entropy from the OS to set the expat secret using
-``XML_SetHashSalt()``.

diff --git a/Misc/NEWS.d/next/Security/2017-07-11-22-26-48.bpo-29591.cOeMX-.rst b/Misc/NEWS.d/next/Security/2017-07-11-22-26-48.bpo-29591.cOeMX-.rst
deleted file mode 100644 (file)
index ca740bb..0000000
--- a/Misc/NEWS.d/next/Security/2017-07-11-22-26-48.bpo-29591.cOeMX-.rst
+++ /dev/null
@@ -1,3 +0,0 @@
-Update expat copy from 2.1.1 to 2.2.0 to get fixes of CVE-2016-0718 and
-CVE-2016-4472. See https://sourceforge.net/p/expat/bugs/537/ for more
-information.