BE-5248 New AS Release 2.7.18.12

rickprice · rickprice · commit ef22247ef226 · 2025-04-29T20:46:11.000-04:00
diff --git a/Include/patchlevel.h b/Include/patchlevel.h
@@ -27,7 +27,7 @@
 #define PY_RELEASE_SERIAL	0
 
 /* Version as a string */
-#define PY_VERSION      	"2.7.18.11"
+#define PY_VERSION      	"2.7.18.12"
 /*--end constants--*/
 
 /* Subversion Revision number of this file (not of the repository). Empty
diff --git a/Misc/NEWS.d/2.7.18.12.rst b/Misc/NEWS.d/2.7.18.12.rst
@@ -0,0 +1,9 @@
+.. bpo: ?
+.. date: 2025-01-22
+.. nonce: 
+.. release date: 2025-01-22
+.. section: Core and Builtins
+
+CVE-2023-27043
+
+The legacy email.utils.parseaddr function in Python through 3.11.4 allows attackers to trigger "RecursionError: maximum recursion depth exceeded while calling a Python object" via a crafted argument. This argument is plausibly an untrusted value from an application's input data that was supposed to contain a name and an e-mail address. NOTE: email.utils.parseaddr is categorized as a Legacy API in the documentation of the Python email package. Applications should instead use the email.parser.BytesParser or email.parser.Parser class. NOTE: the vendor's perspective is that this is neither a vulnerability nor a bug. The email package is intended to have size limits and to throw an exception when limits are exceeded; they were exceeded by the example demonstration code.
