author    Bob Ippolito <bob@redivi.com>  2023-04-06 09:28:28 -0700
committer Bob Ippolito <bob@redivi.com>  2023-04-06 09:28:28 -0700
commit    ec4a3d5c7299b16a9bf4d431fa16f466cc453697 (patch)
tree      d97740dcd5e2185c30ab20550fe35558806dfac0
parent    2cbc419a31208dd9d0ed5706d5f3aa333ebd3e30 (diff)
download  simplejson-ec4a3d5c7299b16a9bf4d431fa16f466cc453697.tar.gz

Update CHANGES.txt  (audit-fixes)

-rw-r--r--  CHANGES.txt  15
1 files changed, 13 insertions, 2 deletions
diff --git a/CHANGES.txt b/CHANGES.txt
index 2ceab57..c3e176c 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,5 +1,16 @@
-Version 3.19.0 released 2023-04-XX
-
+Version 3.19.0 released 2023-04-06
+
+* This release contains security hardening measures based on recommendations
+ by a security audit sponsored by OSTIF and conducted by X41 D-Sec GmbH.
+ Several of these measures include changing defaults to be more strict,
+ by default simplejson will now only consume and produce compliant JSON,
+ but the flags still exist for any backwards compatibility needs.
+ No high priority issues were discovered, the reference count
+ leak is thought to be unreachable since the digits of the float are
+ checked before PyOS_string_to_double is called.
+ A link to the public version of this report will be included in a
+ future release of simplejson. The following fixes were implemented in
+ one PR: https://github.com/simplejson/simplejson/pull/313
* Fix invalid handling of unicode escape sequences in the pure Python
implementation of the decoder (SJ-PT-23-01)
* Fix missing reference count decrease if PyOS_string_to_double raises
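Review bot: The new paragraph says several defaults were changed to be stricter and that "the flags still exist for any backwards compatibility needs", but it never names which flags changed or what their old and new defaults are; a user upgrading to 3.19.0 whose input or output stops round-tripping has no way to tell from this entry which option to set. Suggest adding one line per changed default in the same bullet style as the SJ-PT-23-xx items, e.g. "* <flag> now defaults to <new> (was <old>)", and, since the report link is deferred to a later release, giving the X41 finding identifier next to each so readers can correlate once the report is public. The sentence "No high priority issues were discovered, the reference count leak is thought to be unreachable since the digits of the float are checked before PyOS_string_to_double is called" is also a comma splice that mixes an audit outcome with the rationale for one specific fix; splitting it into two sentences and moving the unreachability argument next to the PyOS_string_to_double bullet below would read more clearly.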