From 8da981c0f614f63d9d3b2cd5017db2b40e5642f6 Mon Sep 17 00:00:00 2001 From: Ben Darnell Date: Tue, 2 Jun 2026 15:58:39 -0400 Subject: [PATCH 1/2] docs: Add CVE links to 6.5.6 release notes --- docs/releases/v6.5.6.rst | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/releases/v6.5.6.rst b/docs/releases/v6.5.6.rst index ac100d38f..20c3989e1 100644 --- a/docs/releases/v6.5.6.rst +++ b/docs/releases/v6.5.6.rst @@ -14,12 +14,15 @@ Security fixes Wang](https://github.com/noobone123) for being first to report this issue, as well as additional reporters [Kai Aizen](https://github.com/SnailSploit), [HunSec](https://github.com/0xHunSec), and [Thai Son Dinh](https://github.com/sondt99). + `CVE-2026-49853 `_ - ``SimpleAsyncHTTPClient`` now enforces ``max_body_size`` on the decompressed size of the response, rather than the compressed size. This prevents a denial-of-service attack via a very large compressed response. Thanks to [Yuichiro Kedashiro](https://github.com/yuui25) for reporting this issue. + `CVE-2026-49855 `_ - Fixed a bug in the C extension that could have read up to three bytes past the end of an input array. Thanks to [Thai Son Dinh](https://github.com/sondt99) for reporting this issue. + `CVE-2026-49854 `_ - ``OpenIDMixin`` has improved parsing for the ``check_authentication`` response. Thanks to [Yannick Wang](https://github.com/noobone123) for reporting this issue. From 288241f6812bb7204984573e55de21d17af951f3 Mon Sep 17 00:00:00 2001 From: Ben Darnell Date: Tue, 2 Jun 2026 16:02:23 -0400 Subject: [PATCH 2/2] docs: Use the correct link syntax --- docs/releases/v6.5.6.rst | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/releases/v6.5.6.rst b/docs/releases/v6.5.6.rst index 20c3989e1..21d3f8795 100644 --- a/docs/releases/v6.5.6.rst +++ b/docs/releases/v6.5.6.rst 
@@ -10,21 +10,21 @@ Security fixes - ``SimpleAsyncHTTPClient`` now strips the ``Authorization`` and ``Cookie`` headers from the request when following a redirect to a different origin. This matches the default behavior of ``CurlAsyncHTTPClient``. Applications that need different behavior here can set - ``follow_redirects=False`` and handle redirects manually. Thanks to [Yannick - Wang](https://github.com/noobone123) for being first to report this issue, as well as additional - reporters [Kai Aizen](https://github.com/SnailSploit), [HunSec](https://github.com/0xHunSec), and - [Thai Son Dinh](https://github.com/sondt99). + ``follow_redirects=False`` and handle redirects manually. Thanks to `Yannick + Wang `_ for being first to report this issue, as well as + additional reporters `Kai Aizen `_, + `HunSec `_, and `Thai Son Dinh `_. `CVE-2026-49853 `_ - ``SimpleAsyncHTTPClient`` now enforces ``max_body_size`` on the decompressed size of the response, rather than the compressed size. This prevents a denial-of-service attack via a very large - compressed response. Thanks to [Yuichiro Kedashiro](https://github.com/yuui25) for reporting this + compressed response. Thanks to `Yuichiro Kedashiro `_ for reporting this issue. `CVE-2026-49855 `_ - Fixed a bug in the C extension that could have read up to three bytes past the end of an input - array. Thanks to [Thai Son Dinh](https://github.com/sondt99) for reporting this issue. + array. Thanks to `Thai Son Dinh `_ for reporting this issue. `CVE-2026-49854 `_ - ``OpenIDMixin`` has improved parsing for the ``check_authentication`` response. Thanks to - [Yannick Wang](https://github.com/noobone123) for reporting this issue. + `Yannick Wang `_ for reporting this issue. Bug fixes ~~~~~~~~~
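Review bot: In patch 1/2 the CVE IDs are attached out of numeric order: CVE-2026-49853 on the redirect header-stripping item, CVE-2026-49855 on the ``max_body_size`` item, and CVE-2026-49854 on the C extension over-read item. Please confirm each ID against its advisory before merging, since a swapped pair would send readers to the wrong record. The fourth security item, the ``OpenIDMixin`` ``check_authentication`` parsing fix, gets no CVE link; if no CVE was assigned for it, saying so in the commit message would keep the omission from reading as an oversight.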
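Review bot: In patch 2/2 the names "Yannick Wang" and "Thai Son Dinh" each appear twice as named hyperlink references (single trailing underscore). In reStructuredText a named reference with an embedded URL also defines a target of that name, so the two occurrences of each name must carry identical URLs or docutils will report a duplicate explicit target name. Either verify that the URLs match character for character or switch the repeated ones to the anonymous form with a double trailing underscore. The first "Yannick Wang" reference also wraps between "Yannick" and "Wang"; that is valid, but keeping the reference text on one line would make it harder to break in a later reflow.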