Misc/NEWS.d/next/Security/2022-08-07-16-53-38.gh-issue-95778.ch010gps.rst - platform/external/python/cpython3 - Git at Google

 Converting between :class:`int` and :class:`str` in bases other than 2
 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now
 raises a :exc:`ValueError` if the number of digits in string form is above a
 limit to avoid potential denial of service attacks due to the algorithmic
 complexity. This is a mitigation for `CVE-2020-10735
 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735>`_.

 This new limit can be configured or disabled by environment variable, command
 line flag, or :mod:`sys` APIs. See the :ref:`integer string conversion length
 limitation <int_max_str_digits>` documentation.  The default limit is 4300
 digits in string form.

 Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with feedback
 from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and Mark Dickinson.
	Converting between :class:`int` and :class:`str` in bases other than 2
	(binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now
	raises a :exc:`ValueError` if the number of digits in string form is above a
	limit to avoid potential denial of service attacks due to the algorithmic
	complexity. This is a mitigation for `CVE-2020-10735
	<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735>`_.

	This new limit can be configured or disabled by environment variable, command
	line flag, or :mod:`sys` APIs. See the :ref:`integer string conversion length
	limitation <int_max_str_digits>` documentation. The default limit is 4300
	digits in string form.

	Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with feedback
	from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and Mark Dickinson.