These are the changes updating zlib from 1.2.8 to 1.2.10. It is only used when building without a system zlib. The new release includes fixes for security issues CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843.

Intending to update all active branches. Larry, is it ok to add this before the upcoming 3.4 and 3.5 releases, or should it wait?

Changes in 1.2.10 (2 Jan 2017)

• Avoid warnings on snprintf() return value
• Fix bug in deflate_stored() for zero-length input
• Fix bug in gzwrite.c that produced corrupt gzip files
• Remove files to be installed before copying them in Makefile.in
• Add warnings when compiling with assembler code

Changes in 1.2.9 (31 Dec 2016)

• Fix contrib/minizip to permit unzipping with desktop API [Zouzou]
• Improve contrib/blast to return unused bytes
• Assure that gzoffset() is correct when appending
• Improve compress() and uncompress() to support large lengths
• Fix bug in test/example.c where error code not saved
• Remedy Coverity warning [Randers-Pehrson]
• Improve speed of gzprintf() in transparent mode
• Fix inflateInit2() bug when windowBits is 16 or 32
• Change DEBUG macro to ZLIB_DEBUG
• Avoid uninitialized access by gzclose_w()
• Allow building zlib outside of the source directory
• Fix bug that accepted invalid zlib header when windowBits is zero
• Fix gzseek() problem on MinGW due to buggy _lseeki64 there
• Loop on write() calls in gzwrite.c in case of non-blocking I/O
• Add --warn (-w) option to ./configure for more compiler warnings
• Reject a window size of 256 bytes if not using the zlib wrapper
• Fix bug when level 0 used with Z_HUFFMAN or Z_RLE
• Add --debug (-d) option to ./configure to define ZLIB_DEBUG
• Fix bugs in creating a very large gzip header
• Add uncompress2() function, which returns the input size used
• Assure that deflateParams() will not switch functions mid-block
• Dramatically speed up deflation for level 0 (storing)
• Add gzfread(), duplicating the interface of fread()
• Add gzfwrite(), duplicating the interface of fwrite()
• Add deflateGetDictionary() function
• Use snprintf() for later versions of Microsoft C
• Fix *Init macros to use z_ prefix when requested
• Replace as400 with os400 for OS/400 support [Monnerat]
• Add crc32_z() and adler32_z() functions with size_t lengths
• Update Visual Studio project files [AraHaan]

New changeset ed172054a812 by doko in branch '2.7':

• Issue bpo-29169: Update zlib to 1.2.10.
  https://hg.python.org/cpython/rev/ed172054a812

I cut 3.4.6rc1 and 3.5.3rc1 a couple of days ago. Do you think the CVEs are bad enough to warrant cherry-picking this? A quick google suggests they were all low severity:

http://www.openwall.com/lists/oss-security/2016/12/05/21

I'm inclined to not cherry-pick this, which means it'd ship in 3.5.4 and 3.4.7, probably in six months.

I'm inclined to not cherry-pick this, which means it'd
ship in 3.5.4 and 3.4.7, probably in six months.

I concur. Looking at the CVEs, these all seem minor and not exploitable through the Python interface.

ok, will wait with the commits until after the releases.

plus the update to 1.2.11

New changeset 0136c99a9795 by doko in branch '2.7':

• Issue bpo-29169: Update zlib to 1.2.11.
  https://hg.python.org/cpython/rev/0136c99a9795

New changeset c8c1f08428cb by doko in branch '3.5':

• Issue bpo-29169: Update zlib to 1.2.10.
  https://hg.python.org/cpython/rev/c8c1f08428cb

now updated all active branches to 1.2.11

Misc/NEWS (and the commit message) say 1.2.10. Perhaps you meant 1.2.11?

New changeset 7b279c263708 by doko in branch '3.5':
Issue bpo-29169: Fix NEWS entry.
https://hg.python.org/cpython/rev/7b279c263708

New changeset d0e61bd by larryhastings (Victor Stinner) in branch '3.4':
bpo-29169: Update zlib to 1.2.11 (bpo-3107)
d0e61bd

New changeset 7c1f136 by doko in branch '3.6':
Issue bpo-29169: Fix NEWS entry.
7c1f136

New changeset 7c1f136 by doko in branch '3.5':
Issue bpo-29169: Fix NEWS entry.
7c1f136

New changeset 7c1f136 by doko in branch 'master':
Issue bpo-29169: Fix NEWS entry.
7c1f136