From 02caee917f1b629467942ae3112d10e13d03202a Mon Sep 17 00:00:00 2001 From: Michael Merickel Date: Sat, 3 Nov 2018 13:27:32 -0500 Subject: remove UnencryptedCookieSessionFactoryConfig and signed_(de)serialize --- CHANGES.rst | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'CHANGES.rst') diff --git a/CHANGES.rst b/CHANGES.rst index f847cec7a..dfea7afa9 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -39,6 +39,19 @@ Backward Incompatibilities matching that was not compliant with the RFC. See https://github.com/Pylons/pyramid/pull/3411 +- Removed ``pyramid.session.UnencryptedCookieSessionFactoryConfig``. This + session factory was replaced with + ``pyramid.session.SignedCookieSessionFactory`` in Pyramid 1.5 and has been + deprecated since then. + See https://github.com/Pylons/pyramid/pull/3412 + +- Removed ``pyramid.session.signed_serialize``, and + ``pyramid.session.signed_deserialize``. These methods were only used by + the now-removed ``pyramid.session.UnencryptedCookieSessionFactoryConfig`` + and were coupled to the vulnerable pickle serialization format which could + lead to remove code execution if the secret key is compromised. + See https://github.com/Pylons/pyramid/pull/3412 + Documentation Changes --------------------- -- cgit v1.2.3
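Review bot: The second added entry has a typo that changes the meaning of the security rationale: "could lead to remove code execution" should read "could lead to remote code execution". In the same entry, the comma in "``pyramid.session.signed_serialize``, and" is stray, and "These methods" would read better as "These functions", since both names are given as members of the ``pyramid.session`` module. The first entry tells readers what replaced the removed factory (``pyramid.session.SignedCookieSessionFactory``), but the second gives callers of ``signed_serialize`` / ``signed_deserialize`` no migration guidance; add a sentence stating what to use instead, or that no replacement is provided. It is also worth keeping the condition "if the secret key is compromised" next to the pickle remark, as it is now, so the entry does not overstate the exposure.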