v1.1.1

2cab9ecc · Inada Naoki · 521e4005 · 2cab9ecc · 2cab9ecc
Commit 2cab9ecc authored 1 year ago by Inada Naoki
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,21 @@
 * `db` and `passwd` will emit DeprecationWarning in v1.2. See #933.
 * `Connection.ping(reconnect)` change the default to not reconnect.

+## v1.1.1
+
+Release date: 2024-05-21
+
+> [!WARNING]
+> This release fixes a vulnerability (CVE-2024-36039).
+> All users are recommended to update to this version.
+>
+> If you can not update soon, check the input value from
+> untrusted source has an expected type. Only dict input
+> from untrusted source can be an attack vector.
+
+* Prohibit dict parameter for `Cursor.execute()`. It didn't produce valid SQL
+  and might cause SQL injection. (CVE-2024-36039)
+
 ## v1.1.0

 Release date: 2023-06-26

--- a/pymysql/__init__.py
+++ b/pymysql/__init__.py
@@ -49,8 +49,8 @@ from .times import (

 # PyMySQL version.
 # Used by setuptools and connection_attrs
-VERSION = (1, 1, 0, "final", 1)
-VERSION_STRING = "1.1.0"
+VERSION = (1, 1, 1, "final", 1)
+VERSION_STRING = "1.1.1"

 ### for mysqlclient compatibility
 ### Django checks mysqlclient version.