unplugged-vendor/external/python/cpython2/Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst

When ``shutil.make_archive`` falls back to the external ``zip`` program, it
uses :mod:`subprocess` to invoke it rather than :mod:`distutils.spawn`. This
closes a possible shell injection vector.
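
The difference an argument list makes, as an added Python 3 example (not CPython's own code): a child Python process stands in for the external ``zip`` binary, and the helper names ``zip_args``, ``received_argv``, ``shell_view`` and the sample directory name are constructed for illustration.

```python
import json
import shlex
import subprocess
import sys

# Stand-in for the external ``zip`` binary (assumption, so this runs anywhere):
# a child Python process that reports the argument vector it received.
_ECHO_ARGV = "import json, sys; print(json.dumps(sys.argv[1:]))"


def zip_args(zip_filename, base_dir, verbose=False):
    """Arguments for ``zip``, kept as a list with one element per argument."""
    return ["-r" if verbose else "-rq", zip_filename, base_dir]


def received_argv(args):
    """Run the stand-in via subprocess with a list (no shell); return its argv."""
    out = subprocess.check_output([sys.executable, "-c", _ECHO_ARGV] + list(args))
    return json.loads(out.decode("utf-8"))


def shell_view(args):
    """Tokens a POSIX shell would see if the same arguments were space-joined
    into one command string. Nothing is executed here."""
    lexer = shlex.shlex("zip " + " ".join(args), posix=True, punctuation_chars=True)
    return list(lexer)


# Constructed sample: a directory name containing a shell metacharacter.
HOSTILE_DIR = "reports; echo INJECTED"

if __name__ == "__main__":
    args = zip_args("out.zip", HOSTILE_DIR)
    print("argv list :", received_argv(args))   # name arrives as one argument
    print("shell view:", shell_view(args))      # ';' becomes a command separator
```

With the list form the directory name reaches the child as a single literal argument; once joined into a string for a shell, the same name splits at ``;`` into a second command.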