
python-paste: cross-site scripting/arbitrary javascript execution

Package(s): python-paste    CVE #(s):
Created: June 28, 2010    Updated: June 30, 2010
Description: From the Fedora advisory:

The only real change is to paste.httpexceptions, which was using insecure quoting of some parameters and allowed an XSS hole, most specifically with its 404 messages. The most notable WSGI applications using this are paste.urlparse.StaticURLParser and PkgResourcesParser. By directing someone to an appropriately formed URL an attacker can execute arbitrary JavaScript on the victim's client. paste.urlmap.URLMap is also affected, but only if you have no application attached to /. Other applications using paste.httpexceptions may be affected (especially HTTPNotFound). WebOb/webob.exc.HTTPNotFound is not affected.
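To make the bug class concrete, here is an added example (not code from paste, Fedora, or the advisory) of the pattern the advisory describes: a WSGI application whose 404 body echoes the requested path without HTML-escaping it, next to a hardened version that escapes it, and a small harness that drives both with a crafted PATH_INFO. The application and function names, the constructed environ, and the probe path are all assumptions for illustration; they are not paste's own identifiers. Note that a WSGI server hands the application a percent-decoded PATH_INFO, so a URL such as /%3Cscript%3E... reaches the 404 handler as a literal <script> tag.

```python
import html

# Constructed example, not paste's code: a WSGI app that answers every
# request with a 404 page. The body interpolates the requested path
# directly into HTML, which is the class of bug the advisory describes.
def vulnerable_not_found(environ, start_response):
    path = environ.get("PATH_INFO", "")
    body = (
        "<html><body><h1>404 Not Found</h1>"
        "The resource %s could not be found.</body></html>" % path
    )
    start_response("404 Not Found",
                   [("Content-Type", "text/html; charset=utf-8")])
    return [body.encode("utf-8")]


# Same handler with the path HTML-escaped before it is placed in the body.
# quote=True also escapes quotes, so the value is safe inside attributes too.
def hardened_not_found(environ, start_response):
    path = environ.get("PATH_INFO", "")
    body = (
        "<html><body><h1>404 Not Found</h1>"
        "The resource %s could not be found.</body></html>"
        % html.escape(path, quote=True)
    )
    start_response("404 Not Found",
                   [("Content-Type", "text/html; charset=utf-8")])
    return [body.encode("utf-8")]


def render(app, path_info):
    """Call a WSGI app with a constructed environ; return (status, body).

    Only the keys the handlers above read are filled in; a real server
    supplies many more. PATH_INFO is given already percent-decoded, as
    a server would."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    environ = {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": path_info,
        "SCRIPT_NAME": "",
        "SERVER_NAME": "localhost",   # constructed value
        "SERVER_PORT": "80",
        "wsgi.url_scheme": "http",
    }
    body = b"".join(app(environ, start_response)).decode("utf-8")
    return captured["status"], body


# Probe path (constructed): what a victim's browser sends after following
# http://host/%3Cscript%3Ealert(document.cookie)%3C/script%3E
PROBE_PATH = "/<script>alert(document.cookie)</script>"


def reflects_unescaped_markup(app, path_info=PROBE_PATH):
    """True if the app's response body contains the probe's raw <script> tag,
    i.e. the path was reflected into HTML without escaping."""
    _, body = render(app, path_info)
    return "<script>" in body


if __name__ == "__main__":
    for name, app in (("vulnerable", vulnerable_not_found),
                      ("hardened", hardened_not_found)):
        status, body = render(app, PROBE_PATH)
        verdict = "REFLECTS RAW MARKUP" if reflects_unescaped_markup(app) else "escaped"
        print(f"{name}: {status} -> {verdict}")
        print("   ", body)
```

The same probe works against any 404 (or other error) page that builds its message from the request, so it is a reasonable regression check to keep around for applications that mount their own StaticURLParser-style file servers or fall through to a default not-found handler.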

Alerts:
Fedora FEDORA-2010-10383 2010-06-25
Fedora FEDORA-2010-10414 2010-06-25
Fedora FEDORA-2010-10400 2010-06-25


Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds