- Update patch fix_configure_rst.patch
- Update to 3.11.7:
- Core and Builtins
- gh-112625: Fixes a bug where a bytearray object could be cleared
while iterating over an argument in the bytearray.join() method
that could result in reading memory after it was freed.
- gh-112388: Fix an error that was causing the parser to try to
overwrite tokenizer errors. Patch by pablo Galindo
- gh-112387: Fix error positions for decoded strings with
backwards tokenize errors. Patch by Pablo Galindo
- gh-112266: Change docstrings of __dict__ and __weakref__.
- gh-109181: Speed up Traceback object creation by lazily compute
the line number. Patch by Pablo Galindo
- gh-102388: Fix a bug where iso2022_jp_3 and iso2022_jp_2004
codecs read out of bounds
- gh-111366: Fix an issue in the codeop that was causing
SyntaxError exceptions raised in the presence of invalid syntax
to not contain precise error messages. Patch by Pablo Galindo
- gh-111380: Fix a bug that was causing SyntaxWarning to appear
twice when parsing if invalid syntax is encountered later. Patch
by Pablo galindo
- gh-88116: Traceback location ranges involving wide unicode
characters (like emoji and asian characters) now are properly
highlighted. Patch by Batuhan Taskaya and Pablo Galindo.
- gh-94438: Fix a regression that prevented jumping across is None
and is not None when debugging. Patch by Savannah Ostrowski.
- gh-110696: Fix incorrect error message for invalid argument
unpacking. Patch by Pablo Galindo
- gh-110237: Fix missing error checks for calls to PyList_Append
in _PyEval_MatchClass.
- gh-109216: Fix possible memory leak in BUILD_MAP.
- Library
- gh-112618: Fix a caching bug relating to typing.Annotated.
Annotated[str, True] is no longer identical to Annotated[str,
1].
- gh-112509: Fix edge cases that could cause a key to be present
in both the __required_keys__ and __optional_keys__ attributes
of a typing.TypedDict. Patch by Jelle Zijlstra.
- gh-94722: Fix bug where comparison between instances of DocTest
fails if one of them has None as its lineno.
- gh-112105: Make readline.set_completer_delims() work with
libedit
- gh-111942: Fix SystemError in the TextIOWrapper constructor with
non-encodable “errors” argument in non-debug mode.
- gh-109538: Issue warning message instead of having RuntimeError
be displayed when event loop has already been closed at
StreamWriter.__del__().
- gh-111942: Fix crashes in io.TextIOWrapper.reconfigure() when
pass invalid arguments, e.g. non-string encoding.
- gh-111804: Remove posix.fallocate() under WASI as the underlying
posix_fallocate() is not available in WASI preview2.
- gh-111841: Fix truncating arguments on an embedded null
character in os.putenv() and os.unsetenv() on Windows.
- gh-111541: Fix doctest for SyntaxError not-builtin subclasses.
- gh-110894: Call loop exception handler for exceptions in
client_connected_cb of asyncio.start_server() so that
applications can handle it. Patch by Kumar Aditya.
- gh-111531: Fix reference leaks in bind_class() and bind_all()
methods of tkinter widgets.
- gh-111356: Added io.text_encoding(), io.DEFAULT_BUFFER_SIZE, and
io.IncrementalNewlineDecoder to io.__all__.
- gh-68166: Remove mention of not supported “vsapi” element type
in tkinter.ttk.Style.element_create(). Add tests for
element_create() and other ttk.Style methods. Add examples for
element_create() in the documentation.
- gh-111251: Fix _blake2 not checking for errors when
initializing.
- gh-111174: Fix crash in io.BytesIO.getbuffer() called repeatedly
for empty BytesIO.
- gh-111187: Postpone removal version for
locale.getdefaultlocale() to Python 3.15.
- gh-111159: Fix doctest output comparison for exceptions with
notes.
- gh-110910: Fix invalid state handling in asyncio.TaskGroup and
asyncio.Timeout. They now raise proper RuntimeError if they are
improperly used and are left in consistent state after this.
- gh-111092: Make turtledemo run without default root enabled.
- gh-110590: Fix a bug in _sre.compile() where TypeError would be
overwritten by OverflowError when the code argument was a list
of non-ints.
- gh-65052: Prevent pdb from crashing when trying to display
undisplayable objects
- gh-110519: Deprecation warning about non-integer number in
gettext now alwais refers to the line in the user code where
gettext function or method is used. Previously it could refer to
a line in gettext code.
- gh-110378: contextmanager() and asynccontextmanager() context
managers now close an invalid underlying generator object that
yields more then one value.
- gh-110365: Fix termios.tcsetattr() bug that was overwritting
existing errors during parsing integers from term list.
- gh-110196: Add __reduce__ method to IPv6Address in order to keep
scope_id
- gh-109747: Improve errors for unsupported look-behind patterns.
Now re.error is raised instead of OverflowError or RuntimeError
for too large width of look-behind pattern.
- gh-109786: Fix possible reference leaks and crash when re-enter
the __next__() method of itertools.pairwise.
- gh-108791: Improved error handling in pdb command line
interface, making it produce more concise error messages.
- gh-73561: Omit the interface scope from an IPv6 address when
used as Host header by http.client.
- gh-86826: zipinfo now supports the full range of values in the
TZ string determined by RFC 8536 and detects all invalid
formats. Both Python and C implementations now raise exceptions
of the same type on invalid data.
- bpo-41422: Fixed memory leaks of pickle.Pickler and
pickle.Unpickler involving cyclic references via the internal
memo mapping.
- bpo-40262: The ssl.SSLSocket.recv_into() method no longer
requires the buffer argument to implement __len__ and supports
buffers with arbitrary item size.
- bpo-35191: Fix unexpected integer truncation in
socket.setblocking() which caused it to interpret multiples of
2**32 as False.
- Documentation
- gh-108826: dis module command-line interface is now mentioned in
documentation.
- Tests
- gh-110367: Make regrtest --verbose3 option compatible with
--huntrleaks -jN options. The ./python -m test -j1 -R 3:3
--verbose3 command now works as expected. Patch by Victor
Stinner.
- gh-111309: distutils tests can now be run via unittest.
- gh-111165: Remove no longer used functions run_unittest() and
run_doctest() and class BasicTestRunner from the test.support
module.
- gh-110932: Fix regrtest if the SOURCE_DATE_EPOCH environment
variable is defined: use the variable value as the random seed.
Patch by Victor Stinner.
- gh-110995: test_gdb: Fix detection of gdb built without Python
scripting support. Patch by Victor Stinner.
- gh-110918: Test case matching patterns specified by options
--match, --ignore, --matchfile and --ignorefile are now tested
in the order of specification, and the last match determines
whether the test case be run or ignored.
- gh-110647: Fix test_stress_modifying_handlers() of test_signal.
Patch by Victor Stinner.
- gh-103053: Fix test_tools.test_freeze on FreeBSD: run “make
distclean” instead of “make clean” in the copied source
directory to remove also the “python” program. Patch by Victor
Stinner.
- gh-110167: Fix a deadlock in test_socket when server fails with
a timeout but the client is still running in its thread. Don’t
hold a lock to call cleanup functions in doCleanups(). One of
the cleanup function waits until the client completes, whereas
the client could deadlock if it called addCleanup() in such
situation. Patch by Victor Stinner.
- gh-110388: Add tests for tty.
- gh-81002: Add tests for termios.
- gh-110267: Add tests for pickling and copying PyStructSequence
objects. Patched by Xuehai Pan.
- gh-109974: Fix race conditions in test_threading lock tests.
Wait until a condition is met rather than using time.sleep()
with a hardcoded number of seconds. Patch by Victor Stinner.
- gh-109972: Split test_gdb.py file into a test_gdb package made
of multiple tests, so tests can now be run in parallel. Patch by
Victor Stinner.
- gh-104736: Fix test_gdb on Python built with LLVM clang 16 on
Linux ppc64le (ex: Fedora 38). Search patterns in gdb “bt”
command output to detect when gdb fails to retrieve the
traceback. For example, skip a test if Backtrace stopped: frame
did not save the PC is found. Patch by Victor Stinner.
- gh-108927: Fixed order dependence in running tests in the same
process when a test that has submodules (e.g. test_importlib)
follows a test that imports its submodule (e.g.
test_importlib.util) and precedes a test (e.g. test_unittest or
test_compileall) that uses that submodule.
- Build
- gh-103053: “make check-clean-src” now also checks if the
“python” program is found in the source directory: fail with an
error if it does exist. Patch by Victor Stinner.
- gh-109191: Fix compile error when building with recent versions
of libedit.
- IDLE
- bpo-35668: Add docstrings to the IDLE debugger module. Fix two
bugs: initialize Idb.botframe (should be in Bdb); in
Idb.in_rpc_code, check whether prev_frame is None before trying
to use it. Greatly expand test_debugger.
- C API
- gh-112438: Fix support of format units “es”, “et”, “es#”, and
“et#” in nested tuples in PyArg_ParseTuple()-like functions.
- gh-109521: PyImport_GetImporter() now sets RuntimeError if it
fails to get sys.path_hooks or sys.path_importer_cache or they
are not list and dict correspondingly. Previously it could
return NULL without setting error in obscure cases, crash or
raise SystemError if these attributes have wrong type.
OBS-URL: https://build.opensuse.org/request/show/1133399
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=89
- Remove not needed patch 103213-fetch-CONFIG_ARGS.patch
- Refresh patches:
- bpo-31046_ensurepip_honours_prefix.patch
- fix_configure_rst.patch
- Update to 3.11.6:
- Core and Builtins
- gh-109351: Fix crash when compiling an invalid AST involving a
named (walrus) expression.
- gh-109207: Fix a SystemError in __repr__ of symtable entry
object.
- gh-109179: Fix bug where the C traceback display drops notes
from SyntaxError.
- gh-88943: Improve syntax error for non-ASCII character that
follows a numerical literal. It now points on the invalid
non-ASCII character, not on the valid numerical literal.
- gh-108959: Fix caret placement for error locations for subscript
and binary operations that involve non-semantic parentheses and
spaces. Patch by Pablo Galindo
- gh-108520: Fix
multiprocessing.synchronize.SemLock.__setstate__() to properly
initialize multiprocessing.synchronize.SemLock._is_fork_ctx.
This fixes a regression when passing a SemLock accross nested
processes.
- Rename multiprocessing.synchronize.SemLock.is_fork_ctx to
multiprocessing.synchronize.SemLock._is_fork_ctx to avoid
exposing it as public API.
- Library
- gh-110036: On Windows, multiprocessing Popen.terminate() now
catchs PermissionError and get the process exit code. If the
process is still running, raise again the PermissionError.
OBS-URL: https://build.opensuse.org/request/show/1126597
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=87
- Security
- gh-108310: Fixed an issue where instances of ssl.SSLSocket were
vulnerable to a bypass of the TLS handshake and included
protections (like certificate verification) and treating sent
unencrypted data as if it were post-handshake TLS encrypted data.
Security issue reported as CVE-2023-40217 by Aapo Oksman. Patch by
Gregory P. Smith.
- Core and Builtins
- gh-104432: Fix potential unaligned memory access on C APIs
involving returned sequences of char * pointers within the grp
and socket modules. These were revealed using a
-fsaniziter=alignment build on ARM macOS. Patch by Christopher
Chavez.
- gh-77377: Ensure that multiprocessing synchronization objects
created in a fork context are not sent to a different process
created in a spawn context. This changes a segfault into an
actionable RuntimeError in the parent process.
- gh-106092: Fix a segmentation fault caused by a use-after-free
bug in frame_dealloc when the trashcan delays the deallocation
of a PyFrameObject.
- gh-106719: No longer suppress arbitrary errors in the
__annotations__ getter and setter in the type and module types.
- gh-106723: Propagate frozen_modules to multiprocessing spawned
process interpreters.
- gh-105979: Fix crash in _imp.get_frozen_object() due to improper
exception handling.
- gh-105840: Fix possible crashes when specializing function calls
with too many __defaults__.
- gh-105588: Fix an issue that could result in crashes when
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=83
partially reverting CVE-2023-27043-email-parsing-errors.patch,
because of the regression in gh#python/cpython#106669.
- (bsc#1210638, CVE-2023-27043) Add
CVE-2023-27043-email-parsing-errors.patch, which detects email
address parsing errors and returns empty tuple to indicate the
parsing error (old API). (The patch is faulty,
gh#python/cpython#106669, but upstream decided not to just
revert it).
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=77
- gh-103142: The version of OpenSSL used in Windows and
Mac installers has been upgraded to 1.1.1u to address
CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464,
as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303
fixed previously in 1.1.1t (gh-101727).
- gh-102153: urllib.parse.urlsplit() now strips leading C0
control and space characters following the specification for
URLs defined by WHATWG in response to CVE-2023-24329
(bsc#1208471).
- gh-99889: Fixed a security in flaw in uu.decode() that could
allow for directory traversal based on the input if no
out_file was specified.
- gh-104049: Do not expose the local on-disk
location in directory indexes produced by
http.client.SimpleHTTPRequestHandler.
- gh-103935: trace.__main__ now uses io.open_code() for files
to be executed instead of raw open().
- gh-102953: The extraction methods in tarfile, and
shutil.unpack_archive(), have a new filter argument that
allows limiting tar features than may be surprising or
dangerous, such as creating files outside the destination
directory. See Extraction filters for details (fixing
CVE-2007-4559, bsc#1203750).
- Remove upstreamed patches:
- CVE-2007-4559-filter-tarfile_extractall.patch
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=71
- Security
- gh-101727: Updated the OpenSSL version used in Windows
and macOS binary release builds to 1.1.1t to address
CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303 per the
OpenSSL 2023-02-07 security advisory.
- gh-101283: subprocess.Popen now uses a safer approach to
find cmd.exe when launching with shell=True. Patch by Eryk
Sun, based on a patch by Oleg Iarygin.
- Core and Builtins
- gh-101975: Fixed stacktop value on tracing entries to avoid
corruption on garbage collection.
- gh-102701: Fix overflow when creating very large dict.
- gh-102416: Do not memoize incorrectly automatically
generated loop rules in the parser. Patch by Pablo Galindo.
- gh-102356: Fix a bug that caused a crash when deallocating
deeply nested filter objects. Patch by Marta Gómez Macías.
- gh-102397: Fix segfault from race condition in signal
handling during garbage collection. Patch by Kumar Aditya.
- gh-102281: Fix potential nullptr dereference and use of
uninitialized memory in fileutils. Patch by Max Bachmann.
- gh-102126: Fix deadlock at shutdown when clearing thread
states if any finalizer tries to acquire the runtime head
lock. Patch by Kumar Aditya.
- gh-102027: Fix SSE2 and SSE3 detection in _blake2 internal
module. Patch by Max Bachmann.
- gh-101967: Fix possible segfault in
positional_only_passed_as_keyword function, when new list
created.
- gh-101765: Fix SystemError / segmentation fault in iter
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=57
- python -m http.server no longer allows terminal control
characters sent within a garbage request to be printed
to the stderr server lo This is done by changing the
http.server BaseHTTPRequestHandler .log_message method to
replace control characters with a \xHH hex escape before
printin
- Avoid publishing list of active per-interpreter audit hooks
via the gc module
- The IDNA codec decoder used on DNS hostnames by socket or
asyncio related name resolution functions no longer involves
a quadratic algorithm. This prevents a potential CPU denial
of service if an out-of-spec excessive length hostname
involving bidirectional characters were decoded. Some
protocols such as urllib http 3xx redirects potentially allow
for an attacker to supply such a name (CVE-2022-45061).
- Update bundled libexpat to 2.5.0
- Fix a shell code injection vulnerability in the
get-remote-certificate.py example script. The script no
longer uses a shell to run openssl commands. Issue reported
and initial fix by Caleb Shortt. Patch by Victor Stinner.
- Fix a crash when an object which does not have a dictionary
frees its instance values.
- Fix a bug in the tokenizer that could cause infinite
recursion when showing syntax warnings that happen in the
first line of the source. Patch by Pablo Galindo
- Fix an issue that could cause frames to be visible to Python
code as they are being torn down, possibly leading to memory
corruption or hard crashes of the interpreter.
- Fix a reference bug in _imp.create_builtin() after the
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=40
- Update to 3.11.0 (overall changes from 3.10.*):
- General changes
- PEP 657 -- Include Fine-Grained Error Locations in
Tracebacks
- PEP 654 -- Exception Groups and except*
- PEP 680 -- tomllib: Support for Parsing TOML in the
Standard Library
- gh-90908 -- Introduce task groups to asyncio
- gh-34627 -- Atomic grouping ((?>...)) and possessive
quantifiers (*+, ++, ?+, {m,n}+) are now supported in
regular expressions.
- The Faster CPython Project is already yielding some
exciting results. Python 3.11 is up to 10-60% faster than
Python 3.10. On average, we measured a 1.22x speedup on the
standard benchmark suite. See Faster CPython for details.
- Typing and typing language changes
- PEP 673 -- Self Type
- PEP 646 -- Variadic Generics
- PEP 675 -- Arbitrary Literal String Type
- PEP 655 -- Marking individual TypedDict items as required
or potentially-missing
- PEP 681 -- Data Class Transforms
- (just changes from 3.11.0rc2):
- Fix multiplying a list by an integer (list *= int): detect
the integer overflow when the new allocated length is close
to the maximum size. Issue reported by Jordan Limor. Patch by
Victor Stinner.
- On Linux the multiprocessing module returns to using
filesystem backed unix domain sockets for communication
with the forkserver process instead of the Linux abstract
OBS-URL: https://build.opensuse.org/request/show/1031401
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=34
- Converting between int and str in bases other than 2
(binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base
10 (decimal) now raises a ValueError if the number of digits
in string form is above a limit to avoid potential denial of
service attacks due to the algorithmic complexity. This is
a mitigation for CVE-2020-10735.
This new limit can be configured or disabled by environment
variable, command line flag, or sys APIs. See the integer
string conversion length limitation documentation. The
default limit is 4300 digits in string form.
- Fix case of undefined behavior in ceval.c
- Do not expose KeyWrapper in _functools.
- Ensure that tracing, sys.setrace(), is turned on
immediately. In pre-release versions of 3.11, some tracing
events might have been lost when turning on tracing in a
__del__ method or interrupt.
- Fix use after free in trace refs build mode. Patch by Kumar
Aditya.
- When loading a file with invalid UTF-8 inside a multi-line
string, a correct SyntaxError is emitted.
- Make sure that incomplete frames do not show up in
tracemalloc traces.
- Remove two cases of undefined behavior, by adding NULL
checks.
- Fix possible NULL pointer dereference in
_PyThread_CurrentFrames. Patch by Kumar Aditya.
- Fix AttributeError missing name and obj attributes in
object.__getattribute__(). Patch by Philip Georgi.
- Loading a file with invalid UTF-8 will now report the broken
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=32
- Core and Builtins
- Update code object hashing and equality to consider all
debugging and exception handling tables. This fixes an
issue where certain non-identical code objects could be
“deduplicated” during compilation.
- _PyPegen_Parser_New now properly detects token memory
allocation errors. Patch by Honglin Zhu.
- Run Python code in tracer/profiler function at full
speed. Fixes slowdown in earlier versions of 3.11.
- Emit a warning in debug mode if an object does not call
PyObject_GC_UnTrack() before deallocation. Patch by Pablo
Galindo.
- Prevented crashes in the AST constructor when
compiling some absurdly long expressions like
"+0"*1000000. RecursionError is now raised instead. Patch
by Pablo Galindo
- ast.AST node positions are now validated when provided to
compile() and other related functions. If invalid positions
are detected, a ValueError will be raised.
- Fix error detection in some builtin functions when keyword
argument name is an instance of a str subclass with
overloaded __eq__ and __hash__. Previously it could cause
SystemError or other undesired behavior.
- Library
- Update bundled pip to 22.2.2.
- Fix asyncio.TaskGroup to propagate exception when
asyncio.CancelledError was replaced with another exception
by a context manger. Patch by Kumar Aditya and Guido van
Rossum.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=27
- Core and Builtins
- gh-93351: ast.AST node positions are now validated when
provided to compile() and other related functions. If
invalid positions are detected, a ValueError will be
raised.
- gh-94438: Fix an issue that caused extended opcode
arguments and some conditional pops to be ignored when
calculating valid jump targets for assignments to the
f_lineno attribute of frame objects. In some cases, this
could cause inconsistent internal state, resulting in a
hard crash of the interpreter.
- gh-95060: Undocumented PyCode_Addr2Location function now
properly returns when addrq argument is less than zero.
- gh-95113: Replace all EXTENDED_ARG_QUICK instructions
with basic EXTENDED_ARG instructions in unquickened
code. Consumers of non-adaptive bytecode should be able to
handle extended arguments the same way they were handled in
CPython 3.10 and older.
- gh-91409: Fix incorrect source location info caused by
certain optimizations in the bytecode compiler.
- gh-94036: Fix incorrect source location info for some
multi-line attribute accesses and method calls.
- gh-94739: Allow jumping within, out of, and across
exception handlers in the debugger.
- gh-94949: ast.parse() will no longer parse parenthesized
context managers when passed feature_version less than (3,
9). Patch by Shantanu Jain.
- gh-94947: ast.parse() will no longer parse assignment
expressions when passed feature_version less than (3,
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=25
- Fixes many bugs and adds following more significant changes
- Security
- gh-68966: The deprecated mailcap module now refuses to inject
Coreunsafe text (filenames, MIME types, parameters) into
shell Corecommands. Instead of using such text, it will
warn and act Coreas if a match was not found (or for test
commands, as if the Coretest failed). and Builtins
- gh-93516: Lazily create a table mapping bytecode offsets to
line numbers to speed up calculation of line numbers when
tracing.
- gh-93461: importlib.invalidate_caches() now drops entries
from sys.path_importer_cache with a relative path as
name. This solves a caching issue when a process changes its
current working directory.
- FileFinder no longer inserts a dot in the path, e.g.
/egg/./spam is now /egg/spam.
Library
- gh-93896: Fix asyncio.run() and
unittest.IsolatedAsyncioTestCase to always the set event loop
as it was done in Python 3.10 and earlier. Patch by Kumar
Aditya.
- gh-94101: Manual instantiation of ssl.SSLSession objects is
no longer allowed as it lead to misconfigured instances that
crashed the interpreter when attributes where accessed on
them.
- gh-83658: Make multiprocessing.Pool raise an exception if
maxtasksperchild is not None or a positive int.
- gh-61162: Clarify sqlite3 behavior when Using the connection
as a context manager.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=20
