- Update to 3.12.7:
- Tests
- gh-124378: Updated test_ttk to pass with Tcl/Tk 8.6.15.
- Security
- gh-122792: Changed IPv4-mapped ipaddress.IPv6Address to
consistently use the mapped IPv4 address value for deciding
properties. Properties which have their behavior fixed are
is_multicast, is_reserved, is_link_local, is_global, and
is_unspecified.
- Library
- gh-116850: Fix argparse for namespaces with not directly
writable dict (e.g. classes).
- gh-58573: Fix conflicts between abbreviated long options in
the parent parser and subparsers in argparse.
- gh-61181: Fix support of choices with string value in
argparse. Substrings of the specified string no longer
considered valid values.
- gh-80259: Fix argparse support of positional arguments with
nargs='?', default=argparse.SUPPRESS and specified type.
- gh-124498: Fix typing.TypeAliasType not to be generic, when
type_params is an empty tuple.
- gh-124345: argparse vim supports abbreviated single-dash
long options separated by = from its value.
- gh-104860: Fix disallowing abbreviation of single-dash long
options in argparse with allow_abbrev=False.
- gh-63143: Fix parsing mutually exclusive arguments in
argparse. Arguments with the value identical to the default
value (e.g. booleans, small integers, empty or 1-character
strings) are no longer considered “not present”.
- gh-72795: Positional arguments with nargs equal to '*' or
OBS-URL: https://build.opensuse.org/request/show/1205549
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python312?expand=0&rev=22
- Tests
- gh-124378: Updated test_ttk to pass with Tcl/Tk 8.6.15.
- Security
- gh-122792: Changed IPv4-mapped ipaddress.IPv6Address to
consistently use the mapped IPv4 address value for deciding
properties. Properties which have their behavior fixed are
is_multicast, is_reserved, is_link_local, is_global, and
is_unspecified.
- Library
- gh-116850: Fix argparse for namespaces with not directly
writable dict (e.g. classes).
- gh-58573: Fix conflicts between abbreviated long options in
the parent parser and subparsers in argparse.
- gh-61181: Fix support of choices with string value in
argparse. Substrings of the specified string no longer
considered valid values.
- gh-80259: Fix argparse support of positional arguments with
nargs='?', default=argparse.SUPPRESS and specified type.
- gh-124498: Fix typing.TypeAliasType not to be generic, when
type_params is an empty tuple.
- gh-124345: argparse vim supports abbreviated single-dash
long options separated by = from its value.
- gh-104860: Fix disallowing abbreviation of single-dash long
options in argparse with allow_abbrev=False.
- gh-63143: Fix parsing mutually exclusive arguments in
argparse. Arguments with the value identical to the default
value (e.g. booleans, small integers, empty or 1-character
strings) are no longer considered “not present”.
- gh-72795: Positional arguments with nargs equal to '*' or
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python312?expand=0&rev=71
- Add doc-py38-to-py36.patch making building documentation
compatible with Python 3.6, which runs Sphinx on SLE.
- Update to 3.12.6:
- Tests
- gh-101525: Skip test_gdb if the binary is relocated by
BOLT. Patch by Donghee Na.
- Security
- gh-123678: Upgrade libexpat to 2.6.3
- gh-121285: Remove backtracking from tarfile header parsing
for hdrcharset, PAX, and GNU sparse headers (bsc#1230227,
CVE-2024-6232).
- Library
- gh-123270: Applied a more surgical fix for malformed
payloads in zipfile.Path causing infinite loops (gh-122905)
without breaking contents using legitimate characters
(bsc#1229704, CVE-2024-8088).
- gh-123213: xml.etree.ElementTree.Element.extend() and
Element assignment no longer hide the internal exception if
an erronous generator is passed. Patch by Bar Harel.
- gh-85110: Preserve relative path in URL without netloc in
urllib.parse.urlunsplit() and urllib.parse.urlunparse().
- gh-123067: Fix quadratic complexity in parsing "-quoted
cookie values with backslashes by http.cookies
(bsc#1229596, CVE-2024-7592)
- gh-122903: zipfile.Path.glob now correctly matches
directories instead of silently omitting them.
- gh-122905: zipfile.Path objects now sanitize names from the
zipfile.
- gh-122695: Fixed double-free when using gc.get_referents()
with a freed asyncio.Future iterator.
- gh-116263: logging.handlers.RotatingFileHandler no longer
rolls over empty log files.
- gh-118814: Fix the typing.TypeVar constructor when name is
passed by keyword.
- gh-122478: Remove internal frames from tracebacks
shown in code.InteractiveInterpreter with non-default
sys.excepthook(). Save correct tracebacks in
sys.last_traceback and update __traceback__ attribute of
sys.last_value and sys.last_exc.
- gh-113785: csv now correctly parses numeric fields (when
used with csv.QUOTE_NONNUMERIC) which start with an escape
character.
- gh-112182: asyncio.futures.Future.set_exception() now
transforms StopIteration into RuntimeError instead of
hanging or other misbehavior. Patch contributed by Jamie
Phan.
- gh-108172: webbrowser honors OS preferred browser on Linux
when its desktop entry name contains the text of a known
browser name.
- gh-102988: email.utils.getaddresses() and
email.utils.parseaddr() now return ('', '') 2-tuples
in more situations where invalid email addresses are
encountered instead of potentially inaccurate values. Add
optional strict parameter to these two functions: use
strict=False to get the old behavior, accept malformed
inputs. getattr(email.utils, 'supports_strict_parsing',
False) can be use to check if the strict paramater is
available. Patch by Thomas Dwyer and Victor Stinner to
improve the CVE-2023-27043 fix.
- gh-99437: runpy.run_path() now decodes path-like objects,
making sure __file__ and sys.argv[0] of the module being
run are always strings.
- IDLE
- gh-120083: Add explicit black IDLE Hovertip foreground
color needed for recent macOS. Fixes Sonoma showing
unreadable white on pale yellow. Patch by John Riggles.
- Core and Builtins
- gh-123321: Prevent Parser/myreadline race condition from
segfaulting on multi-threaded use. Patch by Bar Harel and
Amit Wienner.
- gh-122982: Extend the deprecation period for bool inversion
(~) by two years.
- gh-123229: Fix valgrind warning by initializing the
f-string buffers to 0 in the tokenizer. Patch by Pablo
Galindo
- gh-123142: Fix too-wide source location in exception
tracebacks coming from broken iterables in comprehensions.
- gh-123048: Fix a bug where pattern matching code could emit
a JUMP_FORWARD with no source location.
- gh-123083: Fix a potential use-after-free in
STORE_ATTR_WITH_HINT.
- gh-122527: Fix a crash that occurred when a
PyStructSequence was deallocated after its type’s
dictionary was cleared by the GC. The type’s tp_basicsize
now accounts for non-sequence fields that aren’t included
in the Py_SIZE of the sequence.
- gh-93691: Fix source locations of instructions generated
for with statements.
- Build
- gh-123297: Propagate the value of LDFLAGS to LDCXXSHARED in
sysconfig. Patch by Pablo Galindo
- Remove upstreamed patches:
- CVE-2023-27043-email-parsing-errors.patch
- CVE-2024-8088-inf-loop-zipfile_Path.patch
- CVE-2023-6597-TempDir-cleaning-symlink.patch
- gh120226-fix-sendfile-test-kernel-610.patch
- Add gh120226-fix-sendfile-test-kernel-610.patch to avoid
failing test_sendfile_close_peer_in_the_middle_of_receiving
tests on Linux >= 6.10 (GH-120227).
OBS-URL: https://build.opensuse.org/request/show/1200888
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python312?expand=0&rev=20
- Tests
- gh-101525: Skip test_gdb if the binary is relocated by
BOLT. Patch by Donghee Na.
- Security
- gh-123678: Upgrade libexpat to 2.6.3
- gh-121285: Remove backtracking from tarfile header parsing
for hdrcharset, PAX, and GNU sparse headers (bsc#1230227,
CVE-2024-6232).
- Library
- gh-123270: Applied a more surgical fix for malformed
payloads in zipfile.Path causing infinite loops (gh-122905)
without breaking contents using legitimate characters
(bsc#1229704, CVE-2024-8088).
- gh-123213: xml.etree.ElementTree.Element.extend() and
Element assignment no longer hide the internal exception if
an erronous generator is passed. Patch by Bar Harel.
- gh-85110: Preserve relative path in URL without netloc in
urllib.parse.urlunsplit() and urllib.parse.urlunparse().
- gh-123067: Fix quadratic complexity in parsing "-quoted
cookie values with backslashes by http.cookies
(bsc#1229596, CVE-2024-7592)
- gh-122903: zipfile.Path.glob now correctly matches
directories instead of silently omitting them.
- gh-122905: zipfile.Path objects now sanitize names from the
zipfile.
- gh-122695: Fixed double-free when using gc.get_referents()
with a freed asyncio.Future iterator.
- gh-116263: logging.handlers.RotatingFileHandler no longer
rolls over empty log files.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python312?expand=0&rev=66
- Update to 3.12.5:
- Tests
- gh-59022: Add tests for pkgutil.extend_path(). Patch by
Andreas Stocker.
- gh-99242: os.getloadavg() may throw OSError when
running regression tests under certain conditions (e.g.
chroot). This error is now caught and ignored, since
reporting load average is optional.
- gh-121084: Fix test_typing random leaks. Clear typing ABC
caches when running tests for refleaks (-R option): call
_abc_caches_clear() on typing abstract classes and their
subclasses. Patch by Victor Stinner.
- gh-121160: Add a test for
readline.set_history_length(). Note that this test may fail
on readline libraries.
- gh-121200: Fix test_expanduser_pwd2() of
test_posixpath. Call getpwnam() to get pw_dir, since it
can be different than getpwall() pw_dir. Patch by Victor
Stinner.
- gh-121188: When creating the JUnit XML file, regrtest
now escapes characters which are invalid in XML, such
as the chr(27) control character used in ANSI escape
sequences. Patch by Victor Stinner.
- Security
- gh-121957: Fixed missing audit events around interactive
use of Python, now also properly firing for python -i, as
well as for python -m asyncio. The event in question is
cpython.run_stdin.
- gh-122133: Authenticate the socket connection for the
socket.socketpair() fallback on platforms where AF_UNIX is
OBS-URL: https://build.opensuse.org/request/show/1192365
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python312?expand=0&rev=18
- Tests
- gh-59022: Add tests for pkgutil.extend_path(). Patch by
Andreas Stocker.
- gh-99242: os.getloadavg() may throw OSError when
running regression tests under certain conditions (e.g.
chroot). This error is now caught and ignored, since
reporting load average is optional.
- gh-121084: Fix test_typing random leaks. Clear typing ABC
caches when running tests for refleaks (-R option): call
_abc_caches_clear() on typing abstract classes and their
subclasses. Patch by Victor Stinner.
- gh-121160: Add a test for
readline.set_history_length(). Note that this test may fail
on readline libraries.
- gh-121200: Fix test_expanduser_pwd2() of
test_posixpath. Call getpwnam() to get pw_dir, since it
can be different than getpwall() pw_dir. Patch by Victor
Stinner.
- gh-121188: When creating the JUnit XML file, regrtest
now escapes characters which are invalid in XML, such
as the chr(27) control character used in ANSI escape
sequences. Patch by Victor Stinner.
- Security
- gh-121957: Fixed missing audit events around interactive
use of Python, now also properly firing for python -i, as
well as for python -m asyncio. The event in question is
cpython.run_stdin.
- gh-122133: Authenticate the socket connection for the
socket.socketpair() fallback on platforms where AF_UNIX is
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python312?expand=0&rev=60
- Security
- gh-118486: os.mkdir() on Windows now accepts mode of 0o700
to restrict the new directory to the current user. This
fixes CVE-2024-4030 affecting tempfile.mkdtemp() in
scenarios where the base temporary directory is more
permissive than the default.
- gh-116741: Update bundled libexpat to 2.6.2
- gh-117233: Detect BLAKE2, SHA3, Shake, & truncated SHA512
support in the OpenSSL-ish libcrypto library at build
time. This allows hashlib to be used with libraries that do
not to support every algorithm that upstream OpenSSL does.
- Core and Builtins
- gh-119821: Fix execution of annotation scopes within
classes when globals is set to a non-dict. Patch by Jelle
Zijlstra.
- gh-118263: Speed up os.path.normpath() with a direct C
call.
- gh-119311: Fix bug where names are unexpectedly mangled in
the bases of generic classes.
- gh-119395: Fix bug where names appearing after a generic
class are mangled as if they are in the generic class.
- gh-118507: Fix os.path.isfile() on Windows for pipes.
- gh-119213: Non-builtin modules built with argument clinic
were crashing if used in a subinterpreter before the main
interpreter. The objects that were causing the problem by
leaking between interpreters carelessly have been fixed.
- gh-119011: Fixes type.__type_params__ to return an empty
tuple instead of a descriptor.
- gh-118997: Fix _Py_ClearImmortal() assertion: use
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python312?expand=0&rev=47
- Security¶
- gh-115398: Allow controlling Expat >=2.6.0 reparse deferral
(CVE-2023-52425, bsc#1219559) by adding five new methods:
xml.etree.ElementTree.XMLParser.flush()
xml.etree.ElementTree.XMLPullParser.flush()
xml.parsers.expat.xmlparser.GetReparseDeferralEnabled()
xml.parsers.expat.xmlparser.SetReparseDeferralEnabled()
xml.sax.expatreader.ExpatParser.flush()
- gh-115399: Update bundled libexpat to 2.6.0 (bsc#1222075)
- gh-115243: Fix possible crashes in
collections.deque.index() when the deque is concurrently
modified.
- gh-114572: ssl.SSLContext.cert_store_stats() and
ssl.SSLContext.get_ca_certs() now correctly lock access to
the certificate store, when the ssl.SSLContext is shared
across multiple threads.
- Core and Builtins
- gh-109120: Added handle of incorrect star expressions, e.g
f(3, *). Patch by Grigoryev Semyon
- gh-99108: Updated the hashlib built-in HACL* project C code
from upstream that we use for many implementations when
they are not present via OpenSSL in a given build. This
also avoids the rare potential for a C symbol name one
definition rule linking issue.
- gh-116735: For INSTRUMENTED_CALL_FUNCTION_EX, set arg0 to
sys.monitoring.MISSING instead of None for CALL event.
- gh-113964: Starting new threads and process creation
through os.fork() are now only prevented once all
non-daemon threads exit.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python312?expand=0&rev=43
CVE-2023-27043-email-parsing-errors.patch, which rejects
malformed addresses in email.parseaddr() (gh#python/cpython!111116)
Detect email address parsing errors and return empty tuple to
indicate the parsing error (old API). Add an optional 'strict'
parameter to getaddresses() and parseaddr() functions. Patch by
Thomas Dwyer.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python312?expand=0&rev=33
