- Tools/Demos
- gh-139330: SBOM generation tool didn’t cross-check the version
and checksum values against the Modules/expat/refresh.sh script,
leading to the values becoming out-of-date during routine
updates.
- Security
- gh-139700: Check consistency of the zip64 end of central
directory record. Support records with “zip64 extensible data”
if there are no bytes prepended to the ZIP file.
- gh-139400: xml.parsers.expat: Make sure that parent Expat
parsers are only garbage-collected once they are no longer
referenced by subparsers created by
ExternalEntityParserCreate(). Patch by Sebastian Pipping.
- gh-135661: Fix parsing start and end tags in
html.parser.HTMLParser according to the HTML5 standard.
* Whitespaces no longer accepted between </ and the tag name.
E.g. </ script> does not end the script section.
* Vertical tabulation (\v) and non-ASCII whitespaces no longer
recognized as whitespaces. The only whitespaces are \t\n\r\f
and space.
* Null character (U+0000) no longer ends the tag name.
* Attributes and slashes after the tag name in end tags are now
ignored, instead of terminating after the first > in quoted
attribute value. E.g. </script/foo=">"/>.
* Multiple slashes and whitespaces between the last attribute
and closing > are now ignored in both start and end tags. E.g.
<a foo=bar/ //>.
* Multiple = between attribute name and value are no longer
collapsed. E.g. <a foo==bar> produces attribute “foo” with
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python312?expand=0&rev=162
- Add gh139257-Support-docutils-0.22.patch to fix build with latest
docutils (>=0.22) gh#python/cpython#139257
- Drop AppStream: this results in a different cycle than
appstream-glib. As the appdata.xml is controlled by ourselves, we
can get away with just manually validating it when changing it.
- Require AppStream to validate appdata file instead of deprecated
appstream-glib.
- Update idle3.appdata.xml to pass the more pedantic appstreamcli.
OBS-URL: https://build.opensuse.org/request/show/1308661
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python312?expand=0&rev=38
DEPENDS ON SR#1294511, THEY HAVE TO GO TOGETHER!!!
- Add CVE-2025-6069-quad-complex-HTMLParser.patch to avoid worst
case quadratic complexity when processing certain crafted
malformed inputs with HTMLParser (CVE-2025-6069, bsc#1244705).
- Add bsc1243155-sphinx-non-determinism.patch (bsc#1243155) to
generate ids for audit_events using docname (reproducible
builds).
- Use one core to build doc. This will make sphinx doc build
reproducible.
bsc#1243155
- Add CVE-2025-6069-quad-complex-HTMLParser.patch to avoid worst
case quadratic complexity when processing certain crafted
malformed inputs with HTMLParser (CVE-2025-6069, bsc#1244705).
- Add bsc1243155-sphinx-non-determinism.patch (bsc#1243155) to
generate ids for audit_events using docname (reproducible
builds).
- Use one core to build doc. This will make sphinx doc build
reproducible.
bsc#1243155
OBS-URL: https://build.opensuse.org/request/show/1294513
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python312?expand=0&rev=36
- Update to 3.12.11:
- Security
- gh-135034: Fixes multiple issues that allowed tarfile
extraction filters (filter="data" and filter="tar") to be
bypassed using crafted symlinks and hard links.
Addresses CVE-2024-12718 (bsc#1244056), CVE-2025-4138
(bsc#1244059), CVE-2025-4330 (bsc#1244060), and
CVE-2025-4517 (bsc#1244032).
- gh-133767: Fix use-after-free in the “unicode-escape”
decoder with a non-“strict” error handler (CVE-2025-4516,
bsc#1243273).
- gh-128840: Short-circuit the processing of long IPv6
addresses early in ipaddress to prevent excessive memory
consumption and a minor denial-of-service.
- Library
- gh-128840: Fix parsing long IPv6 addresses with embedded
IPv4 address.
- gh-134062: ipaddress: fix collisions in __hash__() for
IPv4Network and IPv6Network objects.
- gh-123409: Fix ipaddress.IPv6Address.reverse_pointer output
according to RFC 3596, §2.5. Patch by Bénédikt Tran.
- bpo-43633: Improve the textual representation of
IPv4-mapped IPv6 addresses (RFC 4291 Sections 2.2, 2.5.5.2)
in ipaddress. Patch by Oleksandr Pavliuk.
- Remove upstreamed patches:
- CVE-2025-4516-DecodeError-handler.patch
- restrict PEP668 to ALP/Tumbleweed
* Support Expat >= 2.4.5
- allow build with Sphinx >= 3.x
OBS-URL: https://build.opensuse.org/request/show/1284283
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python312?expand=0&rev=34
- Security
- gh-135034: Fixes multiple issues that allowed tarfile
extraction filters (filter="data" and filter="tar") to be
bypassed using crafted symlinks and hard links.
Addresses CVE-2024-12718 (bsc#1244056), CVE-2025-4138
(bsc#1244059), CVE-2025-4330 (bsc#1244060), and
CVE-2025-4517 (bsc#1244032).
- gh-133767: Fix use-after-free in the “unicode-escape”
decoder with a non-“strict” error handler (CVE-2025-4516,
bsc#1243273).
- gh-128840: Short-circuit the processing of long IPv6
addresses early in ipaddress to prevent excessive memory
consumption and a minor denial-of-service.
- Library
- gh-128840: Fix parsing long IPv6 addresses with embedded
IPv4 address.
- gh-134062: ipaddress: fix collisions in __hash__() for
IPv4Network and IPv6Network objects.
- gh-123409: Fix ipaddress.IPv6Address.reverse_pointer output
according to RFC 3596, §2.5. Patch by Bénédikt Tran.
- bpo-43633: Improve the textual representation of
IPv4-mapped IPv6 addresses (RFC 4291 Sections 2.2, 2.5.5.2)
in ipaddress. Patch by Oleksandr Pavliuk.
- Remove upstreamed patches:
- CVE-2025-4516-DecodeError-handler.patch
- restrict PEP668 to ALP/Tumbleweed
* Support Expat >= 2.4.5
- allow build with Sphinx >= 3.x
* remove importlib_resources and importlib-metadata
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python312?expand=0&rev=147
- Update to 3.12.10:
- gh-131852: msgfmt no longer adds the POT-Creation-Date to
generated .mo files for consistency with GNU msgfmt.
- gh-85012: Correctly reset msgctxt when compiling messages in
msgfmt.
- gh-131050: test_ssl.test_dh_params is skipped if the
underlying TLS library does not support finite-field
ephemeral Diffie-Hellman.
- gh-119727: Add --single-process command line option to Python
test runner (regrtest). Patch by Victor Stinner.
- gh-131809: Update bundled libexpat to 2.7.1
- gh-131261: Upgrade to libexpat 2.7.0
- gh-127371: Avoid unbounded buffering for
tempfile.SpooledTemporaryFile.writelines(). Previously, disk
spillover was only checked after the lines iterator had been
exhausted. This is now done after each line is written.
- gh-121284: Fix bug in the folding of rfc2047 encoded-words
when flattening an email message using a modern email
policy. Previously when an encoded-word was too long for
a line, it would be decoded, split across lines, and
re-encoded. But commas and other special characters in the
original text could be left unencoded and unquoted. This
could theoretically be used to spoof header lines using a
carefully constructed encoded-word if the resulting rendered
email was transmitted or re-parsed.
- gh-116608: undeprecate functional API for importlib.resources
- gh-132075: Fix possible use of socket address structures
with uninitialized members. Now all structure members are
initialized with zeroes by default.
- gh-132002: Fix crash when deallocating contextvars.ContextVar
OBS-URL: https://build.opensuse.org/request/show/1269059
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python312?expand=0&rev=30
- gh-131852: msgfmt no longer adds the POT-Creation-Date to
generated .mo files for consistency with GNU msgfmt.
- gh-85012: Correctly reset msgctxt when compiling messages in
msgfmt.
- gh-131050: test_ssl.test_dh_params is skipped if the
underlying TLS library does not support finite-field
ephemeral Diffie-Hellman.
- gh-119727: Add --single-process command line option to Python
test runner (regrtest). Patch by Victor Stinner.
- gh-131809: Update bundled libexpat to 2.7.1
- gh-131261: Upgrade to libexpat 2.7.0
- gh-127371: Avoid unbounded buffering for
tempfile.SpooledTemporaryFile.writelines(). Previously, disk
spillover was only checked after the lines iterator had been
exhausted. This is now done after each line is written.
- gh-121284: Fix bug in the folding of rfc2047 encoded-words
when flattening an email message using a modern email
policy. Previously when an encoded-word was too long for
a line, it would be decoded, split across lines, and
re-encoded. But commas and other special characters in the
original text could be left unencoded and unquoted. This
could theoretically be used to spoof header lines using a
carefully constructed encoded-word if the resulting rendered
email was transmitted or re-parsed.
- gh-116608: undeprecate functional API for importlib.resources
- gh-132075: Fix possible use of socket address structures
with uninitialized members. Now all structure members are
initialized with zeroes by default.
- gh-132002: Fix crash when deallocating contextvars.ContextVar
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python312?expand=0&rev=108
- Update to 3.12.9:
- Tests
- gh-127906: Test the limited C API in test_cppext. Patch by
Victor Stinner.
- gh-127906: Backport test_cext from the main branch. Patch
by Victor Stinner.
- gh-127637: Add tests for the dis command-line
interface. Patch by Bénédikt Tran.
- Security
- gh-105704: When using urllib.parse.urlsplit() and
urllib.parse.urlparse() host parsing would not reject
domain names containing square brackets ([ and ]). Square
brackets are only valid for IPv6 and IPvFuture hosts
according to RFC 3986 Section 3.2.2. (CVE-2025-0938,
bsc#1236705)
- gh-127655: Fixed the
asyncio.selector_events._SelectorSocketTransport
transport not pausing writes for the protocol when
the buffer reaches the high water mark when using
asyncio.WriteTransport.writelines() (CVE-2024-12254,
bsc#1234290).
- gh-126108: Fix a possible NULL pointer dereference in
PySys_AddWarnOptionUnicode().
- gh-80222: Fix bug in the folding of quoted strings
when flattening an email message using a modern email
policy. Previously when a quoted string was folded so
that it spanned more than one line, the surrounding
quotes and internal escapes would be omitted. This could
theoretically be used to spoof header lines using a
carefully constructed quoted string if the resulting
OBS-URL: https://build.opensuse.org/request/show/1244005
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python312?expand=0&rev=28
- Tests
- gh-127906: Test the limited C API in test_cppext. Patch by
Victor Stinner.
- gh-127906: Backport test_cext from the main branch. Patch
by Victor Stinner.
- gh-127637: Add tests for the dis command-line
interface. Patch by Bénédikt Tran.
- Security
- gh-105704: When using urllib.parse.urlsplit() and
urllib.parse.urlparse() host parsing would not reject
domain names containing square brackets ([ and ]). Square
brackets are only valid for IPv6 and IPvFuture hosts
according to RFC 3986 Section 3.2.2. (CVE-2025-0938,
bsc#1236705)
- gh-127655: Fixed the
asyncio.selector_events._SelectorSocketTransport
transport not pausing writes for the protocol when
the buffer reaches the high water mark when using
asyncio.WriteTransport.writelines() (CVE-2024-12254,
bsc#1234290).
- gh-126108: Fix a possible NULL pointer dereference in
PySys_AddWarnOptionUnicode().
- gh-80222: Fix bug in the folding of quoted strings
when flattening an email message using a modern email
policy. Previously when a quoted string was folded so
that it spanned more than one line, the surrounding
quotes and internal escapes would be omitted. This could
theoretically be used to spoof header lines using a
carefully constructed quoted string if the resulting
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python312?expand=0&rev=94
- Add CVE-2024-12254-unbound-mem-buffering-SelectorSocketTransport.writelines.patch
preventing exhaustion of memory (gh#python/cpython#127655,
bsc#1234290, CVE-2024-12254).
- Update to 3.12.8:
- Tools/Demos
- gh-126807: Fix extraction warnings in pygettext.py caused
by mistaking function definitions for function calls.
- Tests
- gh-126909: Fix test_os extended attribute tests to work on
filesystems with 1 KiB xattr size limit.
- gh-125041: Re-enable skipped tests for zlib on the
s390x architecture: only skip checks of the compressed
bytes, which can be different between zlib’s software
implementation and the hardware-accelerated implementation.
- gh-124295: Add translation tests to the argparse module.
- Security
- gh-126623: Upgrade libexpat to 2.6.4
- Library
- gh-127303: Publicly expose EXACT_TOKEN_TYPES in
token.__all__.
- gh-123967: Fix faulthandler for trampoline frames. If the
top-most frame is a trampoline frame, skip it. Patch by
Victor Stinner.
- gh-127182: Fix io.StringIO.__setstate__() crash, when None
was passed as the first value.
- gh-127217: Fix urllib.request.pathname2url() for paths
starting with multiple slashes on Posix.
- gh-127035: Fix shutil.which on Windows. Now it looks at
direct match if and only if the command ends with a PATHEXT
extension or X_OK is not in mode. Support extensionless
files if “.” is in PATHEXT. Support PATHEXT extensions that
end with a dot.
- gh-127078: Fix issue where urllib.request.url2pathname()
failed to discard an extra slash before a UNC drive in the
URL path on Windows.
- gh-126766: Fix issue where urllib.request.url2pathname()
failed to discard any ‘localhost’ authority present in the
URL.
- gh-126997: Fix support of STRING and GLOBAL opcodes with
non-ASCII arguments in pickletools. pickletools.dis()
now outputs non-ASCII bytes in STRING, BINSTRING and
SHORT_BINSTRING arguments as escaped (\xXX).
- gh-126618: Fix the representation of itertools.count
objects when the count value is sys.maxsize.
- gh-85168: Fix issue where urllib.request.url2pathname() and
pathname2url() always used UTF-8 when quoting and unquoting
file URIs. They now use the filesystem encoding and error
handler.
- gh-67877: Fix memory leaks when regular expression matching
terminates abruptly, either because of a signal or because
memory allocation fails.
- gh-126789: Fixed the values of sysconfig.get_config_vars(),
sysconfig.get_paths(), and their siblings when the site
initialization happens after sysconfig has built a cache
for sysconfig.get_config_vars().
- gh-126188: Update bundled pip to 24.3.1
- gh-126766: Fix issue where urllib.request.url2pathname()
failed to discard two leading slashes introducing an empty
authority section.
- gh-126727: locale.nl_langinfo(locale.ERA) now returns
multiple era description segments separated by
semicolons. Previously it only returned the first segment
on platforms with Glibc.
- gh-126699: Allow collections.abc.AsyncIterator to be a base
for Protocols.
- gh-104745: Limit starting a patcher (from
unittest.mock.patch() or unittest.mock.patch.object()) more
than once without stopping it
- gh-126595: Fix a crash when instantiating itertools.count
with an initial count of sys.maxsize on debug builds. Patch
by Bénédikt Tran.
- gh-120423: Fix issue where urllib.request.pathname2url()
mishandled Windows paths with embedded forward slashes.
- gh-126565: Improve performances of zipfile.Path.open() for
non-reading modes.
- gh-126505: Fix bugs in compiling case-insensitive regular
expressions with character classes containing non-BMP
characters: upper-case non-BMP character did was ignored
and the ASCII flag was ignored when matching a character
range whose upper bound is beyond the BMP region.
- gh-117378: Fixed the multiprocessing "forkserver"
start method forkserver process to correctly inherit
the parent’s sys.path during the importing of
multiprocessing.set_forkserver_preload() modules in the
same manner as sys.path is configured in workers before
executing work items.
This bug caused some forkserver module preloading to silently
fail to preload. This manifested as a performance degration
in child processes when the sys.path was required due to
additional repeated work in every worker.
It could also have a side effect of "" remaining in
sys.path during forkserver preload imports instead of the
absolute path from os.getcwd() at multiprocessing import time
used in the worker sys.path.
The sys.path differences between phases in the child
process could potentially have caused preload to import incorrect
things from the wrong location. We are unaware of that actually
having happened in practice.
- gh-125679: The multiprocessing.Lock and
multiprocessing.RLock repr values no longer say “unknown”
on macOS.
- gh-126476: Raise calendar.IllegalMonthError (now a subclass
of IndexError) for calendar.month() when the input month is
not correct.
- gh-126489: The Python implementation of pickle no longer
calls pickle.Pickler.persistent_id() for the result of
persistent_id().
- gh-126303: Fix pickling and copying of os.sched_param
objects.
- gh-126138: Fix a use-after-free crash on asyncio.Task
objects whose underlying coroutine yields an object that
implements an evil __getattribute__(). Patch by Nico
Posada.
- gh-126220: Fix crash in cProfile.Profile and
_lsprof.Profiler when their callbacks were directly called
with 0 arguments.
- gh-126212: Fix issue where urllib.request.pathname2url()
and url2pathname() removed slashes from Windows DOS drive
paths and URLs.
- gh-126205: Fix issue where urllib.request.pathname2url()
generated URLs beginning with four slashes (rather than
two) when given a Windows UNC path.
- gh-126105: Fix a crash in ast when the ast.AST._fields
attribute is deleted.
- gh-126106: Fixes a possible NULL pointer dereference in
ssl.
- gh-126080: Fix a use-after-free crash on asyncio.Task
objects for which the underlying event loop implements an
evil __getattribute__(). Reported by Nico-Posada. Patch by
Bénédikt Tran.
- gh-126083: Fixed a reference leak in asyncio.Task objects
when reinitializing the same object with a non-None
context. Patch by Nico Posada.
- gh-125984: Fix use-after-free crashes on asyncio.Future
objects for which the underlying event loop implements an
evil __getattribute__(). Reported by Nico-Posada. Patch by
Bénédikt Tran.
- gh-125969: Fix an out-of-bounds crash when an evil
asyncio.loop.call_soon() mutates the length of the internal
callbacks list. Patch by Bénédikt Tran.
- gh-125966: Fix a use-after-free crash in
asyncio.Future.remove_done_callback(). Patch by Bénédikt
Tran.
- gh-125789: Fix possible crash when mutating list of
callbacks returned by asyncio.Future._callbacks. It
now always returns a new copy in C implementation
_asyncio. Patch by Kumar Aditya.
- gh-124452: Fix an issue in
email.policy.EmailPolicy.header_source_parse() and
email.policy.Compat32.header_source_parse() that introduced
spurious leading whitespaces into header values when the
header includes a newline character after the header name
delimiter (:) and before the value.
- gh-125884: Fixed the bug for pdb where it can’t set
breakpoints on functions with certain annotations.
- gh-125355: Fix several bugs in
argparse.ArgumentParser.parse_intermixed_args().
The parser no longer changes temporarily during parsing.
Default values are not processed twice.
Required mutually exclusive groups containing positional
arguments are now supported.
The missing arguments report now includes the names of
all required optional and positional arguments.
Unknown options can be intermixed with positional
arguments in parse_known_intermixed_args().
- gh-125682: Reject non-ASCII digits in the Python
implementation of json.loads() conforming to the JSON
specification.
- gh-125660: Reject invalid unicode escapes for Python
implementation of json.loads().
- gh-125259: Fix the notes removal logic for errors thrown in
enum initialization.
- gh-125519: Improve traceback if importlib.reload() is
called with an object that is not a module. Patch by Alex
Waygood.
- gh-125451: Fix deadlock when
concurrent.futures.ProcessPoolExecutor shuts down
concurrently with an error when feeding a job to a worker
process.
- gh-125422: Fixed the bug where pdb and bdb can step into
the bottom caller frame.
- gh-100141: Fixed the bug where pdb will be stuck in an
infinite loop when debugging an empty file.
- gh-53203: Fix time.strptime() for %c, %x and %X formats
in many locales that use non-ASCII digits, like Persian,
Burmese, Odia and Shan.
- gh-125254: Fix a bug where ArgumentError includes the
incorrect ambiguous option in argparse.
- gh-61011: Fix inheritance of nested mutually
exclusive groups from parent parser in
argparse.ArgumentParser. Previously, all nested mutually
exclusive groups lost their connection to the group
containing them and were displayed as belonging directly to
the parser.
- gh-52551: Fix encoding issues in time.strftime(), the
strftime() method of the datetime classes datetime, date
and time and formatting of these classes. Characters
not encodable in the current locale are now acceptable
in the format string. Surrogate pairs and sequence
of surrogatescape-encoded bytes are no longer
recombinated. Embedded null character no longer terminates
the format string.
- gh-125118: Don’t copy arbitrary values to _Bool in the
struct module.
- gh-125069: Fix an issue where providing a pathlib.PurePath
object as an initializer argument to a second PurePath
object with a different flavour resulted in arguments to
the former object’s initializer being joined by the latter
object’s flavour.
- gh-124969: Fix locale.nl_langinfo(locale.ALT_DIGITS) on
platforms with glibc. Now it returns a string consisting of
up to 100 semicolon-separated symbols (an empty string in
most locales) on all Posix platforms. Previously it only
returned the first symbol or an empty string.
- gh-124958: Fix refcycles in exceptions raised from
asyncio.TaskGroup and the python implementation of
asyncio.Future
- gh-53203: Fix time.strptime() for %c and %x formats in many
locales: Arabic, Bislama, Breton, Bodo, Kashubian, Chuvash,
Estonian, French, Irish, Ge’ez, Gurajati, Manx Gaelic,
Hebrew, Hindi, Chhattisgarhi, Haitian Kreyol, Japanese,
Kannada, Korean, Marathi, Malay, Norwegian, Nynorsk,
Punjabi, Rajasthani, Tok Pisin, Yoruba, Yue Chinese,
Yau/Nungon and Chinese.
- gh-124917: Allow calling os.path.exists() and
os.path.lexists() with keyword arguments on Windows. Fixes
a regression in 3.12.4.
- gh-124653: Fix detection of the minimal Queue API needed by
the logging module. Patch by Bénédikt Tran.
- gh-124858: Fix reference cycles left in tracebacks
in asyncio.open_connection() when used with
happy_eyeballs_delay
- gh-124390: Fixed AssertionError when using
asyncio.staggered.staggered_race() with
asyncio.eager_task_factory.
- gh-124651: Properly quote template strings in venv
activation scripts.
- gh-124594: All asyncio REPL prompts run in the same
context. Contributed by Bartosz Sławecki.
- gh-120378: Fix a crash related to an integer overflow in
curses.resizeterm() and curses.resize_term().
- gh-123884: Fixed bug in itertools.tee() handling of other
tee inputs (a tee in a tee). The output now has the
promised n independent new iterators. Formerly, the first
iterator was identical (not independent) to the input
iterator. This would sometimes give surprising results.
- gh-123978: Remove broken time.thread_time() and
time.thread_time_ns() on NetBSD.
- gh-124008: Fix possible crash (in debug build), incorrect
output or returning incorrect value from raw binary write()
when writing to console on Windows.
- gh-123370: Fix the canvas not clearing after running
turtledemo clock.
- gh-120754: Update unbounded read calls in zipfile to
specify an explicit size putting a limit on how much data
they may read. This also updates handling around ZIP max
comment size to match the standard instead of reading
comments that are one byte too long.
- gh-70764: Fixed an issue where inspect.getclosurevars()
would incorrectly classify an attribute name as a global
variable when the name exists both as an attribute name and
a global variable.
- gh-119826: Always return an absolute path for
os.path.abspath() on Windows.
- gh-117766: Always use str() to print choices in argparse.
- gh-101955: Fix SystemError when match regular expression
pattern containing some combination of possessive
quantifier, alternative and capture group.
- gh-88110: Fixed multiprocessing.Process reporting a
.exitcode of 1 even on success when using the "fork" start
method while using a concurrent.futures.ThreadPoolExecutor.
- gh-71936: Fix a race condition in
multiprocessing.pool.Pool.
- bpo-46128: Strip unittest.IsolatedAsyncioTestCase stack
frames from reported stacktraces.
- bpo-14074: Fix argparse metavar processing to allow
positional arguments to have a tuple metavar.
- IDLE
- gh-122392: Increase currently inadequate vertical spacing
for the IDLE browsers (path, module, and stack) on
high-resolution monitors.
- Documentation
- gh-125277: Require Sphinx 7.2.6 or later to build the
Python documentation. Patch by Adam Turner.
- gh-125018: The importlib.metadata documentation now
includes semantic cross-reference targets for the
significant documented APIs. This means intersphinx
references like importlib.metadata.version() will now work
as expected.
- gh-121277: Writers of CPython’s documentation can now use
next as the version for the versionchanged, versionadded,
deprecated directives.
- gh-60712: Include the object type in the lists of
documented types. Change by Furkan Onder and Martin Panter.
- Core and Builtins
- gh-113841: Fix possible undefined behavior division by zero
in complex’s _Py_c_pow().
- gh-126341: Now ValueError is raised instead of SystemError
when trying to iterate over a released memoryview object.
- gh-126066: Fix importlib to not write an incomplete
.pyc files when a ulimit or some other operating system
mechanism is preventing the write to go through fully.
- gh-126139: Provide better error location when attempting to
use a future statement with an unknown future feature.
- gh-125008: Fix tokenize.untokenize() producing invalid
syntax for double braces preceded by certain escape
characters.
- gh-123378: Fix a crash in the __str__() method of
UnicodeError objects when the UnicodeError.start and
UnicodeError.end values are invalid or out-of-range. Patch
by Bénédikt Tran.
- gh-116510: Fix a crash caused by immortal interned strings
being shared between sub-interpreters that use basic
single-phase init. In that case, the string can be used
by an interpreter that outlives the interpreter that
created and interned it. For interpreters that share
obmalloc state, also share the interned dict with the main
interpreter.
- gh-118950: Fix bug where SSLProtocol.connection_lost wasn’t
getting called when OSError was thrown on writing to
socket.
- gh-113570: Fixed a bug in reprlib.repr where it incorrectly
called the repr method on shadowed Python built-in types.
- gh-109746: If _thread.start_new_thread() fails to start a
new thread, it deletes its state from interpreter and thus
avoids its repeated cleanup on finalization.
- C API
- gh-113601: Removed debug build assertions related to
interning strings, which were falsely triggered by stable
ABI extensions.
- Build
- gh-89640: Hard-code float word ordering as little endian on
WASM.
- gh-89640: Improve detection of float word ordering on Linux
when link-time optimizations are enabled.
- Remove upstreamed patches:
- CVE-2024-9287-venv_path_unquoted.patch
OBS-URL: https://build.opensuse.org/request/show/1228975
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python312?expand=0&rev=26
- Tools/Demos
- gh-126807: Fix extraction warnings in pygettext.py caused
by mistaking function definitions for function calls.
- Tests
- gh-126909: Fix test_os extended attribute tests to work on
filesystems with 1 KiB xattr size limit.
- gh-125041: Re-enable skipped tests for zlib on the
s390x architecture: only skip checks of the compressed
bytes, which can be different between zlib’s software
implementation and the hardware-accelerated implementation.
- gh-124295: Add translation tests to the argparse module.
- Security
- gh-126623: Upgrade libexpat to 2.6.4
- Library
- gh-127303: Publicly expose EXACT_TOKEN_TYPES in
token.__all__.
- gh-123967: Fix faulthandler for trampoline frames. If the
top-most frame is a trampoline frame, skip it. Patch by
Victor Stinner.
- gh-127182: Fix io.StringIO.__setstate__() crash, when None
was passed as the first value.
- gh-127217: Fix urllib.request.pathname2url() for paths
starting with multiple slashes on Posix.
- gh-127035: Fix shutil.which on Windows. Now it looks at
direct match if and only if the command ends with a PATHEXT
extension or X_OK is not in mode. Support extensionless
files if “.” is in PATHEXT. Support PATHEXT extensions that
end with a dot.
- gh-127078: Fix issue where urllib.request.url2pathname()
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python312?expand=0&rev=85
- Update to 3.12.7:
- Tests
- gh-124378: Updated test_ttk to pass with Tcl/Tk 8.6.15.
- Security
- gh-122792: Changed IPv4-mapped ipaddress.IPv6Address to
consistently use the mapped IPv4 address value for deciding
properties. Properties which have their behavior fixed are
is_multicast, is_reserved, is_link_local, is_global, and
is_unspecified.
- Library
- gh-116850: Fix argparse for namespaces with not directly
writable dict (e.g. classes).
- gh-58573: Fix conflicts between abbreviated long options in
the parent parser and subparsers in argparse.
- gh-61181: Fix support of choices with string value in
argparse. Substrings of the specified string no longer
considered valid values.
- gh-80259: Fix argparse support of positional arguments with
nargs='?', default=argparse.SUPPRESS and specified type.
- gh-124498: Fix typing.TypeAliasType not to be generic, when
type_params is an empty tuple.
- gh-124345: argparse vim supports abbreviated single-dash
long options separated by = from its value.
- gh-104860: Fix disallowing abbreviation of single-dash long
options in argparse with allow_abbrev=False.
- gh-63143: Fix parsing mutually exclusive arguments in
argparse. Arguments with the value identical to the default
value (e.g. booleans, small integers, empty or 1-character
strings) are no longer considered “not present”.
- gh-72795: Positional arguments with nargs equal to '*' or
OBS-URL: https://build.opensuse.org/request/show/1205549
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python312?expand=0&rev=22
- Tests
- gh-124378: Updated test_ttk to pass with Tcl/Tk 8.6.15.
- Security
- gh-122792: Changed IPv4-mapped ipaddress.IPv6Address to
consistently use the mapped IPv4 address value for deciding
properties. Properties which have their behavior fixed are
is_multicast, is_reserved, is_link_local, is_global, and
is_unspecified.
- Library
- gh-116850: Fix argparse for namespaces with not directly
writable dict (e.g. classes).
- gh-58573: Fix conflicts between abbreviated long options in
the parent parser and subparsers in argparse.
- gh-61181: Fix support of choices with string value in
argparse. Substrings of the specified string no longer
considered valid values.
- gh-80259: Fix argparse support of positional arguments with
nargs='?', default=argparse.SUPPRESS and specified type.
- gh-124498: Fix typing.TypeAliasType not to be generic, when
type_params is an empty tuple.
- gh-124345: argparse vim supports abbreviated single-dash
long options separated by = from its value.
- gh-104860: Fix disallowing abbreviation of single-dash long
options in argparse with allow_abbrev=False.
- gh-63143: Fix parsing mutually exclusive arguments in
argparse. Arguments with the value identical to the default
value (e.g. booleans, small integers, empty or 1-character
strings) are no longer considered “not present”.
- gh-72795: Positional arguments with nargs equal to '*' or
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python312?expand=0&rev=71
- Add doc-py38-to-py36.patch making building documentation
compatible with Python 3.6, which runs Sphinx on SLE.
- Update to 3.12.6:
- Tests
- gh-101525: Skip test_gdb if the binary is relocated by
BOLT. Patch by Donghee Na.
- Security
- gh-123678: Upgrade libexpat to 2.6.3
- gh-121285: Remove backtracking from tarfile header parsing
for hdrcharset, PAX, and GNU sparse headers (bsc#1230227,
CVE-2024-6232).
- Library
- gh-123270: Applied a more surgical fix for malformed
payloads in zipfile.Path causing infinite loops (gh-122905)
without breaking contents using legitimate characters
(bsc#1229704, CVE-2024-8088).
- gh-123213: xml.etree.ElementTree.Element.extend() and
Element assignment no longer hide the internal exception if
an erronous generator is passed. Patch by Bar Harel.
- gh-85110: Preserve relative path in URL without netloc in
urllib.parse.urlunsplit() and urllib.parse.urlunparse().
- gh-123067: Fix quadratic complexity in parsing "-quoted
cookie values with backslashes by http.cookies
(bsc#1229596, CVE-2024-7592)
- gh-122903: zipfile.Path.glob now correctly matches
directories instead of silently omitting them.
- gh-122905: zipfile.Path objects now sanitize names from the
zipfile.
- gh-122695: Fixed double-free when using gc.get_referents()
with a freed asyncio.Future iterator.
- gh-116263: logging.handlers.RotatingFileHandler no longer
rolls over empty log files.
- gh-118814: Fix the typing.TypeVar constructor when name is
passed by keyword.
- gh-122478: Remove internal frames from tracebacks
shown in code.InteractiveInterpreter with non-default
sys.excepthook(). Save correct tracebacks in
sys.last_traceback and update __traceback__ attribute of
sys.last_value and sys.last_exc.
- gh-113785: csv now correctly parses numeric fields (when
used with csv.QUOTE_NONNUMERIC) which start with an escape
character.
- gh-112182: asyncio.futures.Future.set_exception() now
transforms StopIteration into RuntimeError instead of
hanging or other misbehavior. Patch contributed by Jamie
Phan.
- gh-108172: webbrowser honors OS preferred browser on Linux
when its desktop entry name contains the text of a known
browser name.
- gh-102988: email.utils.getaddresses() and
email.utils.parseaddr() now return ('', '') 2-tuples
in more situations where invalid email addresses are
encountered instead of potentially inaccurate values. Add
optional strict parameter to these two functions: use
strict=False to get the old behavior, accept malformed
inputs. getattr(email.utils, 'supports_strict_parsing',
False) can be use to check if the strict paramater is
available. Patch by Thomas Dwyer and Victor Stinner to
improve the CVE-2023-27043 fix.
- gh-99437: runpy.run_path() now decodes path-like objects,
making sure __file__ and sys.argv[0] of the module being
run are always strings.
- IDLE
- gh-120083: Add explicit black IDLE Hovertip foreground
color needed for recent macOS. Fixes Sonoma showing
unreadable white on pale yellow. Patch by John Riggles.
- Core and Builtins
- gh-123321: Prevent Parser/myreadline race condition from
segfaulting on multi-threaded use. Patch by Bar Harel and
Amit Wienner.
- gh-122982: Extend the deprecation period for bool inversion
(~) by two years.
- gh-123229: Fix valgrind warning by initializing the
f-string buffers to 0 in the tokenizer. Patch by Pablo
Galindo
- gh-123142: Fix too-wide source location in exception
tracebacks coming from broken iterables in comprehensions.
- gh-123048: Fix a bug where pattern matching code could emit
a JUMP_FORWARD with no source location.
- gh-123083: Fix a potential use-after-free in
STORE_ATTR_WITH_HINT.
- gh-122527: Fix a crash that occurred when a
PyStructSequence was deallocated after its type’s
dictionary was cleared by the GC. The type’s tp_basicsize
now accounts for non-sequence fields that aren’t included
in the Py_SIZE of the sequence.
- gh-93691: Fix source locations of instructions generated
for with statements.
- Build
- gh-123297: Propagate the value of LDFLAGS to LDCXXSHARED in
sysconfig. Patch by Pablo Galindo
- Remove upstreamed patches:
- CVE-2023-27043-email-parsing-errors.patch
- CVE-2024-8088-inf-loop-zipfile_Path.patch
- CVE-2023-6597-TempDir-cleaning-symlink.patch
- gh120226-fix-sendfile-test-kernel-610.patch
- Add gh120226-fix-sendfile-test-kernel-610.patch to avoid
failing test_sendfile_close_peer_in_the_middle_of_receiving
tests on Linux >= 6.10 (GH-120227).
OBS-URL: https://build.opensuse.org/request/show/1200888
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python312?expand=0&rev=20
- Tests
- gh-101525: Skip test_gdb if the binary is relocated by
BOLT. Patch by Donghee Na.
- Security
- gh-123678: Upgrade libexpat to 2.6.3
- gh-121285: Remove backtracking from tarfile header parsing
for hdrcharset, PAX, and GNU sparse headers (bsc#1230227,
CVE-2024-6232).
- Library
- gh-123270: Applied a more surgical fix for malformed
payloads in zipfile.Path causing infinite loops (gh-122905)
without breaking contents using legitimate characters
(bsc#1229704, CVE-2024-8088).
- gh-123213: xml.etree.ElementTree.Element.extend() and
Element assignment no longer hide the internal exception if
an erronous generator is passed. Patch by Bar Harel.
- gh-85110: Preserve relative path in URL without netloc in
urllib.parse.urlunsplit() and urllib.parse.urlunparse().
- gh-123067: Fix quadratic complexity in parsing "-quoted
cookie values with backslashes by http.cookies
(bsc#1229596, CVE-2024-7592)
- gh-122903: zipfile.Path.glob now correctly matches
directories instead of silently omitting them.
- gh-122905: zipfile.Path objects now sanitize names from the
zipfile.
- gh-122695: Fixed double-free when using gc.get_referents()
with a freed asyncio.Future iterator.
- gh-116263: logging.handlers.RotatingFileHandler no longer
rolls over empty log files.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python312?expand=0&rev=66
- Update to 3.12.5:
- Tests
- gh-59022: Add tests for pkgutil.extend_path(). Patch by
Andreas Stocker.
- gh-99242: os.getloadavg() may throw OSError when
running regression tests under certain conditions (e.g.
chroot). This error is now caught and ignored, since
reporting load average is optional.
- gh-121084: Fix test_typing random leaks. Clear typing ABC
caches when running tests for refleaks (-R option): call
_abc_caches_clear() on typing abstract classes and their
subclasses. Patch by Victor Stinner.
- gh-121160: Add a test for
readline.set_history_length(). Note that this test may fail
on readline libraries.
- gh-121200: Fix test_expanduser_pwd2() of
test_posixpath. Call getpwnam() to get pw_dir, since it
can be different than getpwall() pw_dir. Patch by Victor
Stinner.
- gh-121188: When creating the JUnit XML file, regrtest
now escapes characters which are invalid in XML, such
as the chr(27) control character used in ANSI escape
sequences. Patch by Victor Stinner.
- Security
- gh-121957: Fixed missing audit events around interactive
use of Python, now also properly firing for python -i, as
well as for python -m asyncio. The event in question is
cpython.run_stdin.
- gh-122133: Authenticate the socket connection for the
socket.socketpair() fallback on platforms where AF_UNIX is
OBS-URL: https://build.opensuse.org/request/show/1192365
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python312?expand=0&rev=18
- Tests
- gh-59022: Add tests for pkgutil.extend_path(). Patch by
Andreas Stocker.
- gh-99242: os.getloadavg() may throw OSError when
running regression tests under certain conditions (e.g.
chroot). This error is now caught and ignored, since
reporting load average is optional.
- gh-121084: Fix test_typing random leaks. Clear typing ABC
caches when running tests for refleaks (-R option): call
_abc_caches_clear() on typing abstract classes and their
subclasses. Patch by Victor Stinner.
- gh-121160: Add a test for
readline.set_history_length(). Note that this test may fail
on readline libraries.
- gh-121200: Fix test_expanduser_pwd2() of
test_posixpath. Call getpwnam() to get pw_dir, since it
can be different than getpwall() pw_dir. Patch by Victor
Stinner.
- gh-121188: When creating the JUnit XML file, regrtest
now escapes characters which are invalid in XML, such
as the chr(27) control character used in ANSI escape
sequences. Patch by Victor Stinner.
- Security
- gh-121957: Fixed missing audit events around interactive
use of Python, now also properly firing for python -i, as
well as for python -m asyncio. The event in question is
cpython.run_stdin.
- gh-122133: Authenticate the socket connection for the
socket.socketpair() fallback on platforms where AF_UNIX is
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python312?expand=0&rev=60
- Security
- gh-118486: os.mkdir() on Windows now accepts mode of 0o700
to restrict the new directory to the current user. This
fixes CVE-2024-4030 affecting tempfile.mkdtemp() in
scenarios where the base temporary directory is more
permissive than the default.
- gh-116741: Update bundled libexpat to 2.6.2
- gh-117233: Detect BLAKE2, SHA3, Shake, & truncated SHA512
support in the OpenSSL-ish libcrypto library at build
time. This allows hashlib to be used with libraries that do
not to support every algorithm that upstream OpenSSL does.
- Core and Builtins
- gh-119821: Fix execution of annotation scopes within
classes when globals is set to a non-dict. Patch by Jelle
Zijlstra.
- gh-118263: Speed up os.path.normpath() with a direct C
call.
- gh-119311: Fix bug where names are unexpectedly mangled in
the bases of generic classes.
- gh-119395: Fix bug where names appearing after a generic
class are mangled as if they are in the generic class.
- gh-118507: Fix os.path.isfile() on Windows for pipes.
- gh-119213: Non-builtin modules built with argument clinic
were crashing if used in a subinterpreter before the main
interpreter. The objects that were causing the problem by
leaking between interpreters carelessly have been fixed.
- gh-119011: Fixes type.__type_params__ to return an empty
tuple instead of a descriptor.
- gh-118997: Fix _Py_ClearImmortal() assertion: use
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python312?expand=0&rev=47
