-------------------------------------------------------------------
Fri Aug 1 20:09:24 UTC 2025 - Matej Cepl

- Add CVE-2025-8194-tarfile-no-neg-offsets.patch which now validates archives to ensure member offsets are non-negative (gh#python/cpython#130577, CVE-2025-8194, bsc#1247249).

-------------------------------------------------------------------
Wed Jul 23 08:05:20 UTC 2025 - Matej Cepl

- Update to 3.14.0~rc1:
  - Tools/Demos
    - gh-136251: Fixes and usability improvements for Tools/wasm/emscripten/web_example.
  - Security
    - gh-135661: Fix parsing attributes with whitespaces around the = separator in html.parser.HTMLParser according to the HTML5 standard.
    - gh-118350: Fix support of escapable raw text mode (elements “textarea” and “title”) in html.parser.HTMLParser.
  - Library
    - gh-136170: Removed the unreleased zipfile.ZipFile.data_offset property added in 3.14.0a7, as it wasn’t fully clear which behavior it should have in some situations, so the result was not always what a user might expect.
    - gh-124621: pyrepl now works in Emscripten.
    - gh-136874: Discard URL query and fragment in urllib.request.url2pathname().
    - gh-130645: Enable color help by default in argparse.
    - gh-136549: Fix signature of threading.excepthook().
    - gh-136523: Fix wave.Wave_write emitting an unraisable when open raises.
    - gh-52876: Add missing keepends (default True) parameter to codecs.StreamReaderWriter.readline() and codecs.StreamReaderWriter.readlines().
    - gh-136470: Correct concurrent.futures.InterpreterPoolExecutor’s default thread name.
    - gh-136476: Fix a bug that was causing the get_async_stack_trace function to miss some frames in the stack trace.
    - gh-136434: Fix docs generation of UnboundItem in concurrent.interpreters when running with -OO.
    - gh-136380: Raise AttributeError when accessing concurrent.futures.InterpreterPoolExecutor and subinterpreters are not available.
    - gh-134759: Fix UnboundLocalError in email.message.Message.get_payload() when the payload to decode is a bytes object. Patch by Kliment Lamonov.
    - gh-134657: asyncio: Remove some private names from asyncio.__all__.
  - Core and Builtins
    - gh-136801: Fix PyREPL syntax highlighting on match cases after a multi-line case. Contributed by Olga Matoula.
    - gh-136421: Fix crash when initializing datetime concurrently.
    - gh-136541: Fix some issues with the perf trampolines on x86-64 and aarch64. The trampolines were not being generated correctly for some cases, which could lead to the perf integration not working correctly. Patch by Pablo Galindo.
    - gh-136517: Fixed a typo that prevented printing of uncollectable objects when the gc.DEBUG_UNCOLLECTABLE mode was set.
    - gh-136525: Fix issue where per-thread bytecode was not instrumented for newly created threads.
    - gh-132661: Interpolation.expression now has a default, the empty string.
    - gh-132661: Reflect recent PEP 750 change.
      - Disallow concatenation of string.templatelib.Template and str. Also, disallow implicit concatenation of t-string literals with string or f-string literals.
    - gh-116738: Make functions in grp thread-safe on the free threaded build.
    - gh-135148: Fixed a bug where f-string debug expressions (using =) would incorrectly strip out parts of strings containing escaped quotes and # characters. Patch by Pablo Galindo.
    - gh-133136: Limit excess memory usage in the free threading build when a large dictionary or list is resized and accessed by multiple threads.
    - gh-91153: Fix a crash when a bytearray is concurrently mutated during item assignment.
    - gh-127971: Fix off-by-one read beyond the end of a string in string search.
  - C API
    - gh-112068: Revert support of nullable arguments in PyArg_Parse().
    - gh-133296: New variants for the critical section API that accept one or two PyMutex pointers rather than PyObject instances are now public in the non-limited C API.
    - gh-134009: Expose PyMutex_IsLocked() as part of the public C API.
  - Build
    - gh-135621: PyREPL no longer depends on the curses standard library. Contributed by Łukasz Langa.

-------------------------------------------------------------------
Thu Jul 10 10:17:47 UTC 2025 - Daniel Garcia

- Fix gil/nogil package description, bsc#1246229

-------------------------------------------------------------------
Wed Jul 9 05:50:32 UTC 2025 - Matej Cepl

- Update to 3.14.0~b4:
  - Tools/Demos
    - gh-135968: Stubs for strip are now provided as part of an iOS install.
    - gh-133600: Backport file reorganization for Tools/wasm/wasi. This should make backporting future code changes easier. It also simplifies instructions around how to do WASI builds in the devguide.
  - Tests
    - gh-135966: The iOS testbed now handles the app_packages folder as a site directory.
    - gh-135494: Fix regrtest to support excluding tests from --pgo tests. Patch by Victor Stinner.
  - Security
    - gh-136053: marshal: fix a possible crash when deserializing slice objects.
    - gh-135661: Fix parsing start and end tags in html.parser.HTMLParser according to the HTML5 standard.
      - Whitespaces no longer accepted between does not end the script section.
      - Vertical tabulation (\v) and non-ASCII whitespaces are no longer recognized as whitespaces. The only whitespaces are \t\n\r\f and space.
      - Null character (U+0000) no longer ends the tag name.
      - Attributes and slashes after the tag name in end tags are now ignored, instead of terminating after the first > in a quoted attribute value. E.g. .
      - Multiple slashes and whitespaces between the last attribute and the closing > are now ignored in both start and end tags. E.g. .
      - Multiple = between attribute name and value are no longer collapsed. E.g. produces attribute “foo” with value “=bar”.
      - Whitespaces between the = separator and the attribute name or value are no longer ignored. E.g. produces two attributes “foo” and “=bar”, both with value None; produces two attributes: “foo” with value “” and “bar” with value None.
    - gh-102555: Fix comment parsing in html.parser.HTMLParser according to the HTML5 standard. --!> now ends the comment. -- > no longer ends the comment. Support abnormally ended empty comments <--> and <--->.
  - Library
    - gh-136286: Fix pickling failures for protocols 0 and 1 for many objects related to subinterpreters.
    - gh-136316: Improve support for evaluating nested forward references in typing.evaluate_forward_ref().
    - gh-85702: If zoneinfo._common.load_tzdata is given a package without a resource, a zoneinfo.ZoneInfoNotFoundError is raised rather than a PermissionError. Patch by Victor Stinner.
    - gh-136028: Fix parsing month names containing “İ” (U+0130, LATIN CAPITAL LETTER I WITH DOT ABOVE) in time.strptime(). This affects locales az_AZ, ber_DZ, ber_MA and crh_UA.
    - gh-135995: In the palmos encoding, make byte 0x9b decode to › (U+203A - SINGLE RIGHT-POINTING ANGLE QUOTATION MARK).
    - gh-53203: Fix time.strptime() for %c and %x formats on locales byn_ER, wal_ET and lzh_TW, and for %X format on locales ar_SA, bg_BG and lzh_TW.
    - gh-91555: An earlier change, which was introduced in 3.14.0b2, has been reverted. It disabled logging for a logger during handling of log messages for that logger. Since the reversion, the behaviour should be as it was before 3.14.0b2.
    - gh-135878: Fixes a crash of types.SimpleNamespace on free threading builds, when several threads were calling its __repr__() method at the same time.
    - gh-135836: Fix IndexError in asyncio.loop.create_connection() that could occur when a non-OSError exception is raised during connection and the socket’s close() raises OSError.
    - gh-135836: Fix IndexError in asyncio.loop.create_connection() that could occur when the Happy Eyeballs algorithm resulted in an empty exceptions list during connection attempts.
    - gh-135855: Raise TypeError instead of SystemError when _interpreters.set___main___attrs() is passed a non-dict object. Patch by Brian Schubert.
    - gh-135815: netrc: skip security checks if os.getuid() is missing. Patch by Bénédikt Tran.
    - gh-135640: Address bug where it was possible to call xml.etree.ElementTree.ElementTree.write() on an ElementTree object with an invalid root element. This behavior blanked the file passed to write if it already existed.
    - gh-135645: Added supports_isolated_interpreters field to sys.implementation.
    - gh-135646: Raise consistent NameError exceptions in annotationlib.ForwardRef.evaluate().
    - gh-135557: Fix races on heapq updates and list reads on the free threaded build.
    - gh-119180: Only fetch globals and locals if necessary in annotationlib.get_annotations().
    - gh-135561: Fix a crash on DEBUG builds when an HACL* HMAC routine fails. Patch by Bénédikt Tran.
    - gh-135487: Fix reprlib.Repr.repr_int() when given integers with more than sys.get_int_max_str_digits() digits. Patch by Bénédikt Tran.
    - gh-135335: multiprocessing: Flush stdout and stderr after preloading modules in the forkserver.
    - gh-135069: Fix the “Invalid error handling” exception in encodings.idna.IncrementalDecoder to correctly replace the ‘errors’ parameter.
    - gh-130662: Accept leading zeros in precision and width fields for Decimal formatting, for example format(Decimal(1.25), '.016f').
    - gh-130662: Accept leading zeros in precision and width fields for Fraction formatting, for example format(Fraction(1, 3), '.016f').
    - gh-87790: Support underscore and comma as thousands separators in the fractional part for Fraction’s formatting. Patch by Sergey B Kirpichev.
    - gh-87790: Support underscore and comma as thousands separators in the fractional part for Decimal’s formatting. Patch by Sergey B Kirpichev.
    - gh-130664: Handle corner-case for Fraction’s formatting: treat zero-padding (preceding the width field by a zero ('0') character) as equivalent to a fill character of '0' with an alignment type of '=', just as in the case of float’s.
  - Documentation
    - gh-136155: EPUB builds are fixed by excluding non-XHTML-compatible tags.
  - Core and Builtins
    - gh-109700: Fix memory error handling in PyDict_SetDefault().
    - gh-78465: Fix error message for cls.__new__(cls, ...) where cls is not an instantiable builtin or extension type (with tp_new set to NULL).
    - gh-129958: Differentiate between t-strings and f-strings in the syntax error for newlines in format specifiers of single-quoted interpolated strings.
    - gh-135871: Non-blocking mutex lock attempts now return immediately when the lock is busy instead of briefly spinning in the free threading build.
    - gh-135106: Restrict the trashcan mechanism to GC’ed objects and untrack them while in the trashcan to prevent the GC and trashcan mechanisms conflicting.
    - gh-135607: Fix potential weakref races in an object’s destructor on the free threaded build.
    - gh-135608: Fix a crash in the JIT involving attributes of modules.
    - gh-135543: Emit sys.remote_exec audit event when sys.remote_exec() is called and migrate remote_debugger_script to cpython.remote_debugger_script.
    - gh-134280: Disable constant folding for ~ with a boolean argument. This moves the deprecation warning from compile time to runtime.
  - C API
    - gh-135906: Fix compilation errors when compiling the internal headers with a C++ compiler.
  - Build
    - gh-134273: Add support for configuring compiler flags for the JIT with CFLAGS_JIT.

-------------------------------------------------------------------
Wed Jul 2 13:14:28 UTC 2025 - Matej Cepl

- Add bsc1243155-sphinx-non-determinism.patch (bsc#1243155) to generate ids for audit_events using docname (reproducible builds).

-------------------------------------------------------------------
Tue Jul 1 08:24:53 UTC 2025 - Daniel Garcia

- Use one core to build doc. This will make the sphinx doc build reproducible. bsc#1243155

-------------------------------------------------------------------
Sat Jun 21 22:30:08 UTC 2025 - Matej Cepl

- Update to 3.14.0~b3:
  - Tests
    - gh-132815: Fix test__opcode: add JUMP_BACKWARD to specialization stats.
    - gh-135489: Show verbose output for failing tests during the PGO profiling step with --enable-optimizations.
    - gh-135120: Add test.support.subTests().
  - Security
    - gh-135462: Fix quadratic complexity in processing specially crafted input in html.parser.HTMLParser. End-of-file errors are now handled according to the HTML5 specs – comments and declarations are automatically closed, tags are ignored (bsc#1244705, CVE-2025-6069).
    - gh-135034: Fixes multiple issues that allowed tarfile extraction filters (filter="data" and filter="tar") to be bypassed using crafted symlinks and hard links. Addresses CVE 2024-12718, CVE 2025-4138, CVE 2025-4330, and CVE 2025-4517. Also addresses CVE-2025-4435 (gh#135034, bsc#1244061).
  - Library
    - gh-65697: configparser’s error message when attempting to write an invalid key is now more helpful.
    - gh-135497: Fix os.getlogin() failing for longer usernames on BSD-based platforms.
    - gh-135429: Fix the argument mismatch in _lsprof for the PY_THROW event.
    - gh-135368: Fix unittest.mock.Mock generation on dataclasses.dataclass() objects. Now all special attributes are set as they were before gh-124429.
    - gh-133967: Do not normalize locale name ‘C.UTF-8’ to ‘en_US.UTF-8’.
    - gh-135321: Raise a correct exception for values greater than 0x7fffffff for the BINSTRING opcode in the C implementation of pickle.
    - gh-135276: Backported bugfixes in zipfile.Path from zipp 3.23. Fixed .name, .stem and other basename-based properties on Windows when working with a zipfile on disk.
    - gh-135244: uuid: when the MAC address cannot be determined, the 48-bit node ID is now generated with a cryptographically-secure pseudo-random number generator (CSPRNG) as per RFC 9562, §6.10.3. This affects uuid1() and uuid6().
    - gh-134970: Fix the “unknown action” exception in argparse.ArgumentParser.add_argument_group() to correctly replace the action class.
    - gh-134718: ast.dump() now only omits None and [] values if they are default values.
    - gh-134939: Add the concurrent.interpreters module. See PEP 734.
    - gh-134885: Fix possible crash in the compression.zstd module related to setting parameter types. Patch by Jelle Zijlstra.
    - gh-134857: Improve error report for doctests run with unittest. Remove doctest module frames from tracebacks and the redundant newline character from a failure message.
    - gh-128840: Fix parsing long IPv6 addresses with an embedded IPv4 address.
    - gh-134637: Fix performance regression in calling a ctypes function pointer in free threading.
    - gh-134696: Built-in HACL* and OpenSSL implementations of hash function constructors now correctly accept the same documented named arguments. For instance, md5() could previously be invoked as md5(data=data) or md5(string=string) depending on the underlying implementation, but these calls were not compatible. Patch by Bénédikt Tran.
    - gh-134151: email: Fix TypeError in email.utils.decode_params() when sorting RFC 2231 continuations that contain an unnumbered section.
    - gh-134210: curses.window.getch() now correctly handles signals. Patch by Bénédikt Tran.
    - gh-134152: email: Fix parsing of email message ID with invalid domain.
    - gh-133489: random.getrandbits() can now generate more than 2**31 bits. random.randbytes() can now generate more than 256 MiB.
    - gh-132813: Improve error messages for incorrect types and values of csv.Dialect attributes.
    - gh-132969: Prevent the ProcessPoolExecutor executor thread, which remains running when shutdown(wait=False), from attempting to adjust the pool’s worker processes after the object state has already been reset during shutdown. A combination of conditions, including a worker process having terminated abnormally, resulted in an exception and a potential hang when the still-running executor thread attempted to replace dead workers within the pool.
    - gh-127081: Fix libc thread safety issues with os by replacing getlogin with the getlogin_r re-entrant version.
    - gh-131884: Fix formatting issues in json.dump() when both indent and skipkeys are used.
    - gh-130999: Avoid exiting the new REPL and offer suggestions even if there are non-string candidates when errors occur.
  - Documentation
    - gh-135171: Document that the iterator for the leftmost for clause in the generator expression is created immediately.
    - bpo-45210: Document that the error indicator may be set in tp_dealloc, and how to avoid clobbering it.
  - Core and Builtins
    - gh-135496: Fix typo in the f-string conversion type error (“exclamanation” -> “exclamation”).
    - gh-135371: Fixed asyncio debugging tools to properly display internal coroutine call stacks alongside external task dependencies. The python -m asyncio ps and python -m asyncio pstree commands now show complete execution context. Patch by Pablo Galindo.
    - gh-127319: Set the allow_reuse_port class variable to False on the XMLRPC, logging, and HTTP servers. This matches the behavior in prior Python releases, which is to not allow port reuse.
    - gh-135171: Reverts the behavior of async generator expressions when created with an object without an __aiter__ method to the pre-3.13 behavior of raising a TypeError.
    - gh-130077: Properly raise custom syntax errors when incorrect syntax containing names that are prefixes of soft keywords is encountered. Patch by Pablo Galindo.
    - gh-135171: Reverts the behavior of generator expressions when created with a non-iterable to the pre-3.13 behavior of raising a TypeError. It is no longer possible to cause a crash in the debugger by altering the generator expression’s local variables. This is achieved by moving the GET_ITER instruction back to the creation of the generator expression and adding an additional check to FOR_ITER.
    - gh-116738: Make methods in heapq thread-safe on the free threaded build.
    - gh-134876: Add support to PEP 768 remote debugging for Linux kernels which don’t have CONFIG_CROSS_MEMORY_ATTACH configured.
    - gh-134889: Fix handling of a few opcodes that leave operands on the stack when optimizing LOAD_FAST.
    - gh-134908: Fix crash when iterating over lines in a text file on the free threaded build.
    - gh-132617: Fix dict.update() modification check that could incorrectly raise a “dict mutated during update” error when a different dictionary was modified that happens to share the same underlying keys object.
    - gh-134679: Fix crash in the free threading build’s QSBR code that could occur when changing an object’s __dict__ attribute.
    - gh-127682: No longer call __iter__ twice in list comprehensions. This brings the behavior of list comprehensions in line with other forms of iteration.
    - gh-133912: Fix the C API function PyObject_GenericSetDict to handle extension classes with inline values.
  - C API
    - gh-134989: Fix Py_RETURN_NONE, Py_RETURN_TRUE and Py_RETURN_FALSE macros in the limited C API 3.11 and older: don’t treat Py_None, Py_True and Py_False as immortal. Patch by Victor Stinner.
    - gh-134989: Implement PyObject_DelAttr() and PyObject_DelAttrString() as macros in the limited C API 3.12 and older. Patch by Victor Stinner.
    - gh-133968: Add PyUnicodeWriter_WriteASCII() function to write an ASCII string into a PyUnicodeWriter. The function is faster than PyUnicodeWriter_WriteUTF8(), but has undefined behavior if the input string contains non-ASCII characters. Patch by Victor Stinner.
  - Build
    - gh-119132: Remove “experimental” tag from the CPython free-threading build.
    - gh-135497: Fix the detection of MAXLOGNAME in the configure.ac script.
    - gh-134923: Windows builds with profile-guided optimization enabled now use /GENPROFILE and /USEPROFILE instead of deprecated /LTCG: options.
    - gh-134774: Fix Py_DEBUG macro redefinition warnings on Windows debug builds. Patch by Chris Eibl.
    - gh-134632: Fixed build-details.json generation to use INCLUDEPY, in order to reference the pythonX.Y subdirectory of the include directory, as required in PEP 739, instead of the top-level include directory.

-------------------------------------------------------------------
Thu May 29 11:42:15 UTC 2025 - Matej Cepl

- Update to 3.14.0~b2:
  - Tools/Demos
    - gh-134215: REPL import autocomplete only suggests private modules when explicitly specified.
  - Tests
    - gh-133744: Fix multiprocessing interrupt test. Add an event to synchronize the parent process with the child process: wait until the child process starts sleeping. Patch by Victor Stinner.
    - gh-133682: Fixed test case test.test_annotationlib.TestStringFormat.test_displays, which ensures proper handling of complex data structures (lists, sets, dictionaries, and tuples) in string annotations.
    - gh-133639: Fix TestPyReplAutoindent.test_auto_indent_default() not running input_code.
  - Security
    - gh-133767: Fix use-after-free in the “unicode-escape” decoder with a non-“strict” error handler (CVE-2025-4516, bsc#1243273).
    - gh-128840: Short-circuit the processing of long IPv6 addresses early in ipaddress to prevent excessive memory consumption and a minor denial-of-service.
  - Library
    - gh-132710: If possible, ensure that uuid.getnode() returns the same result even across different processes. Previously, the result was constant only within the same process. Patch by Bénédikt Tran.
    - gh-80334: multiprocessing.freeze_support() now checks for work on any “spawn” start method platform rather than only on Windows.
    - gh-134582: Fix tokenize.untokenize() round-trip errors related to t-string braces escaping.
    - gh-134546: Ensure the pdb remote debugging script is readable by the remote Python process.
    - gh-134451: Converted asyncio.tools.CycleFoundException from a dataclass to a regular exception type.
    - gh-114177: Fix asyncio to not close subprocess pipes which would otherwise error out when the event loop is already closed.
    - gh-90871: Fixed an off-by-one error concerning the backlog parameter in create_unix_server(). Contributed by Christian Harries.
    - gh-134323: Fix the threading.RLock.locked() method.
    - gh-86802: Fixed asyncio memory leak in cancelled shield tasks. For shielded tasks where the shield was cancelled, log potential exceptions through the exception handler. Contributed by Christian Harries.
    - gh-134209: curses: The curses.window.instr() and curses.window.getstr() methods now allocate their internal buffer on the heap instead of the stack; in addition, the max buffer size is increased from 1023 to 2047.
    - gh-134235: Updated tab completion on REPL to include builtin modules. Contributed by Tom Wang and Hunter Young.
    - gh-134152: Fixed UnboundLocalError that could occur during email header parsing if an expected trailing delimiter is missing in some contexts.
    - gh-134168: http.server: Fix IPv6 address binding and --directory handling when using HTTPS.
    - gh-62184: Remove import of the C implementation of io.FileIO from the Python implementation, which has its own implementation.
    - gh-133982: Emit RuntimeWarning in the Python implementation of io when the file-like object is not closed explicitly in the presence of multiple I/O layers.
    - gh-133890: The tarfile module now handles UnicodeEncodeError in the same way as OSError when it cannot extract a member.
    - gh-134097: Fix interaction of the new REPL and the -X showrefcount command line option.
    - gh-133889: The generated directory listing page in http.server.SimpleHTTPRequestHandler now only shows the decoded path component of the requested URL, and not the query and fragment.
    - gh-134098: Fix handling of paths that end with a percent-encoded slash (%2f or %2F) in http.server.SimpleHTTPRequestHandler.
    - gh-132124: On POSIX-compliant systems, multiprocessing.util.get_temp_dir() now ignores TMPDIR (and similar environment variables) if the path length of AF_UNIX socket files exceeds the platform-specific maximum length when using the forkserver start method. Patch by Bénédikt Tran.
    - gh-134062: ipaddress: fix collisions in __hash__() for IPv4Network and IPv6Network objects.
    - gh-133970: Make string.templatelib.Template and string.templatelib.Interpolation generic.
    - gh-71253: Raise ValueError in open() if opener returns a negative file descriptor in the Python implementation of io to match the C implementation.
    - gh-133960: Simplify and improve typing.evaluate_forward_ref(). It now no longer raises errors on certain invalid types. In several situations, it is now able to evaluate forward references that were previously unsupported.
    - gh-133925: Make the private class typing._UnionGenericAlias hashable.
    - gh-133653: Fix argparse.ArgumentParser with the formatter_class argument. Fix TypeError when formatter_class is a custom subclass of HelpFormatter. Fix TypeError when formatter_class is not a subclass of HelpFormatter and a non-standard prefix_char is used. Fix support of colorizing when formatter_class is not a subclass of HelpFormatter.
    - gh-132641: Fixed a race in functools.lru_cache() under free-threading.
    - gh-133783: Fix bug with applying copy.replace() to ast objects. Attributes that default to None were incorrectly treated as required for manually created AST nodes.
    - gh-133684: Fix bug where annotationlib.get_annotations() would return the wrong result for certain classes that are part of a class hierarchy where from __future__ import annotations is used.
    - gh-77057: Fix handling of invalid markup declarations in html.parser.HTMLParser.
    - gh-130328: Speed up pasting in PyREPL on Windows in a legacy console. Patch by Chris Eibl.
    - gh-133701: Fix bug where typing.TypedDict classes defined under from __future__ import annotations and inheriting from another TypedDict had an incorrect __annotations__ attribute.
    - gh-133581: Improve unparsing of t-strings in ast.unparse() and from __future__ import annotations. Empty t-strings now round-trip correctly and formatting in interpolations is preserved. Patch by Jelle Zijlstra.
    - gh-133551: Support t-strings (PEP 750) in annotationlib. Patch by Jelle Zijlstra.
    - gh-133439: Fix dot commands with trailing spaces being mistaken for multi-line SQL statements in the sqlite3 command-line interface.
    - gh-132493: Avoid accessing __annotations__ unnecessarily in inspect.signature().
    - gh-132876: ldexp() on Windows doesn’t round subnormal results before Windows 11, but should. Python’s math.ldexp() wrapper now does round them, so results may change slightly, in rare cases of very small results, on Windows versions before 11.
    - gh-133009: xml.etree.ElementTree: Fix a crash in Element.__deepcopy__ when the element is concurrently mutated. Patch by Bénédikt Tran.
    - gh-91555: Ignore log messages generated during handling of log messages, to avoid deadlock or infinite recursion.
    - gh-125028: functools.Placeholder cannot be passed to functools.partial() as a keyword argument.
    - gh-62824: Fix aliases for the iso8859_8 encoding. Patch by Dave Goncalves.
    - gh-86155: html.parser.HTMLParser.close() no longer loses data when the