- Security
- Replaced usage of tempfile.mktemp() with TemporaryDirectory
to avoid a potential race condition.
- Add auditing events to the marshal module, and stop raising
code.__init__ events for every unmarshalled code object.
Directly instantiated code objects will continue to raise
an event, and audit event handlers should inspect or
collect the raw marshal data. This reduces a significant
performance overhead when loading from .pyc files.
- Made the internal putcmd function in smtplib sanitize input
for presence of \r and \n characters to avoid (unlikely)
command injection.
- Core and Builtins
- Fixed pickling of range iterators that iterated for over
2**32 times.
- Fix a race in WeakKeyDictionary, WeakValueDictionary and
WeakSet when two threads attempt to commit the last pending
removal. This fixes asyncio.create_task and fixes a data
loss in asyncio.run where shutdown_asyncgens is not run
- Fixed a corner case bug where the result of
float.fromhex('0x.8p-1074') was rounded the wrong way.
- Refine the syntax error for trailing commas in import
statements. Patch by Pablo Galindo.
- Restore behaviour of complex exponentiation with
integer-valued exponent of type float or complex.
- Correct the ast locations of f-strings with format specs
and repeated expressions. Patch by Pablo Galindo
- Use new trashcan macros (Py_TRASHCAN_BEGIN/END) in
frameobject.c instead of the old ones
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=83
- Update to 3.9.6:
* Security
- bpo-44022: mod:http.client now avoids infinitely reading
potential HTTP headers after a 100 Continue status response
from the server.
* Core and Builtins
- bpo-44409: Fix error location information for tokenizer
errors raised on initialization of the tokenizer. Patch by
Pablo Galindo.
- bpo-43667: Improve Unicode support in non-UTF locales on
Oracle Solaris. This issue does not affect other Solaris
systems.
- bpo-44168: Fix error message in the parser involving keyword
arguments with invalid expressions. Patch by Pablo Galindo
- bpo-44114: Fix incorrect dictkeys_reversed and
dictitems_reversed function signatures in C code, which broke
webassembly builds.
- bpo-44070: No longer eagerly makes import filenames absolute,
except for extension modules, which was introduced in 3.9.5.
- bpo-28146: Fix a confusing error message in str.format().
- bpo-11105: When compiling ast.AST objects with recursive
references through compile(), the interpreter doesn’t crash
anymore instead it raises a RecursionError.
* Library
- bpo-44516: Update vendored pip to 21.1.3
- bpo-44482: Fix very unlikely resource leak in glob in
alternate Python implementations.
- bpo-44439: Fix in bz2.BZ2File.write() / lzma.LZMAFile.write()
methods, when the input data is an object that supports the
buffer protocol, the file length may be wrong.
OBS-URL: https://build.opensuse.org/request/show/910899
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=76
- Update to 3.9.5:
* Security
- bpo-43434: Creating a sqlite3.Connection object now also
produces a sqlite3.connect auditing event. Previously this
event was only produced by sqlite3.connect() calls. Patch
by Erlend E. Aasland.
- bpo-43882: The presence of newline or tab characters in
parts of a URL could allow some forms of attacks.
- Following the controlling specification for URLs defined by
WHATWG urllib.parse() now removes ASCII newlines and tabs
from URLs, preventing such attacks.
- bpo-43472: Ensures interpreter-level audit hooks receive
the cpython.PyInterpreterState_New event when called
through the _xxsubinterpreters module.
- bpo-36384: ipaddress module no longer accepts any leading
zeros in IPv4 address strings. Leading zeros are ambiguous
and interpreted as octal notation by some libraries. For
example the legacy function socket.inet_aton() treats
leading zeros as octal notatation. glibc implementation of
modern inet_pton() does not accept any leading zeros. For
a while the ipaddress module used to accept ambiguous
leading zeros.
- bpo-43075: Fix Regular Expression Denial of Service (ReDoS)
vulnerability in urllib.request.AbstractBasicAuthHandler.
The ReDoS-vulnerable regex has quadratic worst-case
complexity and it allows cause a denial of service when
identifying crafted invalid RFCs. This ReDoS issue is on
the client side and needs remote attackers to control the
HTTP server.
- bpo-42800: Audit hooks are now fired for frame.f_code,
traceback.tb_frame, and generator code/frame attribute
access.
* Core and Builtins
- bpo-43105: Importlib now resolves relative paths when
creating module spec objects from file locations.
- bpo-42924: Fix bytearray repetition incorrectly copying
data from the start of the buffer, even if the data is
offset within the buffer (e.g. after reassigning a slice at
the start of the bytearray to a shorter byte string).
* Library
- bpo-43993: Update bundled pip to 21.1.1.
- bpo-43937: Fixed the turtle module working with non-default
root window.
- bpo-43930: Update bundled pip to 21.1 and setuptools to
56.0.0
- bpo-43920: OpenSSL 3.0.0: load_verify_locations() now
returns a consistent error message when cadata contains no
valid certificate.
- bpo-43607: urllib can now convert Windows paths with \\?\
prefixes into URL paths.
- bpo-43284: platform.win32_ver derives the windows version
from sys.getwindowsversion().platform_version which in turn
derives the version from kernel32.dll (which can be of
a different version than Windows itself). Therefore change
the platform.win32_ver to determine the version using the
platform module’s _syscmd_ver private function to return an
accurate version.
- bpo-42248: [Enum] ensure exceptions raised in _missing__
are released
- bpo-43799: OpenSSL 3.0.0: define OPENSSL_API_COMPAT 1.1.1
to suppress deprecation warnings. Python requires OpenSSL
1.1.1 APIs.
- bpo-43794: Add ssl.OP_IGNORE_UNEXPECTED_EOF constants
(OpenSSL 3.0.0)
- bpo-43789: OpenSSL 3.0.0: Don’t call the password callback
function a second time when first call has signaled an
error condition.
- bpo-43788: The header files for ssl error codes are now
OpenSSL version-specific. Exceptions will now show correct
reason and library codes. The make_ssl_data.py script has
been rewritten to use OpenSSL’s text file with error codes.
- bpo-43655: tkinter dialog windows are now recognized as
dialogs by window managers on macOS and X Window.
- bpo-43534: turtle.textinput() and turtle.numinput() create
now a transient window working on behalf of the canvas
window.
- bpo-43522: Fix problem with hostname_checks_common_name.
OpenSSL does not copy hostflags from struct SSL_CTX to
struct SSL.
- bpo-42967: Allow bytes separator argument in
urllib.parse.parse_qs and urllib.parse.parse_qsl when
parsing str query strings. Previously, this raised
a TypeError.
- bpo-43176: Fixed processing of a dataclass that inherits
from a frozen dataclass with no fields. It is now correctly
detected as an error.
- bpo-41735: Fix thread locks in zlib module may go wrong in
rare case. Patch by Ma Lin.
- bpo-36470: Fix dataclasses with InitVars and replace().
Patch by Claudiu Popa.
- bpo-32745: Fix a regression in the handling of ctypes’
ctypes.c_wchar_p type: embedded null characters would cause
a ValueError to be raised. Patch by Zackery Spytz.
* Documentation
- bpo-43959: The documentation on the PyContextVar C-API was
clarified.
- bpo-43938: Update dataclasses documentation to express that
FrozenInstanceError is derived from AttributeError.
- bpo-43755: Update documentation to reflect that
unparenthesized lambda expressions can no longer be the
expression part in an if clause in comprehensions and
generator expressions since Python 3.9.
- bpo-43739: Fixing the example code in
Doc/extending/extending.rst to declare and initialize the
pmodule variable to be of the right type.
* Tests
- bpo-43961: Fix
test_logging.test_namer_rotator_inheritance() on Windows:
use os.replace() rather than os.rename(). Patch by Victor
Stinner.
- bpo-43842: Fix a race condition in the SMTP test of
test_logging. Don’t close a file descriptor (socket) from
a different thread while asyncore.loop() is polling the
file descriptor. Patch by Victor Stinner.
- bpo-43811: Tests multiple OpenSSL versions on GitHub
Actions. Use ccache to speed up testing.
- bpo-43791: OpenSSL 3.0.0: Disable testing of legacy
protocols TLS 1.0 and 1.1. Tests are failing with
TLSV1_ALERT_INTERNAL_ERROR.
- Refreshed patches:
- bpo-31046_ensurepip_honours_prefix.patch
- python-3.3.0b1-fix_date_time_compiler.patch
- Add vendorized files from bluez-devel to enable building support for
Bluetooth.
OBS-URL: https://build.opensuse.org/request/show/890779
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=66
- bpo#43710: Reverted the fix for https://bugs.python.org/issue42500
as it changed the PyThreadState struct size and broke the 3.9.x ABI
in the 3.9.3 release (visible on 32-bit platforms using binaries
compiled using an earlier version of Python 3.9.x headers).
- bpo#26053: Fixed bug where the pdb interactive run command echoed
the args from the shell command line, even if those have been
overridden at the pdb prompt.
- bpo#42988 (bsc#1183374) CVE-2021-3426: Remove the getfile
feature of the pydoc module which could be abused to read
arbitrary files on the disk (directory traversal
vulnerability). Moreover, even source code of Python modules
can contain sensitive data like passwords. Vulnerability
reported by David Schwörer.
- bpo#43285: ftplib no longer trusts the IP address value
returned from the server in response to the PASV command by
default. This prevents a malicious FTP server from using the
response to probe IPv4 address and port combinations on the
client network. Code that requires the former vulnerable
behavior may set a trust_server_pasv_ipv4_address attribute
on their ftplib.FTP instances to True to re-enable it.
- bpo#43439: Add audit hooks for gc.get_objects(),
gc.get_referrers() and gc.get_referents(). Patch by Pablo
Galindo.
- bpo#43660: Fix crash that happens when replacing sys.stderr
with a callable that can remove the object while an exception
is being printed. Patch by Pablo Galindo.
- bpo#43555: Report the column offset for SyntaxError for
invalid line continuation characters. Patch by Pablo Galindo.
- bpo#43517: Fix misdetection of circular imports when using
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=62
- bpo#42938 (bsc#1181126): Avoid static buffers when computing
the repr of ctypes.c_double and ctypes.c_longdouble
values. This issue was assigned CVE-2021-3177.
- bpo#42967 (bso#1182379): Fix web cache poisoning
vulnerability by defaulting the query args separator to &,
and allowing the user to choose a custom separator. This
issue was assigned CVE-2021-23336.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=53
* remove importlib_resources and importlib-metadata
provides/obsoletes
* import importlib_resources is not the same as
import importlib.resources, same for metadata
* The backport packages from PyPI needed for older flavors are
specified as such for setuptools or in pyproject.toml. If a
package requires them they typically add them with a python
version qualifier and the packages have their own version
numbers.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=40
* Core and Builtins
- bpo-38156: Handle interrupts that come after EOF
correctly in PyOS_StdioReadline.
* Library
- bpo-41497: Fix potential UnicodeDecodeError in dis
module.
- bpo-41490: Update ensurepip to install pip 20.2.1 and
setuptools 49.2.1.
- bpo-41467: On Windows, fix asyncio recv_into() return
value when the socket/pipe is closed (BrokenPipeError):
return 0 rather than an empty byte string (b'').
- bpo-41425: Make tkinter doc example runnable.
- bpo-41384: Raise TclError instead of TypeError when an
unknown option is passed to tkinter.OptionMenu.
- bpo-38731: Fix NameError in command-line interface of
py_compile.
- bpo-41317: Use add_done_callback() in
asyncio.loop.sock_accept() to unsubscribe reader early on
cancellation.
- bpo-41364: Reduce import overhead of uuid.
- bpo-41341: Recursive evaluation of typing.ForwardRef in
get_type_hints.
- bpo-41182: selector: use DefaultSelector based upon
implementation
- bpo-40726: Handle cases where the end_lineno is None on
ast.increment_lineno().
* Documentation
- bpo-41045: Add documentation for debug feature of
f-strings.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=26
- Removed CVE-2019-20907_tarfile-inf-loop.patch: fixed in upstream
- Removed recursion.tar: contained in upstream
- Update to 3.9.0b5:
- bpo-41304: Fixes python3x._pth being ignored on Windows, caused
by the fix for bpo-29778 (CVE-2020-15801).
- bpo-41162: Audit hooks are now cleared later during
finalization to avoid missing events.
- bpo-29778: Ensure python3.dll is loaded from correct locations
when Python is embedded (CVE-2020-15523).
- bpo-39603: Prevent http header injection by rejecting control
characters in http.client.putrequest(…).
- bpo-41295: Resolve a regression in CPython 3.8.4 where defining
“__setattr__” in a multi-inheritance setup and
calling up the hierarchy chain could fail if builtins/extension
types were involved in the base types.
- bpo-41247: Always cache the running loop holder when running
asyncio.set_running_loop.
- bpo-41252: Fix incorrect refcounting in
_ssl.c’s _servername_callback().
- bpo-41215: Use non-NULL default values in the PEG parser
keyword list to overcome a bug that was '
preventing Python from being properly compiled when using the
XLC compiler. Patch by Pablo Galindo.
- bpo-41218: Python 3.8.3 had a regression where compiling with
ast.PyCF_ALLOW_TOP_LEVEL_AWAIT would
aggressively mark list comprehension with CO_COROUTINE. Now only
list comprehension making use of async/await will tagged as so.
- bpo-41175: Guard against a NULL pointer dereference within
bytearrayobject triggered by the bytearray() + bytearray() operation.
- bpo-39960: The “hackcheck” that prevents sneaking around a type’s
__setattr__() by calling the superclass method was
rewritten to allow C implemented heap types.
- bpo-41288: Unpickling invalid NEWOBJ_EX opcode with the
C implementation raises now UnpicklingError instead of crashing.
- bpo-39017: Avoid infinite loop when reading specially crafted
TAR files using the tarfile module (CVE-2019-20907, bsc#1174091).
- bpo-41235: Fix the error handling in ssl.SSLContext.load_dh_params().
- bpo-41207: In distutils.spawn, restore expectation that
DistutilsExecError is raised when the command is not found.
- bpo-39168: Remove the __new__ method of typing.Generic.
- bpo-41194: Fix a crash in the _ast module: it can no longer be
loaded more than once. It now uses a global state rather than a module state.
- bpo-39384: Fixed email.contentmanager to allow set_content() to set a
null string.
- bpo-41300: Save files with non-ascii chars.
Fix regression released in 3.9.0b4 and 3.8.4.
- bpo-37765: Add keywords to module name completion list.
Rewrite Completions section of IDLE doc.
- bpo-40170: Revert PyType_HasFeature() change: it reads
again directly the PyTypeObject.tp_flags
member when the limited C API is not used, rather than always calling
PyType_GetFlags() which hides implementation details.
OBS-URL: https://build.opensuse.org/request/show/822056
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=18
