- Update to 3.9.13:
- Core and Builtins
- gh-92311: Fixed a bug where setting frame.f_lineno to jump
over a list comprehension could misbehave or crash.
- gh-92112: Fix crash triggered by an evil custom mro() on
a metaclass.
- gh-92036: Fix a crash in subinterpreters related to the
garbage collector. When a subinterpreter is deleted,
untrack all objects tracked by its GC. To prevent a crash
in deallocator functions expecting objects to be tracked by
the GC, leak a strong reference to these objects on
purpose, so they are never deleted and their deallocator
functions are not called. Patch by Victor Stinner.
- gh-91421: Fix a potential integer overflow in
_Py_DecodeUTF8Ex.
- bpo-46775: Some Windows system error codes (>= 10000) are
now mapped into the correct errno and may now raise
a subclass of OSError. Patch by Dong-hee Na.
- bpo-46962: Classes and functions that unconditionally
declared their docstrings ignoring the
--without-doc-strings compilation flag no longer do so.
- The classes affected are pickle.PickleBuffer,
testcapi.RecursingInfinitelyError, and types.GenericAlias.
- The functions affected are 24 methods in ctypes.
- Patch by Oleg Iarygin.
- bpo-36819: Fix crashes in built-in encoders with error
handlers that return position less than or equal to the
starting position of non-encodable characters.
- Library
- gh-91581: utcfromtimestamp() no longer attempts to resolve
fold in the pure Python implementation, since the fold is
never 1 in UTC. In addition to being slightly faster in the
common case, this also prevents some errors when the
timestamp is close to datetime.min. Patch by Paul Ganssle.
- gh-92530: Fix an issue that occurred after interrupting
threading.Condition.notify().
- gh-92049: Forbid pickling constants re._constants.SUCCESS
etc. Previously, pickling did not fail, but the result
could not be unpickled.
- bpo-47029: Always close the read end of the pipe used by
multiprocessing.Queue after the last write of buffered data
to the write end of the pipe to avoid BrokenPipeError at
garbage collection and at multiprocessing.Queue.close()
calls. Patch by Géry Ogam.
- gh-91910: Add missing f prefix to f-strings in error
messages from the multiprocessing and asyncio modules.
- gh-91810: ElementTree method write() and function
tostring() now use the text file’s encoding (“UTF-8” if not
available) instead of locale encoding in XML declaration
when encoding="unicode" is specified.
- gh-91832: Add required attribute to argparse.Action repr
output.
- gh-91734: Fix OSS audio support on Solaris.
- gh-91700: Compilation of regular expression containing
a conditional expression (?(group)...) now raises an
appropriate re.error if the group number refers to not
defined group. Previously an internal RuntimeError was
raised.
- gh-91676: Fix unittest.IsolatedAsyncioTestCase to shutdown
the per test event loop executor before returning from its
run method so that a not yet stopped or garbage collected
executor state does not persist beyond the test.
- gh-90568: Parsing \N escapes of Unicode Named Character
Sequences in a regular expression now raises re.error
instead of TypeError.
- gh-91595: Fix the comparison of character and integer
inside Tools.gdb.libpython.write_repr(). Patch by Yu Liu.
- gh-90622: Worker processes for
concurrent.futures.ProcessPoolExecutor are no longer
spawned on demand (a feature added in 3.9) when the
multiprocessing context start method is "fork" as that can
lead to deadlocks in the child processes due to a fork
happening while threads are running.
- gh-91575: Update case-insensitive matching in the re module
to the latest Unicode version.
- gh-91581: Remove an unhandled error case in the
C implementation of calls to datetime.fromtimestamp with no
time zone (i.e. getting a local time from an epoch
timestamp). This should have no user-facing effect other
than giving a possibly more accurate error message when
called with timestamps that fall on 10000-01-01 in the
local time. Patch by Paul Ganssle.
- bpo-34480: Fix a bug where _markupbase raised an
UnboundLocalError when an invalid keyword was found in
marked section. Patch by Marek Suscak.
- bpo-27929: Fix asyncio.loop.sock_connect() to only resolve
names for socket.AF_INET or socket.AF_INET6 families.
Resolution may not make sense for other families, like
socket.AF_BLUETOOTH and socket.AF_UNIX.
- bpo-43323: Fix errors in the email module if the charset
itself contains undecodable/unencodable characters.
- bpo-46787: Fix concurrent.futures.ProcessPoolExecutor
exception memory leak
- bpo-46415: Fix ipaddress.ip_{address,interface,network}
raising TypeError instead of ValueError if given invalid
tuple as address parameter.
- bpo-44911: IsolatedAsyncioTestCase will no longer throw an
exception while cancelling leaked tasks. Patch by Bar
Harel.
- bpo-44493: Add missing terminated NUL in sockaddr_un’s
length
- This was potentially observable when using non-abstract
AF_UNIX datagram sockets to processes written in another
programming language.
- bpo-42627: Fix incorrect parsing of Windows registry proxy
settings
- bpo-36073: Raise ProgrammingError instead of segfaulting on
recursive usage of cursors in sqlite3 converters. Patch by
Sergey Fedoseev.
- Documentation
- gh-91888: Add a new gh role to the documentation to link to
GitHub issues.
- gh-91783: Document security issues concerning the use of
the function shutil.unpack_archive()
- gh-91547: Remove “Undocumented modules” page.
- bpo-44347: Clarify the meaning of dirs_exist_ok, a kwarg of
shutil.copytree().
- bpo-38668: Update the introduction to documentation for
os.path to remove warnings that became irrelevant after the
implementations of PEP 383 and PEP 529.
- bpo-47138: Pin Jinja to a version compatible with Sphinx
version 2.4.4.
- bpo-46962: All docstrings in code snippets are now wrapped
into PyDoc_STR() to follow the guideline of PEP 7’s
Documentation Strings paragraph. Patch by Oleg Iarygin.
- bpo-26792: Improve the docstrings of runpy.run_module() and
runpy.run_path(). Original patch by Andrew Brezovsky.
- bpo-45790: Adjust inaccurate phrasing in Defining Extension
Types: Tutorial about the ob_base field and the macros used
to access its contents.
- bpo-42340: Document that in some circumstances
KeyboardInterrupt may cause the code to enter an
inconsistent state. Provided a sample workaround to avoid
it if needed.
- bpo-41233: Link the errnos referenced in
Doc/library/exceptions.rst to their respective section in
Doc/library/errno.rst, and vice versa. Previously this was
only done for EINTR and InterruptedError. Patch by Yan
“yyyyyyyan” Orestes.
- bpo-38056: Overhaul the Error Handlers documentation in
codecs.
- bpo-13553: Document tkinter.Tk args.
- Tests
- gh-91607: Fix test_concurrent_futures to test the correct
multiprocessing start method context in several cases where
the test logic mixed this up.
- bpo-47205: Skip test for sched_getaffinity() and
sched_setaffinity() error case on FreeBSD.
- bpo-29890: Add tests for ipaddress.IPv4Interface and
ipaddress.IPv6Interface construction with tuple arguments.
Original patch and tests by louisom.
- Build
- bpo-47103: Windows PGInstrument builds now copy a required
DLL into the output directory, making it easier to run the
profile stage of a PGO build.
- Windows
- bpo-47194: Update zlib to v1.2.12 to resolve
CVE-2018-25032.
- bpo-46785: Fix race condition between os.stat() and
unlinking a file on Windows, by using errors codes returned
by FindFirstFileW() when appropriate in win32_xstat_impl.
- bpo-40859: Update Windows build to use xz-5.2.5
- Tools/Demos
- gh-91583: Fix regression in the code generated by Argument
Clinic for functions with the defining_class parameter.
- Add patch support-expat-245.patch:
* Support Expat >= 2.4.4 (jsc#SLE-21253)
OBS-URL: https://build.opensuse.org/request/show/978332
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python39?expand=0&rev=29
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=98
- Update to 3.9.12:
- bpo-46968: Check for the existence of the “sys/auxv.h” header
in faulthandler to avoid compilation problems in systems
where this header doesn’t exist. Patch by Pablo Galindo
- bpo-47101: hashlib.algorithms_available now lists only
algorithms that are provided by activated crypto providers on
OpenSSL 3.0. Legacy algorithms are not listed unless the
legacy provider has been loaded into the default OSSL
context.
- bpo-23691: Protect the re.finditer() iterator from
re-entering.
- bpo-42369: Fix thread safety of zipfile._SharedFile.tell() to
avoid a “zipfile.BadZipFile: Bad CRC-32 for file” exception
when reading a ZipFile from multiple threads.
- bpo-38256: Fix binascii.crc32() when it is compiled to use
zlib’s crc32 to work properly on inputs 4+GiB in length
instead of returning the wrong result. The workaround prior
to this was to always feed the function data in increments
smaller than 4GiB or to just call the zlib module function.
- bpo-39394: A warning about inline flags not at the start of
the regular expression now contains the position of the flag.
- bpo-47061: Deprecate the various modules listed by PEP 594:
- aifc, asynchat, asyncore, audioop, cgi, cgitb, chunk, crypt,
imghdr, msilib, nntplib, nis, ossaudiodev, pipes, smtpd,
sndhdr, spwd, sunau, telnetlib, uu, xdrlib
- bpo-2604: Fix bug where doctests using globals would fail
when run multiple times.
- bpo-45997: Fix asyncio.Semaphore re-acquiring FIFO order.
- bpo-47022: The asynchat, asyncore and smtpd modules have been
deprecated since at least Python 3.6. Their documentation has
OBS-URL: https://build.opensuse.org/request/show/965121
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python39?expand=0&rev=28
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=96
- Update to 3.9.9:
* Core and Builtins
+ bpo-30570: Fixed a crash in issubclass() from infinite recursion when searching pathological __bases__ tuples.
+ bpo-45494: Fix parser crash when reporting errors involving invalid continuation characters. Patch by Pablo Galindo.
+ bpo-45385: Fix reference leak from descr_check. Patch by Dong-hee Na.
+ bpo-45167: Fix deepcopying of types.GenericAlias objects.
+ bpo-44219: Release the GIL while performing isatty system calls on arbitrary file descriptors. In particular, this affects os.isatty(), os.device_encoding() and io.TextIOWrapper. By extension, io.open() in text mode is also affected. This change solves a deadlock in os.isatty(). Patch by Vincent Michel in bpo-44219.
+ bpo-44959: Added fallback to extension modules with ‘.sl’ suffix on HP-UX
+ bpo-44050: Extensions that indicate they use global state (by setting m_size to -1) can again be used in multiple interpreters. This reverts to behavior of Python 3.8.
+ bpo-45121: Fix issue where Protocol.__init__ raises RecursionError when it’s called directly or via super(). Patch provided by Yurii Karabas.
+ bpo-45083: When the interpreter renders an exception, its name now has a complete qualname. Previously only the class name was concatenated to the module name, which sometimes resulted in an incorrect full name being displayed.
+ bpo-45738: Fix computation of error location for invalid continuation characters in the parser. Patch by Pablo Galindo.
+ Library
+ bpo-45678: Fix bug in Python 3.9 that meant functools.singledispatchmethod failed to properly wrap the attributes of the target method. Patch by Alex Waygood.
+ bpo-45679: Fix caching of multi-value typing.Literal. Literal[True, 2] is no longer equal to Literal[1, 2].
+ bpo-45438: Fix typing.Signature string representation for generic builtin types.
+ bpo-45581: sqlite3.connect() now correctly raises MemoryError if the underlying SQLite API signals memory error. Patch by Erlend E. Aasland.
+ bpo-39679: Fix bug in functools.singledispatchmethod that caused it to fail when attempting to register a classmethod() or staticmethod() using type annotations. Patch contributed by Alex Waygood.
+ bpo-45515: Add references to zoneinfo in the datetime documentation, mostly replacing outdated references to dateutil.tz. Change by Paul Ganssle.
+ bpo-45467: Fix incremental decoder and stream reader in the “raw-unicode-escape” codec. Previously they failed if the escape sequence was split.
+ bpo-45461: Fix incremental decoder and stream reader in the “unicode-escape” codec. Previously they failed if the escape sequence was split.
+ bpo-45239: Fixed email.utils.parsedate_tz() crashing with UnboundLocalError on certain invalid input instead of returning None. Patch by Ben Hoyt.
+ bpo-44904: Fix bug in the doctest module that caused it to fail if a docstring included an example with a classmethod property. Patch by Alex Waygood.
+ bpo-45406: Make inspect.getmodule() catch FileNotFoundError raised by inspect.getabsfile(), and return None to indicate that the module could not be determined.
+ bpo-45262: Prevent use-after-free in asyncio. Make sure the cached running loop holder gets cleared on dealloc to prevent use-after-free in get_running_loop
+ bpo-45386: Make xmlrpc.client more robust to C runtimes where the underlying C strftime function results in a ValueError when testing for year formatting options.
+ bpo-45371: Fix clang rpath issue in distutils. The UnixCCompiler now uses correct clang option to add a runtime library directory (rpath) to a shared library.
+ bpo-20028: Improve error message of csv.Dialect when initializing. Patch by Vajrasky Kok and Dong-hee Na.
+ bpo-45343: Update bundled pip to 21.2.4 and setuptools to 58.1.0
+ bpo-41710: On Unix, if the sem_clockwait() function is available in the C library (glibc 2.30 and newer), the threading.Lock.acquire() method now uses the monotonic clock (time.CLOCK_MONOTONIC) for the timeout, rather than using the system clock (time.CLOCK_REALTIME), to not be affected by system clock changes. Patch by Victor Stinner.
OBS-URL: https://build.opensuse.org/request/show/931924
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python39?expand=0&rev=24
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=87
- bpo-44022 (bsc#1189241, CVE-2021-3737): http.client now
avoids infinitely reading potential HTTP headers after
a 100 Continue status response from the server.
- bpo-43075 (CVE-2021-3733, bsc#1189287): Fix Regular
Expression Denial of Service (ReDoS) vulnerability in
urllib.request.AbstractBasicAuthHandler. The
ReDoS-vulnerable regex has quadratic worst-case complexity
and can cause a denial of service when identifying
crafted invalid RFCs. This ReDoS issue is on the client
side and needs remote attackers to control the HTTP server.
OBS-URL: https://build.opensuse.org/request/show/919259
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python39?expand=0&rev=22
- Security
- Replaced usage of tempfile.mktemp() with TemporaryDirectory
to avoid a potential race condition.
- Add auditing events to the marshal module, and stop raising
code.__init__ events for every unmarshalled code object.
Directly instantiated code objects will continue to raise
an event, and audit event handlers should inspect or
collect the raw marshal data. This reduces a significant
performance overhead when loading from .pyc files.
- Made the internal putcmd function in smtplib sanitize input
for presence of \r and \n characters to avoid (unlikely)
command injection.
- Core and Builtins
- Fixed pickling of range iterators that iterated for over
2**32 times.
- Fix a race in WeakKeyDictionary, WeakValueDictionary and
WeakSet when two threads attempt to commit the last pending
removal. This fixes asyncio.create_task and fixes a data
loss in asyncio.run where shutdown_asyncgens is not run
- Fixed a corner case bug where the result of
float.fromhex('0x.8p-1074') was rounded the wrong way.
- Refine the syntax error for trailing commas in import
statements. Patch by Pablo Galindo.
- Restore behaviour of complex exponentiation with
integer-valued exponent of type float or complex.
- Correct the ast locations of f-strings with format specs
and repeated expressions. Patch by Pablo Galindo
- Use new trashcan macros (Py_TRASHCAN_BEGIN/END) in
frameobject.c instead of the old ones
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=83
- Update to 3.9.6:
* Security
- bpo-44022: http.client now avoids infinitely reading
potential HTTP headers after a 100 Continue status response
from the server.
* Core and Builtins
- bpo-44168: Fix error message in the parser involving keyword
arguments with invalid expressions. Patch by Pablo Galindo
- bpo-44114: Fix incorrect dictkeys_reversed and
dictitems_reversed function signatures in C code, which broke
webassembly builds.
- bpo-44070: No longer eagerly makes import filenames absolute,
except for extension modules, which was introduced in 3.9.5.
- bpo-28146: Fix a confusing error message in str.format().
- bpo-11105: When compiling ast.AST objects with recursive
references through compile(), the interpreter no longer
crashes; instead it raises a RecursionError.
* Library
- bpo-43972: When http.server.SimpleHTTPRequestHandler sends a
301 (Moved Permanently) for a directory path not ending with
/, add a Content-Length: 0 header. This improves the behavior
for certain clients.
- bpo-43776: When subprocess.Popen args are provided as a
string or as pathlib.Path, the Popen instance repr now shows
the right thing.
- bpo-43318: Fix a bug where pdb does not always echo cleared
breakpoints.
- bpo-43295: datetime.datetime.strptime() now raises ValueError
instead of IndexError when matching 'z' with the %z format
specifier.
OBS-URL: https://build.opensuse.org/request/show/911061
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python39?expand=0&rev=20
- Update to 3.9.6:
* Security
- bpo-44022: http.client now avoids infinitely reading
potential HTTP headers after a 100 Continue status response
from the server.
* Core and Builtins
- bpo-44409: Fix error location information for tokenizer
errors raised on initialization of the tokenizer. Patch by
Pablo Galindo.
- bpo-43667: Improve Unicode support in non-UTF locales on
Oracle Solaris. This issue does not affect other Solaris
systems.
- bpo-44168: Fix error message in the parser involving keyword
arguments with invalid expressions. Patch by Pablo Galindo
- bpo-44114: Fix incorrect dictkeys_reversed and
dictitems_reversed function signatures in C code, which broke
webassembly builds.
- bpo-44070: No longer eagerly makes import filenames absolute,
except for extension modules, which was introduced in 3.9.5.
- bpo-28146: Fix a confusing error message in str.format().
- bpo-11105: When compiling ast.AST objects with recursive
references through compile(), the interpreter no longer
crashes; instead it raises a RecursionError.
* Library
- bpo-44516: Update vendored pip to 21.1.3
- bpo-44482: Fix very unlikely resource leak in glob in
alternate Python implementations.
- bpo-44439: Fix in bz2.BZ2File.write() / lzma.LZMAFile.write()
methods, when the input data is an object that supports the
buffer protocol, the file length may be wrong.
OBS-URL: https://build.opensuse.org/request/show/910899
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=76
- Update to 3.9.5:
* Security
- bpo-43434: Creating a sqlite3.Connection object now also
produces a sqlite3.connect auditing event. Previously this
event was only produced by sqlite3.connect() calls. Patch
by Erlend E. Aasland.
- bpo-43882: The presence of newline or tab characters in
parts of a URL could allow some forms of attacks.
- Following the controlling specification for URLs defined by
WHATWG urllib.parse() now removes ASCII newlines and tabs
from URLs, preventing such attacks.
- bpo-43472: Ensures interpreter-level audit hooks receive
the cpython.PyInterpreterState_New event when called
through the _xxsubinterpreters module.
- bpo-36384: ipaddress module no longer accepts any leading
zeros in IPv4 address strings. Leading zeros are ambiguous
and interpreted as octal notation by some libraries. For
example the legacy function socket.inet_aton() treats
leading zeros as octal notation. glibc implementation of
modern inet_pton() does not accept any leading zeros. For
a while the ipaddress module used to accept ambiguous
leading zeros.
- bpo-43075: Fix Regular Expression Denial of Service (ReDoS)
vulnerability in urllib.request.AbstractBasicAuthHandler.
The ReDoS-vulnerable regex has quadratic worst-case
complexity and can cause a denial of service when
identifying crafted invalid RFCs. This ReDoS issue is on
the client side and needs remote attackers to control the
HTTP server.
- bpo-42800: Audit hooks are now fired for frame.f_code,
traceback.tb_frame, and generator code/frame attribute
access.
* Core and Builtins
- bpo-43105: Importlib now resolves relative paths when
creating module spec objects from file locations.
- bpo-42924: Fix bytearray repetition incorrectly copying
data from the start of the buffer, even if the data is
offset within the buffer (e.g. after reassigning a slice at
the start of the bytearray to a shorter byte string).
* Library
- bpo-43993: Update bundled pip to 21.1.1.
- bpo-43937: Fixed the turtle module working with non-default
root window.
- bpo-43930: Update bundled pip to 21.1 and setuptools to
56.0.0
- bpo-43920: OpenSSL 3.0.0: load_verify_locations() now
returns a consistent error message when cadata contains no
valid certificate.
- bpo-43607: urllib can now convert Windows paths with \\?\
prefixes into URL paths.
- bpo-43284: platform.win32_ver derives the windows version
from sys.getwindowsversion().platform_version which in turn
derives the version from kernel32.dll (which can be of
a different version than Windows itself). Therefore change
the platform.win32_ver to determine the version using the
platform module’s _syscmd_ver private function to return an
accurate version.
- bpo-42248: [Enum] ensure exceptions raised in _missing_
are released
- bpo-43799: OpenSSL 3.0.0: define OPENSSL_API_COMPAT 1.1.1
to suppress deprecation warnings. Python requires OpenSSL
1.1.1 APIs.
- bpo-43794: Add ssl.OP_IGNORE_UNEXPECTED_EOF constants
(OpenSSL 3.0.0)
- bpo-43789: OpenSSL 3.0.0: Don’t call the password callback
function a second time when first call has signaled an
error condition.
- bpo-43788: The header files for ssl error codes are now
OpenSSL version-specific. Exceptions will now show correct
reason and library codes. The make_ssl_data.py script has
been rewritten to use OpenSSL’s text file with error codes.
- bpo-43655: tkinter dialog windows are now recognized as
dialogs by window managers on macOS and X Window.
- bpo-43534: turtle.textinput() and turtle.numinput() now
create a transient window working on behalf of the canvas
window.
- bpo-43522: Fix problem with hostname_checks_common_name.
OpenSSL does not copy hostflags from struct SSL_CTX to
struct SSL.
- bpo-42967: Allow bytes separator argument in
urllib.parse.parse_qs and urllib.parse.parse_qsl when
parsing str query strings. Previously, this raised
a TypeError.
- bpo-43176: Fixed processing of a dataclass that inherits
from a frozen dataclass with no fields. It is now correctly
detected as an error.
- bpo-41735: Fix thread locks in zlib module may go wrong in
rare case. Patch by Ma Lin.
- bpo-36470: Fix dataclasses with InitVars and replace().
Patch by Claudiu Popa.
- bpo-32745: Fix a regression in the handling of ctypes’
ctypes.c_wchar_p type: embedded null characters would cause
a ValueError to be raised. Patch by Zackery Spytz.
* Documentation
- bpo-43959: The documentation on the PyContextVar C-API was
clarified.
- bpo-43938: Update dataclasses documentation to express that
FrozenInstanceError is derived from AttributeError.
- bpo-43755: Update documentation to reflect that
unparenthesized lambda expressions can no longer be the
expression part in an if clause in comprehensions and
generator expressions since Python 3.9.
- bpo-43739: Fixing the example code in
Doc/extending/extending.rst to declare and initialize the
pmodule variable to be of the right type.
* Tests
- bpo-43961: Fix
test_logging.test_namer_rotator_inheritance() on Windows:
use os.replace() rather than os.rename(). Patch by Victor
Stinner.
- bpo-43842: Fix a race condition in the SMTP test of
test_logging. Don’t close a file descriptor (socket) from
a different thread while asyncore.loop() is polling the
file descriptor. Patch by Victor Stinner.
- bpo-43811: Tests multiple OpenSSL versions on GitHub
Actions. Use ccache to speed up testing.
- bpo-43791: OpenSSL 3.0.0: Disable testing of legacy
protocols TLS 1.0 and 1.1. Tests are failing with
TLSV1_ALERT_INTERNAL_ERROR.
- Refreshed patches:
- bpo-31046_ensurepip_honours_prefix.patch
- python-3.3.0b1-fix_date_time_compiler.patch
- Add vendorized files from bluez-devel to enable building support for
Bluetooth.
OBS-URL: https://build.opensuse.org/request/show/890779
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=66
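The two input-parsing changes in the 3.9.5 Security list above (bpo-36384 leading zeros in IPv4 strings, bpo-43882 newlines and tabs in URLs) can be enforced regardless of interpreter version and probed on the running one. This is an added example, not part of the changelog or of CPython; the function names are hypothetical and the sample addresses and URL are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Characters that bpo-43882 made urllib.parse strip (ASCII tab, CR, LF).
URL_STRIPPED_CHARS = "\t\r\n"


def strict_ipv4(text):
    """Parse a dotted-quad IPv4 string, refusing leading zeros on any Python version."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets: {text!r}")
    for part in parts:
        if not (part.isascii() and part.isdigit()):
            raise ValueError(f"non-decimal octet {part!r} in {text!r}")
        if len(part) > 1 and part[0] == "0":
            raise ValueError(f"ambiguous leading zero in octet {part!r}")
    return ipaddress.IPv4Address(text)


def legacy_octal_view(text):
    """Four-part address as read by a parser that treats leading-zero octets as octal."""
    octets = []
    for part in text.split("."):
        base = 8 if len(part) > 1 and part[0] == "0" else 10
        octets.append(int(part, base))
    return ipaddress.IPv4Address(bytes(octets))


def readings_disagree(text, network):
    """True when the decimal and octal readings fall on different sides of `network`."""
    decimal = ipaddress.IPv4Address(
        ".".join(str(int(part, 10)) for part in text.split("."))
    )
    net = ipaddress.ip_network(network)
    return (decimal in net) != (legacy_octal_view(text) in net)


def reject_url_control_chars(url):
    """Return the URL unchanged, or raise if it contains a tab, CR or LF anywhere."""
    found = sorted({ch for ch in url if ch in URL_STRIPPED_CHARS})
    if found:
        raise ValueError(f"URL contains control characters: {found!r}")
    return url


def interpreter_has_fixes():
    """Probe the running interpreter for both behaviour changes."""
    try:
        ipaddress.IPv4Address("010.0.0.1")  # constructed sample
        zeros_rejected = False
    except ValueError:
        zeros_rejected = True
    split = urlsplit("http://exa\nmple.test/a\tb")  # constructed sample
    return {
        "bpo-36384": zeros_rejected,
        "bpo-43882": split.netloc == "example.test" and split.path == "/ab",
    }


if __name__ == "__main__":
    print("octal reading of 010.0.0.1:", legacy_octal_view("010.0.0.1"))
    print("interpreter fixes:", interpreter_has_fixes())
```

Validators that run on mixed interpreter versions can call strict_ipv4() and reject_url_control_chars() before any allowlist or blocklist decision, so the check and the later consumer see the same value.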
- Update to 3.9.4:
- bpo#43710: Reverted the fix for https://bugs.python.org/issue42500
as it changed the PyThreadState struct size and broke the 3.9.x ABI
in the 3.9.3 release (visible on 32-bit platforms using binaries
compiled using an earlier version of Python 3.9.x headers).
- bpo#26053: Fixed bug where the pdb interactive run command echoed
the args from the shell command line, even if those have been
overridden at the pdb prompt.
- bpo#42988 (bsc#1183374) CVE-2021-3426: Remove the getfile
feature of the pydoc module which could be abused to read
arbitrary files on the disk (directory traversal
vulnerability). Moreover, even source code of Python modules
can contain sensitive data like passwords. Vulnerability
reported by David Schwörer.
- bpo#43285: ftplib no longer trusts the IP address value
returned from the server in response to the PASV command by
default. This prevents a malicious FTP server from using the
response to probe IPv4 address and port combinations on the
client network. Code that requires the former vulnerable
behavior may set a trust_server_pasv_ipv4_address attribute
on their ftplib.FTP instances to True to re-enable it.
- bpo#43439: Add audit hooks for gc.get_objects(),
gc.get_referrers() and gc.get_referents(). Patch by Pablo
Galindo.
- bpo#43660: Fix crash that happens when replacing sys.stderr
with a callable that can remove the object while an exception
is being printed. Patch by Pablo Galindo.
- bpo#43555: Report the column offset for SyntaxError for
invalid line continuation characters. Patch by Pablo Galindo.
- bpo#43517: Fix misdetection of circular imports when using
OBS-URL: https://build.opensuse.org/request/show/889130
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python39?expand=0&rev=15
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=62