- Update to 3.12.10:
- gh-131852: msgfmt no longer adds the POT-Creation-Date to
generated .mo files for consistency with GNU msgfmt.
- gh-85012: Correctly reset msgctxt when compiling messages in
msgfmt.
- gh-131050: test_ssl.test_dh_params is skipped if the
underlying TLS library does not support finite-field
ephemeral Diffie-Hellman.
- gh-119727: Add --single-process command line option to Python
test runner (regrtest). Patch by Victor Stinner.
- gh-131809: Update bundled libexpat to 2.7.1
- gh-131261: Upgrade to libexpat 2.7.0
- gh-127371: Avoid unbounded buffering for
tempfile.SpooledTemporaryFile.writelines(). Previously, disk
spillover was only checked after the lines iterator had been
exhausted. This is now done after each line is written.
- gh-121284: Fix bug in the folding of rfc2047 encoded-words
when flattening an email message using a modern email
policy. Previously when an encoded-word was too long for
a line, it would be decoded, split across lines, and
re-encoded. But commas and other special characters in the
original text could be left unencoded and unquoted. This
could theoretically be used to spoof header lines using a
carefully constructed encoded-word if the resulting rendered
email was transmitted or re-parsed.
- gh-116608: undeprecate functional API for importlib.resources
- gh-132075: Fix possible use of socket address structures
with uninitialized members. Now all structure members are
initialized with zeroes by default.
- gh-132002: Fix crash when deallocating contextvars.ContextVar
OBS-URL: https://build.opensuse.org/request/show/1269059
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python312?expand=0&rev=30
- gh-131852: msgfmt no longer adds the POT-Creation-Date to
generated .mo files for consistency with GNU msgfmt.
- gh-85012: Correctly reset msgctxt when compiling messages in
msgfmt.
- gh-131050: test_ssl.test_dh_params is skipped if the
underlying TLS library does not support finite-field
ephemeral Diffie-Hellman.
- gh-119727: Add --single-process command line option to Python
test runner (regrtest). Patch by Victor Stinner.
- gh-131809: Update bundled libexpat to 2.7.1
- gh-131261: Upgrade to libexpat 2.7.0
- gh-127371: Avoid unbounded buffering for
tempfile.SpooledTemporaryFile.writelines(). Previously, disk
spillover was only checked after the lines iterator had been
exhausted. This is now done after each line is written.
- gh-121284: Fix bug in the folding of rfc2047 encoded-words
when flattening an email message using a modern email
policy. Previously when an encoded-word was too long for
a line, it would be decoded, split across lines, and
re-encoded. But commas and other special characters in the
original text could be left unencoded and unquoted. This
could theoretically be used to spoof header lines using a
carefully constructed encoded-word if the resulting rendered
email was transmitted or re-parsed.
- gh-116608: undeprecate functional API for importlib.resources
- gh-132075: Fix possible use of socket address structures
with uninitialized members. Now all structure members are
initialized with zeroes by default.
- gh-132002: Fix crash when deallocating contextvars.ContextVar
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python312?expand=0&rev=108
- Update to 3.12.9:
- Tests
- gh-127906: Test the limited C API in test_cppext. Patch by
Victor Stinner.
- gh-127906: Backport test_cext from the main branch. Patch
by Victor Stinner.
- gh-127637: Add tests for the dis command-line
interface. Patch by Bénédikt Tran.
- Security
- gh-105704: When using urllib.parse.urlsplit() and
urllib.parse.urlparse() host parsing would not reject
domain names containing square brackets ([ and ]). Square
brackets are only valid for IPv6 and IPvFuture hosts
according to RFC 3986 Section 3.2.2. (CVE-2025-0938,
bsc#1236705)
- gh-127655: Fixed the
asyncio.selector_events._SelectorSocketTransport
transport not pausing writes for the protocol when
the buffer reaches the high water mark when using
asyncio.WriteTransport.writelines() (CVE-2024-12254,
bsc#1234290).
- gh-126108: Fix a possible NULL pointer dereference in
PySys_AddWarnOptionUnicode().
- gh-80222: Fix bug in the folding of quoted strings
when flattening an email message using a modern email
policy. Previously when a quoted string was folded so
that it spanned more than one line, the surrounding
quotes and internal escapes would be omitted. This could
theoretically be used to spoof header lines using a
carefully constructed quoted string if the resulting
OBS-URL: https://build.opensuse.org/request/show/1244005
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python312?expand=0&rev=28
- Tests
- gh-127906: Test the limited C API in test_cppext. Patch by
Victor Stinner.
- gh-127906: Backport test_cext from the main branch. Patch
by Victor Stinner.
- gh-127637: Add tests for the dis command-line
interface. Patch by Bénédikt Tran.
- Security
- gh-105704: When using urllib.parse.urlsplit() and
urllib.parse.urlparse() host parsing would not reject
domain names containing square brackets ([ and ]). Square
brackets are only valid for IPv6 and IPvFuture hosts
according to RFC 3986 Section 3.2.2. (CVE-2025-0938,
bsc#1236705)
- gh-127655: Fixed the
asyncio.selector_events._SelectorSocketTransport
transport not pausing writes for the protocol when
the buffer reaches the high water mark when using
asyncio.WriteTransport.writelines() (CVE-2024-12254,
bsc#1234290).
- gh-126108: Fix a possible NULL pointer dereference in
PySys_AddWarnOptionUnicode().
- gh-80222: Fix bug in the folding of quoted strings
when flattening an email message using a modern email
policy. Previously when a quoted string was folded so
that it spanned more than one line, the surrounding
quotes and internal escapes would be omitted. This could
theoretically be used to spoof header lines using a
carefully constructed quoted string if the resulting
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python312?expand=0&rev=94
- Add CVE-2024-12254-unbound-mem-buffering-SelectorSocketTransport.writelines.patch
preventing exhaustion of memory (gh#python/cpython#127655,
bsc#1234290, CVE-2024-12254).
- Update to 3.12.8:
- Tools/Demos
- gh-126807: Fix extraction warnings in pygettext.py caused
by mistaking function definitions for function calls.
- Tests
- gh-126909: Fix test_os extended attribute tests to work on
filesystems with 1 KiB xattr size limit.
- gh-125041: Re-enable skipped tests for zlib on the
s390x architecture: only skip checks of the compressed
bytes, which can be different between zlib’s software
implementation and the hardware-accelerated implementation.
- gh-124295: Add translation tests to the argparse module.
- Security
- gh-126623: Upgrade libexpat to 2.6.4
- Library
- gh-127303: Publicly expose EXACT_TOKEN_TYPES in
token.__all__.
- gh-123967: Fix faulthandler for trampoline frames. If the
top-most frame is a trampoline frame, skip it. Patch by
Victor Stinner.
- gh-127182: Fix io.StringIO.__setstate__() crash, when None
was passed as the first value.
- gh-127217: Fix urllib.request.pathname2url() for paths
starting with multiple slashes on Posix.
- gh-127035: Fix shutil.which on Windows. Now it looks at
direct match if and only if the command ends with a PATHEXT
extension or X_OK is not in mode. Support extensionless
files if “.” is in PATHEXT. Support PATHEXT extensions that
end with a dot.
- gh-127078: Fix issue where urllib.request.url2pathname()
failed to discard an extra slash before a UNC drive in the
URL path on Windows.
- gh-126766: Fix issue where urllib.request.url2pathname()
failed to discard any ‘localhost’ authority present in the
URL.
- gh-126997: Fix support of STRING and GLOBAL opcodes with
non-ASCII arguments in pickletools. pickletools.dis()
now outputs non-ASCII bytes in STRING, BINSTRING and
SHORT_BINSTRING arguments as escaped (\xXX).
- gh-126618: Fix the representation of itertools.count
objects when the count value is sys.maxsize.
- gh-85168: Fix issue where urllib.request.url2pathname() and
pathname2url() always used UTF-8 when quoting and unquoting
file URIs. They now use the filesystem encoding and error
handler.
- gh-67877: Fix memory leaks when regular expression matching
terminates abruptly, either because of a signal or because
memory allocation fails.
- gh-126789: Fixed the values of sysconfig.get_config_vars(),
sysconfig.get_paths(), and their siblings when the site
initialization happens after sysconfig has built a cache
for sysconfig.get_config_vars().
- gh-126188: Update bundled pip to 24.3.1
- gh-126766: Fix issue where urllib.request.url2pathname()
failed to discard two leading slashes introducing an empty
authority section.
- gh-126727: locale.nl_langinfo(locale.ERA) now returns
multiple era description segments separated by
semicolons. Previously it only returned the first segment
on platforms with Glibc.
- gh-126699: Allow collections.abc.AsyncIterator to be a base
for Protocols.
- gh-104745: Limit starting a patcher (from
unittest.mock.patch() or unittest.mock.patch.object()) more
than once without stopping it
- gh-126595: Fix a crash when instantiating itertools.count
with an initial count of sys.maxsize on debug builds. Patch
by Bénédikt Tran.
- gh-120423: Fix issue where urllib.request.pathname2url()
mishandled Windows paths with embedded forward slashes.
- gh-126565: Improve performances of zipfile.Path.open() for
non-reading modes.
- gh-126505: Fix bugs in compiling case-insensitive regular
expressions with character classes containing non-BMP
characters: upper-case non-BMP character did was ignored
and the ASCII flag was ignored when matching a character
range whose upper bound is beyond the BMP region.
- gh-117378: Fixed the multiprocessing "forkserver"
start method forkserver process to correctly inherit
the parent’s sys.path during the importing of
multiprocessing.set_forkserver_preload() modules in the
same manner as sys.path is configured in workers before
executing work items.
This bug caused some forkserver module preloading to silently
fail to preload. This manifested as a performance degration
in child processes when the sys.path was required due to
additional repeated work in every worker.
It could also have a side effect of "" remaining in
sys.path during forkserver preload imports instead of the
absolute path from os.getcwd() at multiprocessing import time
used in the worker sys.path.
The sys.path differences between phases in the child
process could potentially have caused preload to import incorrect
things from the wrong location. We are unaware of that actually
having happened in practice.
- gh-125679: The multiprocessing.Lock and
multiprocessing.RLock repr values no longer say “unknown”
on macOS.
- gh-126476: Raise calendar.IllegalMonthError (now a subclass
of IndexError) for calendar.month() when the input month is
not correct.
- gh-126489: The Python implementation of pickle no longer
calls pickle.Pickler.persistent_id() for the result of
persistent_id().
- gh-126303: Fix pickling and copying of os.sched_param
objects.
- gh-126138: Fix a use-after-free crash on asyncio.Task
objects whose underlying coroutine yields an object that
implements an evil __getattribute__(). Patch by Nico
Posada.
- gh-126220: Fix crash in cProfile.Profile and
_lsprof.Profiler when their callbacks were directly called
with 0 arguments.
- gh-126212: Fix issue where urllib.request.pathname2url()
and url2pathname() removed slashes from Windows DOS drive
paths and URLs.
- gh-126205: Fix issue where urllib.request.pathname2url()
generated URLs beginning with four slashes (rather than
two) when given a Windows UNC path.
- gh-126105: Fix a crash in ast when the ast.AST._fields
attribute is deleted.
- gh-126106: Fixes a possible NULL pointer dereference in
ssl.
- gh-126080: Fix a use-after-free crash on asyncio.Task
objects for which the underlying event loop implements an
evil __getattribute__(). Reported by Nico-Posada. Patch by
Bénédikt Tran.
- gh-126083: Fixed a reference leak in asyncio.Task objects
when reinitializing the same object with a non-None
context. Patch by Nico Posada.
- gh-125984: Fix use-after-free crashes on asyncio.Future
objects for which the underlying event loop implements an
evil __getattribute__(). Reported by Nico-Posada. Patch by
Bénédikt Tran.
- gh-125969: Fix an out-of-bounds crash when an evil
asyncio.loop.call_soon() mutates the length of the internal
callbacks list. Patch by Bénédikt Tran.
- gh-125966: Fix a use-after-free crash in
asyncio.Future.remove_done_callback(). Patch by Bénédikt
Tran.
- gh-125789: Fix possible crash when mutating list of
callbacks returned by asyncio.Future._callbacks. It
now always returns a new copy in C implementation
_asyncio. Patch by Kumar Aditya.
- gh-124452: Fix an issue in
email.policy.EmailPolicy.header_source_parse() and
email.policy.Compat32.header_source_parse() that introduced
spurious leading whitespaces into header values when the
header includes a newline character after the header name
delimiter (:) and before the value.
- gh-125884: Fixed the bug for pdb where it can’t set
breakpoints on functions with certain annotations.
- gh-125355: Fix several bugs in
argparse.ArgumentParser.parse_intermixed_args().
The parser no longer changes temporarily during parsing.
Default values are not processed twice.
Required mutually exclusive groups containing positional
arguments are now supported.
The missing arguments report now includes the names of
all required optional and positional arguments.
Unknown options can be intermixed with positional
arguments in parse_known_intermixed_args().
- gh-125682: Reject non-ASCII digits in the Python
implementation of json.loads() conforming to the JSON
specification.
- gh-125660: Reject invalid unicode escapes for Python
implementation of json.loads().
- gh-125259: Fix the notes removal logic for errors thrown in
enum initialization.
- gh-125519: Improve traceback if importlib.reload() is
called with an object that is not a module. Patch by Alex
Waygood.
- gh-125451: Fix deadlock when
concurrent.futures.ProcessPoolExecutor shuts down
concurrently with an error when feeding a job to a worker
process.
- gh-125422: Fixed the bug where pdb and bdb can step into
the bottom caller frame.
- gh-100141: Fixed the bug where pdb will be stuck in an
infinite loop when debugging an empty file.
- gh-53203: Fix time.strptime() for %c, %x and %X formats
in many locales that use non-ASCII digits, like Persian,
Burmese, Odia and Shan.
- gh-125254: Fix a bug where ArgumentError includes the
incorrect ambiguous option in argparse.
- gh-61011: Fix inheritance of nested mutually
exclusive groups from parent parser in
argparse.ArgumentParser. Previously, all nested mutually
exclusive groups lost their connection to the group
containing them and were displayed as belonging directly to
the parser.
- gh-52551: Fix encoding issues in time.strftime(), the
strftime() method of the datetime classes datetime, date
and time and formatting of these classes. Characters
not encodable in the current locale are now acceptable
in the format string. Surrogate pairs and sequence
of surrogatescape-encoded bytes are no longer
recombinated. Embedded null character no longer terminates
the format string.
- gh-125118: Don’t copy arbitrary values to _Bool in the
struct module.
- gh-125069: Fix an issue where providing a pathlib.PurePath
object as an initializer argument to a second PurePath
object with a different flavour resulted in arguments to
the former object’s initializer being joined by the latter
object’s flavour.
- gh-124969: Fix locale.nl_langinfo(locale.ALT_DIGITS) on
platforms with glibc. Now it returns a string consisting of
up to 100 semicolon-separated symbols (an empty string in
most locales) on all Posix platforms. Previously it only
returned the first symbol or an empty string.
- gh-124958: Fix refcycles in exceptions raised from
asyncio.TaskGroup and the python implementation of
asyncio.Future
- gh-53203: Fix time.strptime() for %c and %x formats in many
locales: Arabic, Bislama, Breton, Bodo, Kashubian, Chuvash,
Estonian, French, Irish, Ge’ez, Gurajati, Manx Gaelic,
Hebrew, Hindi, Chhattisgarhi, Haitian Kreyol, Japanese,
Kannada, Korean, Marathi, Malay, Norwegian, Nynorsk,
Punjabi, Rajasthani, Tok Pisin, Yoruba, Yue Chinese,
Yau/Nungon and Chinese.
- gh-124917: Allow calling os.path.exists() and
os.path.lexists() with keyword arguments on Windows. Fixes
a regression in 3.12.4.
- gh-124653: Fix detection of the minimal Queue API needed by
the logging module. Patch by Bénédikt Tran.
- gh-124858: Fix reference cycles left in tracebacks
in asyncio.open_connection() when used with
happy_eyeballs_delay
- gh-124390: Fixed AssertionError when using
asyncio.staggered.staggered_race() with
asyncio.eager_task_factory.
- gh-124651: Properly quote template strings in venv
activation scripts.
- gh-124594: All asyncio REPL prompts run in the same
context. Contributed by Bartosz Sławecki.
- gh-120378: Fix a crash related to an integer overflow in
curses.resizeterm() and curses.resize_term().
- gh-123884: Fixed bug in itertools.tee() handling of other
tee inputs (a tee in a tee). The output now has the
promised n independent new iterators. Formerly, the first
iterator was identical (not independent) to the input
iterator. This would sometimes give surprising results.
- gh-123978: Remove broken time.thread_time() and
time.thread_time_ns() on NetBSD.
- gh-124008: Fix possible crash (in debug build), incorrect
output or returning incorrect value from raw binary write()
when writing to console on Windows.
- gh-123370: Fix the canvas not clearing after running
turtledemo clock.
- gh-120754: Update unbounded read calls in zipfile to
specify an explicit size putting a limit on how much data
they may read. This also updates handling around ZIP max
comment size to match the standard instead of reading
comments that are one byte too long.
- gh-70764: Fixed an issue where inspect.getclosurevars()
would incorrectly classify an attribute name as a global
variable when the name exists both as an attribute name and
a global variable.
- gh-119826: Always return an absolute path for
os.path.abspath() on Windows.
- gh-117766: Always use str() to print choices in argparse.
- gh-101955: Fix SystemError when match regular expression
pattern containing some combination of possessive
quantifier, alternative and capture group.
- gh-88110: Fixed multiprocessing.Process reporting a
.exitcode of 1 even on success when using the "fork" start
method while using a concurrent.futures.ThreadPoolExecutor.
- gh-71936: Fix a race condition in
multiprocessing.pool.Pool.
- bpo-46128: Strip unittest.IsolatedAsyncioTestCase stack
frames from reported stacktraces.
- bpo-14074: Fix argparse metavar processing to allow
positional arguments to have a tuple metavar.
- IDLE
- gh-122392: Increase currently inadequate vertical spacing
for the IDLE browsers (path, module, and stack) on
high-resolution monitors.
- Documentation
- gh-125277: Require Sphinx 7.2.6 or later to build the
Python documentation. Patch by Adam Turner.
- gh-125018: The importlib.metadata documentation now
includes semantic cross-reference targets for the
significant documented APIs. This means intersphinx
references like importlib.metadata.version() will now work
as expected.
- gh-121277: Writers of CPython’s documentation can now use
next as the version for the versionchanged, versionadded,
deprecated directives.
- gh-60712: Include the object type in the lists of
documented types. Change by Furkan Onder and Martin Panter.
- Core and Builtins
- gh-113841: Fix possible undefined behavior division by zero
in complex’s _Py_c_pow().
- gh-126341: Now ValueError is raised instead of SystemError
when trying to iterate over a released memoryview object.
- gh-126066: Fix importlib to not write an incomplete
.pyc files when a ulimit or some other operating system
mechanism is preventing the write to go through fully.
- gh-126139: Provide better error location when attempting to
use a future statement with an unknown future feature.
- gh-125008: Fix tokenize.untokenize() producing invalid
syntax for double braces preceded by certain escape
characters.
- gh-123378: Fix a crash in the __str__() method of
UnicodeError objects when the UnicodeError.start and
UnicodeError.end values are invalid or out-of-range. Patch
by Bénédikt Tran.
- gh-116510: Fix a crash caused by immortal interned strings
being shared between sub-interpreters that use basic
single-phase init. In that case, the string can be used
by an interpreter that outlives the interpreter that
created and interned it. For interpreters that share
obmalloc state, also share the interned dict with the main
interpreter.
- gh-118950: Fix bug where SSLProtocol.connection_lost wasn’t
getting called when OSError was thrown on writing to
socket.
- gh-113570: Fixed a bug in reprlib.repr where it incorrectly
called the repr method on shadowed Python built-in types.
- gh-109746: If _thread.start_new_thread() fails to start a
new thread, it deletes its state from interpreter and thus
avoids its repeated cleanup on finalization.
- C API
- gh-113601: Removed debug build assertions related to
interning strings, which were falsely triggered by stable
ABI extensions.
- Build
- gh-89640: Hard-code float word ordering as little endian on
WASM.
- gh-89640: Improve detection of float word ordering on Linux
when link-time optimizations are enabled.
- Remove upstreamed patches:
- CVE-2024-9287-venv_path_unquoted.patch
OBS-URL: https://build.opensuse.org/request/show/1228975
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python312?expand=0&rev=26
