forked from pool/python313
- Security
- gh-145986: xml.parsers.expat: Fixed a crash caused by
unbounded C recursion when converting deeply nested XML
content models with ElementDeclHandler(). This addresses
CVE 2026-4224 (bsc#1259735, CVE-2026-4224).
- gh-145599: Reject control characters in http.cookies.Morsel
update() and js_output(). This addresses CVE 2026-3644
(bsc#1259734, CVE-2026-3644).
- gh-145506: Fixes CVE 2026-2297 by ensuring that
SourcelessFileLoader uses io.open_code() when opening .pyc
files (bsc#1259240, CVE-2026-2297).
- gh-144370: Disallow usage of control characters in status
in wsgiref.handlers to prevent HTTP header injections.
Patch by Benedikt Johannes.
- gh-143930: Reject leading dashes in URLs passed to
webbrowser.open() (bsc#1260026, CVE-2026-4519).
- Library
- gh-144503: Fix a regression introduced in 3.14.3 and
3.13.12 where the multiprocessing forkserver start method
would fail with BrokenPipeError when the parent process had
a very large sys.argv. The argv is now passed to the
forkserver as separate command-line arguments rather than
being embedded in the -c command string, avoiding the
operating system’s per-argument length limit.
- gh-146613: itertools: Fix a crash in itertools.groupby()
when the grouper iterator is concurrently mutated.
- gh-146080: ssl: fix a crash when an SNI callback tries to
use an SSL object that has already been garbage-collected.
Patch by Bénédikt Tran.
- gh-146090: sqlite3: fix a crash when
sqlite3.Connection.create_collation() fails with
SQLITE_BUSY. Patch by Bénédikt Tran.
- gh-146090: sqlite3: properly raise MemoryError instead of
SystemError when a context callback fails to be allocated.
Patch by Bénédikt Tran.
- gh-145633: Fix struct.pack('f', float): use PyFloat_Pack4()
to raise OverflowError. Patch by Sergey B Kirpichev and
Victor Stinner.
- gh-146310: The ensurepip module no longer looks for
pip-*.whl wheel packages in the current directory.
- gh-146083: Update bundled libexpat to version 2.7.5.
- gh-146076: zoneinfo: fix crashes when deleting _weak_cache
from a zoneinfo.ZoneInfo subclass.
- gh-146054: Limit the size of encodings.search_function()
cache. Found by OSS Fuzz in #493449985.
- gh-145883: zoneinfo: Fix heap buffer overflow reads from
malformed TZif data. Found by OSS Fuzz, issues #492245058
and #492230068.
- gh-145750: Avoid undefined behaviour from signed integer
overflow when parsing format strings in the struct module.
Found by OSS Fuzz in #488466741.
- gh-145492: Fix infinite recursion in
collections.defaultdict __repr__ when a defaultdict
contains itself. Based on analysis by KowalskiThomas in
gh-145492.
- gh-145623: Fix crash in struct when calling repr() or
__sizeof__() on an uninitialized struct.Struct object
created via Struct.__new__() without calling __init__().
- gh-145616: Detect Android sysconfig ABI correctly on 32-bit
ARM Android on 64-bit ARM kernel
- gh-145376: Fix null pointer dereference in unusual error
scenario in hashlib.
- gh-145551: Fix InvalidStateError when cancelling process
created by asyncio.create_subprocess_exec() or
asyncio.create_subprocess_shell(). Patch by Daan De Meyer.
- gh-145417: venv: Prevent incorrect preservation of SELinux
context when copying the Activate.ps1 script. The script
inherited the SELinux security context of the system
template directory, rather than the destination project
directory.
- gh-145301: hashlib: fix a crash when the initialization of
the underlying C extension module fails.
- gh-145264: Base64 decoder (see binascii.a2b_base64(),
base64.b64decode(), etc) no longer ignores excess data
after the first padded quad in non-strict (default) mode.
Instead, in conformance with RFC 4648, section 3.3, it now
ignores the pad character, “=”, if it is present before the
end of the encoded data.
- gh-145158: Avoid undefined behaviour from signed integer
overflow when parsing format strings in the struct module.
- gh-144984: Fix crash in
xml.parsers.expat.xmlparser.ExternalEntityParserCreate()
when an allocation fails. The error paths could dereference
NULL handlers and double-decrement the parent parser’s
reference count.
- gh-88091: Fix unicodedata.decomposition() for Hangul
characters.
- gh-144835: Added missing explanations for some parameters
in glob.glob() and glob.iglob().
- gh-144833: Fixed a use-after-free in ssl when SSL_new()
returns NULL in newPySSLSocket(). The error was reported
via a dangling pointer after the object had already been
freed.
- gh-144259: Fix inconsistent display of long multiline
pasted content in the REPL.
- gh-144156: Fix the folding of headers by the email library
when RFC 2047 encoded words are used. Now whitespace is
correctly preserved and also correctly added between
adjacent encoded words. The latter property was broken by
the fix for gh-92081, which mostly fixed previous failures
to preserve whitespace.
- gh-66305: Fixed a hang on Windows in the tempfile module
when trying to create a temporary file or subdirectory in
a non-writable directory.
- gh-140814: multiprocessing.freeze_support() no longer sets
the default start method as a side effect, which previously
caused a subsequent multiprocessing.set_start_method() call
to raise RuntimeError.
- gh-144475: Calling repr() on functools.partial() is now
safer when the partial object’s internal attributes are
replaced while the string representation is being
generated.
- gh-144538: Bump the version of pip bundled in ensurepip to
version 26.0.1
- gh-144363: Update bundled libexpat to 2.7.4
- gh-143637: Fixed a crash in socket.sendmsg() that could
occur if ancillary data is mutated re-entrantly during
argument parsing.
- gh-143880: Fix data race in functools.partial() in the free
threading build.
- gh-143543: Fix a crash in itertools.groupby that could
occur when a user-defined __eq__() method re-enters the
iterator during key comparison.
- gh-140652: Fix a crash in _interpchannels.list_all() after
closing a channel.
- gh-143698: Allow scheduler and setpgroup arguments to be
explicitly None when calling os.posix_spawn() or
os.posix_spawnp(). Patch by Bénédikt Tran.
- gh-143698: Raise TypeError instead of SystemError when the
scheduler in os.posix_spawn() or os.posix_spawnp() is not
a tuple. Patch by Bénédikt Tran.
- gh-143304: Fix ctypes.CDLL to honor the handle parameter on
POSIX systems.
- gh-142781: zoneinfo: fix a crash when instantiating
ZoneInfo objects for which the internal class-level cache
is inconsistent.
- gh-142763: Fix a race condition between zoneinfo.ZoneInfo
creation and zoneinfo.ZoneInfo.clear_cache() that could
raise KeyError.
- gh-142787: Fix assertion failure in sqlite3 blob subscript
when slicing with indices that result in an empty slice.
- gh-142352: Fix asyncio.StreamWriter.start_tls() to transfer
buffered data from StreamReader to the SSL layer,
preventing data loss when upgrading a connection to TLS
mid-stream (e.g., when implementing PROXY protocol
support).
- gh-141707: Don’t change tarfile.TarInfo type from AREGTYPE
to DIRTYPE when parsing GNU long name or link headers
(bsc#1259611, CVE-2025-13462).
- gh-139933: Improve AttributeError suggestions for classes
with a custom __dir__() method returning a list of
unsortable values. Patch by Bénédikt Tran.
- gh-138891: Fix SyntaxError when inspect.get_annotations(f,
eval_str=True) is called on a function annotated with a PEP
646 star_expression
- gh-137335: Get rid of any possibility of a name conflict
for named pipes in multiprocessing and asyncio on Windows,
no matter how small.
- gh-80667: Support lookup for Tangut Ideographs in
unicodedata.
- bpo-40243: Fix unicodedata.ucd_3_2_0.numeric() for
non-decimal values.
- Documentation
- gh-126676: Expand argparse documentation for type=bool with
a demonstration of the surprising behavior and pointers to
common alternatives.
- gh-145450: Document missing public wave.Wave_write getter
methods.
- Core and Builtins
- gh-148157: Fix an unlikely crash when parsing invalid
type comments for function parameters. Found by OSS Fuzz in
#492782951.
- gh-146615: Fix a crash in __get__() for METH_METHOD
descriptors when an invalid (non-type) object is passed as
the second argument. Patch by Steven Sun.
- gh-146128: Fix a bug which could cause constant values to
be partially corrupted in AArch64 JIT code. This issue is
theoretical, and hasn’t actually been observed in
unmodified Python interpreters.
- gh-146250: Fixed a memory leak in SyntaxError when
re-initializing it.
- gh-146245: Fixed reference leaks in socket when audit hooks
raise exceptions in socket.getaddrinfo() and
socket.sendto().
- gh-146227: Fix wrong type in _Py_atomic_load_uint16 in the
C11 atomics backend (pyatomic_std.h), which used a 32-bit
atomic load instead of 16-bit. Found by Mohammed Zuhaib.
- gh-146056: Fix repr() for lists containing NULLs.
- gh-145990: python --help-env sections are now sorted by
environment variable name.
- gh-145376: Fix GC tracking in structseq.__replace__().
- gh-142183: Avoid a pathological case where repeated calls
at a specific stack depth could be significantly slower.
- gh-145783: Fix an unlikely crash in the parser when certain
errors were erroneously not propagated. Found by OSS Fuzz
in #491369109.
- gh-145701: Fix SystemError when __classdict__ or
__conditional_annotations__ is in a class-scope inlined
comprehension. Found by OSS Fuzz in #491105000.
- gh-145335: Fix a crash in os.pathconf() when called with -1
as the path argument.
- gh-145234: Fixed a SystemError in the parser when an
encoding cookie (for example, UTF-7) decodes to carriage
returns (\r). Newlines are now normalized after decoding in
the string tokenizer. Patch by Pablo Galindo.
- gh-130555: Fix use-after-free in dict.clear() when the
dictionary values are embedded in an object and
a destructor causes re-entrant mutation of the dictionary.
- gh-145008: Fix a bug when calling certain methods at the
recursion limit which manifested as a corruption of
Python’s operand stack. Patch by Ken Jin.
- gh-144872: Fix heap buffer overflow in the parser found by
OSS-Fuzz.
- gh-144766: Fix a crash in fork child process when perf
support is enabled.
- gh-144759: Fix undefined behavior in the lexer when start
and multi_line_start pointers are NULL in
_PyLexer_remember_fstring_buffers() and
_PyLexer_restore_fstring_buffers(). The NULL pointer
arithmetic (NULL - valid_pointer) is now guarded with
explicit NULL checks.
- gh-144601: Fix crash when importing a module whose PyInit
function raises an exception from a subinterpreter.
- gh-143636: Fix a crash when calling
SimpleNamespace.__replace__() on non-namespace instances.
Patch by Bénédikt Tran.
- gh-143650: Fix race condition in importlib where a thread
could receive a stale module reference when another
thread’s import fails.
- gh-140594: Fix an out of bounds read when a single NUL
character is read from the standard input. Patch by Shamil
Abdulaev.
- gh-91636: While performing garbage collection, clear
weakrefs to unreachable objects that are created during
running of finalizers. If those weakrefs were not
cleared, they could reveal unreachable objects.
- gh-130327: Fix erroneous clearing of an object’s __dict__
if overwritten at runtime.
- gh-80667: Literals using the \N{name} escape syntax can now
construct CJK ideographs and Hangul syllables using
case-insensitive names.
- Build
- gh-146541: The Android testbed can now be built for 32-bit
ARM and x86 targets.
- gh-146450: The Android build script was modified to improve
parity with other platform build scripts.
- gh-145801: When Python build is optimized with GCC using
PGO, use -fprofile-update=atomic option to use atomic
operations when updating profile information. This option
reduces the risk of gcov Data Files (.gcda) corruption
which can cause random GCC crashes. Patch by Victor
Stinner.
- gh-129259: Fix AIX build failures caused by incorrect
struct alignment in _Py_CODEUNIT and _Py_BackoffCounter by
adding AIX-specific #pragma pack directives.
- Tests
- gh-144418: The Android testbed’s emulator RAM has been
increased from 2 GB to 4 GB.
- gh-146202: Fix a race condition in regrtest: make sure that
the temporary directory is created in the worker process.
Previously, temp_cwd() could fail on Windows if the “build”
directory was not created. Patch by Victor Stinner.
- gh-144739: When Python was compiled with system expat older
than 2.7.2 but tests run with newer expat, still skip
test.test_pyexpat.MemoryProtectionTest.
Removed upstreamed patches:
- CVE-2025-13462-tarinfo-header-parse.patch
- CVE-2026-2297-SourcelessFileLoader-io_open_code.patch
- CVE-2026-3479-pkgutil_get_data.patch
- CVE-2026-3644-cookies-Morsel-update-II.patch
- CVE-2026-4224-expat-unbound-C-recursion.patch
- CVE-2026-4519-webbrowser-open-dashes.patch
Python 3 in SUSE
==============
* Subpackages *
Python 3 is split into several subpackages, based on external dependencies.
The main package 'python3' has soft dependencies on all subpackages needed to
assemble the standard library; however, these might not all be installed by default.
If you attempt to import a module that is currently not installed, an ImportError is thrown,
with instructions to install the missing subpackage. Installing the subpackage might result
in installing libraries that the subpackage requires to function.
* ensurepip *
The 'ensurepip' module from Python 3 standard library (PEP 453) is supposed to deploy
a bundled copy of the pip installer. This makes no sense in a managed distribution like SUSE.
Instead, you need to install package 'python3-pip'. Usually this will be installed automatically
with 'python3'.
Using 'ensurepip' when pip is not installed will result in an ImportError with instructions
to install 'python3-pip'.
* Documentation *
You can find documentation in separate packages: python3-doc and
python3-doc-pdf. These contain the following documents:
Tutorial, What's New in Python, Global Module Index, Library Reference,
Macintosh Module Reference, Installing Python Modules, Distributing Python
Modules, Language Reference, Extending and Embedding, Python/C API,
Documenting Python
The python3-doc package contains many text files from the source tarball.
* Interactive mode *
Interactive mode is by default enhanced with history and command completion.
If you don't like these features, you can unset the PYTHONSTARTUP variable
in your .profile or disable it system wide in /etc/profile.d/python.sh.