- Security
  - gh-135034: Fixes multiple issues that allowed tarfile
    extraction filters (filter="data" and filter="tar") to be
    bypassed using crafted symlinks and hard links.
    Addresses CVE-2024-12718 (bsc#1244056), CVE-2025-4138
    (bsc#1244059), CVE-2025-4330 (bsc#1244060), and
    CVE-2025-4517 (bsc#1244032).
  - gh-133767: Fix use-after-free in the “unicode-escape”
    decoder with a non-“strict” error handler (CVE-2025-4516,
    bsc#1243273).
  - gh-128840: Short-circuit the processing of long IPv6
    addresses early in ipaddress to prevent excessive memory
    consumption and a minor denial-of-service.
- Library
  - gh-134718: ast.dump() now only omits None and [] values if
    they are default values.
  - gh-128840: Fix parsing long IPv6 addresses with embedded
    IPv4 address.
  - gh-134696: Built-in HACL* and OpenSSL implementations of
    hash function constructors now correctly accept the same
    documented named arguments. For instance, md5() could be
    previously invoked as md5(data=data) or md5(string=string)
    depending on the underlying implementation but these calls
    were not compatible. Patch by Bénédikt Tran.
  - gh-134210: curses.window.getch() now correctly handles
    signals. Patch by Bénédikt Tran.
  - gh-80334: multiprocessing.freeze_support() now checks for
    work on any “spawn” start method platform rather than only
    on Windows.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=100
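The gh-135034 entry in the changelog entry above concerns archive members (symlinks and hard links) whose targets leave the extraction directory. The following is an added example, not code from CPython or from the openSUSE package: a static pre-extraction audit that classifies each member of a constructed in-memory archive, plus a cross-check against the standard library's own tarfile.data_filter (the object behind filter="data") where the interpreter provides it. The function names classify_member, audit_archive and stdlib_filter_verdicts, the destination /safe/extract and the archive contents are this example's own assumptions. The audit reasons about paths only (posixpath), so it cannot see links chained through members extracted earlier; resolving against the real filesystem is what the data filter does, and the audit complements rather than replaces filter="data".

```python
import io
import posixpath
import tarfile
from typing import Dict, List, Optional, Tuple


def build_sample_archive() -> bytes:
    """Constructed sample archive, built in memory for this example (not a real artifact)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        payload = b"hello\n"
        regular = tarfile.TarInfo("docs/readme.txt")
        regular.size = len(payload)
        tar.addfile(regular, io.BytesIO(payload))

        ok_link = tarfile.TarInfo("docs/alias")       # symlink that stays inside docs/
        ok_link.type = tarfile.SYMTYPE
        ok_link.linkname = "readme.txt"
        tar.addfile(ok_link)

        bad_link = tarfile.TarInfo("docs/escape")     # symlink resolving above the destination
        bad_link.type = tarfile.SYMTYPE
        bad_link.linkname = "../../outside"
        tar.addfile(bad_link)

        bad_hard = tarfile.TarInfo("docs/hard")       # hard link with an absolute target
        bad_hard.type = tarfile.LNKTYPE
        bad_hard.linkname = "/etc/hostname"
        tar.addfile(bad_hard)

        traversal = tarfile.TarInfo("../escape.txt")  # member name itself climbs out
        tar.addfile(traversal)
    return buf.getvalue()


def _inside(dest: str, path: str) -> bool:
    """True if the normalized absolute `path` is `dest` itself or lies below it."""
    return path == dest or path.startswith(dest.rstrip("/") + "/")


def classify_member(member: tarfile.TarInfo, dest: str) -> Optional[str]:
    """Return why `member` must not be extracted under `dest`, or None if it looks safe.

    Pure-path reasoning only: nothing on disk is consulted, so links that pass
    through previously extracted symlinks are out of scope (tarfile.data_filter
    handles those by resolving against the filesystem).
    """
    dest = posixpath.normpath(dest)
    if posixpath.isabs(member.name):
        return "absolute member name"
    if not _inside(dest, posixpath.normpath(posixpath.join(dest, member.name))):
        return "member name escapes destination"
    if member.issym() or member.islnk():
        if posixpath.isabs(member.linkname):
            return "absolute link target"
        if member.issym():
            # A symlink target is interpreted relative to the link's own directory.
            target = posixpath.join(dest, posixpath.dirname(member.name), member.linkname)
        else:
            # A hard link target is an archive-relative path.
            target = posixpath.join(dest, member.linkname)
        if not _inside(dest, posixpath.normpath(target)):
            return "link target escapes destination"
    return None


def audit_archive(data: bytes, dest: str = "/safe/extract") -> List[Tuple[str, str]]:
    """Scan every member before extraction; return (name, reason) for each rejected one."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for member in tar.getmembers():
            reason = classify_member(member, dest)
            if reason is not None:
                findings.append((member.name, reason))
    return findings


def stdlib_filter_verdicts(data: bytes, dest: str = "/safe/extract") -> Dict[str, str]:
    """Cross-check with tarfile.data_filter, the filter selected by filter="data".

    Returns {member name: "ok" or the FilterError subclass name}; an empty dict
    on interpreters that predate extraction filters. The filter only inspects
    the member here; nothing is written to disk.
    """
    data_filter = getattr(tarfile, "data_filter", None)
    if data_filter is None:
        return {}
    verdicts = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for member in tar.getmembers():
            try:
                data_filter(member, dest)
                verdicts[member.name] = "ok"
            except tarfile.FilterError as exc:
                verdicts[member.name] = type(exc).__name__
    return verdicts


if __name__ == "__main__":
    sample = build_sample_archive()
    for name, reason in audit_archive(sample):
        print(f"REJECT {name}: {reason}")
    print(stdlib_filter_verdicts(sample))
```

Running the audit flags docs/escape, docs/hard and ../escape.txt while passing docs/readme.txt and the in-directory symlink docs/alias; on an interpreter with extraction filters, data_filter raises the corresponding LinkOutsideDestinationError, AbsoluteLinkError and OutsideDestinationError for the same three members. The practical pattern is to run such an audit (or simply extractall(..., filter="data")) on a patched interpreter and to treat any rejected member as grounds to discard the whole archive rather than extract the remainder.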
- Security
  - gh-113659: Skip .pth files with names starting with a dot or
    hidden file attribute.
  - gh-112302: Created a Software Bill-of-Materials document and
    tooling for tracking dependencies.
- Core and Builtins
  - gh-107901: Compiler duplicates basic blocks that have an eval
    breaker check, no line number, and multiple predecessors.
  - gh-107901: A jump leaving an exception handler back to normal
    code no longer checks the eval breaker.
  - gh-113655: Set the C recursion limit to 4000 on Windows, and
    10000 on Linux/OSX. This seems to be near the sweet spot to
    maintain safety, but not compromise backwards compatibility.
  - gh-113710: Add typed stack effects to the interpreter DSL, along
    with various instruction annotations.
  - gh-77046: On Windows, file descriptors wrapping Windows handles
    are now created non-inheritable by default (PEP 446). Patch by
    Zackery Spytz and Victor Stinner.
  - gh-113853: Guarantee that all executors make progress. This then
    guarantees that tier 2 execution always makes progress.
  - gh-113753: Fix an issue where the finalizer of PyAsyncGenASend
    objects might not be called if they were allocated from a free
    list.
  - gh-107901: Compiler changed so that synthetic jumps which are
    not at loop end no longer check the eval breaker.
  - gh-113703: Fix a regression in the codeop module that was
    causing it to incorrectly identify incomplete f-strings. Patch
    by Pablo Galindo.
  - gh-89811: Check for a valid tp_version_tag before performing
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=3