- Security
- gh-135034: Fixes multiple issues that allowed tarfile
extraction filters (filter="data" and filter="tar") to be
bypassed using crafted symlinks and hard links.
Addresses CVE-2024-12718 (bsc#1244056), CVE-2025-4138
(bsc#1244059), CVE-2025-4330 (bsc#1244060), and
CVE-2025-4517 (bsc#1244032).
- gh-133767: Fix use-after-free in the “unicode-escape”
decoder with a non-“strict” error handler (CVE-2025-4516,
bsc#1243273).
- gh-128840: Short-circuit the processing of long IPv6
addresses early in ipaddress to prevent excessive memory
consumption and a minor denial-of-service.
- Library
- gh-134718: ast.dump() now only omits None and [] values if
they are default values.
- gh-128840: Fix parsing long IPv6 addresses with embedded
IPv4 address.
- gh-134696: Built-in HACL* and OpenSSL implementations of
hash function constructors now correctly accept the same
documented named arguments. For instance, md5() could be
previously invoked as md5(data=data) or md5(string=string)
depending on the underlying implementation but these calls
were not compatible. Patch by Bénédikt Tran.
- gh-134210: curses.window.getch() now correctly handles
signals. Patch by Bénédikt Tran.
- gh-80334: multiprocessing.freeze_support() now checks for
work on any “spawn” start method platform rather than only
on Windows.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=100
- Tools/Demos
- gh-131852: msgfmt no longer adds the POT-Creation-Date to
generated .mo files for consistency with GNU msgfmt.
- gh-85012: Correctly reset msgctxt when compiling messages
in msgfmt.
- gh-130025: The iOS testbed now correctly handles symlinks
used as Python framework references.
- Tests
- gh-131050: test_ssl.test_dh_params is skipped if the
underlying TLS library does not support finite-field
ephemeral Diffie-Hellman.
- gh-129200: Multiple iOS testbed runners can now be started
at the same time without introducing an ambiguity over
simulator ownership.
- gh-130292: The iOS testbed will now run successfully on a
machine that has not previously run Xcode tests (such as CI
configurations).
- gh-130293: The tests of terminal colorization are no longer
sensitive to the value of the TERM variable in the testing
environment.
- gh-126332: Add unit tests for pyrepl.
- Security
- gh-131809: Update bundled libexpat to 2.7.1
- gh-131261: Upgrade to libexpat 2.7.0
- gh-127371: Avoid unbounded buffering for
tempfile.SpooledTemporaryFile.writelines(). Previously,
disk spillover was only checked after the lines iterator
had been exhausted. This is now done after each line is
written.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=87
* Core and Builtins
- gh-119462: Make sure that invariants of type versioning are
maintained:
* Superclasses always have their version number assigned
before subclasses
* The version tag is always zero if the tag is not valid.
* The version tag is always non-zero if the tag is valid.
- gh-120437: Fix _CHECK_STACK_SPACE optimization problems
introduced in gh-118322.
- gh-120722: Correctly set the bytecode position on return
instructions within lambdas. Patch by Jelle Zijlstra.
- gh-120367: Fix bug where compiler creates a redundant
jump during pseudo-op replacement. Can only happen with
a synthetic AST that has a try on the same line as the
instruction following the exception handler.
- gh-113993: Strings interned with sys.intern() are again
garbage-collected when no longer used, as per the
documentation. Strings interned with the C function
PyUnicode_InternInPlace() are still immortal. Internals of
the string interning mechanism have been changed. This may
affect performance and identities of str objects.
- gh-120384: Fix an array out of bounds crash in
list_ass_subscript, which could be invoked via some
specificly tailored input: including concurrent
modification of a list object, where one thread assigns a
slice and another clears it.
- gh-120367: Fix crash in compiler on code with redundant
NOPs and JUMPs which show up after exception handlers are
moved to the end of the code.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=19
- Security
- gh-113659: Skip .pth files with names starting with a dot or
hidden file attribute.
- gh-112302: Created a Software Bill-of-Materials document and
tooling for tracking dependencies.
- Core and Builtins
- gh-107901: Compiler duplicates basic blocks that have an eval
breaker check, no line number, and multiple predecessors.
- gh-107901: A jump leaving an exception handler back to normal
code no longer checks the eval breaker.
- gh-113655: Set the C recursion limit to 4000 on Windows, and
10000 on Linux/OSX. This seems to be near the sweet spot to
maintain safety, but not compromise backwards compatibility.
- gh-113710: Add typed stack effects to the interpreter DSL, along
with various instruction annotations.
- gh-77046: On Windows, file descriptors wrapping Windows handles
are now created non inheritable by default (PEP 446). Patch by
Zackery Spytz and Victor Stinner.
- gh-113853: Guarantee that all executors make progress. This then
guarantees that tier 2 execution always makes progress.
- gh-113753: Fix an issue where the finalizer of PyAsyncGenASend
objects might not be called if they were allocated from a free
list.
- gh-107901: Compiler changed so that synthetic jumps which are
not at loop end no longer check the eval breaker.
- gh-113703: Fix a regression in the codeop module that was
causing it to incorrectly identify incomplete f-strings. Patch
by Pablo Galindo
- gh-89811: Check for a valid tp_version_tag before performing
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=3
