-------------------------------------------------------------------
Tue Nov 4 16:44:05 UTC 2025 - Matej Cepl

- Add CVE-2025-8291-consistency-zip64.patch which checks consistency of the zip64 end of central directory record, and prevents obfuscation of the payload, i.e., you scan for malicious content in a ZIP file with one ZIP parser (let's say a Rust one), then unpack it in production with another (e.g., the Python one) and get malicious content that the other parser did not see (CVE-2025-8291, bsc#1251305)
- Readjust patches while synchronizing between openSUSE and SLE trees:
  - F00251-change-user-install-location.patch
  - doc-py38-to-py36.patch
  - gh126985-mv-pyvenv.cfg2getpath.patch

-------------------------------------------------------------------
Wed Oct 15 09:15:38 UTC 2025 - Daniel Garcia

- Update to 3.13.9:
  - Library
    - gh-139783: Fix inspect.getsourcelines() for the case when a decorator is followed by a comment or an empty line.
- Update to 3.13.8:
  - macOS
    - gh-124111: Update macOS installer to use Tcl/Tk 8.6.17.
    - gh-139573: Updated bundled version of OpenSSL to 3.0.18.
  - Windows
    - gh-139573: Updated bundled version of OpenSSL to 3.0.18.
    - gh-138896: Fix error installing C runtime on non-updated Windows machines
  - Tools/Demos
    - gh-139330: SBOM generation tool didn’t cross-check the version and checksum values against the Modules/expat/refresh.sh script, leading to the values becoming out-of-date during routine updates.
    - gh-137873: The iOS test runner has been simplified, resolving some issues that have been observed using the runner in GitHub Actions and Azure Pipelines test environments.
  - Tests
    - gh-139208: Fix regrtest --fast-ci --verbose: don’t ignore the --verbose option anymore. Patch by Victor Stinner.
  - Security
    - gh-139400: xml.parsers.expat: Make sure that parent Expat parsers are only garbage-collected once they are no longer referenced by subparsers created by ExternalEntityParserCreate(). Patch by Sebastian Pipping.
    - gh-139283: sqlite3: correctly handle maximum number of rows to fetch in Cursor.fetchmany and reject negative values for Cursor.arraysize. Patch by Bénédikt Tran.
    - gh-135661: Fix CDATA section parsing in html.parser.HTMLParser according to the HTML5 standard: ] ]> and ]] > no longer end the CDATA section. Add private method _set_support_cdata() which can be used to specify how to parse <[CDATA[ — as a CDATA section in foreign content (SVG or MathML) or as a bogus comment in the HTML namespace.
  - Library
    - gh-139312: Upgrade bundled libexpat to 2.7.3
    - gh-139289: Do a real lazy-import on rlcompleter in pdb and restore the existing completer after importing rlcompleter.
    - gh-139210: Fix use-after-free when reporting unknown event in xml.etree.ElementTree.iterparse(). Patch by Ken Jin.
    - gh-138860: Lazy import rlcompleter in pdb to avoid deadlock in subprocess.
    - gh-112729: Fix crash when calling _interpreters.create when the process is out of memory.
    - gh-139076: Fix a bug in the pydoc module that was hiding functions in a Python module if they were implemented in an extension module and the module did not have __all__.
    - gh-138998: Update bundled libexpat to 2.7.2
    - gh-130567: Fix possible crash in locale.strxfrm() due to a platform bug on macOS.
    - gh-138779: Support device numbers larger than 2**63-1 for the st_rdev field of the os.stat_result structure.
    - gh-128636: Fix crash in PyREPL when os.environ is overwritten with an invalid value for mac
    - gh-88375: Fix normalization of the robots.txt rules and URLs in the urllib.robotparser module. No longer ignore trailing ?. Distinguish raw special characters ?, = and & from the percent-encoded ones.
    - gh-138515: email is added to Emscripten build.
    - gh-111788: Fix parsing errors in the urllib.robotparser module. Don’t fail trying to parse weird paths. Don’t fail trying to decode non-UTF-8 robots.txt files.
    - gh-138432: zoneinfo.reset_tzpath() will now convert any os.PathLike objects it receives into strings before adding them to TZPATH. It will raise TypeError if anything other than a string is found after this conversion. If given an os.PathLike object that represents a relative path, it will now raise ValueError instead of TypeError, and present a more informative error message.
    - gh-138008: Fix segmentation faults in the ctypes module due to invalid argtypes. Patch by Dung Nguyen.
    - gh-60462: Fix locale.strxfrm() on Solaris (and possibly other platforms).
    - gh-138204: Forbid expansion of shared anonymous memory maps on Linux, which caused a bus error.
    - gh-138010: Fix an issue where defining a class with a @warnings.deprecated-decorated base class may not invoke the correct __init_subclass__() method in cases involving multiple inheritance. Patch by Brian Schubert.
    - gh-138133: Prevent infinite traceback loop when sending CTRL^C to Python through strace.
    - gh-134869: Fix an issue where pressing Ctrl+C during tab completion in the REPL would leave the autocompletion menu in a corrupted state.
    - gh-137317: inspect.signature() now correctly handles classes that use a descriptor on a wrapped __init__() or __new__() method. Contributed by Yongyu Yan.
    - gh-137754: Fix import of the zoneinfo module if the C implementation of the datetime module is not available.
    - gh-137490: Handle ECANCELED in the same way as EINTR in signal.sigwaitinfo() on NetBSD.
    - gh-137477: Fix inspect.getblock(), inspect.getsourcelines() and inspect.getsource() for generator expressions.
    - gh-137017: Fix threading.Thread.is_alive to remain True until the underlying OS thread is fully cleaned up. This avoids false negatives in edge cases involving thread monitoring or premature threading.Thread.is_alive calls.
    - gh-136134: SMTP.auth_cram_md5() now raises an SMTPException instead of a ValueError if Python has been built without MD5 support.
      In particular, SMTP clients will not attempt to use this method even if the remote server is assumed to support it. Patch by Bénédikt Tran.
    - gh-136134: IMAP4.login_cram_md5 now raises an IMAP4.error if CRAM-MD5 authentication is not supported. Patch by Bénédikt Tran.
    - gh-135386: Fix opening a dbm.sqlite3 database for reading from read-only file or directory.
    - gh-126631: Fix multiprocessing forkserver bug which prevented __main__ from being preloaded.
    - gh-123085: In a bare call to importlib.resources.files(), ensure the caller’s frame is properly detected when importlib.resources is itself available as a compiled module only (no source).
    - gh-118981: Fix potential hang in multiprocessing.popen_spawn_posix that can happen when the child proc dies early by closing the child fds right away.
    - gh-78319: UTF8 support for the IMAP APPEND command has been made RFC compliant.
    - bpo-38735: Fix failure when importing a module from the root directory on unix-like platforms with sys.pycache_prefix set.
    - bpo-41839: Allow negative priority values from os.sched_get_priority_min() and os.sched_get_priority_max() functions.
  - Core and Builtins
    - gh-134466: Don’t run PyREPL in a degraded environment where setting termios attributes is not allowed.
    - gh-71810: Raise OverflowError for (-1).to_bytes() for signed conversions when bytes count is zero. Patch by Sergey B Kirpichev.
    - gh-105487: Remove non-existent __copy__(), __deepcopy__(), and __bases__ from the __dir__() entries of types.GenericAlias.
    - gh-134163: Fix a hang when the process is out of memory inside an exception handler.
    - gh-138479: Fix a crash when a generic object’s __typing_subst__ returns an object that isn’t a tuple.
    - gh-137576: Fix for incorrect source code being shown in tracebacks from the Basic REPL when PYTHONSTARTUP is given. Patch by Adam Hartz.
    - gh-132744: Certain calls now check for runaway recursion and respect the system recursion limit.
  - C API
    - gh-87135: Attempting to acquire the GIL after runtime finalization has begun in a different thread now causes the thread to hang rather than terminate, which avoids potential crashes or memory corruption caused by attempting to terminate a thread that is running code not specifically designed to support termination. In most cases this hanging is harmless since the process will soon exit anyway. While not officially marked deprecated until 3.14, PyThread_exit_thread is no longer called internally and remains solely for interface compatibility. Its behavior is inconsistent across platforms, and it can only be used safely in the unlikely case that every function in the entire call stack has been designed to support the platform-dependent termination mechanism. It is recommended that users of this function change their design to not require thread termination. In the unlikely case that thread termination is needed and can be done safely, users may migrate to calling platform-specific APIs such as pthread_exit (POSIX) or _endthreadex (Windows) directly.
  - Build
    - gh-135734: Python can correctly be configured and built with ./configure --enable-optimizations --disable-test-modules. Previously, the profile data generation step failed due to PGO tests where immortalization couldn’t be properly suppressed. Patch by Bénédikt Tran.

-------------------------------------------------------------------
Mon Sep 29 06:52:07 UTC 2025 - Daniel Garcia

- Add gh139257-Support-docutils-0.22.patch to fix build with latest docutils (>=0.22) gh#python/cpython#139257

-------------------------------------------------------------------
Mon Sep 22 06:41:53 UTC 2025 - Dominique Leuenberger

- Drop AppStream: this results in a different cycle than appstream-glib. As the appdata.xml is controlled by ourselves, we can get away with just manually validating it when changing it.

-------------------------------------------------------------------
Thu Sep 18 08:15:31 UTC 2025 - Dominique Leuenberger

- Require AppStream to validate appdata file instead of deprecated appstream-glib.
- Update idle3.appdata.xml to pass the more pedantic appstreamcli.

-------------------------------------------------------------------
Tue Sep 9 10:11:58 UTC 2025 - Daniel Garcia

- Add gh138131-exclude-pycache-from-digest.patch fixing reproducible build for python-nogil. (bsc#1244680, gh#python/cpython#138131)

-------------------------------------------------------------------
Fri Aug 15 12:31:08 UTC 2025 - Matej Cepl

- Update to 3.13.7:
  - gh-137583: Fix a deadlock introduced in 3.13.6 when a call to ssl.SSLSocket.recv was blocked in one thread, and then another method on the object (such as ssl.SSLSocket.send) was subsequently called in another thread.
  - gh-137044: Return large limit values as positive integers instead of negative integers in resource.getrlimit(). Accept large values and reject negative values (except RLIM_INFINITY) for limits in resource.setrlimit().
  - gh-136914: Fix retrieval of doctest.DocTest.lineno for objects decorated with functools.cache() or functools.cached_property.
  - gh-131788: Make ResourceTracker.send from multiprocessing re-entrant safe
  - gh-136155: We are now checking for fatal errors in EPUB builds in CI.
  - gh-137400: Fix a crash in the free threading build when disabling profiling or tracing across all threads with PyEval_SetProfileAllThreads() or PyEval_SetTraceAllThreads() or their Python equivalents threading.settrace_all_threads() and threading.setprofile_all_threads().
- Remove upstreamed patch:
  - gh137583-only-lock-SSL-context.patch

-------------------------------------------------------------------
Tue Aug 12 09:16:40 UTC 2025 - Matej Cepl

- Add gh137583-only-lock-SSL-context.patch fixing the regression in 3.13.6 by breaking non-blocking TLS connections (gh#python/cpython#137583).

-------------------------------------------------------------------
Thu Aug 7 10:08:11 UTC 2025 - Matej Cepl

- Update to 3.13.6:
  - Security
    - gh-135661: Fix parsing start and end tags in html.parser.HTMLParser according to the HTML5 standard.
      - Whitespaces no longer accepted between does not end the script section.
      - Vertical tabulation (\v) and non-ASCII whitespaces no longer recognized as whitespaces. The only whitespaces are \t\n\r\f and space.
      - Null character (U+0000) no longer ends the tag name.
      - Attributes and slashes after the tag name in end tags are now ignored, instead of terminating after the first > in quoted attribute value. E.g. .
      - Multiple slashes and whitespaces between the last attribute and closing > are now ignored in both start and end tags. E.g. .
      - Multiple = between attribute name and value are no longer collapsed. E.g. produces attribute “foo” with value “=bar”.
    - gh-102555: Fix comment parsing in html.parser.HTMLParser according to the HTML5 standard. --!> now ends the comment. -- > no longer ends the comment. Support abnormally ended empty comments <--> and <--->.
    - gh-135462: Fix quadratic complexity in processing specially crafted input in html.parser.HTMLParser. End-of-file errors are now handled according to the HTML5 specs – comments and declarations are automatically closed, tags are ignored (CVE-2025-6069, bsc#1244705).
    - gh-118350: Fix support of escapable raw text mode (elements “textarea” and “title”) in html.parser.HTMLParser.
  - Core and Builtins
    - gh-58124: Fix name of the Python encoding in Unicode errors of the code page codec: use “cp65000” and “cp65001” instead of “CP_UTF7” and “CP_UTF8” which are not valid Python code names. Patch by Victor Stinner.
    - gh-137314: Fixed a regression where raw f-strings incorrectly interpreted escape sequences in format specifications. Raw f-strings now properly preserve literal backslashes in format specs, matching the behavior from Python 3.11.
      For example, rf"{obj:\xFF}" now correctly produces '\\xFF' instead of 'ÿ'. Patch by Pablo Galindo.
    - gh-136541: Fix some issues with the perf trampolines on x86-64 and aarch64. The trampolines were not being generated correctly for some cases, which could lead to the perf integration not working correctly. Patch by Pablo Galindo.
    - gh-109700: Fix memory error handling in PyDict_SetDefault().
    - gh-78465: Fix error message for cls.__new__(cls, ...) where cls is not instantiable builtin or extension type (with tp_new set to NULL).
    - gh-135871: Non-blocking mutex lock attempts now return immediately when the lock is busy instead of briefly spinning in the free threading build.
    - gh-135607: Fix potential weakref races in an object’s destructor on the free threaded build.
    - gh-135496: Fix typo in the f-string conversion type error (“exclamanation” -> “exclamation”).
    - gh-130077: Properly raise custom syntax errors when incorrect syntax containing names that are prefixes of soft keywords is encountered. Patch by Pablo Galindo.
    - gh-135148: Fixed a bug where f-string debug expressions (using =) would incorrectly strip out parts of strings containing escaped quotes and # characters. Patch by Pablo Galindo.
    - gh-133136: Limit excess memory usage in the free threading build when a large dictionary or list is resized and accessed by multiple threads.
    - gh-132617: Fix dict.update() modification check that could incorrectly raise a “dict mutated during update” error when a different dictionary was modified that happens to share the same underlying keys object.
    - gh-91153: Fix a crash when a bytearray is concurrently mutated during item assignment.
    - gh-127971: Fix off-by-one read beyond the end of a string in string search.
    - gh-125723: Fix crash with gi_frame.f_locals when generator frames outlive their generator. Patch by Mikhail Efimov.
  - Library
    - gh-132710: If possible, ensure that uuid.getnode() returns the same result even across different processes.
      Previously, the result was constant only within the same process. Patch by Bénédikt Tran.
    - gh-137273: Fix debug assertion failure in locale.setlocale() on Windows.
    - gh-137257: Bump the version of pip bundled in ensurepip to version 25.2
    - gh-81325: tarfile.TarFile now accepts a path-like when working on a tar archive. (Contributed by Alexander Enrique Urieles Nieto in gh-81325.)
    - gh-130522: Fix unraisable TypeError raised during interpreter shutdown in the threading module.
    - gh-130577: tarfile now validates archives to ensure member offsets are non-negative. (Contributed by Alexander Enrique Urieles Nieto in gh-130577; CVE-2025-8194, bsc#1247249).
    - gh-136549: Fix signature of threading.excepthook().
    - gh-136523: Fix wave.Wave_write emitting an unraisable when open raises.
    - gh-52876: Add missing keepends (default True) parameter to codecs.StreamReaderWriter.readline() and codecs.StreamReaderWriter.readlines().
    - gh-85702: If zoneinfo._common.load_tzdata is given a package without a resource a zoneinfo.ZoneInfoNotFoundError is raised rather than a PermissionError. Patch by Victor Stinner.
    - gh-134759: Fix UnboundLocalError in email.message.Message.get_payload() when the payload to decode is a bytes object. Patch by Kliment Lamonov.
    - gh-136028: Fix parsing month names containing “İ” (U+0130, LATIN CAPITAL LETTER I WITH DOT ABOVE) in time.strptime(). This affects locales az_AZ, ber_DZ, ber_MA and crh_UA.
    - gh-135995: In the palmos encoding, make byte 0x9b decode to › (U+203A - SINGLE RIGHT-POINTING ANGLE QUOTATION MARK).
    - gh-53203: Fix time.strptime() for %c and %x formats on locales byn_ER, wal_ET and lzh_TW, and for %X format on locales ar_SA, bg_BG and lzh_TW.
    - gh-91555: An earlier change, which was introduced in 3.13.4, has been reverted. It disabled logging for a logger during handling of log messages for that logger. Since the reversion, the behaviour should be as it was before 3.13.4.
    - gh-135878: Fixes a crash of types.SimpleNamespace on free threading builds, when several threads were calling its __repr__() method at the same time.
    - gh-135836: Fix IndexError in asyncio.loop.create_connection() that could occur when non-OSError exception is raised during connection and socket’s close() raises OSError.
    - gh-135836: Fix IndexError in asyncio.loop.create_connection() that could occur when the Happy Eyeballs algorithm resulted in an empty exceptions list during connection attempts.
    - gh-135855: Raise TypeError instead of SystemError when _interpreters.set___main___attrs() is passed a non-dict object. Patch by Brian Schubert.
    - gh-135815: netrc: skip security checks if os.getuid() is missing. Patch by Bénédikt Tran.
    - gh-135640: Address bug where it was possible to call xml.etree.ElementTree.ElementTree.write() on an ElementTree object with an invalid root element. This behavior blanked the file passed to write if it already existed.
    - gh-135444: Fix asyncio.DatagramTransport.sendto() to account for datagram header size when data cannot be sent.
    - gh-135497: Fix os.getlogin() failing for longer usernames on BSD-based platforms.
    - gh-135487: Fix reprlib.Repr.repr_int() when given integers with more than sys.get_int_max_str_digits() digits. Patch by Bénédikt Tran.
    - gh-135335: multiprocessing: Flush stdout and stderr after preloading modules in the forkserver.
    - gh-135244: uuid: when the MAC address cannot be determined, the 48-bit node ID is now generated with a cryptographically-secure pseudo-random number generator (CSPRNG) as per RFC 9562, §6.10.3. This affects uuid1().
    - gh-135069: Fix the “Invalid error handling” exception in encodings.idna.IncrementalDecoder to correctly replace the ‘errors’ parameter.
    - gh-134698: Fix a crash when calling methods of ssl.SSLContext or ssl.SSLSocket across multiple threads.
    - gh-132124: On POSIX-compliant systems, multiprocessing.util.get_temp_dir() now ignores TMPDIR (and similar environment variables) if the path length of AF_UNIX socket files exceeds the platform-specific maximum length when using the forkserver start method. Patch by Bénédikt Tran.
    - gh-133439: Fix dot commands with trailing spaces are mistaken for multi-line SQL statements in the sqlite3 command-line interface.
    - gh-132969: Prevent the ProcessPoolExecutor executor thread, which remains running when shutdown(wait=False), from attempting to adjust the pool’s worker processes after the object state has already been reset during shutdown. A combination of conditions, including a worker process having terminated abnormally, resulted in an exception and a potential hang when the still-running executor thread attempted to replace dead workers within the pool.
    - gh-130664: Support the '_' digit separator in formatting of the integral part of Decimal’s. Patch by Sergey B Kirpichev.
    - gh-85702: If zoneinfo._common.load_tzdata is given a package without a resource a ZoneInfoNotFoundError is raised rather than a IsADirectoryError.
    - gh-130664: Handle corner-case for Fraction’s formatting: treat zero-padding (preceding the width field by a zero ('0') character) as an equivalent to a fill character of '0' with an alignment type of '=', just as in case of float’s.
  - Tools/Demos
    - gh-135968: Stubs for strip are now provided as part of an iOS install.
  - Tests
    - gh-135966: The iOS testbed now handles the app_packages folder as a site directory.
    - gh-135494: Fix regrtest to support excluding tests from --pgo tests. Patch by Victor Stinner.
    - gh-135489: Show verbose output for failing tests during PGO profiling step with --enable-optimizations.
  - Documentation
    - gh-135171: Document that the iterator for the leftmost for clause in the generator expression is created immediately.
  - Build
    - gh-135497: Fix the detection of MAXLOGNAME in the configure.ac script.
- Remove upstreamed patches:
  - CVE-2025-8194-tarfile-no-neg-offsets.patch
  - CVE-2025-6069-quad-complex-HTMLParser.patch

-------------------------------------------------------------------
Fri Aug 1 20:09:24 UTC 2025 - Matej Cepl

- Add CVE-2025-8194-tarfile-no-neg-offsets.patch which now validates archives to ensure member offsets are non-negative (gh#python/cpython#130577, CVE-2025-8194, bsc#1247249).

-------------------------------------------------------------------
Thu Jul 10 09:33:26 UTC 2025 - Daniel Garcia

- Fix gil/nogil package description, bsc#1246229

-------------------------------------------------------------------
Wed Jul 2 14:47:20 UTC 2025 - Matej Cepl

- Add CVE-2025-6069-quad-complex-HTMLParser.patch to avoid worst case quadratic complexity when processing certain crafted malformed inputs with HTMLParser (CVE-2025-6069, bsc#1244705).

-------------------------------------------------------------------
Wed Jul 2 13:14:28 UTC 2025 - Matej Cepl

- Add bsc1243155-sphinx-non-determinism.patch (bsc#1243155) to generate ids for audit_events using docname (reproducible builds).

-------------------------------------------------------------------
Tue Jul 1 08:23:22 UTC 2025 - Daniel Garcia

- Use one core to build doc. This will make sphinx doc build reproducible. bsc#1243155

-------------------------------------------------------------------
Sat Jun 21 14:32:16 UTC 2025 - Marcus Meissner

- adjusted sofilename for "nogil" build correctly.

-------------------------------------------------------------------
Wed Jun 11 22:02:59 UTC 2025 - Matej Cepl

- Update to 3.13.5:
  - Tests
    - gh-135120: Add test.support.subTests().
  - Library
    - gh-133967: Do not normalize locale name ‘C.UTF-8’ to ‘en_US.UTF-8’.
    - gh-135326: Restore support of integer-like objects with __index__() in random.getrandbits().
    - gh-135321: Raise a correct exception for values greater than 0x7fffffff for the BINSTRING opcode in the C implementation of pickle.
    - gh-135276: Backported bugfixes in zipfile.Path from zipp 3.23. Fixed .name, .stem and other basename-based properties on Windows when working with a zipfile on disk.
    - gh-134151: email: Fix TypeError in email.utils.decode_params() when sorting RFC 2231 continuations that contain an unnumbered section.
    - gh-134152: email: Fix parsing of email message ID with invalid domain.
    - gh-127081: Fix libc thread safety issues with os by replacing getlogin with getlogin_r re-entrant version.
    - gh-131884: Fix formatting issues in json.dump() when both indent and skipkeys are used.
  - Core and Builtins
    - gh-135171: Roll back changes to generator and list comprehensions that went into 3.13.4 to fix gh-127682, but which involved semantic and bytecode changes not appropriate for a bugfix release.
  - C API
    - gh-134989: Fix Py_RETURN_NONE, Py_RETURN_TRUE and Py_RETURN_FALSE macros in the limited C API 3.11 and older: don’t treat Py_None, Py_True and Py_False as immortal. Patch by Victor Stinner.
    - gh-134989: Implement PyObject_DelAttr() and PyObject_DelAttrString() as macros in the limited C API 3.12 and older. Patch by Victor Stinner.
- Substantially rewritten doc-py38-to-py36.patch patch to be more flexible and covering even unexpected changes.

-------------------------------------------------------------------
Mon Jun 9 21:24:09 UTC 2025 - Matej Cepl

- Update to 3.13.4:
  - Security
    - gh-135034: Fixes multiple issues that allowed tarfile extraction filters (filter="data" and filter="tar") to be bypassed using crafted symlinks and hard links. Addresses CVE-2024-12718 (bsc#1244056), CVE-2025-4138 (bsc#1244059), CVE-2025-4330 (bsc#1244060), and CVE-2025-4517 (bsc#1244032). Also addresses CVE-2025-4435 (gh#135034, bsc#1244061).
    - gh-133767: Fix use-after-free in the “unicode-escape” decoder with a non-“strict” error handler (CVE-2025-4516, bsc#1243273).
    - gh-128840: Short-circuit the processing of long IPv6 addresses early in ipaddress to prevent excessive memory consumption and a minor denial-of-service.
  - Library
    - gh-134718: ast.dump() now only omits None and [] values if they are default values.
    - gh-128840: Fix parsing long IPv6 addresses with embedded IPv4 address.
    - gh-134696: Built-in HACL* and OpenSSL implementations of hash function constructors now correctly accept the same documented named arguments. For instance, md5() could be previously invoked as md5(data=data) or md5(string=string) depending on the underlying implementation but these calls were not compatible. Patch by Bénédikt Tran.
    - gh-134210: curses.window.getch() now correctly handles signals. Patch by Bénédikt Tran.
    - gh-80334: multiprocessing.freeze_support() now checks for work on any “spawn” start method platform rather than only on Windows.
    - gh-114177: Fix asyncio to not close subprocess pipes which would otherwise error out when the event loop is already closed.
    - gh-134152: Fixed UnboundLocalError that could occur during email header parsing if an expected trailing delimiter is missing in some contexts.
    - gh-62184: Remove import of C implementation of io.FileIO from Python implementation which has its own implementation
    - gh-133982: Emit RuntimeWarning in the Python implementation of io when the file-like object is not closed explicitly in the presence of multiple I/O layers.
    - gh-133890: The tarfile module now handles UnicodeEncodeError in the same way as OSError when cannot extract a member.
    - gh-134097: Fix interaction of the new REPL and -X showrefcount command line option.
    - gh-133889: The generated directory listing page in http.server.SimpleHTTPRequestHandler now only shows the decoded path component of the requested URL, and not the query and fragment.
    - gh-134098: Fix handling paths that end with a percent-encoded slash (%2f or %2F) in http.server.SimpleHTTPRequestHandler.
    - gh-134062: ipaddress: fix collisions in __hash__() for IPv4Network and IPv6Network objects.
    - gh-133745: In 3.13.3 we accidentally changed the signature of the asyncio create_task() family of methods and how it calls a custom task factory in a backwards incompatible way. Since some 3rd party libraries have already made changes to work around the issue that might break if we simply reverted the changes, we’re instead changing things to be backwards compatible with 3.13.2 while still supporting those workarounds for 3.13.3. In particular, the special-casing of name and context is back (until 3.14) and consequently eager tasks may still find that their name hasn’t been set before they execute their first yielding await.
    - gh-71253: Raise ValueError in open() if opener returns a negative file-descriptor in the Python implementation of io to match the C implementation.
    - gh-77057: Fix handling of invalid markup declarations in html.parser.HTMLParser.
    - gh-133489: random.getrandbits() can now generate more than 2**31 bits. random.randbytes() can now generate more than 256 MiB.
    - gh-133290: Fix attribute caching issue when setting ctypes._Pointer._type_ in the undocumented and deprecated ctypes.SetPointerType() function and the undocumented set_type() method.
    - gh-132876: ldexp() on Windows doesn’t round subnormal results before Windows 11, but should. Python’s math.ldexp() wrapper now does round them, so results may change slightly, in rare cases of very small results, on Windows versions before 11.
    - gh-133089: Use original timeout value for subprocess.TimeoutExpired when the func subprocess.run() is called with a timeout instead of sometimes a confusing partial remaining time out value used internally on the final wait().
    - gh-133009: xml.etree.ElementTree: Fix a crash in Element.__deepcopy__ when the element is concurrently mutated. Patch by Bénédikt Tran.
    - gh-132995: Bump the version of pip bundled in ensurepip to version 25.1.1
    - gh-132017: Fix error when pyrepl is suspended, then resumed and terminated.
    - gh-132673: Fix a crash when using _align_ = 0 and _fields_ = [] in a ctypes.Structure.
    - gh-132527: Include the valid typecode ‘w’ in the error message when an invalid typecode is passed to array.array.
    - gh-132439: Fix PyREPL on Windows: characters entered via AltGr are swallowed. Patch by Chris Eibl.
    - gh-132429: Fix support of Bluetooth sockets on NetBSD and DragonFly BSD.
    - gh-132106: QueueListener.start now raises a RuntimeError if the listener is already started.
    - gh-132417: Fix a NULL pointer dereference when a C function called using ctypes with restype py_object returns NULL.
    - gh-132385: Fix instance error suggestions trigger potential exceptions in object.__getattr__() in traceback.
    - gh-132308: A traceback.TracebackException now correctly renders the __context__ and __cause__ attributes from falsey Exception, and the exceptions attribute from falsey ExceptionGroup.
    - gh-132250: Fixed the SystemError in cProfile when locating the actual C function of a method raises an exception.
    - gh-132063: Prevent exceptions that evaluate as falsey (namely, when their __bool__ method returns False or their __len__ method returns 0) from being ignored by concurrent.futures.ProcessPoolExecutor and concurrent.futures.ThreadPoolExecutor.
    - gh-119605: Respect follow_wrapped for __init__() and __new__() methods when getting the class signature for a class with inspect.signature(). Preserve class signature after wrapping with warnings.deprecated(). Patch by Xuehai Pan.
    - gh-91555: Ignore log messages generated during handling of log messages, to avoid deadlock or infinite recursion.
    - gh-131434: Improve error reporting for incorrect format in time.strptime().
    - gh-131127: Systems using LibreSSL now successfully build.
    - gh-130999: Avoid exiting the new REPL and offer suggestions even if there are non-string candidates when errors occur.
    - gh-130941: Fix configparser.ConfigParser parsing empty interpolation with allow_no_value set to True.
    - gh-129098: Fix REPL traceback reporting when using compile() with an inexisting file. Patch by Bénédikt Tran.
    - gh-130631: http.cookiejar.join_header_words() is now more similar to the original Perl version. It now quotes the same set of characters and always quotes values that end with "\n".
    - gh-129719: Fix missing socket.CAN_RAW_ERR_FILTER constant in the socket module on Linux systems. It was missing since Python 3.11.
    - gh-124096: Turn on virtual terminal mode and enable bracketed paste in REPL on Windows console. (If the terminal does not support bracketed paste, enabling it does nothing.)
    - gh-122559: Remove __reduce__() and __reduce_ex__() methods that always raise TypeError in the C implementation of io.FileIO, io.BufferedReader, io.BufferedWriter and io.BufferedRandom and replace them with default __getstate__() methods that raise TypeError. This restores fine details of behavior of Python 3.11 and older versions.
    - gh-122179: hashlib.file_digest() now raises BlockingIOError when no data is available during non-blocking I/O. Before, it added spurious null bytes to the digest.
    - gh-86155: html.parser.HTMLParser.close() no longer loses data when the