mcepl 691d982d29 Upgrade to 3.14.5
  - Security
    - gh-148178: Hardened _remote_debugging by validating remote
      debug offset tables before using them to size memory reads
      or interpret remote layouts (bsc#1262132, CVE-2026-5713).
    - gh-149254: Update Android and iOS installer to use OpenSSL
      3.0.20.
    - gh-149017: Update bundled libexpat to version 2.8.0.
    - gh-90309: Base64-encode values when embedding cookies to
      JavaScript using the http.cookies.BaseCookie.js_output()
      method to avoid injection and escaping (bsc#1262654,
      CVE-2026-6019).
    - gh-148808: Added buffer boundary check when using nbytes
      parameter with
      asyncio.AbstractEventLoop.sock_recvfrom_into(). Only
      relevant for Windows and the asyncio.ProactorEventLoop.
    - gh-148395: Fix a dangling input pointer in
      lzma.LZMADecompressor, bz2.BZ2Decompressor, and internal
      zlib._ZlibDecompressor when memory allocation fails with
      MemoryError, which could let a subsequent decompress() call
      read or write through a stale pointer to the
      already-released caller buffer (bsc#1262098, CVE-2026-6100).
    - gh-148169: A bypass in webbrowser allowed URLs prefixed
      with %action to pass the dash-prefix safety check
      (bsc#1262319, CVE-2026-4786).
    - gh-146581: Fix vulnerability in shutil.unpack_archive() for
      ZIP files on Windows which allowed writing files outside
      of the destination tree if the path in the archive
      contains a Windows drive prefix. Now such invalid paths
      will be skipped. Files containing “..” in the name (like
      “foo..bar”) are no longer skipped.
    - gh-146333: Fix quadratic backtracking in
      configparser.RawConfigParser option parsing regexes (OPTCRE
      and OPTCRE_NV). A crafted configuration line with many
      whitespace characters could cause excessive CPU usage.
    - gh-146211: Reject CR/LF characters in tunnel request
      headers for the HTTPConnection.set_tunnel() method
      (bsc#1261969, CVE-2026-1502).
  - Core and Builtins
    - gh-146270: Fix a sequential consistency bug in
      structmember.c.
    - gh-137293: Fix SystemError when searching ELF Files in
      sys.remote_exec().
    - gh-149122: Fix a crash in optimized calls to all(), any(),
      tuple(), list(), and set() with an async generator
      expression argument (for example, tuple(await x for x in
      y)). These calls now correctly raise TypeError instead of
      crashing.
    - gh-113956: Fix a data race in sys.intern() in the
      free-threaded build when interning a string owned by
      another thread. An interned copy owned by the current
      thread is used instead when it is not safe to immortalize
      the original.
    - gh-148820: Fix a race in _PyRawMutex on the free-threaded
      build where a Py_PARK_INTR return from _PySemaphore_Wait
      could let the waiter destroy its semaphore before the
      unlocking thread’s _PySemaphore_Wakeup completed, causing
      a fatal ReleaseSemaphore error.
    - gh-148653: Forbid marshalling recursive code objects and
      slice objects which cannot be correctly unmarshalled.
    - gh-142516: Forward-port the generational cycle garbage
      collector to the default 3.14 build, replacing the
      incremental collector while leaving the free-threaded
      collector unchanged.
    - gh-148390: Fix an undefined behavior in memoryview when
      using the native boolean format (?) in cast(). Previously,
      on some common platforms, calling
      memoryview(b).cast("?").tolist() incorrectly returned
      [False] instead of [True] for any even byte b. Patch by
      Bénédikt Tran.
    - gh-148418: Fix a possible reference leak in a corrupted
      TYPE_CODE marshal stream.
    - gh-148393: Fix data races between PyDict_Watch()
      / PyDict_Unwatch() and concurrent dict mutation in the
      free-threaded build.
    - gh-148284: Fix high stack consumption in Python’s
      interpreter loop on Clang 22 by setting function limits for
      inlining when building with computed gotos.
    - gh-148037: Remove critical section from PyCode_Addr2Line()
      in free-threading.
    - gh-148222: Fix vectorcall support in types.GenericAlias
      when the underlying type does not support the vectorcall
      protocol. Fix possible leaks in types.GenericAlias and
      types.UnionType in case of memory error.
    - gh-148208: Fix recursion depth leak in PyObject_Print()
    - gh-137814: Fix the __qualname__ attribute of __annotate__
      functions on functions.
    - gh-147998: Fixed a memory leak in interpreter helper calls
      so cleanup works when an operation falls across interpreter
      boundaries. Patch by Maurycy Pawłowski-Wieroński.
    - gh-146455: Fix O(N²) compile-time regression in constant
      folding after it was moved from AST to CFG optimizer.
  - Library
    - gh-149388: Make asyncio.windows_utils.PipeHandle closing
      idempotent.
    - gh-149377: Update bundled pip to 26.1.1
    - gh-138907: Support RFC 9309 in urllib.robotparser.
    - gh-148615: Fix pdb to accept standard -- end of options
      separator. Reported by haampie. Patched by Shrey Naithani.
    - gh-130750: Restore quoting of choices in argparse error
      messages for improved clarity and consistency with
      documentation.
    - gh-141449: Improve tests and documentation for non-function
      callables as annotate functions.
    - gh-149221: Catch rare math domain error for
      random.binomialvariate().
    - gh-149117: Fix runpy.run_module() and runpy.run_path() to
      set the name attribute on the ImportError they raise.
    - gh-149148: ensurepip: Upgrade bundled pip to 26.1. This
      version fixes the CVE 2026-3219 vulnerability. Patch by
      Victor Stinner.
    - gh-148093: Fix an out-of-bounds read of one byte in
      binascii.a2b_uu(). Raise binascii.Error, instead of reading
      past the buffer end.
    - gh-148914: Fix memoization of in-band PickleBuffer in the
      Python implementation of pickle. Previously, identical
      PickleBuffers did not preserve identity, and empty writable
      PickleBuffer memoized an empty bytearray object in place of
      b'', so the following references to b'' were unpickled as
      an empty bytearray object.
    - gh-148947: Fix crash in @dataclasses.dataclass with
      slots=True that occurred when a function found within the
      class had an empty __class__ cell.
    - gh-148680: ForwardRef objects that contain internal names
      to represent known objects now show the type_repr of the
      known object rather than the internal
      __annotationlib_name_x__ name when evaluated as strings.
    - gh-148801: xml.etree.ElementTree: Fix a crash in
      Element.__deepcopy__ on deeply nested trees.
    - gh-148735: xml.etree.ElementTree: Fix a use-after-free in
      Element.findtext when the element tree is mutated
      concurrently during the search.
    - gh-148740: Fix usage for uuid command-line interface to
      support a custom namespace being provided for uuid3 and uuid5.
    - gh-148651: Fix reference leak in
      compression.zstd.ZstdDecompressor when an invalid option
      key is passed.
    - gh-146553: Fix infinite loop in typing.get_type_hints()
      when __wrapped__ forms a cycle. Patch by Shamil Abdulaev.
    - gh-148508: An intermittent timing error when running SSL
      tests on iOS has been resolved.
    - gh-148518: If an email containing an address header that
      ended in an open double quote was parsed with
      a non-compat32 policy, accessing the username attribute of
      the mailbox accessed through that header object would
      result in an IndexError. It now correctly returns an empty
      string as the result.
    - gh-148464: Add missing __ctype_le/be__ attributes for
      c_float_complex and c_double_complex. Patch by Sergey
      B Kirpichev.
    - gh-148370: configparser: prevent quadratic behavior when
      a ParsingError is raised after a parser fails to parse
      multiple lines. Patch by Bénédikt Tran.
    - gh-148254: Use singular “sec” instead of “secs” in timeit
      verbose output for consistency with other time units.
    - gh-148192: email.generator.Generator._make_boundary could
      fail to detect a duplicate boundary string if linesep was
      not \n. It now correctly detects boundary strings when
      linesep is \r\n as well.
    - gh-146313: Fix a deadlock in multiprocessing’s resource
      tracker where the parent process could hang indefinitely in
      os.waitpid() during interpreter shutdown if a child created
      via os.fork() still held the resource tracker’s pipe open.
    - gh-145831: Fix email.quoprimime.decode() leaving a stray \r
      when eol='\r\n' by stripping the full eol string instead of
      one character.
    - gh-145105: Fix crash in csv reader when iterating with
      a re-entrant iterator that calls next() on the same reader
      from within __next__.
    - gh-105936: Attempting to mutate non-field attributes of
      dataclasses with both frozen and slots being True now
      raises FrozenInstanceError instead of TypeError. Their
      non-dataclass subclasses can now freely mutate non-field
      attributes, and the original non-slotted class can be
      garbage collected.
    - gh-140287: The asyncio REPL now handles exceptions when
      executing PYTHONSTARTUP scripts. Patch by Bartosz Sławecki.
    - gh-132631: Fix “I/O operation on closed file” when parsing
      JSON Lines file with JSON CLI.
    - gh-70039: Fixed bug where smtplib.SMTP.starttls() could
      fail if smtplib.SMTP.connect() is called explicitly rather
      than implicitly.
    - gh-83281: email: improve handling trailing garbage in
      address lists to avoid throwing AttributeError in certain
      edge cases
  - Documentation
    - gh-148663: Document that calendar.IllegalMonthError is
      a subclass of both ValueError and IndexError since Python
      3.12.
    - gh-146646: Document that glob.glob(), glob.iglob(),
      pathlib.Path.glob(), and pathlib.Path.rglob() silently
      suppress OSError exceptions raised from scanning the
      filesystem.
  - Build
    - gh-149351: Avoid possible broken macOS framework install
      names when DESTDIR is specified during builds.
    - gh-146475: Block Apple Clang from being used to build the
      JIT as it ships without required LLVM tools.
    - gh-148535: No longer use the gcc -fprofile-update=atomic
      flag on i686. The flag has been added to fix a random GCC
      internal error on PGO build (gh-145801) caused by
      corruption of profile data (.gcda files). The problem is
      that it makes the PGO build way slower (up to 47x slower)
      on i686. Since the GCC internal error was not seen on i686
      so far, don’t use -fprofile-update=atomic on i686 anymore.
      Patch by Victor Stinner.
    - gh-146264: Fix static module builds on non-WASI targets by
      linking HACL dependencies as static libraries when
      MODULE_BUILDTYPE=static, preventing duplicate _Py_LibHacl_*
      symbol errors at link time.
Remove upstreamed patches:
  - CVE-2026-6019-Morsel-js_output.patch
  - CVE-2026-1502-reject-CRLF-HTTP-tunnel.patch
  - CVE-2026-5713-validate-debug-load.patch
  - CVE-2026-4786-webbrowser-open-action.patch
  - CVE-2026-6100-use-after-free-decompression.patch
    - gh-149425: Increase time delta in test.test_zipfile.test_core.OtherTests.test_write_without_source_date_epoch
    - gh-145736: Fix test_tkinter test_configure_values test case backport miss for Tk 9.
macOS
    - gh-142295: For Python macOS framework builds, update Info.plist files to be more compliant with current Apple guidelines. Original patch contributed by Martinus Verburg.
    - gh-124111: Update macOS installer to use Tcl/Tk 9.0.3.
2026-06-09 17:47:27 +02:00
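
The gh-146581 entry above describes a rule that can also be checked before extraction on interpreters that do not yet carry the fix. The following is an added example, not part of this commit or of CPython's patch: it audits ZIP member names with Windows path rules. The function names, reason strings and sample names are constructed for illustration.

```python
import ntpath
import re
import zipfile


def member_problem(name):
    """Return why `name` could land outside the destination on Windows, or None."""
    # ntpath applies Windows path rules on any host OS.
    drive, rest = ntpath.splitdrive(name)
    if drive:  # "C:", "C:relative", "//server/share"
        return "drive or UNC prefix"
    if rest.startswith(("/", "\\")):
        return "absolute path"
    # Compare whole components, so "foo..bar" is an ordinary file name.
    if ".." in re.split(r"[\\/]", rest):
        return "parent-directory component"
    return None


def audit_names(names):
    """Return (name, reason) for every member name that should not be extracted."""
    return [(n, why) for n in names if (why := member_problem(n)) is not None]


def audit_zip(file):
    """Audit the member names of a ZIP given as a path or file object."""
    with zipfile.ZipFile(file) as zf:
        return audit_names(zf.namelist())


# Constructed member names for illustration; not taken from a real archive.
SAMPLE_NAMES = [
    "docs/readme.txt",
    "docs/foo..bar",
    "C:/temp/out.txt",
    "C:relative.txt",
    "//server/share/x.txt",
    "/abs/x.txt",
    "a/../b.txt",
]

if __name__ == "__main__":
    for name, reason in audit_names(SAMPLE_NAMES):
        print(f"skip {name!r}: {reason}")
```

Run audit_zip() on an archive before handing it to shutil.unpack_archive() and refuse or log the archive if the returned list is not empty.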

Python 3 in SUSE
================

* Subpackages *

Python 3 is split into several subpackages, based on external dependencies.
The main package 'python3' has soft dependencies on all subpackages needed to
assemble the standard library; however, these might not all be installed by default.

If you attempt to import a module that is currently not installed, an ImportError is thrown,
with instructions to install the missing subpackage. Installing the subpackage might result
in installing libraries that the subpackage requires to function.


* ensurepip *

The 'ensurepip' module from the Python 3 standard library (PEP 453) is supposed to deploy
a bundled copy of the pip installer. This makes no sense in a managed distribution like SUSE.
Instead, you need to install package 'python3-pip'. Usually this will be installed automatically
with 'python3'.

Using 'ensurepip' when pip is not installed will result in an ImportError with instructions
to install 'python3-pip'.


* Documentation *

You can find documentation in separate packages: python3-doc and
python3-doc-pdf. These contain the following documents:

    Tutorial, What's New in Python, Global Module Index, Library Reference,
    Macintosh Module Reference, Installing Python Modules, Distributing Python
    Modules, Language Reference, Extending and Embedding, Python/C API,
    Documenting Python

The python3-doc package contains many text files from the source tarball.


* Interactive mode *

Interactive mode is by default enhanced with history and command completion.
If you don't like these features, you can unset the PYTHONSTARTUP variable
in your .profile or disable it system wide in /etc/profile.d/python.sh.