-------------------------------------------------------------------
Thu Dec 11 17:37:09 UTC 2025 - Matej Cepl

* Update to 3.14.2:
  - Security
    - gh-142145: Remove quadratic behavior in xml.minidom node ID cache clearing.
    - gh-119452: Fix a potential memory denial of service in the http.server module. When a malicious user is connected to the CGI server on Windows, it could cause an arbitrary amount of memory to be allocated. This could have led to symptoms including a MemoryError, swapping, out of memory (OOM) killed processes or containers, or even system crashes.
  - Library
    - gh-140797: Revert changes to the undocumented re.Scanner class. Capturing groups are still allowed for backward compatibility, although using them can lead to incorrect results. They will be forbidden in future Python versions.
    - gh-142206: The resource tracker in the multiprocessing module now uses the original communication protocol, as in Python 3.14.0 and below, by default. This avoids issues with upgrading Python while it is running. (Note that such ‘in-place’ upgrades are not tested.) The tracker remains compatible with subprocesses that use new protocol (that is, subprocesses using Python 3.13.10, 3.14.1 and 3.15).
    - gh-142214: Fix two regressions in dataclasses in Python 3.14.1 related to annotations. An exception is no longer raised if slots=True is used and the __init__ method does not have an __annotate__ attribute (likely because init=False was used). An exception is no longer raised if annotations are requested on the __init__ method and one of the fields is not present in the class annotations. This can occur in certain dynamic scenarios. Patch by Jelle Zijlstra.
  - Core and Builtins
    - gh-142218: Fix crash when inserting into a split table dictionary with a non str key that matches an existing key.
    - gh-116738: Fix cmath data race when initializing trigonometric tables with subinterpreters.
* Update to 3.14.1:
  - Tools/Demos
    - gh-141692: Each slice of an iOS XCframework now contains a lib folder that contains a symlink to the libpython dylib. This allows binary modules to be compiled for iOS using dynamic library linking, rather than Framework linking.
    - gh-141442: The iOS testbed now correctly handles test arguments that contain spaces.
    - gh-140702: The iOS testbed app will now expose the GITHUB_ACTIONS environment variable to iOS apps being tested.
    - gh-137484: Have Tools/wasm/wasi put the build Python into a directory named after the build triple instead of “build”.
    - gh-137248: Add a --logdir option to Tools/wasm/wasi for specifying where to write log files.
    - gh-137243: Have Tools/wasm/wasi detect a WASI SDK install in /opt when it was directly extracted from a release tarball.
  - Tests
    - gh-140482: Preserve and restore the state of stty echo as part of the test environment.
    - gh-140082: Update python -m test to set FORCE_COLOR=1 when being run with color enabled so that unittest which is run by it with redirected output will output in color.
    - gh-139208: Fix regrtest --fast-ci --verbose: don’t ignore the --verbose option anymore. Patch by Victor Stinner.
    - gh-136442: Use exitcode 1 instead of 5 if unittest.TestCase.setUpClass() raises an exception
  - Security
    - gh-139700: Check consistency of the zip64 end of central directory record. Support records with “zip64 extensible data” if there are no bytes prepended to the ZIP file.
    - gh-139283: sqlite3: correctly handle maximum number of rows to fetch in Cursor.fetchmany and reject negative values for Cursor.arraysize. Patch by Bénédikt Tran. (CVE-2025-8291, bsc#1251305)
    - gh-137836: Add support of the “plaintext” element, RAWTEXT elements “xmp”, “iframe”, “noembed” and “noframes”, and optionally RAWTEXT element “noscript” in html.parser.HTMLParser.
    - gh-136063: email.message: ensure linear complexity for legacy HTTP parameters parsing. Patch by Bénédikt Tran.
    - gh-136065: Fix quadratic complexity in os.path.expandvars() (CVE-2025-6075, bsc#1252974)
    - gh-119451: Fix a potential memory denial of service in the http.client module. When connecting to a malicious server, it could cause an arbitrary amount of memory to be allocated. This could have led to symptoms including a MemoryError, swapping, out of memory (OOM) killed processes or containers, or even system crashes (CVE-2025-13836, bsc#1254400)
    - gh-119342: Fix a potential memory denial of service in the plistlib module. When reading a Plist file received from untrusted source, it could cause an arbitrary amount of memory to be allocated. This could have led to symptoms including a MemoryError, swapping, out of memory (OOM) killed processes or containers, or even system crashes (CVE-2025-13837, bsc#1254401).
  - Library
    - gh-74389: When the stdin being used by a subprocess.Popen instance is closed, this is now ignored in subprocess.Popen.communicate() instead of leaving the class in an inconsistent state.
    - gh-87512: Fix subprocess.Popen.communicate() timeout handling on Windows when writing large input. Previously, the timeout was ignored during stdin writing, causing the method to block indefinitely if the child process did not consume input quickly. The stdin write is now performed in a background thread, allowing the timeout to be properly enforced.
    - gh-141473: When subprocess.Popen.communicate() was called with input and a timeout and is called for a second time after a TimeoutExpired exception before the process has died, it should no longer hang.
    - gh-59000: Fix pdb breakpoint resolution for class methods when the module defining the class is not imported.
    - gh-141570: Support file-like object raising OSError from fileno() in color detection (_colorize.can_colorize()). This can occur when sys.stdout is redirected.
    - gh-141659: Fix bad file descriptor errors from _posixsubprocess on AIX.
    - gh-141600: Fix musl version detection on Void Linux.
    - gh-141497: ipaddress: ensure that the methods IPv4Network.hosts() and IPv6Network.hosts() always return an iterator.
    - gh-140938: The statistics.stdev() and statistics.pstdev() functions now raise a ValueError when the input contains an infinity or a NaN.
    - gh-124111: Updated Tcl threading configuration in _tkinter to assume that threads are always available in Tcl 9 and later.
    - gh-137109: The os.fork and related forking APIs will no longer warn in the common case where Linux or macOS platform APIs return the number of threads in a process and find the answer to be 1 even when a os.register_at_fork() after_in_parent= callback (re)starts a thread.
    - gh-141314: Fix assertion failure in io.TextIOWrapper.tell() when reading files with standalone carriage return (\r) line endings.
    - gh-141311: Fix assertion failure in io.BytesIO.readinto() and undefined behavior arising when read position is above capacity in io.BytesIO.
    - gh-141141: Fix a thread safety issue with base64.b85decode(). Contributed by Benel Tayar.
    - gh-137969: Fix annotationlib.ForwardRef.evaluate() returning ForwardRef objects which don’t update with new globals.
    - gh-140911: collections: Ensure that the methods UserString.rindex() and UserString.index() accept collections.UserString instances as the sub argument.
    - gh-140797: The undocumented re.Scanner class now forbids regular expressions containing capturing groups in its lexicon patterns. Patterns using capturing groups could previously lead to crashes with segmentation fault. Use non-capturing groups (?:…) instead.
    - gh-125115: Refactor the pdb parsing issue so positional arguments can pass through intuitively.
    - gh-140815: faulthandler now detects if a frame or a code object is invalid or freed. Patch by Victor Stinner.
    - gh-100218: Correctly set errno when socket.if_nametoindex() or socket.if_indextoname() raise an OSError. Patch by Bénédikt Tran.
    - gh-140875: Fix handling of unclosed character references (named and numerical) followed by the end of file in html.parser.HTMLParser with convert_charrefs=False.
    - gh-140734: multiprocessing: fix off-by-one error when checking the length of a temporary socket file path. Patch by Bénédikt Tran.
    - gh-140874: Bump the version of pip bundled in ensurepip to version 25.3
    - gh-140691: In urllib.request, when opening a FTP URL fails because a data connection cannot be made, the control connection’s socket is now closed to avoid a ResourceWarning.
    - gh-103847: Fix hang when cancelling process created by asyncio.create_subprocess_exec() or asyncio.create_subprocess_shell(). Patch by Kumar Aditya.
    - gh-120057: Add os.reload_environ() to os.__all__.
    - gh-140228: Avoid making unnecessary filesystem calls for frozen modules in linecache when the global module cache is not present.
    - gh-140590: Fix arguments checking for the functools.partial.__setstate__() that may lead to internal state corruption and crash. Patch by Sergey Miryanov.
    - gh-125434: Display thread name in faulthandler on Windows. Patch by Victor Stinner.
    - gh-140634: Fix a reference counting bug in os.sched_param.__reduce__().
    - gh-140633: Ignore AttributeError when setting a module’s __file__ attribute when loading an extension module packaged as Apple Framework.
    - gh-140593: xml.parsers.expat: Fix a memory leak that could affect users with ElementDeclHandler() set to a custom element declaration handler. Patch by Sebastian Pipping.
    - gh-140607: Inside io.RawIOBase.read(), validate that the count of bytes returned by io.RawIOBase.readinto() is valid (inside the provided buffer).
    - gh-138162: Fix logging.LoggerAdapter with merge_extra=True and without the extra argument.
    - gh-138774: ast.unparse() now generates full source code when handling ast.Interpolation nodes that do not have a specified source.
    - gh-140474: Fix memory leak in array.array when creating arrays from an empty str and the u type code.
    - gh-137530: dataclasses Fix annotations for generated __init__ methods by replacing the annotations that were in-line in the generated source code with __annotate__ functions attached to the methods.
    - gh-140348: Fix regression in Python 3.14.0 where using the | operator on a typing.Union object combined with an object that is not a type would raise an error.
    - gh-140272: Fix memory leak in the clear() method of the dbm.gnu database.
    - gh-140041: Fix import of ctypes on Android and Cygwin when ABI flags are present.
    - gh-140120: Fixed a memory leak in hmac when it was using the hacl-star backend. Discovered by @ashm-dev using AddressSanitizer.
    - gh-139905: Add suggestion to error message for typing.Generic subclasses when cls.__parameters__ is missing due to a parent class failing to call super().__init_subclass__() in its __init_subclass__.
    - gh-139894: Fix incorrect sharing of current task with the child process while forking in asyncio. Patch by Kumar Aditya.
    - gh-139845: Fix to not print KeyboardInterrupt twice in default asyncio REPL.
    - gh-139783: Fix inspect.getsourcelines() for the case when a decorator is followed by a comment or an empty line.
    - gh-139809: Prevent premature colorization of subparser prog in argparse.ArgumentParser.add_subparsers() to respect color environment variable changes after parser creation.
    - gh-139736: Fix excessive indentation in the default argparse HelpFormatter. Patch by Alexander Edland.
    - gh-70765: http.server: fix default handling of HTTP/0.9 requests in BaseHTTPRequestHandler. Previously, BaseHTTPRequestHandler.parse_request() incorrectly waited for headers in the request although those are not supported in HTTP/0.9. Patch by Bénédikt Tran.
    - gh-63161: Fix tokenize.detect_encoding(). Support non-UTF-8 shebang and comments if non-UTF-8 encoding is specified. Detect decoding error for non-UTF-8 encoding. Detect null bytes in source code.
    - gh-139391: Fix an issue when, on non-Windows platforms, it was not possible to gracefully exit a python -m asyncio process suspended by Ctrl+Z and later resumed by fg other than with kill.
    - gh-101828: Fix 'shift_jisx0213', 'shift_jis_2004', 'euc_jisx0213' and 'euc_jis_2004' codecs truncating null chars as they were treated as part of multi-character sequences.
    - gh-139289: Do a real lazy-import on rlcompleter in pdb and restore the existing completer after importing rlcompleter.
    - gh-139246: fix: paste zero-width in default repl width is wrong.
    - gh-90949: Add SetAllocTrackerActivationThreshold() and SetAllocTrackerMaximumAmplification() to xmlparser objects to prevent use of disproportional amounts of dynamic memory from within an Expat parser. Patch by Bénédikt Tran.
    - gh-139210: Fix use-after-free when reporting unknown event in xml.etree.ElementTree.iterparse(). Patch by Ken Jin.
    - gh-138860: Lazy import rlcompleter in pdb to avoid deadlock in subprocess.
    - gh-112729: Fix crash when calling concurrent.interpreters.create() when the process is out of memory.
    - gh-135729: Fix unraisable exception during finalization when using concurrent.interpreters in the REPL.
    - gh-139076: Fix a bug in the pydoc module that was hiding functions in a Python module if they were implemented in an extension module and the module did not have __all__.
    - gh-139065: Fix trailing space before a wrapped long word if the line length is exactly width in textwrap.
    - gh-139001: Fix race condition in pathlib.Path on the internal _raw_paths field.
    - gh-138813: multiprocessing.BaseProcess defaults kwargs to None instead of a shared dictionary.
    - gh-138993: Dedent credits text.
    - gh-138891: Fix SyntaxError when inspect.get_annotations(f, eval_str=True) is called on a function annotated with a PEP 646 star_expression
    - gh-130567: Fix possible crash in locale.strxfrm() due to a platform bug on macOS.
    - gh-138859: Fix generic type parameterization raising a TypeError when omitting a ParamSpec that has a default which is not a list of types.
    - gh-138764: Prevent annotationlib.call_annotate_function() from calling __annotate__ functions that don’t support VALUE_WITH_FAKE_GLOBALS in a fake globals namespace with empty globals. Make FORWARDREF and STRING annotations fall back to using VALUE annotations in the case that neither their own format, nor VALUE_WITH_FAKE_GLOBALS are supported.
    - gh-138775: Use of python -m with base64 has been fixed to detect input from a terminal so that it properly notices EOF.
    - gh-138779: Support device numbers larger than 2**63-1 for the st_rdev field of the os.stat_result structure.
    - gh-137706: Fix the partial evaluation of annotations that use typing.Annotated[T, x] where T is a forward reference.
    - gh-88375: Fix normalization of the robots.txt rules and URLs in the urllib.robotparser module. No longer ignore trailing ?. Distinguish raw special characters ?, = and & from the percent-encoded ones.
    - gh-111788: Fix parsing errors in the urllib.robotparser module. Don’t fail trying to parse weird paths. Don’t fail trying to decode non-UTF-8 robots.txt files.
    - gh-98896: Fix a failure in multiprocessing resource_tracker when SharedMemory names contain colons. Patch by Rani Pinchuk.
    - gh-138425: Fix partial evaluation of annotationlib.ForwardRef objects which rely on names defined as globals.
    - gh-138432: zoneinfo.reset_tzpath() will now convert any os.PathLike objects it receives into strings before adding them to TZPATH. It will raise TypeError if anything other than a string is found after this conversion. If given an os.PathLike object that represents a relative path, it will now raise ValueError instead of TypeError, and present a more informative error message.
    - gh-138008: Fix segmentation faults in the ctypes module due to invalid argtypes. Patch by Dung Nguyen.
    - gh-60462: Fix locale.strxfrm() on Solaris (and possibly other platforms).
    - gh-138239: The REPL now highlights type as a soft keyword in type statements.
    - gh-138204: Forbid expansion of shared anonymous memory maps on Linux, which caused a bus error.
    - gh-138010: Fix an issue where defining a class with an @warnings.deprecated-decorated base class may not invoke the correct __init_subclass__() method in cases involving multiple inheritance. Patch by Brian Schubert.
    - gh-138151: In annotationlib, improve evaluation of forward references to nonlocal variables that are not yet defined when the annotations are initially evaluated.
    - gh-137317: inspect.signature() now correctly handles classes that use a descriptor on a wrapped __init__() or __new__() method. Contributed by Yongyu Yan.
    - gh-137754: Fix import of the zoneinfo module if the C implementation of the datetime module is not available.
    - gh-137490: Handle ECANCELED in the same way as EINTR in signal.sigwaitinfo() on NetBSD.
    - gh-137477: Fix inspect.getblock(), inspect.getsourcelines() and inspect.getsource() for generator expressions.
    - gh-137044: Return large limit values as positive integers instead of negative integers in resource.getrlimit(). Accept large values and reject negative values (except RLIM_INFINITY) for limits in resource.setrlimit().
    - gh-75989: tarfile.TarFile.extractall() and tarfile.TarFile.extract() now overwrite symlinks when extracting hardlinks. (Contributed by Alexander Enrique Urieles Nieto in gh-75989.)
    - gh-137017: Fix threading.Thread.is_alive to remain True until the underlying OS thread is fully cleaned up. This avoids false negatives in edge cases involving thread monitoring or premature threading.Thread.is_alive calls.
    - gh-137273: Fix debug assertion failure in locale.setlocale() on Windows.
    - gh-137239: heapq: Update heapq.__all__ with *_max functions.
    - gh-81325: tarfile.TarFile now accepts a path-like when working on a tar archive.
      (Contributed by Alexander Enrique Urieles Nieto in gh-81325.)
    - gh-137185: Fix a potential async-signal-safety issue in faulthandler when printing C stack traces.
    - gh-136914: Fix retrieval of doctest.DocTest.lineno for objects decorated with functools.cache() or functools.cached_property.
    - gh-136912: hmac.digest() now properly handles large keys and messages by falling back to the pure Python implementation when necessary. Patch by Bénédikt Tran.
    - gh-83424: Allows creating a ctypes.CDLL without name when passing a handle as an argument.
    - gh-136234: Fix asyncio.WriteTransport.writelines() to be robust to connection failure, by using the same behavior as write().
    - gh-136507: Fix mimetypes CLI to handle multiple file parameters.
    - gh-136057: Fixed the bug in pdb and bdb where next and step can’t go over the line if a loop exists in the line.
    - gh-135386: Fix opening a dbm.sqlite3 database for reading from read-only file or directory.
    - gh-135444: Fix asyncio.DatagramTransport.sendto() to account for datagram header size when data cannot be sent.
    - gh-126631: Fix multiprocessing forkserver bug which prevented __main__ from being preloaded.
    - gh-135307: email: Fix exception in set_content() when encoding text and max_line_length is set to 0 or None (unlimited).
    - gh-134453: Fixed subprocess.Popen.communicate() input= handling of memoryview instances that were non-byte shaped on POSIX platforms. Those are now properly cast to a byte shaped view instead of truncating the input. Windows platforms did not have this bug.
    - gh-134698: Fix a crash when calling methods of ssl.SSLContext or ssl.SSLSocket across multiple threads.
    - gh-125996: Fix thread safety of collections.OrderedDict. Patch by Kumar Aditya.
    - gh-133789: Fix unpickling of pathlib objects that were pickled in Python 3.13.
    - gh-127081: Fix libc thread safety issues with dbm by performing stateful operations in critical sections.
    - gh-132551: Make io.BytesIO safe in free-threaded build.
    - gh-131788: Make ResourceTracker.send from multiprocessing re-entrant safe
    - gh-118981: Fix potential hang in multiprocessing.popen_spawn_posix that can happen when the child proc dies early by closing the child fds right away.
    - gh-102431: Clarify constraints for “logical” arguments in methods of decimal.Context.
    - gh-78319: UTF8 support for the IMAP APPEND command has been made RFC compliant.
    - bpo-38735: Fix failure when importing a module from the root directory on unix-like platforms with sys.pycache_prefix set.
    - bpo-41839: Allow negative priority values from os.sched_get_priority_min() and os.sched_get_priority_max() functions.
  - IDLE
    - gh-96491: Deduplicate version number in IDLE shell title bar after saving to a file.
    - gh-139742: Colorize t-string prefixes for template strings in IDLE, as done for f-string prefixes.
  - Documentation
    - gh-141994: xml.sax.handler: Make Documentation of xml.sax.handler.feature_external_ges warn of opening up to external entity attacks. Patch by Sebastian Pipping.
    - gh-140578: Remove outdated sentence in the documentation for multiprocessing, that implied that concurrent.futures.ThreadPoolExecutor did not exist.
  - Core and Builtins
    - gh-142048: Fix quadratically increasing garbage collection delays in free-threaded build.
    - gh-116738: Fix thread safety issue with re scanner objects in free-threaded builds.
    - gh-141930: When importing a module, use Python’s regular file object to ensure that writes to .pyc files are complete or an appropriate error is raised.
    - gh-120158: Fix inconsistent state when enabling or disabling monitoring events too many times.
    - gh-139653: Only raise a RecursionError or trigger a fatal error if the stack pointer is both below the limit pointer and above the stack base. If outside of these bounds assume that it is OK. This prevents false positives when user-space threads swap stacks.
    - gh-139103: Improve multithreaded scaling of dataclasses on the free-threaded build.
    - gh-141579: Fix sys.activate_stack_trampoline() to properly support the perf_jit backend. Patch by Pablo Galindo.
    - gh-114203: Skip locking if object is already locked by two-mutex critical section.
    - gh-141528: Suggest using concurrent.interpreters.Interpreter.close() instead of the private _interpreters.destroy function when warning about remaining subinterpreters. Patch by Sergey Miryanov.
    - gh-141312: Fix the assertion failure in the __setstate__ method of the range iterator when a non-integer argument is passed. Patch by Sergey Miryanov.
    - gh-116738: Make csv module thread-safe on the free threaded build.
    - gh-140939: Fix memory leak when bytearray or bytes is formatted with the %*b format with a large width that results in a MemoryError.
    - gh-140260: Fix struct data race in endian table initialization with subinterpreters. Patch by Shamil Abdulaev.
    - gh-140530: Fix a reference leak when raise exc from cause fails. Patch by Bénédikt Tran.
    - gh-140373: Correctly emit PY_UNWIND event when generator object is closed. Patch by Mikhail Efimov.
    - gh-140576: Fixed crash in tokenize.generate_tokens() in case of specific incorrect input. Patch by Mikhail Efimov.
    - gh-140551: Fixed crash in dict if dict.clear() is called at the lookup stage. Patch by Mikhail Efimov and Inada Naoki.
    - gh-140517: Fixed a reference leak when iterating over the result of map() with strict=True when the input iterables have different lengths. Patch by Mikhail Efimov.
    - gh-140471: Fix potential buffer overflow in ast.AST node initialization when encountering malformed _fields containing non-str.
    - gh-140431: Fix a crash in Python’s garbage collector due to partially initialized coroutine objects when coroutine origin tracking depth is enabled (sys.set_coroutine_origin_tracking_depth()).
    - gh-140398: Fix memory leaks in readline functions read_init_file(), read_history_file(), write_history_file(), and append_history_file() when PySys_Audit() fails.
    - gh-140406: Fix memory leak when an object’s __hash__() method returns an object that isn’t an int.
    - gh-140358: Restore elapsed time and unreachable object count in GC debug output. These were inadvertently removed during a refactor of gc.c. The debug log now again reports elapsed collection time and the number of unreachable objects. Contributed by Pål Grønås Drange.
    - gh-140306: Fix memory leaks in cross-interpreter channel operations and shared namespace handling.
    - gh-140301: Fix memory leak of PyConfig in subinterpreters.
    - gh-140257: Fix data race between interpreter_clear() and take_gil() on eval_breaker during finalization with daemon threads.
    - gh-139951: Fixes a regression in GC performance for a growing heap composed mostly of small tuples. Counts number of actually tracked objects, instead of trackable objects. This ensures that untracking tuples has the desired effect of reducing GC overhead. Does not track most untrackable tuples during creation. This prevents large numbers of small tuples causing excessive GCs.
    - gh-140104: Fix a bug with exception handling in the JIT. Patch by Ken Jin. Bug reported by Daniel Diniz.
    - gh-140061: Fixing the checking of whether an object is uniquely referenced to ensure free-threaded compatibility. Patch by Sergey Miryanov.
    - gh-140067: Fix memory leak in sub-interpreter creation.
    - gh-140000: Fix potential memory leak when a reference cycle exists between an instance of typing.TypeAliasType, typing.TypeVar, typing.ParamSpec, or typing.TypeVarTuple and its __name__ attribute. Patch by Mikhail Efimov.
    - gh-139914: Restore support for HP PA-RISC, which has an upwards-growing stack.
    - gh-139988: Fix a memory leak when failing to create a Union type. Patch by Bénédikt Tran.
    - gh-139748: Fix reference leaks in error branches of functions accepting path strings or bytes such as compile() and os.system(). Patch by Bénédikt Tran.
    - gh-139516: Fix lambda colon erroneously starting format spec in f-string in tokenizer.
    - gh-139640: ast.parse() no longer emits syntax warnings for return/break/continue in finally (see PEP 765) – they are only emitted during compilation.
    - gh-139640: Fix swallowing some syntax warnings in different modules if they accidentally have the same message and are emitted from the same line. Fix duplicated warnings in the finally block.
    - gh-63161: Support non-UTF-8 shebang and comments in Python source files if non-UTF-8 encoding is specified. Detect decoding error in comments for default (UTF-8) encoding. Show the line and position of decoding error for default encoding in a traceback. Show the line containing the coding cookie when it conflicts with the BOM in a traceback.
    - gh-116738: Make mmap thread-safe on the free threaded build.
    - gh-138558: Fix handling of unusual t-string annotations in annotationlib. Patch by Dave Peck.
    - gh-134466: Don’t run PyREPL in a degraded environment where setting termios attributes is not allowed.
    - gh-138944: Fix SyntaxError message when invalid syntax appears on the same line as a valid import ... as ... or from ... import ... as ... statement. Patch by Brian Schubert.
    - gh-105487: Remove non-existent __copy__(), __deepcopy__(), and __bases__ from the __dir__() entries of types.GenericAlias.
    - gh-69605: Fix some standard library submodules missing from the REPL auto-completion of imports.
    - gh-116738: Make cProfile thread-safe on the free threaded build.
    - gh-138004: On Solaris/Illumos platforms, thread names are now encoded as ASCII to avoid errors on systems (e.g. OpenIndiana) that don’t support non-ASCII names.
    - gh-137433: Fix a potential deadlock in the free threading build when daemon threads enable or disable profiling or tracing while the main thread is shutting down the interpreter.
    - gh-137400: Fix a crash in the free threading build when disabling profiling or tracing across all threads with PyEval_SetProfileAllThreads() or PyEval_SetTraceAllThreads() or their Python equivalents threading.settrace_all_threads() and threading.setprofile_all_threads().
    - gh-58124: Fix name of the Python encoding in Unicode errors of the code page codec: use “cp65000” and “cp65001” instead of “CP_UTF7” and “CP_UTF8” which are not valid Python code names. Patch by Victor Stinner.
    - gh-132657: Improve performance of frozenset by removing locks in the free-threading build.
    - gh-133400: Fixed Ctrl+D (^D) behavior in _pyrepl module to match old pre-3.13 REPL behavior.
    - gh-128640: Fix a crash when using threads inside of a subinterpreter.
  - C API
    - gh-137422: Fix free threading race condition in PyImport_AddModuleRef(). It was previously possible for two calls to the function to return two different objects, only one of which was stored in sys.modules.
    - gh-140042: Removed the sqlite3_shutdown call that could cause closing connections for sqlite when used with multiple sub interpreters.
    - gh-141042: Make qNaN in PyFloat_Pack2() and PyFloat_Pack4(), if while conversion to a narrower precision floating-point format — the remaining after truncation payload will be zero. Patch by Sergey B Kirpichev.
    - gh-140487: Fix Py_RETURN_NOTIMPLEMENTED in limited C API 3.11 and older: don’t treat Py_NotImplemented as immortal. Patch by Victor Stinner.
    - gh-140153: Fix Py_REFCNT() definition on limited C API 3.11-3.13. Patch by Victor Stinner.
    - gh-139653: Add PyUnstable_ThreadState_SetStackProtection() and PyUnstable_ThreadState_ResetStackProtection() functions to set the stack protection base address and stack protection size of a Python thread state. Patch by Victor Stinner.
  - Build
    - gh-141808: Do not generate the jit stencils twice in case of PGO builds on Windows.
    - gh-141784: Fix _remote_debugging_module.c compilation on 32-bit Linux.
      Include Python.h before system headers to make sure that _remote_debugging_module.c uses the same types (ABI) as Python. Patch by Victor Stinner.
    - gh-140768: Warn when the WASI SDK version doesn’t match what’s supported.
    - gh-140513: Generate a clear compilation error when _Py_TAIL_CALL_INTERP is enabled but either preserve_none or musttail is not supported.
    - gh-140189: iOS builds were added to CI.
    - gh-138489: When cross-compiling for WASI by build_wasm or build_emscripten, the build-details.json step is now included in the build process, just like with native builds. This fixes the libinstall task which requires the build-details.json file during the process.
    - gh-137618: PYTHON_FOR_REGEN now requires Python 3.10 to Python 3.15. Patch by Adam Turner.
    - gh-123681: Check the strftime() behavior at runtime instead of at the compile time to support cross-compiling. Remove the internal macro _Py_NORMALIZE_CENTURY.
- Remove upstreamed patches:
  - CVE-2025-6075-expandvars-perf-degrad.patch
  - CVE-2025-8291-consistency-zip64.patch

-------------------------------------------------------------------
Thu Nov 13 17:13:03 UTC 2025 - Matej Cepl

- Add CVE-2025-6075-expandvars-perf-degrad.patch to avoid simple quadratic complexity vulnerabilities of os.path.expandvars() (CVE-2025-6075, bsc#1252974).

-------------------------------------------------------------------
Tue Nov 4 16:44:05 UTC 2025 - Matej Cepl

- Add CVE-2025-8291-consistency-zip64.patch which checks consistency of the zip64 end of central directory record, preventing obfuscation of the payload, i.e., you scan for malicious content in a ZIP file with one ZIP parser (let's say a Rust one), then unpack it in production with another (e.g., the Python one) and get malicious content that the other parser did not see (CVE-2025-8291, bsc#1251305)
- Remove subprocess-raise-timeout.patch, which seems irrelevant now.

-------------------------------------------------------------------
Wed Oct 15 09:22:40 UTC 2025 - Daniel Garcia

- Use sed to remove "--fail-on-warning" config from Makefile instead of the patch gh139257-Support-docutils-0.22.patch

-------------------------------------------------------------------
Thu Oct 9 09:10:23 UTC 2025 - Daniel Garcia

- Fix python314:doc package build with docutils 0.22. Remove the "SPHINXERRORHANDLING = --fail-on-warning" from Doc/Makefile using the gh139257-Support-docutils-0.22.patch.

-------------------------------------------------------------------
Wed Oct 8 08:55:51 UTC 2025 - Matej Cepl

- Summary – Release highlights
  Python 3.14 is the latest stable release of the Python programming language, with a mix of changes to the language, the implementation, and the standard library. The biggest changes include template string literals, deferred evaluation of annotations, and support for subinterpreters in the standard library. The library changes include significantly improved capabilities for introspection in asyncio, support for Zstandard via a new compression.zstd module, syntax highlighting in the REPL, as well as the usual deprecations and removals, and improvements in user-friendliness and correctness.
- Interpreter improvements: - PEP 649 and PEP 749: Deferred evaluation of annotations - PEP 734: Multiple interpreters in the standard library - PEP 750: Template strings - PEP 758: Allow except and except* expressions without brackets - PEP 765: Control flow in finally blocks - PEP 768: Safe external debugger interface for CPython - A new type of interpreter - Free-threaded mode improvements - Improved error messages - Incremental garbage collection - Significant improvements in the standard library: - PEP 784: Zstandard support in the standard library - Asyncio introspection capabilities - Concurrent safe warnings control - Syntax highlighting in the default interactive shell, and color output in several standard library CLIs - C API improvements: - PEP 741: Python configuration C API - Platform support: - PEP 776: Emscripten is now an officially supported platform, at tier 3. - Release changes: - PEP 779: Free-threaded Python is officially supported - PEP 761: PGP signatures have been discontinued for official releases - Windows and macOS binary releases now support the experimental just-in-time compiler - Binary releases for Android are now provided ------------------------------------------------------------------- Wed Oct 1 05:31:47 UTC 2025 - Daniel Garcia - Add _zstd to the built package and libzstd as BuildRequires, boo#1250659 ------------------------------------------------------------------- Mon Sep 29 06:52:07 UTC 2025 - Daniel Garcia - Add gh139257-Support-docutils-0.22.patch to fix build with latest docutils (>=0.22) gh#python/cpython#139257 ------------------------------------------------------------------- Thu Sep 18 16:17:21 UTC 2025 - Matej Cepl - Update to 3.14.0~rc3: - Tools/Demos - gh-137873: The iOS test runner has been simplified, resolving some issues that have been observed using the runner in GitHub Actions and Azure Pipelines test environments. 
- Security - gh-135661: Fix CDATA section parsing in html.parser.HTMLParser according to the HTML5 standard: ] ]> and ]] > no longer end the CDATA section. Add private method _set_support_cdata() which can be used to specify how to parse <[CDATA[ — as a CDATA section in foreign content (SVG or MathML) or as a bogus comment in the HTML namespace. - Library - gh-138998: Update bundled libexpat to 2.7.2 - gh-118803: Add back collections.abc.ByteString and typing.ByteString. Both had been removed in prior alpha, beta and release candidates for Python 3.14, but their removal has now been postponed to Python 3.17. - gh-137226: Fix typing.get_type_hints() calls on generic typing.TypedDict classes defined with string annotations. - gh-138804: Raise TypeError instead of AttributeError when an argument of incorrect type is passed to shlex.quote(). This restores the behavior of the function prior to 3.14. - gh-128636: Fix crash in PyREPL when os.environ is overwritten with an invalid value for mac - gh-138514: Raise ValueError when a multi-character string is passed to the echo_char parameter of getpass.getpass(). Patch by Benjamin Johnson. - gh-138515: email is added to Emscripten build. - gh-99948: ctypes.util.find_library() now works in Emscripten build. - gh-138253: Add the block parameter in the put() and get() methods of the concurrent.interpreters queues for compatibility with the queue.Queue interface. - gh-138133: Prevent infinite traceback loop when sending CTRL^C to Python through strace. - gh-134869: Fix an issue where pressing Ctrl+C during tab completion in the REPL would leave the autocompletion menu in a corrupted state. - gh-90548: Fix musl detection for platform.libc_ver() on Alpine Linux if compiled with --strip-all. - gh-136134: SMTP.auth_cram_md5() now raises an SMTPException instead of a ValueError if Python has been built without MD5 support. 
In particular, SMTP clients will not attempt to use this method even if the remote server is assumed to support it. Patch by Bénédikt Tran. - gh-136134: IMAP4.login_cram_md5 now raises an IMAP4.error if CRAM-MD5 authentication is not supported. Patch by Bénédikt Tran. - gh-134953: Expand _colorize theme with keyword_constant and implement in repl. - Core and Builtins - gh-71810: Raise OverflowError for (-1).to_bytes() for signed conversions when bytes count is zero. Patch by Sergey B Kirpichev. - gh-138192: Fix contextvars initialization so that all subinterpreters are assigned the MISSING value. - gh-138479: Fix a crash when a generic object’s __typing_subst__ returns an object that isn’t a tuple. - gh-138372: Fix SyntaxWarning emitted for erroneous subscript expressions involving template string literals. Patch by Brian Schubert. - gh-138318: The default REPL now avoids highlighting built-in names (for instance set or format()) when they are used as attribute names (for instance in value.set or text.format). - gh-138349: Fix crash in certain cases where a module contains both a module-level annotation and a comprehension. - gh-137384: Fix a crash when using the warnings module in a finalizer at shutdown. Patch by Kumar Aditya. - gh-137883: Fix runaway recursion when calling a function with keyword arguments. - gh-137079: Fix keyword typo recognition when parsing files. Patch by Pablo Galindo. - gh-137728: Fix the JIT’s handling of many local variables. This previously caused a segfault. - gh-137576: Fix for incorrect source code being shown in tracebacks from the Basic REPL when PYTHONSTARTUP is given. Patch by Adam Hartz. ------------------------------------------------------------------- Fri Sep 12 07:46:55 UTC 2025 - Daniel Garcia - Add gh138131-exclude-pycache-from-digest.patch fixing reproducible build for python-nogil. 
(bsc#1244680, gh#python/cpython#138131) ------------------------------------------------------------------- Tue Sep 9 07:48:08 UTC 2025 - Dirk Müller - fix import_failed.map for python 3.14 ------------------------------------------------------------------- Fri Sep 5 06:47:57 UTC 2025 - Daniel Garcia - Move compression folder to python-base where it should be. This module is used internally in gzip.py. ------------------------------------------------------------------- Fri Aug 15 14:12:35 UTC 2025 - Matej Cepl - Update to 3.14.0~rc2: - Library - gh-137426: Remove the code deprecation of importlib.abc.ResourceLoader. It is documented as deprecated, but left for backwards compatibility with other classes in importlib.abc. - gh-137282: Fix tab completion and dir() on concurrent.futures. - gh-137257: Bump the version of pip bundled in ensurepip to version 25.2 - gh-137226: Fix behavior of annotationlib.ForwardRef.evaluate() when the type_params parameter is passed and the name of a type param is also present in an enclosing scope. - gh-130522: Fix unraisable TypeError raised during interpreter shutdown in the threading module. - gh-137059: Fix handling of file URLs with a Windows drive letter in the URL authority by urllib.request.url2pathname(). This fixes a regression in earlier pre-releases of Python 3.14. - gh-130577: tarfile now validates archives to ensure member offsets are non-negative. (Contributed by Alexander Enrique Urieles Nieto in gh-130577; CVE-2025-8194, bsc#1247249). - gh-135228: When dataclasses replaces a class with a slotted dataclass, the original class can now be garbage collected again. Earlier changes in Python 3.14 caused this class to always remain in existence together with the replacement class synthesized by dataclasses. - Documentation - gh-136155: We are now checking for fatal errors in EPUB builds in CI. 
- Core and Builtins - gh-137400: Fix a crash in the free threading build when disabling profiling or tracing across all threads with PyEval_SetProfileAllThreads() or PyEval_SetTraceAllThreads() or their Python equivalents threading.settrace_all_threads() and threading.setprofile_all_threads(). - gh-137314: Fixed a regression where raw f-strings incorrectly interpreted escape sequences in format specifications. Raw f-strings now properly preserve literal backslashes in format specs, matching the behavior from Python 3.11. For example, rf"{obj:\xFF}" now correctly produces '\\xFF' instead of 'ÿ'. Patch by Pablo Galindo. - gh-137308: A standalone docstring in a node body is optimized as a pass statement to ensure that the node’s body is never empty. There was a ValueError in compile() otherwise. - gh-137288: Fix bug where some bytecode instructions of a boolean expression are not associated with the correct exception handler. - gh-134291: Remove some newer macOS API usage from the JIT compiler in order to restore compatibility with older OSX 10.15 deployment targets. - gh-131338: Disable computed stack limit checks on non-glibc linux platforms to fix crashes on deep recursion. - gh-136870: Fix data races while de-instrumenting bytecode of code objects running concurrently in threads. - C API - gh-137573: Mark _PyOptimizer_Optimize as Py_NO_INLINE to prevent stack overflow crashes on macOS. - Build - gh-132339: Add support for OpenSSL 3.5. - Replaces upstreamed patches: - CVE-2025-8194-tarfile-no-neg-offsets.patch ------------------------------------------------------------------- Fri Aug 1 20:09:24 UTC 2025 - Matej Cepl - Add CVE-2025-8194-tarfile-no-neg-offsets.patch which now validates archives to ensure member offsets are non-negative (gh#python/cpython#130577, CVE-2025-8194, bsc#1247249). 
------------------------------------------------------------------- Wed Jul 23 08:05:20 UTC 2025 - Matej Cepl - Update to 3.14.0~rc1: - Tools/Demos - gh-136251: Fixes and usability improvements for Tools/wasm/emscripten/web_example - Security - gh-135661: Fix parsing attributes with whitespaces around the = separator in html.parser.HTMLParser according to the HTML5 standard. - gh-118350: Fix support of escapable raw text mode (elements “textarea” and “title”) in html.parser.HTMLParser. - Library - gh-136170: Removed the unreleased zipfile.ZipFile.data_offset property added in 3.14.0a7 as it wasn’t fully clear which behavior it should have in some situations so the result was not always what a user might expect. - gh-124621: pyrepl now works in Emscripten. - gh-136874: Discard URL query and fragment in urllib.request.url2pathname(). - gh-130645: Enable color help by default in argparse. - gh-136549: Fix signature of threading.excepthook(). - gh-136523: Fix wave.Wave_write emitting an unraisable when open raises. - gh-52876: Add missing keepends (default True) parameter to codecs.StreamReaderWriter.readline() and codecs.StreamReaderWriter.readlines(). - gh-136470: Correct concurrent.futures.InterpreterPoolExecutor’s default thread name. - gh-136476: Fix a bug that was causing the get_async_stack_trace function to miss some frames in the stack trace. - gh-136434: Fix docs generation of UnboundItem in concurrent.interpreters when running with -OO. - gh-136380: Raises AttributeError when accessing concurrent.futures.InterpreterPoolExecutor and subinterpreters are not available. - gh-134759: Fix UnboundLocalError in email.message.Message.get_payload() when the payload to decode is a bytes object. Patch by Kliment Lamonov. - gh-134657: asyncio: Remove some private names from asyncio.__all__. - Core and Builtins - gh-136801: Fix PyREPL syntax highlighting on match cases after multi-line case. Contributed by Olga Matoula. 
- gh-136421: Fix crash when initializing datetime concurrently. - gh-136541: Fix some issues with the perf trampolines on x86-64 and aarch64. The trampolines were not being generated correctly for some cases, which could lead to the perf integration not working correctly. Patch by Pablo Galindo. - gh-136517: Fixed a typo that prevented printing of uncollectable objects when the gc.DEBUG_UNCOLLECTABLE mode was set. - gh-136525: Fix issue where per-thread bytecode was not instrumented for newly created threads. - gh-132661: Interpolation.expression now has a default, the empty string. - gh-132661: Reflect recent PEP 750 change. - Disallow concatenation of string.templatelib.Template and str. Also, disallow implicit concatenation of t-string literals with string or f-string literals. - gh-116738: Make functions in grp thread-safe on the free threaded build. - gh-135148: Fixed a bug where f-string debug expressions (using =) would incorrectly strip out parts of strings containing escaped quotes and # characters. Patch by Pablo Galindo. - gh-133136: Limit excess memory usage in the free threading build when a large dictionary or list is resized and accessed by multiple threads. - gh-91153: Fix a crash when a bytearray is concurrently mutated during item assignment. - gh-127971: Fix off-by-one read beyond the end of a string in string search. - C API - gh-112068: Revert support of nullable arguments in PyArg_Parse(). - gh-133296: New variants for the critical section API that accept one or two PyMutex pointers rather than PyObject instances are now public in the non-limited C API. - gh-134009: Expose PyMutex_IsLocked() as part of the public C API. - Build - gh-135621: PyREPL no longer depends on the curses standard library. Contributed by Łukasz Langa. 
------------------------------------------------------------------- Thu Jul 10 10:17:47 UTC 2025 - Daniel Garcia - Fix gil/nogil package description, bsc#1246229 ------------------------------------------------------------------- Wed Jul 9 05:50:32 UTC 2025 - Matej Cepl - Update to 3.14.0~b4: - Tools/Demos - gh-135968: Stubs for strip are now provided as part of an iOS install. - gh-133600: Backport file reorganization for Tools/wasm/wasi This should make backporting future code changes easier. It also simplifies instructions around how to do WASI builds in the devguide. - Tests - gh-135966: The iOS testbed now handles the app_packages folder as a site directory. - gh-135494: Fix regrtest to support excluding tests from --pgo tests. Patch by Victor Stinner. - Security - gh-136053: marshal: fix a possible crash when deserializing slice objects. - gh-135661: Fix parsing start and end tags in html.parser.HTMLParser according to the HTML5 standard. - Whitespaces no longer accepted between does not end the script section. - Vertical tabulation (\v) and non-ASCII whitespaces no longer recognized as whitespaces. The only whitespaces are \t\n\r\f and space. - Null character (U+0000) no longer ends the tag name. - Attributes and slashes after the tag name in end tags are now ignored, instead of terminating after the first > in quoted attribute value. E.g. . - Multiple slashes and whitespaces between the last attribute and closing > are now ignored in both start and end tags. E.g. . - Multiple = between attribute name and value are no longer collapsed. E.g. produces attribute “foo” with value “=bar”. - Whitespaces between the = separator and attribute name or value are no longer ignored. E.g. produces two attributes “foo” and “=bar”, both with value None; produces two attributes: “foo” with value “” and “bar” with value None. - gh-102555: Fix comment parsing in html.parser.HTMLParser according to the HTML5 standard. --!> now ends the comment. -- > no longer ends the comment. 
Support abnormally ended empty comments <--> and <--->. - Library - gh-136286: Fix pickling failures for protocols 0 and 1 for many objects related to subinterpreters. - gh-136316: Improve support for evaluating nested forward references in typing.evaluate_forward_ref(). - gh-85702: If zoneinfo._common.load_tzdata is given a package without a resource a zoneinfo.ZoneInfoNotFoundError is raised rather than a PermissionError. Patch by Victor Stinner. - gh-136028: Fix parsing month names containing “İ” (U+0130, LATIN CAPITAL LETTER I WITH DOT ABOVE) in time.strptime(). This affects locales az_AZ, ber_DZ, ber_MA and crh_UA. - gh-135995: In the palmos encoding, make byte 0x9b decode to › (U+203A - SINGLE RIGHT-POINTING ANGLE QUOTATION MARK). - gh-53203: Fix time.strptime() for %c and %x formats on locales byn_ER, wal_ET and lzh_TW, and for %X format on locales ar_SA, bg_BG and lzh_TW. - gh-91555: An earlier change, which was introduced in 3.14.0b2, has been reverted. It disabled logging for a logger during handling of log messages for that logger. Since the reversion, the behaviour should be as it was before 3.14.0b2. - gh-135878: Fixes a crash of types.SimpleNamespace on free threading builds, when several threads were calling its __repr__() method at the same time. - gh-135836: Fix IndexError in asyncio.loop.create_connection() that could occur when non-OSError exception is raised during connection and socket’s close() raises OSError. - gh-135836: Fix IndexError in asyncio.loop.create_connection() that could occur when the Happy Eyeballs algorithm resulted in an empty exceptions list during connection attempts. - gh-135855: Raise TypeError instead of SystemError when _interpreters.set___main___attrs() is passed a non-dict object. Patch by Brian Schubert. - gh-135815: netrc: skip security checks if os.getuid() is missing. Patch by Bénédikt Tran. 
- gh-135640: Address bug where it was possible to call xml.etree.ElementTree.ElementTree.write() on an ElementTree object with an invalid root element. This behavior blanked the file passed to write if it already existed. - gh-135645: Added supports_isolated_interpreters field to sys.implementation. - gh-135646: Raise consistent NameError exceptions in annotationlib.ForwardRef.evaluate() - gh-135557: Fix races on heapq updates and list reads on the free threaded build. - gh-119180: Only fetch globals and locals if necessary in annotationlib.get_annotations() - gh-135561: Fix a crash on DEBUG builds when an HACL* HMAC routine fails. Patch by Bénédikt Tran. - gh-135487: Fix reprlib.Repr.repr_int() when given integers with more than sys.get_int_max_str_digits() digits. Patch by Bénédikt Tran. - gh-135335: multiprocessing: Flush stdout and stderr after preloading modules in the forkserver. - gh-135069: Fix the “Invalid error handling” exception in encodings.idna.IncrementalDecoder to correctly replace the ‘errors’ parameter. - gh-130662: Accept leading zeros in precision and width fields for Decimal formatting, for example format(Decimal(1.25), '.016f'). - gh-130662: Accept leading zeros in precision and width fields for Fraction formatting, for example format(Fraction(1, 3), '.016f'). - gh-87790: Support underscore and comma as thousands separators in the fractional part for Fraction’s formatting. Patch by Sergey B Kirpichev. - gh-87790: Support underscore and comma as thousands separators in the fractional part for Decimal’s formatting. Patch by Sergey B Kirpichev. - gh-130664: Handle corner-case for Fraction’s formatting: treat zero-padding (preceding the width field by a zero ('0') character) as an equivalent to a fill character of '0' with an alignment type of '=', just as in case of float’s. - Documentation - gh-136155: EPUB builds are fixed by excluding non-XHTML-compatible tags. 
- Core and Builtins - gh-109700: Fix memory error handling in PyDict_SetDefault(). - gh-78465: Fix error message for cls.__new__(cls, ...) where cls is not instantiable builtin or extension type (with tp_new set to NULL). - gh-129958: Differentiate between t-strings and f-strings in syntax error for newlines in format specifiers of single-quoted interpolated strings. - gh-135871: Non-blocking mutex lock attempts now return immediately when the lock is busy instead of briefly spinning in the free threading build. - gh-135106: Restrict the trashcan mechanism to GC’ed objects and untrack them while in the trashcan to prevent the GC and trashcan mechanisms conflicting. - gh-135607: Fix potential weakref races in an object’s destructor on the free threaded build. - gh-135608: Fix a crash in the JIT involving attributes of modules. - gh-135543: Emit sys.remote_exec audit event when sys.remote_exec() is called and migrate remote_debugger_script to cpython.remote_debugger_script. - gh-134280: Disable constant folding for ~ with a boolean argument. This moves the deprecation warning from compile time to runtime. - C API - gh-135906: Fix compilation errors when compiling the internal headers with a C++ compiler. - Build - gh-134273: Add support for configuring compiler flags for the JIT with CFLAGS_JIT ------------------------------------------------------------------- Wed Jul 2 13:14:28 UTC 2025 - Matej Cepl - Add bsc1243155-sphinx-non-determinism.patch (bsc#1243155) to generate ids for audit_events using docname (reproducible builds). ------------------------------------------------------------------- Tue Jul 1 08:24:53 UTC 2025 - Daniel Garcia - Use one core to build doc. This will make sphinx doc build reproducible. bsc#1243155 ------------------------------------------------------------------- Sat Jun 21 22:30:08 UTC 2025 - Matej Cepl - Update to 3.14.0~b3: - Tests - gh-132815: Fix test__opcode: add JUMP_BACKWARD to specialization stats. 
- gh-135489: Show verbose output for failing tests during PGO profiling step with --enable-optimizations. - gh-135120: Add test.support.subTests(). - Security - gh-135462: Fix quadratic complexity in processing specially crafted input in html.parser.HTMLParser. End-of-file errors are now handled according to the HTML5 specs – comments and declarations are automatically closed, tags are ignored (bsc#1244705, CVE-2025-6069). - gh-135034: Fixes multiple issues that allowed tarfile extraction filters (filter="data" and filter="tar") to be bypassed using crafted symlinks and hard links. Addresses CVE-2024-12718, CVE-2025-4138, CVE-2025-4330, and CVE-2025-4517. Also addresses CVE-2025-4435 (gh#135034, bsc#1244061). - Library - gh-65697: configparser’s error message when attempting to write an invalid key is now more helpful. - gh-135497: Fix os.getlogin() failing for longer usernames on BSD-based platforms. - gh-135429: Fix the argument mismatch in _lsprof for PY_THROW event. - gh-135368: Fix unittest.mock.Mock generation on dataclasses.dataclass() objects. Now all special attributes are set as it was before gh-124429. - gh-133967: Do not normalize locale name ‘C.UTF-8’ to ‘en_US.UTF-8’. - gh-135321: Raise a correct exception for values greater than 0x7fffffff for the BINSTRING opcode in the C implementation of pickle. - gh-135276: Backported bugfixes in zipfile.Path from zipp 3.23. Fixed .name, .stem and other basename-based properties on Windows when working with a zipfile on disk. - gh-135244: uuid: when the MAC address cannot be determined, the 48-bit node ID is now generated with a cryptographically-secure pseudo-random number generator (CSPRNG) as per RFC 9562, §6.10.3. This affects uuid1() and uuid6(). - gh-134970: Fix the “unknown action” exception in argparse.ArgumentParser.add_argument_group() to correctly replace the action class. - gh-134718: ast.dump() now only omits None and [] values if they are default values. 
- gh-134939: Add the concurrent.interpreters module. See PEP 734. - gh-134885: Fix possible crash in the compression.zstd module related to setting parameter types. Patch by Jelle Zijlstra. - gh-134857: Improve error report for doctests run with unittest. Remove doctest module frames from tracebacks and redundant newline character from a failure message. - gh-128840: Fix parsing long IPv6 addresses with embedded IPv4 address. - gh-134637: Fix performance regression in calling a ctypes function pointer in free threading. - gh-134696: Built-in HACL* and OpenSSL implementations of hash function constructors now correctly accept the same documented named arguments. For instance, md5() could be previously invoked as md5(data=data) or md5(string=string) depending on the underlying implementation but these calls were not compatible. Patch by Bénédikt Tran. - gh-134151: email: Fix TypeError in email.utils.decode_params() when sorting RFC 2231 continuations that contain an unnumbered section. - gh-134210: curses.window.getch() now correctly handles signals. Patch by Bénédikt Tran. - gh-134152: email: Fix parsing of email message ID with invalid domain. - gh-133489: random.getrandbits() can now generate more than 2**31 bits. random.randbytes() can now generate more than 256 MiB. - gh-132813: Improve error messages for incorrect types and values of csv.Dialect attributes. - gh-132969: Prevent the ProcessPoolExecutor executor thread, which remains running when shutdown(wait=False), from attempting to adjust the pool’s worker processes after the object state has already been reset during shutdown. A combination of conditions, including a worker process having terminated abnormally, resulted in an exception and a potential hang when the still-running executor thread attempted to replace dead workers within the pool. - gh-127081: Fix libc thread safety issues with os by replacing getlogin with getlogin_r re-entrant version. 
- gh-131884: Fix formatting issues in json.dump() when both indent and skipkeys are used. - gh-130999: Avoid exiting the new REPL and offer suggestions even if there are non-string candidates when errors occur. - Documentation - gh-135171: Document that the iterator for the leftmost for clause in the generator expression is created immediately. - bpo-45210: Document that error indicator may be set in tp_dealloc, and how to avoid clobbering it. - Core and Builtins - gh-135496: Fix typo in the f-string conversion type error (“exclamanation” -> “exclamation”). - gh-135371: Fixed asyncio debugging tools to properly display internal coroutine call stacks alongside external task dependencies. The python -m asyncio ps and python -m asyncio pstree commands now show complete execution context. Patch by Pablo Galindo. - gh-127319: Set the allow_reuse_port class variable to False on the XMLRPC, logging, and HTTP servers. This matches the behavior in prior Python releases, which is to not allow port reuse. - gh-135171: Reverts the behavior of async generator expressions when created with object w/o __aiter__ method to the pre-3.13 behavior of raising a TypeError. - gh-130077: Properly raise custom syntax errors when incorrect syntax containing names that are prefixes of soft keywords is encountered. Patch by Pablo Galindo. - gh-135171: Reverts the behavior of generator expressions when created with a non-iterable to the pre-3.13 behavior of raising a TypeError. It is no longer possible to cause a crash in the debugger by altering the generator expression’s local variables. This is achieved by moving the GET_ITER instruction back to the creation of the generator expression and adding an additional check to FOR_ITER. - gh-116738: Make methods in heapq thread-safe on the free threaded build. - gh-134876: Add support to PEP 768 remote debugging for Linux kernels which don’t have CONFIG_CROSS_MEMORY_ATTACH configured. 
- gh-134889: Fix handling of a few opcodes that leave operands on the stack when optimizing LOAD_FAST. - gh-134908: Fix crash when iterating over lines in a text file on the free threaded build. - gh-132617: Fix dict.update() modification check that could incorrectly raise a “dict mutated during update” error when a different dictionary was modified that happens to share the same underlying keys object. - gh-134679: Fix crash in the free threading build’s QSBR code that could occur when changing an object’s __dict__ attribute. - gh-127682: No longer call __iter__ twice in list comprehensions. This brings the behavior of list comprehensions in line with other forms of iteration - gh-133912: Fix the C API function PyObject_GenericSetDict to handle extension classes with inline values. - C API - gh-134989: Fix Py_RETURN_NONE, Py_RETURN_TRUE and Py_RETURN_FALSE macros in the limited C API 3.11 and older: don’t treat Py_None, Py_True and Py_False as immortal. Patch by Victor Stinner. - gh-134989: Implement PyObject_DelAttr() and PyObject_DelAttrString() as macros in the limited C API 3.12 and older. Patch by Victor Stinner. - gh-133968: Add PyUnicodeWriter_WriteASCII() function to write an ASCII string into a PyUnicodeWriter. The function is faster than PyUnicodeWriter_WriteUTF8(), but has an undefined behavior if the input string contains non-ASCII characters. Patch by Victor Stinner. - Build - gh-119132: Remove “experimental” tag from the CPython free-threading build. - gh-135497: Fix the detection of MAXLOGNAME in the configure.ac script. - gh-134923: Windows builds with profile-guided optimization enabled now use /GENPROFILE and /USEPROFILE instead of deprecated /LTCG: options. - gh-134774: Fix Py_DEBUG macro redefinition warnings on Windows debug builds. Patch by Chris Eibl. 
- gh-134632: Fixed build-details.json generation to use INCLUDEPY, in order to reference the pythonX.Y subdirectory of the include directory, as required in PEP 739, instead of the top-level include directory. ------------------------------------------------------------------- Thu May 29 11:42:15 UTC 2025 - Matej Cepl - Update to 3.14.0~b2: - Tools/Demos - gh-134215: REPL import autocomplete only suggests private modules when explicitly specified. - Tests - gh-133744: Fix multiprocessing interrupt test. Add an event to synchronize the parent process with the child process: wait until the child process starts sleeping. Patch by Victor Stinner. - gh-133682: Fixed test case test.test_annotationlib.TestStringFormat.test_displays which ensures proper handling of complex data structures (lists, sets, dictionaries, and tuples) in string annotations. - gh-133639: Fix TestPyReplAutoindent.test_auto_indent_default() doesn’t run input_code. - Security - gh-133767: Fix use-after-free in the “unicode-escape” decoder with a non-“strict” error handler (CVE-2025-4516 bsc#1243273). - gh-128840: Short-circuit the processing of long IPv6 addresses early in ipaddress to prevent excessive memory consumption and a minor denial-of-service. - Library - gh-132710: If possible, ensure that uuid.getnode() returns the same result even across different processes. Previously, the result was constant only within the same process. Patch by Bénédikt Tran. - gh-80334: multiprocessing.freeze_support() now checks for work on any “spawn” start method platform rather than only on Windows. - gh-134582: Fix tokenize.untokenize() round-trip errors related to t-strings braces escaping - gh-134546: Ensure pdb remote debugging script is readable by remote Python process. - gh-134451: Converted asyncio.tools.CycleFoundException from dataclass to a regular exception type. - gh-114177: Fix asyncio to not close subprocess pipes which would otherwise error out when the event loop is already closed. 
- gh-90871: Fixed an off by one error concerning the backlog parameter in create_unix_server(). Contributed by Christian Harries. - gh-134323: Fix the threading.RLock.locked() method. - gh-86802: Fixed asyncio memory leak in cancelled shield tasks. For shielded tasks where the shield was cancelled, log potential exceptions through the exception handler. Contributed by Christian Harries. - gh-134209: curses: The curses.window.instr() and curses.window.getstr() methods now allocate their internal buffer on the heap instead of the stack; in addition, the max buffer size is increased from 1023 to 2047. - gh-134235: Updated tab completion on REPL to include builtin modules. Contributed by Tom Wang, Hunter Young - gh-134152: Fixed UnboundLocalError that could occur during email header parsing if an expected trailing delimiter is missing in some contexts. - gh-134168: http.server: Fix IPv6 address binding and --directory handling when using HTTPS. - gh-62184: Remove import of C implementation of io.FileIO from Python implementation which has its own implementation - gh-133982: Emit RuntimeWarning in the Python implementation of io when the file-like object is not closed explicitly in the presence of multiple I/O layers. - gh-133890: The tarfile module now handles UnicodeEncodeError in the same way as OSError when cannot extract a member. - gh-134097: Fix interaction of the new REPL and -X showrefcount command line option. - gh-133889: The generated directory listing page in http.server.SimpleHTTPRequestHandler now only shows the decoded path component of the requested URL, and not the query and fragment. - gh-134098: Fix handling paths that end with a percent-encoded slash (%2f or %2F) in http.server.SimpleHTTPRequestHandler. 
    - gh-132124: On POSIX-compliant systems, multiprocessing.util.get_temp_dir() now ignores TMPDIR (and similar environment variables) if the path length of AF_UNIX socket files exceeds the platform-specific maximum length when using the forkserver start method. Patch by Bénédikt Tran.
    - gh-134062: ipaddress: fix collisions in __hash__() for IPv4Network and IPv6Network objects.
    - gh-133970: Make string.templatelib.Template and string.templatelib.Interpolation generic.
    - gh-71253: Raise ValueError in open() if opener returns a negative file descriptor in the Python implementation of io to match the C implementation.
    - gh-133960: Simplify and improve typing.evaluate_forward_ref(). It no longer raises errors on certain invalid types. In several situations, it is now able to evaluate forward references that were previously unsupported.
    - gh-133925: Make the private class typing._UnionGenericAlias hashable.
    - gh-133653: Fix argparse.ArgumentParser with the formatter_class argument. Fix TypeError when formatter_class is a custom subclass of HelpFormatter. Fix TypeError when formatter_class is not a subclass of HelpFormatter and non-standard prefix_char is used. Fix support of colorizing when formatter_class is not a subclass of HelpFormatter.
    - gh-132641: Fixed a race in functools.lru_cache() under free-threading.
    - gh-133783: Fix bug with applying copy.replace() to ast objects. Attributes that default to None were incorrectly treated as required for manually created AST nodes.
    - gh-133684: Fix bug where annotationlib.get_annotations() would return the wrong result for certain classes that are part of a class hierarchy where from __future__ import annotations is used.
    - gh-77057: Fix handling of invalid markup declarations in html.parser.HTMLParser.
    - gh-130328: Speed up pasting in PyREPL on Windows in a legacy console. Patch by Chris Eibl.
    - gh-133701: Fix bug where typing.TypedDict classes defined under from __future__ import annotations and inheriting from another TypedDict had an incorrect __annotations__ attribute.
    - gh-133581: Improve unparsing of t-strings in ast.unparse() and from __future__ import annotations. Empty t-strings now round-trip correctly and formatting in interpolations is preserved. Patch by Jelle Zijlstra.
    - gh-133551: Support t-strings (PEP 750) in annotationlib. Patch by Jelle Zijlstra.
    - gh-133439: Fix dot commands with trailing spaces being mistaken for multi-line SQL statements in the sqlite3 command-line interface.
    - gh-132493: Avoid accessing __annotations__ unnecessarily in inspect.signature().
    - gh-132876: ldexp() on Windows doesn’t round subnormal results before Windows 11, but should. Python’s math.ldexp() wrapper now does round them, so results may change slightly, in rare cases of very small results, on Windows versions before 11.
    - gh-133009: xml.etree.ElementTree: Fix a crash in Element.__deepcopy__ when the element is concurrently mutated. Patch by Bénédikt Tran.
    - gh-91555: Ignore log messages generated during handling of log messages, to avoid deadlock or infinite recursion.
    - gh-125028: functools.Placeholder cannot be passed to functools.partial() as a keyword argument.
    - gh-62824: Fix aliases for iso8859_8 encoding. Patch by Dave Goncalves.
    - gh-86155: html.parser.HTMLParser.close() no longer loses data when the