forked from pool/python314
factory
- Security
- gh-151159: Update Android and iOS installers to use OpenSSL
3.5.7.
- gh-150599: Fix a possible stack buffer overflow in bz2 when
a bz2.BZ2Decompressor is reused after a decompression
error. The decompressor now becomes unusable after libbz2
reports an error.
- gh-149835: shutil.move() now resolves symlinks via
os.path.realpath() when checking whether the destination is
inside the source directory, preventing a symlink-based
bypass of that guard.
- gh-149698: Update bundled libexpat to version 2.8.1 for the
fix for CVE-2026-45186.
- gh-87451: The ftplib module’s undocumented ftpcp function
no longer trusts the IPv4 address value returned from the
source server in response to the PASV command by default,
completing the fix for CVE-2021-4189. As with ftplib.FTP,
the former behavior can be re-enabled by setting the
trust_server_pasv_ipv4_address attribute on the source
ftplib.FTP instance to True. Thanks to Qi Deng at Aurascape
AI for the report.
- gh-149486: tarfile.data_filter() now validates link targets
using the same normalised value that is written to disk,
strips trailing separators from the member name when
resolving a symlink’s directory, and rejects link members
that would replace the destination directory itself. This
closes several path-traversal bypasses of the data
extraction filter.
- gh-149079: Fix a potential denial of service in
unicodedata.normalize(). The canonical ordering step of
Unicode normalization used a quadratic-time insertion sort
for reordering combining characters, which could be
exploited with crafted input containing many combining
characters in non-canonical order. Replaced with
a linear-time counting sort for long runs.
- gh-149018: Improved protection against XML hash-flooding
attacks in xml.parsers.expat and xml.etree.ElementTree when
Python is compiled with libExpat 2.8.0 or later.
- Core and Builtins
- gh-151112: Fix a crash in the compiler that could occur
when running out of memory.
- gh-151126: Fix a crash, when there’s no memory left on
a device, which happened in code compilation and
_winapi.CreateProcess(). Now these places raise proper
MemoryError errors.
- gh-150700: Fix a SystemError when compiling a class-scope
comprehension containing a lambda that references
__class__, __classdict__, or __conditional_annotations__.
Patch by Bartosz Sławecki.
- gh-150633: Fix the frozen importer accepting module names
with embedded null bytes, which caused it to bypass the
sys.modules cache and create duplicate module objects.
- gh-148613: Fix a data race in the free-threaded build
between gc.set_threshold() and garbage collection
scheduling during object allocation.
- gh-149156: Fix an intermittent crash after os.fork() when
perf trampoline profiling is enabled and the child returns
through trampoline frames inherited from the parent
process.
- gh-149449: Fix a use-after-free crash when the unicodedata
module was removed from sys.modules and garbage-collected
between calls that decode \N{...} escapes or use the
namereplace codec error handler.
- gh-150207: Fix a crash when a memory allocation fails
during tokenizer initialization. A proper MemoryError is
now raised instead.
- gh-150107: asyncio: sendfile() and sock_sendfile() event
loop methods now call file.seek(offset) if file has
a seek() method, even if offset is 0 (default value).
- gh-150146: Fix a crash on a complex type variable
substitution: from typing import TypeVar;
memoryview[TypeVar("")][*typing.Mapping[..., ...]] used to
fail due to a missing NULL check on the _unpack_args C
function call.
- gh-149590: Fix crash when faulthandler is imported more
than once.
- gh-149816: Fix a race condition in _PyBytes_FromList in
free-threading mode.
- gh-149816: Fix a race condition in memoryview with
free-threading.
- gh-149805: Fix a SystemError when compiling a
__classdict__ class annotation. Found by OSS-Fuzz in
#512907042.
- gh-149738: sqlite3: Disallow removing row_factory and
text_factory attributes of a connection to prevent a crash
on a query.
- gh-139808: Add branch protections for AArch64 (BTI/PAC) in
assembly code used by -X perf_jit (Linux perf profiler
integration).
- gh-148450: Fix abc.register() so it invalidates type
version tags for registered classes.
- Library
- gh-151039: Fix a crash when static datetime types outlive
the _datetime module.
- gh-150913: Fix sqlite3.Blob slice assignment to raise
TypeError and IndexError for type and size mismatches
respectively, even when the target slice is empty.
- gh-143008: Fix race conditions when re-initializing
an io.TextIOWrapper object.
- gh-150750: Fix a race condition in
collections.deque.index() with free-threading.
- gh-150685: Update bundled pip to 26.1.2.
- gh-150406: Fix a possible crash occurring during socket
module initialization when the system is out of memory on
platforms without a reentrant gethostbyname.
- gh-150372: readline: Fix a potential crash during tab
completion caused by an out-of-memory error during module
initialization.
- gh-150157: Fix a crash in free-threaded builds that occurs
when pickling by name objects without a __module__
attribute while sys.modules is concurrently being modified.
- gh-150175: Fix race condition in
unittest.mock.ThreadingMock where concurrent calls could
lose increments to call_count and other attributes due to
a missing lock in _increment_mock_call.
- gh-84353: Preserve non-UTF-8 encoded filenames when
appending to a zipfile.ZipFile. Previously, non-ASCII names
stored in a legacy encoding (without the UTF-8 flag bit
set) could be corrupted when the central directory was
rewritten: they were decoded as cp437 and then re-stored as
UTF-8.
- gh-149816: Fix race condition in
ssl.SSLContext.sni_callback.
- gh-149995: Update various docstrings in typing.
- gh-88726: The email package now uses standard MIME charset
names “gb2312” and “big5” instead of non-standard names
“eucgb2312_cn” and “big5_tw”.
- gh-149571: Fix the C implementation of
xml.etree.ElementTree.Element.itertext(): it no longer
emits text for comments and processing instructions.
- gh-149921: Fix reference leaks in error paths of the
_interpchannels and _interpqueues extension modules.
- gh-149816: Fix a race condition in _random.Random.__init__
method in free-threading mode.
- gh-149801: Add IANA registered names and aliases with
leading zeros before number (like IBM00858, CP00858,
IBM01140, CP01140) for corresponding codecs.
- gh-149701: Fix bad return code from Lib/venv/bin/activate
if hashing is disabled.
- gh-112821: In the REPL, autocompletion might run arbitrary
code in the getter of a descriptor. If that getter raised
an exception, autocompletion would fail to present any
options for the entire object. Autocompletion now works as
expected for these objects.
- gh-149489: Fix ElementTree serialization to HTML. The
content of elements “xmp”, “iframe”, “noembed”, “noframes”,
and “plaintext” is no longer escaped. The “plaintext”
element no longer has the closing tag.
- gh-149231: In tomllib, the number of parts in TOML keys is
now limited.
- gh-149046: io: Fix io.StringIO serialization: no longer
call str(obj) on str subclasses. Patch by Thomas Kowalski.
- gh-148954: Fix XML injection vulnerability in
xmlrpc.client.dumps() where the methodname was not being
escaped before interpolation into the XML body.
- gh-148441: xml.parsers.expat: prevent a crash in
CharacterDataHandler() when the character data size exceeds
the parser’s buffer size.
- gh-146452: Fix segfault in pickle when pickling
a dictionary concurrently mutated by another thread in the
free-threaded build.
- gh-142831: Fix a crash in the json module where
a use-after-free could occur if the object being encoded is
modified during serialization.
- gh-90949: Add
SetBillionLaughsAttackProtectionActivationThreshold() and
SetBillionLaughsAttackProtectionMaximumAmplification() to
xmlparser objects to tune protections against billion
laughs attacks. Patch by Bénédikt Tran.
- gh-134261: zip: On reproducible builds, ZipFile uses UTC
instead of the local time when writing file datetimes to
avoid underflows.
- gh-128110: Fix bug in the parsing of email address headers
that could result in extraneous spaces in the decoded text
when using a modern email policy. Space between pairs of
adjacent RFC 2047 encoded-words is now ignored, per section
6.2 (and consistent with existing parsing of unstructured
headers like Subject).
- gh-107398: Fix tarfile stream mode exception when processing
a file with the gzip extra field.
- gh-123853: Update the table of Windows language code
identifiers (LCIDs) used by locale.getdefaultlocale() on
Windows to protocol version 16.0 (2024-04-23).
- gh-91099: imaplib.IMAP4.login() now raises exceptions with
str instead of bytes. Patch by Florian Best.
- Documentation
- gh-150319: Generic builtin and standard library types now
document the meaning of their type parameters.
- gh-109503: Fix documentation for shutil.move() on usage of
os.rename(), since a nonatomic move might be used even if the
files are on the same filesystem. Patch by Fang Li.
- Tests
- gh-151130: Add more tests for PyWeakref_* C API.
- gh-149776: Fix test_socket on Linux kernel 7.1 and newer:
skip UDP Lite tests if it’s not supported. Patch by Victor
Stinner.
- Build
- gh-148294: Corrected the use of AC_PATH_TOOL in
configure.ac to allow a C++ compiler to be found on PATH.
- IDLE
- bpo-6699: Warn the user if a file will be overwritten when
saving.
- C API
- gh-150907: Fix dynamic_annotations.h header file when built
with C++ and Valgrind: add extern "C++" scope for the C++
template. Patch by Victor Stinner.
- gh-145235: Made PyDict_AddWatcher(), PyDict_ClearWatcher(),
PyDict_Watch(), and PyDict_Unwatch() thread-safe on the
free threaded build.
Refreshed patches:
- bpo-31046_ensurepip_honours_prefix.patch
- CVE-2023-52425-libexpat-2.6.0-backport-15.6.patch
- CVE-2024-6923-follow-up-EOL-email-headers.patch
- CVE-2025-12781-b64decode-alt-chars.patch
- CVE-2025-15366-imap-ctrl-chars.patch
- gh139257-Support-docutils-0.22.patch
- test_UDPLITE_support.patch
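
The gh-149079 entry in the Security list above replaces a quadratic insertion sort with a counting sort in the canonical ordering step of normalization. The sketch below is an added example, not CPython's C implementation and not part of this package; the function names and the sample string are constructed for illustration. It shows that step in Python and measures the length of the combining-character run, which is what drove the old quadratic cost.

```python
import unicodedata


def canonical_reorder(text):
    """Canonical Ordering of already-decomposed text.

    Each run of characters with a non-zero canonical combining class (ccc)
    is sorted by ccc with a stable counting sort, which is linear per run.
    """
    out, run = [], []

    def flush():
        if len(run) > 1:
            buckets = {}
            for ch in run:                      # one pass: group by ccc
                buckets.setdefault(unicodedata.combining(ch), []).append(ch)
            for ccc in sorted(buckets):         # at most 254 distinct classes
                out.extend(buckets[ccc])        # order within a class is kept
        else:
            out.extend(run)
        run.clear()

    for ch in text:
        if unicodedata.combining(ch):
            run.append(ch)
        else:                                   # a starter ends the current run
            flush()
            out.append(ch)
    flush()
    return "".join(out)


def longest_combining_run(text):
    """Length of the longest run of non-starters in text."""
    best = cur = 0
    for ch in text:
        cur = cur + 1 if unicodedata.combining(ch) else 0
        best = max(best, cur)
    return best


# Constructed input: a base letter followed by marks in non-canonical order
# (U+0301 has ccc 230, U+0323 has ccc 220), repeated 500 times.
SAMPLE = "a" + "\u0301\u0323" * 500 + "b"

if __name__ == "__main__":
    print(longest_combining_run(SAMPLE))
    print(canonical_reorder(SAMPLE) == unicodedata.normalize("NFD", SAMPLE))
```

On an interpreter without the fix, logging longest_combining_run() for untrusted text before it reaches unicodedata.normalize() shows whether inputs of this shape are arriving.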
Python 3 in SUSE
==============
* Subpackages *
Python 3 is split into several subpackages, based on external dependencies.
The main package 'python3' has soft dependencies on all subpackages needed to
assemble the standard library; however, these might not all be installed by default.
If you attempt to import a module that is currently not installed, an ImportError is thrown,
with instructions to install the missing subpackage. Installing the subpackage might result
in installing libraries that the subpackage requires to function.
* ensurepip *
The 'ensurepip' module from Python 3 standard library (PEP 453) is supposed to deploy
a bundled copy of the pip installer. This makes no sense in a managed distribution like SUSE.
Instead, you need to install package 'python3-pip'. Usually this will be installed automatically
with 'python3'.
Using 'ensurepip' when pip is not installed will result in an ImportError with instructions
to install 'python3-pip'.
* Documentation *
You can find documentation in separate packages: python3-doc and
python3-doc-pdf. These contain the following documents:
Tutorial, What's New in Python, Global Module Index, Library Reference,
Macintosh Module Reference, Installing Python Modules, Distributing Python
Modules, Language Reference, Extending and Embedding, Python/C API,
Documenting Python
The python3-doc package contains many text files from the source tarball.
* Interactive mode *
Interactive mode is by default enhanced with history and command completion.
If you don't like these features, you can unset the PYTHONSTARTUP variable
in your .profile or disable it system wide in /etc/profile.d/python.sh.