Update to 3.15.0~a3

Security
    - gh-142145: Remove quadratic behavior in xml.minidom node ID
      cache clearing.
    - gh-42400: Fix buffer overflow in _Py_wrealpath() for paths
      exceeding MAXPATHLEN bytes by using dynamic memory
      allocation instead of fixed-size buffer. Patch by Shamil
      Abdulaev.
    - gh-119451: Fix a potential memory denial of service in the
      http.client module. When connecting to a malicious server,
      it could cause an arbitrary amount of memory to be
      allocated. This could have led to symptoms including
      a MemoryError, swapping, out of memory (OOM) killed
      processes or containers, or even system crashes
      (CVE-2025-13836, bsc#1254400).
    - gh-119342: Fix a potential memory denial of service in the
      plistlib module. When reading a Plist file received from
      untrusted source, it could cause an arbitrary amount of
      memory to be allocated. This could have led to symptoms
      including a MemoryError, swapping, out of memory (OOM)
      killed processes or containers, or even system crashes
      (CVE-2025-13837, bsc#1254401).
Library
    - gh-142754: Add the ownerDocument attribute to
      xml.dom.minidom elements and attributes created by directly
      instantiating the Element or Attr class. Note that this way
      of creating nodes is not supported; creator functions like
      xml.dom.Document.documentElement() should be used instead.
    - gh-142594: Fix crash in TextIOWrapper.close() when the
      underlying buffer’s closed property calls detach().
    - gh-76007: Deprecate __version__ from ctypes. Patch by Hugo
      van Kemenade.
    - gh-76007: Deprecate __version__ from wsgiref.simple_server.
      Patch by Hugo van Kemenade.
    - gh-142651: unittest.mock: fix a thread safety issue where
      Mock.call_count may return inaccurate values when the mock
      is called concurrently from multiple threads.
    - gh-76007: Deprecate __version__ from http.server. Patch by
      Hugo van Kemenade.
    - gh-138122: Add --subprocesses flag to profiling.sampling
      CLI to automatically profile subprocesses spawned by the
      target. When enabled, the profiler monitors for new Python
      subprocesses and profiles each one separately, writing
      results to individual output files. This is useful for
      profiling applications that use multiprocessing,
      ProcessPoolExecutor, or other subprocess-based parallelism.
      Patch by Pablo Galindo.
    - gh-142595: Added type check during initialization of the
      decimal module to prevent a crash in case of broken stdlib.
      Patch by Sergey B Kirpichev.
    - gh-142556: Fix crash when a task gets re-registered during
      finalization in asyncio. Patch by Kumar Aditya.
    - gh-138122: Add --mode=exception to the sampling profiler to
      capture samples only from threads with an active exception,
      useful for analyzing exception handling overhead. Patch by
      Pablo Galindo.
    - gh-142539: traceback: Fix location of carets in
      SyntaxErrors when the source contains wide characters.
    - gh-123241: Avoid reference count operations in garbage
      collection of ctypes objects.
    - gh-142451: hmac: correctly copy HMAC attributes for objects
      copied through HMAC.copy(). Patch by Bénédikt Tran.
    - gh-138122: The profiling.sampling flamegraph profiler now
      supports inverted flamegraph view that aggregates all leaf
      nodes. In a standard flamegraph, if a hot function is
      called from multiple locations, it appears multiple times
      as separate leaf nodes. In the inverted flamegraph, all
      occurrences of the same leaf function are merged into
      a single aggregated node at the root, showing the total
      hotness of that function in one place. The children of each
      aggregated node represent its callers, making it easier to
      identify which functions consume the most CPU time and
      where they are called from.
    - gh-112527: The help text for required options in argparse
      is no longer extended with “ (default: None)”.
    - gh-142438: Fixed a possible leaked GIL in
      _PySSL_keylog_callback.
    - gh-138122: Add bytecode-level instruction profiling to the
      sampling profiler via the new --opcodes flag. When enabled,
      the profiler captures which bytecode opcode is executing at
      each sample, including Python 3.11+ adaptive
      specializations, and visualizes this data in the heatmap,
      flamegraph, gecko, and live output formats. Patch by Pablo
      Galindo.
    - gh-142389: Add backtick markup support in argparse
      description and epilog text to highlight inline code when
      color output is enabled.
    - gh-142346: Fix usage formatting for mutually exclusive
      groups in argparse when they are preceded by positional
      arguments or followed or intermixed with other optional
      arguments.
    - gh-142374: Fix cumulative percentage calculation for
      recursive functions in the new sampling profiler. When
      profiling recursive functions, cumulative statistics
      (cumul%, cumtime) could exceed 100% because each recursive
      frame in a stack was counted separately. For example,
      a function recursing 500 times in every sample would show
      50000% cumulative presence. The fix deduplicates locations
      within each sample so cumulative stats correctly represent
      “percentage of samples where this function was on the
      stack”. Patch by Pablo Galindo.
    - gh-142315: Pdb can now run scripts from anonymous pipes
      used in process substitution. Patch by Bartosz Sławecki.
    - gh-64532: Subparser help now includes required optional
      arguments from the parent parser in the usage, making it
      clearer what arguments are needed to run a subcommand.
      Patch by Savannah Ostrowski.
    - gh-142207: Fix: profiling.sampling may cause assertion
      !(has_gil && gil_requested)
    - gh-142332: Fix usage formatting for positional arguments in
      mutually exclusive groups in argparse.
    - gh-142282: Fix winreg.QueryValueEx() to not accidentally
      read garbage buffer under race condition.
    - gh-142318: Fix typing 'q' at the help of the interactive
      tachyon profiler exiting the profiler.
    - gh-75949: Fix argparse to preserve | separators in mutually
      exclusive groups when the usage line wraps due to length.
    - gh-142267: Improve argparse performance by caching the
      formatter used for argument validation.
    - gh-139862: Remove color parameter from
      argparse.HelpFormatter constructor. Color is controlled by
      ArgumentParser.
    - gh-68552: MisplacedEnvelopeHeaderDefect and Missing header
      name defects are now correctly passed to the handle_defect
      method of policy in FeedParser.
    - gh-142206: The resource tracker in the multiprocessing
      module can now understand messages from older versions of
      itself. This avoids issues with upgrading Python while it
      is running. (Note that such ‘in-place’ upgrades are not
      tested.)
    - gh-142214: Fix two regressions in dataclasses in Python
      3.14.1 related to annotations. An exception is no longer
      raised if slots=True is used and the __init__ method does
      not have an __annotate__ attribute (likely because
      init=False was used). An exception is no longer raised if
      annotations are requested on the __init__ method and one of
      the fields is not present in the class annotations. This
      can occur in certain dynamic scenarios. Patch by Jelle
      Zijlstra.
    - gh-142203: Remove the debug_override parameter from
      importlib.util.cache_from_source() which has been
      deprecated since Python 3.5.
    - gh-138122: The _remote_debugging module now implements
      frame caching in the RemoteUnwinder class to reduce memory
      reads when profiling remote processes. When
      cache_frames=True, unchanged portions of the call stack are
      reused from previous samples, significantly improving
      profiling performance for deep call stacks.
    - gh-116738: Fix cmath data race when initializing
      trigonometric tables with subinterpreters.
    - gh-141982: Allow pdb to set breakpoints on async functions
      with function names.
    - gh-74389: When the stdin being used by a subprocess.Popen
      instance is closed, this is now ignored in
      subprocess.Popen.communicate() instead of leaving the class
      in an inconsistent state.
    - gh-87512: Fix subprocess.Popen.communicate() timeout
      handling on Windows when writing large input. Previously,
      the timeout was ignored during stdin writing, causing the
      method to block indefinitely if the child process did not
      consume input quickly. The stdin write is now performed in
      a background thread, allowing the timeout to be properly
      enforced.
    - gh-141939: Add color to all interpolated values in argparse
      help, like %(default)s or %(choices)s. Patch by Alex
      Prengère.
    - gh-141473: When subprocess.Popen.communicate() was called
      with input and a timeout and is called for a second time
      after a TimeoutExpired exception before the process has
      died, it should no longer hang.
    - gh-141999: Correctly allow KeyboardInterrupt to stop the
      process when using profiling.sampling.
    - gh-142006: Fix a bug in the email.policy.default folding
      algorithm which incorrectly resulted in a doubled newline
      when a line ending at exactly max_line_length was followed
      by an unfoldable token.
    - gh-141968: Remove data copy from re compilation of regexes
      with large charsets by using bytearray.take_bytes().
    - gh-141968: Remove data copy from encodings.idna encode()
      and encode() by using bytearray.take_bytes().
    - gh-141968: Remove data copy from codecs punycode encoding
      by using bytearray.take_bytes().
    - gh-141968: Remove data copy from
      wave.Wave_read.readframes() and
      wave.Wave_write.writeframes() by using
      bytearray.take_bytes().
    - gh-141968: Remove a data copy from base64.b32decode() and
      base64.b32encode() by using bytearray.take_bytes().
    - gh-59000: Fix pdb breakpoint resolution for class methods
      when the module defining the class is not imported.
    - gh-116738: Fix thread safety issue with re scanner objects
      in free-threaded builds.
    - gh-138122: The profiling.sampling flamegraph profiler now
      displays thread status statistics showing the percentage of
      time threads spend holding the GIL, running without the
      GIL, waiting for the GIL, and performing garbage
      collection. These statistics help identify GIL contention
      and thread behavior patterns. When filtering by thread, the
      display shows per-thread metrics.
    - gh-141781: Fixed an issue where pdb.line_prefix assignment
      was ignored if assigned after the module was imported.
    - gh-141863: Update Streams to use bytearray.take_bytes() for
      an over 10% performance improvement on pyperformance
      asyncio_tcp benchmark.
    - gh-141817: Add socket.IPV6_HDRINCL constant.
    - gh-105836: Fix asyncio.run_coroutine_threadsafe() leaving
      underlying cancelled asyncio task running.
    - gh-141570: Support file-like object raising OSError from
      fileno() in color detection (_colorize.can_colorize()).
      This can occur when sys.stdout is redirected.
    - gh-141679: Add colour to defaults in argparse help. Patch
      by Hugo van Kemenade.
    - gh-141686: Break reference cycles created by each call to
      json.dump() or json.JSONEncoder.iterencode().
    - gh-141659: Fix bad file descriptor errors from
      _posixsubprocess on AIX.
    - gh-141645: Add a new --live mode to the tachyon profiler in
      profiling.sampling module. This mode consists of a live TUI
      that displays real-time profiling statistics as the target
      application runs, similar to top. Patch by Pablo Galindo.
    - gh-141615: Check stdin instead of stdout for use_rawinput
      in pdb.
    - gh-69113: Fix doctest to correctly report line numbers for
      doctests in __test__ dictionary when formatted as
      triple-quoted strings by finding unique lines in the string
      and matching them in the source file.
    - gh-141600: Fix musl version detection on Void Linux.
    - gh-48752: Add readline.get_pre_input_hook() function to
      retrieve the current pre-input hook. This allows
      applications to save and restore the hook without
      overwriting user settings. Patch by Sanyam Khurana.
    - gh-141565: Add async-aware profiling to the Tachyon
      sampling profiler. The profiler now reconstructs and
      displays async task hierarchies in flamegraphs, making the
      output more actionable for users. Patch by Savannah
      Ostrowski and Pablo Galindo Salgado.
    - gh-60107: Remove a copy from io.RawIOBase.read(). If the
      underlying I/O class keeps a reference to the mutable
      memory, raise a BufferError.
    - gh-116738: Make csv module thread-safe on the free threaded
      build.
    - gh-140911: collections: Ensure that the methods
      UserString.rindex() and UserString.index() accept
      collections.UserString instances as the sub argument.
    - gh-140875: Fix handling of unclosed character references
      (named and numerical) followed by the end of file in
      html.parser.HTMLParser with convert_charrefs=False.
    - gh-140677: Add heatmap visualization mode to the Tachyon
      sampling profiler. The new --heatmap output format provides
      a line-by-line view showing execution intensity with
      color-coded samples, inline statistics, and interactive
      call graph navigation between callers and callees.
    - gh-139946: Distinguish stdout and stderr when colorizing
      output in argparse module.
    - gh-76007: pydoc: Fix DeprecationWarning being raised when
      generating doc for stdlib modules.
    - gh-139686: Make importlib.reload no-op for lazy modules.
    - gh-138697: Fix inferring dest from a single-dash long
      option in argparse. If a short option and a single-dash
      long option are passed to add_argument(), dest is now
      inferred from the single-dash long option.
    - gh-138525: Add support for single-dash long options and
      alternate prefix characters in
      argparse.BooleanOptionalAction.
    - gh-79986: Add parsing for References and In-Reply-To
      headers to the email library that parses the header content
      as lists of message id tokens. This prevents them from
      being folded incorrectly.
    - gh-135559: Flag: a dir() on a Flag enumeration now shows
      non-canonical members. (i.e. aliases).
    - gh-134453: Fixed subprocess.Popen.communicate() input=
      handling of memoryview instances that were non-byte shaped
      on POSIX platforms. Those are now properly cast to a byte
      shaped view instead of truncating the input. Windows
      platforms did not have this bug.
    - gh-127930: Add __all__ to tkinter.simpledialog.
    - gh-115952: Fix a potential memory denial of service in the
      pickle module. When reading a pickled data received from
      untrusted source, it could cause an arbitrary amount of
      memory to be allocated, even if the code that is allowed to
      execute is restricted by overriding the find_class()
      method. This could have led to symptoms including
      a MemoryError, swapping, out of memory (OOM) killed
      processes or containers, or even system crashes.
    - bpo-40350: Fix support for namespace packages in
      modulefinder.
Documentation
    - gh-141994: xml.sax.handler: Make Documentation of
      xml.sax.handler.feature_external_ges warn of opening up to
      external entity attacks. Patch by Sebastian Pipping.
Core and Builtins
    - gh-134584: Eliminate redundant refcounting from
      _STORE_ATTR_INSTANCE_VALUE.
    - gh-142718: JIT: Fix segfault caused by not flushing the
      stack to memory at side exits.
    - gh-142737: Tracebacks will be displayed in fallback mode
      even if io.open() is lost. Previously, this would crash the
      interpreter. Patch by Bartosz Sławecki.
    - gh-116738: Make the attributes in bz2 thread-safe on the
      free threaded build.
    - gh-134584: Eliminate redundant refcounting from
      _CALL_LIST_APPEND.
    - gh-142554: Fix a crash in divmod() when
      _pylong.int_divmod() does not return a tuple of length two
      exactly. Patch by Bénédikt Tran.
    - gh-142531: Fix a free-threaded GC performance regression.
      If there are many untracked tuples, the GC will run too
      often, resulting in poor performance. The fix is to include
      untracked tuples in the “long lived” object count. The
      number of frozen objects is also now included since the
      free-threaded GC must scan those too.
    - gh-142402: Fix reference counting when adjacent literal
      parts are merged while constructing
      string.templatelib.Template, preventing the displaced
      string object from leaking.
    - gh-116738: Make the attributes in zlib thread-safe on the
      free threaded build.
    - gh-142343: Fix SIGILL crash on m68k due to incorrect
      assembly constraint.
    - gh-142236: Improve the “Perhaps you forgot a comma?” syntax
      error for multi-line string concatenations to point to the
      last string instead of the first, making it easier to
      locate where the comma is missing. Patch by Pablo Galindo.
    - gh-142236: Fix incorrect keyword suggestions for syntax
      errors in traceback. The keyword typo suggestion mechanism
      would incorrectly suggest replacements when the extracted
      source code was incomplete rather than containing an actual
      typo. Patch by Pablo Galindo.
    - gh-142305: Decrease the size of the generated stencils and
      the runtime JIT code. Patch by Diego Russo.
    - gh-135379: Implement a limited form of register allocation
      known as “top of stack caching” in the JIT. It works by
      keeping 0-3 of the top items in the stack in registers. The
      code generator generates multiple versions of those uops
      that do not escape and are relatively small. During JIT
      compilation, the copy that produces the least memory
      traffic is selected, spilling or reloading values when
      needed.
    - gh-142276: Fix missing type watcher when promoting
      attribute loads to constants in the JIT. Patch by Ken Jin.
      Reproducer by Yuancheng Jiang.
    - gh-142218: Fix crash when inserting into a split table
      dictionary with a non str key that matches an existing key.
    - gh-141976: Check against abstract stack overflow in the JIT
      optimizer.
    - gh-97850: Remove all *.load_module() usage and definitions
      from the import system and importlib. The method has been
      deprecated in favor of importlib.abc.Loader.exec_module()
      since Python 3.4.
    - gh-142048: Fix quadratically increasing garbage collection
      delays in free-threaded build.
    - gh-65961: Stop setting __cached__ on modules.
    - gh-141770: Annotate anonymous mmap usage only when
      supported by the Linux kernel and if -X dev is used or
      Python is built in debug mode. Patch by Donghee Na.
    - gh-142029: Raise ModuleNotFoundError instead of crashing
      when a nonexistent module is used as a name in
      _imp.create_builtin().
    - gh-142029: Raise ValueError instead of crashing when empty
      string is used as a name in _imp.create_builtin().
    - gh-141976: Protect against specialization failures in the
      tracing JIT compiler for performance reasons.
    - gh-141861: Fix invalid memory read in the ENTER_EXECUTOR
      instruction.
    - gh-141930: When importing a module, use Python’s regular
      file object to ensure that writes to .pyc files are
      complete or an appropriate error is raised.
    - gh-138122: Add incomplete sample detection to prevent
      corrupted profiling data. Each thread state now contains an
      embedded base frame (sentinel at the bottom of the frame
      stack) with owner type FRAME_OWNED_BY_INTERPRETER. The
      profiler validates that stack unwinding terminates at this
      sentinel frame. Samples that fail to reach the base frame
      (due to race conditions, memory corruption, or other
      errors) are now rejected rather than being included as
      spurious data.
    - gh-120158: Fix inconsistent state when enabling or
      disabling monitoring events too many times.
    - gh-140638: Expose a "candidates" stat in gc.get_stats() and
      gc.callbacks.
    - gh-141780: Fix Py_mod_gil with API added in PEP 793:
      PyModule_FromSlotsAndSpec() and PyModExport hooks.
    - gh-141732: Ensure the __repr__() for ExceptionGroup and
      BaseExceptionGroup does not change when the exception
      sequence that was originally passed in to its constructor is
      subsequently mutated.
    - gh-140638: Expose a "duration" stat in gc.get_stats() and
      gc.callbacks.
    - gh-139653: Only raise a RecursionError or trigger a fatal
      error if the stack pointer is both below the limit pointer
      and above the stack base. If outside of these bounds assume
      that it is OK. This prevents false positives when
      user-space threads swap stacks.
    - gh-41779: Allowed defining the __dict__ and __weakref__
      __slots__ for any class.
    - gh-139103: Improve multithreaded scaling of dataclasses on
      the free-threaded build.
    - gh-141589: Change backoff counter to use prime numbers
      instead of powers of 2. Use only 3 bits for counter and 13
      bits for value. This allows to support values up to 8191.
      Patch by Mikhail Efimov.
    - gh-137007: Fix a bug during JIT compilation failure which
      caused garbage collection debug assertions to fail.
    - gh-132657: For the free-threaded build, avoid locking the
      set object for the __contains__ method.
    - gh-134584: Eliminate redundant refcounting from
      _CALL_STR_1.
    - gh-134584: Eliminate redundant refcounting from
      _CALL_BUILTIN_O.
    - gh-134584: Eliminate redundant refcounting from
      _CALL_TUPLE_1. Patch by Noam Cohen.
C API
    - gh-142589: Fix
      PyUnstable_Object_IsUniqueReferencedTemporary() handling of
      tagged ints on the interpreter stack.
    - gh-142571: PyUnstable_CopyPerfMapFile() now checks that
      opening the file succeeded before flushing.
    - gh-142225: Fixed the PyABIInfo_VAR macro.
    - gh-141049: _PyObject_CallMethodId(), _PyObject_GetAttrId()
      and _PyUnicode_FromId() are deprecated since 3.15 and will
      be removed in 3.20. Instead, use
      PyUnicode_InternFromString() and cache the result in the
      module state, then call PyObject_CallMethod() or
      PyObject_GetAttr(). Patch by Victor Stinner.
    - gh-142163: Fix the HAVE_THREAD_LOCAL macro being defined
      without the Py_BUILD_CORE macro set after including
      Python.h.
    - gh-137422: Fix free threading race condition in
      PyImport_AddModuleRef(). It was previously possible for two
      calls to the function to return two different objects, only
      one of which was stored in sys.modules.
    - gh-141726: Add PyDict_SetDefaultRef() to the Stable ABI.
    - gh-140042: Removed the sqlite3_shutdown call that could
      cause closing connections for sqlite when used with
      multiple sub interpreters.
    - gh-141070: Add PyUnstable_Object_Dump() to dump an object
      to stderr. It should only be used for debugging. Patch by
      Victor Stinner.
    - gh-139165: Expose the functions Py_SIZE(), Py_IS_TYPE() and
      Py_SET_SIZE() in the Stable ABI.
Build
    - gh-131372: Add LDVERSION and EXE to the base_interpreter
      value of build-details.json.
    - gh-142454: When calculating the digest of the JIT stencils
      input, sort the hashed files by filenames before adding
      their content to the hasher. This ensures deterministic
      hash input and hence deterministic hash, independent on
      filesystem order.
    - gh-131372: build-details.py will only be installed as part
      of the main install (make install). make altinstall will no
      longer include it.
    - gh-142234: Allow --enable-wasm-dynamic-linking for WASI.
      While CPython doesn’t directly support it so
      external/downstream users do not have to patch in support
      for the flag.
    - gh-142050: Fixed a bug where JIT stencils produced on
      Windows contained debug data. Patch by Chris Eibl.
    - gh-141808: Do not generate the jit stencils twice in case
      of PGO builds on Windows.
    - gh-141926: RUNSHARED is no longer cleared when
      cross-compiling. Previously, RUNSHARED was cleared when
      cross-compiling, which breaks PGO when using
      --enabled-shared on systems where the cross-compiled
      CPython is otherwise executable (e.g., via transparent
      emulation).
    - gh-141808: When running make clean-retain-profile, keep the
      generated JIT stencils. That way, the stencils are not
      generated twice when Profile-guided optimization (PGO) is
      used. It also allows distributors to supply their own
      pre-built JIT stencils.
    - gh-141784: Fix _remote_debugging_module.c compilation on
      32-bit Linux. Include Python.h before system headers to
      make sure that _remote_debugging_module.c uses the same
      types (ABI) as Python. Patch by Victor Stinner.
    - gh-141172: Update to WASI SDK 29.
    - gh-139707: Add configure option
      --with-missing-stdlib-config=FILE which allows distributors
      to pass a JSON configuration file containing custom error
      messages for missing standard library modules.
    - gh-108819: Honor --with-platlibdir in the pure-Python
      standard library installation path, if PLATLIBDIR doesn’t
      match the value used in LIBDIR.
Tests
    - gh-140381: Fix flaky test_profiling tests on i686 and s390x
      architectures by increasing slow_fibonacci call frequency
      from every 5th iteration to every 2nd iteration.
    - gh-140210: Make
      test_sysconfig.test_parse_makefile_renamed_vars less
      fragile by clearing the environment variables before
      parsing the Makefile.
2025-12-19 17:49:47 +01:00
parent 2544c41d2e
commit aa61ff92f2
11 changed files with 549 additions and 219 deletions


@@ -4,11 +4,11 @@
Lib/test/test_xml_etree.py | 10 ++++++++++
3 files changed, 17 insertions(+)
Index: Python-3.15.0a1/Lib/test/test_pyexpat.py
Index: Python-3.15.0a3/Lib/test/test_pyexpat.py
===================================================================
--- Python-3.15.0a1.orig/Lib/test/test_pyexpat.py 2025-10-24 23:53:24.356893960 +0200
+++ Python-3.15.0a1/Lib/test/test_pyexpat.py 2025-10-24 23:53:50.136311340 +0200
@@ -843,6 +843,10 @@
--- Python-3.15.0a3.orig/Lib/test/test_pyexpat.py 2025-12-16 13:26:12.000000000 +0100
+++ Python-3.15.0a3/Lib/test/test_pyexpat.py 2025-12-19 02:26:33.964969539 +0100
@@ -860,6 +860,10 @@
self.assertEqual(started, ['doc'])
def test_reparse_deferral_disabled(self):
@@ -19,10 +19,10 @@ Index: Python-3.15.0a1/Lib/test/test_pyexpat.py
started = []
def start_element(name, _):
Index: Python-3.15.0a1/Lib/test/test_sax.py
Index: Python-3.15.0a3/Lib/test/test_sax.py
===================================================================
--- Python-3.15.0a1.orig/Lib/test/test_sax.py 2025-10-24 23:53:24.425039914 +0200
+++ Python-3.15.0a1/Lib/test/test_sax.py 2025-10-24 23:53:50.136951370 +0200
--- Python-3.15.0a3.orig/Lib/test/test_sax.py 2025-12-16 13:26:12.000000000 +0100
+++ Python-3.15.0a3/Lib/test/test_sax.py 2025-12-19 02:26:33.966048947 +0100
@@ -1241,6 +1241,9 @@
self.assertEqual(result.getvalue(), start + b"<doc></doc>")
@@ -33,10 +33,10 @@ Index: Python-3.15.0a1/Lib/test/test_sax.py
def test_flush_reparse_deferral_disabled(self):
result = BytesIO()
xmlgen = XMLGenerator(result)
Index: Python-3.15.0a1/Lib/test/test_xml_etree.py
Index: Python-3.15.0a3/Lib/test/test_xml_etree.py
===================================================================
--- Python-3.15.0a1.orig/Lib/test/test_xml_etree.py 2025-10-24 23:53:24.855327755 +0200
+++ Python-3.15.0a1/Lib/test/test_xml_etree.py 2025-10-24 23:53:50.137646227 +0200
--- Python-3.15.0a3.orig/Lib/test/test_xml_etree.py 2025-12-16 13:26:12.000000000 +0100
+++ Python-3.15.0a3/Lib/test/test_xml_etree.py 2025-12-19 02:26:33.966681016 +0100
@@ -138,6 +138,11 @@
return mock.patch.object(cls, "__eq__", autospec=True, wraps=eq)
@@ -49,7 +49,7 @@ Index: Python-3.15.0a1/Lib/test/test_xml_etree.py
def checkwarnings(*filters, quiet=False):
def decorator(test):
def newtest(*args, **kwargs):
@@ -1547,9 +1552,11 @@
@@ -1620,9 +1625,11 @@
self.assert_event_tags(parser, [('end', 'root')])
self.assertIsNone(parser.close())
@@ -61,7 +61,7 @@ Index: Python-3.15.0a1/Lib/test/test_xml_etree.py
def test_simple_xml_chunk_5(self):
self.test_simple_xml(chunk_size=5, flush=True)
@@ -1776,6 +1783,9 @@
@@ -1849,6 +1856,9 @@
self.assert_event_tags(parser, [('end', 'doc')])


@@ -1,154 +0,0 @@
From b3a7998115e195c40e00cfa662bcaa899d937c05 Mon Sep 17 00:00:00 2001
From: Serhiy Storchaka <storchaka@gmail.com>
Date: Mon, 1 Dec 2025 17:26:07 +0200
Subject: [PATCH] gh-119451: Fix a potential denial of service in http.client
(GH-119454)
Reading the whole body of the HTTP response could cause OOM if
the Content-Length value is too large even if the server does not send
a large amount of data. Now the HTTP client reads large data by chunks,
therefore the amount of consumed memory is proportional to the amount
of sent data.
(cherry picked from commit 5a4c4a033a4a54481be6870aa1896fad732555b5)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
---
Lib/http/client.py | 28 +++-
Lib/test/test_httplib.py | 66 ++++++++++
Misc/NEWS.d/next/Security/2024-05-23-11-47-48.gh-issue-119451.qkJe9-.rst | 5
3 files changed, 95 insertions(+), 4 deletions(-)
create mode 100644 Misc/NEWS.d/next/Security/2024-05-23-11-47-48.gh-issue-119451.qkJe9-.rst
Index: Python-3.15.0a2/Lib/http/client.py
===================================================================
--- Python-3.15.0a2.orig/Lib/http/client.py 2025-12-18 22:39:49.435421792 +0100
+++ Python-3.15.0a2/Lib/http/client.py 2025-12-18 22:40:02.599038188 +0100
@@ -111,6 +111,11 @@
_MAXLINE = 65536
_MAXHEADERS = 100
+# Data larger than this will be read in chunks, to prevent extreme
+# overallocation.
+_MIN_READ_BUF_SIZE = 1 << 20
+
+
# Header name/value ABNF (http://tools.ietf.org/html/rfc7230#section-3.2)
#
# VCHAR = %x21-7E
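Review bot: the name `_MIN_READ_BUF_SIZE` and its comment disagree about what the constant is. The comment describes a threshold above which reads are chunked, and the `_safe_read` hunk uses it as the cap on the first read via `min(amt, _MIN_READ_BUF_SIZE)`, so nothing here is a minimum. Extend the comment to say that `1 << 20` is the largest amount read (and therefore allocated) on the strength of the declared length alone, before the peer has sent anything.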
@@ -642,10 +647,25 @@
reading. If the bytes are truly not available (due to EOF), then the
IncompleteRead exception can be used to detect the problem.
"""
- data = self.fp.read(amt)
- if len(data) < amt:
- raise IncompleteRead(data, amt-len(data))
- return data
+ cursize = min(amt, _MIN_READ_BUF_SIZE)
+ data = self.fp.read(cursize)
+ if len(data) >= amt:
+ return data
+ if len(data) < cursize:
+ raise IncompleteRead(data, amt - len(data))
+
+ data = io.BytesIO(data)
+ data.seek(0, 2)
+ while True:
+ # This is a geometric increase in read size (never more than
+ # doubling out the current length of data per loop iteration).
+ delta = min(cursize, amt - cursize)
+ data.write(self.fp.read(delta))
+ if data.tell() >= amt:
+ return data.getvalue()
+ cursize += delta
+ if data.tell() < cursize:
+ raise IncompleteRead(data.getvalue(), amt - data.tell())
def _safe_readinto(self, b):
"""Same as _safe_read, but for reading into a buffer."""
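Review bot: the loop in `_safe_read` depends on an invariant that is not written down: after `cursize += delta`, `cursize` is the total number of bytes that should have arrived so far, which is why `data.tell() < cursize` means a short read. The existing comment only covers the geometric growth of `delta`; a line stating the invariant would make the `IncompleteRead` branch easier to verify. Also worth noting in the comment that `data.getvalue()` copies the buffer, so peak memory at return is about twice the bytes actually received. That is still proportional to the data sent, as the commit message says, but it is not a single buffer.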
Index: Python-3.15.0a2/Lib/test/test_httplib.py
===================================================================
--- Python-3.15.0a2.orig/Lib/test/test_httplib.py 2025-12-18 22:39:51.081332214 +0100
+++ Python-3.15.0a2/Lib/test/test_httplib.py 2025-12-18 22:40:02.599675565 +0100
@@ -1511,6 +1511,72 @@
thread.join()
self.assertEqual(result, b"proxied data\n")
+ def test_large_content_length(self):
+ serv = socket.create_server((HOST, 0))
+ self.addCleanup(serv.close)
+
+ def run_server():
+ [conn, address] = serv.accept()
+ with conn:
+ while conn.recv(1024):
+ conn.sendall(
+ b"HTTP/1.1 200 Ok\r\n"
+ b"Content-Length: %d\r\n"
+ b"\r\n" % size)
+ conn.sendall(b'A' * (size//3))
+ conn.sendall(b'B' * (size - size//3))
+
+ thread = threading.Thread(target=run_server)
+ thread.start()
+ self.addCleanup(thread.join, 1.0)
+
+ conn = client.HTTPConnection(*serv.getsockname())
+ try:
+ for w in range(15, 27):
+ size = 1 << w
+ conn.request("GET", "/")
+ with conn.getresponse() as response:
+ self.assertEqual(len(response.read()), size)
+ finally:
+ conn.close()
+ thread.join(1.0)
+
+ def test_large_content_length_truncated(self):
+ serv = socket.create_server((HOST, 0))
+ self.addCleanup(serv.close)
+
+ def run_server():
+ while True:
+ [conn, address] = serv.accept()
+ with conn:
+ conn.recv(1024)
+ if not size:
+ break
+ conn.sendall(
+ b"HTTP/1.1 200 Ok\r\n"
+ b"Content-Length: %d\r\n"
+ b"\r\n"
+ b"Text" % size)
+
+ thread = threading.Thread(target=run_server)
+ thread.start()
+ self.addCleanup(thread.join, 1.0)
+
+ conn = client.HTTPConnection(*serv.getsockname())
+ try:
+ for w in range(18, 65):
+ size = 1 << w
+ conn.request("GET", "/")
+ with conn.getresponse() as response:
+ self.assertRaises(client.IncompleteRead, response.read)
+ conn.close()
+ finally:
+ conn.close()
+ size = 0
+ conn.request("GET", "/")
+ conn.close()
+ thread.join(1.0)
+
def test_putrequest_override_domain_validation(self):
"""
It should be possible to override the default validation
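Review bot: both new tests call `thread.join(1.0)` and never check `thread.is_alive()` afterwards, so a server thread that hangs would go unnoticed; asserting that the thread has exited would surface it. `run_server` also reads `size` from the enclosing test scope while the main thread rebinds it in the loop, and `test_large_content_length_truncated` sets `size = 0` as the stop signal; a short comment saying the variable is shared on purpose would save readers from hunting for its definition. In the truncated test, `range(18, 65)` advertises lengths up to `1 << 64`, and a comment on why the bound goes that high would document the intent.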
Index: Python-3.15.0a2/Misc/NEWS.d/next/Security/2024-05-23-11-47-48.gh-issue-119451.qkJe9-.rst
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ Python-3.15.0a2/Misc/NEWS.d/next/Security/2024-05-23-11-47-48.gh-issue-119451.qkJe9-.rst 2025-12-18 22:40:02.600168090 +0100
@@ -0,0 +1,5 @@
+Fix a potential memory denial of service in the :mod:`http.client` module.
+When connecting to a malicious server, it could cause
+an arbitrary amount of memory to be allocated.
+This could have led to symptoms including a :exc:`MemoryError`, swapping, out
+of memory (OOM) killed processes or containers, or even system crashes.

Python-3.15.0a3.tar.xz LFS Normal file


@@ -13,11 +13,11 @@ Co-Authored-By: Xavier de Gaye <xdegaye@gmail.com>
5 files changed, 37 insertions(+), 9 deletions(-)
create mode 100644 Misc/NEWS.d/next/Build/2019-12-16-17-50-42.bpo-31046.XA-Qfr.rst
Index: Python-3.15.0a1/Doc/library/ensurepip.rst
Index: Python-3.15.0a3/Doc/library/ensurepip.rst
===================================================================
--- Python-3.15.0a1.orig/Doc/library/ensurepip.rst 2025-10-14 12:46:08.000000000 +0200
+++ Python-3.15.0a1/Doc/library/ensurepip.rst 2025-10-24 23:53:43.587408643 +0200
@@ -61,7 +61,11 @@
--- Python-3.15.0a3.orig/Doc/library/ensurepip.rst 2025-12-16 13:26:12.000000000 +0100
+++ Python-3.15.0a3/Doc/library/ensurepip.rst 2025-12-19 02:25:25.531895542 +0100
@@ -65,7 +65,11 @@
By default, ``pip`` is installed into the current virtual environment
(if one is active) or into the system site packages (if there is no
active virtual environment). The installation location can be controlled
@@ -30,7 +30,7 @@ Index: Python-3.15.0a1/Doc/library/ensurepip.rst
.. option:: --root <dir>
@@ -102,7 +106,7 @@
@@ -106,7 +110,7 @@
Returns a string specifying the available version of pip that will be
installed when bootstrapping an environment.
@@ -39,7 +39,7 @@ Index: Python-3.15.0a1/Doc/library/ensurepip.rst
altinstall=False, default_pip=False, \
verbosity=0)
@@ -112,6 +116,8 @@
@@ -116,6 +120,8 @@
If *root* is ``None``, then installation uses the default install location
for the current environment.
@@ -48,7 +48,7 @@ Index: Python-3.15.0a1/Doc/library/ensurepip.rst
*upgrade* indicates whether or not to upgrade an existing installation
of an earlier version of ``pip`` to the available version.
@@ -132,6 +138,8 @@
@@ -136,6 +142,8 @@
*verbosity* controls the level of output to :data:`sys.stdout` from the
bootstrapping operation.
@@ -57,10 +57,10 @@ Index: Python-3.15.0a1/Doc/library/ensurepip.rst
.. audit-event:: ensurepip.bootstrap root ensurepip.bootstrap
.. note::
Index: Python-3.15.0a1/Lib/ensurepip/__init__.py
Index: Python-3.15.0a3/Lib/ensurepip/__init__.py
===================================================================
--- Python-3.15.0a1.orig/Lib/ensurepip/__init__.py 2025-10-24 23:53:22.118065622 +0200
+++ Python-3.15.0a1/Lib/ensurepip/__init__.py 2025-10-24 23:53:43.587899003 +0200
--- Python-3.15.0a3.orig/Lib/ensurepip/__init__.py 2025-12-19 02:25:10.205902876 +0100
+++ Python-3.15.0a3/Lib/ensurepip/__init__.py 2025-12-19 02:25:25.532348886 +0100
@@ -106,27 +106,27 @@
os.environ['PIP_CONFIG_FILE'] = os.devnull
@@ -123,10 +123,10 @@ Index: Python-3.15.0a1/Lib/ensurepip/__init__.py
upgrade=args.upgrade,
user=args.user,
verbosity=args.verbosity,
Index: Python-3.15.0a1/Lib/test/test_ensurepip.py
Index: Python-3.15.0a3/Lib/test/test_ensurepip.py
===================================================================
--- Python-3.15.0a1.orig/Lib/test/test_ensurepip.py 2025-10-24 23:53:23.546712597 +0200
+++ Python-3.15.0a1/Lib/test/test_ensurepip.py 2025-10-24 23:53:43.588286136 +0200
--- Python-3.15.0a3.orig/Lib/test/test_ensurepip.py 2025-12-19 02:25:11.631602338 +0100
+++ Python-3.15.0a3/Lib/test/test_ensurepip.py 2025-12-19 02:25:25.532817735 +0100
@@ -105,6 +105,17 @@
unittest.mock.ANY,
)
@@ -145,11 +145,11 @@ Index: Python-3.15.0a1/Lib/test/test_ensurepip.py
def test_bootstrapping_with_user(self):
ensurepip.bootstrap(user=True)
Index: Python-3.15.0a1/Makefile.pre.in
Index: Python-3.15.0a3/Makefile.pre.in
===================================================================
--- Python-3.15.0a1.orig/Makefile.pre.in 2025-10-24 23:53:39.419910772 +0200
+++ Python-3.15.0a1/Makefile.pre.in 2025-10-24 23:53:43.588889640 +0200
@@ -2378,7 +2378,7 @@
--- Python-3.15.0a3.orig/Makefile.pre.in 2025-12-19 02:25:24.201299566 +0100
+++ Python-3.15.0a3/Makefile.pre.in 2025-12-19 02:25:25.533184405 +0100
@@ -2389,7 +2389,7 @@
install|*) ensurepip="" ;; \
esac; \
$(RUNSHARED) $(PYTHON_FOR_BUILD) -m ensurepip \
@@ -158,7 +158,7 @@ Index: Python-3.15.0a1/Makefile.pre.in
fi
.PHONY: altinstall
@@ -2389,7 +2389,7 @@
@@ -2400,7 +2400,7 @@
install|*) ensurepip="--altinstall" ;; \
esac; \
$(RUNSHARED) $(PYTHON_FOR_BUILD) -m ensurepip \
@@ -167,9 +167,9 @@ Index: Python-3.15.0a1/Makefile.pre.in
fi
.PHONY: commoninstall
Index: Python-3.15.0a1/Misc/NEWS.d/next/Build/2019-12-16-17-50-42.bpo-31046.XA-Qfr.rst
Index: Python-3.15.0a3/Misc/NEWS.d/next/Build/2019-12-16-17-50-42.bpo-31046.XA-Qfr.rst
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ Python-3.15.0a1/Misc/NEWS.d/next/Build/2019-12-16-17-50-42.bpo-31046.XA-Qfr.rst 2025-10-24 23:53:43.589498870 +0200
+++ Python-3.15.0a3/Misc/NEWS.d/next/Build/2019-12-16-17-50-42.bpo-31046.XA-Qfr.rst 2025-12-19 02:25:25.534506792 +0100
@@ -0,0 +1 @@
+A directory prefix can now be specified when using :mod:`ensurepip`.


@@ -4,17 +4,18 @@ Date: Tue, 23 Sep 2025 10:20:16 +0200
Subject: [PATCH 1/2] gh-139257: Support docutils >= 0.22
---
Doc/tools/extensions/pyspecific.py | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
Doc/tools/extensions/pyspecific.py | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
Index: Python-3.15.0a1/Doc/tools/extensions/pyspecific.py
Index: Python-3.15.0a3/Doc/tools/extensions/pyspecific.py
===================================================================
--- Python-3.15.0a1.orig/Doc/tools/extensions/pyspecific.py 2025-10-14 12:46:08.000000000 +0200
+++ Python-3.15.0a1/Doc/tools/extensions/pyspecific.py 2025-10-24 23:55:02.700550007 +0200
@@ -25,11 +25,21 @@
--- Python-3.15.0a3.orig/Doc/tools/extensions/pyspecific.py 2025-12-16 13:26:12.000000000 +0100
+++ Python-3.15.0a3/Doc/tools/extensions/pyspecific.py 2025-12-19 02:27:34.493094269 +0100
@@ -24,6 +24,24 @@
# Used in conf.py and updated here by python/release-tools/run_release.py
SOURCE_URI = 'https://github.com/python/cpython/tree/main/%s'
# monkey-patch reST parser to disable alphabetic and roman enumerated lists
+# monkey-patch reST parser to disable alphabetic and roman enumerated lists
+def _disable_alphabetic_and_roman(text):
+ try:
+ # docutils >= 0.22
@@ -25,12 +26,13 @@ Index: Python-3.15.0a1/Doc/tools/extensions/pyspecific.py
+ return None
+
+
from docutils.parsers.rst.states import Body
Body.enum.converters['loweralpha'] = \
Body.enum.converters['upperalpha'] = \
Body.enum.converters['lowerroman'] = \
- Body.enum.converters['upperroman'] = lambda x: None
+from docutils.parsers.rst.states import Body
+Body.enum.converters['loweralpha'] = \
+ Body.enum.converters['upperalpha'] = \
+ Body.enum.converters['lowerroman'] = \
+ Body.enum.converters['upperroman'] = _disable_alphabetic_and_roman
+
+
class PyAwaitableMixin(object):
def handle_signature(self, sig, signode):
ret = super(PyAwaitableMixin, self).handle_signature(sig, signode)
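Review bot: the diffstat for `Doc/tools/extensions/pyspecific.py` goes from "11 insertions(+), 1 deletion(-)" to "18 insertions(+)", so the refreshed patch no longer rewrites an existing `Body.enum.converters[...] = lambda x: None` assignment but inserts the whole block, import included. Please confirm that the 3.15.0a3 tree does not still carry the original monkey-patch elsewhere, otherwise the converters are assigned twice and the later assignment wins. A sentence in the patch header explaining why the block is now added rather than modified would make the next rebase easier.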


@@ -2,11 +2,11 @@
Makefile.pre.in | 5 +++++
1 file changed, 5 insertions(+)
Index: Python-3.15.0a1/Makefile.pre.in
Index: Python-3.15.0a3/Makefile.pre.in
===================================================================
--- Python-3.15.0a1.orig/Makefile.pre.in 2025-10-14 12:46:08.000000000 +0200
+++ Python-3.15.0a1/Makefile.pre.in 2025-10-24 23:53:39.419910772 +0200
@@ -1917,6 +1917,11 @@
--- Python-3.15.0a3.orig/Makefile.pre.in 2025-12-19 02:26:23.594002103 +0100
+++ Python-3.15.0a3/Makefile.pre.in 2025-12-19 02:26:28.185444105 +0100
@@ -1926,6 +1926,11 @@
-DGITBRANCH="\"`LC_ALL=C $(GITBRANCH)`\"" \
-o $@ $(srcdir)/Modules/getbuildinfo.c


@@ -1,10 +1,495 @@
-------------------------------------------------------------------
Thu Dec 18 10:33:44 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
Fri Dec 19 01:05:54 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
- Add CVE-2025-13836-http-resp-cont-len.patch (bsc#1254400,
CVE-2025-13836) to prevent reading an HTTP response from
a server, if no read amount is specified, with using
Content-Length per default as the length.
Update to 3.15.0~a3:
- Security
- gh-142145: Remove quadratic behavior in xml.minidom node ID
cache clearing (CVE-2025-12084, bsc#1254997).
- gh-42400: Fix buffer overflow in _Py_wrealpath() for paths
exceeding MAXPATHLEN bytes by using dynamic memory
allocation instead of fixed-size buffer. Patch by Shamil
Abdulaev.
- gh-119451: Fix a potential memory denial of service in the
http.client module. When connecting to a malicious server,
it could cause an arbitrary amount of memory to be
allocated. This could have led to symptoms including
a MemoryError, swapping, out of memory (OOM) killed
processes or containers, or even system crashes
(CVE-2025-13836, bsc#1254400).
- gh-119342: Fix a potential memory denial of service in the
plistlib module. When reading a Plist file received from
untrusted source, it could cause an arbitrary amount of
memory to be allocated. This could have led to symptoms
including a MemoryError, swapping, out of memory (OOM)
killed processes or containers, or even system crashes
(CVE-2025-13837, bsc#1254401).
- Library
- gh-142754: Add the ownerDocument attribute to
xml.dom.minidom elements and attributes created by directly
instantiating the Element or Attr class. Note that this way
of creating nodes is not supported; creator functions like
xml.dom.Document.documentElement() should be used instead.
- gh-142594: Fix crash in TextIOWrapper.close() when the
underlying buffers closed property calls detach().
- gh-76007: Deprecate __version__ from ctypes. Patch by Hugo
van Kemenade.
- gh-76007: Deprecate __version__ from wsgiref.simple_server.
Patch by Hugo van Kemenade.
- gh-142651: unittest.mock: fix a thread safety issue where
Mock.call_count may return inaccurate values when the mock
is called concurrently from multiple threads.
- gh-76007: Deprecate __version__ from http.server. Patch by
Hugo van Kemenade.
- gh-138122: Add --subprocesses flag to profiling.sampling
CLI to automatically profile subprocesses spawned by the
target. When enabled, the profiler monitors for new Python
subprocesses and profiles each one separately, writing
results to individual output files. This is useful for
profiling applications that use multiprocessing,
ProcessPoolExecutor, or other subprocess-based parallelism.
Patch by Pablo Galindo.
- gh-142595: Added type check during initialization of the
decimal module to prevent a crash in case of broken stdlib.
Patch by Sergey B Kirpichev.
- gh-142556: Fix crash when a task gets re-registered during
finalization in asyncio. Patch by Kumar Aditya.
- gh-138122: Add --mode=exception to the sampling profiler to
capture samples only from threads with an active exception,
useful for analyzing exception handling overhead. Patch by
Pablo Galindo.
- gh-142539: traceback: Fix location of carets in
SyntaxErrors when the source contains wide characters.
- gh-123241: Avoid reference count operations in garbage
collection of ctypes objects.
- gh-142451: hmac: correctly copy HMAC attributes for objects
copied through HMAC.copy(). Patch by Bénédikt Tran.
- gh-138122: The profiling.sampling flamegraph profiler now
supports inverted flamegraph view that aggregates all leaf
nodes. In a standard flamegraph, if a hot function is
called from multiple locations, it appears multiple times
as separate leaf nodes. In the inverted flamegraph, all
occurrences of the same leaf function are merged into
a single aggregated node at the root, showing the total
hotness of that function in one place. The children of each
aggregated node represent its callers, making it easier to
identify which functions consume the most CPU time and
where they are called from.
- gh-112527: The help text for required options in argparse
no longer extended with “ (default: None)”.
- gh-142438: Fixed a possible leaked GIL in
_PySSL_keylog_callback.
- gh-138122: Add bytecode-level instruction profiling to the
sampling profiler via the new --opcodes flag. When enabled,
the profiler captures which bytecode opcode is executing at
each sample, including Python 3.11+ adaptive
specializations, and visualizes this data in the heatmap,
flamegraph, gecko, and live output formats. Patch by Pablo
Galindo
- gh-142389: Add backtick markup support in argparse
description and epilog text to highlight inline code when
color output is enabled.
- gh-142346: Fix usage formatting for mutually exclusive
groups in argparse when they are preceded by positional
arguments or followed or intermixed with other optional
arguments.
- gh-142374: Fix cumulative percentage calculation for
recursive functions in the new sampling profiler. When
profiling recursive functions, cumulative statistics
(cumul%, cumtime) could exceed 100% because each recursive
frame in a stack was counted separately. For example,
a function recursing 500 times in every sample would show
50000% cumulative presence. The fix deduplicates locations
within each sample so cumulative stats correctly represent
“percentage of samples where this function was on the
stack”. Patch by Pablo Galindo.
- gh-142315: Pdb can now run scripts from anonymous pipes
used in process substitution. Patch by Bartosz Sławecki.
- gh-64532: Subparser help now includes required optional
arguments from the parent parser in the usage, making it
clearer what arguments are needed to run a subcommand.
Patch by Savannah Ostrowski.
- gh-142207: Fix: profiling.sampling may cause assertion
!(has_gil && gil_requested)
- gh-142332: Fix usage formatting for positional arguments in
mutually exclusive groups in argparse. in argparse.
- gh-142282: Fix winreg.QueryValueEx() to not accidentally
read garbage buffer under race condition.
- gh-142318: Fix typing 'q' at the help of the interactive
tachyon profiler exiting the profiler.
- gh-75949: Fix argparse to preserve | separators in mutually
exclusive groups when the usage line wraps due to length.
- gh-142267: Improve argparse performance by caching the
formatter used for argument validation.
- gh-139862: Remove color parameter from
argparse.HelpFormatter constructor. Color is controlled by
ArgumentParser.
- gh-68552: MisplacedEnvelopeHeaderDefect and Missing header
name defects are now correctly passed to the handle_defect
method of policy in FeedParser.
- gh-142206: The resource tracker in the multiprocessing
module can now understand messages from older versions of
itself. This avoids issues with upgrading Python while it
is running. (Note that such in-place upgrades are not
tested.)
- gh-142214: Fix two regressions in dataclasses in Python
3.14.1 related to annotations. An exception is no longer
raised if slots=True is used and the __init__ method does
not have an __annotate__ attribute (likely because
init=False was used). An exception is no longer raised if
annotations are requested on the __init__ method and one of
the fields is not present in the class annotations. This
can occur in certain dynamic scenarios. Patch by Jelle
Zijlstra.
- gh-142203: Remove the debug_override parameter from
importlib.util.cache_from_source() which has been
deprecated since Python 3.5.
- gh-138122: The _remote_debugging module now implements
frame caching in the RemoteUnwinder class to reduce memory
reads when profiling remote processes. When
cache_frames=True, unchanged portions of the call stack are
reused from previous samples, significantly improving
profiling performance for deep call stacks.
- gh-116738: Fix cmath data race when initializing
trigonometric tables with subinterpreters.
- gh-141982: Allow pdb to set breakpoints on async functions
with function names.
- gh-74389: When the stdin being used by a subprocess.Popen
instance is closed, this is now ignored in
subprocess.Popen.communicate() instead of leaving the class
in an inconsistent state.
- gh-87512: Fix subprocess.Popen.communicate() timeout
handling on Windows when writing large input. Previously,
the timeout was ignored during stdin writing, causing the
method to block indefinitely if the child process did not
consume input quickly. The stdin write is now performed in
a background thread, allowing the timeout to be properly
enforced.
- gh-141939: Add color to all interpolated values in argparse
help, like %(default)s or %(choices)s. Patch by Alex
Prengère.
- gh-141473: When subprocess.Popen.communicate() was called
with input and a timeout and is called for a second time
after a TimeoutExpired exception before the process has
died, it should no longer hang.
- gh-141999: Correctly allow KeyboardInterrupt to stop the
process when using profiling.sampling.
- gh-142006: Fix a bug in the email.policy.default folding
algorithm which incorrectly resulted in a doubled newline
when a line ending at exactly max_line_length was followed
by an unfoldable token.
- gh-141968: Remove data copy from re compilation of regexes
with large charsets by using bytearray.take_bytes().
- gh-141968: Remove data copy from encodings.idna encode()
and encode() by using bytearray.take_bytes().
- gh-141968: Remove data copy from codecs punycode encoding
by using bytearray.take_bytes().
- gh-141968: Remove data copy from
wave.Wave_read.readframes() and
wave.Wave_write.writeframes() by using
bytearray.take_bytes().
- gh-141968: Remove a data copy from base64.b32decode() and
base64.b32encode() by using bytearray.take_bytes().
- gh-59000: Fix pdb breakpoint resolution for class methods
when the module defining the class is not imported.
- gh-116738: Fix thread safety issue with re scanner objects
in free-threaded builds.
- gh-138122: The profiling.sampling flamegraph profiler now
displays thread status statistics showing the percentage of
time threads spend holding the GIL, running without the
GIL, waiting for the GIL, and performing garbage
collection. These statistics help identify GIL contention
and thread behavior patterns. When filtering by thread, the
display shows per-thread metrics.
- gh-141781: Fixed an issue where pdb.line_prefix assignment
was ignored if assigned after the module was imported.
- gh-141863: Update Streams to use bytearray.take_bytes() for
a over 10% performance improvement on pyperformance
asyncio_tcp benchmark.
- gh-141817: Add socket.IPV6_HDRINCL constant.
- gh-105836: Fix asyncio.run_coroutine_threadsafe() leaving
underlying cancelled asyncio task running.
- gh-141570: Support file-like object raising OSError from
fileno() in color detection (_colorize.can_colorize()).
This can occur when sys.stdout is redirected.
- gh-141679: Add colour to defaults in argparse help. Patch
by Hugo van Kemenade.
- gh-141686: Break reference cycles created by each call to
json.dump() or json.JSONEncoder.iterencode().
- gh-141659: Fix bad file descriptor errors from
_posixsubprocess on AIX.
- gh-141645: Add a new --live mode to the tachyon profiler in
profiling.sampling module. This mode consist of a live TUI
that displays real-time profiling statistics as the target
application runs, similar to top. Patch by Pablo Galindo
- gh-141615: Check stdin instead of stdout for use_rawinput
in pdb.
- gh-69113: Fix doctest to correctly report line numbers for
doctests in __test__ dictionary when formatted as
triple-quoted strings by finding unique lines in the string
and matching them in the source file.
- gh-141600: Fix musl version detection on Void Linux.
- gh-48752: Add readline.get_pre_input_hook() function to
retrieve the current pre-input hook. This allows
applications to save and restore the hook without
overwriting user settings. Patch by Sanyam Khurana.
- gh-141565: Add async-aware profiling to the Tachyon
sampling profiler. The profiler now reconstructs and
displays async task hierarchies in flamegraphs, making the
output more actionable for users. Patch by Savannah
Ostrowski and Pablo Galindo Salgado.
- gh-60107: Remove a copy from io.RawIOBase.read(). If the
underlying I/O class keeps a reference to the mutable
memory, raise a BufferError.
- gh-116738: Make csv module thread-safe on the free threaded
build.
- gh-140911: collections: Ensure that the methods
UserString.rindex() and UserString.index() accept
collections.UserString instances as the sub argument.
- gh-140875: Fix handling of unclosed character references
(named and numerical) followed by the end of file in
html.parser.HTMLParser with convert_charrefs=False.
- gh-140677: Add heatmap visualization mode to the Tachyon
sampling profiler. The new --heatmap output format provides
a line-by-line view showing execution intensity with
color-coded samples, inline statistics, and interactive
call graph navigation between callers and callees.
- gh-139946: Distinguish stdout and stderr when colorizing
output in argparse module.
- gh-76007: pydoc: Fix DeprecationWarning being raised when
generating doc for stdlib modules.
- gh-139686: Make importlib.reload no-op for lazy modules.
- gh-138697: Fix inferring dest from a single-dash long
option in argparse. If a short option and a single-dash
long option are passed to add_argument(), dest is now
inferred from the single-dash long option.
- gh-138525: Add support for single-dash long options and
alternate prefix characters in
argparse.BooleanOptionalAction.
- gh-79986: Add parsing for References and In-Reply-To
headers to the email library that parses the header content
as lists of message id tokens. This prevents them from
being folded incorrectly.
- gh-135559: Flag: a dir() on a Flag enumeration now shows
non-canonical members. (i.e. aliases).
- gh-134453: Fixed subprocess.Popen.communicate() input=
handling of memoryview instances that were non-byte shaped
on POSIX platforms. Those are now properly cast to a byte
shaped view instead of truncating the input. Windows
platforms did not have this bug.
- gh-127930: Add __all__ to tkinter.simpledialog.
- gh-115952: Fix a potential memory denial of service in the
pickle module. When reading a pickled data received from
untrusted source, it could cause an arbitrary amount of
memory to be allocated, even if the code that is allowed to
execute is restricted by overriding the find_class()
method. This could have led to symptoms including
a MemoryError, swapping, out of memory (OOM) killed
processes or containers, or even system crashes. bpo-40350:
Fix support for namespace packages in modulefinder.
- Documentation
- gh-141994: xml.sax.handler: Make Documentation of
xml.sax.handler.feature_external_ges warn of opening up to
external entity attacks. Patch by Sebastian Pipping.
- Core and Builtins
- gh-134584: Eliminate redundant refcounting from
_STORE_ATTR_INSTANCE_VALUE.
- gh-142718: JIT: Fix segfault caused by not flushing the
stack to memory at side exits.
- gh-142737: Tracebacks will be displayed in fallback mode
even if io.open() is lost. Previously, this would crash the
interpreter. Patch by Bartosz Sławecki.
- gh-116738: Make the attributes in bz2 thread-safe on the
free threaded build.
- gh-134584: Eliminate redundant refcounting from
_CALL_LIST_APPEND.
- gh-142554: Fix a crash in divmod() when
_pylong.int_divmod() does not return a tuple of length two
exactly. Patch by Bénédikt Tran.
- gh-142531: Fix a free-threaded GC performance regression.
If there are many untracked tuples, the GC will run too
often, resulting in poor performance. The fix is to include
untracked tuples in the “long lived” object count. The
number of frozen objects is also now included since the
free-threaded GC must scan those too.
- gh-142402: Fix reference counting when adjacent literal
parts are merged while constructing
string.templatelib.Template, preventing the displaced
string object from leaking.
- gh-116738: Make the attributes in zlib thread-safe on the
free threaded build.
- gh-142343: Fix SIGILL crash on m68k due to incorrect
assembly constraint.
- gh-142236: Improve the “Perhaps you forgot a comma?” syntax
error for multi-line string concatenations to point to the
last string instead of the first, making it easier to
locate where the comma is missing. Patch by Pablo Galindo.
- gh-142236: Fix incorrect keyword suggestions for syntax
errors in traceback. The keyword typo suggestion mechanism
would incorrectly suggest replacements when the extracted
source code was incomplete rather than containing an actual
typo. Patch by Pablo Galindo.
- gh-142305: Decrease the size of the generated stencils and
the runtime JIT code. Patch by Diego Russo.
- gh-135379: Implement a limited form of register allocation
known as “top of stack caching” in the JIT. It works by
keeping 0-3 of the top items in the stack in registers. The
code generator generates multiple versions of those uops
that do not escape and are relatively small. During JIT
compilation, the copy that produces the least memory
traffic is selected, spilling or reloading values when
needed.
- gh-142276: Fix missing type watcher when promoting
attribute loads to constants in the JIT. Patch by Ken Jin.
Reproducer by Yuancheng Jiang.
- gh-142218: Fix crash when inserting into a split table
dictionary with a non str key that matches an existing key.
- gh-141976: Check against abstract stack overflow in the JIT
optimizer.
- gh-97850: Remove all *.load_module() usage and definitions
from the import system and importlib. The method has been
deprecated in favor of importlib.abc.Loader.exec_module()
since Python 3.4.
- gh-142048: Fix quadratically increasing garbage collection
delays in free-threaded build.
- gh-65961: Stop setting __cached__ on modules.
- gh-141770: Annotate anonymous mmap usage only when
supported by the Linux kernel and if -X dev is used or
Python is built in debug mode. Patch by Donghee Na.
- gh-142029: Raise ModuleNotFoundError instead of crashing
when a nonexistent module is used as a name in
_imp.create_builtin().
- gh-142029: Raise ValueError instead of crashing when empty
string is used as a name in _imp.create_builtin().
- gh-141976: Protect against specialization failures in the
tracing JIT compiler for performance reasons.
- gh-141861: Fix invalid memory read in the ENTER_EXECUTOR
instruction.
- gh-141930: When importing a module, use Pythons regular
file object to ensure that writes to .pyc files are
complete or an appropriate error is raised.
- gh-138122: Add incomplete sample detection to prevent
corrupted profiling data. Each thread state now contains an
embedded base frame (sentinel at the bottom of the frame
stack) with owner type FRAME_OWNED_BY_INTERPRETER. The
profiler validates that stack unwinding terminates at this
sentinel frame. Samples that fail to reach the base frame
(due to race conditions, memory corruption, or other
errors) are now rejected rather than being included as
spurious data.
- gh-120158: Fix inconsistent state when enabling or
disabling monitoring events too many times.
- gh-140638: Expose a "candidates" stat in gc.get_stats() and
gc.callbacks.
- gh-141780: Fix Py_mod_gil with API added in PEP 793:
PyModule_FromSlotsAndSpec() and PyModExport hooks
- gh-141732: Ensure the __repr__() for ExceptionGroup and
BaseExceptionGroup does not change when the exception
sequence that was original passed in to its constructor is
subsequently mutated.
- gh-140638: Expose a "duration" stat in gc.get_stats() and
gc.callbacks.
- gh-139653: Only raise a RecursionError or trigger a fatal
error if the stack pointer is both below the limit pointer
and above the stack base. If outside of these bounds assume
that it is OK. This prevents false positives when
user-space threads swap stacks.
- gh-41779: Allowed defining the __dict__ and __weakref__
__slots__ for any class.
- gh-139103: Improve multithreaded scaling of dataclasses on
the free-threaded build.
- gh-141589: Change backoff counter to use prime numbers
instead of powers of 2. Use only 3 bits for counter and 13
bits for value. This allows to support values up to 8191.
Patch by Mikhail Efimov.
- gh-137007: Fix a bug during JIT compilation failure which
caused garbage collection debug assertions to fail.
- gh-132657: For the free-threaded build, avoid locking the
set object for the __contains__ method.
- gh-134584: Eliminate redundant refcounting from
_CALL_STR_1.
- gh-134584: Eliminate redundant refcounting from
_CALL_BUILTIN_O.
- gh-134584: Eliminate redundant refcounting from
_CALL_TUPLE_1. Patch by Noam Cohen
- C API
- gh-142589: Fix
PyUnstable_Object_IsUniqueReferencedTemporary() handling of
tagged ints on the interpreter stack.
- gh-142571: PyUnstable_CopyPerfMapFile() now checks that
opening the file succeeded before flushing.
- gh-142225: Fixed the PyABIInfo_VAR macro.
- gh-141049: _PyObject_CallMethodId(), _PyObject_GetAttrId()
and _PyUnicode_FromId() are deprecated since 3.15 and will
be removed in 3.20. Instead, use
PyUnicode_InternFromString() and cache the result in the
module state, then call PyObject_CallMethod() or
PyObject_GetAttr(). Patch by Victor Stinner.
- gh-142163: Fix the HAVE_THREAD_LOCAL macro being defined
without the Py_BUILD_CORE macro set after including
Python.h.
- gh-137422: Fix free threading race condition in
PyImport_AddModuleRef(). It was previously possible for two
calls to the function return two different objects, only
one of which was stored in sys.modules.
- gh-141726: Add PyDict_SetDefaultRef() to the Stable ABI.
- gh-140042: Removed the sqlite3_shutdown call that could
cause closing connections for sqlite when used with
multiple sub interpreters.
- gh-141070: Add PyUnstable_Object_Dump() to dump an object
to stderr. It should only be used for debugging. Patch by
Victor Stinner.
- gh-139165: Expose the functions Py_SIZE(), Py_IS_TYPE() and
Py_SET_SIZE() in the Stable ABI.
- Build
- gh-131372: Add LDVERSION and EXE to the base_interpreter
value of build-details.json.
- gh-142454: When calculating the digest of the JIT stencils
input, sort the hashed files by filenames before adding
their content to the hasher. This ensures deterministic
hash input and hence deterministic hash, independent of
filesystem order.
- gh-131372: build-details.py will only be installed as part
of the main install (make install). make altinstall will no
longer include it.
- gh-142234: Allow --enable-wasm-dynamic-linking for WASI.
While CPython doesn't directly support it,
external/downstream users do not have to patch in support
for the flag.
- gh-142050: Fixed a bug where JIT stencils produced on
Windows contained debug data. Patch by Chris Eibl.
- gh-141808: Do not generate the jit stencils twice in case
of PGO builds on Windows.
- gh-141926: RUNSHARED is no longer cleared when
cross-compiling. Previously, RUNSHARED was cleared when
cross-compiling, which breaks PGO when using
--enable-shared on systems where the cross-compiled
CPython is otherwise executable (e.g., via transparent
emulation).
- gh-141808: When running make clean-retain-profile, keep the
generated JIT stencils. That way, the stencils are not
generated twice when Profile-guided optimization (PGO) is
used. It also allows distributors to supply their own
pre-built JIT stencils.
- gh-141784: Fix _remote_debugging_module.c compilation on
32-bit Linux. Include Python.h before system headers to
make sure that _remote_debugging_module.c uses the same
types (ABI) as Python. Patch by Victor Stinner.
- gh-141172: Update to WASI SDK 29.
- gh-139707: Add configure option
--with-missing-stdlib-config=FILE, which allows distributors
to pass a JSON configuration file containing custom error
messages for missing standard library modules.
- gh-108819: Honor --with-platlibdir in the pure-Python
standard library installation path, if PLATLIBDIR doesn't
match the value used in LIBDIR.
- Tests
- gh-140381: Fix flaky test_profiling tests on i686 and s390x
architectures by increasing slow_fibonacci call frequency
from every 5th iteration to every 2nd iteration.
- gh-140210: Make
test_sysconfig.test_parse_makefile_renamed_vars less
fragile by clearing the environment variables before
parsing the Makefile.
-------------------------------------------------------------------
Wed Dec 10 03:48:24 UTC 2025 - Steve Kowalik <steven.kowalik@suse.com>

@@ -162,8 +162,8 @@
# _md5.cpython-38m-x86_64-linux-gnu.so
%define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
Name: %{python_pkg_name}%{psuffix}
Version: 3.15.0~a2
%define tarversion 3.15.0a2
Version: 3.15.0~a3
%define tarversion 3.15.0a3
%define tarname Python-%{tarversion}
Release: 0
Summary: Python 3 Interpreter
@@ -224,9 +224,6 @@ Patch40: fix-test-recursion-limit-15.6.patch
Patch41: bsc1243155-sphinx-non-determinism.patch
# PATCH-FIX-OPENSUSE gh139257-Support-docutils-0.22.patch gh#python/cpython#139257 daniel.garcia@suse.com
Patch42: gh139257-Support-docutils-0.22.patch
# PATCH-FIX-UPSTREAM CVE-2025-13836-http-resp-cont-len.patch bsc#1254400 mcepl@suse.com
# Avoid loading possibly compromised length of HTTP response
Patch43: CVE-2025-13836-http-resp-cont-len.patch
#### Python 3.15 DEVELOPMENT PATCHES
BuildRequires: autoconf-archive
BuildRequires: automake
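Review bot: the removal of Patch43 (the three CVE-2025-13836-http-resp-cont-len.patch lines, going by the hunk header shrinking from 9 to 6 lines) should be recorded explicitly in the .changes entry, naming the patch file and stating that it is included upstream. The 3.15.0~a3 changelog does list gh-119451 with CVE-2025-13836 and bsc#1254400, which justifies dropping it, but without a "remove ... patch" line the link between the downstream fix and the upstream one is only implicit. Also confirm that the patch file itself is deleted from the package sources and that nothing in %prep still refers to patch 43; neither is visible in this hunk.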
@@ -577,7 +574,7 @@ export SUSE_VERSION="0%{?suse_version}"
export SLE_VERSION="0%{?sle_version}"
%if %{with doc}
TODAY_DATE=`date -r %{SOURCE0} "+%%B %%d, %%Y"`
TODAY_DATE=`date -r %{SOURCE0} "+%B %d, %Y"`
# TODO use not date of tarball but date of latest patch
cd Doc
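Review bot: on the TODAY_DATE line the format string loses its %% escaping ("+%%B %%d, %%Y" becomes "+%B %d, %Y", assuming the second of the two lines is the added one), and that looks unintended. In a spec file %% is the escape for a literal percent sign; the unescaped form only works as long as rpm leaves %B, %d and %Y unexpanded because no macro with those names is defined. If the change is deliberate, the changelog should say why; otherwise keep the escaped form. Separately, %B produces a locale-dependent month name, so running date under LC_ALL=C would keep the generated documentation date identical across build hosts.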