forked from pool/python315
factory
29 Commits
| Author | SHA256 | Message | Date | |
|---|---|---|---|---|
|
f235122969
|
Skip test.test_buffer.TestBufferProtocol.test_array_alignment
Add skip-test_array_alignment.patch skipping failing test test.test_buffer.TestBufferProtocol.test_array_alignment (gh#python/cpython#144725). |
|||
|
6e06723682
|
Update to 3.15.0a6:
- Tests
- gh-144415: The Android testbed now distinguishes between
stdout/stderr messages which were triggered by a newline,
and those triggered by a manual call to flush. This fixes
logging of progress indicators and similar content.
- gh-65784: Add support for parametrized resource wantobjects
in regrtests, which allows to run Tkinter tests with the
specified value of tkinter.wantobjects, for example -u
wantobjects=0.
- Security
- CVE-2024-6923: BytesGenerator will now refuse to serialize
(write) headers that are unsafely folded or delimited; see
verify_generated_headers. (Contributed by Bas Bloemsaat and
Petr Viktorin in gh-121650). (bsc#1228780, gh-144125)
- CVE-2025-11468: Fixed a bug in the folding of comments when
flattening an email message using a modern email policy.
Comments consisting of a very long sequence of non-foldable
characters could trigger a forced line wrap that omitted
the required leading space on the continuation line,
causing the remainder of the comment to be interpreted as
a new header field. This enabled header injection with
carefully crafted inputs. (bsc#1257029, gh-143935)
- CVE-2025-15282: Reject control characters in data: URL
media types. (bsc#1257046, gh-143925)
- CVE-2025-15367: Reject control characters in POP3 commands.
(bsc#1257041, gh-143923)
- CVE-2025-15366: Reject control characters in IMAP commands.
(bsc#1257044, gh-143921)
- CVE-2026-0672: Reject control characters in
http.cookies.Morsel fields and values. (bsc#1257031,
gh-143919)
- CVE-2026-0865: Reject C0 control characters within
wsgiref.headers.Headers fields, values, and parameters.
(bsc#1257042, gh-143916)
- Library
- gh-144538: Bump the version of pip bundled in ensurepip to
version 26.0.1
- gh-144493: Improve an exception error message in
_overlapped.BindLocal() that is raised when
asyncio.loop.sock_connect() is called on
an asyncio.ProactorEventLoop with a socket that has an
invalid address family.
- gh-144386: Add support for arbitrary descriptors
__enter__(), __exit__(), __aenter__(), and __aexit__() in
contextlib.ExitStack and contextlib.AsyncExitStack, for
consistency with the with and async with statements.
- gh-123471: Make concurrent iteration over
itertools.combinations_with_replacement and
itertools.permutations safe under free-threading.
- gh-74453: Deprecate os.path.commonprefix() in favor of
os.path.commonpath() for path segment prefixes.
- The os.path.commonprefix() function is being deprecated due
to having a misleading name and module. The function is not
safe to use for path prefixes despite being included in
a module about path manipulation, meaning it is easy to
accidentally introduce path traversal vulnerabilities into
Python programs by using this function.
- gh-144380: Improve performance of io.BufferedReader line
iteration by ~49%.
- gh-144363: Update bundled libexpat to 2.7.4
- gh-140824: When faulthandler dumps the list of third-party
extension modules, ignore sub-modules of stdlib packages.
Patch by Victor Stinner.
- gh-144206: Improve error messages for buffer overflow in
fcntl.fcntl() and fcntl.ioctl().
- gh-144264: Speed up Base64 decoding of data containing
ignored characters (both in non-strict mode and with an
explicit ignorechars argument). It is now up to 2 times
faster for multiline Base64 data.
- gh-144249: Add filename context to OSError exceptions
raised by ssl.SSLContext.load_cert_chain(), allowing users
to have more context.
- gh-132888: Fix incorrect use of ctypes.GetLastError() and
add missing error checks for Windows API calls in
_pyrepl.windows_console.
- gh-142956: Updated tomllib to parse TOML 1.1.0.
- gh-144217: mimetypes: Add support for DICOM files (for
medical imaging) with the official MIME type
application/dicom. Patch by Benedikt Johannes.
- gh-144212: Mime type image/jxl is now supported by
mimetypes.
- gh-143594: Add symtable.Function.get_cells() and
symtable.Symbol.is_cell() methods.
- gh-144169: Fix three crashes when non-string keyword
arguments are supplied to objects in the ast module.
- gh-144128: Fix a crash in array.array.fromlist() when an
element’s __index__() method mutates the input list during
conversion.
- gh-144100: Fixed a crash in ctypes when using a deprecated
POINTER(str) type in argtypes. Instead of aborting, ctypes
now raises a proper Python exception when the pointer
target type is unresolved.
- gh-143658: importlib.metadata: Use str.lower() and
str.replace() to further improve performance of
importlib.metadata.Prepared.normalize(). Patch by Hugo van
Kemenade and Henry Schreiner.
- gh-144050: Fix stat.filemode() in the pure-Python
implementation to avoid misclassifying invalid mode values
as block devices.
- gh-83069: subprocess.Popen.wait(): when timeout is not
None, an efficient event-driven mechanism now waits for
process termination, if available. Linux >= 5.3 uses
os.pidfd_open() + select.poll(). macOS and other BSD
variants use select.kqueue() + KQ_FILTER_PROC
+ KQ_NOTE_EXIT. Windows keeps using WaitForSingleObject
(unchanged). If none of these mechanisms are available, the
function falls back to the traditional busy loop
(non-blocking call and short sleeps). Patch by Giampaolo
Rodola.
- gh-144030: The Python implementation of
functools.lru_cache() differed from the default
C implementation in that it did not check that its argument
is callable. This discrepancy is now fixed and both raise
a TypeError.
- gh-144001: Added the ignorechars parameter in
binascii.a2b_base64() and base64.b64decode().
- gh-144023: Fixed validation of file descriptor 0 in posix
functions when used with follow_symlinks parameter.
- gh-143999: Fix an issue where inspect.getgeneratorstate()
and inspect.getcoroutinestate() could fail for generators
wrapped by types.coroutine() in the suspended state.
- gh-143952: Fixed asyncio debugging tools to work with new
remote debugging API. Patch by Bartosz Sławecki.
- gh-143904: struct.pack_into() now raises OverflowError
instead of IndexError for too large offset argument.
- gh-143897: Remove the isxidstart() and isxidcontinue()
methods of unicodedata.ucd_3_2_0. They are now only exposed
as unicodedata.isxidstart() and
unicodedata.isxidcontinue().
- gh-143831: annotationlib.ForwardRef objects are now
hashable when created from annotation scopes with closures.
Previously, hashing such objects would throw an exception.
Patch by Bartosz Sławecki.
- gh-143874: Fixed a bug in pdb where expression results were
not sent back to remote client.
- gh-143754: Add new tkinter widget methods pack_content(),
place_content() and grid_content() which are alternative
spelling of old *_slaves() methods.
- gh-143756: Fix potential thread safety issues in ssl
module.
- gh-132604: Previously, Protocol classes that were not
decorated with @typing.runtime_checkable, but that
inherited from another Protocol class that did have this
decorator, could be used in isinstance() and issubclass()
checks. This behavior is now deprecated and such checks
will throw a TypeError in Python 3.20. Patch by Bartosz
Sławecki.
- gh-143543: Fix a crash in itertools.groupby that could
occur when a user-defined __eq__() method re-enters the
iterator during key comparison.
- gh-143689: Fix io.BufferedReader.read1() state cleanup on
buffer allocation failure.
- gh-143602: Fix an inconsistency issue in write() that leads
to unexpected buffer overwrite by deduplicating the buffer
exports.
- gh-142434: Use ppoll() if available in select.poll() to
have a timeout resolution of 1 nanosecond, instead of
a resolution of 1 ms. Patch by Victor Stinner.
- gh-140557: array.array buffers now have the same alignment
when empty as when allocated. Unaligned buffers can still
be created by slicing.
- gh-143423: Fix free-threaded build detection in the
sampling profiler when Py_GIL_DISABLED is set to 0.
- gh-101178: Add Ascii85, Base85, and Z85 support to binascii
and improve the performance of the base-85 converters in
base64.
- gh-142966: Fix ctypes.POINTER.set_type() not updating the
format string to match the type.
- gh-142555: array: fix a crash in a[i] = v when converting
i to an index via i.__index__ or i.__float__ mutates the
array.
- gh-142438: Fix _decimal builds configured with
EXTRA_FUNCTIONALITY by correcting the Context.apply wrapper
to pass the right argument.
- gh-141860: Add an on_error keyword-only parameter to
multiprocessing.set_forkserver_preload() to control how
import failures during module preloading are handled.
Accepts 'ignore' (default, silent), 'warn' (emit
ImportWarning), or 'fail' (raise exception). Contributed by
Nick Neumann and Gregory P. Smith.
- CVE-2025-12781: Accepting + and / characters with an
alternative alphabet in base64.b64decode() and
base64.urlsafe_b64decode() is now deprecated. In future
Python versions they will be errors in the strict mode and
discarded in the non-strict mode. (bsc#1257108, gh-125346)
- gh-140715: Add '%F' support to strptime().
- gh-67041: Add the missing_as_none parameter to urlparse(),
urlsplit() and urldefrag() functions. Add the keep_empty
parameter to urlunparse() and urlunsplit() functions. This
allows to distinguish between empty and not defined URI
components and preserve empty components.
- gh-77188: The pickle module now properly handles
name-mangled private methods.
- IDLE
- gh-143774: Better explain the operation of Format / Format
Paragraph.
- Core and Builtins
- gh-134584: Optimize and eliminate ref-counting in
_BINARY_OP_SUBSCR_LIST_SLICE
- gh-144563: Fix interaction of the Tachyon profiler and
ctypes and other modules that load the Python shared
library (if present) in an independent map as this was
causing the mechanism that loads the binary information to
be confused. Patch by Pablo Galindo
- gh-144601: Fix crash when importing a module whose PyInit
function raises an exception from a subinterpreter.
- gh-144549: Fix building the tail calling interpreter on
Visual Studio 2026 with free-threading.
- gh-144513: Fix potential deadlock when using critical
sections during stop-the-world pauses in the free-threaded
build.
- gh-131798: Optimise _GUARD_TOS_SLICE in the JIT.
- gh-144330: Move classmethod and staticmethod initialization
from __init__() to __new__(). Patch by Victor Stinner.
- gh-144446: Fix data races in the free-threaded build when
reading frame object attributes while another thread is
executing the frame.
- gh-120321: Add gi_state, cr_state, and ag_state attributes
to generators, coroutines, and async generators that return
the current state as a string (e.g., GEN_RUNNING). The
inspect module functions getgeneratorstate(),
getcoroutinestate(), and getasyncgenstate() now return
these attributes directly.
- gh-141563: Fix thread safety of PyDateTime_IMPORT.
- gh-144280: Fix a bug in JIT where the predicate symbol had
no truthiness
- gh-140550: In PyModuleDef.m_slots, allow slots that repeat
information present in PyModuleDef.
- gh-139103: Improve scaling of namedtuple() instantiation in
the free-threaded build.
- gh-144307: Prevent a reference leak in module teardown at
interpreter finalization.
- gh-144319: Add huge pages support for the pymalloc
allocator. Patch by Pablo Galindo
- gh-120321: Made gi_yieldfrom thread-safe in the
free-threading build by using a lightweight lock on the
frame state.
- gh-144194: Fix error handling in perf jitdump
initialization on memory allocation failure.
- gh-143962: Name suggestion for not normalized name suggests
now the normalized name or the closest name to the
normalized name. If the suggested name is not ASCII,
include also its ASCII representation.
- gh-144157: bytes.translate() now allows the compiler to
unroll its loop more usefully for a 2x speedup in the
common no-deletions specified case.
- gh-144068: Fix JIT tracer memory leak, ensure the JIT
tracer state is freed when daemon threads are cleaned up
during interpreter shutdown.
- gh-144012: Check if the result is NULL in BINARY_OP_EXTENT
opcode.
- gh-144007: Eliminate redundant refcounting in the JIT for
BINARY_OP.
- gh-144005: Eliminate redundant refcounting from
BINARY_OP_EXTEND.
- gh-143939: Fix erroneous “cannot reuse already awaited
coroutine” error that could occur when a generator was run
during the process of clearing a coroutine’s frame.
- gh-141805: Fix crash in set when objects with the same hash
are concurrently added to the set after removing an element
with the same hash while the set still contains elements
with the same hash.
- gh-143670: Fixes a crash in ga_repr_items_list function.
- gh-143650: Fix race condition in importlib where a thread
could receive a stale module reference when another
thread’s import fails.
- gh-143569: Generator expressions in 3.15 now conform to the
documented behavior when the iterable does not support
iteration. This matches the behavior in 3.14 and earlier
- gh-143192: Improve performance of bitwise operations on
multi-digit ints.
- gh-132657: If we are specializing to LOAD_GLOBAL_MODULE or
LOAD_ATTR_MODULE, try to enable deferred reference counting
for the value, if the object is owned by a different
thread. This applies to the free-threaded build only and
should improve scaling of multi-threaded programs. Note
that when deferred reference counting is enabled, the
object will be deallocated by the GC, rather than by
Py_DECREF().
- gh-143055: Implement PEP 798 (Unpacking in Comprehensions).
Patch by Adam Hartz.
- gh-142037: Improve error messages for printf-style
formatting. For errors in the format string, always include
the position of the start of the format unit. For errors
related to the formatted arguments, always include the
number or the name of the argument. Raise more specific
errors and include more information (type and number of
arguments, most probable causes of error).
- gh-140557: bytearray buffers now have the same alignment
when empty as when allocated. Unaligned buffers can still
be created by slicing.
- gh-140232: Frozenset objects with immutable elements are no
longer tracked by the garbage collector.
- gh-115231: Setup __module__ attribute for built-in static
methods. Patch by Sergey B Kirpichev.
- C API
- gh-143869: Added PyLong_GetNativeLayout(), PyLongLayout,
PyLongExport, PyLong_Export(), PyLong_FreeExport(),
PyLongWriter, PyLongWriter_Create(), PyLongWriter_Finish()
and PyLongWriter_Discard() to the limited API.
- gh-141070: Renamed PyUnstable_Object_Dump() to
PyObject_Dump().
- Build
- gh-140421: Disable the perf trampoline on older macOS
versions where it cannot be built.
- gh-144309: Build Python with POSIX 2024, instead of POSIX
2008. Patch by Victor Stinner.
- gh-144278: Enables defining the _PY_IMPL_NAME and
_PY_IMPL_CACHE_TAG preprocessor definitions to override
sys.implementation at build time. Definitions need to
include quotes when setting to a string literal. Setting
the cache tag to NULL has the effect of completely
disabling automatic creation and use of .pyc files.
- gh-143960: Add support for OpenSSL 3.6, drop EOL 3.2. Patch
by Hugo van Kemenade.
- gh-143941: Move WASI-related files to Platforms/WASI. Along
the way, leave a deprecated Tools/wasm/wasi/__main__.py
behind for backwards-compatibility.
- gh-143842: Prevent static builds from clashing with curses
by making the optimizer COLORS table static.
Remove upstreamed patches:
- CVE-2024-6923-follow-up-EOL-email-headers.patch
- CVE-2025-11468-email-hdr-fold-comment.patch
- CVE-2025-12781-b64decode-alt-chars.patch
- CVE-2025-15282-urllib-ctrl-chars.patch
- CVE-2025-15366-imap-ctrl-chars.patch
- CVE-2025-15367-poplib-ctrl-chars.patch
- CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch
- CVE-2026-0865-wsgiref-ctrl-chars.patch
|
|||
|
9205d3700f
|
Update to 3.15.0a5:
- Tools/Demos
- gh-142095: Make gdb ‘py-bt’ command use frame from thread
local state when available. Patch by Sam Gross and Victor
Stinner.
- Tests
- gh-143460: Skip tests relying on infinite recursion if stack
size is unlimited.
- gh-143553: Add support for parametrized resources, such as
-u xpickle=2.7.
- bpo-31391: Forward-port test_xpickle from Python 2 to
Python 3 and add the resource back to test’s command line.
- Library
- gh-143706: Fix multiprocessing forkserver so that sys.argv
is correctly set before __main__ is preloaded. Previously,
sys.argv was empty during main module import in forkserver
child processes. This fixes a regression introduced in
3.13.8 and 3.14.1. Root caused by Aaron Wieczorek, test
provided by Thomas Watson, thanks!
- gh-143638: Forbid reentrant calls of the pickle.Pickler and
pickle.Unpickler methods for the C implementation.
Previously, this could cause crash or data corruption, now
concurrent calls of methods of the same object raise
RuntimeError.
- gh-143658: importlib.metadata: Use str.translate() to
improve performance of
importlib.metadata.Prepared.normalize(). Patch by Hugo van
Kemenade and Henry Schreiner.
- gh-78724: Raise RuntimeError’s when user attempts to call
methods on half-initialized Struct objects, for example,
created by Struct.__new__(Struct). Patch by Sergey
B Kirpichev.
- gh-143196: Fix crash when the internal encoder object
returned by undocumented function
json.encoder.c_make_encoder() was called with non-zero
second (_current_indent_level) argument.
- gh-143191: _thread.stack_size() now raises ValueError if
the stack size is too small. Patch by Victor Stinner.
- gh-143547: Fix sys.unraisablehook() when the hook raises an
exception and changes sys.unraisablehook(): hold a strong
reference to the old hook. Patch by Victor Stinner.
- gh-139686: Revert 0a97941245f1dda6d838f9aaf0512104e5253929
and 57db12514ac686f0a752ec8fe1c08b6daa0c6219 which made
importlib.reload a no-op for lazy modules; caused Buildbot
failures.
- gh-143517: annotationlib.get_annotations() no longer raises
a SyntaxError when evaluating a stringified starred
annotation that starts with one or more whitespace
characters followed by a *. Patch by Bartosz Sławecki.
- gh-143474: Add os.RWF_ATOMIC constant for Linux 6.11+.
- gh-143445: Speed up copy.deepcopy() by 1.04x.
- gh-143378: Fix use-after-free crashes when a BytesIO object
is concurrently mutated during write() or writelines().
- gh-143368: Fix endless retry loop in profiling.sampling
blocking mode when threads cannot be seized due to EPERM.
Such threads are now skipped instead of causing repeated
error messages. Patch by Pablo Galindo.
- gh-143346: Fix incorrect wrapping of the Base64 data in
plistlib._PlistWriter when the indent contains a mix of
tabs and spaces.
- gh-140025: queue: Fix SimpleQueue.__sizeof__() computation.
- gh-143310: tkinter: fix a crash when a Python list is
mutated during the conversion to a Tcl object (e.g., when
setting a Tcl variable). Patch by Bénédikt Tran.
- gh-143309: Fix a crash in os.execve() on non-Windows
platforms when given a custom environment mapping which is
then mutated during parsing. Patch by Bénédikt Tran.
- gh-143308: pickle: fix use-after-free crashes when
a PickleBuffer is concurrently mutated by a custom buffer
callback during pickling. Patch by Bénédikt Tran and Aaron
Wieczorek.
- gh-142939: Performance optimisations for
difflib.get_close_matches()
- gh-124951: The base64 implementation behind the binascii,
base64, and related codec has been optimized for modern
pipelined CPU architectures and now performs 2-3x faster
across all platforms.
- gh-143237: Fix support of named pipes in the rotating
logging handlers.
- gh-143249: Fix possible buffer leaks in Windows overlapped
I/O on error handling.
- gh-143241: zoneinfo: fix infinite loop in
ZoneInfo.from_file when parsing a malformed TZif file.
Patch by Fatih Celik.
- gh-142830: sqlite3: fix use-after-free crashes when the
connection’s callbacks are mutated during a callback
execution. Patch by Bénédikt Tran.
- gh-143200: xml.etree.ElementTree: fix use-after-free
crashes in __getitem__() and __setitem__() methods of
Element when the element is concurrently mutated. Patch by
Bénédikt Tran.
- gh-143214: Add the wrapcol parameter in
binascii.b2a_base64() and base64.b64encode().
- gh-142195: Updated timeout evaluation logic in subprocess
to be compatible with deterministic environments like
Shadow where time moves exactly as requested.
- gh-140739: Fix several crashes due to reading invalid
memory in the new Tachyon sampling profiler. Patch by Pablo
Galindo.
- gh-142164: Fix the ctypes bitfield overflow error message
to report the correct offset and size calculation.
- gh-143145: Fixed a possible reference leak in ctypes when
constructing results with multiple output parameters on
error.
- gh-143103: Add padding support to base64.z85encode() via
the pad parameter.
- gh-130796: Undeprecate the locale.getdefaultlocale()
function. Patch by Victor Stinner.
- gh-74902: Add the iter_graphemes() function in the
unicodedata module to iterate over grapheme clusters
according to rules defined in Unicode Standard Annex #29,
“Unicode Text Segmentation”. Add grapheme_cluster_break(),
indic_conjunct_break() and extended_pictographic()
functions to get the properties of the character which are
related to the above algorithm.
- gh-143004: Fix a potential use-after-free in
collections.Counter.update() when user code mutates the
Counter during an update.
- gh-140648: The asyncio REPL now respects the -I flag
(isolated mode). Previously, it would load and execute
PYTHONSTARTUP even if the flag was set. Contributed by
Bartosz Sławecki.
- gh-142991: Fixed socket operations such as recvfrom() and
sendto() for FreeBSD divert(4) socket.
- gh-116738: Make the attributes in lzma thread-safe on the
free threaded build.
- gh-142950: Fix regression in argparse where format
specifiers in help strings raised ValueError.
- gh-142881: Fix concurrent and reentrant call of
atexit.unregister().
- gh-142615: Fix possible crashes when initializing
asyncio.Task or asyncio.Future multiple times. These
classes can now be initialized only once and any subsequent
initialization attempt will raise a RuntimeError. Patch by
Kumar Aditya.
- gh-142517: The non-compat32 email policies now correctly
handle refolding encoded words that contain bytes that can
not be decoded in their specified character set. Previously
this resulted in an encoding exception during folding.
- gh-138122: The Tachyon profiler’s live TUI now integrates
with the experimental _colorize theming system. Users can
customize colors via _colorize.set_theme() (experimental
API, subject to change). A LiveProfilerLight theme is
provided for light terminal backgrounds. Patch by Pablo
Galindo.
- gh-142306: Improve errors for Element.remove.
- gh-63016: Add a flags parameter to mmap.mmap.flush() to
control synchronization behavior.
- gh-139262: Some keystrokes can be swallowed in the new
PyREPL on Windows, especially when used together with the
ALT key. Fix by Chris Eibl.
- gh-138897: Improved license/copyright/credits display in
the REPL: now uses a pager.
- gh-135852: Add _winapi.RegisterEventSource(),
_winapi.DeregisterEventSource() and _winapi.ReportEvent().
Using these functions in NTEventLogHandler to replace
pywin32.
- gh-109263: Starting a process from spawn context in
multiprocessing no longer sets the start method globally.
- gh-132715: Skip writing objects during marshalling once
a failure has occurred.
- Documentation
- gh-140806: Add documentation for enum.bin().
- Core and Builtins
- gh-134584: Eliminate redundant refcounting from
_CONTAINS_OP, _CONTAINS_OP_SET and _CONTAINS_OP_DICT.
- gh-143604: Fix a reference counting issue in the JIT tracer
where the current executor could be prematurely freed
during tracing.
- gh-143469: Enable LOAD_ATTR_MODULE specialization even if
__getattr__() is defined in module.
- gh-134584: Eliminate redundant refcounting from
TO_BOOL_STR.
- gh-143377: Fix a crash in _interpreters.capture_exception()
when the exception is incorrectly formatted. Patch by
Bénédikt Tran.
- gh-139757: Add BINARY_OP_SUBSCR_USTR_INT to specialize
reading an ASCII character from any string. Patch by Chris
Eibl.
- gh-141504: Factor out tracing and optimization heuristics
into a single object. Patch by Donghee Na.
- gh-142982: Specialize CALL_FUNCTION_EX for Python and
non-Python callables.
- gh-136924: The interactive help mode in the REPL no longer
incorrectly syntax highlights text input as Python code.
Contributed by Olga Matoula.
- gh-139757: Fix unintended bytecode specialization for
non-ascii string. Patch by Donghee Na, Ken Jin and Chris
Eibl.
- gh-143361: Add PY_VECTORCALL_ARGUMENTS_OFFSET to
_Py_CallBuiltinClass_StackRefSteal to avoid redundant
allocations
- gh-131798: The JIT optimizer now understands more generator
instructions.
- gh-134584: Eliminate redundant refcounting from
_LOAD_ATTR_SLOT.
- gh-143189: Fix crash when inserting a non-str key into
a split table dictionary when the key matches an existing
key in the split table but has no corresponding value in
the dict.
- gh-143228: Fix use-after-free in perf trampoline when
toggling profiling while threads are running or during
interpreter finalization with daemon threads active. The
fix uses reference counting to ensure trampolines are not
freed while any code object could still reference them.
Patch by Pablo Galindo
- gh-142664: Fix a use-after-free crash in
memoryview.__hash__ when the __hash__ method of the
referenced object mutates that object or the view. Patch by
Bénédikt Tran.
- gh-142557: Fix a use-after-free crash in bytearray.__mod__
when the bytearray is mutated while formatting the %-style
arguments. Patch by Bénédikt Tran.
- gh-143195: Fix use-after-free crashes in bytearray.hex()
and memoryview.hex() when the separator’s __len__() mutates
the original object. Patch by Bénédikt Tran.
- gh-143183: Fix a bug in the JIT when dealing with
unsupported control-flow or operations.
- gh-142975: Fix crash after unfreezing all objects tracked
by the garbage collector on the free threaded build.
- gh-143135: Set sys.flags.inspect to 1 when PYTHONINSPECT is
0. Previously, it was set to 0 in this case.
- gh-143123: Protect the JIT against recursive tracing.
- gh-143092: Fix a crash in the JIT when dealing with
list.append(x) style code.
- gh-143003: Fix an overflow of the shared empty buffer in
bytearray.extend() when __length_hint__() returns 0 for
non-empty iterator.
- gh-143006: Fix a possible assertion error when comparing
negative non-integer float and int with the same number of
bits in the integer part.
- gh-116738: Fix thread safety of contextvars.Context.run().
- gh-142829: Fix a use-after-free crash in
contextvars.Context comparison when a custom __eq__ method
modifies the context via set().
- gh-142863: Generate optimized bytecode when calling list or
set with generator expression.
- gh-41779: Allowed defining any __slots__ for a class
derived from tuple (including classes created by
collections.namedtuple()).
- gh-69605: Fix edge-cases around already imported modules in
the REPL auto-completion of imports.
- gh-138568: Adjusted the built-in help() function so that
empty inputs are ignored in interactive mode.
- gh-131798: Remove bounds check when indexing into tuples
with a constant index.
- gh-134584: Eliminate redundant refcounting from
_CALL_TYPE_1. Patch by Tomas Roun
- gh-132108: Speed up int.from_bytes() when passed object
supports buffer protocol, like bytearray by ~1.2x.
- gh-128334: Make the slice class subscriptable at runtime to
be consistent with typing implementation.
- C API
- gh-141671: PyMODINIT_FUNC (and the new PyMODEXPORT_FUNC)
now adds a linkage declaration (__declspec(dllexport)) on
Windows.
Update to 3.15.0a4:
- Tests
- gh-142836: Accommodated Solaris in
test_pdb.test_script_target_anonymous_pipe.
- Library
- gh-122431: Corrected the error message in
readline.append_history_file() to state that nelements must
be non-negative instead of positive.
- gh-143046: The asyncio REPL no longer prints copyright and
version messages in the quiet mode (-q). Patch by Bartosz
Sławecki.
- gh-80744: Fix issue where pdb would read a .pdbrc twice if
launched from the home directory
- gh-138122: Add blocking mode to Tachyon for accurate stack
traces in applications with many generators or
fast-changing call stacks. Patch by Pablo Galindo.
- gh-143010: Fixed a bug in mailbox where the precise timing
of an external event could result in the library opening an
existing file instead of a file it expected to create.
- gh-112127: Fix possible use-after-free in
atexit.unregister() when the callback is unregistered
during comparison.
- gh-138122: Fix incomplete stack traces in the Tachyon
profiler’s frame cache when profiling code with deeply
nested generators. The frame cache now validates that stack
traces reach the base frame before caching, preventing
broken flamegraphs. Patch by Pablo Galindo.
- gh-142834: Change the pdb commands command to use the last
available breakpoint instead of failing when the most
recently created breakpoint was deleted.
- gh-142783: Fix zoneinfo use-after-free with descriptor
_weak_cache. A descriptor as _weak_cache could cause
crashes during object creation. The fix ensures proper
reference counting for descriptor-provided objects.
- gh-76007: Deprecate VERSION from xml.etree.ElementTree and
version from xml.sax.expatreader and xml.sax.handler. Patch
by Hugo van Kemenade.
- gh-142784: The asyncio REPL now properly closes the loop
upon the end of interactive session. Previously, it could
cause surprising warnings. Contributed by Bartosz Sławecki.
- gh-138122: Add binary output format to profiling.sampling
for compact storage of profiling data. The new --binary
option captures samples to a file that can be converted to
other formats using the replay command. Patch by Pablo
Galindo
- gh-142495: collections.defaultdict now prioritizes
__setitem__() when inserting default values from
default_factory. This prevents race conditions where
a default value would overwrite a value set before
default_factory returns.
- gh-142654: Show the clearer error message when using
profiling.sampling on an unknown PID.
- gh-142560: Fix use-after-free in bytearray search-like
methods (find(), count(), index(), rindex(), and rfind())
by marking the storage as exported which causes
reallocation attempts to raise BufferError. For contains(),
split(), and rsplit() the buffer protocol is used for this.
- gh-142419: mmap.mmap.set_name() method added to annotate an
anonymous memory map if Linux kernel supports
PR_SET_VMA_ANON_NAME (Linux 5.17 or newer). Patch by
Donghee Na.
- gh-139971: pydoc: Ensure that the link to the online
documentation of a stdlib module is correct.
- gh-124098: Fix issue where methods in handlers that lacked
the protocol name but matched a valid base handler method
(e.g., _open() or error()) were incorrectly added to
urllib.request.OpenerDirector’s handlers. Contributed by
Andrea Mattei.
- gh-136282: Add support for UNNAMED_SECTION when creating
a section via the mapping protocol access
- Core and Builtins
- gh-143057: Avoid locking in PyTraceMalloc_Track() and
PyTraceMalloc_Untrack() when tracemalloc is not enabled.
- gh-139109: Add missing terminator in certain cases when
tracing in the new JIT compiler.
- gh-142961: Fix a segfault in the JIT when constant folding
len(tuple).
- gh-142776: Fix a file descriptor leak in import.c
- gh-139757: Fix building JIT stencils on free-threaded
builds.
- gh-129068: Make concurrent iteration over the same range
iterator thread-safe in the free threading build.
- gh-142543: Fix a stack overflow on Clang JIT build
configurations with full LTO.
- gh-142448: Fix a bug when using monitoring with the JIT.
- gh-142766: Clear the frame of a generator when
generator.close() is called.
- gh-134584: Eliminate redundant refcounting from
_LOAD_ATTR_INSTANCE_VALUE.
- gh-134584: Eliminate redundant refcounting from
_STORE_ATTR_WITH_HINT.
- gh-142476: Fix a memory leak in the experimental Tier
2 optimizer when creating executors. Patched by Shamil
Abdulaev.
- gh-100964: Fix reference cycle in exhausted generator
frames. Patch by Savannah Ostrowski.
- gh-139922: Allow building CPython with the tail calling
interpreter on Visual Studio 2026 MSVC. This provides
a performance gain over the prior interpreter for MSVC.
Patch by Ken Jin, Brandt Bucher, and Chris Eibl. With help
from the MSVC team including Hulon Jenkins.
Remove upstreamed patch:
- longer-time-test_thread_time.patch
|
|||
|
3312e86ee4
|
Fix bsc#1257041 (CVE-2025-15367)
Add CVE-2025-15367-poplib-ctrl-chars.patch fixing bsc#1257041 (CVE-2025-15367) using gh#python/cpython!143924 and doing basically the same as the previous patch for poplib library. |
|||
|
e5495e2b21
|
Fix CVE-2025-15282 (bsc#1257046)
Add CVE-2025-15282-urllib-ctrl-chars.patch fixing bsc#1257046 (CVE-2025-15282) using gh#python/cpython!143926 and doing basically the same as the previous patch for urllib library. |
|||
|
e0030de7d3
|
Fixing bsc#1257044 (CVE-2025-15366)
Add CVE-2025-15366-imap-ctrl-chars.patch fixing bsc#1257044 (CVE-2025-15366) using gh#python/cpython!143922 and doing basically the same as the previous patch for IMAP protocol. |
|||
|
372e4a409e
|
Add CVE-2026-0865-wsgiref-ctrl-chars.patch fixing bsc#1257042
(CVE-2026-0865) rejecting control characters in wsgiref.headers.Headers, which could be abused for injecting false HTTP headers. |
|||
|
63187f7b8b
|
Fixing bsc#1257108 (CVE-2025-12781)
Add CVE-2025-12781-b64decode-alt-chars.patch fixing bsc#1257108 (CVE-2025-12781) combining gh#python/cpython!141061, gh#python/cpython!141128, and gh#python/cpython!141153. All `*b64decode` functions should not accept non-altchars. |
|||
|
6995744826
|
Add CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch
Reject control characters in http cookies (bsc#1257031, CVE-2026-0672). |
|||
|
53765ad497
|
Add CVE-2025-11468-email-hdr-fold-comment.patch
Preserving parens when folding comments in email headers (bsc#1257029, CVE-2025-11468). |
|||
|
4c387b3dba
|
Add CVE-2024-6923-follow-up-EOL-email-headers.patch
It is a follow-up to the previous fix of CVE-2024-6923 further encoding EOL possibly hidden in email headers (bsc#1257181). |
|||
|
97fc2dfa82
|
doc: mention that we have already fixed also bsc#1257181 | |||
|
766a2fa6d3
|
Remodel python-3.3.0b1-fix_date_time_compiler.patch
It should be upstreamable (make it dependent on the environment variable $UNVERSIONED_COMPILER; gh#python/cpython#144121). |
|||
|
09dd0917b6
|
Replace skip-test_thread_time.patch with gh#python/cpython!143558 | |||
|
844aa52240
|
run obs-git-init | |||
|
5b4527bbb7
|
Add skip-test_thread_time.patch
Skip test.test_time.TimeTestCase.test_thread_time on s390x (gh#python/cpython#143528). |
|||
|
3a7c7aaaa8
|
Add missing changelog | |||
|
63b00a874b
|
fix: recover testing with test_curses
It seems that it was actually an ncurses bug, which should be fixed with 20251123 (so the 20251206 we have in Factory should be covered) |
|||
|
aa61ff92f2
|
Update to 3.15.0~a3
Security
- gh-142145: Remove quadratic behavior in xml.minidom node ID
cache clearing.
- gh-42400: Fix buffer overflow in _Py_wrealpath() for paths
exceeding MAXPATHLEN bytes by using dynamic memory
allocation instead of fixed-size buffer. Patch by Shamil
Abdulaev.
- gh-119451: Fix a potential memory denial of service in the
http.client module. When connecting to a malicious server,
it could cause an arbitrary amount of memory to be
allocated. This could have led to symptoms including
a MemoryError, swapping, out of memory (OOM) killed
processes or containers, or even system crashes
(CVE-2025-13836, bsc#1254400).
- gh-119342: Fix a potential memory denial of service in the
plistlib module. When reading a Plist file received from an
untrusted source, it could cause an arbitrary amount of
memory to be allocated. This could have led to symptoms
including a MemoryError, swapping, out of memory (OOM)
killed processes or containers, or even system crashes
(CVE-2025-13837, bsc#1254401).
Library
- gh-142754: Add the ownerDocument attribute to
xml.dom.minidom elements and attributes created by directly
instantiating the Element or Attr class. Note that this way
of creating nodes is not supported; creator functions like
xml.dom.Document.documentElement() should be used instead.
- gh-142594: Fix crash in TextIOWrapper.close() when the
underlying buffer’s closed property calls detach().
- gh-76007: Deprecate __version__ from ctypes. Patch by Hugo
van Kemenade.
- gh-76007: Deprecate __version__ from wsgiref.simple_server.
Patch by Hugo van Kemenade.
- gh-142651: unittest.mock: fix a thread safety issue where
Mock.call_count may return inaccurate values when the mock
is called concurrently from multiple threads.
- gh-76007: Deprecate __version__ from http.server. Patch by
Hugo van Kemenade.
- gh-138122: Add --subprocesses flag to profiling.sampling
CLI to automatically profile subprocesses spawned by the
target. When enabled, the profiler monitors for new Python
subprocesses and profiles each one separately, writing
results to individual output files. This is useful for
profiling applications that use multiprocessing,
ProcessPoolExecutor, or other subprocess-based parallelism.
Patch by Pablo Galindo.
- gh-142595: Added type check during initialization of the
decimal module to prevent a crash in case of broken stdlib.
Patch by Sergey B Kirpichev.
- gh-142556: Fix crash when a task gets re-registered during
finalization in asyncio. Patch by Kumar Aditya.
- gh-138122: Add --mode=exception to the sampling profiler to
capture samples only from threads with an active exception,
useful for analyzing exception handling overhead. Patch by
Pablo Galindo.
- gh-142539: traceback: Fix location of carets in
SyntaxErrors when the source contains wide characters.
- gh-123241: Avoid reference count operations in garbage
collection of ctypes objects.
- gh-142451: hmac: correctly copy HMAC attributes for objects
copied through HMAC.copy(). Patch by Bénédikt Tran.
- gh-138122: The profiling.sampling flamegraph profiler now
supports inverted flamegraph view that aggregates all leaf
nodes. In a standard flamegraph, if a hot function is
called from multiple locations, it appears multiple times
as separate leaf nodes. In the inverted flamegraph, all
occurrences of the same leaf function are merged into
a single aggregated node at the root, showing the total
hotness of that function in one place. The children of each
aggregated node represent its callers, making it easier to
identify which functions consume the most CPU time and
where they are called from.
- gh-112527: The help text for required options in argparse
is no longer extended with “ (default: None)”.
- gh-142438: Fixed a possible leaked GIL in
_PySSL_keylog_callback.
- gh-138122: Add bytecode-level instruction profiling to the
sampling profiler via the new --opcodes flag. When enabled,
the profiler captures which bytecode opcode is executing at
each sample, including Python 3.11+ adaptive
specializations, and visualizes this data in the heatmap,
flamegraph, gecko, and live output formats. Patch by Pablo
Galindo
- gh-142389: Add backtick markup support in argparse
description and epilog text to highlight inline code when
color output is enabled.
- gh-142346: Fix usage formatting for mutually exclusive
groups in argparse when they are preceded by positional
arguments or followed or intermixed with other optional
arguments.
- gh-142374: Fix cumulative percentage calculation for
recursive functions in the new sampling profiler. When
profiling recursive functions, cumulative statistics
(cumul%, cumtime) could exceed 100% because each recursive
frame in a stack was counted separately. For example,
a function recursing 500 times in every sample would show
50000% cumulative presence. The fix deduplicates locations
within each sample so cumulative stats correctly represent
“percentage of samples where this function was on the
stack”. Patch by Pablo Galindo.
- gh-142315: Pdb can now run scripts from anonymous pipes
used in process substitution. Patch by Bartosz Sławecki.
- gh-64532: Subparser help now includes required optional
arguments from the parent parser in the usage, making it
clearer what arguments are needed to run a subcommand.
Patch by Savannah Ostrowski.
- gh-142207: Fix: profiling.sampling may cause assertion
!(has_gil && gil_requested)
- gh-142332: Fix usage formatting for positional arguments in
mutually exclusive groups in argparse.
- gh-142282: Fix winreg.QueryValueEx() to not accidentally
read garbage buffer under race condition.
- gh-142318: Fix typing 'q' at the help of the interactive
tachyon profiler exiting the profiler.
- gh-75949: Fix argparse to preserve | separators in mutually
exclusive groups when the usage line wraps due to length.
- gh-142267: Improve argparse performance by caching the
formatter used for argument validation.
- gh-139862: Remove color parameter from
argparse.HelpFormatter constructor. Color is controlled by
ArgumentParser.
- gh-68552: MisplacedEnvelopeHeaderDefect and Missing header
name defects are now correctly passed to the handle_defect
method of policy in FeedParser.
- gh-142206: The resource tracker in the multiprocessing
module can now understand messages from older versions of
itself. This avoids issues with upgrading Python while it
is running. (Note that such ‘in-place’ upgrades are not
tested.)
- gh-142214: Fix two regressions in dataclasses in Python
3.14.1 related to annotations. An exception is no longer
raised if slots=True is used and the __init__ method does
not have an __annotate__ attribute (likely because
init=False was used). An exception is no longer raised if
annotations are requested on the __init__ method and one of
the fields is not present in the class annotations. This
can occur in certain dynamic scenarios. Patch by Jelle
Zijlstra.
- gh-142203: Remove the debug_override parameter from
importlib.util.cache_from_source() which has been
deprecated since Python 3.5.
- gh-138122: The _remote_debugging module now implements
frame caching in the RemoteUnwinder class to reduce memory
reads when profiling remote processes. When
cache_frames=True, unchanged portions of the call stack are
reused from previous samples, significantly improving
profiling performance for deep call stacks.
- gh-116738: Fix cmath data race when initializing
trigonometric tables with subinterpreters.
- gh-141982: Allow pdb to set breakpoints on async functions
with function names.
- gh-74389: When the stdin being used by a subprocess.Popen
instance is closed, this is now ignored in
subprocess.Popen.communicate() instead of leaving the class
in an inconsistent state.
- gh-87512: Fix subprocess.Popen.communicate() timeout
handling on Windows when writing large input. Previously,
the timeout was ignored during stdin writing, causing the
method to block indefinitely if the child process did not
consume input quickly. The stdin write is now performed in
a background thread, allowing the timeout to be properly
enforced.
- gh-141939: Add color to all interpolated values in argparse
help, like %(default)s or %(choices)s. Patch by Alex
Prengère.
- gh-141473: When subprocess.Popen.communicate() was called
with input and a timeout and is called for a second time
after a TimeoutExpired exception before the process has
died, it should no longer hang.
- gh-141999: Correctly allow KeyboardInterrupt to stop the
process when using profiling.sampling.
- gh-142006: Fix a bug in the email.policy.default folding
algorithm which incorrectly resulted in a doubled newline
when a line ending at exactly max_line_length was followed
by an unfoldable token.
- gh-141968: Remove data copy from re compilation of regexes
with large charsets by using bytearray.take_bytes().
- gh-141968: Remove data copy from encodings.idna encode()
and encode() by using bytearray.take_bytes().
- gh-141968: Remove data copy from codecs punycode encoding
by using bytearray.take_bytes().
- gh-141968: Remove data copy from
wave.Wave_read.readframes() and
wave.Wave_write.writeframes() by using
bytearray.take_bytes().
- gh-141968: Remove a data copy from base64.b32decode() and
base64.b32encode() by using bytearray.take_bytes().
- gh-59000: Fix pdb breakpoint resolution for class methods
when the module defining the class is not imported.
- gh-116738: Fix thread safety issue with re scanner objects
in free-threaded builds.
- gh-138122: The profiling.sampling flamegraph profiler now
displays thread status statistics showing the percentage of
time threads spend holding the GIL, running without the
GIL, waiting for the GIL, and performing garbage
collection. These statistics help identify GIL contention
and thread behavior patterns. When filtering by thread, the
display shows per-thread metrics.
- gh-141781: Fixed an issue where pdb.line_prefix assignment
was ignored if assigned after the module was imported.
- gh-141863: Update Streams to use bytearray.take_bytes() for
an over 10% performance improvement on pyperformance
asyncio_tcp benchmark.
- gh-141817: Add socket.IPV6_HDRINCL constant.
- gh-105836: Fix asyncio.run_coroutine_threadsafe() leaving
underlying cancelled asyncio task running.
- gh-141570: Support file-like object raising OSError from
fileno() in color detection (_colorize.can_colorize()).
This can occur when sys.stdout is redirected.
- gh-141679: Add colour to defaults in argparse help. Patch
by Hugo van Kemenade.
- gh-141686: Break reference cycles created by each call to
json.dump() or json.JSONEncoder.iterencode().
- gh-141659: Fix bad file descriptor errors from
_posixsubprocess on AIX.
- gh-141645: Add a new --live mode to the tachyon profiler in
profiling.sampling module. This mode consists of a live TUI
that displays real-time profiling statistics as the target
application runs, similar to top. Patch by Pablo Galindo.
- gh-141615: Check stdin instead of stdout for use_rawinput
in pdb.
- gh-69113: Fix doctest to correctly report line numbers for
doctests in __test__ dictionary when formatted as
triple-quoted strings by finding unique lines in the string
and matching them in the source file.
- gh-141600: Fix musl version detection on Void Linux.
- gh-48752: Add readline.get_pre_input_hook() function to
retrieve the current pre-input hook. This allows
applications to save and restore the hook without
overwriting user settings. Patch by Sanyam Khurana.
- gh-141565: Add async-aware profiling to the Tachyon
sampling profiler. The profiler now reconstructs and
displays async task hierarchies in flamegraphs, making the
output more actionable for users. Patch by Savannah
Ostrowski and Pablo Galindo Salgado.
- gh-60107: Remove a copy from io.RawIOBase.read(). If the
underlying I/O class keeps a reference to the mutable
memory, raise a BufferError.
- gh-116738: Make csv module thread-safe on the free threaded
build.
- gh-140911: collections: Ensure that the methods
UserString.rindex() and UserString.index() accept
collections.UserString instances as the sub argument.
- gh-140875: Fix handling of unclosed character references
(named and numerical) followed by the end of file in
html.parser.HTMLParser with convert_charrefs=False.
- gh-140677: Add heatmap visualization mode to the Tachyon
sampling profiler. The new --heatmap output format provides
a line-by-line view showing execution intensity with
color-coded samples, inline statistics, and interactive
call graph navigation between callers and callees.
- gh-139946: Distinguish stdout and stderr when colorizing
output in argparse module.
- gh-76007: pydoc: Fix DeprecationWarning being raised when
generating doc for stdlib modules.
- gh-139686: Make importlib.reload no-op for lazy modules.
- gh-138697: Fix inferring dest from a single-dash long
option in argparse. If a short option and a single-dash
long option are passed to add_argument(), dest is now
inferred from the single-dash long option.
- gh-138525: Add support for single-dash long options and
alternate prefix characters in
argparse.BooleanOptionalAction.
- gh-79986: Add parsing for References and In-Reply-To
headers to the email library that parses the header content
as lists of message id tokens. This prevents them from
being folded incorrectly.
- gh-135559: Flag: a dir() on a Flag enumeration now shows
non-canonical members (i.e. aliases).
- gh-134453: Fixed subprocess.Popen.communicate() input=
handling of memoryview instances that were non-byte shaped
on POSIX platforms. Those are now properly cast to a byte
shaped view instead of truncating the input. Windows
platforms did not have this bug.
- gh-127930: Add __all__ to tkinter.simpledialog.
- gh-115952: Fix a potential memory denial of service in the
pickle module. When reading pickled data received from an
untrusted source, it could cause an arbitrary amount of
memory to be allocated, even if the code that is allowed to
execute is restricted by overriding the find_class()
method. This could have led to symptoms including
a MemoryError, swapping, out of memory (OOM) killed
processes or containers, or even system crashes.
- bpo-40350: Fix support for namespace packages in
modulefinder.
Documentation
- gh-141994: xml.sax.handler: Make Documentation of
xml.sax.handler.feature_external_ges warn of opening up to
external entity attacks. Patch by Sebastian Pipping.
Core and Builtins
- gh-134584: Eliminate redundant refcounting from
_STORE_ATTR_INSTANCE_VALUE.
- gh-142718: JIT: Fix segfault caused by not flushing the
stack to memory at side exits.
- gh-142737: Tracebacks will be displayed in fallback mode
even if io.open() is lost. Previously, this would crash the
interpreter. Patch by Bartosz Sławecki.
- gh-116738: Make the attributes in bz2 thread-safe on the
free threaded build.
- gh-134584: Eliminate redundant refcounting from
_CALL_LIST_APPEND.
- gh-142554: Fix a crash in divmod() when
_pylong.int_divmod() does not return a tuple of length two
exactly. Patch by Bénédikt Tran.
- gh-142531: Fix a free-threaded GC performance regression.
If there are many untracked tuples, the GC will run too
often, resulting in poor performance. The fix is to include
untracked tuples in the “long lived” object count. The
number of frozen objects is also now included since the
free-threaded GC must scan those too.
- gh-142402: Fix reference counting when adjacent literal
parts are merged while constructing
string.templatelib.Template, preventing the displaced
string object from leaking.
- gh-116738: Make the attributes in zlib thread-safe on the
free threaded build.
- gh-142343: Fix SIGILL crash on m68k due to incorrect
assembly constraint.
- gh-142236: Improve the “Perhaps you forgot a comma?” syntax
error for multi-line string concatenations to point to the
last string instead of the first, making it easier to
locate where the comma is missing. Patch by Pablo Galindo.
- gh-142236: Fix incorrect keyword suggestions for syntax
errors in traceback. The keyword typo suggestion mechanism
would incorrectly suggest replacements when the extracted
source code was incomplete rather than containing an actual
typo. Patch by Pablo Galindo.
- gh-142305: Decrease the size of the generated stencils and
the runtime JIT code. Patch by Diego Russo.
- gh-135379: Implement a limited form of register allocation
known as “top of stack caching” in the JIT. It works by
keeping 0-3 of the top items in the stack in registers. The
code generator generates multiple versions of those uops
that do not escape and are relatively small. During JIT
compilation, the copy that produces the least memory
traffic is selected, spilling or reloading values when
needed.
- gh-142276: Fix missing type watcher when promoting
attribute loads to constants in the JIT. Patch by Ken Jin.
Reproducer by Yuancheng Jiang.
- gh-142218: Fix crash when inserting into a split table
dictionary with a non str key that matches an existing key.
- gh-141976: Check against abstract stack overflow in the JIT
optimizer.
- gh-97850: Remove all *.load_module() usage and definitions
from the import system and importlib. The method has been
deprecated in favor of importlib.abc.Loader.exec_module()
since Python 3.4.
- gh-142048: Fix quadratically increasing garbage collection
delays in free-threaded build.
- gh-65961: Stop setting __cached__ on modules.
- gh-141770: Annotate anonymous mmap usage only when
supported by the Linux kernel and if -X dev is used or
Python is built in debug mode. Patch by Donghee Na.
- gh-142029: Raise ModuleNotFoundError instead of crashing
when a nonexistent module is used as a name in
_imp.create_builtin().
- gh-142029: Raise ValueError instead of crashing when empty
string is used as a name in _imp.create_builtin().
- gh-141976: Protect against specialization failures in the
tracing JIT compiler for performance reasons.
- gh-141861: Fix invalid memory read in the ENTER_EXECUTOR
instruction.
- gh-141930: When importing a module, use Python’s regular
file object to ensure that writes to .pyc files are
complete or an appropriate error is raised.
- gh-138122: Add incomplete sample detection to prevent
corrupted profiling data. Each thread state now contains an
embedded base frame (sentinel at the bottom of the frame
stack) with owner type FRAME_OWNED_BY_INTERPRETER. The
profiler validates that stack unwinding terminates at this
sentinel frame. Samples that fail to reach the base frame
(due to race conditions, memory corruption, or other
errors) are now rejected rather than being included as
spurious data.
- gh-120158: Fix inconsistent state when enabling or
disabling monitoring events too many times.
- gh-140638: Expose a "candidates" stat in gc.get_stats() and
gc.callbacks.
- gh-141780: Fix Py_mod_gil with API added in PEP 793:
PyModule_FromSlotsAndSpec() and PyModExport hooks
- gh-141732: Ensure the __repr__() for ExceptionGroup and
BaseExceptionGroup does not change when the exception
sequence that was originally passed in to its constructor is
subsequently mutated.
- gh-140638: Expose a "duration" stat in gc.get_stats() and
gc.callbacks.
- gh-139653: Only raise a RecursionError or trigger a fatal
error if the stack pointer is both below the limit pointer
and above the stack base. If outside of these bounds assume
that it is OK. This prevents false positives when
user-space threads swap stacks.
- gh-41779: Allowed defining the __dict__ and __weakref__
__slots__ for any class.
- gh-139103: Improve multithreaded scaling of dataclasses on
the free-threaded build.
- gh-141589: Change backoff counter to use prime numbers
instead of powers of 2. Use only 3 bits for counter and 13
bits for value. This allows supporting values up to 8191.
Patch by Mikhail Efimov.
- gh-137007: Fix a bug during JIT compilation failure which
caused garbage collection debug assertions to fail.
- gh-132657: For the free-threaded build, avoid locking the
set object for the __contains__ method.
- gh-134584: Eliminate redundant refcounting from
_CALL_STR_1.
- gh-134584: Eliminate redundant refcounting from
_CALL_BUILTIN_O.
- gh-134584: Eliminate redundant refcounting from
_CALL_TUPLE_1. Patch by Noam Cohen
C API
- gh-142589: Fix
PyUnstable_Object_IsUniqueReferencedTemporary() handling of
tagged ints on the interpreter stack.
- gh-142571: PyUnstable_CopyPerfMapFile() now checks that
opening the file succeeded before flushing.
- gh-142225: Fixed the PyABIInfo_VAR macro.
- gh-141049: _PyObject_CallMethodId(), _PyObject_GetAttrId()
and _PyUnicode_FromId() are deprecated since 3.15 and will
be removed in 3.20. Instead, use
PyUnicode_InternFromString() and cache the result in the
module state, then call PyObject_CallMethod() or
PyObject_GetAttr(). Patch by Victor Stinner.
- gh-142163: Fix the HAVE_THREAD_LOCAL macro being defined
without the Py_BUILD_CORE macro set after including
Python.h.
- gh-137422: Fix free threading race condition in
PyImport_AddModuleRef(). It was previously possible for two
calls to the function to return two different objects, only
one of which was stored in sys.modules.
- gh-141726: Add PyDict_SetDefaultRef() to the Stable ABI.
- gh-140042: Removed the sqlite3_shutdown call that could
cause closing connections for sqlite when used with
multiple sub interpreters.
- gh-141070: Add PyUnstable_Object_Dump() to dump an object
to stderr. It should only be used for debugging. Patch by
Victor Stinner.
- gh-139165: Expose the functions Py_SIZE(), Py_IS_TYPE() and
Py_SET_SIZE() in the Stable ABI.
Build
- gh-131372: Add LDVERSION and EXE to the base_interpreter
value of build-details.json.
- gh-142454: When calculating the digest of the JIT stencils
input, sort the hashed files by filenames before adding
their content to the hasher. This ensures deterministic
hash input and hence deterministic hash, independent on
filesystem order.
- gh-131372: build-details.py will only be installed as part
of the main install (make install). make altinstall will no
longer include it.
- gh-142234: Allow --enable-wasm-dynamic-linking for WASI.
While CPython doesn’t directly support it, external/downstream
users do not have to patch in support for the flag.
- gh-142050: Fixed a bug where JIT stencils produced on
Windows contained debug data. Patch by Chris Eibl.
- gh-141808: Do not generate the jit stencils twice in case
of PGO builds on Windows.
- gh-141926: RUNSHARED is no longer cleared when
cross-compiling. Previously, RUNSHARED was cleared when
cross-compiling, which breaks PGO when using
--enable-shared on systems where the cross-compiled
CPython is otherwise executable (e.g., via transparent
emulation).
- gh-141808: When running make clean-retain-profile, keep the
generated JIT stencils. That way, the stencils are not
generated twice when Profile-guided optimization (PGO) is
used. It also allows distributors to supply their own
pre-built JIT stencils.
- gh-141784: Fix _remote_debugging_module.c compilation on
32-bit Linux. Include Python.h before system headers to
make sure that _remote_debugging_module.c uses the same
types (ABI) as Python. Patch by Victor Stinner.
- gh-141172: Update to WASI SDK 29.
- gh-139707: Add configure option
--with-missing-stdlib-config=FILE which allows distributors
to pass a JSON configuration file containing custom error
messages for missing standard library modules.
- gh-108819: Honor --with-platlibdir in the pure-Python
standard library installation path, if PLATLIBDIR doesn’t
match the value used in LIBDIR.
Tests
- gh-140381: Fix flaky test_profiling tests on i686 and s390x
architectures by increasing slow_fibonacci call frequency
from every 5th iteration to every 2nd iteration.
- gh-140210: Make
test_sysconfig.test_parse_makefile_renamed_vars less
fragile by clearing the environment variables before
parsing the Makefile.
|
|||
|
2544c41d2e
|
Add CVE-2025-13836-http-resp-cont-len.patch (bsc#1254400, CVE-2025-13836)
Prevent reading an HTTP response from a server, if no read amount is specified, with using Content-Length per default as the length. |
|||
|
|
39c4b2a029 |
Update to Python 3.15.0~a2
Extremely long changelog omitted for clarity. |
||
|
e52bc99839
|
Add CVE-2025-6075-expandvars-perf-degrad.patch
Avoid simple quadratic complexity vulnerabilities of os.path.expandvars() (CVE-2025-6075, bsc#1252974). Skip test_curses on ppc64le (gh#python/cpython#141534) |
|||
|
b563206f1a
|
Remove unnecessary patch and note that the bug has been already fixed. | |||
| 8825dfe9e6 | Update list of skipped tests in qemu linux-user emulation | |||
|
e4dc67aaa9
|
New subpackage profiling | |||
|
179f7e291d
|
Add CVE-2025-8291-consistency-zip64.patch | |||
|
d1ba494eb6
|
_asyncio is not in general package | |||
| 343b3f1136 |
- New development of new major version, update to 3.15.0~a1:
- Tools/Demos
- gh-139330: SBOM generation tool didn’t cross-check
the version and checksum values against the
Modules/expat/refresh.sh script, leading to the values
becoming out-of-date during routine updates.
- gh-132006: XCframeworks now include privacy manifests to
satisfy Apple App Store submission requirements.
- gh-138171: A script for building an iOS XCframework was
added. As part of this change, the top level iOS folder has
been moved to be a subdirectory of the Apple folder.
- gh-137873: The iOS test runner has been simplified,
resolving some issues that have been observed using
the runner in GitHub Actions and Azure Pipelines test
environments.
- gh-137484: Have Tools/wasm/wasi put the build Python into a
directory named after the build triple instead of “build”.
- gh-137025: The wasm_build.py script has been removed.
Tools/wasm/emscripten and Tools/wasm/wasi should be used
instead, as described in the Dev Guide.
- gh-137248: Add a --logdir option to Tools/wasm/wasi for
specifying where to write log files.
- gh-137243: Have Tools/wasm/wasi detect a WASI SDK install
in /opt when it was directly extracted from a release
tarball.
- gh-136251: Fixes and usability improvements for
Tools/wasm/emscripten/web_example
- gh-135968: Stubs for strip are now provided as part of an
iOS install.
- gh-135379: The cases generator no longer accepts type
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python315?expand=0&rev=3
|
|||
| 6d5b19dbfe | OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python315?expand=0&rev=2 |