Commit Graph

23 Commits

Author SHA256 Message Date
9205d3700f Update to 3.15.0a5:
  - Tools/Demos
    - gh-142095: Make gdb ‘py-bt’ command use frame from thread
      local state when available. Patch by Sam Gross and Victor
      Stinner.
  - Tests
    - gh-143460: Skip tests relying on infinite recursion if stack
      size is unlimited.
    - gh-143553: Add support for parametrized resources, such as
      -u xpickle=2.7.
    - bpo-31391: Forward-port test_xpickle from Python 2 to
      Python 3 and add the resource back to test’s command line.
  - Library
    - gh-143706: Fix multiprocessing forkserver so that sys.argv
      is correctly set before __main__ is preloaded. Previously,
      sys.argv was empty during main module import in forkserver
      child processes. This fixes a regression introduced in
      3.13.8 and 3.14.1. Root caused by Aaron Wieczorek, test
      provided by Thomas Watson, thanks!
    - gh-143638: Forbid reentrant calls of the pickle.Pickler and
      pickle.Unpickler methods for the C implementation.
      Previously, this could cause crash or data corruption, now
      concurrent calls of methods of the same object raise
      RuntimeError.
    - gh-143658: importlib.metadata: Use str.translate() to
      improve performance of
      importlib.metadata.Prepared.normalize(). Patch by Hugo van
      Kemenade and Henry Schreiner.
    - gh-78724: Raise RuntimeError’s when user attempts to call
      methods on half-initialized Struct objects, for example,
      created by Struct.__new__(Struct). Patch by Sergey
      B Kirpichev.
    - gh-143196: Fix crash when the internal encoder object
      returned by undocumented function
      json.encoder.c_make_encoder() was called with non-zero
      second (_current_indent_level) argument.
    - gh-143191: _thread.stack_size() now raises ValueError if
      the stack size is too small. Patch by Victor Stinner.
    - gh-143547: Fix sys.unraisablehook() when the hook raises an
      exception and changes sys.unraisablehook(): hold a strong
      reference to the old hook. Patch by Victor Stinner.
    - gh-139686: Revert 0a97941245f1dda6d838f9aaf0512104e5253929
      and 57db12514ac686f0a752ec8fe1c08b6daa0c6219 which made
      importlib.reload a no-op for lazy modules; caused Buildbot
      failures.
    - gh-143517: annotationlib.get_annotations() no longer raises
      a SyntaxError when evaluating a stringified starred
      annotation that starts with one or more whitespace
      characters followed by a *. Patch by Bartosz Sławecki.
    - gh-143474: Add os.RWF_ATOMIC constant for Linux 6.11+.
    - gh-143445: Speed up copy.deepcopy() by 1.04x.
    - gh-143378: Fix use-after-free crashes when a BytesIO object
      is concurrently mutated during write() or writelines().
    - gh-143368: Fix endless retry loop in profiling.sampling
      blocking mode when threads cannot be seized due to EPERM.
      Such threads are now skipped instead of causing repeated
      error messages. Patch by Pablo Galindo.
    - gh-143346: Fix incorrect wrapping of the Base64 data in
      plistlib._PlistWriter when the indent contains a mix of
      tabs and spaces.
    - gh-140025: queue: Fix SimpleQueue.__sizeof__() computation.
    - gh-143310: tkinter: fix a crash when a Python list is
      mutated during the conversion to a Tcl object (e.g., when
      setting a Tcl variable). Patch by Bénédikt Tran.
    - gh-143309: Fix a crash in os.execve() on non-Windows
      platforms when given a custom environment mapping which is
      then mutated during parsing. Patch by Bénédikt Tran.
    - gh-143308: pickle: fix use-after-free crashes when
      a PickleBuffer is concurrently mutated by a custom buffer
      callback during pickling. Patch by Bénédikt Tran and Aaron
      Wieczorek.
    - gh-142939: Performance optimisations for
      difflib.get_close_matches()
    - gh-124951: The base64 implementation behind the binascii,
      base64, and related codec has been optimized for modern
      pipelined CPU architectures and now performs 2-3x faster
      across all platforms.
    - gh-143237: Fix support of named pipes in the rotating
      logging handlers.
    - gh-143249: Fix possible buffer leaks in Windows overlapped
      I/O on error handling.
    - gh-143241: zoneinfo: fix infinite loop in
      ZoneInfo.from_file when parsing a malformed TZif file.
      Patch by Fatih Celik.
    - gh-142830: sqlite3: fix use-after-free crashes when the
      connection’s callbacks are mutated during a callback
      execution. Patch by Bénédikt Tran.
    - gh-143200: xml.etree.ElementTree: fix use-after-free
      crashes in __getitem__() and __setitem__() methods of
      Element when the element is concurrently mutated. Patch by
      Bénédikt Tran.
    - gh-143214: Add the wrapcol parameter in
      binascii.b2a_base64() and base64.b64encode().
    - gh-142195: Updated timeout evaluation logic in subprocess
      to be compatible with deterministic environments like
      Shadow where time moves exactly as requested.
    - gh-140739: Fix several crashes due to reading invalid
      memory in the new Tachyon sampling profiler. Patch by Pablo
      Galindo.
    - gh-142164: Fix the ctypes bitfield overflow error message
      to report the correct offset and size calculation.
    - gh-143145: Fixed a possible reference leak in ctypes when
      constructing results with multiple output parameters on
      error.
    - gh-143103: Add padding support to base64.z85encode() via
      the pad parameter.
    - gh-130796: Undeprecate the locale.getdefaultlocale()
      function. Patch by Victor Stinner.
    - gh-74902: Add the iter_graphemes() function in the
      unicodedata module to iterate over grapheme clusters
      according to rules defined in Unicode Standard Annex #29,
      “Unicode Text Segmentation”. Add grapheme_cluster_break(),
      indic_conjunct_break() and extended_pictographic()
      functions to get the properties of the character which are
      related to the above algorithm.
    - gh-143004: Fix a potential use-after-free in
      collections.Counter.update() when user code mutates the
      Counter during an update.
    - gh-140648: The asyncio REPL now respects the -I flag
      (isolated mode). Previously, it would load and execute
      PYTHONSTARTUP even if the flag was set. Contributed by
      Bartosz Sławecki.
    - gh-142991: Fixed socket operations such as recvfrom() and
      sendto() for FreeBSD divert(4) socket.
    - gh-116738: Make the attributes in lzma thread-safe on the
      free threaded build.
    - gh-142950: Fix regression in argparse where format
      specifiers in help strings raised ValueError.
    - gh-142881: Fix concurrent and reentrant call of
      atexit.unregister().
    - gh-142615: Fix possible crashes when initializing
      asyncio.Task or asyncio.Future multiple times. These
      classes can now be initialized only once and any subsequent
      initialization attempt will raise a RuntimeError. Patch by
      Kumar Aditya.
    - gh-142517: The non-compat32 email policies now correctly
      handle refolding encoded words that contain bytes that can
      not be decoded in their specified character set. Previously
      this resulted in an encoding exception during folding.
    - gh-138122: The Tachyon profiler’s live TUI now integrates
      with the experimental _colorize theming system. Users can
      customize colors via _colorize.set_theme() (experimental
      API, subject to change). A LiveProfilerLight theme is
      provided for light terminal backgrounds. Patch by Pablo
      Galindo.
    - gh-142306: Improve errors for Element.remove.
    - gh-63016: Add a flags parameter to mmap.mmap.flush() to
      control synchronization behavior.
    - gh-139262: Some keystrokes can be swallowed in the new
      PyREPL on Windows, especially when used together with the
      ALT key. Fix by Chris Eibl.
    - gh-138897: Improved license/copyright/credits display in
      the REPL: now uses a pager.
    - gh-135852: Add _winapi.RegisterEventSource(),
      _winapi.DeregisterEventSource() and _winapi.ReportEvent().
      Using these functions in NTEventLogHandler to replace
      pywin32.
    - gh-109263: Starting a process from spawn context in
      multiprocessing no longer sets the start method globally.
    - gh-132715: Skip writing objects during marshalling once
      a failure has occurred.
  - Documentation
    - gh-140806: Add documentation for enum.bin().
  - Core and Builtins
    - gh-134584: Eliminate redundant refcounting from
      _CONTAINS_OP, _CONTAINS_OP_SET and _CONTAINS_OP_DICT.
    - gh-143604: Fix a reference counting issue in the JIT tracer
      where the current executor could be prematurely freed
      during tracing.
    - gh-143469: Enable LOAD_ATTR_MODULE specialization even if
      __getattr__() is defined in module.
    - gh-134584: Eliminate redundant refcounting from
      TO_BOOL_STR.
    - gh-143377: Fix a crash in _interpreters.capture_exception()
      when the exception is incorrectly formatted. Patch by
      Bénédikt Tran.
    - gh-139757: Add BINARY_OP_SUBSCR_USTR_INT to specialize
      reading an ASCII character from any string. Patch by Chris
      Eibl.
    - gh-141504: Factor out tracing and optimization heuristics
      into a single object. Patch by Donghee Na.
    - gh-142982: Specialize CALL_FUNCTION_EX for Python and
      non-Python callables.
    - gh-136924: The interactive help mode in the REPL no longer
      incorrectly syntax highlights text input as Python code.
      Contributed by Olga Matoula.
    - gh-139757: Fix unintended bytecode specialization for
      non-ascii string. Patch by Donghee Na, Ken Jin and Chris
      Eibl.
    - gh-143361: Add PY_VECTORCALL_ARGUMENTS_OFFSET to
      _Py_CallBuiltinClass_StackRefSteal to avoid redundant
      allocations
    - gh-131798: The JIT optimizer now understands more generator
      instructions.
    - gh-134584: Eliminate redundant refcounting from
      _LOAD_ATTR_SLOT.
    - gh-143189: Fix crash when inserting a non-str key into
      a split table dictionary when the key matches an existing
      key in the split table but has no corresponding value in
      the dict.
    - gh-143228: Fix use-after-free in perf trampoline when
      toggling profiling while threads are running or during
      interpreter finalization with daemon threads active. The
      fix uses reference counting to ensure trampolines are not
      freed while any code object could still reference them.
      Patch by Pablo Galindo
    - gh-142664: Fix a use-after-free crash in
      memoryview.__hash__ when the __hash__ method of the
      referenced object mutates that object or the view. Patch by
      Bénédikt Tran.
    - gh-142557: Fix a use-after-free crash in bytearray.__mod__
      when the bytearray is mutated while formatting the %-style
      arguments. Patch by Bénédikt Tran.
    - gh-143195: Fix use-after-free crashes in bytearray.hex()
      and memoryview.hex() when the separator’s __len__() mutates
      the original object. Patch by Bénédikt Tran.
    - gh-143183: Fix a bug in the JIT when dealing with
      unsupported control-flow or operations.
    - gh-142975: Fix crash after unfreezing all objects tracked
      by the garbage collector on the free threaded build.
    - gh-143135: Set sys.flags.inspect to 1 when PYTHONINSPECT is
      0. Previously, it was set to 0 in this case.
    - gh-143123: Protect the JIT against recursive tracing.
    - gh-143092: Fix a crash in the JIT when dealing with
      list.append(x) style code.
    - gh-143003: Fix an overflow of the shared empty buffer in
      bytearray.extend() when __length_hint__() returns 0 for
      non-empty iterator.
    - gh-143006: Fix a possible assertion error when comparing
      negative non-integer float and int with the same number of
      bits in the integer part.
    - gh-116738: Fix thread safety of contextvars.Context.run().
    - gh-142829: Fix a use-after-free crash in
      contextvars.Context comparison when a custom __eq__ method
      modifies the context via set().
    - gh-142863: Generate optimized bytecode when calling list or
      set with generator expression.
    - gh-41779: Allowed defining any __slots__ for a class
      derived from tuple (including classes created by
      collections.namedtuple()).
    - gh-69605: Fix edge-cases around already imported modules in
      the REPL auto-completion of imports.
    - gh-138568: Adjusted the built-in help() function so that
      empty inputs are ignored in interactive mode.
    - gh-131798: Remove bounds check when indexing into tuples
      with a constant index.
    - gh-134584: Eliminate redundant refcounting from
      _CALL_TYPE_1. Patch by Tomas Roun
    - gh-132108: Speed up int.from_bytes() when passed object
      supports buffer protocol, like bytearray by ~1.2x.
    - gh-128334: Make the slice class subscriptable at runtime to
      be consistent with typing implementation.
  - C API
    - gh-141671: PyMODINIT_FUNC (and the new PyMODEXPORT_FUNC)
      now adds a linkage declaration (__declspec(dllexport)) on
      Windows.
Update to 3.15.0a4:
  - Tests
    - gh-142836: Accommodated Solaris in
      test_pdb.test_script_target_anonymous_pipe.
  - Library
    - gh-122431: Corrected the error message in
      readline.append_history_file() to state that nelements must
      be non-negative instead of positive.
    - gh-143046: The asyncio REPL no longer prints copyright and
      version messages in the quiet mode (-q). Patch by Bartosz
      Sławecki.
    - gh-80744: Fix issue where pdb would read a .pdbrc twice if
      launched from the home directory
    - gh-138122: Add blocking mode to Tachyon for accurate stack
      traces in applications with many generators or
      fast-changing call stacks. Patch by Pablo Galindo.
    - gh-143010: Fixed a bug in mailbox where the precise timing
      of an external event could result in the library opening an
      existing file instead of a file it expected to create.
    - gh-112127: Fix possible use-after-free in
      atexit.unregister() when the callback is unregistered
      during comparison.
    - gh-138122: Fix incomplete stack traces in the Tachyon
      profiler’s frame cache when profiling code with deeply
      nested generators. The frame cache now validates that stack
      traces reach the base frame before caching, preventing
      broken flamegraphs. Patch by Pablo Galindo.
    - gh-142834: Change the pdb commands command to use the last
      available breakpoint instead of failing when the most
      recently created breakpoint was deleted.
    - gh-142783: Fix zoneinfo use-after-free with descriptor
      _weak_cache. A descriptor as _weak_cache could cause
      crashes during object creation. The fix ensures proper
      reference counting for descriptor-provided objects.
    - gh-76007: Deprecate VERSION from xml.etree.ElementTree and
      version from xml.sax.expatreader and xml.sax.handler. Patch
      by Hugo van Kemenade.
    - gh-142784: The asyncio REPL now properly closes the loop
      upon the end of interactive session. Previously, it could
      cause surprising warnings. Contributed by Bartosz Sławecki.
    - gh-138122: Add binary output format to profiling.sampling
      for compact storage of profiling data. The new --binary
      option captures samples to a file that can be converted to
      other formats using the replay command. Patch by Pablo
      Galindo
    - gh-142495: collections.defaultdict now prioritizes
      __setitem__() when inserting default values from
      default_factory. This prevents race conditions where
      a default value would overwrite a value set before
      default_factory returns.
    - gh-142654: Show a clearer error message when using
      profiling.sampling on an unknown PID.
    - gh-142560: Fix use-after-free in bytearray search-like
      methods (find(), count(), index(), rindex(), and rfind())
      by marking the storage as exported which causes
      reallocation attempts to raise BufferError. For contains(),
      split(), and rsplit() the buffer protocol is used for this.
    - gh-142419: mmap.mmap.set_name() method added to annotate an
      anonymous memory map if Linux kernel supports
      PR_SET_VMA_ANON_NAME (Linux 5.17 or newer). Patch by
      Donghee Na.
    - gh-139971: pydoc: Ensure that the link to the online
      documentation of a stdlib module is correct.
    - gh-124098: Fix issue where methods in handlers that lacked
      the protocol name but matched a valid base handler method
      (e.g., _open() or error()) were incorrectly added to
      urllib.request.OpenerDirector’s handlers. Contributed by
      Andrea Mattei.
    - gh-136282: Add support for UNNAMED_SECTION when creating
      a section via the mapping protocol access
  - Core and Builtins
    - gh-143057: Avoid locking in PyTraceMalloc_Track() and
      PyTraceMalloc_Untrack() when tracemalloc is not enabled.
    - gh-139109: Add missing terminator in certain cases when
      tracing in the new JIT compiler.
    - gh-142961: Fix a segfault in the JIT when constant folding
      len(tuple).
    - gh-142776: Fix a file descriptor leak in import.c
    - gh-139757: Fix building JIT stencils on free-threaded
      builds.
    - gh-129068: Make concurrent iteration over the same range
      iterator thread-safe in the free threading build.
    - gh-142543: Fix a stack overflow on Clang JIT build
      configurations with full LTO.
    - gh-142448: Fix a bug when using monitoring with the JIT.
    - gh-142766: Clear the frame of a generator when
      generator.close() is called.
    - gh-134584: Eliminate redundant refcounting from
      _LOAD_ATTR_INSTANCE_VALUE.
    - gh-134584: Eliminate redundant refcounting from
      _STORE_ATTR_WITH_HINT.
    - gh-142476: Fix a memory leak in the experimental Tier
      2 optimizer when creating executors. Patched by Shamil
      Abdulaev.
    - gh-100964: Fix reference cycle in exhausted generator
      frames. Patch by Savannah Ostrowski.
    - gh-139922: Allow building CPython with the tail calling
      interpreter on Visual Studio 2026 MSVC. This provides
      a performance gain over the prior interpreter for MSVC.
      Patch by Ken Jin, Brandt Bucher, and Chris Eibl. With help
      from the MSVC team including Hulon Jenkins.
Remove upstreamed patch:
  - longer-time-test_thread_time.patch
2026-02-08 14:38:36 +01:00
3312e86ee4 Fix bsc#1257041 (CVE-2025-15367)
Add CVE-2025-15367-poplib-ctrl-chars.patch fixing bsc#1257041
(CVE-2025-15367) using gh#python/cpython!143924 and doing basically the
same as the previous patch for poplib library.
2026-02-04 22:22:46 +01:00
e5495e2b21 Fix CVE-2025-15282 (bsc#1257046)
Add CVE-2025-15282-urllib-ctrl-chars.patch fixing bsc#1257046
  (CVE-2025-15282) using gh#python/cpython!143926 and doing
  basically the same as the previous patch for urllib library.
2026-02-04 18:41:33 +01:00
e0030de7d3 Fixing bsc#1257044 (CVE-2025-15366)
Add CVE-2025-15366-imap-ctrl-chars.patch fixing bsc#1257044
(CVE-2025-15366) using gh#python/cpython!143922 and doing basically the
same as the previous patch for IMAP protocol.
2026-02-04 18:39:58 +01:00
372e4a409e Add CVE-2026-0865-wsgiref-ctrl-chars.patch fixing bsc#1257042
(CVE-2026-0865) rejecting control characters in
  wsgiref.headers.Headers, which could be abused for injecting
  false HTTP headers.
2026-02-04 18:39:56 +01:00
63187f7b8b Fixing bsc#1257108 (CVE-2025-12781)
Add CVE-2025-12781-b64decode-alt-chars.patch fixing bsc#1257108
  (CVE-2025-12781) combining gh#python/cpython!141061,
  gh#python/cpython!141128, and gh#python/cpython!141153. All
  `*b64decode` functions should not accept non-altchars.
2026-02-03 16:42:01 +01:00
6995744826 Add CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch
Reject control characters in http cookies (bsc#1257031, CVE-2026-0672).
2026-01-29 14:05:31 +01:00
53765ad497 Add CVE-2025-11468-email-hdr-fold-comment.patch
Preserving parens when folding comments in email headers (bsc#1257029,
CVE-2025-11468).
2026-01-29 13:46:47 +01:00
4c387b3dba Add CVE-2024-6923-follow-up-EOL-email-headers.patch
It is a follow-up to the previous fix of CVE-2024-6923 further encoding
EOL possibly hidden in email headers (bsc#1257181).
2026-01-27 17:58:02 +01:00
97fc2dfa82 doc: mention that we have already fixed also bsc#1257181 2026-01-27 14:28:24 +01:00
766a2fa6d3 Remodel python-3.3.0b1-fix_date_time_compiler.patch
It should be upstreamable (make it dependent on the environment variable
$UNVERSIONED_COMPILER; gh#python/cpython#144121).
2026-01-21 19:11:22 +01:00
09dd0917b6 Replace skip-test_thread_time.patch with gh#python/cpython!143558 2026-01-09 11:44:44 +01:00
5b4527bbb7 Add skip-test_thread_time.patch
Skip test.test_time.TimeTestCase.test_thread_time on s390x
(gh#python/cpython#143528).
2026-01-07 18:14:43 +01:00
3a7c7aaaa8 Add missing changelog 2026-01-05 18:24:06 +01:00
aa61ff92f2 Update to 3.15.0~a3
Security
    - gh-142145: Remove quadratic behavior in xml.minidom node ID
      cache clearing.
    - gh-42400: Fix buffer overflow in _Py_wrealpath() for paths
      exceeding MAXPATHLEN bytes by using dynamic memory
      allocation instead of fixed-size buffer. Patch by Shamil
      Abdulaev.
    - gh-119451: Fix a potential memory denial of service in the
      http.client module. When connecting to a malicious server,
      it could cause an arbitrary amount of memory to be
      allocated. This could have led to symptoms including
      a MemoryError, swapping, out of memory (OOM) killed
      processes or containers, or even system crashes
      (CVE-2025-13836, bsc#1254400).
    - gh-119342: Fix a potential memory denial of service in the
      plistlib module. When reading a Plist file received from
      untrusted source, it could cause an arbitrary amount of
      memory to be allocated. This could have led to symptoms
      including a MemoryError, swapping, out of memory (OOM)
      killed processes or containers, or even system crashes
      (CVE-2025-13837, bsc#1254401).
Library
    - gh-142754: Add the ownerDocument attribute to
      xml.dom.minidom elements and attributes created by directly
      instantiating the Element or Attr class. Note that this way
      of creating nodes is not supported; creator functions like
      xml.dom.Document.documentElement() should be used instead.
    - gh-142594: Fix crash in TextIOWrapper.close() when the
      underlying buffer’s closed property calls detach().
    - gh-76007: Deprecate __version__ from ctypes. Patch by Hugo
      van Kemenade.
    - gh-76007: Deprecate __version__ from wsgiref.simple_server.
      Patch by Hugo van Kemenade.
    - gh-142651: unittest.mock: fix a thread safety issue where
      Mock.call_count may return inaccurate values when the mock
      is called concurrently from multiple threads.
    - gh-76007: Deprecate __version__ from http.server. Patch by
      Hugo van Kemenade.
    - gh-138122: Add --subprocesses flag to profiling.sampling
      CLI to automatically profile subprocesses spawned by the
      target. When enabled, the profiler monitors for new Python
      subprocesses and profiles each one separately, writing
      results to individual output files. This is useful for
      profiling applications that use multiprocessing,
      ProcessPoolExecutor, or other subprocess-based parallelism.
      Patch by Pablo Galindo.
    - gh-142595: Added type check during initialization of the
      decimal module to prevent a crash in case of broken stdlib.
      Patch by Sergey B Kirpichev.
    - gh-142556: Fix crash when a task gets re-registered during
      finalization in asyncio. Patch by Kumar Aditya.
    - gh-138122: Add --mode=exception to the sampling profiler to
      capture samples only from threads with an active exception,
      useful for analyzing exception handling overhead. Patch by
      Pablo Galindo.
    - gh-142539: traceback: Fix location of carets in
      SyntaxErrors when the source contains wide characters.
    - gh-123241: Avoid reference count operations in garbage
      collection of ctypes objects.
    - gh-142451: hmac: correctly copy HMAC attributes for objects
      copied through HMAC.copy(). Patch by Bénédikt Tran.
    - gh-138122: The profiling.sampling flamegraph profiler now
      supports inverted flamegraph view that aggregates all leaf
      nodes. In a standard flamegraph, if a hot function is
      called from multiple locations, it appears multiple times
      as separate leaf nodes. In the inverted flamegraph, all
      occurrences of the same leaf function are merged into
      a single aggregated node at the root, showing the total
      hotness of that function in one place. The children of each
      aggregated node represent its callers, making it easier to
      identify which functions consume the most CPU time and
      where they are called from.
    - gh-112527: The help text for required options in argparse
      is no longer extended with “ (default: None)”.
    - gh-142438: Fixed a possible leaked GIL in
      _PySSL_keylog_callback.
    - gh-138122: Add bytecode-level instruction profiling to the
      sampling profiler via the new --opcodes flag. When enabled,
      the profiler captures which bytecode opcode is executing at
      each sample, including Python 3.11+ adaptive
      specializations, and visualizes this data in the heatmap,
      flamegraph, gecko, and live output formats. Patch by Pablo
      Galindo
    - gh-142389: Add backtick markup support in argparse
      description and epilog text to highlight inline code when
      color output is enabled.
    - gh-142346: Fix usage formatting for mutually exclusive
      groups in argparse when they are preceded by positional
      arguments or followed or intermixed with other optional
      arguments.
    - gh-142374: Fix cumulative percentage calculation for
      recursive functions in the new sampling profiler. When
      profiling recursive functions, cumulative statistics
      (cumul%, cumtime) could exceed 100% because each recursive
      frame in a stack was counted separately. For example,
      a function recursing 500 times in every sample would show
      50000% cumulative presence. The fix deduplicates locations
      within each sample so cumulative stats correctly represent
      “percentage of samples where this function was on the
      stack”. Patch by Pablo Galindo.
    - gh-142315: Pdb can now run scripts from anonymous pipes
      used in process substitution. Patch by Bartosz Sławecki.
    - gh-64532: Subparser help now includes required optional
      arguments from the parent parser in the usage, making it
      clearer what arguments are needed to run a subcommand.
      Patch by Savannah Ostrowski.
    - gh-142207: Fix: profiling.sampling may cause assertion
      !(has_gil && gil_requested)
    - gh-142332: Fix usage formatting for positional arguments in
      mutually exclusive groups in argparse.
    - gh-142282: Fix winreg.QueryValueEx() to not accidentally
      read garbage buffer under race condition.
    - gh-142318: Fix typing 'q' at the help of the interactive
      tachyon profiler exiting the profiler.
    - gh-75949: Fix argparse to preserve | separators in mutually
      exclusive groups when the usage line wraps due to length.
    - gh-142267: Improve argparse performance by caching the
      formatter used for argument validation.
    - gh-139862: Remove color parameter from
      argparse.HelpFormatter constructor. Color is controlled by
      ArgumentParser.
    - gh-68552: MisplacedEnvelopeHeaderDefect and Missing header
      name defects are now correctly passed to the handle_defect
      method of policy in FeedParser.
    - gh-142206: The resource tracker in the multiprocessing
      module can now understand messages from older versions of
      itself. This avoids issues with upgrading Python while it
      is running. (Note that such ‘in-place’ upgrades are not
      tested.)
    - gh-142214: Fix two regressions in dataclasses in Python
      3.14.1 related to annotations. An exception is no longer
      raised if slots=True is used and the __init__ method does
      not have an __annotate__ attribute (likely because
      init=False was used). An exception is no longer raised if
      annotations are requested on the __init__ method and one of
      the fields is not present in the class annotations. This
      can occur in certain dynamic scenarios. Patch by Jelle
      Zijlstra.
    - gh-142203: Remove the debug_override parameter from
      importlib.util.cache_from_source() which has been
      deprecated since Python 3.5.
    - gh-138122: The _remote_debugging module now implements
      frame caching in the RemoteUnwinder class to reduce memory
      reads when profiling remote processes. When
      cache_frames=True, unchanged portions of the call stack are
      reused from previous samples, significantly improving
      profiling performance for deep call stacks.
    - gh-116738: Fix cmath data race when initializing
      trigonometric tables with subinterpreters.
    - gh-141982: Allow pdb to set breakpoints on async functions
      with function names.
    - gh-74389: When the stdin being used by a subprocess.Popen
      instance is closed, this is now ignored in
      subprocess.Popen.communicate() instead of leaving the class
      in an inconsistent state.
    - gh-87512: Fix subprocess.Popen.communicate() timeout
      handling on Windows when writing large input. Previously,
      the timeout was ignored during stdin writing, causing the
      method to block indefinitely if the child process did not
      consume input quickly. The stdin write is now performed in
      a background thread, allowing the timeout to be properly
      enforced.
    - gh-141939: Add color to all interpolated values in argparse
      help, like %(default)s or %(choices)s. Patch by Alex
      Prengère.
    - gh-141473: When subprocess.Popen.communicate() was called
      with input and a timeout and is called for a second time
      after a TimeoutExpired exception before the process has
      died, it should no longer hang.
    - gh-141999: Correctly allow KeyboardInterrupt to stop the
      process when using profiling.sampling.
    - gh-142006: Fix a bug in the email.policy.default folding
      algorithm which incorrectly resulted in a doubled newline
      when a line ending at exactly max_line_length was followed
      by an unfoldable token.
    - gh-141968: Remove data copy from re compilation of regexes
      with large charsets by using bytearray.take_bytes().
    - gh-141968: Remove data copy from encodings.idna encode()
      and encode() by using bytearray.take_bytes().
    - gh-141968: Remove data copy from codecs punycode encoding
      by using bytearray.take_bytes().
    - gh-141968: Remove data copy from
      wave.Wave_read.readframes() and
      wave.Wave_write.writeframes() by using
      bytearray.take_bytes().
    - gh-141968: Remove a data copy from base64.b32decode() and
      base64.b32encode() by using bytearray.take_bytes().
    - gh-59000: Fix pdb breakpoint resolution for class methods
      when the module defining the class is not imported.
    - gh-116738: Fix thread safety issue with re scanner objects
      in free-threaded builds.
    - gh-138122: The profiling.sampling flamegraph profiler now
      displays thread status statistics showing the percentage of
      time threads spend holding the GIL, running without the
      GIL, waiting for the GIL, and performing garbage
      collection. These statistics help identify GIL contention
      and thread behavior patterns. When filtering by thread, the
      display shows per-thread metrics.
    - gh-141781: Fixed an issue where pdb.line_prefix assignment
      was ignored if assigned after the module was imported.
    - gh-141863: Update Streams to use bytearray.take_bytes() for
      an over 10% performance improvement on pyperformance
      asyncio_tcp benchmark.
    - gh-141817: Add socket.IPV6_HDRINCL constant.
    - gh-105836: Fix asyncio.run_coroutine_threadsafe() leaving
      underlying cancelled asyncio task running.
    - gh-141570: Support file-like object raising OSError from
      fileno() in color detection (_colorize.can_colorize()).
      This can occur when sys.stdout is redirected.
    - gh-141679: Add colour to defaults in argparse help. Patch
      by Hugo van Kemenade.
    - gh-141686: Break reference cycles created by each call to
      json.dump() or json.JSONEncoder.iterencode().
    - gh-141659: Fix bad file descriptor errors from
      _posixsubprocess on AIX.
    - gh-141645: Add a new --live mode to the tachyon profiler in
      profiling.sampling module. This mode consists of a live TUI
      that displays real-time profiling statistics as the target
      application runs, similar to top. Patch by Pablo Galindo.
    - gh-141615: Check stdin instead of stdout for use_rawinput
      in pdb.
    - gh-69113: Fix doctest to correctly report line numbers for
      doctests in __test__ dictionary when formatted as
      triple-quoted strings by finding unique lines in the string
      and matching them in the source file.
    - gh-141600: Fix musl version detection on Void Linux.
    - gh-48752: Add readline.get_pre_input_hook() function to
      retrieve the current pre-input hook. This allows
      applications to save and restore the hook without
      overwriting user settings. Patch by Sanyam Khurana.
    - gh-141565: Add async-aware profiling to the Tachyon
      sampling profiler. The profiler now reconstructs and
      displays async task hierarchies in flamegraphs, making the
      output more actionable for users. Patch by Savannah
      Ostrowski and Pablo Galindo Salgado.
    - gh-60107: Remove a copy from io.RawIOBase.read(). If the
      underlying I/O class keeps a reference to the mutable
      memory, raise a BufferError.
    - gh-116738: Make csv module thread-safe on the free threaded
      build.
    - gh-140911: collections: Ensure that the methods
      UserString.rindex() and UserString.index() accept
      collections.UserString instances as the sub argument.
    - gh-140875: Fix handling of unclosed character references
      (named and numerical) followed by the end of file in
      html.parser.HTMLParser with convert_charrefs=False.
    - gh-140677: Add heatmap visualization mode to the Tachyon
      sampling profiler. The new --heatmap output format provides
      a line-by-line view showing execution intensity with
      color-coded samples, inline statistics, and interactive
      call graph navigation between callers and callees.
    - gh-139946: Distinguish stdout and stderr when colorizing
      output in argparse module.
    - gh-76007: pydoc: Fix DeprecationWarning being raised when
      generating doc for stdlib modules.
    - gh-139686: Make importlib.reload no-op for lazy modules.
    - gh-138697: Fix inferring dest from a single-dash long
      option in argparse. If a short option and a single-dash
      long option are passed to add_argument(), dest is now
      inferred from the single-dash long option.
    - gh-138525: Add support for single-dash long options and
      alternate prefix characters in
      argparse.BooleanOptionalAction.
    - gh-79986: Add parsing for References and In-Reply-To
      headers to the email library that parses the header content
      as lists of message id tokens. This prevents them from
      being folded incorrectly.
    - gh-135559: Flag: a dir() on a Flag enumeration now shows
      non-canonical members (i.e. aliases).
    - gh-134453: Fixed subprocess.Popen.communicate() input=
      handling of memoryview instances that were non-byte shaped
      on POSIX platforms. Those are now properly cast to a byte
      shaped view instead of truncating the input. Windows
      platforms did not have this bug.
    - gh-127930: Add __all__ to tkinter.simpledialog.
    - gh-115952: Fix a potential memory denial of service in the
      pickle module. When reading pickled data received from an
      untrusted source, it could cause an arbitrary amount of
      memory to be allocated, even if the code that is allowed to
      execute is restricted by overriding the find_class()
      method. This could have led to symptoms including
      a MemoryError, swapping, out of memory (OOM) killed
      processes or containers, or even system crashes.
    - bpo-40350: Fix support for namespace packages in
      modulefinder.
  - Documentation
    - gh-141994: xml.sax.handler: Make Documentation of
      xml.sax.handler.feature_external_ges warn of opening up to
      external entity attacks. Patch by Sebastian Pipping.
  - Core and Builtins
    - gh-134584: Eliminate redundant refcounting from
      _STORE_ATTR_INSTANCE_VALUE.
    - gh-142718: JIT: Fix segfault caused by not flushing the
      stack to memory at side exits.
    - gh-142737: Tracebacks will be displayed in fallback mode
      even if io.open() is lost. Previously, this would crash the
      interpreter. Patch by Bartosz Sławecki.
    - gh-116738: Make the attributes in bz2 thread-safe on the
      free threaded build.
    - gh-134584: Eliminate redundant refcounting from
      _CALL_LIST_APPEND.
    - gh-142554: Fix a crash in divmod() when
      _pylong.int_divmod() does not return a tuple of length two
      exactly. Patch by Bénédikt Tran.
    - gh-142531: Fix a free-threaded GC performance regression.
      If there are many untracked tuples, the GC will run too
      often, resulting in poor performance. The fix is to include
      untracked tuples in the “long lived” object count. The
      number of frozen objects is also now included since the
      free-threaded GC must scan those too.
    - gh-142402: Fix reference counting when adjacent literal
      parts are merged while constructing
      string.templatelib.Template, preventing the displaced
      string object from leaking.
    - gh-116738: Make the attributes in zlib thread-safe on the
      free threaded build.
    - gh-142343: Fix SIGILL crash on m68k due to incorrect
      assembly constraint.
    - gh-142236: Improve the “Perhaps you forgot a comma?” syntax
      error for multi-line string concatenations to point to the
      last string instead of the first, making it easier to
      locate where the comma is missing. Patch by Pablo Galindo.
    - gh-142236: Fix incorrect keyword suggestions for syntax
      errors in traceback. The keyword typo suggestion mechanism
      would incorrectly suggest replacements when the extracted
      source code was incomplete rather than containing an actual
      typo. Patch by Pablo Galindo.
    - gh-142305: Decrease the size of the generated stencils and
      the runtime JIT code. Patch by Diego Russo.
    - gh-135379: Implement a limited form of register allocation
      known as “top of stack caching” in the JIT. It works by
      keeping 0-3 of the top items in the stack in registers. The
      code generator generates multiple versions of those uops
      that do not escape and are relatively small. During JIT
      compilation, the copy that produces the least memory
      traffic is selected, spilling or reloading values when
      needed.
    - gh-142276: Fix missing type watcher when promoting
      attribute loads to constants in the JIT. Patch by Ken Jin.
      Reproducer by Yuancheng Jiang.
    - gh-142218: Fix crash when inserting into a split table
      dictionary with a non str key that matches an existing key.
    - gh-141976: Check against abstract stack overflow in the JIT
      optimizer.
    - gh-97850: Remove all *.load_module() usage and definitions
      from the import system and importlib. The method has been
      deprecated in favor of importlib.abc.Loader.exec_module()
      since Python 3.4.
    - gh-142048: Fix quadratically increasing garbage collection
      delays in free-threaded build.
    - gh-65961: Stop setting __cached__ on modules.
    - gh-141770: Annotate anonymous mmap usage only when
      supported by the Linux kernel and if -X dev is used or
      Python is built in debug mode. Patch by Donghee Na.
    - gh-142029: Raise ModuleNotFoundError instead of crashing
      when a nonexistent module is used as a name in
      _imp.create_builtin().
    - gh-142029: Raise ValueError instead of crashing when empty
      string is used as a name in _imp.create_builtin().
    - gh-141976: Protect against specialization failures in the
      tracing JIT compiler for performance reasons.
    - gh-141861: Fix invalid memory read in the ENTER_EXECUTOR
      instruction.
    - gh-141930: When importing a module, use Python’s regular
      file object to ensure that writes to .pyc files are
      complete or an appropriate error is raised.
    - gh-138122: Add incomplete sample detection to prevent
      corrupted profiling data. Each thread state now contains an
      embedded base frame (sentinel at the bottom of the frame
      stack) with owner type FRAME_OWNED_BY_INTERPRETER. The
      profiler validates that stack unwinding terminates at this
      sentinel frame. Samples that fail to reach the base frame
      (due to race conditions, memory corruption, or other
      errors) are now rejected rather than being included as
      spurious data.
    - gh-120158: Fix inconsistent state when enabling or
      disabling monitoring events too many times.
    - gh-140638: Expose a "candidates" stat in gc.get_stats() and
      gc.callbacks.
    - gh-141780: Fix Py_mod_gil with API added in PEP 793:
      PyModule_FromSlotsAndSpec() and PyModExport hooks
    - gh-141732: Ensure the __repr__() for ExceptionGroup and
      BaseExceptionGroup does not change when the exception
      sequence that was originally passed in to its constructor is
      subsequently mutated.
    - gh-140638: Expose a "duration" stat in gc.get_stats() and
      gc.callbacks.
    - gh-139653: Only raise a RecursionError or trigger a fatal
      error if the stack pointer is both below the limit pointer
      and above the stack base. If outside of these bounds assume
      that it is OK. This prevents false positives when
      user-space threads swap stacks.
    - gh-41779: Allowed defining the __dict__ and __weakref__
      __slots__ for any class.
    - gh-139103: Improve multithreaded scaling of dataclasses on
      the free-threaded build.
    - gh-141589: Change backoff counter to use prime numbers
      instead of powers of 2. Use only 3 bits for counter and 13
      bits for value. This allows supporting values up to 8191.
      Patch by Mikhail Efimov.
    - gh-137007: Fix a bug during JIT compilation failure which
      caused garbage collection debug assertions to fail.
    - gh-132657: For the free-threaded build, avoid locking the
      set object for the __contains__ method.
    - gh-134584: Eliminate redundant refcounting from
      _CALL_STR_1.
    - gh-134584: Eliminate redundant refcounting from
      _CALL_BUILTIN_O.
    - gh-134584: Eliminate redundant refcounting from
      _CALL_TUPLE_1. Patch by Noam Cohen
  - C API
    - gh-142589: Fix
      PyUnstable_Object_IsUniqueReferencedTemporary() handling of
      tagged ints on the interpreter stack.
    - gh-142571: PyUnstable_CopyPerfMapFile() now checks that
      opening the file succeeded before flushing.
    - gh-142225: Fixed the PyABIInfo_VAR macro.
    - gh-141049: _PyObject_CallMethodId(), _PyObject_GetAttrId()
      and _PyUnicode_FromId() are deprecated since 3.15 and will
      be removed in 3.20. Instead, use
      PyUnicode_InternFromString() and cache the result in the
      module state, then call PyObject_CallMethod() or
      PyObject_GetAttr(). Patch by Victor Stinner.
    - gh-142163: Fix the HAVE_THREAD_LOCAL macro being defined
      without the Py_BUILD_CORE macro set after including
      Python.h.
    - gh-137422: Fix free threading race condition in
      PyImport_AddModuleRef(). It was previously possible for two
      calls to the function to return two different objects, only
      one of which was stored in sys.modules.
    - gh-141726: Add PyDict_SetDefaultRef() to the Stable ABI.
    - gh-140042: Removed the sqlite3_shutdown call that could
      cause closing connections for sqlite when used with
      multiple sub interpreters.
    - gh-141070: Add PyUnstable_Object_Dump() to dump an object
      to stderr. It should only be used for debugging. Patch by
      Victor Stinner.
    - gh-139165: Expose the functions Py_SIZE(), Py_IS_TYPE() and
      Py_SET_SIZE() in the Stable ABI.
  - Build
    - gh-131372: Add LDVERSION and EXE to the base_interpreter
      value of build-details.json.
    - gh-142454: When calculating the digest of the JIT stencils
      input, sort the hashed files by filenames before adding
      their content to the hasher. This ensures deterministic
      hash input and hence deterministic hash, independent of
      filesystem order.
    - gh-131372: build-details.py will only be installed as part
      of the main install (make install). make altinstall will no
      longer include it.
    - gh-142234: Allow --enable-wasm-dynamic-linking for WASI.
      While CPython doesn’t directly support it so
      external/downstream users do not have to patch in support
      for the flag.
    - gh-142050: Fixed a bug where JIT stencils produced on
      Windows contained debug data. Patch by Chris Eibl.
    - gh-141808: Do not generate the jit stencils twice in case
      of PGO builds on Windows.
    - gh-141926: RUNSHARED is no longer cleared when
      cross-compiling. Previously, RUNSHARED was cleared when
      cross-compiling, which breaks PGO when using
      --enable-shared on systems where the cross-compiled
      CPython is otherwise executable (e.g., via transparent
      emulation).
    - gh-141808: When running make clean-retain-profile, keep the
      generated JIT stencils. That way, the stencils are not
      generated twice when Profile-guided optimization (PGO) is
      used. It also allows distributors to supply their own
      pre-built JIT stencils.
    - gh-141784: Fix _remote_debugging_module.c compilation on
      32-bit Linux. Include Python.h before system headers to
      make sure that _remote_debugging_module.c uses the same
      types (ABI) as Python. Patch by Victor Stinner.
    - gh-141172: Update to WASI SDK 29.
    - gh-139707: Add configure option
      --with-missing-stdlib-config=FILE, which allows distributors
      to pass a JSON configuration file containing custom error
      messages for missing standard library modules.
    - gh-108819: Honor --with-platlibdir in the pure-Python
      standard library installation path, if PLATLIBDIR doesn’t
      match the value used in LIBDIR.
  - Tests
    - gh-140381: Fix flaky test_profiling tests on i686 and s390x
      architectures by increasing slow_fibonacci call frequency
      from every 5th iteration to every 2nd iteration.
    - gh-140210: Make
      test_sysconfig.test_parse_makefile_renamed_vars less
      fragile by clearing the environment variables before
      parsing the Makefile.
2025-12-19 17:49:47 +01:00
2544c41d2e Add CVE-2025-13836-http-resp-cont-len.patch (bsc#1254400, CVE-2025-13836)
Prevent reading an HTTP response from a server, if no read amount is
specified, with using Content-Length per default as the length.
2025-12-18 22:40:41 +01:00
Steve Kowalik
39c4b2a029 Update to Python 3.15.0~a2
Extremely long changelog omitted for clarity.
2025-12-10 14:50:34 +11:00
e52bc99839 Add CVE-2025-6075-expandvars-perf-degrad.patch
Avoid simple quadratic complexity vulnerabilities of
os.path.expandvars() (CVE-2025-6075, bsc#1252974).
Skip test_curses on ppc64le (gh#python/cpython#141534)
2025-11-29 15:38:03 +01:00
b563206f1a Remove unnecessary patch and note that the bug has been already fixed. 2025-11-13 14:34:49 +01:00
8825dfe9e6 Update list of skipped tests in qemu linux-user emulation 2025-11-10 20:53:45 +01:00
e4dc67aaa9 New subpackage profiling 2025-11-07 14:12:47 +01:00
179f7e291d Add CVE-2025-8291-consistency-zip64.patch 2025-11-07 00:46:04 +01:00
343b3f1136 - New development of new major version, update to 3.15.0~a1:
- Tools/Demos
    - gh-139330: SBOM generation tool didn’t cross-check
      the version and checksum values against the
      Modules/expat/refresh.sh script, leading to the values
      becoming out-of-date during routine updates.
    - gh-132006: XCframeworks now include privacy manifests to
      satisfy Apple App Store submission requirements.
    - gh-138171: A script for building an iOS XCframework was
      added. As part of this change, the top level iOS folder has
      been moved to be a subdirectory of the Apple folder.
    - gh-137873: The iOS test runner has been simplified,
      resolving some issues that have been observed using
      the runner in GitHub Actions and Azure Pipelines test
      environments.
    - gh-137484: Have Tools/wasm/wasi put the build Python into a
      directory named after the build triple instead of “build”.
    - gh-137025: The wasm_build.py script has been removed.
      Tools/wasm/emscripten and Tools/wasm/wasi should be used
      instead, as described in the Dev Guide.
    - gh-137248: Add a --logdir option to Tools/wasm/wasi for
      specifying where to write log files.
    - gh-137243: Have Tools/wasm/wasi detect a WASI SDK install
      in /opt when it was directly extracted from a release
      tarball.
    - gh-136251: Fixes and usability improvements for
      Tools/wasm/emscripten/web_example
    - gh-135968: Stubs for strip are now provided as part of an
      iOS install.
    - gh-135379: The cases generator no longer accepts type

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python315?expand=0&rev=3
2025-10-24 22:35:31 +00:00