------------------------------------------------------------------- Thu Nov 6 23:45:56 UTC 2025 - Matej Cepl - Add CVE-2025-8291-consistency-zip64.patch which checks consistency of the zip64 end of central directory record, and preventing obfuscation of the payload, i.e., you scanning for malicious content in a ZIP file with one ZIP parser (let's say a Rust one) then unpack it in production with another (e.g., the Python one) and get malicious content that the other parser did not see (CVE-2025-8291, bsc#1251305) ------------------------------------------------------------------- Fri Oct 24 21:45:47 UTC 2025 - Matej Cepl - New development of new major version, update to 3.15.0~a1: - Tools/Demos - gh-139330: SBOM generation tool didn’t cross-check the version and checksum values against the Modules/expat/refresh.sh script, leading to the values becoming out-of-date during routine updates. - gh-132006: XCframeworks now include privacy manifests to satisfy Apple App Store submission requirements. - gh-138171: A script for building an iOS XCframework was added. As part of this change, the top level iOS folder has been moved to be a subdirectory of the Apple folder. - gh-137873: The iOS test runner has been simplified, resolving some issues that have been observed using the runner in GitHub Actions and Azure Pipelines test environments. - gh-137484: Have Tools/wasm/wasi put the build Python into a directory named after the build triple instead of “build”. - gh-137025: The wasm_build.py script has been removed. Tools/wasm/emscripten and Tools/wasm/wasi should be used instead, as described in the Dev Guide. - gh-137248: Add a --logdir option to Tools/wasm/wasi for specifying where to write log files. - gh-137243: Have Tools/wasm/wasi detect a WASI SDK install in /opt when it was directly extracted from a release tarball. - gh-136251: Fixes and usability improvements for Tools/wasm/emscripten/web_example - gh-135968: Stubs for strip are now provided as part of an iOS install. - gh-135379: The cases generator no longer accepts type annotations on stack items. Conversions to non-default types are now done explicitly in bytecodes.c and optimizer_bytecodes.c. This will simplify code generation for top-of-stack caching and other future features. - gh-134215: REPL import autocomplete only suggests private modules when explicitly specified. - Tests - gh-139208: Fix regrtest --fast-ci --verbose: don’t ignore the --verbose option anymore. Patch by Victor Stinner. - gh-138313: Restore skipped test and add janky workaround to prevent select buildbots from failing with a ResourceWarning. - gh-135966: The iOS testbed now handles the app_packages folder as a site directory. - gh-135494: Fix regrtest to support excluding tests from --pgo tests. Patch by Victor Stinner. - gh-132815: Fix test__opcode: add JUMP_BACKWARD to specialization stats. - gh-135489: Show verbose output for failing tests during PGO profiling step with –enable-optimizations. - gh-135401: Add a new GitHub CI job to test the ssl module with AWS-LC as the backing cryptography and TLS library. - gh-135120: Add test.support.subTests(). - gh-134567: Expose log formatter to users in TestCase.assertLogs. unittest.TestCase.assertLogs() will now optionally accept a formatter that will be used to format the strings in output if provided. - gh-133744: Fix multiprocessing interrupt test. Add an event to synchronize the parent process with the child process: wait until the child process starts sleeping. Patch by Victor Stinner. - gh-133682: Fixed test case test.test_annotationlib.TestStringFormat.test_displays which ensures proper handling of complex data structures (lists, sets, dictionaries, and tuples) in string annotations. - gh-133639: Fix TestPyReplAutoindent.test_auto_indent_default() doesn’t run input_code. - Security - gh-139700: Check consistency of the zip64 end of central directory record. Support records with “zip64 extensible data” if there are no bytes prepended to the ZIP file. - gh-139400: xml.parsers.expat: Make sure that parent Expat parsers are only garbage-collected once they are no longer referenced by subparsers created by ExternalEntityParserCreate(). Patch by Sebastian Pipping. - gh-139283: sqlite3: correctly handle maximum number of rows to fetch in Cursor.fetchmany and reject negative values for Cursor.arraysize. Patch by Bénédikt Tran. - gh-136053: marshal: fix a possible crash when deserializing slice objects. - gh-135661: Fix parsing start and end tags in html.parser.HTMLParser according to the HTML5 standard. - Whitespaces no longer accepted between does not end the script section. - Vertical tabulation (\v) and non-ASCII whitespaces no longer recognized as whitespaces. The only whitespaces are \t\n\r\f and space. - Null character (U+0000) no longer ends the tag name. - Attributes and slashes after the tag name in end tags are now ignored, instead of terminating after the first > in quoted attribute value. E.g. . - Multiple slashes and whitespaces between the last attribute and closing > are now ignored in both start and end tags. E.g. . - Multiple = between attribute name and value are no longer collapsed. E.g. produces attribute “foo” with value “=bar”. - gh-135661: Fix CDATA section parsing in html.parser.HTMLParser according to the HTML5 standard: ] ]> and ]] > no longer end the CDATA section. Add private method _set_support_cdata() which can be used to specify how to parse <[CDATA[ — as a CDATA section in foreign content (SVG or MathML) or as a bogus comment in the HTML namespace. - gh-102555: Fix comment parsing in html.parser.HTMLParser according to the HTML5 standard. --!> now ends the comment. -- > no longer ends the comment. Support abnormally ended empty comments <--> and <--->. - gh-135462: Fix quadratic complexity in processing specially crafted input in html.parser.HTMLParser. End-of-file errors are now handled according to the HTML5 specs – comments and declarations are automatically closed, tags are ignored. - gh-118350: Fix support of escapable raw text mode (elements “textarea” and “title”) in html.parser.HTMLParser. - gh-135034: Fixes multiple issues that allowed tarfile extraction filters (filter="data" and filter="tar") to be bypassed using crafted symlinks and hard links. - Addresses CVE 2024-12718, CVE 2025-4138, CVE 2025-4330, and CVE 2025-4517. - gh-133767: Fix use-after-free in the “unicode-escape” decoder with a non-“strict” error handler. - gh-133623: Indicate through ssl.HAS_PSK_TLS13 whether the ssl module supports “External PSKs” in TLSv1.3, as described in RFC 9258. Patch by Will Childs-Klein. - gh-128840: Short-circuit the processing of long IPv6 addresses early in ipaddress to prevent excessive memory consumption and a minor denial-of-service. - Library - gh-139482: Optimize os.environ.clear() by calling clearenv(3) when this function is available. Patch by Victor Stinner. - gh-139958: The application/toml mime type is now supported by mimetypes. Patch by Gil Forcada. - gh-139823: ensurepip now fails with a nicer error message when the zlib module is not available. - gh-139905: Add suggestion to error message for typing.Generic subclasses when cls.__parameters__ is missing due to a parent class failing to call super().__init_subclass__() in its __init_subclass__. - gh-139894: Fix incorrect sharing of current task with the child process while forking in asyncio. Patch by Kumar Aditya. - gh-139845: Fix to not print KeyboardInterrupt twice in default asyncio REPL. - gh-139783: Fix inspect.getsourcelines() for the case when a decorator is followed by a comment or an empty line. - gh-139809: Prevent premature colorization of subparser prog in argparse.ArgumentParser.add_subparsers() to respect color environment variable changes after parser creation. - gh-139736: Fix excessive indentation in the default argparse HelpFormatter. Patch by Alexander Edland. - gh-70765: http.server: fix default handling of HTTP/0.9 requests in BaseHTTPRequestHandler. Previously, BaseHTTPRequestHandler.parse_request() incorrectly waited for headers in the request although those are not supported in HTTP/0.9. Patch by Bénédikt Tran. - gh-139322: Fix os.getlogin() error handling: fix the error number. Patch by Victor Stinner. - gh-135953: Add a Gecko format output to the tachyon profiler via --gecko. - gh-139184: os.forkpty() does now make the returned file descriptor non-inheritable. - gh-139391: Fix an issue when, on non-Windows platforms, it was not possible to gracefully exit a python -m asyncio process suspended by Ctrl+Z and later resumed by fg other than with kill. - gh-139374: timeit: Add color to error tracebacks. - gh-90949: Add SetBillionLaughsAttackProtectionActivationThreshold() and SetBillionLaughsAttackProtectionMaximumAmplification() to xmlparser objects to tune protections against billion laughs attacks. Patch by Bénédikt Tran. - gh-139312: Upgrade bundled libexpat to 2.7.3 - gh-139289: Do a real lazy-import on rlcompleter in pdb and restore the existing completer after importing rlcompleter. - gh-90949: Add SetAllocTrackerActivationThreshold() and SetAllocTrackerMaximumAmplification() to xmlparser objects to tune protections against disproportional amounts of dynamic memory usage from within an Expat parser. Patch by Bénédikt Tran. - gh-67795: Functions that take timestamp or timeout arguments now accept any real numbers (such as Decimal and Fraction), not only integers or floats, although this does not improve precision. - gh-95953: A CSS class, diff_changed, was added to the changed lines in the make_table output of difflib.HtmlDiff. Patch by Katie Gardner. - gh-139210: Fix use-after-free when reporting unknown event in xml.etree.ElementTree.iterparse(). Patch by Ken Jin. - gh-138860: Lazy import rlcompleter in pdb to avoid deadlock in subprocess. - gh-112729: Fix crash when calling concurrent.interpreters.create() when the process is out of memory. - gh-126016: Fix an assertion failure when sending KeyboardInterrupt to a Python process running a subinterpreter in a separate thread. - gh-118803: collections.abc.ByteString has been removed from collections.abc.__all__, and typing.ByteString has been removed from typing.__all__. The former has been deprecated since Python 3.12, and the latter has been deprecated since Python 3.9. Both classes are scheduled for removal in Python 3.17. - Additionally, the following statements now cause DeprecationWarnings to be emitted at runtime: from collections.abc import ByteString, from typing import ByteString, import collections.abc; collections.abc.ByteString and import typing; typing.ByteString. Both classes already caused DeprecationWarnings to be emitted if they were subclassed or used as the second argument to isinstance() or issubclass(), but they did not previously lead to DeprecationWarnings if they were merely imported or accessed from their respective modules. - gh-135729: Fix unraisable exception during finalization when using concurrent.interpreters in the REPL. - gh-139076: Fix a bug in the pydoc module that was hiding functions in a Python module if they were implemented in an extension module and the module did not have __all__. - gh-139090: Add os.RWF_DONTCACHE constant for Linux 6.14+. - gh-139065: Fix trailing space before a wrapped long word if the line length is exactly width in textwrap. - gh-139001: Fix race condition in pathlib.Path on the internal _raw_paths field. - gh-138813: multiprocessing.BaseProcess defaults kwargs to None instead of a shared dictionary. - gh-138998: Update bundled libexpat to 2.7.2 - gh-138993: Dedent credits text. - gh-118803: Add back collections.abc.ByteString and typing.ByteString. Both had been removed in prior alpha, beta and release candidates for Python 3.14, but their removal has now been postponed to Python 3.17. - gh-130567: Fix possible crash in locale.strxfrm() due to a platform bug on macOS. - gh-137226: Fix typing.get_type_hints() calls on generic typing.TypedDict classes defined with string annotations. - gh-138899: Executing quit command in pdb will raise bdb.BdbQuit when pdb is started from an asyncio console using breakpoint() or pdb.set_trace(). - gh-138804: Raise TypeError instead of AttributeError when an argument of incorrect type is passed to shlex.quote(). This restores the behavior of the function prior to 3.14. - gh-138779: Support device numbers larger than 2**63-1 for the st_rdev field of the os.stat_result structure. - gh-138682: Added symmetric difference support to collections.Counter objects. - gh-138712: Add os.NODEV. - gh-128636: Fix crash in PyREPL when os.environ is overwritten with an invalid value for mac - gh-138720: Fix an issue where io.BufferedWriter and io.BufferedRandom had different definitions of “closed” for close() and flush() which resulted in an exception when close called flush but flush thought the file was already closed. - gh-138706: Update unicodedata database to Unicode 17.0.0. - gh-76007: Deprecate __version__ from a number of standard library modules. Patch by Hugo van Kemenade. - gh-138535: Speed up os.stat() for files with reasonable timestamps. Contributed by Jeffrey Bosboom. - gh-116946: curses.panel: the type of curses.panel.new_panel() is now immutable. Patch by Bénédikt Tran. - gh-116946: zlib: the types of zlib.compressobj() and zlib.decompressobj() are now immutable. Patch by Bénédikt Tran. - gh-116946: os: the os.DirEntry type and the type of os.scandir() are now immutable. Patch by Bénédikt Tran. - gh-116946: tkinter: the types _tkinter.Tcl_Obj (wrapper for Tcl objects), _tkinter.tktimertoken (obtained by calling createtimerhandler() on a Tk application) and _tkinter.tkapp (the runtime type of Tk applications) are now immutable. Patch by Bénédikt Tran. - gh-138514: Raise ValueError when a multi-character string is passed to the echo_char parameter of getpass.getpass(). Patch by Benjamin Johnson. - gh-137706: Fix the partial evaluation of annotations that use typing.Annotated[T, x] where T is a forward reference. - gh-88375: Fix normalization of the robots.txt rules and URLs in the urllib.robotparser module. No longer ignore trailing ?. Distinguish raw special characters ?, = and & from the percent-encoded ones. - gh-138515: email is added to Emscripten build. - gh-99948: ctypes.util.find_library() now works in Emscripten build. - gh-111788: Fix parsing errors in the urllib.robotparser module. Don’t fail trying to parse weird paths. Don’t fail trying to decode non-UTF-8 robots.txt files. - gh-138432: zoneinfo.reset_tzpath() will now convert any os.PathLike objects it receives into strings before adding them to TZPATH. It will raise TypeError if anything other than a string is found after this conversion. If given an os.PathLike object that represents a relative path, it will now raise ValueError instead of TypeError, and present a more informative error message. - gh-132657: Improve the scaling of copy.copy() and copy.deepcopy() in the free-threading build. - gh-116946: The types of select.poll() and select.epoll() objects are now immutable. Patch by Bénédikt Tran. - gh-116946: The _random.Random C type is now immutable. Patch by Bénédikt Tran. - gh-57911: When extracting tar files on Windows, slashes in symlink targets will be replaced by backslashes to prevent corrupted links. - gh-138205: Removed the resize() method on platforms that don’t support the underlying syscall, instead of raising a SystemError. - gh-138008: Fix segmentation faults in the ctypes module due to invalid argtypes. Patch by Dung Nguyen. - gh-138252: ssl: SSLContext objects can now set client and server TLS signature algorithms. If Python has been built with OpenSSL 3.5 or later, SSLSocket objects can return the signature algorithms selected on a connection. - gh-138253: Add the block parameter in the put() and get() methods of the concurrent.interpreters queues for compatibility with the queue.Queue interface. - gh-60462: Fix locale.strxfrm() on Solaris (and possibly other platforms). - gh-138239: The REPL now highlights type as a soft keyword in type statements. - gh-78502: mmap.mmap now has a trackfd parameter on Windows; if it is False, the file handle corresponding to fileno will not be duplicated. - gh-138204: Forbid expansion of shared anonymous memory maps on Linux, which caused a bus error. - gh-138010: Fix an issue where defining a class with a @warnings.deprecated-decorated base class may not invoke the correct __init_subclass__() method in cases involving multiple inheritance. Patch by Brian Schubert. - gh-134716: Add support of regular expressions in the -W option and the PYTHONWARNINGS environment variable. - gh-138133: Prevent infinite traceback loop when sending CTRL^C to Python through strace. - gh-138122: Implement PEP 799 – A dedicated profiling package for organizing Python profiling tools. Patch by Pablo Galindo. - gh-138092: Fixed a bug in mmap.mmap.flush() where calling with only an offset parameter would fail. - gh-138044: Remove compatibility shim for deprecated parameter package in importlib.resources.files(). Patch by Semyon Moroz. - gh-86819: socket: Add missing constants for ISO-TP sockets. - gh-137884: Add threading.get_native_id() support for Illumos/Solaris. Patch by Yüce Tekol. - gh-134869: Fix an issue where pressing Ctrl+C during tab completion in the REPL would leave the autocompletion menu in a corrupted state. - gh-137840: typing.TypedDict now supports the closed and extra_items keyword arguments (as described in PEP 728) to control whether additional non-required keys are allowed and to specify their value type. - gh-132947: Applied changes to importlib.metadata from importlib_metadata 8.7, including dist now disallowed for EntryPoints.select; deferred imports for faster import times; added support for metadata with newlines (python/cpython#119650); and metadata() function now returns None when a metadata directory is present but no metadata is present. - gh-90548: Fix musl detection for platform.libc_ver() on Alpine Linux if compiled with –strip-all. - gh-137317: inspect.signature() now correctly handles classes that use a descriptor on a wrapped __init__() or __new__() method. Contributed by Yongyu Yan. - gh-137754: Fix import of the zoneinfo module if the C implementation of the datetime module is not available. - gh-125854: Improve error messages for invalid category in warnings.warn(). - gh-137729: locale.setlocale() now supports language codes with @-modifiers. @-modifier are no longer silently removed in locale.getlocale(), but included in the language code. - gh-73487: Speedup processing arguments (up to 1.5x) in the decimal module methods, that now using METH_FASTCALL calling convention. Patch by Sergey B Kirpichev. - gh-137634: Calendar pages generated by the calendar.HTMLCalendar class now support dark mode and have been migrated to the HTML5 standard for improved accessibility. - gh-137630: The _interpreters module now uses Argument Clinic to parse arguments. Patch by Adam Turner. - gh-137583: Fix a deadlock introduced in 3.13.6 when a call to ssl.SSLSocket.recv was blocked in one thread, and then another method on the object (such as ssl.SSLSocket.send) was subsequently called in another thread. - gh-92936: Update regex used by http.cookies.SimpleCookie to handle values containing double quotes. - gh-137426: Remove the code deprecation of importlib.abc.ResourceLoader. It is documented as deprecated, but left for backwards compatibility with other classes in importlib.abc. - gh-137490: Handle ECANCELED in the same way as EINTR in signal.sigwaitinfo() on NetBSD. - gh-137512: Add new constants in the resource module: RLIMIT_NTHR, RLIMIT_UMTXP, RLIMIT_PIPEBUF, RLIMIT_THREADS, RLIM_SAVED_CUR, and RLIM_SAVED_MAX. - gh-137044: resource.RLIM_INFINITY is now always a positive integer. On all supported platforms, it is larger than any limited resource value, which simplifies comparison of the resource values. Previously, it could be negative, such as -1 or -3, depending on platform. - gh-137477: Fix inspect.getblock(), inspect.getsourcelines() and inspect.getsource() for generator expressions. - gh-137481: Calendar uses the lengths of the locale’s weekdays to decide if the width requires abbreviation. - gh-137466: Remove undocumented glob.glob0() and glob.glob1() functions, which have been deprecated since Python 3.13. Use glob.glob() and pass a directory to its root_dir argument instead. - gh-137044: Return large limit values as positive integers instead of negative integers in resource.getrlimit(). Accept large values and reject negative values (except RLIM_INFINITY) for limits in resource.setrlimit(). - gh-115766: Fix ipaddress.IPv4Interface.is_unspecified. - gh-75989: tarfile.TarFile.extractall() and tarfile.TarFile.extract() now overwrite symlinks when extracting hardlinks. (Contributed by Alexander Enrique Urieles Nieto in gh-75989.) - gh-137017: Fix threading.Thread.is_alive to remain True until the underlying OS thread is fully cleaned up. This avoids false negatives in edge cases involving thread monitoring or premature threading.Thread.is_alive calls. - gh-137273: Fix debug assertion failure in locale.setlocale() on Windows. - gh-137191: Fix how type parameters are collected, when typing.Protocol are specified with explicit parameters. Now, typing.Generic and typing.Protocol always dictate the parameter number and parameter ordering of types. Previous behavior was a bug. - gh-137282: Fix tab completion and dir() on concurrent.futures. - gh-137257: Bump the version of pip bundled in ensurepip to version 25.2 - gh-137239: heapq: Update heapq.__all__ with *_max functions. - gh-124503: ast.literal_eval() is 10-20% faster for small inputs. - gh-137226: Fix behavior of annotationlib.ForwardRef.evaluate() when the type_params parameter is passed and the name of a type param is also present in an enclosing scope. - gh-137197: SSLContext objects can now set TLS 1.3 cipher suites via set_ciphersuites(). - gh-81325: tarfile.TarFile now accepts a path-like when working on a tar archive. (Contributed by Alexander Enrique Urieles Nieto in gh-81325.) - gh-137185: Fix a potential async-signal-safety issue in faulthandler when printing C stack traces. - gh-133951: Remove lib64-lib symlink creation when creating new virtual environments in venv module - gh-130522: Fix unraisable TypeError raised during interpreter shutdown in the threading module. - gh-137059: Fix handling of file URLs with a Windows drive letter in the URL authority by urllib.request.url2pathname(). This fixes a regression in earlier pre-releases of Python 3.14. - gh-136980: Remove unused C tracing code in bdb for event type c_call, c_return and c_exception - gh-130577: tarfile now validates archives to ensure member offsets are non-negative. (Contributed by Alexander Enrique Urieles Nieto in gh-130577.) - gh-136170: Removed the unreleased zipfile.ZipFile.data_offset property added in 3.14.0a7 as it wasn’t fully clear which behavior it should have in some situations so the result was not always what a user might expect. - gh-121237: Support %:z directive for datetime.datetime.strptime(), datetime.time.strptime() and time.strptime(). Patch by Lucas Esposito and Semyon Moroz. - gh-136929: Ensure that hash functions guaranteed to be always available exist as attributes of hashlib even if they will not work at runtime due to missing backend implementations. For instance, hashlib.md5 will no longer raise AttributeError if OpenSSL is not available and Python has been built without MD5 support. Patch by Bénédikt Tran. - gh-124621: pyrepl now works in Emscripten. - gh-136914: Fix retrieval of doctest.DocTest.lineno for objects decorated with functools.cache() or functools.cached_property. - gh-136912: hmac.digest() now properly handles large keys and messages by falling back to the pure Python implementation when necessary. Patch by Bénédikt Tran. - gh-83424: Allows creating a ctypes.CDLL without name when passing a handle as an argument. - gh-135228: When dataclasses replaces a class with a slotted dataclass, the original class can now be garbage collected again. Earlier changes in Python 3.14 caused this class to always remain in existence together with the replacement class synthesized by dataclasses. - gh-136874: Discard URL query and fragment in urllib.request.url2pathname(). - gh-136787: hashlib: improve exception messages when a hash algorithm is not recognized, blocked by the current security policy or incompatible with the desired operation (for instance, using HMAC with SHAKE). Patch by Bénédikt Tran. - gh-130645: Enable color help by default in argparse. - gh-131724: In http.client, a new max_response_headers keyword-only parameter has been added to HTTPConnection and HTTPSConnection constructors. This parameter sets the maximum number of allowed response headers, helping to prevent denial-of-service attacks. - gh-135427: With -Werror, the DeprecationWarning emitted by os.fork() and os.forkpty() in mutli-threaded processes is now raised as an exception. Previously it was silently ignored. Patch by Rani Pinchuk. - gh-136234: Fix asyncio.WriteTransport.writelines() to be robust to connection failure, by using the same behavior as write(). - gh-53144: encodings.aliases: Add latin_N aliases - gh-136669: _asyncio is now statically linked for improved performance. - gh-136134: SMTP.auth_cram_md5() now raises an SMTPException instead of a ValueError if Python has been built without MD5 support. In particular, SMTP clients will not attempt to use this method even if the remote server is assumed to support it. Patch by Bénédikt Tran. - gh-136134: IMAP4.login_cram_md5 now raises an IMAP4.error if CRAM-MD5 authentication is not supported. Patch by Bénédikt Tran. - gh-136591: _hashlib: avoid using deprecated functions ERR_func_error_string and EVP_MD_CTX_md when using OpenSSL 3.0 and later. Patch by Bénédikt Tran. - gh-136571: datetime.date.fromisocalendar() can now raise OverflowError for out of range arguments. - gh-136549: Fix signature of threading.excepthook(). - gh-136492: Expose PEP 667’s FrameLocalsProxyType in the types module. - gh-83336: utf8_sig is now aliased to encodings.utf_8_sig - gh-136523: Fix wave.Wave_write emitting an unraisable when open raises. - gh-136507: Fix mimetypes CLI to handle multiple file parameters. - gh-52876: Add missing keepends (default True) parameter to codecs.StreamReaderWriter.readline() and codecs.StreamReaderWriter.readlines(). - gh-136470: Correct concurrent.futures.InterpreterPoolExecutor’s default thread name. - gh-136476: Fix a bug that was causing the get_async_stack_trace function to miss some frames in the stack trace. - gh-136434: Fix docs generation of UnboundItem in concurrent.interpreters when running with -OO. - gh-136380: Raises AttributeError when accessing concurrent.futures.InterpreterPoolExecutor and subinterpreters are not available. - gh-72327: Suggest using the system command prompt when pip install is typed into the REPL. Patch by Tom Viner, Richard Si, and Brian Schubert. - gh-135953: Implement a new high-frequency runtime profiler that leverages the existing remote debugging functionality to collect detailed execution statistics from running Python processes. This tool is exposed in the profile.sample module and enables non-intrusive observation of production applications by attaching to already-running processes without requiring any code modifications, restarts, or special startup flags. The observer can perform extremely high-frequency sampling of stack traces and interpreter state, providing detailed runtime execution analysis of live applications. - gh-136021: Make type_params parameter required in typing._eval_type() after a deprecation period for not providing this parameter. Also remove the DeprecationWarning for the old behavior. - gh-136286: Fix pickling failures for protocols 0 and 1 for many objects related to subinterpreters. - gh-136047: Fix issues with typing when the C implementation of abc is not available. - gh-136316: Improve support for evaluating nested forward references in typing.evaluate_forward_ref(). - gh-136306: ssl can now get and set groups used for key agreement. - gh-136156: tempfile.TemporaryFile() no longer uses os.O_EXCL with os.O_TMPFILE, so it’s possible to use linkat() on the file descriptor. Patch by Victor Stinner. - gh-133982: Update Python implementation of io.BytesIO to be thread safe. - gh-136193: Improve TypeError error message, when richcomparing two types.SimpleNamespace objects. - gh-136097: Fix potential infinite recursion and KeyError in sysconfig --generate-posix-vars. - gh-85702: If zoneinfo._common.load_tzdata is given a package without a resource a zoneinfo.ZoneInfoNotFoundError is raised rather than a PermissionError. Patch by Victor Stinner. - gh-90733: Improve error messages when reporting invalid parameters in hashlib.scrypt(). Patch by Bénédikt Tran. - gh-134759: Fix UnboundLocalError in email.message.Message.get_payload() when the payload to decode is a bytes object. Patch by Kliment Lamonov. - gh-136028: Fix parsing month names containing “İ” (U+0130, LATIN CAPITAL LETTER I WITH DOT ABOVE) in time.strptime(). This affects locales az_AZ, ber_DZ, ber_MA and crh_UA. - gh-87135: Acquiring a threading.Lock or threading.RLock at interpreter shutdown will raise PythonFinalizationError if Python can determine that it would otherwise deadlock. - gh-135995: In the palmos encoding, make byte 0x9b decode to › (U+203A - SINGLE RIGHT-POINTING ANGLE QUOTATION MARK). - gh-105456: Removed sre_compile, sre_constants and sre_parse modules. - gh-53203: Fix time.strptime() for %c and %x formats on locales byn_ER, wal_ET and lzh_TW, and for %X format on locales ar_SA, bg_BG and lzh_TW. - gh-135878: Fixes a crash of types.SimpleNamespace on free threading builds, when several threads were calling its __repr__() method at the same time. - gh-135853: Add math.fmax() and math.fmin() to get the larger and smaller of two floating-point values. Patch by Bénédikt Tran. - gh-135836: Fix IndexError in asyncio.loop.create_connection() that could occur when non-OSError exception is raised during connection and socket’s close() raises OSError. - gh-135853: math: expose C99 signbit() function to determine whether the sign bit of a floating-point value is set. Patch by Bénédikt Tran. - gh-134531: hmac: use the EVP_MAC(3ssl) interface for HMAC when Python is built with OpenSSL 3.0 and later instead of the deprecated HMAC_CTX(3ssl) interface. Patch by Bénédikt Tran. - gh-135836: Fix IndexError in asyncio.loop.create_connection() that could occur when the Happy Eyeballs algorithm resulted in an empty exceptions list during connection attempts. - gh-135855: Raise TypeError instead of SystemError when _interpreters.set___main___attrs() is passed a non-dict object. Patch by Brian Schubert. - gh-135823: netrc: improve the error message when the security check for the ownership of the default configuration file ~/.netrc fails. Patch by Bénédikt Tran. - gh-135815: netrc: skip security checks if os.getuid() is missing. Patch by Bénédikt Tran. - gh-135640: Address bug where it was possible to call xml.etree.ElementTree.ElementTree.write() on an ElementTree object with an invalid root element. This behavior blanked the file passed to write if it already existed. - gh-90117: Speed up pprint for list and tuple. - gh-135759: hashlib: reject negative digest lengths in OpenSSL-based SHAKE objects by raising a ValueError. Previously, negative lengths were implicitly rejected by raising a MemoryError or a SystemError. Patch by Bénédikt Tran. - gh-123471: Make concurrent iterations over itertools.chain safe under free threading. - gh-135645: Added supports_isolated_interpreters field to sys.implementation. - gh-135646: Raise consistent NameError exceptions in annotationlib.ForwardRef.evaluate() - gh-135557: Fix races on heapq updates and list reads on the free threaded build. - gh-119180: Only fetch globals and locals if necessary in annotationlib.get_annotations() - gh-135561: Fix a crash on DEBUG builds when an HACL* HMAC routine fails. Patch by Bénédikt Tran. - gh-135386: Fix opening a dbm.sqlite3 database for reading from read-only file or directory. - gh-135444: Fix asyncio.DatagramTransport.sendto() to account for datagram header size when data cannot be sent. - gh-65697: configparser’s error message when attempting to write an invalid key is now more helpful. - gh-135497: Fix os.getlogin() failing for longer usernames on BSD-based platforms. - gh-135487: Fix reprlib.Repr.repr_int() when given integers with more than sys.get_int_max_str_digits() digits. Patch by Bénédikt Tran. - gh-135429: Fix the argument mismatch in _lsprof for PY_THROW event. - gh-135368: Fix unittest.mock.Mock generation on dataclasses.dataclass() objects. Now all special attributes are set as it was before gh-124429. - gh-135336: json now encodes strings up to 2.2x faster if they consist solely of characters that don’t require escaping. - gh-135335: multiprocessing: Flush stdout and stderr after preloading modules in the forkserver. - gh-126631: Fix multiprocessing forkserver bug which prevented __main__ from being preloaded. - gh-133967: Do not normalize locale name ‘C.UTF-8’ to ‘en_US.UTF-8’. - gh-130870: Preserve types.GenericAlias subclasses in typing.get_type_hints() - gh-135321: Raise a correct exception for values greater than 0x7fffffff for the BINSTRING opcode in the C implementation of pickle. - gh-121914: Changed the names of the symbol tables for lambda expressions and generator expressions to “” and “” respectively to avoid conflicts with user-defined names. - gh-135276: Synchronized zipfile.Path with zipp 3.23, including improved performance of zipfile.Path.open() for non-reading modes, rely on functools.cached_property() to cache values on the instance. Rely on save_method_args to save the initialization method arguments. Fixed .name, .stem and other basename-based properties on Windows when working with a zipfile on disk. - gh-135234: hashlib: improve exception messages when an OpenSSL function failed. When memory allocation fails on OpenSSL’s side, a MemoryError is raised instead of a ValueError. Patch by Bénédikt Tran. - gh-135244: uuid: when the MAC address cannot be determined, the 48-bit node ID is now generated with a cryptographically-secure pseudo-random number generator (CSPRNG) as per RFC 9562, §6.10.3. This affects uuid1() and uuid6(). - gh-135241: The INT opcode of the C accelerator _pickle module was updated to look only for “00” and “01” to push booleans onto the stack, aligning with the Python pickle module. - gh-133934: Improve sqlite3 CLI’s .help message. - gh-135069: Fix the “Invalid error handling” exception in encodings.idna.IncrementalDecoder to correctly replace the ‘errors’ parameter. - gh-130662: +Accept leading zeros in precision and width fields for +:class:Decimal formatting, for example format(Decimal(1.25), '.016f'). - gh-130662: Accept leading zeros in precision and width fields for Fraction formatting, for example format(Fraction(1, 3), '.016f'). - gh-135004: Rewrite and cleanup the internal _blake2 module. Some exception messages were changed but their types were left untouched. Patch by Bénédikt Tran. - gh-134953: Expand _colorize theme with keyword_constant and implement in repl. - gh-134978: hashlib: Supporting the string keyword parameter in hash function constructors such as new() or the direct hash-named constructors such as md5() and sha256() is now deprecated and slated for removal in Python 3.19. Prefer passing the initial data as a positional argument for maximum backwards compatibility. Patch by Bénédikt Tran. - gh-134970: Fix the “unknown action” exception in argparse.ArgumentParser.add_argument_group() to correctly replace the action class. - gh-134718: By default, omit optional Load() values in ast.dump(). - gh-134718: ast.dump() now only omits None and [] values if they are default values. - gh-134939: Add the concurrent.interpreters module. See PEP 734. - gh-108885: Run each example as a subtest in unit tests synthesized by doctest.DocFileSuite() and doctest.DocTestSuite(). Add the doctest.DocTestRunner.report_skip() method. - gh-134885: Fix possible crash in the compression.zstd module related to setting parameter types. Patch by Jelle Zijlstra. - gh-134857: Improve error report for doctests run with unittest. Remove doctest module frames from tracebacks and redundant newline character from a failure message. - gh-128840: Fix parsing long IPv6 addresses with embedded IPv4 address. - gh-133579: curses: Consistently report failures of curses C API calls in module-level methods by raising a curses.error. This affects assume_default_colors(), baudrate(), cbreak(), echo(), longname(), initscr(), nl(), raw(), termattrs(), termname() and unctrl(). Patch by Bénédikt Tran. - gh-133579: curses.window.refresh() and curses.window.noutrefresh() now raise a TypeError instead of curses.error when called with an incorrect number of arguments for pads. Patch by Bénédikt Tran. - gh-133579: curses.window: Consistently report failures of curses C API calls in Window methods by raising a curses.error. This affects addch(), addnstr(), addstr(), border(), box(), chgat(), getbkgd(), inch(), insstr() and insnstr(). Patch by Bénédikt Tran. - gh-134771: The time_clockid_converter() function now selects correct type for clockid_t on Cygwin which fixes a build error. - gh-134637: Fix performance regression in calling a ctypes function pointer in free threading. - gh-134696: Built-in HACL* and OpenSSL implementations of hash function constructors now correctly accept the same documented named arguments. For instance, md5() could be previously invoked as md5(data=data) or md5(string=string) depending on the underlying implementation but these calls were not compatible. Patch by Bénédikt Tran. - gh-132710: If possible, ensure that uuid.getnode() returns the same result even across different processes. Previously, the result was constant only within the same process. Patch by Bénédikt Tran. - gh-134531: _hashlib: Rename internal C functions for _hashlib.HASH and _hashlib.HASHXOF objects. Patch by Bénédikt Tran. - gh-134698: Fix a crash when calling methods of ssl.SSLContext or ssl.SSLSocket across multiple threads. - gh-134151: email: Fix TypeError in email.utils.decode_params() when sorting RFC 2231 continuations that contain an unnumbered section. - gh-134635: zlib: Allow to combine Adler-32 and CRC-32 checksums via adler32_combine() and crc32_combine(). Patch by Callum Attryde and Bénédikt Tran. - gh-134657: asyncio: Remove some private names from asyncio.__all__. - gh-134210: curses.window.getch() now correctly handles signals. Patch by Bénédikt Tran. - gh-80334: multiprocessing.freeze_support() now checks for work on any “spawn” start method platform rather than only on Windows. - gh-134582: Fix tokenize.untokenize() round-trip errors related to t-strings braces escaping - gh-134580: Improved the styling of HTML diff pages generated by the difflib.HtmlDiff class, and migrated the output to the HTML5 standard. - gh-134565: unittest.doModuleCleanups() no longer swallows all but first exception raised in the cleanup code, but raises a ExceptionGroup if multiple errors occurred. - gh-134546: Ensure pdb remote debugging script is readable by remote Python process. - gh-134451: Converted asyncio.tools.CycleFoundException from dataclass to a regular exception type. - gh-114177: Fix asyncio to not close subprocess pipes which would otherwise error out when the event loop is already closed. - gh-90871: Fixed an off by one error concerning the backlog parameter in create_unix_server(). Contributed by Christian Harries. - gh-134323: Fix the threading.RLock.locked() method. - gh-86802: Fixed asyncio memory leak in cancelled shield tasks. For shielded tasks where the shield was cancelled, log potential exceptions through the exception handler. Contributed by Christian Harries. - gh-71189: Add support of the all-but-last mode in os.path.realpath(). - gh-72902: Improve speed (x1.1-1.8) of the Fraction constructor for typical inputs (float’s, Decimal’s or strings). - gh-134209: curses: The curses.window.instr() and curses.window.getstr() methods now allocate their internal buffer on the heap instead of the stack; in addition, the max buffer size is increased from 1023 to 2047. - gh-88994: Change datetime.datetime.now() to half-even rounding for consistency with datetime.datetime.fromtimestamp(). Patch by John Keith Hohm. - gh-80184: The default queue size is now socket.SOMAXCONN for socketserver.TCPServer. - gh-132983: Add compression.zstd version information to test.pythoninfo. - gh-134235: Updated tab completion on REPL to include builtin modules. Contributed by Tom Wang, Hunter Young - gh-134152: Fixed UnboundLocalError that could occur during email header parsing if an expected trailing delimiter is missing in some contexts. - gh-134152: email: Fix parsing of email message ID with invalid domain. - gh-134168: http.server: Fix IPv6 address binding and --directory handling when using HTTPS. - gh-62184: Remove import of C implementation of io.FileIO from Python implementation which has its own implementation - gh-134087: Remove support for arbitrary positional or keyword arguments in the C implementation of threading.RLock objects. This was deprecated since Python 3.14. Patch by Bénédikt Tran. - gh-134173: Speed up asyncio performance of transferring state from thread pool concurrent.futures.Future by up to 4.4x. Patch by J. Nick Koston. - gh-133982: Emit RuntimeWarning in the Python implementation of io when the file-like object is not closed explicitly in the presence of multiple I/O layers. - gh-133890: The tarfile module now handles UnicodeEncodeError in the same way as OSError when cannot extract a member. - gh-134097: Fix interaction of the new REPL and -X showrefcount command line option. - gh-133889: The generated directory listing page in http.server.SimpleHTTPRequestHandler now only shows the decoded path component of the requested URL, and not the query and fragment. - gh-134098: Fix handling paths that end with a percent-encoded slash (%2f or %2F) in http.server.SimpleHTTPRequestHandler. - gh-132124: On POSIX-compliant systems, multiprocessing.util.get_temp_dir() now ignores TMPDIR (and similar environment variables) if the path length of AF_UNIX socket files exceeds the platform-specific maximum length when using the forkserver start method. Patch by Bénédikt Tran. - gh-134062: ipaddress: fix collisions in __hash__() for IPv4Network and IPv6Network objects. - gh-134004: shelve as well as underlying dbm.dumb and dbm.sqlite now have reorganize() methods to recover unused free space previously occupied by deleted entries. - gh-133970: Make string.templatelib.Template and string.templatelib.Interpolation generic. - gh-71253: Raise ValueError in open() if opener returns a negative file-descriptor in the Python implementation of io to match the C implementation. - gh-133960: Simplify and improve typing.evaluate_forward_ref(). It now no longer raises errors on certain invalid types. In several situations, it is now able to evaluate forward references that were previously unsupported. - gh-133925: Make the private class typing._UnionGenericAlias hashable. - gh-133604: Remove platform.java_ver() which was deprecated since Python 3.13. - gh-133875: Removed deprecated pathlib.PurePath.is_reserved(). Use os.path.isreserved() to detect reserved paths on Windows. - gh-133873: Remove the deprecated getmark(), setmark() and getmarkers() methods of the Wave_read and Wave_write classes, which were deprecated since Python 3.13. Patch by Bénédikt Tran. - gh-133866: Remove the undocumented function ctypes.SetPointerType(), which has been deprecated since Python 3.13. Patch by Bénédikt Tran. - gh-133823: Remove support for TD = TypedDict("TD") and TD = TypedDict("TD", None) calls for constructing typing.TypedDict objects with zero field. Patch by Bénédikt Tran. - gh-125996: Fix thread safety of collections.OrderedDict. Patch by Kumar Aditya. - gh-133817: Remove support for creating NamedTuple classes via the undocumented keyword argument syntax. Patch by Bénédikt Tran. - gh-133653: Fix argparse.ArgumentParser with the formatter_class argument. Fix TypeError when formatter_class is a custom subclass of HelpFormatter. Fix TypeError when formatter_class is not a subclass of HelpFormatter and non-standard prefix_char is used. Fix support of colorizing when formatter_class is not a subclass of HelpFormatter. - gh-133810: Remove http.server.CGIHTTPRequestHandler and --cgi flag from the python -m http.server command-line interface. They were deprecated in Python 3.13. Patch by Bénédikt Tran. - gh-132641: Fixed a race in functools.lru_cache() under free-threading. - gh-133783: Fix bug with applying copy.replace() to ast objects. Attributes that default to None were incorrectly treated as required for manually created AST nodes. - gh-133684: Fix bug where annotationlib.get_annotations() would return the wrong result for certain classes that are part of a class hierarchy where from __future__ import annotations is used. - gh-77057: Fix handling of invalid markup declarations in html.parser.HTMLParser. - gh-130328: Speedup pasting in PyREPL on Windows in a legacy console. Patch by Chris Eibl. - gh-133701: Fix bug where typing.TypedDict classes defined under from __future__ import annotations and inheriting from another TypedDict had an incorrect __annotations__ attribute. - gh-133656: Remove deprecated zipimport.zipimporter.load_module(). Use zipimport.zipimporter.exec_module() instead. - gh-133722: Added a color option to difflib.unified_diff() that colors output similar to git diff. - gh-133489: random.getrandbits() can now generate more that 231 bits. random.randbytes() can now generate more that 256 MiB. - gh-133595: Clean up sqlite3.Connection APIs. All parameters of sqlite3.connect() except database are now keyword-only. The first three parameters of methods create_function() and create_aggregate() are now positional-only. The first parameter of methods set_authorizer(), set_progress_handler() and set_trace_callback() is now positional-only. - gh-133581: Improve unparsing of t-strings in ast.unparse() and from __future__ import annotations. Empty t-strings now round-trip correctly and formatting in interpolations is preserved. Patch by Jelle Zijlstra. - gh-133577: Add parameter formatter to logging.basicConfig(). - gh-92897: Removed the check_home parameter from sysconfig.is_python_build(), deprecated since Python 3.12. - gh-133551: Support t-strings (PEP 750) in annotationlib. Patch by Jelle Zijlstra. - gh-133517: Remove os.listdrives(), os.listvolumes() and os.listmounts() in non Windows desktop builds since the underlying functionality is missing. - gh-133439: Fix dot commands with trailing spaces are mistaken for multi-line SQL statements in the sqlite3 command-line interface. - gh-133447: Add basic color to sqlite3 CLI interface. - gh-133253: Fix thread-safety issues in linecache. - gh-133390: Support keyword completion in the sqlite3 command-line interface and add sqlite3.SQLITE_KEYWORDS constant. - gh-132493: Avoid accessing __annotations__ unnecessarily in inspect.signature(). - gh-133017: Improve the error message of multiprocessing.sharedctypes.Array(), multiprocessing.sharedctypes.RawArray(), multiprocessing.sharedctypes.Value() and multiprocessing.sharedctypes.RawValue() when an invalid typecode is passed. Patch by Tomas Roun - gh-132813: Improve error messages for incorrect types and values of csv.Dialect attributes. - gh-132969: Prevent the ProcessPoolExecutor executor thread, which remains running when shutdown(wait=False), from attempting to adjust the pool’s worker processes after the object state has already been reset during shutdown. A combination of conditions, including a worker process having terminated abormally, resulted in an exception and a potential hang when the still-running executor thread attempted to replace dead workers within the pool. - gh-132876: ldexp() on Windows doesn’t round subnormal results before Windows 11, but should. Python’s math.ldexp() wrapper now does round them, so results may change slightly, in rare cases of very small results, on Windows versions before 11. - gh-133009: xml.etree.ElementTree: Fix a crash in Element.__deepcopy__ when the element is concurrently mutated. Patch by Bénédikt Tran. - gh-132908: Add math.isnormal() and math.issubnormal() functions. Patch by Sergey B Kirpichev. - gh-95380: fcntl.fcntl() and fcntl.ioctl(): Remove the 1024 bytes limit on the size of not mutated bytes-like argument. - gh-122781: Fix %z directive in datetime.datetime.strptime() to allow for no provided offset as was documented. - gh-123471: Make concurrent iterations over itertools.combinations and itertools.product safe under free-threading. - gh-127081: Fix libc thread safety issues with dbm by performing stateful operations in critical sections. - gh-127081: Fix libc thread safety issues with os by replacing getlogin with getlogin_r re-entrant version. - gh-127081: Fix libc thread safety issues with pwd by locking access to getpwall. - gh-132551: Make io.BytesIO safe in free-threaded build. - gh-107583: Fix Flag inversion when flag set has missing values (IntFlag still flips all bits); fix negative assigned values during flag creation (both Flag and IntFlag ignore missing values). - gh-87790: Support underscore and comma as thousands separators in the fractional part for Fraction’s formatting. Patch by Sergey B Kirpichev. - gh-87790: Support underscore and comma as thousands separators in the fractional part for Decimal’s formatting. Patch by Sergey B Kirpichev. - gh-131884: Fix formatting issues in json.dump() when both indent and skipkeys are used. - gh-131788: Make ResourceTracker.send from multiprocessing re-entrant safe - gh-91349: Adjust default compressionlevel= to 6 (down from 9) in gzip and tarfile. It is the default level used by most compression tools and a better tradeoff between speed and performance. - gh-131146: Fix calendar.TextCalendar, calendar.HTMLCalendar, and the calendar CLI to display month names in the nominative case by adding calendar.standalone_month_name and calendar.standalone_month_abbr, which provide month names and abbreviations in the grammatical form used when a month name stands by itself, if the locale supports it. - gh-123471: Make concurrent iterations over itertools.cycle safe under free-threading. - gh-130664: Handle corner-case for Fraction’s formatting: treat zero-padding (preceding the width field by a zero ('0') character) as an equivalent to a fill character of '0' with an alignment type of '=', just as in case of float’s. - gh-130999: Avoid exiting the new REPL and offer suggestions even if there are non-string candidates when errors occur. - gh-88473: Implement a fast path for datetime.date objects in datetime.date.today() which results in a 5x performance gain while proper subclasses retain their previous performance. - gh-126883: Add check that timezone fields are in range for datetime.datetime.fromisoformat() and datetime.time.fromisoformat(). Patch by Semyon Moroz. - gh-125028: functools.Placeholder cannot be passed to functools.partial() as a keyword argument. - gh-125843: If possible, indicate which curses C function or macro is responsible for raising a curses.error exception. Patch by Bénédikt Tran. - gh-119109: functools.partial() calls are now faster when keyword arguments are used. - gh-124033: SimplePath is now presented in importlib.metadata.__all__. - gh-91216: importlib.metadata now raises a KeyError instead of returning None when a key is missing from the metadata. - gh-120492: importlib.metadata now prioritizes valid dists to invalid dists when retrieving by name. - gh-99631: The shelve module now accepts custom serialization and deserialization functions. - gh-119186: Slightly speed up os.walk() by calling os.path.join() less often. - gh-120170: Fix an issue in the _pickle extension module in which importing multiprocessing could change how pickle identifies which module an object belongs to, potentially breaking the unpickling of those objects. - gh-118981: Fix potential hang in multiprocessing.popen_spawn_posix that can happen when the child proc dies early by closing the child fds right away. - gh-105497: Fix flag mask inversion when unnamed flags exist. - gh-99813: ssl now uses SSL_sendfile internally when it is possible (see OP_ENABLE_KTLS). The function sends a file more efficiently because it performs TLS encryption in the kernel to avoid additional context switches. Patch by Illia Volochii. - gh-62824: Fix aliases for iso8859_8 encoding. Patch by Dave Goncalves. - gh-86155: html.parser.HTMLParser.close() no longer loses data when the . - Multiple slashes and whitespaces between the last attribute and closing > are now ignored in both start and end tags. E.g. . - Multiple = between attribute name and value are no longer collapsed. E.g. produces attribute “foo” with value “=bar”. - Whitespaces between the = separator and attribute name or value are no longer ignored. E.g. produces two attributes “foo” and “=bar”, both with value None; produces two attributes: “foo” with value “” and “bar” with value None. - gh-102555: Fix comment parsing in html.parser.HTMLParser according to the HTML5 standard. --!> now ends the comment. -- > no longer ends the comment. Support abnormally ended empty comments <--> and <--->. - Library - gh-136286: Fix pickling failures for protocols 0 and 1 for many objects realted to subinterpreters. - gh-136316: Improve support for evaluating nested forward references in typing.evaluate_forward_ref(). - gh-85702: If zoneinfo._common.load_tzdata is given a package without a resource a zoneinfo.ZoneInfoNotFoundError is raised rather than a PermissionError. Patch by Victor Stinner. - gh-136028: Fix parsing month names containing “İ” (U+0130, LATIN CAPITAL LETTER I WITH DOT ABOVE) in time.strptime(). This affects locales az_AZ, ber_DZ, ber_MA and crh_UA. - gh-135995: In the palmos encoding, make byte 0x9b decode to › (U+203A - SINGLE RIGHT-POINTING ANGLE QUOTATION MARK). - gh-53203: Fix time.strptime() for %c and %x formats on locales byn_ER, wal_ET and lzh_TW, and for %X format on locales ar_SA, bg_BG and lzh_TW. - gh-91555: An earlier change, which was introduced in 3.14.0b2, has been reverted. It disabled logging for a logger during handling of log messages for that logger. Since the reversion, the behaviour should be as it was before 3.14.0b2. - gh-135878: Fixes a crash of types.SimpleNamespace on free threading builds, when several threads were calling its __repr__() method at the same time. - gh-135836: Fix IndexError in asyncio.loop.create_connection() that could occur when non-OSError exception is raised during connection and socket’s close() raises OSError. - gh-135836: Fix IndexError in asyncio.loop.create_connection() that could occur when the Happy Eyeballs algorithm resulted in an empty exceptions list during connection attempts. - gh-135855: Raise TypeError instead of SystemError when _interpreters.set___main___attrs() is passed a non-dict object. Patch by Brian Schubert. - gh-135815: netrc: skip security checks if os.getuid() is missing. Patch by Bénédikt Tran. - gh-135640: Address bug where it was possible to call xml.etree.ElementTree.ElementTree.write() on an ElementTree object with an invalid root element. This behavior blanked the file passed to write if it already existed. - gh-135645: Added supports_isolated_interpreters field to sys.implementation. - gh-135646: Raise consistent NameError exceptions in annotationlib.ForwardRef.evaluate() - gh-135557: Fix races on heapq updates and list reads on the free threaded build. - gh-119180: Only fetch globals and locals if necessary in annotationlib.get_annotations() - gh-135561: Fix a crash on DEBUG builds when an HACL* HMAC routine fails. Patch by Bénédikt Tran. - gh-135487: Fix reprlib.Repr.repr_int() when given integers with more than sys.get_int_max_str_digits() digits. Patch by Bénédikt Tran. - gh-135335: multiprocessing: Flush stdout and stderr after preloading modules in the forkserver. - gh-135069: Fix the “Invalid error handling” exception in encodings.idna.IncrementalDecoder to correctly replace the ‘errors’ parameter. - gh-130662: +Accept leading zeros in precision and width fields for +:class:Decimal formatting, for example format(Decimal(1.25), '.016f'). - gh-130662: Accept leading zeros in precision and width fields for Fraction formatting, for example format(Fraction(1, 3), '.016f'). - gh-87790: Support underscore and comma as thousands separators in the fractional part for Fraction’s formatting. Patch by Sergey B Kirpichev. - gh-87790: Support underscore and comma as thousands separators in the fractional part for Decimal’s formatting. Patch by Sergey B Kirpichev. - gh-130664: Handle corner-case for Fraction’s formatting: treat zero-padding (preceding the width field by a zero ('0') character) as an equivalent to a fill character of '0' with an alignment type of '=', just as in case of float’s. - Documentation - gh-136155: EPUB builds are fixed by excluding non-XHTML-compatible tags. - Core and Builtins - gh-109700: Fix memory error handling in PyDict_SetDefault(). - gh-78465: Fix error message for cls.__new__(cls, ...) where cls is not instantiable builtin or extension type (with tp_new set to NULL). - gh-129958: Differentiate between t-strings and f-strings in syntax error for newlines in format specifiers of single-quoted interpolated strings. - gh-135871: Non-blocking mutex lock attempts now return immediately when the lock is busy instead of briefly spinning in the free threading build. - gh-135106: Restrict the trashcan mechanism to GC’ed objects and untrack them while in the trashcan to prevent the GC and trashcan mechanisms conflicting. - gh-135607: Fix potential weakref races in an object’s destructor on the free threaded build. - gh-135608: Fix a crash in the JIT involving attributes of modules. - gh-135543: Emit sys.remote_exec audit event when sys.remote_exec() is called and migrate remote_debugger_script to cpython.remote_debugger_script. - gh-134280: Disable constant folding for ~ with a boolean argument. This moves the deprecation warning from compile time to runtime. - C API - gh-135906: Fix compilation errors when compiling the internal headers with a C++ compiler. - Build - gh-134273: Add support for configuring compiler flags for the JIT with CFLAGS_JIT ------------------------------------------------------------------- Wed Jul 2 13:14:28 UTC 2025 - Matej Cepl - Add bsc1243155-sphinx-non-determinism.patch (bsc#1243155) to generate ids for audit_events using docname (reproducible builds). ------------------------------------------------------------------- Tue Jul 1 08:24:53 UTC 2025 - Daniel Garcia - Use one core to build doc. This will make sphinx doc build reproducible. bsc#1243155 ------------------------------------------------------------------- Sat Jun 21 22:30:08 UTC 2025 - Matej Cepl - Update to 3.14.0~b3: - Tests - gh-132815: Fix test__opcode: add JUMP_BACKWARD to specialization stats. - gh-135489: Show verbose output for failing tests during PGO profiling step with –enable-optimizations. - gh-135120: Add test.support.subTests(). - Security - gh-135462: Fix quadratic complexity in processing specially crafted input in html.parser.HTMLParser. End-of-file errors are now handled according to the HTML5 specs – comments and declarations are automatically closed, tags are ignored (bsc#1244705, CVE-2025-6069). - gh-135034: Fixes multiple issues that allowed tarfile extraction filters (filter="data" and filter="tar") to be bypassed using crafted symlinks and hard links. Addresses CVE 2024-12718, CVE 2025-4138, CVE 2025-4330, and CVE 2025-4517. Also addresses CVE-2025-4435 (gh#135034, bsc#1244061). - Library - gh-65697: configparser’s error message when attempting to write an invalid key is now more helpful. - gh-135497: Fix os.getlogin() failing for longer usernames on BSD-based platforms. - gh-135429: Fix the argument mismatch in _lsprof for PY_THROW event. - gh-135368: Fix unittest.mock.Mock generation on dataclasses.dataclass() objects. Now all special attributes are set as it was before gh-124429. - gh-133967: Do not normalize locale name ‘C.UTF-8’ to ‘en_US.UTF-8’. - gh-135321: Raise a correct exception for values greater than 0x7fffffff for the BINSTRING opcode in the C implementation of pickle. - gh-135276: Backported bugfixes in zipfile.Path from zipp 3.23. Fixed .name, .stem and other basename-based properties on Windows when working with a zipfile on disk. - gh-135244: uuid: when the MAC address cannot be determined, the 48-bit node ID is now generated with a cryptographically-secure pseudo-random number generator (CSPRNG) as per RFC 9562, §6.10.3. This affects uuid1() and uuid6(). - gh-134970: Fix the “unknown action” exception in argparse.ArgumentParser.add_argument_group() to correctly replace the action class. - gh-134718: ast.dump() now only omits None and [] values if they are default values. - gh-134939: Add the concurrent.interpreters module. See PEP 734. - gh-134885: Fix possible crash in the compression.zstd module related to setting parameter types. Patch by Jelle Zijlstra. - gh-134857: Improve error report for doctests run with unittest. Remove doctest module frames from tracebacks and redundant newline character from a failure message. - gh-128840: Fix parsing long IPv6 addresses with embedded IPv4 address. - gh-134637: Fix performance regression in calling a ctypes function pointer in free threading. - gh-134696: Built-in HACL* and OpenSSL implementations of hash function constructors now correctly accept the same documented named arguments. For instance, md5() could be previously invoked as md5(data=data) or md5(string=string) depending on the underlying implementation but these calls were not compatible. Patch by Bénédikt Tran. - gh-134151: email: Fix TypeError in email.utils.decode_params() when sorting RFC 2231 continuations that contain an unnumbered section. - gh-134210: curses.window.getch() now correctly handles signals. Patch by Bénédikt Tran. - gh-134152: email: Fix parsing of email message ID with invalid domain. - gh-133489: random.getrandbits() can now generate more that 231 bits. random.randbytes() can now generate more that 256 MiB. - gh-132813: Improve error messages for incorrect types and values of csv.Dialect attributes. - gh-132969: Prevent the ProcessPoolExecutor executor thread, which remains running when shutdown(wait=False), from attempting to adjust the pool’s worker processes after the object state has already been reset during shutdown. A combination of conditions, including a worker process having terminated abormally, resulted in an exception and a potential hang when the still-running executor thread attempted to replace dead workers within the pool. - gh-127081: Fix libc thread safety issues with os by replacing getlogin with getlogin_r re-entrant version. - gh-131884: Fix formatting issues in json.dump() when both indent and skipkeys are used. - gh-130999: Avoid exiting the new REPL and offer suggestions even if there are non-string candidates when errors occur. - Documentation - gh-135171: Document that the iterator for the leftmost for clause in the generator expression is created immediately. - bpo-45210: Document that error indicator may be set in tp_dealloc, and how to avoid clobbering it. - Core and Builtins - gh-135496: Fix typo in the f-string conversion type error (“exclamanation” -> “exclamation”). - gh-135371: Fixed asyncio debugging tools to properly display internal coroutine call stacks alongside external task dependencies. The python -m asyncio ps and python -m asyncio pstree commands now show complete execution context. Patch by Pablo Galindo. - gh-127319: Set the allow_reuse_port class variable to False on the XMLRPC, logging, and HTTP servers. This matches the behavior in prior Python releases, which is to not allow port reuse. - gh-135171: Reverts the behavior of async generator expressions when created with object w/o __aiter__ method to the pre-3.13 behavior of raising a TypeError. - gh-130077: Properly raise custom syntax errors when incorrect syntax containing names that are prefixes of soft keywords is encountered. Patch by Pablo Galindo. - gh-135171: Reverts the behavior of generator expressions when created with a non-iterable to the pre-3.13 behavior of raising a TypeError. It is no longer possible to cause a crash in the debugger by altering the generator expression’s local variables. This is achieved by moving the GET_ITER instruction back to the creation of the generator expression and adding an additional check to FOR_ITER. - gh-116738: Make methods in heapq thread-safe on the free threaded build. - gh-134876: Add support to PEP 768 remote debugging for Linux kernels which don’t have CONFIG_CROSS_MEMORY_ATTACH configured. - gh-134889: Fix handling of a few opcodes that leave operands on the stack when optimizing LOAD_FAST. - gh-134908: Fix crash when iterating over lines in a text file on the free threaded build. - gh-132617: Fix dict.update() modification check that could incorrectly raise a “dict mutated during update” error when a different dictionary was modified that happens to share the same underlying keys object. - gh-134679: Fix crash in the free threading build’s QSBR code that could occur when changing an object’s __dict__ attribute. - gh-127682: No longer call __iter__ twice in list comprehensions. This brings the behavior of list comprehensions in line with other forms of iteration - gh-133912: Fix the C API function PyObject_GenericSetDict to handle extension classes with inline values. - C API - gh-134989: Fix Py_RETURN_NONE, Py_RETURN_TRUE and Py_RETURN_FALSE macros in the limited C API 3.11 and older: don’t treat Py_None, Py_True and Py_False as immortal. Patch by Victor Stinner. - gh-134989: Implement PyObject_DelAttr() and PyObject_DelAttrString() as macros in the limited C API 3.12 and older. Patch by Victor Stinner. - gh-133968: Add PyUnicodeWriter_WriteASCII() function to write an ASCII string into a PyUnicodeWriter. The function is faster than PyUnicodeWriter_WriteUTF8(), but has an undefined behavior if the input string contains non-ASCII characters. Patch by Victor Stinner. - Build - gh-119132: Remove “experimental” tag from the CPython free-threading build. - gh-135497: Fix the detection of MAXLOGNAME in the configure.ac script. - gh-134923: Windows builds with profile-guided optimization enabled now use /GENPROFILE and /USEPROFILE instead of deprecated /LTCG: options. - gh-134774: Fix Py_DEBUG macro redefinition warnings on Windows debug builds. Patch by Chris Eibl. - gh-134632: Fixed build-details.json generation to use INCLUDEPY, in order to reference the pythonX.Y subdirectory of the include directory, as required in PEP 739, instead of the top-level include directory. ------------------------------------------------------------------- Thu May 29 11:42:15 UTC 2025 - Matej Cepl - Update to 3.14.0~b2: - Tools/Demos - gh-134215: REPL import autocomplete only suggests private modules when explicitly specified. - Tests - gh-133744: Fix multiprocessing interrupt test. Add an event to synchronize the parent process with the child process: wait until the child process starts sleeping. Patch by Victor Stinner. - gh-133682: Fixed test case test.test_annotationlib.TestStringFormat.test_displays which ensures proper handling of complex data structures (lists, sets, dictionaries, and tuples) in string annotations. - gh-133639: Fix TestPyReplAutoindent.test_auto_indent_default() doesn’t run input_code. - Security - gh-133767: Fix use-after-free in the “unicode-escape” decoder with a non-“strict” error handler (CVE-2025-4516 bsc#1243273). - gh-128840: Short-circuit the processing of long IPv6 addresses early in ipaddress to prevent excessive memory consumption and a minor denial-of-service. - Library - gh-132710: If possible, ensure that uuid.getnode() returns the same result even across different processes. Previously, the result was constant only within the same process. Patch by Bénédikt Tran. - gh-80334: multiprocessing.freeze_support() now checks for work on any “spawn” start method platform rather than only on Windows. - gh-134582: Fix tokenize.untokenize() round-trip errors related to t-strings braces escaping - gh-134546: Ensure pdb remote debugging script is readable by remote Python process. - gh-134451: Converted asyncio.tools.CycleFoundException from dataclass to a regular exception type. - gh-114177: Fix asyncio to not close subprocess pipes which would otherwise error out when the event loop is already closed. - gh-90871: Fixed an off by one error concerning the backlog parameter in create_unix_server(). Contributed by Christian Harries. - gh-134323: Fix the threading.RLock.locked() method. - gh-86802: Fixed asyncio memory leak in cancelled shield tasks. For shielded tasks where the shield was cancelled, log potential exceptions through the exception handler. Contributed by Christian Harries. - gh-134209: curses: The curses.window.instr() and curses.window.getstr() methods now allocate their internal buffer on the heap instead of the stack; in addition, the max buffer size is increased from 1023 to 2047. - gh-134235: Updated tab completion on REPL to include builtin modules. Contributed by Tom Wang, Hunter Young - gh-134152: Fixed UnboundLocalError that could occur during email header parsing if an expected trailing delimiter is missing in some contexts. - gh-134168: http.server: Fix IPv6 address binding and --directory handling when using HTTPS. - gh-62184: Remove import of C implementation of io.FileIO from Python implementation which has its own implementation - gh-133982: Emit RuntimeWarning in the Python implementation of io when the file-like object is not closed explicitly in the presence of multiple I/O layers. - gh-133890: The tarfile module now handles UnicodeEncodeError in the same way as OSError when cannot extract a member. - gh-134097: Fix interaction of the new REPL and -X showrefcount command line option. - gh-133889: The generated directory listing page in http.server.SimpleHTTPRequestHandler now only shows the decoded path component of the requested URL, and not the query and fragment. - gh-134098: Fix handling paths that end with a percent-encoded slash (%2f or %2F) in http.server.SimpleHTTPRequestHandler. - gh-132124: On POSIX-compliant systems, multiprocessing.util.get_temp_dir() now ignores TMPDIR (and similar environment variables) if the path length of AF_UNIX socket files exceeds the platform-specific maximum length when using the forkserver start method. Patch by Bénédikt Tran. - gh-134062: ipaddress: fix collisions in __hash__() for IPv4Network and IPv6Network objects. - gh-133970: Make string.templatelib.Template and string.templatelib.Interpolation generic. - gh-71253: Raise ValueError in open() if opener returns a negative file-descriptor in the Python implementation of io to match the C implementation. - gh-133960: Simplify and improve typing.evaluate_forward_ref(). It now no longer raises errors on certain invalid types. In several situations, it is now able to evaluate forward references that were previously unsupported. - gh-133925: Make the private class typing._UnionGenericAlias hashable. - gh-133653: Fix argparse.ArgumentParser with the formatter_class argument. Fix TypeError when formatter_class is a custom subclass of HelpFormatter. Fix TypeError when formatter_class is not a subclass of HelpFormatter and non-standard prefix_char is used. Fix support of colorizing when formatter_class is not a subclass of HelpFormatter. - gh-132641: Fixed a race in functools.lru_cache() under free-threading. - gh-133783: Fix bug with applying copy.replace() to ast objects. Attributes that default to None were incorrectly treated as required for manually created AST nodes. - gh-133684: Fix bug where annotationlib.get_annotations() would return the wrong result for certain classes that are part of a class hierarchy where from __future__ import annotations is used. - gh-77057: Fix handling of invalid markup declarations in html.parser.HTMLParser. - gh-130328: Speedup pasting in PyREPL on Windows in a legacy console. Patch by Chris Eibl. - gh-133701: Fix bug where typing.TypedDict classes defined under from __future__ import annotations and inheriting from another TypedDict had an incorrect __annotations__ attribute. - gh-133581: Improve unparsing of t-strings in ast.unparse() and from __future__ import annotations. Empty t-strings now round-trip correctly and formatting in interpolations is preserved. Patch by Jelle Zijlstra. - gh-133551: Support t-strings (PEP 750) in annotationlib. Patch by Jelle Zijlstra. - gh-133439: Fix dot commands with trailing spaces are mistaken for multi-line SQL statements in the sqlite3 command-line interface. - gh-132493: Avoid accessing __annotations__ unnecessarily in inspect.signature(). - gh-132876: ldexp() on Windows doesn’t round subnormal results before Windows 11, but should. Python’s math.ldexp() wrapper now does round them, so results may change slightly, in rare cases of very small results, on Windows versions before 11. - gh-133009: xml.etree.ElementTree: Fix a crash in Element.__deepcopy__ when the element is concurrently mutated. Patch by Bénédikt Tran. - gh-91555: Ignore log messages generated during handling of log messages, to avoid deadlock or infinite recursion. - gh-125028: functools.Placeholder cannot be passed to functools.partial() as a keyword argument. - gh-62824: Fix aliases for iso8859_8 encoding. Patch by Dave Goncalves. - gh-86155: html.parser.HTMLParser.close() no longer loses data when the