- python -m http.server no longer allows terminal control
characters sent within a garbage request to be printed
to the stderr server lo This is done by changing the
http.server BaseHTTPRequestHandler .log_message method to
replace control characters with a \xHH hex escape before
printin
- Avoid publishing list of active per-interpreter audit hooks
via the gc module
- The IDNA codec decoder used on DNS hostnames by socket or
asyncio related name resolution functions no longer involves
a quadratic algorithm. This prevents a potential CPU denial
of service if an out-of-spec excessive length hostname
involving bidirectional characters were decoded. Some
protocols such as urllib http 3xx redirects potentially allow
for an attacker to supply such a name (CVE-2022-45061).
- Update bundled libexpat to 2.5.0
- Fix a shell code injection vulnerability in the
get-remote-certificate.py example script. The script no
longer uses a shell to run openssl commands. Issue reported
and initial fix by Caleb Shortt. Patch by Victor Stinner.
- Fix a crash when an object which does not have a dictionary
frees its instance values.
- Fix a bug in the tokenizer that could cause infinite
recursion when showing syntax warnings that happen in the
first line of the source. Patch by Pablo Galindo
- Fix an issue that could cause frames to be visible to Python
code as they are being torn down, possibly leading to memory
corruption or hard crashes of the interpreter.
- Fix a reference bug in _imp.create_builtin() after the
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=40
- Update to 3.11.0 (overall changes from 3.10.*):
- General changes
- PEP 657 -- Include Fine-Grained Error Locations in
Tracebacks
- PEP 654 -- Exception Groups and except*
- PEP 680 -- tomllib: Support for Parsing TOML in the
Standard Library
- gh-90908 -- Introduce task groups to asyncio
- gh-34627 -- Atomic grouping ((?>...)) and possessive
quantifiers (*+, ++, ?+, {m,n}+) are now supported in
regular expressions.
- The Faster CPython Project is already yielding some
exciting results. Python 3.11 is up to 10-60% faster than
Python 3.10. On average, we measured a 1.22x speedup on the
standard benchmark suite. See Faster CPython for details.
- Typing and typing language changes
- PEP 673 -- Self Type
- PEP 646 -- Variadic Generics
- PEP 675 -- Arbitrary Literal String Type
- PEP 655 -- Marking individual TypedDict items as required
or potentially-missing
- PEP 681 -- Data Class Transforms
- (just changes from 3.11.0rc2):
- Fix multiplying a list by an integer (list *= int): detect
the integer overflow when the new allocated length is close
to the maximum size. Issue reported by Jordan Limor. Patch by
Victor Stinner.
- On Linux the multiprocessing module returns to using
filesystem backed unix domain sockets for communication
with the forkserver process instead of the Linux abstract
OBS-URL: https://build.opensuse.org/request/show/1031401
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=34
- Update to 3.11.0rc2:
- Converting between int and str in bases other than 2
(binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base
10 (decimal) now raises a ValueError if the number of digits
in string form is above a limit to avoid potential denial of
service attacks due to the algorithmic complexity. This is
a mitigation for CVE-2020-10735.
This new limit can be configured or disabled by environment
variable, command line flag, or sys APIs. See the integer
string conversion length limitation documentation. The
default limit is 4300 digits in string form.
- Fix case of undefined behavior in ceval.c
- Do not expose KeyWrapper in _functools.
- Ensure that tracing, sys.setrace(), is turned on
immediately. In pre-release versions of 3.11, some tracing
events might have been lost when turning on tracing in a
__del__ method or interrupt.
- Fix use after free in trace refs build mode. Patch by Kumar
Aditya.
- When loading a file with invalid UTF-8 inside a multi-line
string, a correct SyntaxError is emitted.
- Make sure that incomplete frames do not show up in
tracemalloc traces.
- Remove two cases of undefined behavior, by adding NULL
checks.
- Fix possible NULL pointer dereference in
_PyThread_CurrentFrames. Patch by Kumar Aditya.
- Fix AttributeError missing name and obj attributes in
object.__getattribute__(). Patch by Philip Georgi.
- Loading a file with invalid UTF-8 will now report the broken
character at the correct location.
- Fixed a bug that caused _PyCode_GetExtra to return garbage
for negative indexes. Patch by Pablo Galindo
- Fix a deadlock in PyGILState_Ensure() when allocating new
thread state. Patch by Kumar Aditya.
- PyType_Ready() now initializes ht_cached_keys and performs
additional checks to ensure that type objects are properly
configured. This avoids crashes in 3rd party packages that
don’t use regular API to create new types.
- Skip over incomplete frames in PyThreadState_GetFrame().
- Fix format string in _PyPegen_raise_error_known_location that
can lead to memory corruption on some 64bit systems. The
function was building a tuple with i (int) instead of n
(Py_ssize_t) for Py_ssize_t arguments.
- Fix misleading contents of error message when converting an
all-whitespace string to float.
- ast.parse() will no longer parse function definitions with
positional-only params when passed feature_version less than
(3, 8). Patch by Shantanu Jain.
- Fix incorrect error message in the io module.
- Fix the faulthandler implementation of
faulthandler.register(signal, chain=True) if the sigaction()
function is not available: don’t call the previous signal
handler if it’s NULL. Patch by Victor Stinner.
- Correct conversion of numbers.Rational’s to float.
- Fix TypeVarTuple.__typing_prepare_subst__. TypeError was not
raised when using more than one TypeVarTuple, like [*T, *V]
in type alias substitutions.
- Fix asyncio.streams.StreamReaderProtocol to keep a strong
reference to the created task, so that it’s not garbage
collected
- Fix a performance regression in logging
TimedRotatingFileHandler. Only check for special files when
the rollover time has passed.
- Fix unused localName parameter in the Attr class in
xml.dom.minidom.
- Fix incorrect condition that causes sys.thread_info.name to
be wrong on pthread platforms.
- Remove an incompatible change from bpo-28080 that caused a
regression that ignored the utf8 in ZipInfo.flag_bits. Patch
by Pablo Galindo.
- Fix asyncio.Runner to call asyncio.set_event_loop() only
once to avoid calling attach_loop() multiple times on child
watchers. Patch by Kumar Aditya.
- Fix unittest.IsolatedAsyncioTestCase to set event loop before
calling setup functions. Patch by Kumar Aditya.
- When a task catches asyncio.CancelledError and raises some
other error, the other error should generally not silently be
suppressed.
- Fail gracefully if EPERM or ENOSYS is raised when loading
crypt methods. This may happen when trying to load MD5 on a
Linux kernel with FIPS enabled.
- Allow asyncio.StreamWriter.drain() to be awaited concurrently
by multiple tasks. Patch by Kumar Aditya.
- Fix ast.unparse() when ImportFrom.level is None
- Improve discoverability of the higher level
concurrent.futures module by providing clearer links from the
lower level threading and multiprocessing modules.
- What’s New 3.11 now has instructions for how to provide
compiler and linker flags for Tcl/Tk and OpenSSL on RHEL 7
and CentOS 7.
- Mitigate the inherent race condition from using
find_unused_port() in testSockName() by trying to find an
unused port a few times before failing. Patch by Ross Burton.
- Build and test with OpenSSL 1.1.1q
- Use support-expat-CVE-2022-25236-patched.patch from the current
version of gh#python/cpython#93900 instead of the old
support-expat-245.patch.
- Reapply fix_configure_rst.patch.
OBS-URL: https://build.opensuse.org/request/show/1003848
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python311?expand=0&rev=8
- Converting between int and str in bases other than 2
(binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base
10 (decimal) now raises a ValueError if the number of digits
in string form is above a limit to avoid potential denial of
service attacks due to the algorithmic complexity. This is
a mitigation for CVE-2020-10735.
This new limit can be configured or disabled by environment
variable, command line flag, or sys APIs. See the integer
string conversion length limitation documentation. The
default limit is 4300 digits in string form.
- Fix case of undefined behavior in ceval.c
- Do not expose KeyWrapper in _functools.
- Ensure that tracing, sys.setrace(), is turned on
immediately. In pre-release versions of 3.11, some tracing
events might have been lost when turning on tracing in a
__del__ method or interrupt.
- Fix use after free in trace refs build mode. Patch by Kumar
Aditya.
- When loading a file with invalid UTF-8 inside a multi-line
string, a correct SyntaxError is emitted.
- Make sure that incomplete frames do not show up in
tracemalloc traces.
- Remove two cases of undefined behavior, by adding NULL
checks.
- Fix possible NULL pointer dereference in
_PyThread_CurrentFrames. Patch by Kumar Aditya.
- Fix AttributeError missing name and obj attributes in
object.__getattribute__(). Patch by Philip Georgi.
- Loading a file with invalid UTF-8 will now report the broken
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=32
- Core and Builtins
- Update code object hashing and equality to consider all
debugging and exception handling tables. This fixes an
issue where certain non-identical code objects could be
“deduplicated” during compilation.
- _PyPegen_Parser_New now properly detects token memory
allocation errors. Patch by Honglin Zhu.
- Run Python code in tracer/profiler function at full
speed. Fixes slowdown in earlier versions of 3.11.
- Emit a warning in debug mode if an object does not call
PyObject_GC_UnTrack() before deallocation. Patch by Pablo
Galindo.
- Prevented crashes in the AST constructor when
compiling some absurdly long expressions like
"+0"*1000000. RecursionError is now raised instead. Patch
by Pablo Galindo
- ast.AST node positions are now validated when provided to
compile() and other related functions. If invalid positions
are detected, a ValueError will be raised.
- Fix error detection in some builtin functions when keyword
argument name is an instance of a str subclass with
overloaded __eq__ and __hash__. Previously it could cause
SystemError or other undesired behavior.
- Library
- Update bundled pip to 22.2.2.
- Fix asyncio.TaskGroup to propagate exception when
asyncio.CancelledError was replaced with another exception
by a context manger. Patch by Kumar Aditya and Guido van
Rossum.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=27
- Update to 3.11.0b5:
- Core and Builtins
- gh-93351: ast.AST node positions are now validated when
provided to compile() and other related functions. If
invalid positions are detected, a ValueError will be
raised.
- gh-94438: Fix an issue that caused extended opcode
arguments and some conditional pops to be ignored when
calculating valid jump targets for assignments to the
f_lineno attribute of frame objects. In some cases, this
could cause inconsistent internal state, resulting in a
hard crash of the interpreter.
- gh-95060: Undocumented PyCode_Addr2Location function now
properly returns when addrq argument is less than zero.
- gh-95113: Replace all EXTENDED_ARG_QUICK instructions
with basic EXTENDED_ARG instructions in unquickened
code. Consumers of non-adaptive bytecode should be able to
handle extended arguments the same way they were handled in
CPython 3.10 and older.
- gh-91409: Fix incorrect source location info caused by
certain optimizations in the bytecode compiler.
- gh-94036: Fix incorrect source location info for some
multi-line attribute accesses and method calls.
- gh-94739: Allow jumping within, out of, and across
exception handlers in the debugger.
- gh-94949: ast.parse() will no longer parse parenthesized
context managers when passed feature_version less than (3,
9). Patch by Shantanu Jain.
- gh-94947: ast.parse() will no longer parse assignment
expressions when passed feature_version less than (3,
8). Patch by Shantanu Jain.
- gh-91256: Ensures the program name is known for help text
during interpreter startup.
- gh-94869: Fix the column offsets for some expressions in
multi-line f-strings ast nodes. Patch by Pablo Galindo.
- gh-94822: Fix an issue where lookups of metaclass
descriptors may be ignored when an identically-named
attribute also exists on the class itself.
- gh-91153: Fix an issue where a bytearray item assignment
could crash if it’s resized by the new value’s __index__()
method.
- gh-90699: Fix reference counting bug in
bool.__repr__(). Patch by Kumar Aditya.
- Library
- gh-95087: Fix IndexError in parsing invalid date in the
email module.
- gh-95199: Upgrade bundled setuptools to 63.2.0.
- gh-95194: Upgrade bundled pip to 22.2.
- gh-95132: Fix a sqlite3 regression where *args and **kwds
were incorrectly relayed from connect() to the Connection
factory. The regression was introduced in 3.11a1 with PR
24421 (gh-85128). Patch by Erlend E. Aasland.`
- gh-93157: Fix fileinput module didn’t support errors option
when inplace is true.
- gh-95105: wsgiref.types.InputStream.__iter__() should
return Iterator[bytes], not Iterable[bytes]. Patch by
Shantanu Jain.
- gh-94857: Fix refleak in
_io.TextIOWrapper.reconfigure. Patch by Kumar Aditya.
- gh-94821: Fix binding of unix socket to empty address
on Linux to use an available address from the abstract
namespace, instead of “0”.
- gh-89988: Fix memory leak in pickle.Pickler when looking up
dispatch_table. Patch by Kumar Aditya.
- bpo-47025: Drop support for bytes on sys.path.
- Tests
- gh-95212: Make multiprocessing test case
test_shared_memory_recreate parallel-safe.
- Build
- gh-94847: Fixed _decimal module build issue on GCC when
compiling with LTO and pydebug. Debug builds no longer
force inlining of functions.
- gh-94841: Fix the possible performance regression of
PyObject_Free() compiled with MSVC version 1932.
- gh-94801: configure now uses custom flags like ZLIB_CFLAGS
and ZLIB_LIBS when searching for headers and libraries.
- gh-94773: deepfreeze.py now supports code object with
frozensets that contain incompatible, unsortable types.
- C API
- gh-94930: Fix SystemError raised when
PyArg_ParseTupleAndKeywords() is used with # in (...) but
without PY_SSIZE_T_CLEAN defined.
- gh-94864: Fix PyArg_Parse* with deprecated format units “u”
and “Z”. It returned 1 (success) when warnings are turned
into exceptions.
- gh-94731: Python again uses C-style casts for
most casting operations when compiled with
C++. This may trigger compiler warnings, if they
are enabled with e.g. -Wold-style-cast `` or
``-Wzero-as-null-pointer-constant options for g++.
OBS-URL: https://build.opensuse.org/request/show/991283
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python311?expand=0&rev=5
- Core and Builtins
- gh-93351: ast.AST node positions are now validated when
provided to compile() and other related functions. If
invalid positions are detected, a ValueError will be
raised.
- gh-94438: Fix an issue that caused extended opcode
arguments and some conditional pops to be ignored when
calculating valid jump targets for assignments to the
f_lineno attribute of frame objects. In some cases, this
could cause inconsistent internal state, resulting in a
hard crash of the interpreter.
- gh-95060: Undocumented PyCode_Addr2Location function now
properly returns when addrq argument is less than zero.
- gh-95113: Replace all EXTENDED_ARG_QUICK instructions
with basic EXTENDED_ARG instructions in unquickened
code. Consumers of non-adaptive bytecode should be able to
handle extended arguments the same way they were handled in
CPython 3.10 and older.
- gh-91409: Fix incorrect source location info caused by
certain optimizations in the bytecode compiler.
- gh-94036: Fix incorrect source location info for some
multi-line attribute accesses and method calls.
- gh-94739: Allow jumping within, out of, and across
exception handlers in the debugger.
- gh-94949: ast.parse() will no longer parse parenthesized
context managers when passed feature_version less than (3,
9). Patch by Shantanu Jain.
- gh-94947: ast.parse() will no longer parse assignment
expressions when passed feature_version less than (3,
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=25
- Update to 3.11.0b4:
- Fixes many bugs and adds following more significant changes
- Security
- gh-68966: The deprecated mailcap module now refuses to inject
Coreunsafe text (filenames, MIME types, parameters) into
shell Corecommands. Instead of using such text, it will
warn and act Coreas if a match was not found (or for test
commands, as if the Coretest failed). and Builtins
- gh-93516: Lazily create a table mapping bytecode offsets to
line numbers to speed up calculation of line numbers when
tracing.
- gh-93461: importlib.invalidate_caches() now drops entries
from sys.path_importer_cache with a relative path as
name. This solves a caching issue when a process changes its
current working directory.
- FileFinder no longer inserts a dot in the path, e.g.
/egg/./spam is now /egg/spam.
Library
- gh-93896: Fix asyncio.run() and
unittest.IsolatedAsyncioTestCase to always the set event loop
as it was done in Python 3.10 and earlier. Patch by Kumar
Aditya.
- gh-94101: Manual instantiation of ssl.SSLSession objects is
no longer allowed as it lead to misconfigured instances that
crashed the interpreter when attributes where accessed on
them.
- gh-83658: Make multiprocessing.Pool raise an exception if
maxtasksperchild is not None or a positive int.
- gh-61162: Clarify sqlite3 behavior when Using the connection
as a context manager.
Tools/Demos
- gh-94538: Fix Argument Clinic output to custom file
destinations. Patch by Erlend E. Aasland.
C API
- gh-93937: The following frame functions and type are now
directly available with #include <Python.h>, it’s no longer
needed to add #include <frameobject.h>:
PyFrame_Check()
PyFrame_GetBack()
PyFrame_GetBuiltins()
PyFrame_GetGenerator()
PyFrame_GetGlobals()
PyFrame_GetLasti()
PyFrame_GetLocals()
PyFrame_Type
OBS-URL: https://build.opensuse.org/request/show/989232
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python311?expand=0&rev=3
- Fixes many bugs and adds following more significant changes
- Security
- gh-68966: The deprecated mailcap module now refuses to inject
Coreunsafe text (filenames, MIME types, parameters) into
shell Corecommands. Instead of using such text, it will
warn and act Coreas if a match was not found (or for test
commands, as if the Coretest failed). and Builtins
- gh-93516: Lazily create a table mapping bytecode offsets to
line numbers to speed up calculation of line numbers when
tracing.
- gh-93461: importlib.invalidate_caches() now drops entries
from sys.path_importer_cache with a relative path as
name. This solves a caching issue when a process changes its
current working directory.
- FileFinder no longer inserts a dot in the path, e.g.
/egg/./spam is now /egg/spam.
Library
- gh-93896: Fix asyncio.run() and
unittest.IsolatedAsyncioTestCase to always the set event loop
as it was done in Python 3.10 and earlier. Patch by Kumar
Aditya.
- gh-94101: Manual instantiation of ssl.SSLSession objects is
no longer allowed as it lead to misconfigured instances that
crashed the interpreter when attributes where accessed on
them.
- gh-83658: Make multiprocessing.Pool raise an exception if
maxtasksperchild is not None or a positive int.
- gh-61162: Clarify sqlite3 behavior when Using the connection
as a context manager.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=20
- PEP 657 – Include Fine-Grained Error Locations in Tracebacks
- PEP 654 – Exception Groups and except*
- PEP 673 – Self Type
- PEP 646 – Variadic Generics
- PEP 680– tomllib: Support for Parsing TOML in the Standard Library
- PEP 675– Arbitrary Literal String Type
- PEP 655– Marking individual TypedDict items as required or potentially-missing
- bpo-46752– Introduce task groups to asyncio
- The Faster Cpython Project is already yielding some exciting
results. Python 3.11 is up to 10-60% faster than Python
3.10. On average, we measured a 1.22x speedup on the standard
benchmark suite. See
https://docs.python.org/3.11/whatsnew/3.11.html#faster-cpython
for details.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=3