| 7ea0551 | Ned Deily | 11 December 2019, 08:27:49 UTC | 3.6.10rc1 | 11 December 2019, 08:28:36 UTC |
| b23c084 | Kyle Stanley | 11 December 2019, 06:54:02 UTC | [3.6] bpo-37228: Fix loop.create_datagram_endpoint()'s usage of SO_REUSEADDR (GH-17311). (GH-17571) (cherry picked from commit ab513a38c98695f271e448fe2cb7c5e39eeaaaaf) Co-authored-by: Kyle Stanley <aeros167@gmail.com> | 11 December 2019, 06:54:02 UTC |
| 30afc91 | Miss Islington (bot) | 02 December 2019, 23:34:31 UTC | bpo-38945: UU Encoding: Don't let newline in filename corrupt the output format (GH-17418) (GH-17444) (cherry picked from commit a62ad4730c9b575f140f24074656c0257c86a09a) Co-authored-by: Matthew Rollings <1211162+stealthcopter@users.noreply.github.com> | 02 December 2019, 23:34:31 UTC |
| 0716056 | Miss Islington (bot) | 22 November 2019, 22:09:10 UTC | bpo-38804: Fix REDoS in http.cookiejar (GH-17157) (#17343) The regex http.cookiejar.LOOSE_HTTP_DATE_RE was vulnerable to regular expression denial of service (REDoS). LOOSE_HTTP_DATE_RE.match is called when using http.cookiejar.CookieJar to parse Set-Cookie headers returned by a server. Processing a response from a malicious HTTP server can lead to extreme CPU usage and execution will be blocked for a long time. The regex contained multiple overlapping \s* capture groups. Ignoring the ?-optional capture groups the regex could be simplified to \d+-\w+-\d+(\s*\s*\s*)$ Therefore, a long sequence of spaces can trigger bad performance. Matching a malicious string such as LOOSE_HTTP_DATE_RE.match("1-c-1" + (" " * 2000) + "!") caused catastrophic backtracking. The fix removes ambiguity about which \s* should match a particular space. You can create a malicious server which responds with Set-Cookie headers to attack all python programs which access it e.g. from http.server import BaseHTTPRequestHandler, HTTPServer def make_set_cookie_value(n_spaces): spaces = " " * n_spaces expiry = f"1-c-1{spaces}!" return f"b;Expires={expiry}" class Handler(BaseHTTPRequestHandler): def do_GET(self): self.log_request(204) self.send_response_only(204) GH- Don't bother sending Server and Date n_spaces = ( int(self.path[1:]) GH- Can GET e.g. /100 to test shorter sequences if len(self.path) > 1 else 65506 GH- Max header line length 65536 ) value = make_set_cookie_value(n_spaces) for i in range(99): GH- Not necessary, but we can have up to 100 header lines self.send_header("Set-Cookie", value) self.end_headers() if __name__ == "__main__": HTTPServer(("", 44020), Handler).serve_forever() This server returns 99 Set-Cookie headers. Each has 65506 spaces. Extracting the cookies will pretty much never complete. Vulnerable client using the example at the bottom of https://docs.python.org/3/library/http.cookiejar.html : import http.cookiejar, urllib.request cj = http.cookiejar.CookieJar() opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj)) r = opener.open("http://localhost:44020/") The popular requests library was also vulnerable without any additional options (as it uses http.cookiejar by default): import requests requests.get("http://localhost:44020/") * Regression test for http.cookiejar REDoS If we regress, this test will take a very long time. * Improve performance of http.cookiejar.ISO_DATE_RE A string like "444444" + (" " * 2000) + "A" could cause poor performance due to the 2 overlapping \s* groups, although this is not as serious as the REDoS in LOOSE_HTTP_DATE_RE was. (cherry picked from commit 1b779bfb8593739b11cbb988ef82a883ec9d077e) Co-authored-by: bcaller <bcaller@users.noreply.github.com> | 22 November 2019, 22:09:10 UTC |
| 86c17c0 | Miss Skeleton (bot) | 23 October 2019, 20:29:55 UTC | Update URL in macOS installer copy of license (GH-16905) (GH-16908) (cherry picked from commit 01659ca62c4508518478a74615ac91c0009427ad) Co-authored-by: Ned Deily <nad@python.org> | 23 October 2019, 20:29:55 UTC |
| 293fc17 | Miss Skeleton (bot) | 23 October 2019, 19:33:56 UTC | [3.6] Fix Zope URL (GH-16880) (GH-16904) (cherry picked from commit dfe726b1ace03f206f45253b93ed7610473ae20f) Co-authored-by: Kyle Stanley <aeros167@gmail.com> | 23 October 2019, 19:33:56 UTC |
| 1039f21 | Miss Islington (bot) | 15 October 2019, 21:46:19 UTC | Update doc switcher list for 3.8.0 (GH-16809) (GH-16812) (cherry picked from commit 3f36043db22361500f52634f2b8de49dde0e7da9) Co-authored-by: Ned Deily <nad@python.org> | 15 October 2019, 21:46:19 UTC |
| 819ad37 | Miss Islington (bot) | 14 October 2019, 22:21:43 UTC | Doc: 3.8 is now stable. (GH-16790) (GH-16793) (cherry picked from commit 4504b4500d2a1a80c26b27b0bfff8b624d5ce06c) Co-authored-by: Julien Palard <julien@palard.fr> | 14 October 2019, 22:21:43 UTC |
| 5b18ce6 | Jason R. Coombs | 28 September 2019, 16:44:12 UTC | [3.6] bpo-38216, bpo-36274: Allow subclasses to separately override validation and encoding behavior (GH-16448) (GH-16462) (cherry picked from commit 7774d7831e8809795c64ce27f7df52674581d298) Co-authored-by: Jason R. Coombs <jaraco@jaraco.com> | 28 September 2019, 16:44:12 UTC |
| 1698cac | Victor Stinner | 28 September 2019, 07:33:00 UTC | bpo-38243, xmlrpc.server: Escape the server_title (GH-16373) (GH-16441) Escape the server title of xmlrpc.server.DocXMLRPCServer when rendering the document page as HTML. (cherry picked from commit e8650a4f8c7fb76f570d4ca9c1fbe44e91c8dfaa) | 28 September 2019, 07:33:00 UTC |
| f050163 | Benjamin Peterson | 26 September 2019, 05:00:26 UTC | [3.6] closes bpo-38174: Update vendored expat library to 2.2.8. (GH-16410) Fixes CVE-2019-15903. See full changelog at https://github.com/libexpat/libexpat/blob/R_2_2_8/expat/Changes.. (cherry picked from commit 52b940803860e37bcc3f6096b2d24e7c20a0e807) | 26 September 2019, 05:00:26 UTC |
| f1f9c0c | GeeTransit | 24 August 2019, 04:33:36 UTC | [3.6] bpo-37461: Fix typo (inifite -> infinite) (#15432) | 24 August 2019, 04:33:36 UTC |
| 13a1913 | Miss Islington (bot) | 09 August 2019, 15:22:19 UTC | bpo-34155: Dont parse domains containing @ (GH-13079) (GH-14826) Before: >>> email.message_from_string('From: a@malicious.org@important.com', policy=email.policy.default)['from'].addresses (Address(display_name='', username='a', domain='malicious.org'),) >>> parseaddr('a@malicious.org@important.com') ('', 'a@malicious.org') After: >>> email.message_from_string('From: a@malicious.org@important.com', policy=email.policy.default)['from'].addresses (Address(display_name='', username='', domain=''),) >>> parseaddr('a@malicious.org@important.com') ('', 'a@') https://bugs.python.org/issue34155 (cherry picked from commit 8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9) Co-authored-by: jpic <jpic@users.noreply.github.com> | 09 August 2019, 15:22:19 UTC |
| 1789bbd | Miss Islington (bot) | 01 August 2019, 16:36:46 UTC | bpo-37461: Fix infinite loop in parsing of specially crafted email headers (GH-14794) (GH-14817) Some crafted email header would cause the get_parameter method to run in an infinite loop causing a DoS attack surface when parsing those headers. This patch fixes that by making sure the DQUOTE character is handled to prevent going into an infinite loop. (cherry picked from commit a4a994bd3e619cbaff97610a1cee8ffa87c672f5) Co-authored-by: Abhilash Raj <maxking@users.noreply.github.com> | 01 August 2019, 16:36:46 UTC |
| 79a47e2 | Miss Islington (bot) | 21 July 2019, 14:01:43 UTC | Fix infinite loop in email folding logic (GH-12732) (GH-14799) As far as I can tell, this infinite loop would be triggered if: 1. The value being folded contains a single word (no spaces) longer than max_line_length 2. The max_line_length is shorter than the encoding's name + 9 characters. bpo-36564: https://bugs.python.org/issue36564 (cherry picked from commit f69d5c61981ea97d251db515c7ff280fcc17182d) Co-authored-by: Paul Ganssle <pganssle@users.noreply.github.com> | 21 July 2019, 14:01:43 UTC |
| 317c33e | Ned Deily | 08 July 2019, 16:50:54 UTC | bpo-37149: Replace dead link for online Tkinter reference (GH-14616) Also fix a name misspelling. Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu> | 08 July 2019, 16:50:54 UTC |
| a6d97e2 | Anthony Sottile | 03 July 2019, 22:39:49 UTC | Fix 3.6 documentation build for sphinx<1.6 (GH-14576) | 03 July 2019, 22:39:48 UTC |
| af9e126 | Ned Deily | 02 July 2019, 21:57:03 UTC | Post release updates | 02 July 2019, 21:57:03 UTC |
| 201c8f7 | Ned Deily | 02 July 2019, 20:25:39 UTC | 3.6.9 | 02 July 2019, 20:25:39 UTC |
| 782854f | Miss Islington (bot) | 02 July 2019, 07:48:59 UTC | bpo-34602: Avoid failures setting macOS stack resource limit (GH-14546) (GH-14549) Under some conditions the earlier fix for bpo-18075, "Infinite recursion tests triggering a segfault on Mac OS X", now causes failures on macOS when attempting to change stack limit with resource.setrlimit resource.RLIMIT_STACK, like regrtest does when running the test suite. The reverted change had specified a non-default stack size when linking the python executable on macOS. As of macOS 10.14.4, the previous code causes a hard failure when running tests, although similar failures had been seen under some conditions under some earlier systems. Reverting the change to the interpreter stack size at link time helped for release builds but caused some tests to fail when built --with-pydebug. Try the opposite approach: continue to build the interpreter with an increased stack size on macOS and remove the failing setrlimit call in regrtest initialization. This will definitely avoid the resource.RLIMIT_STACK error and should have no, or fewer, side effects. (cherry picked from commit 5bbbc733e6cc0804f19b071944af8d4719e26ae6) Co-authored-by: Ned Deily <nad@python.org> | 02 July 2019, 07:48:59 UTC |
| 29d6905 | Miss Islington (bot) | 02 July 2019, 05:48:16 UTC | Put pyexpatns.h include back. bpo-37437 (GH-14542) (cherry picked from commit 2cd07920bb7d2d319999394092190f37935dc421) Co-authored-by: Benjamin Peterson <benjamin@python.org> | 02 July 2019, 05:48:16 UTC |
| a1093e4 | Miss Islington (bot) | 30 June 2019, 00:36:29 UTC | bpo-37437: Pass -Wno-unreachable-code when compiling expat. (GH-14470) (GH-14472) (cherry picked from commit 95da310078a9364bae9ab3f2ad9c71e34306a70c) Co-authored-by: Benjamin Peterson <benjamin@python.org> | 30 June 2019, 00:36:29 UTC |
| 6632906 | Miss Islington (bot) | 28 June 2019, 04:16:48 UTC | closes bpo-37437: Update vendorized expat to 2.2.7. (GH-14436) (cherry picked from commit 3b03b09fc94425915c5b1225e9200a3a95bc827b) Co-authored-by: Benjamin Peterson <benjamin@python.org> | 28 June 2019, 04:16:48 UTC |
| 31fb351 | Ned Deily | 19 June 2019, 03:50:05 UTC | Post release updates | 19 June 2019, 03:50:05 UTC |
| 0d47586 | Ned Deily | 19 June 2019, 00:37:44 UTC | 3.6.9rc1 | 19 June 2019, 00:37:44 UTC |
| 516a6a2 | Victor Stinner | 18 June 2019, 00:13:58 UTC | bpo-33529, email: Fix infinite loop in email header encoding (GH-12020) (GH-14162) (cherry picked from commit c1f5667be1e3ec5871560c677402c1252c6018a6) | 18 June 2019, 00:13:57 UTC |
| ecafe8e | Miss Islington (bot) | 16 June 2019, 18:55:59 UTC | Doc: Remove an ugly space before a dot. (GH-14123) (GH-14130) (cherry picked from commit 552951563cd5968d25e95306362e41f07d661a88) Co-authored-by: Julien Palard <julien@palard.fr> | 16 June 2019, 18:55:59 UTC |
| 78309c9 | Julien Palard | 15 June 2019, 18:25:03 UTC | [3.6] Doc: Add an optional obsolete header. (GH-13638). (GH-13657) (cherry picked from commit 46ed90dd014010703c7a3b2a61c4927644fa8210) Co-authored-by: Julien Palard <julien@palard.fr> | 15 June 2019, 18:25:02 UTC |
| 1af68a6 | Ned Deily | 13 June 2019, 04:35:19 UTC | [3.6] Doc fix: duplicate object description of email.message (GH-13742) (GH-14041) | 13 June 2019, 04:35:19 UTC |
| 9393e19 | Miss Islington (bot) | 09 June 2019, 00:54:57 UTC | Stop using deprecated logging API in Sphinx suspicious checker (GH-9875) (GH-13923) (cherry picked from commit ee171a26c1169abfae534b08acc0d95c6e45a22a) Co-authored-by: Pablo Galindo <Pablogsal@gmail.com> | 09 June 2019, 00:54:57 UTC |
| dffc558 | Miss Islington (bot) | 04 June 2019, 23:22:50 UTC | Doc: Python 3.9 in sidebar and version switcher. (GH-13824) (GH-13827) (cherry picked from commit 59e7bbcaa4d0d556591f774c5ea4869c41fa95b0) Co-authored-by: Julien Palard <julien@palard.fr> | 04 June 2019, 23:22:50 UTC |
| fd1771d | Miss Islington (bot) | 04 June 2019, 18:43:52 UTC | bpo-36742: Corrects fix to handle decomposition in usernames (GH-13812) (GH-13814) (cherry picked from commit 8d0ef0b5edeae52960c7ed05ae8a12388324f87e) Co-authored-by: Steve Dower <steve.dower@python.org> | 04 June 2019, 18:43:52 UTC |
| 4f06dae | Victor Stinner | 29 May 2019, 02:30:48 UTC | bpo-35907, CVE-2019-9948: urllib rejects local_file:// scheme (GH-13513) CVE-2019-9948: Avoid file reading by disallowing local-file:// and local_file:// URL schemes in URLopener().open() and URLopener().retrieve() of urllib.request. Co-Authored-By: SH <push0ebp@gmail.com> (cherry picked from commit 0c2b6a3943aa7b022e8eb4bfd9bffcddebf9a587) (cherry picked from commit 34bab215596671d0dec2066ae7d7450cd73f638b) | 29 May 2019, 02:30:47 UTC |
| 8ab624b | Gregory P. Smith | 29 May 2019, 02:08:28 UTC | [3.6] bpo-35925: Skip SSL tests that fail due to weak external certs or old TLS (GH-13124) (GH-13252) * [3.6] bpo-35925: Skip SSL tests that fail due to weak external certs. (GH-13124) Modern Linux distros such as Debian Buster have default OpenSSL system configurations that reject connections to servers with weak certificates by default. This causes our test suite run with external networking resources enabled to skip these tests when they encounter such a failure. Fixing the network servers is a separate issue.. (cherry picked from commit 2cc0223f43a1ffd59c887a73e2b0ce5202f3be90) Co-authored-by: Gregory P. Smith <greg@krypto.org> * Also skip ssl tests that fail when the system rejects TLSv1. * Remove the test_httplib change; server was updated. self-signed.pythontest.net was updated so the test_httplib change is no longer necessary. | 29 May 2019, 02:08:27 UTC |
| 3dbc43f | Victor Stinner | 29 May 2019, 02:04:54 UTC | bpo-32947: test_ssl fixes for TLS 1.3 and OpenSSL 1.1.1 (GH-11612) Backport partially commit 529525fb5a8fd9b96ab4021311a598c77588b918: complete the previous partial backport (commit 2a4ee8aa01d61b6a9c8e9c65c211e61bdb471826. Co-Authored-By: Christian Heimes <christian@python.org> | 29 May 2019, 02:04:54 UTC |
| 2b9d7ab | Gregory P. Smith | 08 May 2019, 19:20:59 UTC | [3.6] bpo-36816: Update the self-signed.pythontest.net cert (GH-13192) (GH-13198) We updated the server, our testsuite must match. https://bugs.python.org/issue36816 ✈️ CLE -> DEN ✈️ GH-pycon2019 (cherry picked from commit 6bd81734de0b73f1431880d6a75fb71bcbc65fa1) Co-authored-by: Gregory P. Smith <greg@krypto.org> | 08 May 2019, 19:20:58 UTC |
| c50d437 | Miro Hrončok | 08 May 2019, 16:33:24 UTC | bpo-30458: Disallow control chars in http URLs. (GH-12755) (GH-13155) Disallow control chars in http URLs in urllib.urlopen. This addresses a potential security problem for applications that do not sanity check their URLs where http request headers could be injected. Disable https related urllib tests on a build without ssl (GH-13032) These tests require an SSL enabled build. Skip these tests when python is built without SSL to fix test failures. Use http.client.InvalidURL instead of ValueError as the new error case's exception. (GH-13044) Co-Authored-By: Miro Hrončok <miro@hroncok.cz> | 08 May 2019, 16:33:24 UTC |
| e5f9f4a | Miss Islington (bot) | 02 May 2019, 16:02:35 UTC | bpo-36742: Fixes handling of pre-normalization characters in urlsplit() (GH-13017) (GH-13024) (cherry picked from commit d537ab0ff9767ef024f26246899728f0116b1ec3) Co-authored-by: Steve Dower <steve.dower@python.org> | 02 May 2019, 16:02:35 UTC |
| dadc347 | Miss Islington (bot) | 02 May 2019, 16:00:33 UTC | bpo-9194: Fix the bounds checking in winreg.c's fixupMultiSZ() (GH-12687) (GH-12910) (cherry picked from commit 56ed86490cb8221c874d432461d77702437f63e5) Co-authored-by: Zackery Spytz <zspytz@gmail.com> | 02 May 2019, 16:00:33 UTC |
| fbe2a13 | Miss Islington (bot) | 29 April 2019, 19:56:58 UTC | bpo-34602: Avoid failures setting macOS stack resource limit (GH-13011) (GH-13014) Under some conditions the earlier fix for bpo-18075, "Infinite recursion tests triggering a segfault on Mac OS X", now causes failures on macOS when attempting to change stack limit with resource.setrlimit resource.RLIMIT_STACK, like regrtest does when running the test suite. The reverted change had specified a non-default stack size when linking the python executable on macOS. As of macOS 10.14.4, the previous code causes a hard failure when running tests, although similar failures had been seen under some conditions under some earlier systems. For now, revert the original change and resume using the default stack size when linking the interpreter. (cherry picked from commit 883dfc668f9730b00928730035b5dbd24b9da2a0) Co-authored-by: Ned Deily <nad@python.org> | 29 April 2019, 19:56:58 UTC |
| 4508bc3 | Julien Palard | 20 March 2019, 15:41:20 UTC | [3.6] bpo-35564: add master_doc='contents' to conf.py (GH-11290). (GH-12461) (cherry picked from commit fc8284e22074af8154e9865c8391b955f13a308b) Co-authored-by: Jean-François B <jfbu@free.fr> | 20 March 2019, 15:41:20 UTC |
| 75f8a69 | Harmon | 18 March 2019, 02:11:57 UTC | Fix "catchs" typos in NEWS entries (GH-12366) | 18 March 2019, 02:11:57 UTC |
| e601ef0 | Harmandeep Singh | 18 March 2019, 01:53:07 UTC | bpo-36195: Remove the ThreadPoolExecutor documentation mentioning the initializer feature added in Python 3.7 (GH-12182) | 18 March 2019, 01:53:07 UTC |
| 23fc041 | Steve Dower | 12 March 2019, 04:34:03 UTC | [3.6] bpo-36216: Add check for characters in netloc that normalize to separators (GH-12201) (GH-12215) | 12 March 2019, 04:34:03 UTC |
| 5565b1d | Miss Islington (bot) | 12 March 2019, 04:28:39 UTC | bpo-35647: Fix path check in cookiejar (GH-11436) (GH-12268) Co-authored-by: Xtreak <tir.karthi@gmail.com> | 12 March 2019, 04:28:39 UTC |
| b241af8 | Miss Islington (bot) | 10 March 2019, 02:59:28 UTC | bpo-35121: prefix dot in domain for proper subdomain validation (GH-10258) (GH-12260) Don't send cookies of domain A without Domain attribute to domain B when domain A is a suffix match of domain B while using a cookiejar with `http.cookiejar.DefaultCookiePolicy` policy. Patch by Karthikeyan Singaravelan. (cherry picked from commit ca7fe5063593958e5efdf90f068582837f07bd14) Co-authored-by: Xtreak <tir.karthi@gmail.com> | 10 March 2019, 02:59:28 UTC |
| fb35241 | Miss Islington (bot) | 27 February 2019, 23:46:08 UTC | Document the surprising sideeffect PyErr_Print(). (GH-12081) (GH-12084) (cherry picked from commit 4173772031747a9b249be4100b4aa9eda805ea23) Co-authored-by: Gregory P. Smith <greg@krypto.org> | 27 February 2019, 23:46:08 UTC |
| 1dee456 | Miss Islington (bot) | 24 February 2019, 07:56:12 UTC | bpo-27313: Avoid test_ttk_guionly ComboboxTest fail with macOS Cocoa Tk (GH-12011) (GH-12013) (cherry picked from commit aeca373b339e0ea9739536ce6b43bd90f3b89873) Co-authored-by: Ned Deily <nad@python.org> | 24 February 2019, 07:56:12 UTC |
| 2a3af94 | Victor Stinner | 16 February 2019, 07:23:52 UTC | bpo-35746: Credit Colin Read and Nicolas Edet (GH-11865) Add credit for the cert parser vulnerability. Mention also Cisco TALOS-2018-0758 identifier. | 16 February 2019, 07:23:52 UTC |
| c41523a | Miss Islington (bot) | 10 February 2019, 22:07:24 UTC | Doc sidebar: 3.6 has moved to security-fix mode. (GH-11810) (GH-11812) (cherry picked from commit 9db56fb8faaa3cd66e7fe82740a4ae4d786bb27f) Co-authored-by: Julien Palard <julien@palard.fr> | 10 February 2019, 22:07:24 UTC |
| 9bacdce | Anthony Sottile | 03 February 2019, 23:22:52 UTC | [3.6] bpo-35605: Fix documentation build for sphinx<1.6 (GH-11368) | 03 February 2019, 23:22:52 UTC |
| 1edb3dc | Miss Islington (bot) | 18 January 2019, 01:11:09 UTC | bpo-35486: Note Py3.6 import system API requirement change (GH-11540) (GH-11588) While the introduction of ModuleNotFoundError was fully backwards compatible on the import API consumer side, folks providing alternative implementations of `__import__` need to make an update to be forward compatible with clients that start relying on the new subclass. https://bugs.python.org/issue35486 (cherry picked from commit cee29b46a19116261b083dc803217aa754c7df40) Co-authored-by: Nick Coghlan <ncoghlan@gmail.com> | 18 January 2019, 01:11:09 UTC |
| 7887c02 | Miss Islington (bot) | 18 January 2019, 01:07:39 UTC | bpo-35525: Correct the argument name for NNTP.starttls() (GH-11310) (GH-11417) (cherry picked from commit e9a044ec16989bd4b39763c0588c17200a925350) Co-authored-by: Harmandeep Singh <harmandeep3091@gmail.com> | 18 January 2019, 01:07:39 UTC |
| dc020cc | Miss Islington (bot) | 18 January 2019, 01:02:43 UTC | Make sure file object is close if socket.create_connection fails (GH-11334) (GH-11351) The problem affects _testWithTimeoutTriggeredSend in test_socket.py. (cherry picked from commit 1f511e1af060e98fb789319a96076c06e7f98135) Co-authored-by: Pablo Galindo <Pablogsal@gmail.com> | 18 January 2019, 01:02:43 UTC |
| 7eef540 | Miss Islington (bot) | 18 January 2019, 01:00:46 UTC | bpo-35601: Alleviate race condition when waiting for SIGALRM in test_asyncio (GH-11337) (GH-11348) There is a race condition regarding signal delivery in test_signal_handling_args for test_asyncio.test_events.KqueueEventLoopTests. The signal can be received at any moment outside the time window provided in the test. The fix is to wait for the signal to be received instead with a bigger timeout. (cherry picked from commit 5471420faa84519530f29b08f2b042b2288e3e96) Co-authored-by: Pablo Galindo <Pablogsal@gmail.com> | 18 January 2019, 01:00:46 UTC |
| 216a4d8 | Miss Islington (bot) | 16 January 2019, 01:16:36 UTC | bpo-35746: Fix segfault in ssl's cert parser (GH-11569) (GH-11573) Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL distribution points with empty DP or URI correctly. A malicious or buggy certificate can result into segfault. Signed-off-by: Christian Heimes <christian@python.org> https://bugs.python.org/issue35746 (cherry picked from commit a37f52436f9aa4b9292878b72f3ff1480e2606c3) Co-authored-by: Christian Heimes <christian@python.org> | 16 January 2019, 01:16:36 UTC |
| d09e8ce | Senthil Kumaran | 10 January 2019, 18:56:02 UTC | Revert "bpo-24746: Avoid stripping trailing whitespace in doctest fancy diff (GH-10639) (GH-11477)" (GH-11509) This reverts commit 5d9ae8b9df8371dd65514e0d60b561fd37056986 which was merged to 3.6 in error. | 10 January 2019, 18:56:02 UTC |
| 5d9ae8b | Miss Islington (bot) | 09 January 2019, 14:46:28 UTC | bpo-24746: Avoid stripping trailing whitespace in doctest fancy diff (GH-10639) (#11477) (cherry picked from commit cbb16459934eaf29c7c7d362939cd05550b2f21f) Co-authored-by: Sanyam Khurana <8039608+CuriousLearner@users.noreply.github.com> | 09 January 2019, 14:46:28 UTC |
| 3e0144a | Miss Islington (bot) | 07 January 2019, 07:25:06 UTC | closes bpo-35643: Fix a SyntaxWarning: invalid escape sequence in Modules/_sha3/cleanup.py (GH-11413) (cherry picked from commit d466c43e55cd32af84e353f0e9a48b09b7534f61) Co-authored-by: Mickaël Schoentgen <contact@tiger-222.fr> | 07 January 2019, 07:25:06 UTC |
| c234061 | Benjamin Peterson | 02 January 2019, 16:23:51 UTC | [3.6] Bump copyright years to 2019. (GH-11407) (cherry picked from commit 9a69ae8a78785105ded02b083b2e5cd2dd939307) | 02 January 2019, 16:23:51 UTC |
| de66b8d | Miss Islington (bot) | 02 January 2019, 02:04:25 UTC | closes bpo-35630: Use code tag for 'python3' in 'README.rst' (GH-11400) (cherry picked from commit 7e3fb40b923cb09ecc67816d3191197868593737) Co-authored-by: Suriyaa ✌️️ <isc.suriyaa@gmail.com> | 02 January 2019, 02:04:25 UTC |
| be77fb7 | Ned Deily | 24 December 2018, 09:03:37 UTC | Post release bump | 24 December 2018, 09:03:37 UTC |
| e5fdab2 | Ned Deily | 24 December 2018, 06:49:16 UTC | Revert "bpo-35402: Update macOS installer to use Tcl 8.6.9 / Tk 8.6.9.1 (GH-11101)" This reverts commit 37607f26697351751165a042f91f04530ce333f7. Due to regressions found with using Tk 8.6.9.1, the python.org macOS installers for 3.6.8 and 3.7.2 are shipping with Tcl/Tk 8.6.8 as used in previous releases. | 24 December 2018, 07:06:19 UTC |
| 3c6b436 | Ned Deily | 23 December 2018, 21:37:14 UTC | 3.6.8final | 23 December 2018, 21:37:14 UTC |
| 68f5dfd | Miss Islington (bot) | 23 December 2018, 20:54:57 UTC | bpo-35257: fix broken BLDSHARED - needs LDFLAGS too (GH-11297) (GH-11299) `BLDSHARED` needs to have both `LDFLAGS` and `LDFLAGS_NODIST`, not just `LDFLAGS_NODIST`; `PY_CORE_LDFLAGS` provides both. For example, as it stands now with just `LDFLAGS_NODIST`, macOS universal builds are broken as the necessary `-arch` flags are no longer passed to the standard library extension module link step from `setup.py` resulting in extension modules being single architecture only. https://bugs.python.org/issue35257 (cherry picked from commit 44a3ee07e30e18d83e2730c093d8b0e930f0a06c) Co-authored-by: Ned Deily <nad@python.org> | 23 December 2018, 20:54:57 UTC |
| 5241ecf | Miss Islington (bot) | 20 December 2018, 21:52:09 UTC | bpo-35259: Limit `Py_FinalizeEx()` to `Py_LIMITED_API >= 0x03060000`. (GH-10620) (GH-11269) (cherry picked from commit 3e8f962e63c2f929604443531a9a3aced242f3e8) Co-authored-by: Arthur Neufeld <aneufeld@seinesoftware.ca> | 20 December 2018, 21:52:09 UTC |
| 3a26b59 | Miss Islington (bot) | 20 December 2018, 21:34:21 UTC | Fix documented signatures for C API functions. (GH-11236) (GH-11240) (cherry picked from commit 57dd79e6f7f33bb4e6817ac58c9cb91de99675e0) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> | 20 December 2018, 21:34:21 UTC |
| ff740db | Miss Islington (bot) | 20 December 2018, 21:28:30 UTC | bpo-35461: Document C API functions which suppress exceptions. (GH-11119) (GH-11210) (cherry picked from commit 3fcc1e08db6fb7e17acc4a8f63be3e42f52f094b) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> | 20 December 2018, 21:28:30 UTC |
| 75f1874 | Miss Islington (bot) | 20 December 2018, 20:50:00 UTC | bpo-35475: Add more PyImport* functions in refcounts.dat. (GH-11142) (GH-11199) (cherry picked from commit bdabb0737c631835b246c9823852d20331243315) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> | 20 December 2018, 20:50:00 UTC |
| a21bedf | Victor Stinner | 20 December 2018, 20:31:22 UTC | [3.6] bpo-35257: Avoid leaking LTO linker flags into distutils (GH-10900) (GH-11265) When compiling 3rd party C extensions, the linker flags used by the compiler for the interpreter and the stdlib modules, will get leaked into distutils. In order to avoid that, the PY_CORE_LDFLAGS and PY_LDFLAGS_NODIST are introduced to keep those flags separated. (cherry picked from commit cf10a750f4b50b6775719cfb17bee00bc3a9c60b) | 20 December 2018, 20:31:22 UTC |
| 70db385 | Myles Borins | 20 December 2018, 20:28:28 UTC | [3.6] bpo-31715 Add mimetype for extension .mjs (GH-3908) (GH-10976) (cherry picked from commit 0854b92cd2) | 20 December 2018, 20:28:28 UTC |
| 782e1d5 | Victor Stinner | 20 December 2018, 19:46:07 UTC | bpo-35499: make profile-opt don't override CFLAGS_NODIST (GH-11164) (GH-11267) "make profile-opt" no longer replaces CFLAGS_NODIST with CFLAGS. It now adds profile-guided optimization (PGO) flags to CFLAGS_NODIST, existing CFLAGS_NODIST flags are kept. (cherry picked from commit 640ed520dd6a43a8bf470b79542f58b5d57af9de) | 20 December 2018, 19:46:07 UTC |
| 789b0ee | Steve Dower | 20 December 2018, 19:11:39 UTC | bpo-35482: Fixes HTML escaping in CHM index and build location of NEWS file (GH-11224) (GH-11251) | 20 December 2018, 19:11:39 UTC |
| 1fb312c | Miss Islington (bot) | 14 December 2018, 20:37:45 UTC | bpo-35450: reflect in docs that venv module is not always creating a copy of the Python binary (GH-11144) (GH-11168) | 14 December 2018, 20:37:45 UTC |
| f2df9b9 | Ned Deily | 12 December 2018, 02:08:25 UTC | Post release bump | 12 December 2018, 02:08:25 UTC |
| cc3e732 | Ned Deily | 11 December 2018, 21:47:14 UTC | 3.6.8rc1 | 11 December 2018, 21:47:14 UTC |
| d23e1ea | Ned Deily | 11 December 2018, 21:28:57 UTC | Minor edits to NEWS entries | 11 December 2018, 21:28:57 UTC |
| 2c1c4a5 | Ned Deily | 11 December 2018, 21:03:42 UTC | Update macOS installer Welcome for 3.6.8 | 11 December 2018, 21:03:42 UTC |
| 56f86fc | Ned Deily | 11 December 2018, 03:05:14 UTC | macOS installer build: mitigate hdiutil resource busy bug | 11 December 2018, 20:56:50 UTC |
| 9756876 | Miss Islington (bot) | 11 December 2018, 12:22:53 UTC | bpo-35412: Skip test_multiprocessing_fork and test_multiprocessing_forkserver on Windows (GH-11086) Forkserver and fork are not available on Windows and therefore these test must be skipped. (cherry picked from commit a932d0b496767b5aac14191cbc17093e502b6cb4) Co-authored-by: Pablo Galindo <Pablogsal@gmail.com> | 11 December 2018, 12:22:53 UTC |
| 869e23e | Miss Islington (bot) | 11 December 2018, 11:56:50 UTC | bpo-35426: Eliminate race condition in test_interprocess_signal (GH-11087) The test only except SIGUSR1Exception inside wait_signal(), but the signal can be sent during subprocess_send_signal() call. (cherry picked from commit 2ab2afd387084ba38a37f5944fcb0675113b64dc) Co-authored-by: Pablo Galindo <Pablogsal@gmail.com> | 11 December 2018, 11:56:50 UTC |
| 7d9f219 | Miss Islington (bot) | 11 December 2018, 10:17:37 UTC | [3.6] bpo-33747: Avoid mutating the global sys.modules dict in unittest.mock tests (GH-8520) (GH-11032) (cherry picked from commit 3cf74384b53b998fa846dc2590cedf9ad2a0d5fd) Co-authored-by: Anirudha Bose <ani07nov@gmail.com> https://bugs.python.org/issue33747 | 11 December 2018, 10:17:37 UTC |
| be6ec44 | Miss Islington (bot) | 11 December 2018, 10:13:14 UTC | bpo-35444: Fix error handling when fail to look up builtin "getattr". (GH-11047) (GH-11107) (GH-11108) (cherry picked from commit bb86bf4c4eaa30b1f5192dab9f389ce0bb61114d) (cherry picked from commit 3cae16d2e98ffaa89ddd311df70a857dfaff4020) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> | 11 December 2018, 10:13:14 UTC |
| f74cabd | Ned Deily | 11 December 2018, 09:28:31 UTC | [3.6] bpo-15663: the 10.6+ macOS installers for 3.6/2.7 now provide a private Tcl/Tk 8.6 (GH-11109) | 11 December 2018, 09:28:31 UTC |
| 8855d93 | Serhiy Storchaka | 11 December 2018, 07:27:50 UTC | [3.6] bpo-35454: Fix miscellaneous minor issues in error handling. (GH-11077) (GH-11106) (cherry picked from commit 8905fcc85a6fc3ac394bc89b0bbf40897e9497a6) | 11 December 2018, 07:27:50 UTC |
| 37607f2 | Miss Islington (bot) | 11 December 2018, 06:29:45 UTC | bpo-35402: Update macOS installer to use Tcl 8.6.9 / Tk 8.6.9.1 (GH-11101) (cherry picked from commit 7cf3d8e25174c8871883e42f3240fd7f01efd3a8) Co-authored-by: Ned Deily <nad@python.org> | 11 December 2018, 06:29:45 UTC |
| 419b5ff | Ned Deily | 11 December 2018, 05:37:53 UTC | [3.6] bpo-35401: Update macOS installer to OpenSSL 1.0.2q (GH-11095) https://bugs.python.org/issue35401 | 11 December 2018, 05:37:53 UTC |
| 309d720 | Steve Dower | 11 December 2018, 03:52:51 UTC | bpo-35401: Updates Windows build to OpenSSL 1.0.2q (GH-11089) | 11 December 2018, 03:52:51 UTC |
| b1f98d4 | Miss Islington (bot) | 10 December 2018, 20:48:10 UTC | Fix numbered lists in stdtypes.rst. (GH-10989) (cherry picked from commit de9e9b476ec4abfb0b9161cff0e86bb7085ca8c6) Co-authored-by: Andre Delfino <adelfino@gmail.com> | 10 December 2018, 20:48:10 UTC |
| f04cc5f | Jeremy Kloth | 10 December 2018, 20:31:37 UTC | [3.6] bpo-35433: Properly detect installed SDK versions (GH-11009) | 10 December 2018, 20:31:37 UTC |
| 3acf30d | Miss Islington (bot) | 10 December 2018, 15:41:11 UTC | bpo-31374: expat doesn't include <pyconfig.h> on Windows (GH-11079) (cherry picked from commit b6ef6f69a9afc979640a5f9883f799de1364bff7) Co-authored-by: Victor Stinner <vstinner@redhat.com> | 10 December 2018, 15:41:11 UTC |
| 7215e48 | Miss Islington (bot) | 10 December 2018, 11:35:18 UTC | bpo-31374: Include pyconfig.h earlier in expat (GH-11064) Include <pyconfig.h> ealier in Modules/expat/xmltok.c to define properly _POSIX_C_SOURCE. Python defines _POSIX_C_SOURCE as 200809L, whereas <features.h> (included indirectly by <string.h>) defines _POSIX_C_SOURCE as 199506L. (cherry picked from commit cf247359d5b7082044eea1fa94b5211a172b1ff6) Co-authored-by: Victor Stinner <vstinner@redhat.com> | 10 December 2018, 11:35:18 UTC |
| bad41ce | Victor Stinner | 10 December 2018, 11:12:47 UTC | bpo-35050: AF_ALG length check off-by-one error (GH-10058) (GH-11070) The length check for AF_ALG salg_name and salg_type had a off-by-one error. The code assumed that both values are not necessarily NULL terminated. However the Kernel code for alg_bind() ensures that the last byte of both strings are NULL terminated. Signed-off-by: Christian Heimes <christian@python.org> (cherry picked from commit 2eb6ad8578fa9d764c21a92acd8e054e3202ad19) | 10 December 2018, 11:12:47 UTC |
| 3fd9755 | Victor Stinner | 10 December 2018, 10:53:09 UTC | bpo-35052: Fix handler on xml.dom.minidom.cloneNode() (GH-11061) (GH-11067) Fix xml.dom.minidom cloneNode() on a document with an entity: pass the correct arguments to the user data handler of an entity (fix an old copy/paste mistake). Bug spotted and fix proposed by Charalampos Stratakis, initial reproducer written by Petr Viktorin. Co-Authored-By: Charalampos Stratakis <cstratak@redhat.com> Co-Authored-By: Petr Viktorin <encukou@gmail.com> (cherry picked from commit 8e0418688906206fe59bd26344320c0fc026849e) | 10 December 2018, 10:53:09 UTC |
| f2d2cb1 | Miss Islington (bot) | 09 December 2018, 08:35:13 UTC | bpo-35351: Pass link time optimization flags to CFLAGS_NODIST (GH-10797) When using link time optimizations, the -flto flag is passed to BASECFLAGS, which makes it propagate to distutils. Those flags should be reserved for the interpreter and the stdlib extension modules only, thus moving those flags to CFLAGS_NODIST. (cherry picked from commit f92c7aa1ae81efa475b5aecf66e4711ef0f52c4c) Co-authored-by: stratakis <cstratak@redhat.com> | 09 December 2018, 08:35:13 UTC |
| f83ee47 | stratakis | 09 December 2018, 08:08:43 UTC | bpo-28015: Support LTO build with clang (GH-9908) (GH-10922) .o generated by clang in LTO mode actually are LLVM bitcode files, which leads to a few errors during configure/build step: - add lto flags to the BASECFLAGS instead of CFLAGS, as CFLAGS are used to build autoconf test case, and some are not compatible with clang LTO (they assume binary in the .o, not bitcode) - force llvm-ar instead of ar, as ar is not aware of .o files generated by clang -flto (cherry picked from commit 5ad36f9b21a3aa3b2265b1b43d73522cc3322df2) Co-authored-by: serge-sans-paille <serge.guelton@telecom-bretagne.eu> | 09 December 2018, 08:08:43 UTC |
| df5d884 | Miss Islington (bot) | 09 December 2018, 07:11:31 UTC | bpo-33725: skip test_multiprocessing_fork on macOS (GH-11043) (cherry picked from commit ac218bc5dbfabbd61c76ce8a17de088611e21981) Co-authored-by: Ned Deily <nad@python.org> | 09 December 2018, 07:11:31 UTC |
| 23a98ab | Miss Islington (bot) | 09 December 2018, 05:34:30 UTC | [3.7] Doc: Bump sphinx. (GH-10676) (GH-10803) (cherry picked from commit 2db96ae7444880d66d4ef65abab8a5e6ff328711) Co-authored-by: Julien Palard <julien@palard.fr> | 09 December 2018, 05:34:30 UTC |
| 25555e0 | Miss Islington (bot) | 08 December 2018, 14:39:37 UTC | bpo-35441: Remove dead and buggy code related to PyList_SetItem(). (GH-11033) In _localemodule.c and selectmodule.c, remove dead code that would cause double decrefs if run. In addition, replace PyList_SetItem() with PyList_SET_ITEM() in cases where a new list is populated and there is no possibility of an error. In addition, check if the list changed size in the loop in array_array_fromlist(). (cherry picked from commit 99d56b53560b3867844472ae381fb3f858760621) Co-authored-by: Zackery Spytz <zspytz@gmail.com> | 08 December 2018, 14:39:37 UTC |
| 12b9fb6 | Miss Islington (bot) | 08 December 2018, 11:41:52 UTC | bpo-35330: Don't call the wrapped object if `side_effect` is set (GH11034) * tests: Further validate `wraps` functionality in `unittest.mock.Mock` Add more tests to validate how `wraps` interacts with other features of mocks. * Don't call the wrapped object if `side_effect` is set When a object is wrapped using `Mock(wraps=...)`, if an user sets a `side_effect` in one of their methods, return the value of `side_effect` and don't call the original object. * Refactor what to be called on `mock_call` When a `Mock` is called, it should return looking up in the following order: `side_effect`, `return_value`, `wraps`. If any of the first two return `mock.DEFAULT`, lookup in the next option. It makes no sense to check for `wraps` returning default, as it is supposed to be the original implementation and there is nothing to fallback to. (cherry picked from commit f05df0a4b679d0acfd0b1fe6187ba2d553b37afa) Co-authored-by: Mario Corchero <mariocj89@gmail.com> | 08 December 2018, 11:41:52 UTC |
