| 9a2d531 | Łukasz Langa | 06 June 2023, 13:32:21 UTC | Python 3.8.17 | 06 June 2023, 13:32:21 UTC |
| 43eff24 | Łukasz Langa | 06 June 2023, 13:17:42 UTC | [3.8] gh-103142: Upgrade binary builds and CI to OpenSSL 1.1.1u (GH-105174) (GH-105200) (GH-105205) (#105370) Upgrade builds to OpenSSL 1.1.1u. Also updates _ssl_data_111.h from OpenSSL 1.1.1u, _ssl_data_300.h from 3.0.9. Manual edits to the _ssl_data_300.h file prevent it from removing any existing definitions in case those exist in some peoples builds and were important (avoiding regressions during backporting). (cherry picked from commit ede89af) (cherry picked from commit e15de14c16ce98e773c31607bd70ee911e4ac073) Co-authored-by: Gregory P. Smith <greg@krypto.org> Co-authored-by: Ned Deily <nad@python.org> | 06 June 2023, 13:17:42 UTC |
| 9c2ff15 | stratakis | 05 June 2023, 15:42:56 UTC | [3.8] gh-102153: Start stripping C0 control and space chars in `urlsplit` (GH-102508) (GH-104575) (GH-104592) (#104593) (#104895) `urllib.parse.urlsplit` has already been respecting the WHATWG spec a bit GH-25595. This adds more sanitizing to respect the "Remove any leading C0 control or space from input" [rule](https://url.spec.whatwg.org/GH-url-parsing:~:text=Remove%20any%20leading%20and%20trailing%20C0%20control%20or%20space%20from%20input.) in response to [CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329). I simplified the docs by eliding the state of the world explanatory paragraph in this security release only backport. (people will see that in the mainline /3/ docs) (cherry picked from commit d7f8a5fe07b0ff3a419ccec434cc405b21a5a304) (cherry picked from commit 2f630e1ce18ad2e07428296532a68b11dc66ad10) (cherry picked from commit 610cc0ab1b760b2abaac92bd256b96191c46b941) (cherry picked from commit f48a96a28012d28ae37a2f4587a780a5eb779946) Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> Co-authored-by: Illia Volochii <illia.volochii@gmail.com> Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org> | 05 June 2023, 15:42:56 UTC |
| c43c50e | Miss Islington (bot) | 05 June 2023, 15:41:14 UTC | [3.8] gh-105184: document that marshal functions can fail and need to be checked with PyErr_Occurred (GH-105185) (#105222) (cherry picked from commit ee26ca13a129da8cf549409d0a1b2e892ff2b4ec) Co-authored-by: Irit Katriel <1055913+iritkatriel@users.noreply.github.com> | 05 June 2023, 15:41:14 UTC |
| b28acfa | Ned Deily | 05 June 2023, 06:11:31 UTC | [3.8] Update GitHub CI workflow for macOS. (GH-105302) | 05 June 2023, 06:11:31 UTC |
| d958960 | Ned Deily | 05 June 2023, 03:52:32 UTC | [3.8] gh-68966: fix versionchanged in docs (GH-105299) | 05 June 2023, 03:52:32 UTC |
| 9f89c47 | Steve Dower | 22 May 2023, 10:40:02 UTC | [3.8] gh-103935: Use `io.open_code()` when executing code in trace and profile modules (GH-103947) (#103954) Co-authored-by: Tian Gao <gaogaotiantian@hotmail.com> | 22 May 2023, 10:40:02 UTC |
| 2062fce | Miss Islington (bot) | 22 May 2023, 10:39:50 UTC | [3.8] gh-104049: do not expose on-disk location from SimpleHTTPRequestHandler (GH-104067) (#104121) Do not expose the local server's on-disk location from `SimpleHTTPRequestHandler` when generating a directory index. (unnecessary information disclosure) (cherry picked from commit c7c3a60c88de61a79ded9fdaf6bc6a29da4efb9a) Co-authored-by: Ethan Furman <ethan@stoneleaf.us> Co-authored-by: Gregory P. Smith <greg@krypto.org> Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com> | 22 May 2023, 10:39:50 UTC |
| 47ec96a | Miss Islington (bot) | 22 May 2023, 10:39:26 UTC | [3.8] gh-99889: Fix directory traversal security flaw in uu.decode() (GH-104096) (#104332) (cherry picked from commit 0aeda297931820436a50b78f4f7f0597274b5df4) Co-authored-by: Sam Carroll <70000253+samcarroll42@users.noreply.github.com> | 22 May 2023, 10:39:26 UTC |
| 79e63e5 | Petr Viktorin | 17 May 2023, 12:23:56 UTC | [3.8] gh-102950: Implement PEP 706 – Filter for tarfile.extractall (GH-102953) (#104548) Backport of c8c3956d905e019101038b018129a4c90c9c9b8f | 17 May 2023, 12:23:56 UTC |
| 3205d1f | Pradyun Gedam | 28 March 2023, 08:55:50 UTC | [3.8] gh-101997: Update bundled pip version to 23.0.1 (GH-101998). (#102244) (cherry picked from commit 89d9ff0f48c51a85920c7372a7df4a2204e32ea5) | 28 March 2023, 08:55:50 UTC |
| 045b252 | Miss Islington (bot) | 13 March 2023, 23:29:24 UTC | [3.8] gh-102627: Replace address pointing toward malicious web page (GH-102630) (GH-102667) (cherry picked from commit 61479d46848bc7a7f9b571b0b09c4a4b4436d839) Co-authored-by: Blind4Basics <32236948+Blind4Basics@users.noreply.github.com> Co-authored-by: C.A.M. Gerlach <CAM.Gerlach@Gerlach.CAM> Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com> | 13 March 2023, 23:29:24 UTC |
| ddd495e | Steve Dower | 07 March 2023, 23:03:06 UTC | [3.8] gh-101726: Update the OpenSSL version to 1.1.1t (GH-101727) (GH-101752) Fixes CVE-2023-0286 (High) and a couple of Medium security issues. https://www.openssl.org/news/secadv/20230207.txt Co-authored-by: Gregory P. Smith <greg@krypto.org> Co-authored-by: Ned Deily <nad@python.org> | 07 March 2023, 23:03:06 UTC |
| 4812813 | Ned Deily | 04 March 2023, 21:07:35 UTC | [3.8] GH-102306 Avoid GHA CI macOS test_posix failure by using the appropriate macOS SDK (GH-102307) [3.8] Avoid GHA CI macOS test_posix failure by using the appropriate macOS SDK. | 04 March 2023, 21:07:35 UTC |
| 7a3db0c | Dong-hee Na | 21 February 2023, 16:33:12 UTC | [3.8] gh-101981: Fix Ubuntu SSL tests with OpenSSL (3.1.0-beta1) CI i… (#102095) [3.8] gh-101981: Fix Ubuntu SSL tests with OpenSSL (3.1.0-beta1) CI issue (gh-102079) | 21 February 2023, 16:33:12 UTC |
| 32a1a61 | Miss Islington (bot) | 09 February 2023, 10:00:51 UTC | [3.8] gh-101283: Improved fallback logic for subprocess with shell=True on Windows (GH-101286) (#101710) Co-authored-by: Oleg Iarygin <oleg@arhadthedev.net> Co-authored-by: Steve Dower <steve.dower@microsoft.com> | 09 February 2023, 10:00:51 UTC |
| 41d301a | Éric | 08 February 2023, 10:06:21 UTC | [3.8] gh-95778: add doc missing in some places (GH-100627) (#101630) (cherry picked from commit 46521826cb1883e29e4640f94089dd92c57efc5b) | 08 February 2023, 10:06:21 UTC |
| db924a4 | Miss Islington (bot) | 30 January 2023, 18:11:54 UTC | gh-101422: (docs) TarFile default errorlevel argument is 1, not 0 (GH-101424) (cherry picked from commit ea232716d3de1675478db3a302629ba43194c967) Co-authored-by: Owain Davies <116417456+OTheDev@users.noreply.github.com> | 30 January 2023, 18:11:54 UTC |
| be3b5f7 | Steve Dower | 23 January 2023, 17:53:56 UTC | [3.8] gh-100180: Update Windows installer to OpenSSL 1.1.1s (GH-100903) (#101258) | 23 January 2023, 17:53:56 UTC |
| e57a3c1 | Miss Islington (bot) | 21 January 2023, 19:40:58 UTC | [3.8] Bump Azure Pipelines to ubuntu-22.04 (GH-101089) (#101215) (cherry picked from commit c22a55c8b4f142ff679880ec954691d5920b7845) Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com> | 21 January 2023, 19:40:58 UTC |
| 594ba19 | Gregory P. Smith | 20 January 2023, 22:20:09 UTC | [3.8] Correct CVE-2020-10735 documentation (GH-100306) (#100698) (cherry picked from commit 1cf3d78c92eb07dc09d15cc2e773b0b1b9436825) (cherry picked from commit 88fe8d701af3316c8869ea18ea1c7acec6f68c04) Co-authored-by: Jeremy Paige <ucodery@gmail.com> Co-authored-by: Gregory P. Smith <greg@krypto.org> | 20 January 2023, 22:20:09 UTC |
| 6924cba | Miss Islington (bot) | 09 January 2023, 03:13:24 UTC | [3.8] Update copyright year in README (GH-100863) (GH-100867) (cherry picked from commit 30a6cc418a60fccb91ba574b552203425e594c47) Co-authored-by: Ned Deily <nad@python.org> Co-authored-by: HARSHA VARDHAN <75431678+Thunder-007@users.noreply.github.com> | 09 January 2023, 03:13:24 UTC |
| 30afa75 | Benjamin Peterson | 08 January 2023, 23:00:31 UTC | [3.8] Update copyright years to 2023. (gh-100852) * [3.8] Update copyright years to 2023. (gh-100848). (cherry picked from commit 11f99323c2ae0ec428c370a335695e3d8d4afc1d) Co-authored-by: Benjamin Peterson <benjamin@python.org> * Update additional copyright years to 2023. Co-authored-by: Ned Deily <nad@python.org> | 08 January 2023, 23:00:31 UTC |
| 266a502 | Łukasz Langa | 06 December 2022, 19:33:43 UTC | Post 3.8.16 | 06 December 2022, 19:33:43 UTC |
| 1e3d2d5 | Łukasz Langa | 06 December 2022, 18:59:58 UTC | Python 3.8.16 | 06 December 2022, 18:59:58 UTC |
| e43393a | Miss Islington (bot) | 06 December 2022, 10:20:22 UTC | [3.8] gh-100001: Omit control characters in http.server stderr logs. (GH-100002) (#100033) * gh-100001: Omit control characters in http.server stderr logs. (GH-100002) Replace control characters in http.server.BaseHTTPRequestHandler.log_message with an escaped \xHH sequence to avoid causing problems for the terminal the output is printed to. (cherry picked from commit d8ab0a4dfa48f881b4ac9ab857d2e9de42f72828) Co-authored-by: Gregory P. Smith <greg@krypto.org> * also escape \s (backport of PR #100038). * add versionadded and remove extraneous 'to' Co-authored-by: Gregory P. Smith <greg@krypto.org> | 06 December 2022, 10:20:22 UTC |
| b50b6f9 | Miss Islington (bot) | 21 November 2022, 21:06:01 UTC | [3.8] gh-87604: Avoid publishing list of active per-interpreter audit hooks via the gc module (GH-99373) (GH-99661) (cherry picked from commit 7b98207aa46bd637d07a7c4a84e998726b74acde) Co-authored-by: Steve Dower <steve.dower@python.org> | 21 November 2022, 21:06:01 UTC |
| 82ca283 | Miss Islington (bot) | 10 November 2022, 15:55:43 UTC | [3.8] gh-98433: Fix quadratic time idna decoding. (GH-99092) (GH-99222) (GH-99231) There was an unnecessary quadratic loop in idna decoding. This restores the behavior to linear. (cherry picked from commit d315722564927c7202dd6e111dc79eaf14240b0d) (cherry picked from commit a6f6c3a3d6f2b580f2d87885c9b8a9350ad7bf15) Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> Co-authored-by: Gregory P. Smith <greg@krypto.org> | 10 November 2022, 15:55:43 UTC |
| 948c679 | Miss Islington (bot) | 28 October 2022, 10:07:50 UTC | [3.8] gh-98517: Fix buffer overflows in _sha3 module (GH-98519) (#98527) This is a port of the applicable part of XKCP's fix [1] for CVE-2022-37454 and avoids the segmentation fault and the infinite loop in the test cases published in [2]. [1]: https://github.com/XKCP/XKCP/commit/fdc6fef075f4e81d6b1bc38364248975e08e340a [2]: https://mouha.be/sha-3-buffer-overflow/ Regression test added by: Gregory P. Smith [Google LLC] <greg@krypto.org> (cherry picked from commit 0e4e058602d93b88256ff90bbef501ba20be9dd3) Co-authored-by: Theo Buehler <botovq@users.noreply.github.com> | 28 October 2022, 10:07:50 UTC |
| 0037d46 | Miss Islington (bot) | 28 October 2022, 10:07:14 UTC | [3.8] gh-98739: Update libexpat from 2.4.9 to 2.5.0 (GH-98742) (#98787) Update libexpat from 2.4.9 to 2.5.0 to address CVE-2022-43680. Co-authored-by: Shaun Walbridge <shaun.walbridge@gmail.com> (cherry picked from commit 3e07f827b359617664ad0880f218f17ae4483299) | 28 October 2022, 10:07:14 UTC |
| 0a4f650 | Miss Islington (bot) | 11 October 2022, 21:58:03 UTC | [3.8] gh-68966: Make mailcap refuse to match unsafe filenames/types/params (GH-91993) (#98192) gh-68966: Make mailcap refuse to match unsafe filenames/types/params (GH-91993) (cherry picked from commit b9509ba7a9c668b984dab876c7926fe1dc5aa0ba) Co-authored-by: Petr Viktorin <encukou@gmail.com> Co-authored-by: Łukasz Langa <lukasz@langa.pl> | 11 October 2022, 21:58:03 UTC |
| a44cc0a | Miss Islington (bot) | 11 October 2022, 21:13:43 UTC | [3.8] gh-96710: Make the test timing more lenient for the int/str DoS regression test. (GH-96717) (#98197) gh-96710: Make the test timing more lenient for the int/str DoS regression test. (GH-96717) A regression would still absolutely fail and even a flaky pass isn't harmful as it'd fail most of the time across our N system test runs. Windows has a low resolution timer and CI systems are prone to odd timing so this just gives more leeway to avoid flakiness. (cherry picked from commit 11e3548fd1d3445ccde971d613633b58d73c3016) Co-authored-by: Gregory P. Smith <greg@krypto.org> | 11 October 2022, 21:13:43 UTC |
| 4f1364c | Łukasz Langa | 11 October 2022, 18:09:14 UTC | Post 3.8.15 | 11 October 2022, 18:09:14 UTC |
| 44adf8a | Łukasz Langa | 11 October 2022, 15:42:49 UTC | Python 3.8.15 | 11 October 2022, 15:42:49 UTC |
| dca2fd2 | Miss Islington (bot) | 04 October 2022, 18:58:10 UTC | [3.8] gh-95778: Mention sys.set_int_max_str_digits() in error message (GH-96874) (GH-96877) (GH-97835) [3.9] gh-95778: Mention sys.set_int_max_str_digits() in error message (GH-96874) (GH-96877) When ValueError is raised if an integer is larger than the limit, mention sys.set_int_max_str_digits() in the error message. (cherry picked from commit e841ffc915e82e5ea6e3b473205417d63494808d) Co-authored-by: Ned Deily <nad@python.org> (cherry picked from commit 41188134bd2120f0cedd681ed88743c11c7f3742) Co-authored-by: Victor Stinner <vstinner@python.org> | 04 October 2022, 18:58:10 UTC |
| 18a0cdb | Miss Islington (bot) | 04 October 2022, 18:57:06 UTC | [3.8] gh-96848: Fix -X int_max_str_digits option parsing (GH-96988) (GH-97575) Fix command line parsing: reject "-X int_max_str_digits" option with no value (invalid) when the PYTHONINTMAXSTRDIGITS environment variable is set to a valid limit. (cherry picked from commit 41351662bcd21672d8ccfa62fe44d72027e6bcf8) Co-authored-by: Victor Stinner <vstinner@python.org> | 04 October 2022, 18:57:06 UTC |
| 12c72d6 | Miss Islington (bot) | 04 October 2022, 18:07:09 UTC | [3.8] gh-96577: Fixes buffer overrun in _msi module (GH-96633) (GH-96658) gh-96577: Fixes buffer overrun in _msi module (GH-96633) (cherry picked from commit 4114bcc9ef7595a07196bcecf9c7d6d39f57f64d) Co-authored-by: Steve Dower <steve.dower@python.org> | 04 October 2022, 18:07:09 UTC |
| 069b718 | Miss Islington (bot) | 04 October 2022, 18:06:26 UTC | [3.8] gh-97005: Update libexpat from 2.4.7 to 2.4.9 (gh-97006) (gh-97013) gh-97005: Update libexpat from 2.4.7 to 2.4.9 (gh-97006) Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org> (cherry picked from commit 10e3d398c31cc1695752fc52bc6ca2ce9ef6237e) Co-authored-by: Dong-hee Na <donghee.na@python.org> | 04 October 2022, 18:06:26 UTC |
| f9ce9d4 | Miss Islington (bot) | 04 October 2022, 17:08:24 UTC | [3.8] gh-97616: list_resize() checks for integer overflow (GH-97617) (GH-97628) gh-97616: list_resize() checks for integer overflow (GH-97617) Fix multiplying a list by an integer (list *= int): detect the integer overflow when the new allocated length is close to the maximum size. Issue reported by Jordan Limor. list_resize() now checks for integer overflow before multiplying the new allocated length by the list item size (sizeof(PyObject*)). (cherry picked from commit a5f092f3c469b674b8d9ccbd4e4377230c9ac7cf) Co-authored-by: Victor Stinner <vstinner@python.org> | 04 October 2022, 17:08:24 UTC |
| 9062049 | Miss Islington (bot) | 04 October 2022, 17:07:55 UTC | [3.8] gh-97612: Fix shell injection in get-remote-certificate.py (GH-97613) (GH-97633) Fix a shell code injection vulnerability in the get-remote-certificate.py example script. The script no longer uses a shell to run "openssl" commands. Issue reported and initial fix by Caleb Shortt. Remove the Windows code path to send "quit" on stdin to the "openssl s_client" command: use DEVNULL on all platforms instead. Co-authored-by: Caleb Shortt <caleb@rgauge.com> (cherry picked from commit 83a0f44ffd8b398673ae56c310cf5768d359c341) Co-authored-by: Victor Stinner <vstinner@python.org> | 04 October 2022, 17:07:55 UTC |
| 246a044 | Ned Deily | 11 September 2022, 18:50:47 UTC | [3.8] Update bugs URL references in README and Docs/bugs.rst from bpo to gh issues (GH-96728) Co-authored-by: roy reznik <royreznik@gmail.com> Co-authored-by: Inada Naoki <songofacandy@gmail.com> Co-authored-by: Ezio Melotti <ezio.melotti@gmail.com> | 11 September 2022, 18:50:47 UTC |
| 67d5c50 | Łukasz Langa | 06 September 2022, 21:13:41 UTC | Post 3.8.14 | 06 September 2022, 21:13:41 UTC |
| f43e767 | Łukasz Langa | 06 September 2022, 18:54:44 UTC | Python 3.8.14 | 06 September 2022, 20:59:22 UTC |
| b5e331f | Gregory P. Smith | 05 September 2022, 20:26:09 UTC | [3.8] gh-95778: CVE-2020-10735: Prevent DoS by very large int() (#96503) * Correctly pre-check for int-to-str conversion Converting a large enough `int` to a decimal string raises `ValueError` as expected. However, the raise comes _after_ the quadratic-time base-conversion algorithm has run to completion. For effective DOS prevention, we need some kind of check before entering the quadratic-time loop. Oops! =) The quick fix: essentially we catch _most_ values that exceed the threshold up front. Those that slip through will still be on the small side (read: sufficiently fast), and will get caught by the existing check so that the limit remains exact. The justification for the current check. The C code check is: ```c max_str_digits / (3 * PyLong_SHIFT) <= (size_a - 11) / 10 ``` In GitHub markdown math-speak, writing $M$ for `max_str_digits`, $L$ for `PyLong_SHIFT` and $s$ for `size_a`, that check is: $$\left\lfloor\frac{M}{3L}\right\rfloor \le \left\lfloor\frac{s - 11}{10}\right\rfloor$$ From this it follows that $$\frac{M}{3L} < \frac{s-1}{10}$$ hence that $$\frac{L(s-1)}{M} > \frac{10}{3} > \log_2(10).$$ So $$2^{L(s-1)} > 10^M.$$ But our input integer $a$ satisfies $|a| \ge 2^{L(s-1)}$, so $|a|$ is larger than $10^M$. This shows that we don't accidentally capture anything _below_ the intended limit in the check. <!-- gh-issue-number: gh-95778 --> * Issue: gh-95778 <!-- /gh-issue-number --> Co-authored-by: Gregory P. Smith [Google LLC] <greg@krypto.org> Co-authored-by: Christian Heimes <christian@python.org> Co-authored-by: Mark Dickinson <dickinsm@gmail.com> | 05 September 2022, 20:26:09 UTC |
| 4f100fe | Dong-hee Na | 28 July 2022, 19:30:13 UTC | [3.8] gh-90359: Update documentation to follow PEP 495. (gh-94800). (GH-94834) (cherry picked from commit 07374cce52abb7fd39729dc1b646ca3029b64c64) Co-authored-by: Dong-hee Na <donghee.na@python.org> | 28 July 2022, 19:30:13 UTC |
| 48b323e | Łukasz Langa | 27 July 2022, 21:43:29 UTC | [3.8] gh-94208: Add more TLS version/protocol checks for FreeBSD (GH-94347) (GH-95313) Three test cases were failing on FreeBSD with latest OpenSSL. (cherry picked from commit 1bc86c26253befa006c0f52eebb6ed633c7d1e5c) Co-authored-by: Christian Heimes <christian@python.org> | 27 July 2022, 21:43:29 UTC |
| f78733b | Łukasz Langa | 05 July 2022, 16:07:36 UTC | [3.8] gh-90355: Add isolated flag if currently isolated (GH-92857) (GH-94571) Co-authored-by: Carter Dodd <carter.dodd@gmail.com> Co-authored-by: Éric <merwok@netwok.org> Co-authored-by: Łukasz Langa <lukasz@langa.pl> (cherry picked from commit c8556bcf6c0b05ac46bd74880626a2853e7c99a1) | 05 July 2022, 16:07:36 UTC |
| bd0f2a1 | Łukasz Langa | 01 July 2022, 16:42:13 UTC | [3.8] gh-81054: Document that SimpleHTTPRequestHandler follows symbolic links (GH-94416) (GH-94495) (cherry picked from commit 80aaeabb8bd1e6b49598a7e23e0f8d99b3fcecaf) Co-authored-by: Sam Ezeh <sam.z.ezeh@gmail.com> | 01 July 2022, 16:42:13 UTC |
| 51f1ae5 | Miss Islington (bot) | 22 June 2022, 14:07:57 UTC | gh-91172: Create a workflow for verifying bundled pip and setuptools (GH-31885) (GH-94124) Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com> Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com> (cherry picked from commit d36954b7ead06daead3dcf9b0dd9f8002eab508f) Co-authored-by: Illia Volochii <illia.volochii@gmail.com> | 22 June 2022, 14:07:57 UTC |
| 4dc2cae | Miss Islington (bot) | 22 June 2022, 08:42:52 UTC | gh-87389: Fix an open redirection vulnerability in http.server. (GH-93879) (GH-94094) Fix an open redirection vulnerability in the `http.server` module when an URI path starts with `//` that could produce a 301 Location header with a misleading target. Vulnerability discovered, and logic fix proposed, by Hamza Avvan (@hamzaavvan). Test and comments authored by Gregory P. Smith [Google]. (cherry picked from commit 4abab6b603dd38bec1168e9a37c40a48ec89508e) Co-authored-by: Gregory P. Smith <greg@krypto.org> | 22 June 2022, 08:42:52 UTC |
| 5776f72 | Miss Islington (bot) | 06 June 2022, 17:10:34 UTC | gh-83728: Add hmac.new default parameter deprecation (GH-91939) (GH-93547) (cherry picked from commit 56b5daf15970be449d44e91f08db84c698ac5506) Co-authored-by: Stanley <46876382+slateny@users.noreply.github.com> | 06 June 2022, 17:10:34 UTC |
| 067c372 | Victor Stinner | 06 June 2022, 16:46:16 UTC | bpo-46114: Fix OpenSSL version check for 3.0.1 (GH-30170) (GH-92954) (cherry picked from commit 2985feac4e02d590bb78bcce9e30864be53280ac) Co-authored-by: Christian Heimes <christian@python.org> | 06 June 2022, 16:46:16 UTC |
| 6d4927a | Łukasz Langa | 24 May 2022, 09:26:25 UTC | [3.8] gh-93065: Fix HAMT to iterate correctly over 7-level deep trees (GH-93066) (#93148) Also while there, clarify a few things about why we reduce the hash to 32 bits. Co-authored-by: Eli Libman <eli@hyro.ai> Co-authored-by: Yury Selivanov <yury@edgedb.com> Co-authored-by: Łukasz Langa <lukasz@langa.pl> (cherry picked from commit c1f5c903a7e4ed27190488f4e33b00d3c3d952e5) | 24 May 2022, 09:26:25 UTC |
| 69cf020 | Erlend Egeberg Aasland | 16 May 2022, 15:39:17 UTC | [3.8] gh-80254: Disallow recursive usage of cursors in sqlite3 converters (#92333) (cherry picked from commit c908dc5b4798c311981bd7e1f7d92fb623ee448b) Co-authored-by: Sergey Fedoseev <fedoseev.sergey@gmail.com> Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com> | 16 May 2022, 15:39:17 UTC |
| 7ccdec3 | Miss Islington (bot) | 16 May 2022, 15:35:01 UTC | bpo-47194: Update zlib to v1.2.12 on Windows to resolve CVE-2018-25032 (GH-32241) (GH-32250) (cherry picked from commit 6066739ff7794e54c98c08b953a699cbc961cd28) Co-authored-by: Zachary Ware <zach@python.org> | 16 May 2022, 15:35:01 UTC |
| a5ed894 | Dong-hee Na | 12 May 2022, 15:42:22 UTC | [3.8] gh-92448: Update the documentation builder to render the GitHub… (GH-92605) (cherry picked from commit 45e1721d100bab09510ccf9da49f14ca5cc268f4) Co-authored-by: Dong-hee Na <donghee.na@python.org> | 12 May 2022, 15:42:22 UTC |
| 10bc004 | Ezio Melotti | 10 May 2022, 07:51:20 UTC | [3.8] Update Sphinx bpo role to use redirect URI. (#91892) * Update Sphinx bpo role to use redirect URI. (GH-32342) * [3.8] Update Sphinx bpo role to use redirect URI. (GH-32342). (cherry picked from commit 08cfe079503ffd19d8b7ab324f0fdb1c6b150ca8) Co-authored-by: Ezio Melotti <ezio.melotti@gmail.com> | 10 May 2022, 07:51:20 UTC |
| b3b1ff1 | Miss Islington (bot) | 10 May 2022, 07:47:04 UTC | Add redirects to Misc/NEWS bpo links (GH-91454) (#91895) (cherry picked from commit 17dbb6bc10ca8a8b602335414c047294f00afcbe) Co-authored-by: Ezio Melotti <ezio.melotti@gmail.com> Co-authored-by: Ezio Melotti <ezio.melotti@gmail.com> | 10 May 2022, 07:47:04 UTC |
| 0638941 | Ezio Melotti | 10 May 2022, 07:43:17 UTC | [3.8] gh-91888: add a `:gh:` role to the documentation (GH-91889) (#91936) * gh-91888: Add a :gh: role to the documentation (GH-91889). * [3.8] gh-91888: add a `:gh:` role to the documentation (GH-91889) * Add a new :gh:`...` role for GitHub issues. * Fix a GitHub id to use the :gh: role. * Add Misc/NEWS entry. * Refactoring and rephrasing. Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>. (cherry picked from commit f7641a2ffec243e5f600028a84debe9028a9ee44) Co-authored-by: Ezio Melotti <ezio.melotti@gmail.com> * Fix use of the default role in NEWS entry | 10 May 2022, 07:43:17 UTC |
| bf54487 | Steve Dower | 09 May 2022, 13:47:32 UTC | bpo-47138: Ensure Windows docs build uses the same pinned version as other platforms (GH-32161) (#32183) Co-authored-by: Ned Deily <nad@python.org> | 09 May 2022, 13:47:32 UTC |
| d35af52 | m-aciek | 08 April 2022, 13:06:17 UTC | [3.8] bpo-47138: Fix documentation build by pinning Jinja version to 3.0.3 (GH-32109) Co-authored-by: Ned Deily <nad@python.org> | 08 April 2022, 13:06:17 UTC |
| a43fd45 | Łukasz Langa | 16 March 2022, 13:25:55 UTC | Post 3.8.13, take two | 16 March 2022, 13:25:55 UTC |
| ea67321 | Łukasz Langa | 16 March 2022, 12:22:54 UTC | Python 3.8.13, take two This reverts commit e5f711f5eeb6db4290db1b747f42f5d723d12ed3. | 16 March 2022, 12:22:54 UTC |
| 4d8e08b | Miss Islington (bot) | 16 March 2022, 10:12:50 UTC | bpo-31327: Update time documentation to reflect possible errors (GH-31460) (GH-31827) As per the comments, this mirrors the [datetime documentation](https://docs.python.org/3/library/datetime.htmlGH-datetime.datetime.fromtimestamp). ``` >>> import time >>> time.localtime(999999999999999999999) Traceback (most recent call last): File "<stdin>", line 1, in <module> OverflowError: timestamp out of range for platform time_t >>> time.localtime(-3600) Traceback (most recent call last): File "<stdin>", line 1, in <module> OSError: [Errno 22] Invalid argument ``` (cherry picked from commit c83fc9c02c9846ec3a2d0123999c98e02f00b3f5) Co-authored-by: slateny <46876382+slateny@users.noreply.github.com> | 16 March 2022, 10:12:50 UTC |
| 2b97cfd | Miss Islington (bot) | 16 March 2022, 10:11:36 UTC | bpo-46948: Fix launcher installer build failure due to first part of fix (GH-31920) (GH-31924) (cherry picked from commit 708812085355c92f32e547d1f1d1f29aefbbc27e) Co-authored-by: Steve Dower <steve.dower@python.org> | 16 March 2022, 10:11:36 UTC |
| e5f711f | Łukasz Langa | 15 March 2022, 22:41:31 UTC | Post 3.8.13 | 15 March 2022, 22:41:31 UTC |
| f1c3816 | Łukasz Langa | 15 March 2022, 21:43:42 UTC | Python 3.8.13 | 15 March 2022, 21:43:42 UTC |
| e8b72fc | Ned Deily | 15 March 2022, 20:53:48 UTC | [3.8] bpo-47024: Update Windows builds and macOS installer build to use OpenSSL 1.1.1n. (GH-31912) * bpo-47024: Update Windows builds and macOS installer build to use OpenSSL 1.1.1n. * Revert inadvertent sqlite downgrade | 15 March 2022, 20:53:48 UTC |
| 7a315d8 | Ned Deily | 15 March 2022, 14:39:50 UTC | bpo-46985: Upgrade bundled pip to 22.0.4 (GH-31819) (GH-31851) (cherry picked from commit d87f1b787ed38dfd307d82452f2efe9dc5b93942) Co-authored-by: Pradyun Gedam <pgedam@bloomberg.net> | 15 March 2022, 14:39:50 UTC |
| dea270a | Ned Deily | 15 March 2022, 14:39:20 UTC | bpo-45405: Prevent internal configure error when running configure with recent versions of clang. (GH-28845) (GH-31889) Change the configure logic to function properly on macOS when the compiler outputs a platform triplet for option --print-multiarch. The Apple Clang included with Xcode 13.3 now supports --print-multiarch causing configure to fail without this change. Co-authored-by: Ned Deily <nad@python.org> (cherry picked from commit 9c4766772cda67648184f8ddba546a5fc0167f91) Co-authored-by: David Bohman <debohman@gmail.com> Automerge-Triggered-By: GH:ned-deily (cherry picked from commit 9901d153c201d852d27dc9d3074e283c26468f6d) Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> | 15 March 2022, 14:39:20 UTC |
| ccbc31e | Miss Islington (bot) | 08 March 2022, 09:35:47 UTC | bpo-46784: Add newly exported expat symbols to the namespace. (GH-31397) (GH-31419) The libexpat 2.4.1 upgrade from introduced the following new exported symbols: * `testingAccountingGetCountBytesDirect` * `testingAccountingGetCountBytesIndirect` * `unsignedCharToPrintable` * `XML_SetBillionLaughsAttackProtectionActivationThreshold` * `XML_SetBillionLaughsAttackProtectionMaximumAmplification` We need to adjust [Modules/expat/pyexpatns.h](https://github.com/python/cpython/blob/master/Modules/expat/pyexpatns.h) (The newer libexpat upgrade has no new symbols). Automerge-Triggered-By: GH:gpshead (cherry picked from commit 6312c1052c0186b4596fc45c42fd3ade9f8f5911) Co-authored-by: Yilei "Dolee" Yang <yileiyang@google.com> | 08 March 2022, 09:35:47 UTC |
| 28ad79e | Miss Islington (bot) | 08 March 2022, 09:35:32 UTC | Update copyright year to 2022. (GH-30335) (GH-31478) Automerge-Triggered-By: GH:benjaminp (cherry picked from commit ba00f0d93a4aea85ae8089f139856a7c450584d7) Co-authored-by: Benjamin Peterson <benjamin@python.org> | 08 March 2022, 09:35:32 UTC |
| 6649519 | Steve Dower | 08 March 2022, 09:04:59 UTC | bpo-44549: Update bzip2 to 1.0.8 in Windows builds to mitigate CVE-2016-3189 and CVE-2019-12900 (GH-31732) (GH-31734) | 08 March 2022, 09:04:59 UTC |
| cff1b78 | Steve Dower | 08 March 2022, 09:04:24 UTC | bpo-46948: Fix CVE-2022-26488 by ensuring the Windows Installer correctly uses the install path during repair (GH-31729) | 08 March 2022, 09:04:24 UTC |
| c3ec5bc | Miss Islington (bot) | 08 March 2022, 09:03:18 UTC | bpo-46932: Update bundled libexpat to 2.4.7 (GH-31736) (GH-31740) (cherry picked from commit 176835c3d5c70f4c1b152cc2062b549144e37094) Co-authored-by: Steve Dower <steve.dower@python.org> | 08 March 2022, 09:03:18 UTC |
| 1c9701a | Miss Islington (bot) | 02 March 2022, 13:50:32 UTC | bpo-46756: Fix authorization check in urllib.request (GH-31353) (GH-31572) Fix a bug in urllib.request.HTTPPasswordMgr.find_user_password() and urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which allowed to bypass authorization. For example, access to URI "example.org/foobar" was allowed if the user was authorized for URI "example.org/foo". (cherry picked from commit e2e72567a1c94c548868f6ee5329363e6036057a) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> | 02 March 2022, 13:50:32 UTC |
| eb6c840 | Miss Islington (bot) | 02 March 2022, 09:19:33 UTC | bpo-46794: Bump up the libexpat version into 2.4.6 (GH-31487) (GH-31520) (cherry picked from commit 1935e1cc284942bec8006287c939e295e1a7bf13) Co-authored-by: Dong-hee Na <donghee.na@python.org> | 02 March 2022, 09:19:33 UTC |
| 438f8cd | Łukasz Langa | 22 February 2022, 14:19:45 UTC | Don't test with OpenSSL 3.0 on 3.8 | 22 February 2022, 20:57:53 UTC |
| 899eb41 | Łukasz Langa | 22 February 2022, 10:06:36 UTC | Force use of `windows-2019` on GHA to continue using the v140 platform toolkit | 22 February 2022, 20:57:53 UTC |
| fdfd7a9 | Sebastian Pipping | 21 February 2022, 14:48:32 UTC | bpo-46811: Make test suite support Expat >=2.4.5 (GH-31453) Curly brackets were never allowed in namespace URIs according to RFC 3986, and so-called namespace-validating XML parsers have the right to reject them a invalid URIs. libexpat >=2.4.5 has become strcter in that regard due to related security issues; with ET.XML instantiating a namespace-aware parser under the hood, this test has no future in CPython. References: - https://datatracker.ietf.org/doc/html/rfc3968 - https://www.w3.org/TR/xml-names/ Also, test_minidom.py: Support Expat >=2.4.5 (cherry picked from commit 2cae93832f46b245847bdc252456ddf7742ef45e) Co-authored-by: Sebastian Pipping <sebastian@pipping.org> | 22 February 2022, 20:57:53 UTC |
| c60414d | Dong-hee Na | 21 February 2022, 15:02:38 UTC | bpo-46400: Update libexpat from 2.4.1 to 2.4.4 (GH-31022) (GH-31297) Co-authored-by: Cyril Jouve <jv.cyril@gmail.com> | 21 February 2022, 15:02:38 UTC |
| 4c48cac | Miss Islington (bot) | 17 February 2022, 18:55:23 UTC | bpo-41028: Doc: Move switchers to docsbuild-scripts. (GH-20969) (GH-30344) (cherry picked from commit ee2549c2ba8bae00f2b2fea8a39c6dfbd1d06520) Co-authored-by: Julien Palard <julien@palard.fr> | 17 February 2022, 18:55:23 UTC |
| b1bc04d | Miss Islington (bot) | 17 February 2022, 08:32:03 UTC | bpo-44949: Fix test_readline auto history tests (GH-27813) (GH-31118) (cherry picked from commit 6fb62b42f4db56ed5efe0ca4c1059049276c1083) Co-authored-by: Victor Stinner <vstinner@python.org> | 17 February 2022, 08:32:03 UTC |
| 8a84aef | Jason R. Coombs | 14 February 2022, 17:56:03 UTC | [3.8] bpo-46474: Avoid REDoS in EntryPoint.pattern (sync with importlib_metadata 4.10.1) (GH-30803). (#30829) (cherry picked from commit 51c3e28c8a163e58dc753765e3cc51d5a717e70d) Co-authored-by: Jason R. Coombs <jaraco@jaraco.com> | 14 February 2022, 17:56:03 UTC |
| f87e616 | Miss Islington (bot) | 08 February 2022, 09:52:39 UTC | bpo-46648: Skip test_urllib2.test_issue16464() (GH-31161) (GH-31173) POST requests to http://www.example.com/ fail randomly. (cherry picked from commit 1578de2fcd685c71f9c84e09bac32901dea192c1) Co-authored-by: Victor Stinner <vstinner@python.org> | 08 February 2022, 09:52:39 UTC |
| 7c5b01b | Miss Islington (bot) | 11 December 2021, 00:02:00 UTC | bpo-45859: Mark test_field_descriptor in test_collections as CPython-only (GH-29691) (GH-29710) (cherry picked from commit 4fad314246399b69ef0c57ba8527d9efade99069) Co-authored-by: Carl Friedrich Bolz-Tereick <cfbolz@gmx.de> | 11 December 2021, 00:02:00 UTC |
| c37a0d9 | Miss Islington (bot) | 16 November 2021, 09:56:56 UTC | bpo-45792: Fix contextvar.Token's intersphinx FQN (GH-29533) (GH-29537) Since `.. module:: contextvars` sets the module using `.. class:: contextvars.Token`, intersphinx records it as `contextvars.contextvars.Token`. (cherry picked from commit e501d70b347c5093018d12482c30a7a98aab86d0) Co-authored-by: Hynek Schlawack <hs@ox.cx> | 16 November 2021, 09:56:56 UTC |
| 10b0c67 | Ned Deily | 04 November 2021, 20:21:25 UTC | bpo-44828: Avoid leaving a zombie Save panel (GH-29372) Patch by Marc Culler of the Tk project. | 04 November 2021, 20:21:25 UTC |
| 76658e5 | Miss Islington (bot) | 28 October 2021, 20:02:07 UTC | bpo-45583: Correct datamodel documentation of int() (GH-29182) (GH-29287) It should be noted that this part of the documentation is redundant with function.rst's documentation of int. This one was correctly updated with Python 3.8. (cherry picked from commit d9c1868c25ec6466e8d8ae21fe9315a8a03836ab) Co-authored-by: Arthur Milchior <arthur@milchior.fr> | 28 October 2021, 20:02:07 UTC |
| f19c1a1 | Miss Islington (bot) | 28 October 2021, 19:10:15 UTC | bpo-44828: Avoid tkinter file dialog failure on macOS 12 Monterey (GH-29276) (GH-29279) when using the Tk 8.6.11 provided by python.org macOS installers. Patch by Marc Culler of the Tk project. (cherry picked from commit be8318be05e1a874215fa75b8845ede74b2c69b6) Co-authored-by: Ned Deily <nad@python.org> | 28 October 2021, 19:10:15 UTC |
| f240714 | Ned Deily | 28 October 2021, 19:08:42 UTC | [3.9] bpo-45618: Fix documentation build by pinning Docutils version to 0.17.1 (GH-29230) (GH-29241) (GH-29245) Co-authored-by: Maciej Olko <maciej.olko@yougov.com> Co-authored-by: Erlend Egeberg Aasland <erlend.aasland@innova.no> | 28 October 2021, 19:08:42 UTC |
| 2ce3816 | Miss Islington (bot) | 20 October 2021, 14:08:43 UTC | bpo-45436: Fix tkinter tests with Tcl/Tk 8.6.11+ (GH-29077) (GH-29093) Since v8.6.11, a few configuration options seem to accept an empty value where they did not previously; particularly the `type` of a `Menu` widget, and the `compound` of any ttk widget with a label. Providing an explicit expected error message to `checkEnumParam` bypasses the check of an empty value, which no longer raises `TclError`. (cherry picked from commit 4fe454c6f54b0948af67b53af6c2f35af6377e69) Co-authored-by: Zachary Ware <zach@python.org> | 20 October 2021, 14:08:43 UTC |
| 67e10be | Miss Islington (bot) | 19 October 2021, 19:15:29 UTC | bpo-44849: Fix os.set_inheritable() on FreeBSD 14 with O_PATH (GH-27623) (GH-28978) Fix the os.set_inheritable() function on FreeBSD 14 for file descriptor opened with the O_PATH flag: ignore the EBADF error on ioctl(), fallback on the fcntl() implementation. (cherry picked from commit c24896c0e3b32c8a9f614ef51366007b67d5c665) Co-authored-by: Victor Stinner <vstinner@python.org> | 19 October 2021, 19:15:29 UTC |
| 7f70ba3 | Victor Stinner | 19 October 2021, 19:15:06 UTC | bpo-45310: Fix parrallel shared memory tests (GH-28661) (GH-28979) Add a PID to names of POSIX shared memory objects to allow running multiprocessing tests (test_multiprocessing_fork, test_multiprocessing_spawn, etc) in parallel. (cherry picked from commit eb4495e8e275c83d691add116c4f2b74e73e3cc8) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> | 19 October 2021, 19:15:06 UTC |
| 1d8cb01 | Miss Islington (bot) | 19 October 2021, 19:14:36 UTC | bpo-45195: Fix test_readline.test_nonascii() (GH-28329) (GH-28984) Fix test_readline.test_nonascii(): sometimes, the newline character is not written at the end, so don't expect it in the output. (cherry picked from commit 797c8eb9ef511f0c25f10a453b35c4d2fe383c30) Co-authored-by: Victor Stinner <vstinner@python.org> | 19 October 2021, 19:14:36 UTC |
| 90004fc | Miss Islington (bot) | 29 September 2021, 14:35:53 UTC | [3.8] bpo-44394: Ensure libexpat is linked against libm (GH-28617) (GH-28620) (cherry picked from commit 6c1154b9de29e1c9cd3d05f5289543e5cff73895) Co-authored-by: Pablo Galindo Salgado <Pablogsal@gmail.com> Co-authored-by: Łukasz Langa <lukasz@langa.pl> | 29 September 2021, 14:35:53 UTC |
| 456d6d9 | Miss Islington (bot) | 29 September 2021, 13:54:47 UTC | bpo-45220: Avoid automatically selecting the Windows 11 SDK preview when building (GH-28393) (GH-28622) (cherry picked from commit f4b94b1f57827083990272b5f282aa1493ae2bf4) Co-authored-by: Steve Dower <steve.dower@python.org> | 29 September 2021, 13:54:47 UTC |
| 8344fef | Miss Islington (bot) | 23 September 2021, 21:39:26 UTC | [docs] Update documentation for `multiprocessing.get_start_method` (GH-18170) (GH-28535) (cherry picked from commit af90b5498b8c6acd67b50fdad007d26dfd1c5823) Co-authored-by: Sam Sneddon <me@gsnedders.com> | 23 September 2021, 21:39:26 UTC |
| 5a42a49 | Miss Islington (bot) | 07 September 2021, 16:21:23 UTC | bpo-45104: Clarify when __init__ is called (GH-28210) (GH-28213) (cherry picked from commit fa15df77f02ba4a66ba0b71989381a426038be01) Co-authored-by: Raymond Hettinger <rhettinger@users.noreply.github.com> | 07 September 2021, 16:21:23 UTC |
| 8c3a10e | Steve Dower | 03 September 2021, 16:53:12 UTC | bpo-45022: Pin current libffi build to fixed version in preparation for upcoming update (GH-27982) (GH-28001) Also improve the build script for libffi, which is not used as part of the regular build. (cherry picked from commit 969ae7f7356584e30667b4e490ffa2ffa1810429) Co-authored-by: Steve Dower <steve.dower@python.org> | 03 September 2021, 16:53:12 UTC |
