| 376d66e | Łukasz Langa | 24 August 2023, 17:51:41 UTC | Python 3.9.18 | 24 August 2023, 17:59:28 UTC |
| 92f9ce7 | Łukasz Langa | 24 August 2023, 17:44:27 UTC | Fix invalid string escape | 24 August 2023, 17:44:27 UTC |
| d2cd0a3 | Łukasz Langa | 24 August 2023, 10:09:11 UTC | [3.9] gh-108342: Make ssl TestPreHandshakeClose more reliable (GH-108370) (#108407) * In preauth tests of test_ssl, explicitly break reference cycles invoving SingleConnectionTestServerThread to make sure that the thread is deleted. Otherwise, the test marks the environment as altered because the threading module sees a "dangling thread" (SingleConnectionTestServerThread). This test leak was introduced by the test added for the fix of issue gh-108310. * Use support.SHORT_TIMEOUT instead of hardcoded 1.0 or 2.0 seconds timeout. * SingleConnectionTestServerThread.run() catchs TimeoutError * Fix a race condition (missing synchronization) in test_preauth_data_to_tls_client(): the server now waits until the client connect() completed in call_after_accept(). * test_https_client_non_tls_response_ignored() calls server.join() explicitly. * Replace "localhost" with server.listener.getsockname()[0]. (cherry picked from commit 592bacb6fc0833336c0453e818e9b95016e9fd47) Co-authored-by: Victor Stinner <vstinner@python.org> | 24 August 2023, 10:09:11 UTC |
| b8058b3 | Miss Islington (bot) | 23 August 2023, 10:10:49 UTC | [3.9] gh-108342: Break ref cycle in SSLSocket._create() exc (GH-108344) (#108351) Explicitly break a reference cycle when SSLSocket._create() raises an exception. Clear the variable storing the exception, since the exception traceback contains the variables and so creates a reference cycle. This test leak was introduced by the test added for the fix of GH-108310. (cherry picked from commit 64f99350351bc46e016b2286f36ba7cd669b79e3) Co-authored-by: Victor Stinner <vstinner@python.org> | 23 August 2023, 10:10:49 UTC |
| d31ae21 | Ned Deily | 22 August 2023, 18:28:57 UTC | [3.9] gh-107565: Update multissltests and GitHub CI workflows to use OpenSSL 1.1.1v, 3.0.10, and 3.1.2. (#108123) [3.9] gh-107565: Update multissltests and GitHub CI workflows to use OpenSSL 1.1.1v, 3.0.10, and 3.1.2. (cherry picked from commit 441797d4ffb12acda257370b9e5e19ed8d6e8a71) | 22 August 2023, 18:28:57 UTC |
| 42deeab | Petr Viktorin | 22 August 2023, 18:28:10 UTC | [3.9] gh-107845: Fix symlink handling for tarfile.data_filter (GH-107846) (#108274) (cherry picked from commit acbd3f9c5c5f23e95267714e41236140d84fe962) Co-authored-by: Petr Viktorin <encukou@gmail.com> Co-authored-by: Victor Stinner <vstinner@python.org> Co-authored-by: Lumír 'Frenzy' Balhar <frenzy.madness@gmail.com> | 22 August 2023, 18:28:10 UTC |
| 4a79328 | Serhiy Storchaka | 22 August 2023, 18:25:15 UTC | [3.9] gh-99612: Fix PyUnicode_DecodeUTF8Stateful() for ASCII-only data (GH-99613) (GH-107224) (#107231) Previously *consumed was not set in this case. (cherry picked from commit f08e52ccb027f6f703302b8c1a82db9fd3934270). (cherry picked from commit b8b3e6afc0a48c3cbb7c36d2f73e332edcd6058c) | 22 August 2023, 18:25:15 UTC |
| 264b1da | Łukasz Langa | 22 August 2023, 17:57:10 UTC | [3.9] gh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-close flaw (#108320) gh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-close flaw Instances of `ssl.SSLSocket` were vulnerable to a bypass of the TLS handshake and included protections (like certificate verification) and treating sent unencrypted data as if it were post-handshake TLS encrypted data. The vulnerability is caused when a socket is connected, data is sent by the malicious peer and stored in a buffer, and then the malicious peer closes the socket within a small timing window before the other peers’ TLS handshake can begin. After this sequence of events the closed socket will not immediately attempt a TLS handshake due to not being connected but will also allow the buffered data to be read as if a successful TLS handshake had occurred. Co-authored-by: Gregory P. Smith [Google LLC] <greg@krypto.org> | 22 August 2023, 17:57:10 UTC |
| 38b489b | Erlend E. Aasland | 05 July 2023, 11:20:44 UTC | [3.9] CI: Bump macOS build to use OpenSSL v3.0 (GH-105538) (#105871) (cherry picked from commit 34e93d3998bab8acd651c50724eb1977f4860a08) Co-authored-by: Erlend E. Aasland <erlend.aasland@protonmail.com> | 05 July 2023, 11:20:44 UTC |
| ce93371 | Miss Islington (bot) | 05 July 2023, 11:18:49 UTC | [3.9] [3.11] Add single value `agen.athrow(value)` signature to the 3.11 docs gh-105269 (GH-105468) (#105477) (cherry picked from commit acf3916e84158308660ed07c474a564e045d6884) Co-authored-by: Federico Caselli <CaselIT@users.noreply.github.com> | 05 July 2023, 11:18:49 UTC |
| 1528b42 | Łukasz Langa | 06 June 2023, 12:17:01 UTC | Post 3.9.17 | 06 June 2023, 12:17:01 UTC |
| 0d3cd4e | Łukasz Langa | 06 June 2023, 09:32:53 UTC | Python 3.9.17 | 06 June 2023, 09:32:53 UTC |
| e1c396d | Miss Islington (bot) | 05 June 2023, 15:42:16 UTC | [3.9] gh-105184: document that marshal functions can fail and need to be checked with PyErr_Occurred (GH-105185) (#105221) (cherry picked from commit ee26ca13a129da8cf549409d0a1b2e892ff2b4ec) Co-authored-by: Irit Katriel <1055913+iritkatriel@users.noreply.github.com> | 05 June 2023, 15:42:16 UTC |
| e15de14 | Gregory P. Smith | 05 June 2023, 15:41:51 UTC | [3.9] gh-103142: Upgrade binary builds and CI to OpenSSL 1.1.1u (GH-105174) (GH-105200) (#105205) Upgrade builds to OpenSSL 1.1.1u. Also updates _ssl_data_111.h from OpenSSL 1.1.1u, _ssl_data_300.h from 3.0.9. Manual edits to the _ssl_data_300.h file prevent it from removing any existing definitions in case those exist in some peoples builds and were important (avoiding regressions during backporting). (cherry picked from commit ede89af) Co-authored-by: Ned Deily <nad@python.org> | 05 June 2023, 15:41:51 UTC |
| c9bf00b | Ned Deily | 05 June 2023, 06:23:32 UTC | [3.9] Update GitHub CI workflow for macOS. (GH-105303) | 05 June 2023, 06:23:32 UTC |
| 89507d5 | Ned Deily | 05 June 2023, 03:56:15 UTC | [3.9] gh-68966: fix versionchanged in docs (GH-105298) | 05 June 2023, 03:56:15 UTC |
| d7f8a5f | Miss Islington (bot) | 22 May 2023, 10:42:37 UTC | [3.9] gh-102153: Start stripping C0 control and space chars in `urlsplit` (GH-102508) (GH-104575) (GH-104592) (#104593) gh-102153: Start stripping C0 control and space chars in `urlsplit` (GH-102508) `urllib.parse.urlsplit` has already been respecting the WHATWG spec a bit GH-25595. This adds more sanitizing to respect the "Remove any leading C0 control or space from input" [rule](https://url.spec.whatwg.org/GH-url-parsing:~:text=Remove%20any%20leading%20and%20trailing%20C0%20control%20or%20space%20from%20input.) in response to [CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329). I simplified the docs by eliding the state of the world explanatory paragraph in this security release only backport. (people will see that in the mainline /3/ docs) (cherry picked from commit 2f630e1ce18ad2e07428296532a68b11dc66ad10) (cherry picked from commit 610cc0ab1b760b2abaac92bd256b96191c46b941) (cherry picked from commit f48a96a28012d28ae37a2f4587a780a5eb779946) Co-authored-by: Illia Volochii <illia.volochii@gmail.com> Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org> | 22 May 2023, 10:42:37 UTC |
| 3d5dd1e | Miss Islington (bot) | 22 May 2023, 10:41:30 UTC | [3.9] gh-99889: Fix directory traversal security flaw in uu.decode() (GH-104096) (#104331) (cherry picked from commit 0aeda297931820436a50b78f4f7f0597274b5df4) Co-authored-by: Sam Carroll <70000253+samcarroll42@users.noreply.github.com> | 22 May 2023, 10:41:30 UTC |
| b53d0ff | Miss Islington (bot) | 22 May 2023, 10:40:50 UTC | [3.9] gh-104049: do not expose on-disk location from SimpleHTTPRequestHandler (GH-104067) (#104120) Do not expose the local server's on-disk location from `SimpleHTTPRequestHandler` when generating a directory index. (unnecessary information disclosure) (cherry picked from commit c7c3a60c88de61a79ded9fdaf6bc6a29da4efb9a) Co-authored-by: Ethan Furman <ethan@stoneleaf.us> Co-authored-by: Gregory P. Smith <greg@krypto.org> Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com> | 22 May 2023, 10:40:50 UTC |
| d1645ce | Steve Dower | 22 May 2023, 10:40:30 UTC | [3.9] gh-103935: Use `io.open_code()` when executing code in trace and profile modules (GH-103947) (#103953) Co-authored-by: Tian Gao <gaogaotiantian@hotmail.com> | 22 May 2023, 10:40:30 UTC |
| 98016f7 | Petr Viktorin | 15 May 2023, 16:53:58 UTC | [3.9] gh-102950: Implement PEP 706 – Filter for tarfile.extractall (GH-102953) (#104382) Backport of c8c3956d905e019101038b018129a4c90c9c9b8f | 15 May 2023, 16:53:58 UTC |
| 7cb3a44 | Kumar Aditya | 28 March 2023, 08:55:36 UTC | [3.9] GH-102126: fix deadlock at shutdown when clearing thread states (GH-102222) (#102236) (cherry picked from commit 5f11478ce7fda826d399530af4c5ca96c592f144) | 28 March 2023, 08:55:36 UTC |
| b5a9430 | Pradyun Gedam | 28 March 2023, 08:52:56 UTC | [3.9] gh-101997: Update bundled pip version to 23.0.1 (GH-101998). (#102243) (cherry picked from commit 89d9ff0f48c51a85920c7372a7df4a2204e32ea5) | 28 March 2023, 08:52:56 UTC |
| cb0b009 | Miss Islington (bot) | 13 March 2023, 23:28:36 UTC | [3.9] gh-102627: Replace address pointing toward malicious web page (GH-102630) (GH-102666) (cherry picked from commit 61479d46848bc7a7f9b571b0b09c4a4b4436d839) Co-authored-by: Blind4Basics <32236948+Blind4Basics@users.noreply.github.com> Co-authored-by: C.A.M. Gerlach <CAM.Gerlach@Gerlach.CAM> Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com> | 13 March 2023, 23:28:36 UTC |
| bf99e19 | Steve Dower | 07 March 2023, 23:01:22 UTC | [3.9] gh-101726: Update the OpenSSL version to 1.1.1t (GH-101727) (GH-101751) Fixes CVE-2023-0286 (High) and a couple of Medium security issues. https://www.openssl.org/news/secadv/20230207.txt Co-authored-by: Gregory P. Smith <greg@krypto.org> Co-authored-by: Ned Deily <nad@python.org> | 07 March 2023, 23:01:22 UTC |
| c25b484 | Dong-hee Na | 21 February 2023, 16:33:23 UTC | [3.9] gh-101981: Fix Ubuntu SSL tests with OpenSSL (3.1.0-beta1) CI i… (#102094) [3.9] gh-101981: Fix Ubuntu SSL tests with OpenSSL (3.1.0-beta1) CI issue (gh-102079) | 21 February 2023, 16:33:23 UTC |
| 04cc427 | Miss Islington (bot) | 09 February 2023, 09:59:40 UTC | [3.9] gh-101283: Improved fallback logic for subprocess with shell=True on Windows (GH-101286) (#101709) Co-authored-by: Oleg Iarygin <oleg@arhadthedev.net> Co-authored-by: Steve Dower <steve.dower@microsoft.com> | 09 February 2023, 09:59:40 UTC |
| c33aaa9 | Miss Islington (bot) | 30 January 2023, 18:21:08 UTC | gh-101422: (docs) TarFile default errorlevel argument is 1, not 0 (GH-101424) (cherry picked from commit ea232716d3de1675478db3a302629ba43194c967) Co-authored-by: Owain Davies <116417456+OTheDev@users.noreply.github.com> | 30 January 2023, 18:21:08 UTC |
| 044fb4f | Miss Islington (bot) | 21 January 2023, 19:38:52 UTC | [3.9] Bump Azure Pipelines to ubuntu-22.04 (GH-101089) (#101214) (cherry picked from commit c22a55c8b4f142ff679880ec954691d5920b7845) Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com> | 21 January 2023, 19:38:52 UTC |
| fcfa505 | Steve Dower | 20 January 2023, 22:22:50 UTC | [3.9] gh-100180: Update Windows installer to OpenSSL 1.1.1s (GH-100903) (#100904) | 20 January 2023, 22:22:50 UTC |
| 6954203 | Kumar Aditya | 20 January 2023, 22:21:40 UTC | [3.9] GH-100892: Fix race in clearing `threading.local` (GH-100922) (#100939) [3.9] [3.10] GH-100892: Fix race in clearing `threading.local` (GH-100922). (cherry picked from commit 762745a124cbc297cf2fe6f3ec9ca1840bb2e873) Co-authored-by: Kumar Aditya <59607654+kumaraditya303@users.noreply.github.com>. (cherry picked from commit 683e9fe30ecd024f5508b2a33316752870100a96) Co-authored-by: Kumar Aditya <59607654+kumaraditya303@users.noreply.github.com> | 20 January 2023, 22:21:40 UTC |
| 6be2e0e | Éric | 20 January 2023, 22:21:00 UTC | [3.9] gh-95778: add doc missing in some places (GH-100627). (#101066) (cherry picked from commit 46521826cb1883e29e4640f94089dd92c57efc5b) Co-authored-by: Éric <earaujo@caravan.coop> | 20 January 2023, 22:21:00 UTC |
| cf71e19 | Gregory P. Smith | 20 January 2023, 22:20:32 UTC | [3.9] Correct CVE-2020-10735 documentation (GH-100306). (#100697) (cherry picked from commit 1cf3d78c92eb07dc09d15cc2e773b0b1b9436825) (cherry picked from commit 88fe8d701af3316c8869ea18ea1c7acec6f68c04) Co-authored-by: Jeremy Paige <ucodery@gmail.com> Co-authored-by: Gregory P. Smith <greg@krypto.org> | 20 January 2023, 22:20:32 UTC |
| 5ef90ee | Miss Islington (bot) | 09 January 2023, 03:11:49 UTC | [3.9] Update copyright year in README (GH-100863) (GH-100865) (GH-100866) (cherry picked from commit 30a6cc418a60fccb91ba574b552203425e594c47) Co-authored-by: Ned Deily <nad@python.org> Co-authored-by: HARSHA VARDHAN <75431678+Thunder-007@users.noreply.github.com> | 09 January 2023, 03:11:49 UTC |
| 08210c6 | Benjamin Peterson | 08 January 2023, 23:00:10 UTC | [3.9] Update copyright years to 2023. (gh-100851) * [3.9] Update copyright years to 2023. (gh-100848). (cherry picked from commit 11f99323c2ae0ec428c370a335695e3d8d4afc1d) Co-authored-by: Benjamin Peterson <benjamin@python.org> * Update additional copyright years to 2023. Co-authored-by: Ned Deily <nad@python.org> | 08 January 2023, 23:00:10 UTC |
| e8f61ed | Miss Islington (bot) | 20 December 2022, 11:57:08 UTC | Clarify that every thread has its own default context in contextvars (GH-99246) (cherry picked from commit cb60b6131bc2bb11c48a15f808914d8b242b9fc5) Co-authored-by: Pablo Galindo Salgado <Pablogsal@gmail.com> | 20 December 2022, 11:57:08 UTC |
| db577e2 | Łukasz Langa | 06 December 2022, 18:50:26 UTC | Post 3.9.16 | 06 December 2022, 18:50:26 UTC |
| 595f9cc | Łukasz Langa | 06 December 2022, 17:59:46 UTC | Python 3.9.16 | 06 December 2022, 17:59:46 UTC |
| 3b81c13 | Miss Islington (bot) | 06 December 2022, 10:22:12 UTC | [3.9] gh-100001: Omit control characters in http.server stderr logs. (GH-100002) (#100032) * gh-100001: Omit control characters in http.server stderr logs. (GH-100002) Replace control characters in http.server.BaseHTTPRequestHandler.log_message with an escaped \xHH sequence to avoid causing problems for the terminal the output is printed to. (cherry picked from commit d8ab0a4dfa48f881b4ac9ab857d2e9de42f72828) Co-authored-by: Gregory P. Smith <greg@krypto.org> * also escape \s (backport of PR #100038). * add versionadded and remove extra 'to' Co-authored-by: Gregory P. Smith <greg@krypto.org> | 06 December 2022, 10:22:12 UTC |
| 7b98207 | Steve Dower | 21 November 2022, 18:13:33 UTC | [3.9] gh-87604: Avoid publishing list of active per-interpreter audit hooks via the gc module (GH-99373) (GH-99493) | 21 November 2022, 18:13:33 UTC |
| c09dba5 | Miss Islington (bot) | 10 November 2022, 15:57:41 UTC | [3.9] gh-98433: Fix quadratic time idna decoding. (GH-99092) (GH-99222) (#99230) There was an unnecessary quadratic loop in idna decoding. This restores the behavior to linear. (cherry picked from commit d315722564927c7202dd6e111dc79eaf14240b0d) (cherry picked from commit a6f6c3a3d6f2b580f2d87885c9b8a9350ad7bf15) Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> Co-authored-by: Gregory P. Smith <greg@krypto.org> | 10 November 2022, 15:57:41 UTC |
| b43496c | Miss Islington (bot) | 28 October 2022, 10:08:30 UTC | [3.9] gh-97514: Don't use Linux abstract sockets for multiprocessing (GH-98501) (#98504) Linux abstract sockets are insecure as they lack any form of filesystem permissions so their use allows anyone on the system to inject code into the process. This removes the default preference for abstract sockets in multiprocessing introduced in Python 3.9+ via https://github.com/python/cpython/pull/18866 while fixing https://github.com/python/cpython/issues/84031. Explicit use of an abstract socket by a user now generates a RuntimeWarning. If we choose to keep this warning, it should be backported to the 3.7 and 3.8 branches. (cherry picked from commit 49f61068f49747164988ffc5a442d2a63874fc17) Co-authored-by: Gregory P. Smith <greg@krypto.org> | 28 October 2022, 10:08:30 UTC |
| 857efee | Miss Islington (bot) | 28 October 2022, 10:08:06 UTC | [3.9] gh-98517: Fix buffer overflows in _sha3 module (GH-98519) (#98526) This is a port of the applicable part of XKCP's fix [1] for CVE-2022-37454 and avoids the segmentation fault and the infinite loop in the test cases published in [2]. [1]: https://github.com/XKCP/XKCP/commit/fdc6fef075f4e81d6b1bc38364248975e08e340a [2]: https://mouha.be/sha-3-buffer-overflow/ Regression test added by: Gregory P. Smith [Google LLC] <greg@krypto.org> (cherry picked from commit 0e4e058602d93b88256ff90bbef501ba20be9dd3) Co-authored-by: Theo Buehler <botovq@users.noreply.github.com> | 28 October 2022, 10:08:06 UTC |
| 71a075a | Miss Islington (bot) | 28 October 2022, 10:07:32 UTC | [3.9] gh-98739: Update libexpat from 2.4.9 to 2.5.0 (GH-98742) (#98786) Update libexpat from 2.4.9 to 2.5.0 to address CVE-2022-43680. Co-authored-by: Shaun Walbridge <shaun.walbridge@gmail.com> (cherry picked from commit 3e07f827b359617664ad0880f218f17ae4483299) | 28 October 2022, 10:07:32 UTC |
| 157a8b8 | Miss Islington (bot) | 11 October 2022, 21:13:54 UTC | [3.9] gh-96710: Make the test timing more lenient for the int/str DoS regression test. (GH-96717) (#98196) gh-96710: Make the test timing more lenient for the int/str DoS regression test. (GH-96717) A regression would still absolutely fail and even a flaky pass isn't harmful as it'd fail most of the time across our N system test runs. Windows has a low resolution timer and CI systems are prone to odd timing so this just gives more leeway to avoid flakiness. (cherry picked from commit 11e3548fd1d3445ccde971d613633b58d73c3016) Co-authored-by: Gregory P. Smith <greg@krypto.org> | 11 October 2022, 21:13:54 UTC |
| c59a16e | Miss Islington (bot) | 11 October 2022, 21:13:18 UTC | [3.9] gh-68966: Make mailcap refuse to match unsafe filenames/types/params (GH-91993) (#98190) gh-68966: Make mailcap refuse to match unsafe filenames/types/params (GH-91993) (cherry picked from commit b9509ba7a9c668b984dab876c7926fe1dc5aa0ba) Co-authored-by: Petr Viktorin <encukou@gmail.com> | 11 October 2022, 21:13:18 UTC |
| bd4e532 | Łukasz Langa | 11 October 2022, 15:38:29 UTC | Post 3.9.15 | 11 October 2022, 15:38:29 UTC |
| 7e28154 | Łukasz Langa | 11 October 2022, 14:48:37 UTC | Python 3.9.15 | 11 October 2022, 14:48:37 UTC |
| 1db2d95 | Miss Islington (bot) | 07 October 2022, 20:53:39 UTC | [3.9] gh-91708: Revert params note in urllib.parse.urlparse table (GH-96699) (#98054) Revert params note in urllib.parse.urlparse table (cherry picked from commit eed80458e8e776d15fa862da71dcce58c47e2ca7) Co-authored-by: Stanley <46876382+slateny@users.noreply.github.com> | 07 October 2022, 20:53:39 UTC |
| da1fe38 | Łukasz Langa | 07 October 2022, 18:49:28 UTC | [3.9] gh-94208: Add even more TLS version/protocol checks for FreeBSD (#98037) Otherwise, buildbot builds would fail since there's no TLS 1.0/1.1 support. | 07 October 2022, 18:49:28 UTC |
| 77796d0 | Miss Islington (bot) | 06 October 2022, 19:14:32 UTC | [3.9] gh-97897: Prevent os.mkfifo and os.mknod segfaults with macOS 13 SDK (GH-97944) (#97968) The macOS 13 SDK includes support for the `mkfifoat` and `mknodat` system calls. Using the `dir_fd` option with either `os.mkfifo` or `os.mknod` could result in a segfault if cpython is built with the macOS 13 SDK but run on an earlier version of macOS. Prevent this by adding runtime support for detection of these system calls ("weaklinking") as is done for other newer syscalls on macOS. (cherry picked from commit 6d0a0191a4e5477bd843e62c24d7f3bcad4fd5fc) Co-authored-by: Ned Deily <nad@python.org> | 06 October 2022, 19:14:32 UTC |
| 358b7a4 | Miss Islington (bot) | 04 October 2022, 18:57:34 UTC | [3.9] gh-96848: Fix -X int_max_str_digits option parsing (GH-96988) (GH-97574) gh-96848: Fix -X int_max_str_digits option parsing (GH-96988) Fix command line parsing: reject "-X int_max_str_digits" option with no value (invalid) when the PYTHONINTMAXSTRDIGITS environment variable is set to a valid limit. (cherry picked from commit 41351662bcd21672d8ccfa62fe44d72027e6bcf8) Co-authored-by: Victor Stinner <vstinner@python.org> | 04 October 2022, 18:57:34 UTC |
| 938223e | Miss Islington (bot) | 04 October 2022, 17:06:17 UTC | [3.9] gh-96577: Fixes buffer overrun in _msi module (GH-96633) (GH-96657) gh-96577: Fixes buffer overrun in _msi module (GH-96633) (cherry picked from commit 4114bcc9ef7595a07196bcecf9c7d6d39f57f64d) Co-authored-by: Steve Dower <steve.dower@python.org> | 04 October 2022, 17:06:17 UTC |
| 4118813 | Victor Stinner | 04 October 2022, 17:05:45 UTC | [3.9] gh-95778: Mention sys.set_int_max_str_digits() in error message (#96874) (#96877) When ValueError is raised if an integer is larger than the limit, mention sys.set_int_max_str_digits() in the error message. (cherry picked from commit e841ffc915e82e5ea6e3b473205417d63494808d) Co-authored-by: Ned Deily <nad@python.org> | 04 October 2022, 17:05:45 UTC |
| 9b409e4 | Miss Islington (bot) | 04 October 2022, 17:04:33 UTC | [3.9] gh-97005: Update libexpat from 2.4.7 to 2.4.9 (gh-97006) (gh-97012) gh-97005: Update libexpat from 2.4.7 to 2.4.9 (gh-97006) Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org> (cherry picked from commit 10e3d398c31cc1695752fc52bc6ca2ce9ef6237e) Co-authored-by: Dong-hee Na <donghee.na@python.org> Co-authored-by: Ned Deily <nad@python.org> | 04 October 2022, 17:04:33 UTC |
| f65f3a9 | Miss Islington (bot) | 04 October 2022, 17:01:10 UTC | [3.9] gh-97616: list_resize() checks for integer overflow (GH-97617) (GH-97627) gh-97616: list_resize() checks for integer overflow (GH-97617) Fix multiplying a list by an integer (list *= int): detect the integer overflow when the new allocated length is close to the maximum size. Issue reported by Jordan Limor. list_resize() now checks for integer overflow before multiplying the new allocated length by the list item size (sizeof(PyObject*)). (cherry picked from commit a5f092f3c469b674b8d9ccbd4e4377230c9ac7cf) Co-authored-by: Victor Stinner <vstinner@python.org> | 04 October 2022, 17:01:10 UTC |
| d6ef680 | Miss Islington (bot) | 04 October 2022, 17:00:16 UTC | [3.9] gh-97612: Fix shell injection in get-remote-certificate.py (GH-97613) (GH-97632) gh-97612: Fix shell injection in get-remote-certificate.py (GH-97613) Fix a shell code injection vulnerability in the get-remote-certificate.py example script. The script no longer uses a shell to run "openssl" commands. Issue reported and initial fix by Caleb Shortt. Remove the Windows code path to send "quit" on stdin to the "openssl s_client" command: use DEVNULL on all platforms instead. Co-authored-by: Caleb Shortt <caleb@rgauge.com> (cherry picked from commit 83a0f44ffd8b398673ae56c310cf5768d359c341) Co-authored-by: Victor Stinner <vstinner@python.org> | 04 October 2022, 17:00:16 UTC |
| 94dbdbb | Miss Islington (bot) | 04 October 2022, 16:59:07 UTC | [3.9] gh-87597: Document TimeoutExpired.stdout & .stderr types (GH-97685) (GH-97688) This documents the behavior that has always been the case since timeout support was introduced in Python 3.3. (cherry picked from commit b05dd796492160c37c9e15e3882f699f411b3461) Co-authored-by: Gregory P. Smith <greg@krypto.org> | 04 October 2022, 16:59:07 UTC |
| 71eddde | Jason R. Coombs | 04 October 2022, 16:58:34 UTC | [3.9] gh-96845: Fix docs around importlib.abc.Traversable (GH-97515) (GH-97761) Co-authored-by: Jason R. Coombs <jaraco@jaraco.com> | 04 October 2022, 16:58:34 UTC |
| ac3d79c | Dong-hee Na | 24 September 2022, 19:31:12 UTC | gh-97032: Set tkinter path for macOS CI (GH-97525) | 24 September 2022, 19:31:12 UTC |
| 8388626 | Łukasz Langa | 06 September 2022, 18:47:37 UTC | Post 3.9.14 | 06 September 2022, 18:47:37 UTC |
| 816066f | Łukasz Langa | 06 September 2022, 17:23:34 UTC | Python 3.9.14 | 06 September 2022, 17:26:16 UTC |
| cec1e9d | Gregory P. Smith | 05 September 2022, 09:21:03 UTC | [3.9] gh-95778: CVE-2020-10735: Prevent DoS by very large int() (#96502) * Correctly pre-check for int-to-str conversion (#96537) Converting a large enough `int` to a decimal string raises `ValueError` as expected. However, the raise comes _after_ the quadratic-time base-conversion algorithm has run to completion. For effective DOS prevention, we need some kind of check before entering the quadratic-time loop. Oops! =) The quick fix: essentially we catch _most_ values that exceed the threshold up front. Those that slip through will still be on the small side (read: sufficiently fast), and will get caught by the existing check so that the limit remains exact. The justification for the current check. The C code check is: ```c max_str_digits / (3 * PyLong_SHIFT) <= (size_a - 11) / 10 ``` In GitHub markdown math-speak, writing $M$ for `max_str_digits`, $L$ for `PyLong_SHIFT` and $s$ for `size_a`, that check is: $$\left\lfloor\frac{M}{3L}\right\rfloor \le \left\lfloor\frac{s - 11}{10}\right\rfloor$$ From this it follows that $$\frac{M}{3L} < \frac{s-1}{10}$$ hence that $$\frac{L(s-1)}{M} > \frac{10}{3} > \log_2(10).$$ So $$2^{L(s-1)} > 10^M.$$ But our input integer $a$ satisfies $|a| \ge 2^{L(s-1)}$, so $|a|$ is larger than $10^M$. This shows that we don't accidentally capture anything _below_ the intended limit in the check. <!-- gh-issue-number: gh-95778 --> * Issue: gh-95778 <!-- /gh-issue-number --> Co-authored-by: Gregory P. Smith [Google LLC] <greg@krypto.org> Co-authored-by: Christian Heimes <christian@python.org> Co-authored-by: Mark Dickinson <dickinsm@gmail.com> | 05 September 2022, 09:21:03 UTC |
| d348afa | Shantanu | 04 August 2022, 16:14:04 UTC | [3.9] gh-91423: Remove bugs.python.org from bugs.rst (GH-91425) (GH-95614) Co-authored-by: roy reznik <royreznik@gmail.com> Co-authored-by: Inada Naoki <songofacandy@gmail.com> Co-authored-by: Ezio Melotti <ezio.melotti@gmail.com>. (cherry picked from commit df81d2892eed3a256eb61ce59304f2173fb0c945) | 04 August 2022, 16:14:04 UTC |
| 03dc951 | Miss Islington (bot) | 29 July 2022, 15:20:06 UTC | gh-95280: Fix test_get_ciphers on systems without RSA key exchange (GH-95282) (GH-95323) (cherry picked from commit 565403038b75eb64ea483b2757ba30769246d853) Co-authored-by: Christian Heimes <christian@python.org> | 29 July 2022, 15:20:06 UTC |
| 7b87765 | Dong-hee Na | 28 July 2022, 19:31:17 UTC | [3.9] gh-90359: Update documentation to follow PEP 495. (gh-94800). (gh-94835) (cherry picked from commit 07374cce52abb7fd39729dc1b646ca3029b64c64) Co-authored-by: Dong-hee Na <donghee.na@python.org> | 28 July 2022, 19:31:17 UTC |
| 017080f | Łukasz Langa | 27 July 2022, 21:43:02 UTC | [3.9] gh-94208: Add more TLS version/protocol checks for FreeBSD (GH-94347) (GH-95312) Three test cases were failing on FreeBSD with latest OpenSSL. (cherry picked from commit 1bc86c26253befa006c0f52eebb6ed633c7d1e5c) Co-authored-by: Christian Heimes <christian@python.org> | 27 July 2022, 21:43:02 UTC |
| cd0a59f | Miss Islington (bot) | 26 July 2022, 10:07:41 UTC | gh-94821: Fix autobind of empty unix domain address (GH-94826) (GH-94875) When binding a unix socket to an empty address on Linux, the socket is automatically bound to an available address in the abstract namespace. >>> s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) >>> s.bind("") >>> s.getsockname() b'\x0075499' Since python 3.9, the socket is bound to the one address: >>> s.getsockname() b'\x00' And trying to bind multiple sockets will fail with: Traceback (most recent call last): File "/home/nsoffer/src/cpython/Lib/test/test_socket.py", line 5553, in testAutobind s2.bind("") OSError: [Errno 98] Address already in use Added 2 tests: - Auto binding empty address on Linux - Failing to bind an empty address on other platforms Fixes f6b3a07b7df6 (bpo-44493: Add missing terminated NUL in sockaddr_un's length (GH-26866) (cherry picked from commit c22f134211743cd5ad14cec1dd4f527bee542b4c) Co-authored-by: Nir Soffer <nsoffer@redhat.com> | 26 July 2022, 10:07:41 UTC |
| eff4aa5 | Łukasz Langa | 05 July 2022, 16:06:57 UTC | [3.9] gh-90355: Add isolated flag if currently isolated (GH-92857) (GH-94570) Co-authored-by: Carter Dodd <carter.dodd@gmail.com> Co-authored-by: Éric <merwok@netwok.org> Co-authored-by: Łukasz Langa <lukasz@langa.pl> (cherry picked from commit c8556bcf6c0b05ac46bd74880626a2853e7c99a1) | 05 July 2022, 16:06:57 UTC |
| 224cd0c | Miss Islington (bot) | 01 July 2022, 16:41:54 UTC | gh-81054: Document that SimpleHTTPRequestHandler follows symbolic links (GH-94416) (GH-94494) (cherry picked from commit 80aaeabb8bd1e6b49598a7e23e0f8d99b3fcecaf) Co-authored-by: Sam Ezeh <sam.z.ezeh@gmail.com> | 01 July 2022, 16:41:54 UTC |
| 66f4593 | Miss Islington (bot) | 22 June 2022, 13:58:16 UTC | gh-91172: Create a workflow for verifying bundled pip and setuptools (GH-31885) (GH-94123) Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com> Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com> (cherry picked from commit d36954b7ead06daead3dcf9b0dd9f8002eab508f) Co-authored-by: Illia Volochii <illia.volochii@gmail.com> | 22 June 2022, 13:58:16 UTC |
| defaa2b | Miss Islington (bot) | 22 June 2022, 08:42:02 UTC | gh-87389: Fix an open redirection vulnerability in http.server. (GH-93879) (GH-94093) Fix an open redirection vulnerability in the `http.server` module when an URI path starts with `//` that could produce a 301 Location header with a misleading target. Vulnerability discovered, and logic fix proposed, by Hamza Avvan (@hamzaavvan). Test and comments authored by Gregory P. Smith [Google]. (cherry picked from commit 4abab6b603dd38bec1168e9a37c40a48ec89508e) Co-authored-by: Gregory P. Smith <greg@krypto.org> | 22 June 2022, 08:42:02 UTC |
| 893adbf | Miss Islington (bot) | 16 June 2022, 10:16:30 UTC | gh-91810: Fix regression with writing an XML declaration with encoding='unicode' (GH-93426) (GH-93791) Suppress writing an XML declaration in open files in ElementTree.write() with encoding='unicode' and xml_declaration=None. If file patch is passed to ElementTree.write() with encoding='unicode', always open a new file in UTF-8. (cherry picked from commit d7db9dc3cc5b44d0b4ce000571fecf58089a01ec) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> | 16 June 2022, 10:16:30 UTC |
| e8f2fe3 | Miss Islington (bot) | 06 June 2022, 17:10:56 UTC | gh-83728: Add hmac.new default parameter deprecation (GH-91939) (GH-93546) (cherry picked from commit 56b5daf15970be449d44e91f08db84c698ac5506) Co-authored-by: Stanley <46876382+slateny@users.noreply.github.com> | 06 June 2022, 17:10:56 UTC |
| 95c9c2b | Miss Islington (bot) | 24 May 2022, 08:52:49 UTC | gh-93065: Fix HAMT to iterate correctly over 7-level deep trees (GH-93066) (#93147) Also while there, clarify a few things about why we reduce the hash to 32 bits. Co-authored-by: Eli Libman <eli@hyro.ai> Co-authored-by: Yury Selivanov <yury@edgedb.com> Co-authored-by: Łukasz Langa <lukasz@langa.pl> (cherry picked from commit c1f5c903a7e4ed27190488f4e33b00d3c3d952e5) | 24 May 2022, 08:52:49 UTC |
| a43f4e7 | Miss Islington (bot) | 19 May 2022, 16:03:55 UTC | bpo-46879: Fix incorrect sphinx object names in doc (GH-31615) (GH-92976) (cherry picked from commit 2cdd57f119e3b85f1bfd28c7ff040e0d9bcaf115) Co-authored-by: Łukasz Langa <lukasz@langa.pl> Co-authored-by: Martin Fischer <martin@push-f.com> | 19 May 2022, 16:03:55 UTC |
| 9f7cdb2 | Miss Islington (bot) | 19 May 2022, 15:33:09 UTC | bpo-45393: help() on operator precedence has misleading entries (GH-31246) (GH-92967) (cherry picked from commit fb082c2fc5a925085b179e63ca10b7f60b356d2f) Co-authored-by: Zackery Spytz <zspytz@gmail.com> | 19 May 2022, 15:33:09 UTC |
| 3bc3c89 | Miss Islington (bot) | 19 May 2022, 15:21:23 UTC | gh-92417: Update docs and examples of doctest.IGNORE_EXCEPTION_DETAIL for Py>=3 (GH-92502) (GH-92964) (cherry picked from commit 97b9c1096feff77a564787ef520cc7d4e1d1c45f) | 19 May 2022, 15:21:23 UTC |
| ab003d0 | Łukasz Langa | 17 May 2022, 17:06:39 UTC | Post 3.9.13 | 17 May 2022, 17:06:39 UTC |
| 6de2ca5 | Łukasz Langa | 17 May 2022, 11:12:56 UTC | Python 3.9.13 | 17 May 2022, 11:12:56 UTC |
| f82b324 | Jelle Zijlstra | 16 May 2022, 16:47:35 UTC | [3.9] gh-92112: Fix crash triggered by an evil custom `mro()` (GH-92113) (GH-92372) (cherry picked from commit 85354ed78c0edb6d81a2bd53cabc85e547b8b26e) Co-authored-by: Alexey Izbyshev <izbyshev@ispras.ru> | 16 May 2022, 16:47:35 UTC |
| 518b238 | Marek Suscak | 16 May 2022, 16:19:04 UTC | [3.9] bpo-34480: fix bug where match variable is used prior to being defined (GH-17643) (GH-32256) Co-authored-by: Ezio Melotti <ezio.melotti@gmail.com> Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com> Co-authored-by: Łukasz Langa <lukasz@langa.pl> | 16 May 2022, 16:19:04 UTC |
| 1699a5e | Miss Islington (bot) | 16 May 2022, 15:33:01 UTC | Check result of utc_to_seconds and skip fold probe in pure Python (GH-91582) (GH-92748) The `utc_to_seconds` call can fail, here's a minimal reproducer on Linux: TZ=UTC python -c "from datetime import *; datetime.fromtimestamp(253402300799 + 1)" The old behavior still raised an error in a similar way, but only because subsequent calculations happened to fail as well. Better to fail fast. This also refactors the tests to split out the `fromtimestamp` and `utcfromtimestamp` tests, and to get us closer to the actual desired limits of the functions. As part of this, we also changed the way we detect platforms where the same limits don't necessarily apply (e.g. Windows). As part of refactoring the tests to hit this condition explicitly (even though the user-facing behvior doesn't change in any way we plan to guarantee), I noticed that there was a difference in the places that `datetime.utcfromtimestamp` fails in the C and pure Python versions, which was fixed by skipping the "probe for fold" logic for UTC specifically — since UTC doesn't have any folds or gaps, we were never going to find a fold value anyway. This should prevent some failures in the pure python `utcfromtimestamp` method on timestamps close to 0001-01-01. There are two separate news entries for this because one is a potentially user-facing change, the other is an internal code correctness change that, if anything, changes some error messages. The two happen to be coupled because of the test refactoring, but they are probably best thought of as independent changes. Fixes GH-91581 (cherry picked from commit 83c0247d47b99f4571e35ea95361436e1d2a61cd) Co-authored-by: Paul Ganssle <1377457+pganssle@users.noreply.github.com> | 16 May 2022, 15:33:01 UTC |
| 4d05114 | Miss Islington (bot) | 16 May 2022, 15:32:28 UTC | gh-80143: Add clarification for escape characters (GH-92292) (GH-92630) (cherry picked from commit 549567c6e70da4846c105a18a1a89e7dd09680d7) Co-authored-by: slateny <46876382+slateny@users.noreply.github.com> | 16 May 2022, 15:32:28 UTC |
| 14d0594 | Miss Islington (bot) | 16 May 2022, 15:25:31 UTC | gh-92530: Fix an issue that occurred after interrupting threading.Condition.notify (GH-92534) (GH-92831) If Condition.notify() was interrupted just after it released the waiter lock, but before removing it from the queue, the following calls of notify() failed with RuntimeError: cannot release un-acquired lock. (cherry picked from commit 70af994fee7c0850ae859727d9468a5f29375a38) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> | 16 May 2022, 15:25:31 UTC |
| c4fc53f | Miss Islington (bot) | 16 May 2022, 06:32:15 UTC | gh-87670: Add web.archive redirects from effbot (GH-92816) (cherry picked from commit 3ed1cae9ed9d1f0dd9d68da4b30b731fdf6be768) Co-authored-by: Stanley <46876382+slateny@users.noreply.github.com> | 16 May 2022, 06:32:15 UTC |
| 1aafad1 | Miss Islington (bot) | 13 May 2022, 20:13:02 UTC | gh-92611: Link to PEP 594 sections & add key detail in doc deprecation notices (GH-92612) (cherry picked from commit 9f68dab3d327335b938046c50b4f09944e993cc8) Co-authored-by: CAM Gerlach <CAM.Gerlach@Gerlach.CAM> | 13 May 2022, 20:13:02 UTC |
| f253cf4 | Miss Islington (bot) | 13 May 2022, 14:10:10 UTC | Document Py_ssize_t. (GH-92512) It fixes 252 errors from a Sphinx nitpicky run (sphinx-build -n). But there's 8182 errors left. Co-authored-by: Ezio Melotti <ezio.melotti@gmail.com> (cherry picked from commit 664aa94b570a4a8f3535efb2e3d638a4ab655943) Co-authored-by: Julien Palard <julien@palard.fr> | 13 May 2022, 14:10:10 UTC |
| 256c6d0 | thueringa | 13 May 2022, 14:01:30 UTC | Fix typo in argparse docs. (GH-92691) (#92731) | 13 May 2022, 14:01:30 UTC |
| 801f771 | Dennis Sweeney | 12 May 2022, 21:41:34 UTC | [3.9] gh-92311: Let frame_setlineno jump over listcomps (#92740) | 12 May 2022, 21:41:34 UTC |
| f6bd1bd | Jelle Zijlstra | 12 May 2022, 21:12:28 UTC | [3.9] gh-92436: __future__ docs: add note on expectations for "from __future__ import annotations" (GH-92568). (#92726) (cherry picked from commit 6582c96454ddb731eb412c2a473300172225fdb9) Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com> | 12 May 2022, 21:12:28 UTC |
| 65d2dfd | Miss Islington (bot) | 11 May 2022, 18:42:10 UTC | bpo-42627: Fix incorrect parsing of Windows registry proxy settings (GH-26307) (cherry picked from commit b69297ea23c0ab9866ae8bd26a347a9b5df567a6) Co-authored-by: 狂男风 <CrazyBoyFeng@Live.com> | 11 May 2022, 18:42:10 UTC |
| bfc88d3 | Miss Islington (bot) | 11 May 2022, 17:40:05 UTC | [3.9] gh-91810: ElementTree: Use text file's encoding by default in XML declaration (GH-91903) (GH-92665) ElementTree method write() and function tostring() now use the text file's encoding ("UTF-8" if not available) instead of locale encoding in XML declaration when encoding="unicode" is specified. (cherry picked from commit 707839b0fe02ba2c891a40f40e7a869d84c2c9c5) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> Automerge-Triggered-By: GH:serhiy-storchaka | 11 May 2022, 17:40:05 UTC |
| 3f2113d | Miss Islington (bot) | 11 May 2022, 10:50:00 UTC | [3.9] Fix typo in unittest.rst: addCleanupModule -> addModuleCleanup (GH-92631) (GH-92661) (cherry picked from commit 38486ca212c0827d54e7b0d0b1e2c1ccc2bdad33) Co-authored-by: Mikhail Terekhov <termim@gmail.com> Automerge-Triggered-By: GH:serhiy-storchaka | 11 May 2022, 10:50:00 UTC |
| 7534c50 | Miss Islington (bot) | 10 May 2022, 09:28:24 UTC | [3.9] gh-76773: Update docs mentioning no-longer-supported Windows versions & features (GH-92529) (GH-92610) (cherry picked from commit f1bbcba74f77eff2a4c0881f3d529f3bf0664d40) Co-authored-by: CAM Gerlach <CAM.Gerlach@Gerlach.CAM> Automerge-Triggered-By: GH:serhiy-storchaka | 10 May 2022, 09:28:24 UTC |
| 35d589c | Miss Islington (bot) | 10 May 2022, 07:49:09 UTC | gh-92256: Improve Argument Clinic parser error messages (GH-92268) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> Co-authored-by: Victor Stinner <vstinner@python.org> (cherry picked from commit 4bd07d1dbd493fc9b2c2a77e9e905c517682052e) Co-authored-by: Erlend Egeberg Aasland <erlend.aasland@protonmail.com> | 10 May 2022, 07:49:09 UTC |
| b7a8786 | Miss Islington (bot) | 10 May 2022, 04:20:37 UTC | bpo-13553: Document tkinter.Tk args (GH-4786) (cherry picked from commit c56e2bb9949c95ec8911cd5554b07044a564796f) Co-authored-by: Cheryl Sabella <cheryl.sabella@gmail.com> | 10 May 2022, 04:20:37 UTC |
| 1fb25a9 | Itai Steinherz | 09 May 2022, 22:42:59 UTC | bpo-46785: Fix race condition between os.stat() and unlink on Windows (GH-31858) * [3.9] bpo-46785: Fix race condition between os.stat() and unlink on Windows (GH-31858). (cherry picked from commit 39e6b8ae6a5b49bb23746fdcc354d148ff2d98e3) Co-authored-by: Itai Steinherz <itaisteinherz@gmail.com> | 09 May 2022, 22:42:59 UTC |
| 249be82 | Miss Islington (bot) | 09 May 2022, 21:31:12 UTC | Doc: Update py2app link. (GH-91585) See: https://mail.python.org/archives/list/docs@python.org/thread/KDVFGNGGUGGPVRZT7WZYHHWXCRS2GEN7/ (cherry picked from commit b77a95f44a024d1afab28e380252aa6d9c4efb1c) Co-authored-by: Julien Palard <julien@palard.fr> | 09 May 2022, 21:31:12 UTC |
| ad82e12 | Miss Islington (bot) | 09 May 2022, 16:49:25 UTC | gh-92417: `asyncio` docs: `asyncio.run()` is available on all supported Python versions (GH-92419) (cherry picked from commit f4e317b304c7f86e48885b4b74c7a8826648922c) Co-authored-by: Alex Waygood <Alex.Waygood@Gmail.com> | 09 May 2022, 16:49:25 UTC |
