+++++++++++ Python News +++++++++++ What's New in Python 3.8.9 final? ================================= *Release date: 2021-04-02* Security -------- - bpo-42988: CVE-2021-3426: Remove the ``getfile`` feature of the :mod:`pydoc` module which could be abused to read arbitrary files on the disk (directory traversal vulnerability). Moreover, even source code of Python modules can contain sensitive data like passwords. Vulnerability reported by David Schwörer. - bpo-43285: :mod:`ftplib` no longer trusts the IP address value returned from the server in response to the PASV command by default. This prevents a malicious FTP server from using the response to probe IPv4 address and port combinations on the client network. Code that requires the former vulnerable behavior may set a ``trust_server_pasv_ipv4_address`` attribute on their :class:`ftplib.FTP` instances to ``True`` to re-enable it. - bpo-43439: Add audit hooks for :func:`gc.get_objects`, :func:`gc.get_referrers` and :func:`gc.get_referents`. Patch by Pablo Galindo. Core and Builtins ----------------- - bpo-43660: Fix crash that happens when replacing ``sys.stderr`` with a callable that can remove the object while an exception is being printed. Patch by Pablo Galindo. - bpo-35883: Python no longer fails at startup with a fatal error if a command line argument contains an invalid Unicode character. The :c:func:`Py_DecodeLocale` function now escapes byte sequences which would be decoded as Unicode characters outside the [U+0000; U+10ffff] range. - bpo-43406: Fix a possible race condition where ``PyErr_CheckSignals`` tries to execute a non-Python signal handler. Library ------- - bpo-35930: Raising an exception raised in a "future" instance will create reference cycles. - bpo-43577: Fix deadlock when using :class:`ssl.SSLContext` debug callback with :meth:`ssl.SSLContext.sni_callback`. - bpo-43423: :func:`subprocess.communicate` no longer raises an IndexError when there is an empty stdout or stderr IO buffer during a timeout on Windows. - bpo-27820: Fixed long-standing bug of smtplib.SMTP where doing AUTH LOGIN with initial_response_ok=False will fail. The cause is that SMTP.auth_login _always_ returns a password if provided with a challenge string, thus non-compliant with the standard for AUTH LOGIN. Also fixes bug with the test for smtpd. - bpo-43399: Fix ``ElementTree.extend`` not working on iterators when using the Python implementation - bpo-43316: The ``python -m gzip`` command line application now properly fails when detecting an unsupported extension. It exits with a non-zero exit code and prints an error message to stderr. - bpo-43260: Fix TextIOWrapper can not flush internal buffer forever after very large text is written. - bpo-42782: Fail fast in :func:`shutil.move()` to avoid creating destination directories on failure. - bpo-37193: Fixed memory leak in ``socketserver.ThreadingMixIn`` introduced in Python 3.7. Documentation ------------- - bpo-43199: Answer "Why is there no goto?" in the Design and History FAQ. - bpo-43407: Clarified that a result from :func:`time.monotonic`, :func:`time.perf_counter`, :func:`time.process_time`, or :func:`time.thread_time` can be compared with the result from any following call to the same function - not just the next immediate call. - bpo-27646: Clarify that 'yield from <expr>' works with any iterable, not just iterators. - bpo-36346: Update some deprecated unicode APIs which are documented as "will be removed in 4.0" to "3.12". See :pep:`623` for detail. Tests ----- - bpo-37945: Fix test_getsetlocale_issue1813() of test_locale: skip the test if ``setlocale()`` fails. Patch by Victor Stinner. - bpo-41561: Add workaround for Ubuntu's custom OpenSSL security level policy. Build ----- - bpo-43631: Update macOS, Windows, and CI to OpenSSL 1.1.1k. - bpo-43617: Improve configure.ac: Check for presence of autoconf-archive package and remove our copies of M4 macros. macOS ----- - bpo-41837: Update macOS installer build to use OpenSSL 1.1.1j. IDLE ---- - bpo-42225: Document that IDLE can fail on Unix either from misconfigured IP masquerage rules or failure displaying complex colored (non-ascii) characters. - bpo-43283: Document why printing to IDLE's Shell is often slower than printing to a system terminal and that it can be made faster by pre-formatting a single string before printing. What's New in Python 3.8.8 final? ================================= *Release date: 2021-02-19* There were no new changes in version 3.8.8. What's New in Python 3.8.8 release candidate 1? =============================================== *Release date: 2021-02-16* Security -------- - bpo-42967: Fix web cache poisoning vulnerability by defaulting the query args separator to ``&``, and allowing the user to choose a custom separator. - bpo-42938: Avoid static buffers when computing the repr of :class:`ctypes.c_double` and :class:`ctypes.c_longdouble` values. Core and Builtins ----------------- - bpo-42819: :mod:`readline`: Explicitly disable bracketed paste in the interactive interpreter, even if it's set in the inputrc, is enabled by default (eg GNU Readline 8.1), or a user calls ``readline.read_init_file()``. The Python REPL has not implemented bracketed paste support. Also, bracketed mode writes the ``"\x1b[?2004h"`` escape sequence into stdout which causes test failures in applications that don't support it. It can still be explicitly enabled by calling ``readline.parse_and_bind("set enable-bracketed-paste on")``. Patch by Dustin Rodrigues. Library ------- - bpo-43108: Fixed a reference leak in the :mod:`curses` module. Patch by Pablo Galindo - bpo-42780: Fix os.set_inheritable() for O_PATH file descriptors on Linux. - bpo-41748: Fix HTMLParser parsing rules for element attributes containing commas with spaces. Patch by Karl Dubost. - bpo-42759: Fixed equality comparison of :class:`tkinter.Variable` and :class:`tkinter.font.Font`. Objects which belong to different Tcl interpreters are now always different, even if they have the same name. - bpo-23328: Allow / character in username, password fields on _PROXY envars. - bpo-42681: Fixed range checks for color and pair numbers in :mod:`curses`. - bpo-42531: :func:`importlib.resources.path` now works for :term:`package`\ s missing the optional :attr:`__file__` attribute (more specifically, packages whose :attr:`__spec__`\ ``.``\ :attr:`~importlib.machinery.ModuleSpec.origin` :keyword:`is` :data:`None`). - bpo-42388: Fix subprocess.check_output(..., input=None) behavior when text=True to be consistent with that of the documentation and universal_newlines=True. - bpo-42384: Make pdb populate sys.path[0] exactly the same as regular python execution. - bpo-42383: Fix pdb: previously pdb would fail to restart the debugging target if it was specified using a relative path and the current directory changed. - bpo-42318: Fixed support of non-BMP characters in :mod:`tkinter` on macOS. - bpo-42005: Fix CLI of :mod:`cProfile` and :mod:`profile` to catch :exc:`BrokenPipeError`. - bpo-41604: Don't decrement the reference count of the previous user_ptr when set_panel_userptr fails. - bpo-26407: Unexpected errors in calling the ``__iter__`` method are no longer masked by ``TypeError`` in :func:`csv.reader`, :func:`csv.writer.writerow` and :meth:`csv.writer.writerows`. - bpo-39068: Fix initialization race condition in :func:`a85encode` and :func:`b85encode` in :mod:`base64`. Patch by Brandon Stansbury. - bpo-36589: The :func:`curses.update_lines_cols` function now returns ``None`` instead of ``1`` on success. - bpo-33289: Correct call to :mod:`tkinter.colorchooser` to return RGB triplet of ints instead of floats. Patch by Cheryl Sabella. Documentation ------------- - bpo-40304: Fix doc for type(name, bases, dict). Patch by Boris Verkhovskiy and Éric Araujo. - bpo-42811: Updated importlib.utils.resolve_name() doc to use __spec__.parent instead of __package__. (Thanks Yair Frid.) Tests ----- - bpo-42794: Update test_nntplib to use offical group name of news.aioe.org for testing. Patch by Dong-hee Na. - bpo-40810: In :mod:`sqlite3`, fix ``CheckTraceCallbackContent`` for SQLite pre 3.7.15. Build ----- - bpo-29076: Add fish shell support to macOS installer. Windows ------- - bpo-41837: Updated Windows installer to include OpenSSL 1.1.1i - bpo-42584: Upgrade Windows installer to use SQLite 3.34.0. macOS ----- - bpo-41837: Update macOS installer build to use OpenSSL 1.1.1i. - bpo-42584: Update macOS installer to use SQLite 3.34.0. IDLE ---- - bpo-43008: Make IDLE invoke :func:`sys.excepthook` in normal, 2-process mode. Patch by Ken Hilton. - bpo-33065: Fix problem debugging user classes with __repr__ method. - bpo-42508: Keep IDLE running on macOS. Remove obsolete workaround that prevented running files with shortcuts when using new universal2 installers built on macOS 11. - bpo-23544: Disable Debug=>Stack Viewer when user code is running or Debugger is active, to prevent hang or crash. Patch by Zackery Spytz. - bpo-32631: Finish zzdummy example extension module: make menu entries work; add docstrings and tests with 100% coverage. Tools/Demos ----------- - bpo-42726: Fixed Python 3 compatibility issue with gdb/libpython.py handling of attribute dictionaries. C API ----- - bpo-43030: Fixed a compiler warning in :c:func:`Py_UNICODE_ISSPACE()` on platforms with signed ``wchar_t``. - bpo-40052: Fix an alignment build warning/error in function ``PyVectorcall_Function()``. Patch by Andreas Schneider, Antoine Pitrou and Petr Viktorin. What's New in Python 3.8.7 final? ================================= *Release date: 2020-12-21* Core and Builtins ----------------- - bpo-32381: Fix encoding name when running a ``.pyc`` file on Windows: :c:func:`PyRun_SimpleFileExFlags()` now uses the correct encoding to decode the filename. - bpo-42536: Several built-in and standard library types now ensure that their internal result tuples are always tracked by the :term:`garbage collector <garbage collection>`: - :meth:`collections.OrderedDict.items() <collections.OrderedDict>` - :meth:`dict.items` - :func:`enumerate` - :func:`functools.reduce` - :func:`itertools.combinations` - :func:`itertools.combinations_with_replacement` - :func:`itertools.permutations` - :func:`itertools.product` - :func:`itertools.zip_longest` - :func:`zip` Previously, they could have become untracked by a prior garbage collection. Patch by Brandt Bucher. Library ------- - bpo-42630: :mod:`tkinter` functions and constructors which need a default root window raise now :exc:`RuntimeError` with descriptive message instead of obscure :exc:`AttributeError` or :exc:`NameError` if it is not created yet or cannot be created automatically. - bpo-42644: `logging.disable` will now validate the types and value of its parameter. It also now accepts strings representing the levels (as does `loging.setLevel`) instead of only the numerical values. - bpo-36541: Fixed lib2to3.pgen2 to be able to parse PEP-570 positional only argument syntax. - bpo-42375: subprocess module update for DragonFlyBSD support. - bpo-39825: Windows: Change ``sysconfig.get_config_var('EXT_SUFFIX')`` to the expected full ``platform_tag.extension`` format. Previously it was hard-coded to ``.pyd``, now it is compatible with ``distutils.sysconfig`` and will result in something like ``.cp38-win_amd64.pyd``. This brings windows into conformance with the other platforms. - bpo-39101: Fixed tests using IsolatedAsyncioTestCase from hanging on BaseExceptions. - bpo-41907: fix `format()` behavior for `IntFlag` - bpo-41889: Enum: fix regression involving inheriting a multiply-inherited enum - bpo-41891: Ensure asyncio.wait_for waits for task completion - bpo-40219: Lowered :class:`tkinter.ttk.LabeledScale` dummy widget to prevent hiding part of the content label. - bpo-40084: Fix ``Enum.__dir__``: dir(Enum.member) now includes attributes as well as methods. Documentation ------------- - bpo-17140: Add documentation for the :class:`multiprocessing.pool.ThreadPool` class. Build ----- - bpo-42604: Now all platforms use a value for the "EXT_SUFFIX" build variable derived from SOABI (for instance in freeBSD, "EXT_SUFFIX" is now ".cpython-310d.so" instead of ".so"). Previosuly only Linux, Mac and VxWorks were using a value for "EXT_SUFFIX" that included "SOABI". - bpo-42598: Fix implicit function declarations in configure which could have resulted in incorrect configuration checks. Patch contributed by Joshua Root. Tools/Demos ----------- - bpo-42613: Fix ``freeze.py`` tool to use the prope config and library directories. Patch by Victor Stinner. What's New in Python 3.8.7 release candidate 1? =============================================== *Release date: 2020-12-07* Security -------- - bpo-42103: Prevented potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format. - bpo-42051: The :mod:`plistlib` module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities. This should not affect users as entity declarations are not used in regular plist files. - bpo-40791: Add ``volatile`` to the accumulator variable in ``hmac.compare_digest``, making constant-time-defeating optimizations less likely. Core and Builtins ----------------- - bpo-41686: On Windows, the ``SIGINT`` event, ``_PyOS_SigintEvent()``, is now created even if Python is configured to not install signal handlers (if :c:member:`PyConfig.install_signal_handlers` equals to 0, or ``Py_InitializeEx(0)``). - bpo-42143: Fix handling of errors during creation of ``PyFunctionObject``, which resulted in operations on uninitialized memory. Patch by Yonatan Goldschmidt. - bpo-41984: The garbage collector now tracks all user-defined classes. Patch by Brandt Bucher. - bpo-41909: Fixed stack overflow in :func:`issubclass` and :func:`isinstance` when getting the ``__bases__`` attribute leads to infinite recursion. - bpo-41894: When loading a native module and a load failure occurs, prevent a possible UnicodeDecodeError when not running in a UTF-8 locale by decoding the load error message using the current locale's encoding. Library ------- - bpo-17735: :func:`inspect.findsource` now raises :exc:`OSError` instead of :exc:`IndexError` when :attr:`co_lineno` of a code object is greater than the file length. This can happen, for example, when a file is edited after it was imported. PR by Irit Katriel. - bpo-42116: Fix handling of trailing comments by :func:`inspect.getsource`. - bpo-42482: :class:`~traceback.TracebackException` no longer holds a reference to the exception's traceback object. Consequently, instances of TracebackException for equivalent but non-equal exceptions now compare as equal. - bpo-42406: We fixed an issue in `pickle.whichmodule` in which importing `multiprocessing` could change the how pickle identifies which module an object belongs to, potentially breaking the unpickling of those objects. - bpo-42328: Fixed :meth:`tkinter.ttk.Style.map`. The function accepts now the representation of the default state as empty sequence (as returned by ``Style.map()``). The structure of the result is now the same on all platform and does not depend on the value of ``wantobjects``. - bpo-42014: The ``onerror`` callback from ``shutil.rmtree`` now receives correct function when ``os.open`` fails. - bpo-42237: Fix `os.sendfile()` on illumos. - bpo-42249: Fixed writing binary Plist files larger than 4 GiB. - bpo-35455: On Solaris, :