Python 3.8.9v3.8.9

27 files changed, 276 insertions, 68 deletions

diff --git a/Misc/NEWS.d/3.8.9.rst b/Misc/NEWS.d/3.8.9.rst
new file mode 100644
index 0000000..10d498c
--- /dev/null
+++ b/Misc/NEWS.d/3.8.9.rst
@@ -0,0 +1,276 @@
+.. bpo: 42988
+.. date: 2021-03-24-14-16-56
+.. nonce: P2aNco
+.. release date: 2021-04-02
+.. section: Security
+
+CVE-2021-3426: Remove the ``getfile`` feature of the :mod:`pydoc` module
+which could be abused to read arbitrary files on the disk (directory
+traversal vulnerability). Moreover, even source code of Python modules can
+contain sensitive data like passwords. Vulnerability reported by David
+Schwörer.
+
+..
+
+.. bpo: 43285
+.. date: 2021-03-13-03-48-14
+.. nonce: g-Hah3
+.. section: Security
+
+:mod:`ftplib` no longer trusts the IP address value returned from the server
+in response to the PASV command by default.  This prevents a malicious FTP
+server from using the response to probe IPv4 address and port combinations
+on the client network.
+
+Code that requires the former vulnerable behavior may set a
+``trust_server_pasv_ipv4_address`` attribute on their :class:`ftplib.FTP`
+instances to ``True`` to re-enable it.
+
+..
+
+.. bpo: 43439
+.. date: 2021-03-08-23-06-07
+.. nonce: 5U3lXm
+.. section: Security
+
+Add audit hooks for :func:`gc.get_objects`, :func:`gc.get_referrers` and
+:func:`gc.get_referents`. Patch by Pablo Galindo.
+
+..
+
+.. bpo: 43660
+.. date: 2021-03-29-19-50-34
+.. nonce: scTgag
+.. section: Core and Builtins
+
+Fix crash that happens when replacing ``sys.stderr`` with a callable that
+can remove the object while an exception is being printed. Patch by Pablo
+Galindo.
+
+..
+
+.. bpo: 35883
+.. date: 2021-03-13-13-57-21
+.. nonce: UyGpdG
+.. section: Core and Builtins
+
+Python no longer fails at startup with a fatal error if a command line
+argument contains an invalid Unicode character. The
+:c:func:`Py_DecodeLocale` function now escapes byte sequences which would be
+decoded as Unicode characters outside the [U+0000; U+10ffff] range.
+
+..
+
+.. bpo: 43406
+.. date: 2021-03-04-22-53-10
+.. nonce: Na_VpA
+.. section: Core and Builtins
+
+Fix a possible race condition where ``PyErr_CheckSignals`` tries to execute
+a non-Python signal handler.
+
+..
+
+.. bpo: 35930
+.. date: 2021-03-23-17-18-56
+.. nonce: RZ51pM
+.. section: Library
+
+Raising an exception raised in a "future" instance will create reference
+cycles.
+
+..
+
+.. bpo: 43577
+.. date: 2021-03-21-10-13-17
+.. nonce: m7JnAV
+.. section: Library
+
+Fix deadlock when using :class:`ssl.SSLContext` debug callback with
+:meth:`ssl.SSLContext.sni_callback`.
+
+..
+
+.. bpo: 43423
+.. date: 2021-03-11-15-44-18
+.. nonce: rRomRD
+.. section: Library
+
+:func:`subprocess.communicate` no longer raises an IndexError when there is
+an empty stdout or stderr IO buffer during a timeout on Windows.
+
+..
+
+.. bpo: 27820
+.. date: 2021-03-10-14-07-44
+.. nonce: Wwdy-r
+.. section: Library
+
+Fixed long-standing bug of smtplib.SMTP where doing AUTH LOGIN with
+initial_response_ok=False will fail.
+
+The cause is that SMTP.auth_login _always_ returns a password if provided
+with a challenge string, thus non-compliant with the standard for AUTH
+LOGIN.
+
+Also fixes bug with the test for smtpd.
+
+..
+
+.. bpo: 43399
+.. date: 2021-03-04-17-53-46
+.. nonce: Wn95u-
+.. section: Library
+
+Fix ``ElementTree.extend`` not working on iterators when using the Python
+implementation
+
+..
+
+.. bpo: 43316
+.. date: 2021-02-25-09-44-36
+.. nonce: k9Gyqn
+.. section: Library
+
+The ``python -m gzip`` command line application now properly fails when
+detecting an unsupported extension. It exits with a non-zero exit code and
+prints an error message to stderr.
+
+..
+
+.. bpo: 43260
+.. date: 2021-02-20-12-15-29
+.. nonce: 6znAas
+.. section: Library
+
+Fix TextIOWrapper can not flush internal buffer forever after very large
+text is written.
+
+..
+
+.. bpo: 42782
+.. date: 2020-12-29-13-46-57
+.. nonce: 3r0HFY
+.. section: Library
+
+Fail fast in :func:`shutil.move()` to avoid creating destination directories
+on failure.
+
+..
+
+.. bpo: 37193
+.. date: 2020-06-12-21-23-20
+.. nonce: wJximU
+.. section: Library
+
+Fixed memory leak in ``socketserver.ThreadingMixIn`` introduced in Python
+3.7.
+
+..
+
+.. bpo: 43199
+.. date: 2021-03-13-18-43-54
+.. nonce: ZWA6KX
+.. section: Documentation
+
+Answer "Why is there no goto?" in the Design and History FAQ.
+
+..
+
+.. bpo: 43407
+.. date: 2021-03-04-22-53-03
+.. nonce: x570l5
+.. section: Documentation
+
+Clarified that a result from :func:`time.monotonic`,
+:func:`time.perf_counter`, :func:`time.process_time`, or
+:func:`time.thread_time` can be compared with the result from any following
+call to the same function - not just the next immediate call.
+
+..
+
+.. bpo: 27646
+.. date: 2021-02-20-00-09-13
+.. nonce: HRsmo-
+.. section: Documentation
+
+Clarify that 'yield from <expr>' works with any iterable, not just
+iterators.
+
+..
+
+.. bpo: 36346
+.. date: 2020-06-15-10-45-45
+.. nonce: H0sS_i
+.. section: Documentation
+
+Update some deprecated unicode APIs which are documented as "will be removed
+in 4.0" to "3.12". See :pep:`623` for detail.
+
+..
+
+.. bpo: 37945
+.. date: 2021-03-31-11-38-42
+.. nonce: HTUYhv
+.. section: Tests
+
+Fix test_getsetlocale_issue1813() of test_locale: skip the test if
+``setlocale()`` fails. Patch by Victor Stinner.
+
+..
+
+.. bpo: 41561
+.. date: 2021-03-18-10-34-42
+.. nonce: pDg4w-
+.. section: Tests
+
+Add workaround for Ubuntu's custom OpenSSL security level policy.
+
+..
+
+.. bpo: 43631
+.. date: 2021-03-26-09-16-34
+.. nonce: msJyPi
+.. section: Build
+
+Update macOS, Windows, and CI to OpenSSL 1.1.1k.
+
+..
+
+.. bpo: 43617
+.. date: 2021-03-24-16-55-55
+.. nonce: d69KAv
+.. section: Build
+
+Improve configure.ac: Check for presence of autoconf-archive package and
+remove our copies of M4 macros.
+
+..
+
+.. bpo: 41837
+.. date: 2021-02-28-22-49-46
+.. nonce: 9fqyXC
+.. section: macOS
+
+Update macOS installer build to use OpenSSL 1.1.1j.
+
+..
+
+.. bpo: 42225
+.. date: 2021-03-29-16-22-27
+.. nonce: iIeiLg
+.. section: IDLE
+
+Document that IDLE can fail on Unix either from misconfigured IP masquerage
+rules or failure displaying complex colored (non-ascii) characters.
+
+..
+
+.. bpo: 43283
+.. date: 2021-02-21-16-30-10
+.. nonce: DLBwYn
+.. section: IDLE
+
+Document why printing to IDLE's Shell is often slower than printing to a
+system terminal and that it can be made faster by pre-formatting a single
+string before printing.
diff --git a/Misc/NEWS.d/next/Build/2021-03-24-16-55-55.bpo-43617.d69KAv.rst b/Misc/NEWS.d/next/Build/2021-03-24-16-55-55.bpo-43617.d69KAv.rst
deleted file mode 100644
index 2678396..0000000
--- a/Misc/NEWS.d/next/Build/2021-03-24-16-55-55.bpo-43617.d69KAv.rst
+++ /dev/null
@@ -1,2 +0,0 @@
-Improve configure.ac: Check for presence of autoconf-archive package and
-remove our copies of M4 macros.
diff --git a/Misc/NEWS.d/next/Build/2021-03-26-09-16-34.bpo-43631.msJyPi.rst b/Misc/NEWS.d/next/Build/2021-03-26-09-16-34.bpo-43631.msJyPi.rst
deleted file mode 100644
index 4de4905..0000000
--- a/Misc/NEWS.d/next/Build/2021-03-26-09-16-34.bpo-43631.msJyPi.rst
+++ /dev/null
@@ -1 +0,0 @@
-Update macOS, Windows, and CI to OpenSSL 1.1.1k.
diff --git a/Misc/NEWS.d/next/Core and Builtins/2021-03-04-22-53-10.bpo-43406.Na_VpA.rst b/Misc/NEWS.d/next/Core and Builtins/2021-03-04-22-53-10.bpo-43406.Na_VpA.rst
deleted file mode 100644
index c18a55e..0000000
--- a/Misc/NEWS.d/next/Core and Builtins/2021-03-04-22-53-10.bpo-43406.Na_VpA.rst
+++ /dev/null
@@ -1,2 +0,0 @@
-Fix a possible race condition where ``PyErr_CheckSignals`` tries to execute a
-non-Python signal handler.
diff --git a/Misc/NEWS.d/next/Core and Builtins/2021-03-13-13-57-21.bpo-35883.UyGpdG.rst b/Misc/NEWS.d/next/Core and Builtins/2021-03-13-13-57-21.bpo-35883.UyGpdG.rst
deleted file mode 100644
index 4674242..0000000
--- a/Misc/NEWS.d/next/Core and Builtins/2021-03-13-13-57-21.bpo-35883.UyGpdG.rst
+++ /dev/null
@@ -1,4 +0,0 @@
-Python no longer fails at startup with a fatal error if a command line
-argument contains an invalid Unicode character. The
-:c:func:`Py_DecodeLocale` function now escapes byte sequences which would be
-decoded as Unicode characters outside the [U+0000; U+10ffff] range.
diff --git a/Misc/NEWS.d/next/Core and Builtins/2021-03-29-19-50-34.bpo-43660.scTgag.rst b/Misc/NEWS.d/next/Core and Builtins/2021-03-29-19-50-34.bpo-43660.scTgag.rst
deleted file mode 100644
index 9841950..0000000
--- a/Misc/NEWS.d/next/Core and Builtins/2021-03-29-19-50-34.bpo-43660.scTgag.rst
+++ /dev/null
@@ -1,3 +0,0 @@
-Fix crash that happens when replacing ``sys.stderr`` with a callable that
-can remove the object while an exception is being printed. Patch by Pablo
-Galindo.
diff --git a/Misc/NEWS.d/next/Documentation/2020-06-15-10-45-45.bpo-36346.H0sS_i.rst b/Misc/NEWS.d/next/Documentation/2020-06-15-10-45-45.bpo-36346.H0sS_i.rst
deleted file mode 100644
index b737e12..0000000
--- a/Misc/NEWS.d/next/Documentation/2020-06-15-10-45-45.bpo-36346.H0sS_i.rst
+++ /dev/null
@@ -1,2 +0,0 @@
-Update some deprecated unicode APIs which are documented as "will be removed
-in 4.0" to "3.12". See :pep:`623` for detail.
diff --git a/Misc/NEWS.d/next/Documentation/2021-02-20-00-09-13.bpo-27646.HRsmo-.rst b/Misc/NEWS.d/next/Documentation/2021-02-20-00-09-13.bpo-27646.HRsmo-.rst
deleted file mode 100644
index 8ba398a..0000000
--- a/Misc/NEWS.d/next/Documentation/2021-02-20-00-09-13.bpo-27646.HRsmo-.rst
+++ /dev/null
@@ -1,2 +0,0 @@
-Clarify that 'yield from <expr>' works with any iterable, not just
-iterators.
diff --git a/Misc/NEWS.d/next/Documentation/2021-03-04-22-53-03.bpo-43407.x570l5.rst b/Misc/NEWS.d/next/Documentation/2021-03-04-22-53-03.bpo-43407.x570l5.rst
deleted file mode 100644
index 615e3d0..0000000
--- a/Misc/NEWS.d/next/Documentation/2021-03-04-22-53-03.bpo-43407.x570l5.rst
+++ /dev/null
@@ -1,4 +0,0 @@
-Clarified that a result from :func:`time.monotonic`,
-:func:`time.perf_counter`, :func:`time.process_time`, or
-:func:`time.thread_time` can be compared with the result from any following
-call to the same function - not just the next immediate call.
diff --git a/Misc/NEWS.d/next/Documentation/2021-03-13-18-43-54.bpo-43199.ZWA6KX.rst b/Misc/NEWS.d/next/Documentation/2021-03-13-18-43-54.bpo-43199.ZWA6KX.rst
deleted file mode 100644
index d1b454f..0000000
--- a/Misc/NEWS.d/next/Documentation/2021-03-13-18-43-54.bpo-43199.ZWA6KX.rst
+++ /dev/null
@@ -1 +0,0 @@
-Answer "Why is there no goto?" in the Design and History FAQ.
diff --git a/Misc/NEWS.d/next/IDLE/2021-02-21-16-30-10.bpo-43283.DLBwYn.rst b/Misc/NEWS.d/next/IDLE/2021-02-21-16-30-10.bpo-43283.DLBwYn.rst
deleted file mode 100644
index 7a627af..0000000
--- a/Misc/NEWS.d/next/IDLE/2021-02-21-16-30-10.bpo-43283.DLBwYn.rst
+++ /dev/null
@@ -1,3 +0,0 @@
-Document why printing to IDLE's Shell is often slower than printing to a
-system terminal and that it can be made faster by pre-formatting a single
-string before printing.
diff --git a/Misc/NEWS.d/next/IDLE/2021-03-29-16-22-27.bpo-42225.iIeiLg.rst b/Misc/NEWS.d/next/IDLE/2021-03-29-16-22-27.bpo-42225.iIeiLg.rst
deleted file mode 100644
index 59fb08b..0000000
--- a/Misc/NEWS.d/next/IDLE/2021-03-29-16-22-27.bpo-42225.iIeiLg.rst
+++ /dev/null
@@ -1,2 +0,0 @@
-Document that IDLE can fail on Unix either from misconfigured IP masquerage
-rules or failure displaying complex colored (non-ascii) characters.
diff --git a/Misc/NEWS.d/next/Library/2020-06-12-21-23-20.bpo-37193.wJximU.rst b/Misc/NEWS.d/next/Library/2020-06-12-21-23-20.bpo-37193.wJximU.rst
deleted file mode 100644
index fbf56d3..0000000
--- a/Misc/NEWS.d/next/Library/2020-06-12-21-23-20.bpo-37193.wJximU.rst
+++ /dev/null
@@ -1,2 +0,0 @@
-Fixed memory leak in ``socketserver.ThreadingMixIn`` introduced in Python
-3.7.
diff --git a/Misc/NEWS.d/next/Library/2020-12-29-13-46-57.bpo-42782.3r0HFY.rst b/Misc/NEWS.d/next/Library/2020-12-29-13-46-57.bpo-42782.3r0HFY.rst
deleted file mode 100644
index 065df9b..0000000
--- a/Misc/NEWS.d/next/Library/2020-12-29-13-46-57.bpo-42782.3r0HFY.rst
+++ /dev/null
@@ -1,2 +0,0 @@
-Fail fast in :func:`shutil.move()` to avoid creating destination directories on
-failure.
diff --git a/Misc/NEWS.d/next/Library/2021-02-20-12-15-29.bpo-43260.6znAas.rst b/Misc/NEWS.d/next/Library/2021-02-20-12-15-29.bpo-43260.6znAas.rst
deleted file mode 100644
index f3c21d1..0000000
--- a/Misc/NEWS.d/next/Library/2021-02-20-12-15-29.bpo-43260.6znAas.rst
+++ /dev/null
@@ -1,2 +0,0 @@
-Fix TextIOWrapper can not flush internal buffer forever after very large
-text is written.
diff --git a/Misc/NEWS.d/next/Library/2021-02-25-09-44-36.bpo-43316.k9Gyqn.rst b/Misc/NEWS.d/next/Library/2021-02-25-09-44-36.bpo-43316.k9Gyqn.rst
deleted file mode 100644
index 1f0d3c4..0000000
--- a/Misc/NEWS.d/next/Library/2021-02-25-09-44-36.bpo-43316.k9Gyqn.rst
+++ /dev/null
@@ -1,3 +0,0 @@
-The ``python -m gzip`` command line application now properly fails when
-detecting an unsupported extension. It exits with a non-zero exit code and
-prints an error message to stderr.
diff --git a/Misc/NEWS.d/next/Library/2021-03-04-17-53-46.bpo-43399.Wn95u-.rst b/Misc/NEWS.d/next/Library/2021-03-04-17-53-46.bpo-43399.Wn95u-.rst
deleted file mode 100644
index 0b8dffb..0000000
--- a/Misc/NEWS.d/next/Library/2021-03-04-17-53-46.bpo-43399.Wn95u-.rst
+++ /dev/null
@@ -1,2 +0,0 @@
-Fix ``ElementTree.extend`` not working on iterators when using the
-Python implementation
diff --git a/Misc/NEWS.d/next/Library/2021-03-10-14-07-44.bpo-27820.Wwdy-r.rst b/Misc/NEWS.d/next/Library/2021-03-10-14-07-44.bpo-27820.Wwdy-r.rst
deleted file mode 100644
index 7f1014d..0000000
--- a/Misc/NEWS.d/next/Library/2021-03-10-14-07-44.bpo-27820.Wwdy-r.rst
+++ /dev/null
@@ -1,8 +0,0 @@
-Fixed long-standing bug of smtplib.SMTP where doing AUTH LOGIN with
-initial_response_ok=False will fail.
-
-The cause is that SMTP.auth_login _always_ returns a password if provided
-with a challenge string, thus non-compliant with the standard for AUTH
-LOGIN.
-
-Also fixes bug with the test for smtpd.
diff --git a/Misc/NEWS.d/next/Library/2021-03-11-15-44-18.bpo-43423.rRomRD.rst b/Misc/NEWS.d/next/Library/2021-03-11-15-44-18.bpo-43423.rRomRD.rst
deleted file mode 100644
index 290d7fb..0000000
--- a/Misc/NEWS.d/next/Library/2021-03-11-15-44-18.bpo-43423.rRomRD.rst
+++ /dev/null
@@ -1,2 +0,0 @@
-:func:`subprocess.communicate` no longer raises an IndexError when there is an
-empty stdout or stderr IO buffer during a timeout on Windows.
diff --git a/Misc/NEWS.d/next/Library/2021-03-21-10-13-17.bpo-43577.m7JnAV.rst b/Misc/NEWS.d/next/Library/2021-03-21-10-13-17.bpo-43577.m7JnAV.rst
deleted file mode 100644
index a7db48b..0000000
--- a/Misc/NEWS.d/next/Library/2021-03-21-10-13-17.bpo-43577.m7JnAV.rst
+++ /dev/null
@@ -1 +0,0 @@
-Fix deadlock when using :class:`ssl.SSLContext` debug callback with :meth:`ssl.SSLContext.sni_callback`.
diff --git a/Misc/NEWS.d/next/Library/2021-03-23-17-18-56.bpo-35930.RZ51pM.rst b/Misc/NEWS.d/next/Library/2021-03-23-17-18-56.bpo-35930.RZ51pM.rst
deleted file mode 100644
index 71c6012..0000000
--- a/Misc/NEWS.d/next/Library/2021-03-23-17-18-56.bpo-35930.RZ51pM.rst
+++ /dev/null
@@ -1,2 +0,0 @@
-Raising an exception raised in a "future" instance will create reference
-cycles.
diff --git a/Misc/NEWS.d/next/Security/2021-03-08-23-06-07.bpo-43439.5U3lXm.rst b/Misc/NEWS.d/next/Security/2021-03-08-23-06-07.bpo-43439.5U3lXm.rst
deleted file mode 100644
index 5186503..0000000
--- a/Misc/NEWS.d/next/Security/2021-03-08-23-06-07.bpo-43439.5U3lXm.rst
+++ /dev/null
@@ -1,2 +0,0 @@
-Add audit hooks for :func:`gc.get_objects`, :func:`gc.get_referrers` and
-:func:`gc.get_referents`. Patch by Pablo Galindo.
diff --git a/Misc/NEWS.d/next/Security/2021-03-13-03-48-14.bpo-43285.g-Hah3.rst b/Misc/NEWS.d/next/Security/2021-03-13-03-48-14.bpo-43285.g-Hah3.rst
deleted file mode 100644
index 8312b7e..0000000
--- a/Misc/NEWS.d/next/Security/2021-03-13-03-48-14.bpo-43285.g-Hah3.rst
+++ /dev/null
@@ -1,8 +0,0 @@
-:mod:`ftplib` no longer trusts the IP address value returned from the server
-in response to the PASV command by default.  This prevents a malicious FTP
-server from using the response to probe IPv4 address and port combinations
-on the client network.
-
-Code that requires the former vulnerable behavior may set a
-``trust_server_pasv_ipv4_address`` attribute on their
-:class:`ftplib.FTP` instances to ``True`` to re-enable it.
diff --git a/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
deleted file mode 100644
index 4b42dd0..0000000
--- a/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
+++ /dev/null
@@ -1,4 +0,0 @@
-CVE-2021-3426: Remove the ``getfile`` feature of the :mod:`pydoc` module which
-could be abused to read arbitrary files on the disk (directory traversal
-vulnerability). Moreover, even source code of Python modules can contain
-sensitive data like passwords. Vulnerability reported by David Schwörer.
diff --git a/Misc/NEWS.d/next/Tests/2021-03-18-10-34-42.bpo-41561.pDg4w-.rst b/Misc/NEWS.d/next/Tests/2021-03-18-10-34-42.bpo-41561.pDg4w-.rst
deleted file mode 100644
index 2143507..0000000
--- a/Misc/NEWS.d/next/Tests/2021-03-18-10-34-42.bpo-41561.pDg4w-.rst
+++ /dev/null
@@ -1 +0,0 @@
-Add workaround for Ubuntu's custom OpenSSL security level policy.
diff --git a/Misc/NEWS.d/next/Tests/2021-03-31-11-38-42.bpo-37945.HTUYhv.rst b/Misc/NEWS.d/next/Tests/2021-03-31-11-38-42.bpo-37945.HTUYhv.rst
deleted file mode 100644
index e1c95f6..0000000
--- a/Misc/NEWS.d/next/Tests/2021-03-31-11-38-42.bpo-37945.HTUYhv.rst
+++ /dev/null
@@ -1,2 +0,0 @@
-Fix test_getsetlocale_issue1813() of test_locale: skip the test if
-``setlocale()`` fails. Patch by Victor Stinner.
diff --git a/Misc/NEWS.d/next/macOS/2021-02-28-22-49-46.bpo-41837.9fqyXC.rst b/Misc/NEWS.d/next/macOS/2021-02-28-22-49-46.bpo-41837.9fqyXC.rst
deleted file mode 100644
index 5d32d87..0000000
--- a/Misc/NEWS.d/next/macOS/2021-02-28-22-49-46.bpo-41837.9fqyXC.rst
+++ /dev/null
@@ -1 +0,0 @@
-Update macOS installer build to use OpenSSL 1.1.1j.