Diffstat (limited to 'Misc/NEWS.d')
27 files changed, 276 insertions, 68 deletions
diff --git a/Misc/NEWS.d/3.8.9.rst b/Misc/NEWS.d/3.8.9.rst new file mode 100644 index 0000000..10d498c --- /dev/null +++ b/Misc/NEWS.d/3.8.9.rst 
@@ -0,0 +1,276 @@ +.. bpo: 42988 +.. date: 2021-03-24-14-16-56 +.. nonce: P2aNco +.. release date: 2021-04-02 +.. section: Security + +CVE-2021-3426: Remove the ``getfile`` feature of the :mod:`pydoc` module +which could be abused to read arbitrary files on the disk (directory +traversal vulnerability). Moreover, even source code of Python modules can +contain sensitive data like passwords. Vulnerability reported by David +Schwörer. + +.. + +.. bpo: 43285 +.. date: 2021-03-13-03-48-14 +.. nonce: g-Hah3 +.. section: Security + +:mod:`ftplib` no longer trusts the IP address value returned from the server +in response to the PASV command by default. This prevents a malicious FTP +server from using the response to probe IPv4 address and port combinations +on the client network. + +Code that requires the former vulnerable behavior may set a +``trust_server_pasv_ipv4_address`` attribute on their :class:`ftplib.FTP` +instances to ``True`` to re-enable it. + +.. + +.. bpo: 43439 +.. date: 2021-03-08-23-06-07 +.. nonce: 5U3lXm +.. section: Security + +Add audit hooks for :func:`gc.get_objects`, :func:`gc.get_referrers` and +:func:`gc.get_referents`. Patch by Pablo Galindo. + +.. + +.. bpo: 43660 +.. date: 2021-03-29-19-50-34 +.. nonce: scTgag +.. section: Core and Builtins + +Fix crash that happens when replacing ``sys.stderr`` with a callable that +can remove the object while an exception is being printed. Patch by Pablo +Galindo. + +.. + +.. bpo: 35883 +.. date: 2021-03-13-13-57-21 +.. nonce: UyGpdG +.. section: Core and Builtins + +Python no longer fails at startup with a fatal error if a command line +argument contains an invalid Unicode character. The +:c:func:`Py_DecodeLocale` function now escapes byte sequences which would be +decoded as Unicode characters outside the [U+0000; U+10ffff] range. + +.. + +.. bpo: 43406 +.. date: 2021-03-04-22-53-10 +.. nonce: Na_VpA +.. 
section: Core and Builtins + +Fix a possible race condition where ``PyErr_CheckSignals`` tries to execute +a non-Python signal handler. + +.. + +.. bpo: 35930 +.. date: 2021-03-23-17-18-56 +.. nonce: RZ51pM +.. section: Library + +Raising an exception raised in a "future" instance will create reference +cycles. + +.. + +.. bpo: 43577 +.. date: 2021-03-21-10-13-17 +.. nonce: m7JnAV +.. section: Library + +Fix deadlock when using :class:`ssl.SSLContext` debug callback with +:meth:`ssl.SSLContext.sni_callback`. + +.. + +.. bpo: 43423 +.. date: 2021-03-11-15-44-18 +.. nonce: rRomRD +.. section: Library + +:func:`subprocess.communicate` no longer raises an IndexError when there is +an empty stdout or stderr IO buffer during a timeout on Windows. + +.. + +.. bpo: 27820 +.. date: 2021-03-10-14-07-44 +.. nonce: Wwdy-r +.. section: Library + +Fixed long-standing bug of smtplib.SMTP where doing AUTH LOGIN with +initial_response_ok=False will fail. + +The cause is that SMTP.auth_login _always_ returns a password if provided +with a challenge string, thus non-compliant with the standard for AUTH +LOGIN. + +Also fixes bug with the test for smtpd. + +.. + +.. bpo: 43399 +.. date: 2021-03-04-17-53-46 +.. nonce: Wn95u- +.. section: Library + +Fix ``ElementTree.extend`` not working on iterators when using the Python +implementation + +.. + +.. bpo: 43316 +.. date: 2021-02-25-09-44-36 +.. nonce: k9Gyqn +.. section: Library + +The ``python -m gzip`` command line application now properly fails when +detecting an unsupported extension. It exits with a non-zero exit code and +prints an error message to stderr. + +.. + +.. bpo: 43260 +.. date: 2021-02-20-12-15-29 +.. nonce: 6znAas +.. section: Library + +Fix TextIOWrapper can not flush internal buffer forever after very large +text is written. + +.. + +.. bpo: 42782 +.. date: 2020-12-29-13-46-57 +.. nonce: 3r0HFY +.. section: Library + +Fail fast in :func:`shutil.move()` to avoid creating destination directories +on failure. + +.. + +.. 
bpo: 37193 +.. date: 2020-06-12-21-23-20 +.. nonce: wJximU +.. section: Library + +Fixed memory leak in ``socketserver.ThreadingMixIn`` introduced in Python +3.7. + +.. + +.. bpo: 43199 +.. date: 2021-03-13-18-43-54 +.. nonce: ZWA6KX +.. section: Documentation + +Answer "Why is there no goto?" in the Design and History FAQ. + +.. + +.. bpo: 43407 +.. date: 2021-03-04-22-53-03 +.. nonce: x570l5 +.. section: Documentation + +Clarified that a result from :func:`time.monotonic`, +:func:`time.perf_counter`, :func:`time.process_time`, or +:func:`time.thread_time` can be compared with the result from any following +call to the same function - not just the next immediate call. + +.. + +.. bpo: 27646 +.. date: 2021-02-20-00-09-13 +.. nonce: HRsmo- +.. section: Documentation + +Clarify that 'yield from <expr>' works with any iterable, not just +iterators. + +.. + +.. bpo: 36346 +.. date: 2020-06-15-10-45-45 +.. nonce: H0sS_i +.. section: Documentation + +Update some deprecated unicode APIs which are documented as "will be removed +in 4.0" to "3.12". See :pep:`623` for detail. + +.. + +.. bpo: 37945 +.. date: 2021-03-31-11-38-42 +.. nonce: HTUYhv +.. section: Tests + +Fix test_getsetlocale_issue1813() of test_locale: skip the test if +``setlocale()`` fails. Patch by Victor Stinner. + +.. + +.. bpo: 41561 +.. date: 2021-03-18-10-34-42 +.. nonce: pDg4w- +.. section: Tests + +Add workaround for Ubuntu's custom OpenSSL security level policy. + +.. + +.. bpo: 43631 +.. date: 2021-03-26-09-16-34 +.. nonce: msJyPi +.. section: Build + +Update macOS, Windows, and CI to OpenSSL 1.1.1k. + +.. + +.. bpo: 43617 +.. date: 2021-03-24-16-55-55 +.. nonce: d69KAv +.. section: Build + +Improve configure.ac: Check for presence of autoconf-archive package and +remove our copies of M4 macros. + +.. + +.. bpo: 41837 +.. date: 2021-02-28-22-49-46 +.. nonce: 9fqyXC +.. section: macOS + +Update macOS installer build to use OpenSSL 1.1.1j. + +.. + +.. bpo: 42225 +.. date: 2021-03-29-16-22-27 +.. 
nonce: iIeiLg +.. section: IDLE + +Document that IDLE can fail on Unix either from misconfigured IP masquerage +rules or failure displaying complex colored (non-ascii) characters. + +.. + +.. bpo: 43283 +.. date: 2021-02-21-16-30-10 +.. nonce: DLBwYn +.. section: IDLE + +Document why printing to IDLE's Shell is often slower than printing to a +system terminal and that it can be made faster by pre-formatting a single +string before printing. diff --git a/Misc/NEWS.d/next/Build/2021-03-24-16-55-55.bpo-43617.d69KAv.rst b/Misc/NEWS.d/next/Build/2021-03-24-16-55-55.bpo-43617.d69KAv.rst deleted file mode 100644 index 2678396..0000000 --- a/Misc/NEWS.d/next/Build/2021-03-24-16-55-55.bpo-43617.d69KAv.rst +++ /dev/null @@ -1,2 +0,0 @@ -Improve configure.ac: Check for presence of autoconf-archive package and -remove our copies of M4 macros. diff --git a/Misc/NEWS.d/next/Build/2021-03-26-09-16-34.bpo-43631.msJyPi.rst b/Misc/NEWS.d/next/Build/2021-03-26-09-16-34.bpo-43631.msJyPi.rst deleted file mode 100644 index 4de4905..0000000 --- a/Misc/NEWS.d/next/Build/2021-03-26-09-16-34.bpo-43631.msJyPi.rst +++ /dev/null @@ -1 +0,0 @@ -Update macOS, Windows, and CI to OpenSSL 1.1.1k. diff --git a/Misc/NEWS.d/next/Core and Builtins/2021-03-04-22-53-10.bpo-43406.Na_VpA.rst b/Misc/NEWS.d/next/Core and Builtins/2021-03-04-22-53-10.bpo-43406.Na_VpA.rst deleted file mode 100644 index c18a55e..0000000 --- a/Misc/NEWS.d/next/Core and Builtins/2021-03-04-22-53-10.bpo-43406.Na_VpA.rst +++ /dev/null @@ -1,2 +0,0 @@ -Fix a possible race condition where ``PyErr_CheckSignals`` tries to execute a -non-Python signal handler. diff --git a/Misc/NEWS.d/next/Core and Builtins/2021-03-13-13-57-21.bpo-35883.UyGpdG.rst b/Misc/NEWS.d/next/Core and Builtins/2021-03-13-13-57-21.bpo-35883.UyGpdG.rst deleted file mode 100644 index 4674242..0000000 --- a/Misc/NEWS.d/next/Core and Builtins/2021-03-13-13-57-21.bpo-35883.UyGpdG.rst +++ /dev/null 
@@ -1,4 +0,0 @@ -Python no longer fails at startup with a fatal error if a command line -argument contains an invalid Unicode character. The -:c:func:`Py_DecodeLocale` function now escapes byte sequences which would be -decoded as Unicode characters outside the [U+0000; U+10ffff] range. diff --git a/Misc/NEWS.d/next/Core and Builtins/2021-03-29-19-50-34.bpo-43660.scTgag.rst b/Misc/NEWS.d/next/Core and Builtins/2021-03-29-19-50-34.bpo-43660.scTgag.rst deleted file mode 100644 index 9841950..0000000 --- a/Misc/NEWS.d/next/Core and Builtins/2021-03-29-19-50-34.bpo-43660.scTgag.rst +++ /dev/null @@ -1,3 +0,0 @@ -Fix crash that happens when replacing ``sys.stderr`` with a callable that -can remove the object while an exception is being printed. Patch by Pablo -Galindo. diff --git a/Misc/NEWS.d/next/Documentation/2020-06-15-10-45-45.bpo-36346.H0sS_i.rst b/Misc/NEWS.d/next/Documentation/2020-06-15-10-45-45.bpo-36346.H0sS_i.rst deleted file mode 100644 index b737e12..0000000 --- a/Misc/NEWS.d/next/Documentation/2020-06-15-10-45-45.bpo-36346.H0sS_i.rst +++ /dev/null @@ -1,2 +0,0 @@ -Update some deprecated unicode APIs which are documented as "will be removed -in 4.0" to "3.12". See :pep:`623` for detail. diff --git a/Misc/NEWS.d/next/Documentation/2021-02-20-00-09-13.bpo-27646.HRsmo-.rst b/Misc/NEWS.d/next/Documentation/2021-02-20-00-09-13.bpo-27646.HRsmo-.rst deleted file mode 100644 index 8ba398a..0000000 --- a/Misc/NEWS.d/next/Documentation/2021-02-20-00-09-13.bpo-27646.HRsmo-.rst +++ /dev/null @@ -1,2 +0,0 @@ -Clarify that 'yield from <expr>' works with any iterable, not just -iterators. diff --git a/Misc/NEWS.d/next/Documentation/2021-03-04-22-53-03.bpo-43407.x570l5.rst b/Misc/NEWS.d/next/Documentation/2021-03-04-22-53-03.bpo-43407.x570l5.rst deleted file mode 100644 index 615e3d0..0000000 --- a/Misc/NEWS.d/next/Documentation/2021-03-04-22-53-03.bpo-43407.x570l5.rst +++ /dev/null 
@@ -1,4 +0,0 @@ -Clarified that a result from :func:`time.monotonic`, -:func:`time.perf_counter`, :func:`time.process_time`, or -:func:`time.thread_time` can be compared with the result from any following -call to the same function - not just the next immediate call. diff --git a/Misc/NEWS.d/next/Documentation/2021-03-13-18-43-54.bpo-43199.ZWA6KX.rst b/Misc/NEWS.d/next/Documentation/2021-03-13-18-43-54.bpo-43199.ZWA6KX.rst deleted file mode 100644 index d1b454f..0000000 --- a/Misc/NEWS.d/next/Documentation/2021-03-13-18-43-54.bpo-43199.ZWA6KX.rst +++ /dev/null @@ -1 +0,0 @@ -Answer "Why is there no goto?" in the Design and History FAQ. diff --git a/Misc/NEWS.d/next/IDLE/2021-02-21-16-30-10.bpo-43283.DLBwYn.rst b/Misc/NEWS.d/next/IDLE/2021-02-21-16-30-10.bpo-43283.DLBwYn.rst deleted file mode 100644 index 7a627af..0000000 --- a/Misc/NEWS.d/next/IDLE/2021-02-21-16-30-10.bpo-43283.DLBwYn.rst +++ /dev/null @@ -1,3 +0,0 @@ -Document why printing to IDLE's Shell is often slower than printing to a -system terminal and that it can be made faster by pre-formatting a single -string before printing. diff --git a/Misc/NEWS.d/next/IDLE/2021-03-29-16-22-27.bpo-42225.iIeiLg.rst b/Misc/NEWS.d/next/IDLE/2021-03-29-16-22-27.bpo-42225.iIeiLg.rst deleted file mode 100644 index 59fb08b..0000000 --- a/Misc/NEWS.d/next/IDLE/2021-03-29-16-22-27.bpo-42225.iIeiLg.rst +++ /dev/null @@ -1,2 +0,0 @@ -Document that IDLE can fail on Unix either from misconfigured IP masquerage -rules or failure displaying complex colored (non-ascii) characters. diff --git a/Misc/NEWS.d/next/Library/2020-06-12-21-23-20.bpo-37193.wJximU.rst b/Misc/NEWS.d/next/Library/2020-06-12-21-23-20.bpo-37193.wJximU.rst deleted file mode 100644 index fbf56d3..0000000 --- a/Misc/NEWS.d/next/Library/2020-06-12-21-23-20.bpo-37193.wJximU.rst +++ /dev/null @@ -1,2 +0,0 @@ -Fixed memory leak in ``socketserver.ThreadingMixIn`` introduced in Python -3.7. 
diff --git a/Misc/NEWS.d/next/Library/2020-12-29-13-46-57.bpo-42782.3r0HFY.rst b/Misc/NEWS.d/next/Library/2020-12-29-13-46-57.bpo-42782.3r0HFY.rst deleted file mode 100644 index 065df9b..0000000 --- a/Misc/NEWS.d/next/Library/2020-12-29-13-46-57.bpo-42782.3r0HFY.rst +++ /dev/null @@ -1,2 +0,0 @@ -Fail fast in :func:`shutil.move()` to avoid creating destination directories on -failure. diff --git a/Misc/NEWS.d/next/Library/2021-02-20-12-15-29.bpo-43260.6znAas.rst b/Misc/NEWS.d/next/Library/2021-02-20-12-15-29.bpo-43260.6znAas.rst deleted file mode 100644 index f3c21d1..0000000 --- a/Misc/NEWS.d/next/Library/2021-02-20-12-15-29.bpo-43260.6znAas.rst +++ /dev/null @@ -1,2 +0,0 @@ -Fix TextIOWrapper can not flush internal buffer forever after very large -text is written. diff --git a/Misc/NEWS.d/next/Library/2021-02-25-09-44-36.bpo-43316.k9Gyqn.rst b/Misc/NEWS.d/next/Library/2021-02-25-09-44-36.bpo-43316.k9Gyqn.rst deleted file mode 100644 index 1f0d3c4..0000000 --- a/Misc/NEWS.d/next/Library/2021-02-25-09-44-36.bpo-43316.k9Gyqn.rst +++ /dev/null @@ -1,3 +0,0 @@ -The ``python -m gzip`` command line application now properly fails when -detecting an unsupported extension. It exits with a non-zero exit code and -prints an error message to stderr. diff --git a/Misc/NEWS.d/next/Library/2021-03-04-17-53-46.bpo-43399.Wn95u-.rst b/Misc/NEWS.d/next/Library/2021-03-04-17-53-46.bpo-43399.Wn95u-.rst deleted file mode 100644 index 0b8dffb..0000000 --- a/Misc/NEWS.d/next/Library/2021-03-04-17-53-46.bpo-43399.Wn95u-.rst +++ /dev/null @@ -1,2 +0,0 @@ -Fix ``ElementTree.extend`` not working on iterators when using the -Python implementation diff --git a/Misc/NEWS.d/next/Library/2021-03-10-14-07-44.bpo-27820.Wwdy-r.rst b/Misc/NEWS.d/next/Library/2021-03-10-14-07-44.bpo-27820.Wwdy-r.rst deleted file mode 100644 index 7f1014d..0000000 --- a/Misc/NEWS.d/next/Library/2021-03-10-14-07-44.bpo-27820.Wwdy-r.rst +++ /dev/null 
@@ -1,8 +0,0 @@ -Fixed long-standing bug of smtplib.SMTP where doing AUTH LOGIN with -initial_response_ok=False will fail. - -The cause is that SMTP.auth_login _always_ returns a password if provided -with a challenge string, thus non-compliant with the standard for AUTH -LOGIN. - -Also fixes bug with the test for smtpd. diff --git a/Misc/NEWS.d/next/Library/2021-03-11-15-44-18.bpo-43423.rRomRD.rst b/Misc/NEWS.d/next/Library/2021-03-11-15-44-18.bpo-43423.rRomRD.rst deleted file mode 100644 index 290d7fb..0000000 --- a/Misc/NEWS.d/next/Library/2021-03-11-15-44-18.bpo-43423.rRomRD.rst +++ /dev/null @@ -1,2 +0,0 @@ -:func:`subprocess.communicate` no longer raises an IndexError when there is an -empty stdout or stderr IO buffer during a timeout on Windows. diff --git a/Misc/NEWS.d/next/Library/2021-03-21-10-13-17.bpo-43577.m7JnAV.rst b/Misc/NEWS.d/next/Library/2021-03-21-10-13-17.bpo-43577.m7JnAV.rst deleted file mode 100644 index a7db48b..0000000 --- a/Misc/NEWS.d/next/Library/2021-03-21-10-13-17.bpo-43577.m7JnAV.rst +++ /dev/null @@ -1 +0,0 @@ -Fix deadlock when using :class:`ssl.SSLContext` debug callback with :meth:`ssl.SSLContext.sni_callback`. diff --git a/Misc/NEWS.d/next/Library/2021-03-23-17-18-56.bpo-35930.RZ51pM.rst b/Misc/NEWS.d/next/Library/2021-03-23-17-18-56.bpo-35930.RZ51pM.rst deleted file mode 100644 index 71c6012..0000000 --- a/Misc/NEWS.d/next/Library/2021-03-23-17-18-56.bpo-35930.RZ51pM.rst +++ /dev/null @@ -1,2 +0,0 @@ -Raising an exception raised in a "future" instance will create reference -cycles. diff --git a/Misc/NEWS.d/next/Security/2021-03-08-23-06-07.bpo-43439.5U3lXm.rst b/Misc/NEWS.d/next/Security/2021-03-08-23-06-07.bpo-43439.5U3lXm.rst deleted file mode 100644 index 5186503..0000000 --- a/Misc/NEWS.d/next/Security/2021-03-08-23-06-07.bpo-43439.5U3lXm.rst +++ /dev/null @@ -1,2 +0,0 @@ -Add audit hooks for :func:`gc.get_objects`, :func:`gc.get_referrers` and -:func:`gc.get_referents`. Patch by Pablo Galindo. 
diff --git a/Misc/NEWS.d/next/Security/2021-03-13-03-48-14.bpo-43285.g-Hah3.rst b/Misc/NEWS.d/next/Security/2021-03-13-03-48-14.bpo-43285.g-Hah3.rst deleted file mode 100644 index 8312b7e..0000000 --- a/Misc/NEWS.d/next/Security/2021-03-13-03-48-14.bpo-43285.g-Hah3.rst +++ /dev/null @@ -1,8 +0,0 @@ -:mod:`ftplib` no longer trusts the IP address value returned from the server -in response to the PASV command by default. This prevents a malicious FTP -server from using the response to probe IPv4 address and port combinations -on the client network. - -Code that requires the former vulnerable behavior may set a -``trust_server_pasv_ipv4_address`` attribute on their -:class:`ftplib.FTP` instances to ``True`` to re-enable it. diff --git a/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst deleted file mode 100644 index 4b42dd0..0000000 --- a/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst +++ /dev/null @@ -1,4 +0,0 @@ -CVE-2021-3426: Remove the ``getfile`` feature of the :mod:`pydoc` module which -could be abused to read arbitrary files on the disk (directory traversal -vulnerability). Moreover, even source code of Python modules can contain -sensitive data like passwords. Vulnerability reported by David Schwörer. diff --git a/Misc/NEWS.d/next/Tests/2021-03-18-10-34-42.bpo-41561.pDg4w-.rst b/Misc/NEWS.d/next/Tests/2021-03-18-10-34-42.bpo-41561.pDg4w-.rst deleted file mode 100644 index 2143507..0000000 --- a/Misc/NEWS.d/next/Tests/2021-03-18-10-34-42.bpo-41561.pDg4w-.rst +++ /dev/null @@ -1 +0,0 @@ -Add workaround for Ubuntu's custom OpenSSL security level policy. diff --git a/Misc/NEWS.d/next/Tests/2021-03-31-11-38-42.bpo-37945.HTUYhv.rst b/Misc/NEWS.d/next/Tests/2021-03-31-11-38-42.bpo-37945.HTUYhv.rst deleted file mode 100644 index e1c95f6..0000000 --- a/Misc/NEWS.d/next/Tests/2021-03-31-11-38-42.bpo-37945.HTUYhv.rst +++ /dev/null 
@@ -1,2 +0,0 @@ -Fix test_getsetlocale_issue1813() of test_locale: skip the test if -``setlocale()`` fails. Patch by Victor Stinner. diff --git a/Misc/NEWS.d/next/macOS/2021-02-28-22-49-46.bpo-41837.9fqyXC.rst b/Misc/NEWS.d/next/macOS/2021-02-28-22-49-46.bpo-41837.9fqyXC.rst deleted file mode 100644 index 5d32d87..0000000 --- a/Misc/NEWS.d/next/macOS/2021-02-28-22-49-46.bpo-41837.9fqyXC.rst +++ /dev/null @@ -1 +0,0 @@ -Update macOS installer build to use OpenSSL 1.1.1j. |
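Review bot: In the new Misc/NEWS.d/3.8.9.rst hunk, the bpo-35930 Library entry ("Raising an exception raised in a "future" instance will create reference cycles.") states the problem rather than the change, so a reader of the release notes cannot tell what 3.8.9 does differently; reword it to describe the behaviour after the fix. In the same hunk, the bpo-43423 entry uses :func:`subprocess.communicate`, but communicate is a method of subprocess.Popen and there is no module-level function of that name for the role to point at; :meth:`subprocess.Popen.communicate` would match. Smaller points in this hunk: the bpo-27820 entry uses Markdown-style _always_ emphasis and leaves smtplib.SMTP and initial_response_ok=False without literal markup, the bpo-43399 entry lacks a final period, and the bpo-42225 entry spells "masquerade" as "masquerage". The same text appears in the deleted Misc/NEWS.d/next fragments, so these wording fixes need to be made in the merged file only.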