.. bpo: 43434 .. date: 2021-05-02-17-50-23 .. nonce: cy7xz6 .. release date: 2021-05-03 .. section: Security Creating a :class:`sqlite3.Connection` object now also produces a ``sqlite3.connect`` :ref:`auditing event `. Previously this event was only produced by :func:`sqlite3.connect` calls. Patch by Erlend E. Aasland. .. .. bpo: 43882 .. date: 2021-04-25-07-46-37 .. nonce: Jpwx85 .. section: Security The presence of newline or tab characters in parts of a URL could allow some forms of attacks. Following the controlling specification for URLs defined by WHATWG :func:`urllib.parse` now removes ASCII newlines and tabs from URLs, preventing such attacks. .. .. bpo: 43472 .. date: 2021-04-21-22-53-31 .. nonce: gjLBTb .. section: Security Ensures interpreter-level audit hooks receive the ``cpython.PyInterpreterState_New`` event when called through the ``_xxsubinterpreters`` module. .. .. bpo: 36384 .. date: 2021-03-30-16-29-51 .. nonce: sCAmLs .. section: Security :mod:`ipaddress` module no longer accepts any leading zeros in IPv4 address strings. Leading zeros are ambiguous and interpreted as octal notation by some libraries. For example the legacy function :func:`socket.inet_aton` treats leading zeros as octal notatation. glibc implementation of modern :func:`~socket.inet_pton` does not accept any leading zeros. For a while the :mod:`ipaddress` module used to accept ambiguous leading zeros. .. .. bpo: 43075 .. date: 2021-01-31-05-28-14 .. nonce: DoAXqO .. section: Security Fix Regular Expression Denial of Service (ReDoS) vulnerability in :class:`urllib.request.AbstractBasicAuthHandler`. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server. .. .. bpo: 42800 .. date: 2021-01-09-17-07-36 .. nonce: _dtZvW .. section: Security Audit hooks are now fired for frame.f_code, traceback.tb_frame, and generator code/frame attribute access. .. .. bpo: 43105 .. date: 2021-03-31-20-35-11 .. nonce: PBVmHm .. section: Core and Builtins Importlib now resolves relative paths when creating module spec objects from file locations. .. .. bpo: 42924 .. date: 2021-01-13-14-06-01 .. nonce: _WS1Ok .. section: Core and Builtins Fix ``bytearray`` repetition incorrectly copying data from the start of the buffer, even if the data is offset within the buffer (e.g. after reassigning a slice at the start of the ``bytearray`` to a shorter byte string). .. .. bpo: 43993 .. date: 2021-04-30-19-23-45 .. nonce: T7_yoq .. section: Library Update bundled pip to 21.1.1. .. .. bpo: 43937 .. date: 2021-04-25-13-34-13 .. nonce: isx95l .. section: Library Fixed the :mod:`turtle` module working with non-default root window. .. .. bpo: 43930 .. date: 2021-04-24-14-23-07 .. nonce: R7ah0m .. section: Library Update bundled pip to 21.1 and setuptools to 56.0.0 .. .. bpo: 43920 .. date: 2021-04-23-11-54-38 .. nonce: cJMQ2D .. section: Library OpenSSL 3.0.0: :meth:`~ssl.SSLContext.load_verify_locations` now returns a consistent error message when cadata contains no valid certificate. .. .. bpo: 43607 .. date: 2021-04-22-22-39-58 .. nonce: 7IYDkG .. section: Library :mod:`urllib` can now convert Windows paths with ``\\?\`` prefixes into URL paths. .. .. bpo: 43284 .. date: 2021-04-21-14-50-57 .. nonce: 2QZn2T .. section: Library platform.win32_ver derives the windows version from sys.getwindowsversion().platform_version which in turn derives the version from kernel32.dll (which can be of a different version than Windows itself). Therefore change the platform.win32_ver to determine the version using the platform module's _syscmd_ver private function to return an accurate version. .. .. bpo: 42248 .. date: 2021-04-11-21-10-57 .. nonce: pedB1E .. section: Library [Enum] ensure exceptions raised in ``_missing_`` are released. .. .. bpo: 43799 .. date: 2021-04-10-11-35-50 .. nonce: 1iV4pX .. section: Library OpenSSL 3.0.0: define ``OPENSSL_API_COMPAT`` 1.1.1 to suppress deprecation warnings. Python requires OpenSSL 1.1.1 APIs. .. .. bpo: 43794 .. date: 2021-04-09-16-14-22 .. nonce: -1XPDH .. section: Library Add :data:`ssl.OP_IGNORE_UNEXPECTED_EOF` constants (OpenSSL 3.0.0) .. .. bpo: 43789 .. date: 2021-04-09-14-08-03 .. nonce: eaHlAm .. section: Library OpenSSL 3.0.0: Don't call the password callback function a second time when first call has signaled an error condition. .. .. bpo: 43788 .. date: 2021-04-09-12-08-01 .. nonce: YsvInM .. section: Library The header files for :mod:`ssl` error codes are now OpenSSL version-specific. Exceptions will now show correct reason and library codes. The ``make_ssl_data.py`` script has been rewritten to use OpenSSL's text file with error codes. .. .. bpo: 43655 .. date: 2021-04-04-20-51-19 .. nonce: LwGy8R .. section: Library :mod:`tkinter` dialog windows are now recognized as dialogs by window managers on macOS and X Window. .. .. bpo: 43534 .. date: 2021-03-18-15-46-08 .. nonce: vPE9Us .. section: Library :func:`turtle.textinput` and :func:`turtle.numinput` create now a transient window working on behalf of the canvas window. .. .. bpo: 43522 .. date: 2021-03-16-22-37-32 .. nonce: dhNwOu .. section: Library Fix problem with :attr:`~ssl.SSLContext.hostname_checks_common_name`. OpenSSL does not copy hostflags from *struct SSL_CTX* to *struct SSL*. .. .. bpo: 42967 .. date: 2021-03-11-00-31-41 .. nonce: 2PeQRw .. section: Library Allow :class:`bytes` ``separator`` argument in ``urllib.parse.parse_qs`` and ``urllib.parse.parse_qsl`` when parsing :class:`str` query strings. Previously, this raised a ``TypeError``. .. .. bpo: 43176 .. date: 2021-02-09-07-24-29 .. nonce: bocNQn .. section: Library Fixed processing of a dataclass that inherits from a frozen dataclass with no fields. It is now correctly detected as an error. .. .. bpo: 41735 .. date: 2020-09-07-21-40-07 .. nonce: NKqGKy .. section: Library Fix thread locks in zlib module may go wrong in rare case. Patch by Ma Lin. .. .. bpo: 36470 .. date: 2020-06-13-23-33-32 .. nonce: oi6Kdb .. section: Library Fix dataclasses with ``InitVar``\s and :func:`~dataclasses.replace()`. Patch by Claudiu Popa. .. .. bpo: 32745 .. date: 2018-08-09-23-47-10 .. nonce: iQi9hI .. section: Library Fix a regression in the handling of ctypes' :data:`ctypes.c_wchar_p` type: embedded null characters would cause a :exc:`ValueError` to be raised. Patch by Zackery Spytz. .. .. bpo: 43959 .. date: 2021-04-27-22-22-22 .. nonce: n2261q .. section: Documentation The documentation on the PyContextVar C-API was clarified. .. .. bpo: 43938 .. date: 2021-04-25-22-44-27 .. nonce: nC660q .. section: Documentation Update dataclasses documentation to express that FrozenInstanceError is derived from AttributeError. .. .. bpo: 43755 .. date: 2021-04-06-14-55-45 .. nonce: 1m0fGq .. section: Documentation Update documentation to reflect that unparenthesized lambda expressions can no longer be the expression part in an ``if`` clause in comprehensions and generator expressions since Python 3.9. .. .. bpo: 43739 .. date: 2021-04-06-07-05-49 .. nonce: L4HjiX .. section: Documentation Fixing the example code in Doc/extending/extending.rst to declare and initialize the pmodule variable to be of the right type. .. .. bpo: 43961 .. date: 2021-04-28-13-21-52 .. nonce: gNchls .. section: Tests Fix test_logging.test_namer_rotator_inheritance() on Windows: use :func:`os.replace` rather than :func:`os.rename`. Patch by Victor Stinner. .. .. bpo: 43842 .. date: 2021-04-16-14-07-40 .. nonce: w60GAH .. section: Tests Fix a race condition in the SMTP test of test_logging. Don't close a file descriptor (socket) from a different thread while asyncore.loop() is polling the file descriptor. Patch by Victor Stinner. .. .. bpo: 43811 .. date: 2021-04-12-11-14-28 .. nonce: vGNbnD .. section: Tests Tests multiple OpenSSL versions on GitHub Actions. Use ccache to speed up testing. .. .. bpo: 43791 .. date: 2021-04-09-15-10-38 .. nonce: 4KxiXK .. section: Tests OpenSSL 3.0.0: Disable testing of legacy protocols TLS 1.0 and 1.1. Tests are failing with TLSV1_ALERT_INTERNAL_ERROR. .. .. bpo: 35306 .. date: 2021-04-22-20-39-49 .. nonce: F0Cg6X .. section: Windows Avoid raising errors from :meth:`pathlib.Path.exists()` when passed an invalid filename. .. .. bpo: 38822 .. date: 2021-04-22-19-49-20 .. nonce: jgdPmq .. section: Windows Fixed :func:`os.stat` failing on inaccessible directories with a trailing slash, rather than falling back to the parent directory's metadata. This implicitly affected :func:`os.path.exists` and :func:`os.path.isdir`. .. .. bpo: 26227 .. date: 2021-04-21-23-37-34 .. nonce: QMY_eA .. section: Windows Fixed decoding of host names in :func:`socket.gethostbyaddr` and :func:`socket.gethostbyname_ex`. .. .. bpo: 40432 .. date: 2021-04-20-23-07-22 .. nonce: 9OFpoq .. section: Windows Updated pegen regeneration script on Windows to find and use Python 3.8 or higher. Prior to this, pegen regeneration already required 3.8 or higher, but the script may have used lower versions of Python. .. .. bpo: 43745 .. date: 2021-04-06-12-27-33 .. nonce: rdKNda .. section: Windows Actually updates Windows release to OpenSSL 1.1.1k. Earlier releases were mislabelled and actually included 1.1.1i again. .. .. bpo: 43492 .. date: 2021-03-15-11-34-33 .. nonce: AsYnVX .. section: Windows Upgrade Windows installer to use SQLite 3.35.5. .. .. bpo: 42119 .. date: 2021-05-02-21-03-27 .. nonce: Y7BSX_ .. section: macOS Fix check for macOS SDK paths when building Python. Narrow search to match contents of SDKs, namely only files in ``/System/Library``, ``/System/IOSSupport``, and ``/usr`` other than ``/usr/local``. Previously, anything under ``/System`` was assumed to be in an SDK which causes problems with the new file system layout in 10.15+ where user file systems may appear to be mounted under ``/System``. Paths in ``/Library`` were also incorrectly treated as SDK locations. .. .. bpo: 44009 .. date: 2021-05-02-03-45-30 .. nonce: uvhmlh .. section: macOS Provide "python3.x-intel64" executable to allow reliably forcing macOS universal2 framework builds to run under Rosetta 2 Intel-64 emulation on Apple Silicon Macs. This can be useful for testing or when universal2 wheels are not yet available. .. .. bpo: 43492 .. date: 2021-03-15-11-32-23 .. nonce: 1ZRcV9 .. section: macOS Update macOS installer to use SQLite 3.35.4. .. .. bpo: 43655 .. date: 2021-04-04-20-52-07 .. nonce: HSyaKH .. section: IDLE IDLE dialog windows are now recognized as dialogs by window managers on macOS and X Window.