path: root/Misc/NEWS.d/3.9.3.rst

.. bpo: 42988
.. date: 2021-03-24-14-16-56
.. nonce: P2aNco
.. release date: 2021-04-02
.. section: Security

CVE-2021-3426: Remove the ``getfile`` feature of the :mod:`pydoc` module
which could be abused to read arbitrary files on the disk (directory
traversal vulnerability). Moreover, even source code of Python modules can
contain sensitive data like passwords. Vulnerability reported by David
Schwörer.

..

.. bpo: 43285
.. date: 2021-03-13-03-48-14
.. nonce: g-Hah3
.. section: Security

:mod:`ftplib` no longer trusts the IP address value returned from the server
in response to the PASV command by default.  This prevents a malicious FTP
server from using the response to probe IPv4 address and port combinations
on the client network.

Code that requires the former vulnerable behavior may set a
``trust_server_pasv_ipv4_address`` attribute on their :class:`ftplib.FTP`
instances to ``True`` to re-enable it.

..

.. bpo: 43439
.. date: 2021-03-08-23-06-07
.. nonce: 5U3lXm
.. section: Security

Add audit hooks for :func:`gc.get_objects`, :func:`gc.get_referrers` and
:func:`gc.get_referents`. Patch by Pablo Galindo.

..

.. bpo: 43660
.. date: 2021-03-29-19-50-34
.. nonce: scTgag
.. section: Core and Builtins

Fix crash that happens when replacing ``sys.stderr`` with a callable that
can remove the object while an exception is being printed. Patch by Pablo
Galindo.

..

.. bpo: 43555
.. date: 2021-03-19-22-49-40
.. nonce: ZmhYSA
.. section: Core and Builtins

Report the column offset for :exc:`SyntaxError` for invalid line
continuation characters. Patch by Pablo Galindo.

..

.. bpo: 43517
.. date: 2021-03-16-17-12-54
.. nonce: zAo6Ws
.. section: Core and Builtins

Fix misdetection of circular imports when using ``from pkg.mod import
attr``, which caused false positives in non-trivial multi-threaded code.

..

.. bpo: 35883
.. date: 2021-03-13-13-57-21
.. nonce: UyGpdG
.. section: Core and Builtins

Python no longer fails at startup with a fatal error if a command line
argument contains an invalid Unicode character. The
:c:func:`Py_DecodeLocale` function now escapes byte sequences which would be
decoded as Unicode characters outside the [U+0000; U+10ffff] range.

..

.. bpo: 43406
.. date: 2021-03-04-22-53-10
.. nonce: Na_VpA
.. section: Core and Builtins

Fix a possible race condition where ``PyErr_CheckSignals`` tries to execute
a non-Python signal handler.

..

.. bpo: 42500
.. date: 2020-11-30-14-27-29
.. nonce: excVKU
.. section: Core and Builtins

Improve handling of exceptions near recursion limit. Converts a number of
Fatal Errors in RecursionErrors.

..

.. bpo: 43433
.. date: 2021-03-28-23-50-20
.. nonce: so9j5G
.. section: Library

:class:`xmlrpc.client.ServerProxy` no longer ignores query and fragment in
the URL of the server.

..

.. bpo: 35930
.. date: 2021-03-23-17-18-56
.. nonce: RZ51pM
.. section: Library

Raising an exception raised in a "future" instance will create reference
cycles.

..

.. bpo: 43577
.. date: 2021-03-21-10-13-17
.. nonce: m7JnAV
.. section: Library

Fix deadlock when using :class:`ssl.SSLContext` debug callback with
:meth:`ssl.SSLContext.sni_callback`.

..

.. bpo: 43521
.. date: 2021-03-16-16-05-02
.. nonce: mRT6fh
.. section: Library

``ast.unparse`` can now render NaNs and empty sets.

..

.. bpo: 43423
.. date: 2021-03-11-15-44-18
.. nonce: rRomRD
.. section: Library

:func:`subprocess.communicate` no longer raises an IndexError when there is
an empty stdout or stderr IO buffer during a timeout on Windows.

..

.. bpo: 27820
.. date: 2021-03-10-14-07-44
.. nonce: Wwdy-r
.. section: Library

Fixed long-standing bug of smtplib.SMTP where doing AUTH LOGIN with
initial_response_ok=False will fail.

The cause is that SMTP.auth_login _always_ returns a password if provided
with a challenge string, thus non-compliant with the standard for AUTH
LOGIN.

Also fixes bug with the test for smtpd.

..

.. bpo: 43332
.. date: 2021-03-07-11-23-20
.. nonce: weatsh
.. section: Library

Improves the networking efficiency of :mod:`http.client` when using a proxy
via :meth:`~HTTPConnection.set_tunnel`.  Fewer small send calls are made
during connection setup.

..

.. bpo: 43399
.. date: 2021-03-04-17-53-46
.. nonce: Wn95u-
.. section: Library

Fix ``ElementTree.extend`` not working on iterators when using the Python
implementation

..

.. bpo: 43316
.. date: 2021-02-25-09-44-36
.. nonce: k9Gyqn
.. section: Library

The ``python -m gzip`` command line application now properly fails when
detecting an unsupported extension. It exits with a non-zero exit code and
prints an error message to stderr.

..

.. bpo: 43260
.. date: 2021-02-20-12-15-29
.. nonce: 6znAas
.. section: Library

Fix TextIOWrapper can not flush internal buffer forever after very large
text is written.

..

.. bpo: 42782
.. date: 2020-12-29-13-46-57
.. nonce: 3r0HFY
.. section: Library

Fail fast in :func:`shutil.move()` to avoid creating destination directories
on failure.

..

.. bpo: 37193
.. date: 2020-06-12-21-23-20
.. nonce: wJximU
.. section: Library

Fixed memory leak in ``socketserver.ThreadingMixIn`` introduced in Python
3.7.

..

.. bpo: 43199
.. date: 2021-03-13-18-43-54
.. nonce: ZWA6KX
.. section: Documentation

Answer "Why is there no goto?" in the Design and History FAQ.

..

.. bpo: 43407
.. date: 2021-03-04-22-53-03
.. nonce: x570l5
.. section: Documentation

Clarified that a result from :func:`time.monotonic`,
:func:`time.perf_counter`, :func:`time.process_time`, or
:func:`time.thread_time` can be compared with the result from any following
call to the same function - not just the next immediate call.

..

.. bpo: 27646
.. date: 2021-02-20-00-09-13
.. nonce: HRsmo-
.. section: Documentation

Clarify that 'yield from <expr>' works with any iterable, not just
iterators.

..

.. bpo: 36346
.. date: 2020-06-15-10-45-45
.. nonce: H0sS_i
.. section: Documentation

Update some deprecated unicode APIs which are documented as "will be removed
in 4.0" to "3.12". See :pep:`623` for detail.

..

.. bpo: 37945
.. date: 2021-03-31-11-38-42
.. nonce: HTUYhv
.. section: Tests

Fix test_getsetlocale_issue1813() of test_locale: skip the test if
``setlocale()`` fails. Patch by Victor Stinner.

..

.. bpo: 41561
.. date: 2021-03-18-10-34-42
.. nonce: pDg4w-
.. section: Tests

Add workaround for Ubuntu's custom OpenSSL security level policy.

..

.. bpo: 43288
.. date: 2021-02-21-11-11-53
.. nonce: LfTvL-
.. section: Tests

Fix test_importlib to correctly skip Unicode file tests if the fileystem
does not support them.

..

.. bpo: 43631
.. date: 2021-03-26-09-16-34
.. nonce: msJyPi
.. section: Build

Update macOS, Windows, and CI to OpenSSL 1.1.1k.

..

.. bpo: 43617
.. date: 2021-03-24-16-55-55
.. nonce: d69KAv
.. section: Build

Improve configure.ac: Check for presence of autoconf-archive package and
remove our copies of M4 macros.

..

.. bpo: 41837
.. date: 2021-02-28-22-49-46
.. nonce: 9fqyXC
.. section: macOS

Update macOS installer build to use OpenSSL 1.1.1j.

..

.. bpo: 42225
.. date: 2021-03-29-16-22-27
.. nonce: iIeiLg
.. section: IDLE

Document that IDLE can fail on Unix either from misconfigured IP masquerage
rules or failure displaying complex colored (non-ascii) characters.

..

.. bpo: 43283
.. date: 2021-02-21-16-30-10
.. nonce: DLBwYn
.. section: IDLE

Document why printing to IDLE's Shell is often slower than printing to a
system terminal and that it can be made faster by pre-formatting a single
string before printing.