--- /dev/null
+.. date: 2026-05-02-16-22-20
+.. gh-issue: 149254
+.. nonce: 9ozXB9
+.. release date: 2026-05-04
+.. section: Security
+
+Update Android and iOS installer to use OpenSSL 3.0.20.
+
+..
+
+.. date: 2026-04-26-17-49-58
+.. gh-issue: 149017
+.. nonce: EiVFPo
+.. section: Security
+
+Update bundled `libexpat <https://libexpat.github.io/>`_ to version 2.8.0.
+
+..
+
+.. date: 2026-04-21-13-46-30
+.. gh-issue: 90309
+.. nonce: srvj9q
+.. section: Security
+
+Base64-encode values when embedding cookies to JavaScript using the
+:meth:`http.cookies.BaseCookie.js_output` method to avoid injection and
+escaping.
+
+..
+
+.. date: 2026-04-20-15-31-37
+.. gh-issue: 148808
+.. nonce: _Z8JL0
+.. section: Security
+
+Added buffer boundary check when using ``nbytes`` parameter with
+:meth:`!asyncio.AbstractEventLoop.sock_recvfrom_into`. Only relevant for
+Windows and the :class:`asyncio.ProactorEventLoop`.
+
+..
+
+.. date: 2026-04-10-16-28-21
+.. gh-issue: 148395
+.. nonce: kfzm0G
+.. section: Security
+
+Fix a dangling input pointer in :class:`lzma.LZMADecompressor`,
+:class:`bz2.BZ2Decompressor`, and internal :class:`!zlib._ZlibDecompressor`
+when memory allocation fails with :exc:`MemoryError`, which could let a
+subsequent :meth:`!decompress` call read or write through a stale pointer to
+the already-released caller buffer.
+
+..
+
+.. date: 2026-03-31-09-15-51
+.. gh-issue: 148169
+.. nonce: EZJzz2
+.. section: Security
+
+A bypass in :mod:`webbrowser` allowed URLs prefixed with ``%action`` to pass
+the dash-prefix safety check.
+
+..
+
+.. date: 2026-03-29-12-51-33
+.. gh-issue: 146581
+.. nonce: 4vZfB0
+.. section: Security
+
+Fix vulnerability in :func:`shutil.unpack_archive` for ZIP files on Windows
+which allowed to write files outside of the destination tree if the patch in
+the archive contains a Windows drive prefix. Now such invalid paths will be
+skipped. Files containing ".." in the name (like "foo..bar") are no longer
+skipped.
+
+..
+
+.. date: 2026-03-25-00-51-03
+.. gh-issue: 146333
+.. nonce: LqdL__bn
+.. section: Security
+
+Fix quadratic backtracking in :class:`configparser.RawConfigParser` option
+parsing regexes (``OPTCRE`` and ``OPTCRE_NV``). A crafted configuration line
+with many whitespace characters could cause excessive CPU usage.
+
+..
+
+.. date: 2026-03-20-09-29-42
+.. gh-issue: 146211
+.. nonce: PQVbs7
+.. section: Security
+
+Reject CR/LF characters in tunnel request headers for the
+HTTPConnection.set_tunnel() method.
+
+..
+
+.. date: 2026-04-29-14-06-00
+.. gh-issue: 149122
+.. nonce: P8k2Lm
+.. section: Core and Builtins
+
+Fix a crash in optimized calls to :func:`all`, :func:`any`, :func:`tuple`,
+:func:`list`, and :func:`set` with an async generator expression argument
+(for example, ``tuple(await x for x in y)``). These calls now correctly
+raise ``TypeError`` instead of crashing.
+
+..
+
+.. date: 2026-04-22-14-55-18
+.. gh-issue: 113956
+.. nonce: 0VEXd6
+.. section: Core and Builtins
+
+Fix a data race in :func:`sys.intern` in the free-threaded build when
+interning a string owned by another thread. An interned copy owned by the
+current thread is used instead when it is not safe to immortalize the
+original.
+
+..
+
+.. date: 2026-04-21-14-36-44
+.. gh-issue: 148820
+.. nonce: XhOGhA
+.. section: Core and Builtins
+
+Fix a race in :c:type:`!_PyRawMutex` on the free-threaded build where a
+``Py_PARK_INTR`` return from ``_PySemaphore_Wait`` could let the waiter
+destroy its semaphore before the unlocking thread's ``_PySemaphore_Wakeup``
+completed, causing a fatal ``ReleaseSemaphore`` error.
+
+..
+
+.. date: 2026-04-17-20-37-02
+.. gh-issue: 148653
+.. nonce: nbbHMh
+.. section: Core and Builtins
+
+Forbid :mod:`marshalling <marshal>` recursive code objects and
+:class:`slice` objects which cannot be correctly unmarshalled.
+
+..
+
+.. date: 2026-04-17-11-30-00
+.. gh-issue: 142516
+.. nonce: GcGen315
+.. section: Core and Builtins
+
+Forward-port the generational cycle garbage collector to the default 3.14
+build, replacing the incremental collector while leaving the free-threaded
+collector unchanged.
+
+..
+
+.. date: 2026-04-12-17-27-28
+.. gh-issue: 148390
+.. nonce: MAhw7F
+.. section: Core and Builtins
+
+Fix an undefined behavior in :class:`memoryview` when using the native
+boolean format (``?``) in :meth:`~memoryview.cast`. Previously, on some
+common platforms, calling ``memoryview(b).cast("?").tolist()`` incorrectly
+returned ``[False]`` instead of ``[True]`` for any even byte *b*. Patch by
+Bénédikt Tran.
+
+..
+
+.. date: 2026-04-12-10-40-57
+.. gh-issue: 148418
+.. nonce: ggA1LZ
+.. section: Core and Builtins
+
+Fix a possible reference leak in a corrupted ``TYPE_CODE`` marshal stream.
+
+..
+
+.. date: 2026-04-11-17-28-52
+.. gh-issue: 148393
+.. nonce: lX6gwN
+.. section: Core and Builtins
+
+Fix data races between :c:func:`PyDict_Watch` / :c:func:`PyDict_Unwatch` and
+concurrent dict mutation in the :term:`free-threaded build`.
+
+..
+
+.. date: 2026-04-10-14-20-54
+.. gh-issue: 148284
+.. nonce: HKs-S_
+.. section: Core and Builtins
+
+Fix high stack consumption in Python's interpreter loop on Clang 22 by
+setting function limits for inlining when building with computed gotos.
+
+..
+
+.. date: 2026-04-09-14-18-33
+.. gh-issue: 148037
+.. nonce: aP3CSX
+.. section: Core and Builtins
+
+Remove critical section from :c:func:`!PyCode_Addr2Line` in free-threading.
+
+..
+
+.. date: 2026-04-07-20-37-23
+.. gh-issue: 148222
+.. nonce: uF4D4E
+.. section: Core and Builtins
+
+Fix vectorcall support in :class:`types.GenericAlias` when the underlying
+type does not support the vectorcall protocol. Fix possible leaks in
+:class:`types.GenericAlias` and :class:`types.UnionType` in case of memory
+error.
+
+..
+
+.. date: 2026-04-07-20-21-44
+.. gh-issue: 148208
+.. nonce: JAxpDU
+.. section: Core and Builtins
+
+Fix recursion depth leak in :c:func:`PyObject_Print`
+
+..
+
+.. date: 2026-04-07-07-21-30
+.. gh-issue: 137814
+.. nonce: 6yRTeu
+.. section: Core and Builtins
+
+Fix the ``__qualname__`` attribute of ``__annotate__`` functions on
+functions.
+
+..
+
+.. date: 2026-04-02-13-25-09
+.. gh-issue: 147998
+.. nonce: wnzkRT
+.. section: Core and Builtins
+
+Fixed a memory leak in interpreter helper calls so cleanup works when an
+operation falls across interpreter boundaries. Patch by Maurycy
+Pawłowski-Wieroński.
+
+..
+
+.. date: 2026-03-26-08-49-35
+.. gh-issue: 146455
+.. nonce: f54083a9
+.. section: Core and Builtins
+
+Fix O(N²) compile-time regression in constant folding after it was moved
+from AST to CFG optimizer.
+
+..
+
+.. date: 2026-05-02-12-03-48
+.. gh-issue: 149221
+.. nonce: __KOks
+.. section: Library
+
+Catch rare math domain error for :func:`random.binomialvariate`.
+
+..
+
+.. date: 2026-04-29-16-11-27
+.. gh-issue: 149117
+.. nonce: yEeTYd
+.. section: Library
+
+Fix :func:`runpy.run_module` and :func:`runpy.run_path` to set the
+:attr:`~ImportError.name` attribute on the :exc:`ImportError` they raise.
+
+..
+
+.. date: 2026-04-29-14-33-42
+.. gh-issue: 149148
+.. nonce: EaiYvk
+.. section: Library
+
+:mod:`ensurepip`: Upgrade bundled pip to 26.1. This version fixes the
+:cve:`2026-3219` vulnerability. Patch by Victor Stinner.
+
+..
+
+.. date: 2026-04-27-22-34-09
+.. gh-issue: 148093
+.. nonce: 9pWceM
+.. section: Library
+
+Fix an out-of-bounds read of one byte in :func:`binascii.a2b_uu`. Raise
+:exc:`binascii.Error`, instead of reading past the buffer end.
+
+..
+
+.. date: 2026-04-27-17-12-11
+.. gh-issue: 148914
+.. nonce: i5C3kW
+.. section: Library
+
+Fix memoization of in-band :class:`~pickle.PickleBuffer` in the Python
+implementation of :mod:`pickle`. Previously, identical
+:class:`!PickleBuffer`\ s did not preserve identity, and empty writable
+:class:`!PickleBuffer` memoized an empty bytearray object in place of
+``b''``, so the following references to ``b''`` were unpickled as an empty
+bytearray object.
+
+..
+
+.. date: 2026-04-23-21-47-49
+.. gh-issue: 148947
+.. nonce: W4V2lG
+.. section: Library
+
+Fix crash in :deco:`dataclasses.dataclass` with ``slots=True`` that occurred
+when a function found within the class had an empty ``__class__`` cell.
+
+..
+
+.. date: 2026-04-23-07-38-04
+.. gh-issue: 148680
+.. nonce: ___ePl
+.. section: Library
+
+``ForwardRef`` objects that contain internal names to represent known
+objects now show the ``type_repr`` of the known object rather than the
+internal ``__annotationlib_name_x__`` name when evaluated as strings.
+
+..
+
+.. date: 2026-04-20-18-29-21
+.. gh-issue: 148801
+.. nonce: ROeNqs
+.. section: Library
+
+:mod:`xml.etree.ElementTree`: Fix a crash in :meth:`Element.__deepcopy__
+<object.__deepcopy__>` on deeply nested trees.
+
+..
+
+.. date: 2026-04-18-21-39-15
+.. gh-issue: 148735
+.. nonce: siw6DG
+.. section: Library
+
+:mod:`xml.etree.ElementTree`: Fix a use-after-free in
+:meth:`Element.findtext <xml.etree.ElementTree.Element.findtext>` when the
+element tree is mutated concurrently during the search.
+
+..
+
+.. date: 2026-04-18-17-37-13
+.. gh-issue: 148740
+.. nonce: sYnFi0
+.. section: Library
+
+Fix usage for :mod:`uuid` command-line interface to support a custom
+namespace be provided for uuid3 and uuid5.
+
+..
+
+.. date: 2026-04-16-13-30-00
+.. gh-issue: 148651
+.. nonce: ZsTdLk
+.. section: Library
+
+Fix reference leak in :class:`compression.zstd.ZstdDecompressor` when an
+invalid option key is passed.
+
+..
+
+.. date: 2026-04-15-11-00-39
+.. gh-issue: 146553
+.. nonce: VGOsoP
+.. section: Library
+
+Fix infinite loop in :func:`typing.get_type_hints` when ``__wrapped__``
+forms a cycle. Patch by Shamil Abdulaev.
+
+..
+
+.. date: 2026-04-14-09-04-35
+.. gh-issue: 148508
+.. nonce: -GiXml
+.. section: Library
+
+An intermittent timing error when running SSL tests on iOS has been
+resolved.
+
+..
+
+.. date: 2026-04-13-15-59-44
+.. gh-issue: 148518
+.. nonce: RQdvsu
+.. section: Library
+
+If an email containing an address header that ended in an open double quote
+was parsed with a non-``compat32`` policy, accessing the ``username``
+attribute of the mailbox accessed through that header object would result in
+an ``IndexError``. It now correctly returns an empty string as the result.
+
+..
+
+.. date: 2026-04-13-06-22-27
+.. gh-issue: 148464
+.. nonce: Bj_NZy
+.. section: Library
+
+Add missing ``__ctype_le/be__`` attributes for
+:class:`~ctypes.c_float_complex` and :class:`~ctypes.c_double_complex`.
+Patch by Sergey B Kirpichev.
+
+..
+
+.. date: 2026-04-12-16-40-11
+.. gh-issue: 148370
+.. nonce: 0Li2EK
+.. section: Library
+
+:mod:`configparser`: prevent quadratic behavior when a
+:exc:`~configparser.ParsingError` is raised after a parser fails to parse
+multiple lines. Patch by Bénédikt Tran.
+
+..
+
+.. date: 2026-04-09-12-42-42
+.. gh-issue: 148254
+.. nonce: Xt7vKs
+.. section: Library
+
+Use singular "sec" instead of "secs" in :mod:`timeit` verbose output for
+consistency with other time units.
+
+..
+
+.. date: 2026-04-07-14-13-40
+.. gh-issue: 148192
+.. nonce: 34AUYQ
+.. section: Library
+
+``email.generator.Generator._make_boundary`` could fail to detect a
+duplicate boundary string if linesep was not \n. It now correctly detects
+boundary strings when linesep is \r\n as well.
+
+..
+
+.. date: 2026-03-22-23-42-22
+.. gh-issue: 146313
+.. nonce: RtDeAd
+.. section: Library
+
+Fix a deadlock in :mod:`multiprocessing`'s resource tracker where the parent
+process could hang indefinitely in :func:`os.waitpid` during interpreter
+shutdown if a child created via :func:`os.fork` still held the resource
+tracker's pipe open.
+
+..
+
+.. date: 2026-03-11-15-09-52
+.. gh-issue: 145831
+.. nonce: _sW94w
+.. section: Library
+
+Fix :func:`!email.quoprimime.decode` leaving a stray ``\r`` when
+``eol='\r\n'`` by stripping the full *eol* string instead of one character.
+
+..
+
+.. date: 2026-02-22-00-00-00
+.. gh-issue: 145105
+.. nonce: csv-reader-reentrant
+.. section: Library
+
+Fix crash in :mod:`csv` reader when iterating with a re-entrant iterator
+that calls :func:`next` on the same reader from within ``__next__``.
+
+..
+
+.. date: 2026-01-19-21-23-18
+.. gh-issue: 105936
+.. nonce: dGrzjM
+.. section: Library
+
+Attempting to mutate non-field attributes of :mod:`dataclasses` with both
+*frozen* and *slots* being ``True`` now raises
+:class:`~dataclasses.FrozenInstanceError` instead of :class:`TypeError`.
+Their non-dataclass subclasses can now freely mutate non-field attributes,
+and the original non-slotted class can be garbage collected.
+
+..
+
+.. date: 2025-10-18-12-13-39
+.. gh-issue: 140287
+.. nonce: 49iU-4
+.. section: Library
+
+The :mod:`asyncio` REPL now handles exceptions when executing
+:envvar:`PYTHONSTARTUP` scripts. Patch by Bartosz Sławecki.
+
+..
+
+.. date: 2025-04-17-15-26-35
+.. gh-issue: 132631
+.. nonce: IDFZfb
+.. section: Library
+
+Fix "I/O operation on closed file" when parsing JSON Lines file with
+:mod:`JSON CLI <json.tool>`.
+
+..
+
+.. date: 2024-02-10-21-25-22
+.. gh-issue: 70039
+.. nonce: 6wvcAP
+.. section: Library
+
+Fixed bug where :meth:`smtplib.SMTP.starttls` could fail if
+:meth:`smtplib.SMTP.connect` is called explicitly rather than implicitly.
+
+..
+
+.. date: 2023-09-08-13-10-32
+.. gh-issue: 83281
+.. nonce: 2Plpcj
+.. section: Library
+
+:mod:`email`: improve handling trailing garbage in address lists to avoid
+throwing AttributeError in certain edge cases
+
+..
+
+.. date: 2026-04-17-02-28-55
+.. gh-issue: 148663
+.. nonce: MHIbRB
+.. section: Documentation
+
+Document that :class:`calendar.IllegalMonthError` is a subclass of both
+:exc:`ValueError` and :exc:`IndexError` since Python 3.12.
+
+..
+
+.. date: 2026-04-02-07-20-00
+.. gh-issue: 146646
+.. nonce: GlobDoc1
+.. section: Documentation
+
+Document that :func:`glob.glob`, :func:`glob.iglob`,
+:meth:`pathlib.Path.glob`, and :meth:`pathlib.Path.rglob` silently suppress
+:exc:`OSError` exceptions raised from scanning the filesystem.
+
+..
+
+.. date: 2026-05-04-06-03-50
+.. gh-issue: 149351
+.. nonce: hN4sF0
+.. section: Build
+
+Avoid possible broken macOS framework install names when DESTDIR is
+specified during builds.
+
+..
+
+.. date: 2026-04-30-08-43-47
+.. gh-issue: 146475
+.. nonce: 1cL4hX
+.. section: Build
+
+Block Apple Clang from being used to build the JIT as it ships without
+required LLVM tools.
+
+..
+
+.. date: 2026-04-14-15-20-29
+.. gh-issue: 148535
+.. nonce: JjKiaa
+.. section: Build
+
+No longer use the ``gcc -fprofile-update=atomic`` flag on i686. The flag has
+been added to fix a random GCC internal error on PGO build (:gh:`145801`)
+caused by corruption of profile data (.gcda files). The problem is that it
+makes the PGO build way slower (up to 47x slower) on i686. Since the GCC
+internal error was not seen on i686 so far, don't use
+``-fprofile-update=atomic`` on i686 anymore. Patch by Victor Stinner.
+
+..
+
+.. date: 2026-03-21-18-51-31
+.. gh-issue: 146264
+.. nonce: Q9Ej4m
+.. section: Build
+
+Fix static module builds on non-WASI targets by linking HACL dependencies as
+static libraries when ``MODULE_BUILDTYPE=static``, preventing duplicate
+``_Py_LibHacl_*`` symbol errors at link time.
+
+..
+
+.. date: 2026-05-03-14-07-51
+.. gh-issue: 149254
+.. nonce: ENtMYD
+.. section: Windows
+
+Updated bundled version of OpenSSL to 3.0.20.
+
+..
+
+.. date: 2026-03-27-22-06-10
+.. gh-issue: 146458
+.. nonce: fYj0UQ
+.. section: Windows
+
+Fix incorrect REPL height and width tracking on console window resize on
+Windows.
+
+..
+
+.. date: 2026-05-01-19-38-16
+.. gh-issue: 149254
+.. nonce: enO7uj
+.. section: macOS
+
+Update macOS installer to use OpenSSL 3.0.20.
projects / thirdparty / Python / cpython.git / commitdiff
