[3.13] gh-144833: Fix use-after-free in SSL module when SSL_new() fails (GH-144843) (#144859)
gh-144833: Fix use-after-free in SSL module when SSL_new() fails (GH-144843)
In newPySSLSocket(), when SSL_new() returns NULL, Py_DECREF(self)
was called before _setSSLError(get_state_ctx(self), ...), causing
a use-after-free. Additionally, get_state_ctx() was called with
self (PySSLSocket*) instead of sslctx (PySSLContext*), which is
a type confusion bug.
Fix by calling _setSSLError() before Py_DECREF() and using
sslctx instead of self for get_state_ctx().
(cherry picked from commit c91638ca0671b8038831f963ed44e66cdda006a2)
Co-authored-by: Ramin Farajpour Cami <ramin.blackhat@gmail.com>
[3.13] gh-144787: [tests] Allow TLS v1.2 to be minimum version (GH-144790) (#144792)
gh-144787: [tests] Allow TLS v1.2 to be minimum version (GH-144790)
Allow TLS v1.2 to be minimum version
Updates test_min_max_version to allow TLS v1.2 to be minimum version if
TLS 1.0 and 1.1 are disabled in OpenSSL.
(cherry picked from commit d625f7da33bf8eb57fb7e1a05deae3f68bf4d00f)
Co-authored-by: Colin McAllister <colinmca242@gmail.com>
[3.13] gh-144706: Warn against using synchronization primitives within signal handlers (GH-144736) (GH-144768)
gh-144706: Warn against using synchronization primitives within signal handlers (GH-144736)
(cherry picked from commit 945bf8ce1bf7ee3881752c2ecc129e35ab818477)
Serhiy Storchaka [Thu, 12 Feb 2026 17:18:48 +0000 (19:18 +0200)]
[3.13] gh-80667: Fix case-sensitivity of some Unicode literal escapes (GH-107281) (GH-144754)
Lookup for CJK ideograms and Hangul syllables is now case-insensitive,
as is the case for other character names.
(cherry picked from commit e66f4a5a9c7ce744030d6352bf5575639b1096cc)
Serhiy Storchaka [Thu, 12 Feb 2026 08:35:09 +0000 (10:35 +0200)]
[3.13] gh-84424: Use numeric_changed for UCD.numeric (GH-19457) (GH-144732)
This was causing ucd_3_2_0.numeric() to pick up only decimal
changes between Unicode 3.2.0 and the current version.
(cherry picked from commit 3e0322ff16f47caa3e273d453f007d3918b8ac80)
gh-143650: Fix importlib race condition on import failure (GH-143651)
Fix a race condition where a thread could receive a partially-initialized
module when another thread's import fails. The race occurs when:
1. Thread 1 starts importing, adds module to sys.modules
2. Thread 2 sees the module in sys.modules via the fast path
3. Thread 1's import fails, removes module from sys.modules
4. Thread 2 returns a stale module reference not in sys.modules
The fix adds verification after the "skip lock" optimization in both Python
and C code paths to check if the module is still in sys.modules. If the
module was removed (due to import failure), we retry the import so the
caller receives the actual exception from the import failure rather than
a stale module reference.
[3.13] gh-144492: Fix `process_changed_files` outputs for `reusable-{macos, wasi}.yml` (GH-144518) (#144634)
gh-144492: Fix `process_changed_files` outputs for `reusable-{macos, wasi}.yml` (GH-144518)
Fix `process_changed_files` double-processing reusable-{macos, wasi] ending up with incorrect outputs
(cherry picked from commit fd190d1fa1a34bb8d533d05263ea744a051b7529)
Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
[3.13] gh-144330: Initialize classmethod and staticmethod in new (GH-144498) (#144537)
[3.14] gh-144330: Initialize classmethod and staticmethod in new (GH-144498)
gh-144330: Initialize classmethod and staticmethod in new
Initialize cm_callable and sm_callable to None in classmethod and
staticmethod constructor.
(cherry picked from commit 160810de89477836f2fde7139f7ab0670399efff)
Co-authored-by: Victor Stinner <vstinner@python.org> Co-authored-by: Aniket Singh Yadav <singhyadavaniket43@gmail.com> Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
[3.13] gh-75572: Speed up test_xpickle (GH-144393) (GH-144404)
Run a long living subprocess which handles multiple requests instead of
running a new subprocess for each request.
(cherry picked from commit 29acc08c8dad664cd5713cb392e5beba65724c10)
Modifies handling of `.gz` files in Android app payloads, and ensures that
when the Android testbed streams logs, stream flushes aren't treated as
newlines. This improves the output of test suites that use "one dot per test"
progress indicators.
(cherry picked from commit cb1dc91dcb1eb6637d1c79b34a0bab728939f717)
[3.13] gh-142387: Reduce Android testbed API level to 33 (GH-144315) (#144318)
The emulator images for API level 34 and 35 have significant issues with image size and
internet connectivity. Reverts the default API level used for testbed testing to 33.
(cherry picked from commit 6543720b63a62363de540deb5a6701f1ae431bce)
Victor Stinner [Wed, 28 Jan 2026 14:15:39 +0000 (15:15 +0100)]
[3.13] gh-144194: Fix mmap failure check in perf_jit_trampoline.c (#143713) (#144304)
gh-144194: Fix mmap failure check in perf_jit_trampoline.c (#143713)
mmap() returns MAP_FAILED ((void*)-1) on error, not NULL. The current
check never detects mmap failures, so jitdump initialization proceeds
even when the memory mapping fails.
The code in test_makefile was attempting to ignore any
non-interesting files, but missed some corners:
1. There is never a *file* called `__pycache__`.
2. A directory containing only a `__pycache__` subdirectory should be
ignored.
3. A directory containing only hidden files should be ignored.
[3.13] gh-143935: Email preserve parens when folding comments (GH-143936) (#144035)
gh-143935: Email preserve parens when folding comments (GH-143936)
Fix a bug in the folding of comments when flattening an email message
using a modern email policy. Comments consisting of a very long sequence of
non-foldable characters could trigger a forced line wrap that omitted the
required leading space on the continuation line, causing the remainder of
the comment to be interpreted as a new header field. This enabled header
injection with carefully crafted inputs.
(cherry picked from commit 17d1490aa97bd6b98a42b1a9b324ead84e7fd8a2)
Co-authored-by: Seth Michael Larson <seth@python.org> Co-authored-by: Denis Ledoux <dle@odoo.com>
[3.13] gh-141004: Mark up docs of old PyMem macros (GH-143783) (GH-143865)
gh-141004: Mark up docs of old PyMem macros (GH-143783)
These had a docs-only deprecation notice since the first version of the docs in this repo. Nowadays we call things “soft deprecated” if there's just a note in the docs.
The deprecated directive needs a version, I went with the first one that had the notice (2.0; it's not in 1.6):
- https://docs.python.org/release/2.0/api/memoryInterface.html
- https://docs.python.org/release/1.6/api/memoryInterface.html
Since PEP 445, they are now direct aliases; there are no (additional) binary compatibility concerns over the preferred names.
(cherry picked from commit a009e78b79ec340d9ff0e1a8ad20f8178fd3257f)
[3.13] gh-143774 - Improve IDLE Format Paragraph doc (GH-143775) (#144063)
gh-143774 - Improve IDLE Format Paragraph doc (GH-143775)
Add a reminder to not rewrap code line to the Menu => Format => Reformat Paragraph entry.
In Editing and Nagivagion, add a new 'Format block' subsection that defines 'paragraph'
to better match what is dependably handled as more or less expected.
In particular, specify equal indents and that the resulting indent equals original indent.
Also mention that selections are expanded to complete lines and how to modify max length.
[3.13] gh-65784: Add support for parametrized resource wantobjects in regrtests (GH-143570) (GH-143914)
This allows to run Tkinter tests with the specified value of
tkinter.wantobjects, for example "-u wantobjects=0".
(cherry picked from commit 21ed1e2a9401a2e96ccc910fcb66f22afc96efbd)
[3.14] gh-143602: Fix duplicate buffer exports in io.BytesIO.write (#143629) (#143872)
gh-143602: Fix duplicate buffer exports in io.BytesIO.write (#143629)
Fix an inconsistency issue in io.BytesIO.write() where the buffer was exported
twice, which could lead to unexpected data overwrites and position drift when
the buffer changes between exports.
Serhiy Storchaka [Thu, 15 Jan 2026 07:59:15 +0000 (09:59 +0200)]
[3.13] gh-141805: Fix crash after concurrent addition objects with the same hash to set (GH-143815) (GH-143853)
This happens when the set contained several elements with the same hash,
and then some of them were removed.
(cherry picked from commit b8e925b4f8f6c5e28fbebc4f3965bf77610698b3)
[3.13] gh-106287: Do not write objects after an unmarshalling error (GH-132715) (GH-143833)
Writing out an object may involve a slot lookup, which is not safe to do with
an exception raised. In debug mode an assertion failure will occur if this
happens.
(cherry picked from commit ce8f5f98c6fc95a1704360d986a4d0281eeada79)
[3.13] gh-141004: Document old provisional names for vectorcall/code API (GH-143568) (GH-143829)
For vectorcall API, the underscore-prefixed provisional names
continue to be available per PEP 590:
https://peps.python.org/pep-0590/#finalizing-the-api
Use `versionadded`, `versionchanged`, and `:no-typesetting:`
to mark this up.
For PyCode API, use `:no-typesetting:` rather than `index::` so that
these are semantically documented as C functions.
(cherry picked from commit 7e8a1b5061313e03f99bc2ffa2062702bcc76426)
[3.13] gh-137113 docs: note readline no longer supported in REPL after 3.13 (GH-137142) (GH-143792)
Add a note to the readline module documentation stating that
Python 3.13 and later no longer supports readline in the default REPL,
as per gh-118840. Includes workaround using PYTHON_BASIC_REPL.
Gregory P. Smith [Wed, 14 Jan 2026 02:09:05 +0000 (18:09 -0800)]
[3.13] gh-143706: Fix sys.argv not set during multiprocessing forkserver `__main__` preload (GH-143717) (#143821)
The forkserver was not passing sys.argv to its main() function, causing
sys.argv to be empty during `__main__` module import in child processes. This
fixes a non-obvious regression inadvertently introduced by the gh-126631 main
preloading fix.
projects / thirdparty / Python / cpython.git / log
