From: Thomas Wouters Date: Tue, 3 Mar 2026 12:38:32 +0000 (+0100) Subject: Python 3.12.13 X-Git-Tag: v3.12.13^0 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3bb231a6a5dc02b95658877318bf61501a7209e9;p=thirdparty%2FPython%2Fcpython.git Python 3.12.13 --- diff --git a/Doc/library/pyexpat.rst b/Doc/library/pyexpat.rst index fba1449cd20c..c806a21aeea6 100644 --- a/Doc/library/pyexpat.rst +++ b/Doc/library/pyexpat.rst @@ -255,7 +255,7 @@ common XML vulnerabilities. The corresponding :attr:`~ExpatError.lineno` and :attr:`~ExpatError.offset` should not be used as they may have no special meaning. - .. versionadded:: next + .. versionadded:: 3.12.13 .. method:: xmlparser.SetAllocTrackerMaximumAmplification(max_factor, /) @@ -285,7 +285,7 @@ common XML vulnerabilities. that can be adjusted by :meth:`.SetAllocTrackerActivationThreshold` is exceeded. - .. versionadded:: next + .. versionadded:: 3.12.13 :class:`xmlparser` objects have the following attributes: diff --git a/Include/patchlevel.h b/Include/patchlevel.h index 4fe232e1dbc3..a9e55db31f35 100644 --- a/Include/patchlevel.h +++ b/Include/patchlevel.h @@ -18,12 +18,12 @@ /*--start constants--*/ #define PY_MAJOR_VERSION 3 #define PY_MINOR_VERSION 12 -#define PY_MICRO_VERSION 12 +#define PY_MICRO_VERSION 13 #define PY_RELEASE_LEVEL PY_RELEASE_LEVEL_FINAL #define PY_RELEASE_SERIAL 0 /* Version as a string */ -#define PY_VERSION "3.12.12+" +#define PY_VERSION "3.12.13" /*--end constants--*/ /* Version as a single 4-byte hex number, e.g. 0x010502B2 == 1.5.2b2. diff --git a/Lib/pydoc_data/topics.py b/Lib/pydoc_data/topics.py index 3593d44cc5c5..e0e524f67296 100644 --- a/Lib/pydoc_data/topics.py +++ b/Lib/pydoc_data/topics.py @@ -1,4 +1,4 @@ -# Autogenerated by Sphinx on Thu Oct 9 13:06:56 2025 +# Autogenerated by Sphinx on Tue Mar 3 13:38:43 2026 # as part of the release process. topics = { diff --git a/Misc/NEWS.d/3.12.13.rst b/Misc/NEWS.d/3.12.13.rst new file mode 100644 index 000000000000..e6143240cc7c 
--- /dev/null +++ b/Misc/NEWS.d/3.12.13.rst 
@@ -0,0 +1,168 @@ +.. date: 2026-01-21-12-34-05 +.. gh-issue: 144125 +.. nonce: TAz5uo +.. release date: 2026-03-03 +.. section: Security + +:mod:`~email.generator.BytesGenerator` will now refuse to serialize (write) +headers that are unsafely folded or delimited; see +:attr:`~email.policy.Policy.verify_generated_headers`. (Contributed by Bas +Bloemsaat and Petr Viktorin in :gh:`121650`). + +.. + +.. date: 2026-01-16-14-40-31 +.. gh-issue: 143935 +.. nonce: U2YtKl +.. section: Security + +Fixed a bug in the folding of comments when flattening an email message +using a modern email policy. Comments consisting of a very long sequence of +non-foldable characters could trigger a forced line wrap that omitted the +required leading space on the continuation line, causing the remainder of +the comment to be interpreted as a new header field. This enabled header +injection with carefully crafted inputs. + +.. + +.. date: 2026-01-16-11-51-19 +.. gh-issue: 143925 +.. nonce: mrtcHW +.. section: Security + +Reject control characters in ``data:`` URL media types. + +.. + +.. date: 2026-01-16-11-13-15 +.. gh-issue: 143919 +.. nonce: kchwZV +.. section: Security + +Reject control characters in :class:`http.cookies.Morsel` fields and values. + +.. + +.. date: 2026-01-16-11-07-36 +.. gh-issue: 143916 +.. nonce: dpWeOD +.. section: Security + +Reject C0 control characters within wsgiref.headers.Headers fields, values, +and parameters. + +.. + +.. date: 2025-12-01-09-36-45 +.. gh-issue: 142145 +.. nonce: tcAUhg +.. section: Security + +Remove quadratic behavior in ``xml.minidom`` node ID cache clearing. In +order to do this without breaking existing users, we also add the +*ownerDocument* attribute to :mod:`xml.dom.minidom` elements and attributes +created by directly instantiating the ``Element`` or ``Attr`` class. Note +that this way of creating nodes is not supported; creator functions like +:py:meth:`xml.dom.Document.documentElement` should be used instead. + +.. + +.. 
date: 2025-08-15-23-08-44 +.. gh-issue: 137836 +.. nonce: b55rhh +.. section: Security + +Add support of the "plaintext" element, RAWTEXT elements "xmp", "iframe", +"noembed" and "noframes", and optionally RAWTEXT element "noscript" in +:class:`html.parser.HTMLParser`. + +.. + +.. date: 2025-06-28-13-23-53 +.. gh-issue: 136063 +.. nonce: aGk0Jv +.. section: Security + +:mod:`email.message`: ensure linear complexity for legacy HTTP parameters +parsing. Patch by Bénédikt Tran. + +.. + +.. date: 2025-05-30-22-33-27 +.. gh-issue: 136065 +.. nonce: bu337o +.. section: Security + +Fix quadratic complexity in :func:`os.path.expandvars`. + +.. + +.. date: 2024-05-23-11-47-48 +.. gh-issue: 119451 +.. nonce: qkJe9- +.. section: Security + +Fix a potential memory denial of service in the :mod:`http.client` module. +When connecting to a malicious server, it could cause an arbitrary amount of +memory to be allocated. This could have led to symptoms including a +:exc:`MemoryError`, swapping, out of memory (OOM) killed processes or +containers, or even system crashes. + +.. + +.. date: 2024-05-23-11-44-41 +.. gh-issue: 119452 +.. nonce: PRfsSv +.. section: Security + +Fix a potential memory denial of service in the :mod:`http.server` module. +When a malicious user is connected to the CGI server on Windows, it could +cause an arbitrary amount of memory to be allocated. This could have led to +symptoms including a :exc:`MemoryError`, swapping, out of memory (OOM) +killed processes or containers, or even system crashes. + +.. + +.. date: 2024-05-21-22-11-31 +.. gh-issue: 119342 +.. nonce: BTFj4Z +.. section: Security + +Fix a potential memory denial of service in the :mod:`plistlib` module. When +reading a Plist file received from untrusted source, it could cause an +arbitrary amount of memory to be allocated. This could have led to symptoms +including a :exc:`MemoryError`, swapping, out of memory (OOM) killed +processes or containers, or even system crashes. + +.. + +.. 
date: 2026-02-15-00-00-00 +.. gh-issue: 144833 +.. nonce: TUelo1 +.. section: Library + +Fixed a use-after-free in :mod:`ssl` when ``SSL_new()`` returns NULL in +``newPySSLSocket()``. The error was reported via a dangling pointer after +the object had already been freed. + +.. + +.. date: 2026-01-31-17-15-49 +.. gh-issue: 144363 +.. nonce: X9f0sU +.. section: Library + +Update bundled `libexpat `_ to 2.7.4 + +.. + +.. date: 2025-09-22-14-40-11 +.. gh-issue: 90949 +.. nonce: UM35nb +.. section: Library + +Add :meth:`~xml.parsers.expat.xmlparser.SetAllocTrackerActivationThreshold` +and :meth:`~xml.parsers.expat.xmlparser.SetAllocTrackerMaximumAmplification` +to :ref:`xmlparser ` objects to prevent use of +disproportional amounts of dynamic memory from within an Expat parser. Patch +by Bénédikt Tran. diff --git a/Misc/NEWS.d/next/Library/2025-09-22-14-40-11.gh-issue-90949.UM35nb.rst b/Misc/NEWS.d/next/Library/2025-09-22-14-40-11.gh-issue-90949.UM35nb.rst deleted file mode 100644 index 5611f33fb8e3..000000000000 --- a/Misc/NEWS.d/next/Library/2025-09-22-14-40-11.gh-issue-90949.UM35nb.rst +++ /dev/null @@ -1,5 +0,0 @@ -Add :meth:`~xml.parsers.expat.xmlparser.SetAllocTrackerActivationThreshold` -and :meth:`~xml.parsers.expat.xmlparser.SetAllocTrackerMaximumAmplification` -to :ref:`xmlparser ` objects to prevent use of -disproportional amounts of dynamic memory from within an Expat parser. -Patch by Bénédikt Tran. diff --git a/Misc/NEWS.d/next/Library/2026-01-31-17-15-49.gh-issue-144363.X9f0sU.rst b/Misc/NEWS.d/next/Library/2026-01-31-17-15-49.gh-issue-144363.X9f0sU.rst deleted file mode 100644 index c17cea6613d0..000000000000 --- a/Misc/NEWS.d/next/Library/2026-01-31-17-15-49.gh-issue-144363.X9f0sU.rst +++ /dev/null @@ -1 +0,0 @@ -Update bundled `libexpat `_ to 2.7.4 
diff --git a/Misc/NEWS.d/next/Library/2026-02-15-00-00-00.gh-issue-144833.TUelo1.rst b/Misc/NEWS.d/next/Library/2026-02-15-00-00-00.gh-issue-144833.TUelo1.rst deleted file mode 100644 index 6d5b18f59ee7..000000000000 --- a/Misc/NEWS.d/next/Library/2026-02-15-00-00-00.gh-issue-144833.TUelo1.rst +++ /dev/null @@ -1,3 +0,0 @@ -Fixed a use-after-free in :mod:`ssl` when ``SSL_new()`` returns NULL in -``newPySSLSocket()``. The error was reported via a dangling pointer after the -object had already been freed. diff --git a/Misc/NEWS.d/next/Security/2024-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst b/Misc/NEWS.d/next/Security/2024-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst deleted file mode 100644 index 04fd8faca4cf..000000000000 --- a/Misc/NEWS.d/next/Security/2024-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst +++ /dev/null @@ -1,5 +0,0 @@ -Fix a potential memory denial of service in the :mod:`plistlib` module. -When reading a Plist file received from untrusted source, it could cause -an arbitrary amount of memory to be allocated. -This could have led to symptoms including a :exc:`MemoryError`, swapping, out -of memory (OOM) killed processes or containers, or even system crashes. diff --git a/Misc/NEWS.d/next/Security/2024-05-23-11-44-41.gh-issue-119452.PRfsSv.rst b/Misc/NEWS.d/next/Security/2024-05-23-11-44-41.gh-issue-119452.PRfsSv.rst deleted file mode 100644 index 98956627f2b3..000000000000 --- a/Misc/NEWS.d/next/Security/2024-05-23-11-44-41.gh-issue-119452.PRfsSv.rst +++ /dev/null @@ -1,5 +0,0 @@ -Fix a potential memory denial of service in the :mod:`http.server` module. -When a malicious user is connected to the CGI server on Windows, it could cause -an arbitrary amount of memory to be allocated. -This could have led to symptoms including a :exc:`MemoryError`, swapping, out -of memory (OOM) killed processes or containers, or even system crashes. 
diff --git a/Misc/NEWS.d/next/Security/2024-05-23-11-47-48.gh-issue-119451.qkJe9-.rst b/Misc/NEWS.d/next/Security/2024-05-23-11-47-48.gh-issue-119451.qkJe9-.rst deleted file mode 100644 index 6d6f25cd2f8b..000000000000 --- a/Misc/NEWS.d/next/Security/2024-05-23-11-47-48.gh-issue-119451.qkJe9-.rst +++ /dev/null @@ -1,5 +0,0 @@ -Fix a potential memory denial of service in the :mod:`http.client` module. -When connecting to a malicious server, it could cause -an arbitrary amount of memory to be allocated. -This could have led to symptoms including a :exc:`MemoryError`, swapping, out -of memory (OOM) killed processes or containers, or even system crashes. diff --git a/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst b/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst deleted file mode 100644 index 1d152bb53183..000000000000 --- a/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst +++ /dev/null @@ -1 +0,0 @@ -Fix quadratic complexity in :func:`os.path.expandvars`. diff --git a/Misc/NEWS.d/next/Security/2025-06-28-13-23-53.gh-issue-136063.aGk0Jv.rst b/Misc/NEWS.d/next/Security/2025-06-28-13-23-53.gh-issue-136063.aGk0Jv.rst deleted file mode 100644 index 940a3ad5a72f..000000000000 --- a/Misc/NEWS.d/next/Security/2025-06-28-13-23-53.gh-issue-136063.aGk0Jv.rst +++ /dev/null @@ -1,2 +0,0 @@ -:mod:`email.message`: ensure linear complexity for legacy HTTP parameters -parsing. Patch by Bénédikt Tran. diff --git a/Misc/NEWS.d/next/Security/2025-08-15-23-08-44.gh-issue-137836.b55rhh.rst b/Misc/NEWS.d/next/Security/2025-08-15-23-08-44.gh-issue-137836.b55rhh.rst deleted file mode 100644 index c30c9439a76a..000000000000 --- a/Misc/NEWS.d/next/Security/2025-08-15-23-08-44.gh-issue-137836.b55rhh.rst +++ /dev/null @@ -1,3 +0,0 @@ -Add support of the "plaintext" element, RAWTEXT elements "xmp", "iframe", -"noembed" and "noframes", and optionally RAWTEXT element "noscript" in -:class:`html.parser.HTMLParser`. 
diff --git a/Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst b/Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst deleted file mode 100644 index 05c7df35d14b..000000000000 --- a/Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst +++ /dev/null @@ -1,6 +0,0 @@ -Remove quadratic behavior in ``xml.minidom`` node ID cache clearing. In order -to do this without breaking existing users, we also add the *ownerDocument* -attribute to :mod:`xml.dom.minidom` elements and attributes created by directly -instantiating the ``Element`` or ``Attr`` class. Note that this way of creating -nodes is not supported; creator functions like -:py:meth:`xml.dom.Document.documentElement` should be used instead. diff --git a/Misc/NEWS.d/next/Security/2026-01-16-11-07-36.gh-issue-143916.dpWeOD.rst b/Misc/NEWS.d/next/Security/2026-01-16-11-07-36.gh-issue-143916.dpWeOD.rst deleted file mode 100644 index 44bd0b27059f..000000000000 --- a/Misc/NEWS.d/next/Security/2026-01-16-11-07-36.gh-issue-143916.dpWeOD.rst +++ /dev/null @@ -1,2 +0,0 @@ -Reject C0 control characters within wsgiref.headers.Headers fields, values, -and parameters. diff --git a/Misc/NEWS.d/next/Security/2026-01-16-11-13-15.gh-issue-143919.kchwZV.rst b/Misc/NEWS.d/next/Security/2026-01-16-11-13-15.gh-issue-143919.kchwZV.rst deleted file mode 100644 index 788c3e4ac2eb..000000000000 --- a/Misc/NEWS.d/next/Security/2026-01-16-11-13-15.gh-issue-143919.kchwZV.rst +++ /dev/null @@ -1 +0,0 @@ -Reject control characters in :class:`http.cookies.Morsel` fields and values. diff --git a/Misc/NEWS.d/next/Security/2026-01-16-11-51-19.gh-issue-143925.mrtcHW.rst b/Misc/NEWS.d/next/Security/2026-01-16-11-51-19.gh-issue-143925.mrtcHW.rst deleted file mode 100644 index 46109dfbef3e..000000000000 --- a/Misc/NEWS.d/next/Security/2026-01-16-11-51-19.gh-issue-143925.mrtcHW.rst +++ /dev/null @@ -1 +0,0 @@ -Reject control characters in ``data:`` URL media types. 
diff --git a/Misc/NEWS.d/next/Security/2026-01-16-14-40-31.gh-issue-143935.U2YtKl.rst b/Misc/NEWS.d/next/Security/2026-01-16-14-40-31.gh-issue-143935.U2YtKl.rst deleted file mode 100644 index c3d864936884..000000000000 --- a/Misc/NEWS.d/next/Security/2026-01-16-14-40-31.gh-issue-143935.U2YtKl.rst +++ /dev/null @@ -1,6 +0,0 @@ -Fixed a bug in the folding of comments when flattening an email message -using a modern email policy. Comments consisting of a very long sequence of -non-foldable characters could trigger a forced line wrap that omitted the -required leading space on the continuation line, causing the remainder of -the comment to be interpreted as a new header field. This enabled header -injection with carefully crafted inputs. diff --git a/Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst b/Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst deleted file mode 100644 index e6333e724972..000000000000 --- a/Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst +++ /dev/null @@ -1,4 +0,0 @@ -:mod:`~email.generator.BytesGenerator` will now refuse to serialize (write) headers -that are unsafely folded or delimited; see -:attr:`~email.policy.Policy.verify_generated_headers`. (Contributed by Bas -Bloemsaat and Petr Viktorin in :gh:`121650`). diff --git a/README.rst b/README.rst index 7a384ed7833a..2a4c011567dd 100644 --- a/README.rst +++ b/README.rst @@ -1,4 +1,4 @@ -This is Python version 3.12.12 +This is Python version 3.12.13 ============================== .. image:: https://github.com/python/cpython/workflows/Tests/badge.svg
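Review bot: In Include/patchlevel.h, PY_VERSION goes from "3.12.12+" to "3.12.13" with no trailing "+", so any build made from this branch after the tag reports the same version string as the release itself. The removed line shows the branch convention of a "+" suffix between releases; a follow-up commit setting PY_VERSION to "3.12.13+" should land straight after tagging, so that post-release builds stay distinguishable when working out which fixes a given interpreter carries.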
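Review bot: In Misc/NEWS.d/3.12.13.rst, the gh-142145 Security entry cites :py:meth:`xml.dom.Document.documentElement` as a creator function, but documentElement is the attribute holding the root element; the node-creating methods are Document.createElement and Document.createAttribute, and the entry's first sentence should name ``xml.dom.minidom`` rather than ``xml.minidom``. Two entries that describe security-relevant changes are filed under "section: Library": gh-144833 (use-after-free in ssl when SSL_new() returns NULL) and gh-90949 (the SetAllocTracker* limits, whose pyexpat.rst hunk headers carry the context "common XML vulnerabilities."); moving them to the Security section would put them where readers scanning the changelog for security fixes will look. The gh-144125 entry also credits :gh:`121650` without saying how the two issues relate, which leaves it unclear which one tracks the 3.12 change.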