From: Thomas Wouters Date: Wed, 10 Jun 2026 12:23:45 +0000 (+0200) Subject: Python 3.13.14 X-Git-Tag: v3.13.14^0 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=fd17997c3866d61e0e7bd8201b1d8f35b40a40bd;p=thirdparty%2FPython%2Fcpython.git Python 3.13.14 --- diff --git a/Doc/library/pyexpat.rst b/Doc/library/pyexpat.rst index 4bdde5613510..ea8e3eca52dc 100644 --- a/Doc/library/pyexpat.rst +++ b/Doc/library/pyexpat.rst @@ -262,7 +262,7 @@ against some common XML vulnerabilities. Activation thresholds below 4 MiB are known to break support for DITA 1.3 payload and are hence not recommended. - .. versionadded:: next + .. versionadded:: 3.13.14 .. method:: xmlparser.SetBillionLaughsAttackProtectionMaximumAmplification(max_factor, /) @@ -294,7 +294,7 @@ against some common XML vulnerabilities. that can be adjusted by :meth:`.SetBillionLaughsAttackProtectionActivationThreshold` is exceeded. - .. versionadded:: next + .. versionadded:: 3.13.14 .. method:: xmlparser.SetAllocTrackerActivationThreshold(threshold, /) diff --git a/Doc/library/sqlite3.rst b/Doc/library/sqlite3.rst index 2a781cf16f17..96817ff03cba 100644 --- a/Doc/library/sqlite3.rst +++ b/Doc/library/sqlite3.rst @@ -1436,7 +1436,7 @@ Connection objects See :ref:`sqlite3-howto-row-factory` for more details. - .. versionchanged:: next + .. versionchanged:: 3.13.14 Deleting the ``row_factory`` attribute is no longer allowed. .. attribute:: text_factory @@ -1448,7 +1448,7 @@ Connection objects See :ref:`sqlite3-howto-encoding` for more details. - .. versionchanged:: next + .. versionchanged:: 3.13.14 Deleting the ``text_factory`` attribute is no longer allowed. .. attribute:: total_changes @@ -1734,7 +1734,7 @@ Cursor objects See :ref:`sqlite3-howto-row-factory` for more details. - .. versionchanged:: next + .. versionchanged:: 3.13.14 Deleting the ``row_factory`` attribute is no longer allowed. diff --git a/Include/patchlevel.h b/Include/patchlevel.h index 439793b02047..e33d30adf950 100644 --- a/Include/patchlevel.h +++ b/Include/patchlevel.h @@ -18,12 +18,12 @@ /*--start constants--*/ #define PY_MAJOR_VERSION 3 #define PY_MINOR_VERSION 13 -#define PY_MICRO_VERSION 13 +#define PY_MICRO_VERSION 14 #define PY_RELEASE_LEVEL PY_RELEASE_LEVEL_FINAL #define PY_RELEASE_SERIAL 0 /* Version as a string */ -#define PY_VERSION "3.13.13+" +#define PY_VERSION "3.13.14" /*--end constants--*/ /* Version as a single 4-byte hex number, e.g. 0x010502B2 == 1.5.2b2. diff --git a/Lib/pydoc_data/module_docs.py b/Lib/pydoc_data/module_docs.py index 8c4013606ca6..9e4564909676 100644 --- a/Lib/pydoc_data/module_docs.py +++ b/Lib/pydoc_data/module_docs.py @@ -1,4 +1,4 @@ -# Autogenerated by Sphinx on Tue Apr 7 20:18:56 2026 +# Autogenerated by Sphinx on Wed Jun 10 14:23:59 2026 # as part of the release process. module_docs = { diff --git a/Lib/pydoc_data/topics.py b/Lib/pydoc_data/topics.py index bbbd6a3effdb..31d582a90abc 100644 --- a/Lib/pydoc_data/topics.py +++ b/Lib/pydoc_data/topics.py @@ -1,4 +1,4 @@ -# Autogenerated by Sphinx on Tue Apr 7 20:18:56 2026 +# Autogenerated by Sphinx on Wed Jun 10 14:23:59 2026 # as part of the release process. topics = { @@ -2122,9 +2122,9 @@ Added in version 3.10. The match statement is used for pattern matching. Syntax: match_stmt ::= 'match' subject_expr ":" NEWLINE INDENT case_block+ DEDENT - subject_expr ::= `!star_named_expression` "," `!star_named_expressions`? - | `!named_expression` - case_block ::= 'case' patterns [guard] ":" `!block` + subject_expr ::= flexible_expression "," [flexible_expression_list [',']] + | assignment_expression + case_block ::= 'case' patterns [guard] ":" suite Note: @@ -2215,7 +2215,7 @@ section. Guards ------ - guard ::= "if" `!named_expression` + guard ::= "if" assignment_expression A "guard" (which is part of the "case") must succeed for code inside the "case" block to execute. It takes the form: "if" followed by an @@ -4625,11 +4625,6 @@ Note: See also the description of the "try" statement in section The try statement and "raise" statement in section The raise statement. - --[ Footnotes ]- - -[1] This limitation occurs because the code that is executed by these - operations is not available at the time the module is compiled. ''', 'execmodel': r'''Execution model *************** @@ -4976,6 +4971,180 @@ Note: See also the description of the "try" statement in section The try statement and "raise" statement in section The raise statement. + +Runtime Components +================== + + +General Computing Model +----------------------- + +Python’s execution model does not operate in a vacuum. It runs on a +host machine and through that host’s runtime environment, including +its operating system (OS), if there is one. When a program runs, the +conceptual layers of how it runs on the host look something like this: + + **host machine** + **process** (global resources) + **thread** (runs machine code) + +Each process represents a program running on the host. Think of each +process itself as the data part of its program. Think of the process’ +threads as the execution part of the program. This distinction will +be important to understand the conceptual Python runtime. + +The process, as the data part, is the execution context in which the +program runs. It mostly consists of the set of resources assigned to +the program by the host, including memory, signals, file handles, +sockets, and environment variables. + +Processes are isolated and independent from one another. (The same is +true for hosts.) The host manages the process’ access to its assigned +resources, in addition to coordinating between processes. + +Each thread represents the actual execution of the program’s machine +code, running relative to the resources assigned to the program’s +process. It’s strictly up to the host how and when that execution +takes place. + +From the point of view of Python, a program always starts with exactly +one thread. However, the program may grow to run in multiple +simultaneous threads. Not all hosts support multiple threads per +process, but most do. Unlike processes, threads in a process are not +isolated and independent from one another. Specifically, all threads +in a process share all of the process’ resources. + +The fundamental point of threads is that each one does *run* +independently, at the same time as the others. That may be only +conceptually at the same time (“concurrently”) or physically (“in +parallel”). Either way, the threads effectively run at a non- +synchronized rate. + +Note: + + That non-synchronized rate means none of the process’ memory is + guaranteed to stay consistent for the code running in any given + thread. Thus multi-threaded programs must take care to coordinate + access to intentionally shared resources. Likewise, they must take + care to be absolutely diligent about not accessing any *other* + resources in multiple threads; otherwise two threads running at the + same time might accidentally interfere with each other’s use of some + shared data. All this is true for both Python programs and the + Python runtime.The cost of this broad, unstructured requirement is + the tradeoff for the kind of raw concurrency that threads provide. + The alternative to the required discipline generally means dealing + with non-deterministic bugs and data corruption. + + +Python Runtime Model +-------------------- + +The same conceptual layers apply to each Python program, with some +extra data layers specific to Python: + + **host machine** + **process** (global resources) + Python global runtime (*state*) + Python interpreter (*state*) + **thread** (runs Python bytecode and “C-API”) + Python thread *state* + +At the conceptual level: when a Python program starts, it looks +exactly like that diagram, with one of each. The runtime may grow to +include multiple interpreters, and each interpreter may grow to +include multiple thread states. + +Note: + + A Python implementation won’t necessarily implement the runtime + layers distinctly or even concretely. The only exception is places + where distinct layers are directly specified or exposed to users, + like through the "threading" module. + +Note: + + The initial interpreter is typically called the “main” interpreter. + Some Python implementations, like CPython, assign special roles to + the main interpreter.Likewise, the host thread where the runtime was + initialized is known as the “main” thread. It may be different from + the process’ initial thread, though they are often the same. In + some cases “main thread” may be even more specific and refer to the + initial thread state. A Python runtime might assign specific + responsibilities to the main thread, such as handling signals. + +As a whole, the Python runtime consists of the global runtime state, +interpreters, and thread states. The runtime ensures all that state +stays consistent over its lifetime, particularly when used with +multiple host threads. + +The global runtime, at the conceptual level, is just a set of +interpreters. While those interpreters are otherwise isolated and +independent from one another, they may share some data or other +resources. The runtime is responsible for managing these global +resources safely. The actual nature and management of these resources +is implementation-specific. Ultimately, the external utility of the +global runtime is limited to managing interpreters. + +In contrast, an “interpreter” is conceptually what we would normally +think of as the (full-featured) “Python runtime”. When machine code +executing in a host thread interacts with the Python runtime, it calls +into Python in the context of a specific interpreter. + +Note: + + The term “interpreter” here is not the same as the “bytecode + interpreter”, which is what regularly runs in threads, executing + compiled Python code.In an ideal world, “Python runtime” would refer + to what we currently call “interpreter”. However, it’s been called + “interpreter” at least since introduced in 1997 (CPython:a027efa5b). + +Each interpreter completely encapsulates all of the non-process- +global, non-thread-specific state needed for the Python runtime to +work. Notably, the interpreter’s state persists between uses. It +includes fundamental data like "sys.modules". The runtime ensures +multiple threads using the same interpreter will safely share it +between them. + +A Python implementation may support using multiple interpreters at the +same time in the same process. They are independent and isolated from +one another. For example, each interpreter has its own "sys.modules". + +For thread-specific runtime state, each interpreter has a set of +thread states, which it manages, in the same way the global runtime +contains a set of interpreters. It can have thread states for as many +host threads as it needs. It may even have multiple thread states for +the same host thread, though that isn’t as common. + +Each thread state, conceptually, has all the thread-specific runtime +data an interpreter needs to operate in one host thread. The thread +state includes the current raised exception and the thread’s Python +call stack. It may include other thread-specific resources. + +Note: + + The term “Python thread” can sometimes refer to a thread state, but + normally it means a thread created using the "threading" module. + +Each thread state, over its lifetime, is always tied to exactly one +interpreter and exactly one host thread. It will only ever be used in +that thread and with that interpreter. + +Multiple thread states may be tied to the same host thread, whether +for different interpreters or even the same interpreter. However, for +any given host thread, only one of the thread states tied to it can be +used by the thread at a time. + +Thread states are isolated and independent from one another and don’t +share any data, except for possibly sharing an interpreter and objects +or other resources belonging to that interpreter. + +Once a program is running, new Python threads can be created using the +"threading" module (on platforms and Python implementations that +support threads). Additional processes can be created using the "os", +"subprocess", and "multiprocessing" modules. Coroutines (async) can be +run using "asyncio" in each interpreter, typically only in a single +thread (often the main thread). + -[ Footnotes ]- [1] This limitation occurs because the code that is executed by these @@ -5317,7 +5486,8 @@ following: | | is not supported. | +-----------+------------------------------------------------------------+ -For a locale aware separator, use the "'n'" presentation type instead. +For a locale-aware separator, use the "'n'" float presentation type or +integer presentation type instead. Changed in version 3.1: Added the "','" option (see also **PEP 378**). @@ -5368,7 +5538,10 @@ The available integer presentation types are: +-----------+------------------------------------------------------------+ | "'n'" | Number. This is the same as "'d'", except that it uses the | | | current locale setting to insert the appropriate digit | - | | group separators. | + | | group separators. Note that the default locale is not the | + | | system locale. Depending on your use case, you may wish to | + | | set "LC_NUMERIC" with "locale.setlocale()" before using | + | | "'n'". | +-----------+------------------------------------------------------------+ | None | The same as "'d'". | +-----------+------------------------------------------------------------+ @@ -5442,7 +5615,10 @@ The available presentation types for "float" and "Decimal" values are: +-----------+------------------------------------------------------------+ | "'n'" | Number. This is the same as "'g'", except that it uses the | | | current locale setting to insert the appropriate digit | - | | group separators for the integral part of a number. | + | | group separators for the integral part of a number. Note | + | | that the default locale is not the system locale. | + | | Depending on your use case, you may wish to set | + | | "LC_NUMERIC" with "locale.setlocale()" before using "'n'". | +-----------+------------------------------------------------------------+ | "'%'" | Percentage. Multiplies the number by 100 and displays in | | | fixed ("'f'") format, followed by a percent sign. | @@ -6039,8 +6215,9 @@ steps: 1. find a module, loading and initializing it if necessary -2. define a name or names in the local namespace for the scope where - the "import" statement occurs. +2. define a name or names in the current namespace for the scope where + the "import" statement occurs, just as an assignment statement + would (including "global" and "nonlocal" semantics). When the statement contains multiple clauses (separated by commas) the two steps are carried out separately for each clause, just as though @@ -6085,7 +6262,7 @@ The "from" form uses a slightly more complex process: 3. if the attribute is not found, "ImportError" is raised. - 4. otherwise, a reference to that value is stored in the local + 4. otherwise, a reference to that value is stored in the current namespace, using the name in the "as" clause if it is present, otherwise using the attribute name @@ -9342,9 +9519,22 @@ str.isdigit() decimal characters and digits that need special handling, such as the compatibility superscript digits. This covers digits which cannot be used to form numbers in base 10, like the Kharosthi - numbers. Formally, a digit is a character that has the property + numbers. Formally, a digit is a character that has the property value Numeric_Type=Digit or Numeric_Type=Decimal. + For example: + + >>> '0123456789'.isdigit() + True + >>> '٠١٢٣٤٥٦٧٨٩'.isdigit() # Arabic-Indic digits zero to nine + True + >>> '⅕'.isdigit() # Vulgar fraction one fifth + False + >>> '²'.isdecimal(), '²'.isdigit(), '²'.isnumeric() + (False, True, True) + + See also "isdecimal()" and "isnumeric()". + str.isidentifier() Return "True" if the string is a valid identifier according to the @@ -9380,15 +9570,14 @@ str.isnumeric() >>> '0123456789'.isnumeric() True - >>> '٠١٢٣٤٥٦٧٨٩'.isnumeric() # Arabic-indic digit zero to nine + >>> '٠١٢٣٤٥٦٧٨٩'.isnumeric() # Arabic-Indic digits zero to nine True >>> '⅕'.isnumeric() # Vulgar fraction one fifth True >>> '²'.isdecimal(), '²'.isdigit(), '²'.isnumeric() (False, True, True) - See also "isdecimal()" and "isdigit()". Numeric characters are a - superset of decimal numbers. + See also "isdecimal()" and "isdigit()". str.isprintable() @@ -9770,7 +9959,7 @@ str.split(sep=None, maxsplit=-1) >>> " foo ".split(maxsplit=0) ['foo '] - See also "join()". + See also "join()" and "rsplit()". str.splitlines(keepends=False) @@ -9860,6 +10049,8 @@ str.strip(chars=None, /) not a prefix or suffix; rather, all combinations of its values are stripped. + Whitespace characters are defined by "str.isspace()". + For example: >>> ' spacious '.strip() @@ -9884,8 +10075,18 @@ str.strip(chars=None, /) str.swapcase() Return a copy of the string with uppercase characters converted to - lowercase and vice versa. Note that it is not necessarily true that - "s.swapcase().swapcase() == s". + lowercase and vice versa. For example: + + >>> 'Hello World'.swapcase() + 'hELLO wORLD' + + Note that it is not necessarily true that "s.swapcase().swapcase() + == s". For example: + + >>> 'straße'.swapcase().swapcase() + 'strasse' + + See also "str.lower()" and "str.upper()". str.title() @@ -11899,6 +12100,9 @@ class dict(iterable, /, **kwargs) insertion order. This behavior was an implementation detail of CPython from 3.6. + Dictionaries are generic over two types, signifying (respectively) + the types of the dictionary’s keys and values. + These are the operations that dictionaries support (and therefore, custom mapping types should support too): @@ -12598,6 +12802,8 @@ class list(iterable=(), /) Many other operations also produce lists, including the "sorted()" built-in. + Lists are generic over the types of their items. + Lists implement all of the common and mutable sequence operations. Lists also provide the following additional method: @@ -12683,6 +12889,10 @@ class tuple(iterable=(), /) Tuples implement all of the common sequence operations. + Tuples are generic over the types of their contents. For more + information, refer to the typing documentation on annotating + tuples. + For heterogeneous collections of data where access by name is clearer than access by index, "collections.namedtuple()" may be a more appropriate choice than a simple tuple object. diff --git a/Misc/NEWS.d/3.13.14.rst b/Misc/NEWS.d/3.13.14.rst new file mode 100644 index 000000000000..14d4a624f146 --- /dev/null +++ b/Misc/NEWS.d/3.13.14.rst @@ -0,0 +1,1039 @@ +.. date: 2026-06-09-01-27-48 +.. gh-issue: 124111 +.. nonce: MDDDD6 +.. release date: 2026-06-10 +.. section: macOS + +Update macOS installer to use Tcl/Tk 8.6.18. + +.. + +.. date: 2026-05-31-10-40-00 +.. gh-issue: 150644 +.. nonce: zLWyjj +.. section: macOS + +When system logging is enabled (with ``config.use_system_logger``, messages +are now tagged as public. This allows the macOS 26 system logger to view +messages without special configuration. + +.. + +.. date: 2025-10-14-00-17-48 +.. gh-issue: 115119 +.. nonce: 470I1N +.. section: macOS + +Update macOS installer to use libmpdecimal 4.0.1. + +.. + +.. date: 2026-06-09-12-04-21 +.. gh-issue: 151159 +.. nonce: O2NVrd +.. section: Windows + +Updated bundled version of OpenSSL to 3.0.21. + +.. + +.. date: 2026-06-09-11-40-17 +.. gh-issue: 151159 +.. nonce: 9si8Fo +.. section: Windows + +Update macOS installer to use OpenSSL 3.0.21. + +.. + +.. date: 2026-06-09-11-52-52 +.. gh-issue: 151130 +.. nonce: 1vslPH +.. section: Tests + +Add more tests for ``PyWeakref_*`` C API. + +.. + +.. date: 2026-05-13-14-53-23 +.. gh-issue: 149776 +.. nonce: orqgsn +.. section: Tests + +Fix test_socket on Linux kernel 7.1 and newer: skip UDP Lite tests if it's +not supported. Patch by Victor Stinner. + +.. + +.. date: 2026-06-09-12-27-17 +.. gh-issue: 151159 +.. nonce: ng1cPU +.. section: Security + +Bumps the OpenSSL version to 3.0.21 on Android. + +.. + +.. date: 2026-05-30-09-36-20 +.. gh-issue: 150599 +.. nonce: nlHqU- +.. section: Security + +Fix a possible stack buffer overflow in :mod:`bz2` when a +:class:`bz2.BZ2Decompressor` is reused after a decompression error. The +decompressor now becomes unusable after libbz2 reports an error. + +.. + +.. date: 2026-05-18-17-46-00 +.. gh-issue: 149835 +.. nonce: EebFlk +.. section: Security + +:func:`shutil.move` now resolves symlinks via :func:`os.path.realpath` when +checking whether the destination is inside the source directory, preventing +a symlink-based bypass of that guard. + +.. + +.. date: 2026-05-11-21-15-07 +.. gh-issue: 149698 +.. nonce: OudOcW +.. section: Security + +Update bundled `libexpat `_ to version 2.8.1 +for the fix for :cve:`2026-45186`. + +.. + +.. date: 2026-05-10-18-05-32 +.. gh-issue: 87451 +.. nonce: XkKB6M +.. section: Security + +The :mod:`ftplib` module's undocumented ``ftpcp`` function no longer trusts +the IPv4 address value returned from the source server in response to the +``PASV`` command by default, completing the fix for CVE-2021-4189. As with +:class:`ftplib.FTP`, the former behavior can be re-enabled by setting the +``trust_server_pasv_ipv4_address`` attribute on the source +:class:`ftplib.FTP` instance to ``True``. Thanks to Qi Deng at Aurascape AI +for the report. + +.. + +.. date: 2026-05-03-21-00-00 +.. gh-issue: 149486 +.. nonce: tarflt +.. section: Security + +:func:`tarfile.data_filter` now validates link targets using the same +normalised value that is written to disk, strips trailing separators from +the member name when resolving a symlink's directory, and rejects link +members that would replace the destination directory itself. This closes +several path-traversal bypasses of the ``data`` extraction filter. + +.. + +.. date: 2026-04-27-16-36-11 +.. gh-issue: 149079 +.. nonce: vKl-LM +.. section: Security + +Fix a potential denial of service in :func:`unicodedata.normalize`. The +canonical ordering step of Unicode normalization used a quadratic-time +insertion sort for reordering combining characters, which could be exploited +with crafted input containing many combining characters in non-canonical +order. Replaced with a linear-time counting sort for long runs. + +.. + +.. date: 2026-04-26-19-30-45 +.. gh-issue: 149018 +.. nonce: a9SqWb +.. section: Security + +Improved protection against XML hash-flooding attacks in +:mod:`xml.parsers.expat` and :mod:`xml.etree.ElementTree` when Python is +compiled with libExpat 2.8.0 or later. + +.. + +.. date: 2026-04-26-17-49-58 +.. gh-issue: 149017 +.. nonce: EiVFPo +.. section: Security + +Update bundled `libexpat `_ to version 2.8.0. + +.. + +.. date: 2026-04-21-13-46-30 +.. gh-issue: 90309 +.. nonce: srvj9q +.. section: Security + +Base64-encode values when embedding cookies to JavaScript using the +:meth:`http.cookies.BaseCookie.js_output` method to avoid injection and +escaping. + +.. + +.. date: 2026-04-20-15-31-37 +.. gh-issue: 148808 +.. nonce: _Z8JL0 +.. section: Security + +Added buffer boundary check when using ``nbytes`` parameter with +:meth:`!asyncio.AbstractEventLoop.sock_recvfrom_into`. Only relevant for +Windows and the :class:`asyncio.ProactorEventLoop`. + +.. + +.. date: 2026-04-10-16-28-21 +.. gh-issue: 148395 +.. nonce: kfzm0G +.. section: Security + +Fix a dangling input pointer in :class:`lzma.LZMADecompressor`, +:class:`bz2.BZ2Decompressor`, and internal :class:`!zlib._ZlibDecompressor` +when memory allocation fails with :exc:`MemoryError`, which could let a +subsequent :meth:`!decompress` call read or write through a stale pointer to +the already-released caller buffer. + +.. + +.. date: 2026-03-31-09-15-51 +.. gh-issue: 148169 +.. nonce: EZJzz2 +.. section: Security + +A bypass in :mod:`webbrowser` allowed URLs prefixed with ``%action`` to pass +the dash-prefix safety check. + +.. + +.. date: 2026-03-29-12-51-33 +.. gh-issue: 146581 +.. nonce: 4vZfB0 +.. section: Security + +Fix vulnerability in :func:`shutil.unpack_archive` for ZIP files on Windows +which allowed to write files outside of the destination tree if the patch in +the archive contains a Windows drive prefix. Now such invalid paths will be +skipped. Files containing ".." in the name (like "foo..bar") are no longer +skipped. + +.. + +.. date: 2026-03-25-00-51-03 +.. gh-issue: 146333 +.. nonce: LqdL__bn +.. section: Security + +Fix quadratic backtracking in :class:`configparser.RawConfigParser` option +parsing regexes (``OPTCRE`` and ``OPTCRE_NV``). A crafted configuration line +with many whitespace characters could cause excessive CPU usage. + +.. + +.. date: 2026-03-20-09-29-42 +.. gh-issue: 146211 +.. nonce: PQVbs7 +.. section: Security + +Reject CR/LF characters in tunnel request headers for the +HTTPConnection.set_tunnel() method. + +.. + +.. date: 2026-06-04-21-49-18 +.. gh-issue: 150913 +.. nonce: EmptyBl +.. section: Library + +Fix :class:`sqlite3.Blob` slice assignment to raise :exc:`TypeError` and +:exc:`IndexError` for type and size mismatches respectively, even when the +target slice is empty. + +.. + +.. date: 2026-06-04-18-22-56 +.. gh-issue: 143008 +.. nonce: z5tw-J +.. section: Library + +Fix race conditions when re-initializing a :class:`io.TextIOWrapper` object. + +.. + +.. date: 2026-05-31-17-47-30 +.. gh-issue: 150685 +.. nonce: EBB2mU +.. section: Library + +Update bundled pip to 26.1.2 + +.. + +.. date: 2026-05-25-17-00-00 +.. gh-issue: 150406 +.. nonce: jF3g63 +.. section: Library + +Fix a possible crash occurring during :mod:`socket` module initialization +when the system is out of memory on platforms without a reentrant +``gethostbyname``. + +.. + +.. date: 2026-05-25-07-22-05 +.. gh-issue: 150372 +.. nonce: 9hLqhe +.. section: Library + +:mod:`readline`: Fix a potential crash during tab completion caused by an +out-of-memory error during module initialization. + +.. + +.. date: 2026-05-21-11-25-58 +.. gh-issue: 150175 +.. nonce: 8H4Caz +.. section: Library + +Fix race condition in :class:`unittest.mock.ThreadingMock` where concurrent +calls could lose increments to ``call_count`` and other attributes due to a +missing lock in ``_increment_mock_call``. + +.. + +.. date: 2026-05-19-19-00-49 +.. gh-issue: 84353 +.. nonce: ZU5zaQ +.. section: Library + +Preserve non-UTF-8 encoded filenames when appending to a +:class:`zipfile.ZipFile`. Previously, non-ASCII names stored in a legacy +encoding (without the UTF-8 flag bit set) could be corrupted when the +central directory was rewritten: they were decoded as cp437 and then +re-stored as UTF-8. + +.. + +.. date: 2026-05-18-07-44-46 +.. gh-issue: 149995 +.. nonce: vvtFHn +.. section: Library + +Update various docstrings in :mod:`typing`. + +.. + +.. date: 2026-05-17-22-37-02 +.. gh-issue: 88726 +.. nonce: BAoL6j +.. section: Library + +The :mod:`email` package now uses standard MIME charset names "gb2312" and +"big5" instead of non-standard names "eucgb2312_cn" and "big5_tw". + +.. + +.. date: 2026-05-17-02-25-56 +.. gh-issue: 149571 +.. nonce: LNyuWJ +.. section: Library + +Fix the C implementation of :meth:`xml.etree.ElementTree.Element.itertext`: +it no longer emits text for comments and processing instructions. + +.. + +.. date: 2026-05-16-21-08-33 +.. gh-issue: 149921 +.. nonce: I1yNML +.. section: Library + +Fix reference leaks in error paths of the :mod:`!_interpchannels` and +:mod:`!_interpqueues` extension modules. + +.. + +.. date: 2026-05-13-23-18-39 +.. gh-issue: 149801 +.. nonce: S_FfGr +.. section: Library + +Add IANA registered names and aliases with leading zeros before number (like +IBM00858, CP00858, IBM01140, CP01140) for corresponding codecs. + +.. + +.. date: 2026-05-12-06-24-54 +.. gh-issue: 149701 +.. nonce: 8v9RTm +.. section: Library + +Fix bad return code from Lib/venv/bin/activate if hashing is disabled + +.. + +.. date: 2026-05-08-15-08-35 +.. gh-issue: 112821 +.. nonce: t9T1YD +.. section: Library + +In the REPL, autocompletion might run arbitrary code in the getter of a +descriptor. If that getter raised an exception, autocompletion would fail to +present any options for the entire object. Autocompletion now works as +expected for these objects. + +.. + +.. date: 2026-05-07-21-58-17 +.. gh-issue: 149388 +.. nonce: DDBPeA +.. section: Library + +Make :class:`!asyncio.windows_utils.PipeHandle` closing idempotent. + +.. + +.. date: 2026-05-07-14-18-47 +.. gh-issue: 149489 +.. nonce: bX9iHe +.. section: Library + +Fix :mod:`~xml.etree.ElementTree` serialization to HTML. The content of +elements "xmp", "iframe", "noembed", "noframes", and "plaintext" is no +longer escaped. The "plaintext" element no longer have the closing tag. + +.. + +.. date: 2026-05-04-19-28-48 +.. gh-issue: 149377 +.. nonce: WNlc8Y +.. section: Library + +Update bundled pip to 26.1.1 + +.. + +.. date: 2026-05-01-16-45-31 +.. gh-issue: 149231 +.. nonce: x2nBEE +.. section: Library + +In :mod:`tomllib`, the number of parts in TOML keys is now limited. + +.. + +.. date: 2026-04-29-16-11-27 +.. gh-issue: 149117 +.. nonce: yEeTYd +.. section: Library + +Fix :func:`runpy.run_module` and :func:`runpy.run_path` to set the +:attr:`~ImportError.name` attribute on the :exc:`ImportError` they raise. + +.. + +.. date: 2026-04-29-14-33-42 +.. gh-issue: 149148 +.. nonce: EaiYvk +.. section: Library + +:mod:`ensurepip`: Upgrade bundled pip to 26.1. This version fixes the +:cve:`2026-3219` vulnerability. Patch by Victor Stinner. + +.. + +.. date: 2026-04-27-22-34-09 +.. gh-issue: 148093 +.. nonce: 9pWceM +.. section: Library + +Fix an out-of-bounds read of one byte in :func:`binascii.a2b_uu`. Raise +:exc:`binascii.Error`, instead of reading past the buffer end. + +.. + +.. date: 2026-04-27-17-12-11 +.. gh-issue: 148914 +.. nonce: i5C3kW +.. section: Library + +Fix memoization of in-band :class:`~pickle.PickleBuffer` in the Python +implementation of :mod:`pickle`. Previously, identical +:class:`!PickleBuffer`\ s did not preserve identity, and empty writable +:class:`!PickleBuffer` memoized an empty bytearray object in place of +``b''``, so the following references to ``b''`` were unpickled as an empty +bytearray object. + +.. + +.. date: 2026-04-25-14-11-24 +.. gh-issue: 138907 +.. nonce: u21Wnh +.. section: Library + +Support :rfc:`9309` in :mod:`urllib.robotparser`. + +.. + +.. date: 2026-04-24-19-54-00 +.. gh-issue: 148954 +.. nonce: v1 +.. section: Library + +Fix XML injection vulnerability in :func:`xmlrpc.client.dumps` where the +``methodname`` was not being escaped before interpolation into the XML body. + +.. + +.. date: 2026-04-20-18-29-21 +.. gh-issue: 148801 +.. nonce: ROeNqs +.. section: Library + +:mod:`xml.etree.ElementTree`: Fix a crash in :meth:`Element.__deepcopy__ +` on deeply nested trees. + +.. + +.. date: 2026-04-18-21-39-15 +.. gh-issue: 148735 +.. nonce: siw6DG +.. section: Library + +:mod:`xml.etree.ElementTree`: Fix a use-after-free in +:meth:`Element.findtext ` when the +element tree is mutated concurrently during the search. + +.. + +.. date: 2026-04-15-11-00-39 +.. gh-issue: 146553 +.. nonce: VGOsoP +.. section: Library + +Fix infinite loop in :func:`typing.get_type_hints` when ``__wrapped__`` +forms a cycle. Patch by Shamil Abdulaev. + +.. + +.. date: 2026-04-14-09-04-35 +.. gh-issue: 148508 +.. nonce: -GiXml +.. section: Library + +An intermittent timing error when running SSL tests on iOS has been +resolved. + +.. + +.. date: 2026-04-13-15-59-44 +.. gh-issue: 148518 +.. nonce: RQdvsu +.. section: Library + +If an email containing an address header that ended in an open double quote +was parsed with a non-``compat32`` policy, accessing the ``username`` +attribute of the mailbox accessed through that header object would result in +an ``IndexError``. It now correctly returns an empty string as the result. + +.. + +.. date: 2026-04-12-16-40-11 +.. gh-issue: 148370 +.. nonce: 0Li2EK +.. section: Library + +:mod:`configparser`: prevent quadratic behavior when a +:exc:`~configparser.ParsingError` is raised after a parser fails to parse +multiple lines. Patch by Bénédikt Tran. + +.. + +.. date: 2026-04-09-12-42-42 +.. gh-issue: 148254 +.. nonce: Xt7vKs +.. section: Library + +Use singular "sec" instead of "secs" in :mod:`timeit` verbose output for +consistency with other time units. + +.. + +.. date: 2026-04-07-14-13-40 +.. gh-issue: 148192 +.. nonce: 34AUYQ +.. section: Library + +``email.generator.Generator._make_boundary`` could fail to detect a +duplicate boundary string if linesep was not \n. It now correctly detects +boundary strings when linesep is \r\n as well. + +.. + +.. date: 2026-03-22-23-42-22 +.. gh-issue: 146313 +.. nonce: RtDeAd +.. section: Library + +Fix a deadlock in :mod:`multiprocessing`'s resource tracker where the parent +process could hang indefinitely in :func:`os.waitpid` during interpreter +shutdown if a child created via :func:`os.fork` still held the resource +tracker's pipe open. + +.. + +.. date: 2026-03-11-15-09-52 +.. gh-issue: 145831 +.. nonce: _sW94w +.. section: Library + +Fix :func:`!email.quoprimime.decode` leaving a stray ``\r`` when +``eol='\r\n'`` by stripping the full *eol* string instead of one character. + +.. + +.. date: 2026-02-22-00-00-00 +.. gh-issue: 145105 +.. nonce: csv-reader-reentrant +.. section: Library + +Fix crash in :mod:`csv` reader when iterating with a re-entrant iterator +that calls :func:`next` on the same reader from within ``__next__``. + +.. + +.. date: 2026-02-19-04-40-57 +.. gh-issue: 130750 +.. nonce: 0hW52O +.. section: Library + +Restore quoting of choices in :mod:`argparse` error messages for improved +clarity and consistency with documentation. + +.. + +.. date: 2026-01-19-21-23-18 +.. gh-issue: 105936 +.. nonce: dGrzjM +.. section: Library + +Attempting to mutate non-field attributes of :mod:`dataclasses` with both +*frozen* and *slots* being ``True`` now raises +:class:`~dataclasses.FrozenInstanceError` instead of :class:`TypeError`. +Their non-dataclass subclasses can now freely mutate non-field attributes, +and the original non-slotted class can be garbage collected. The fix also +handles the case of an empty ``__class__`` cell on a function found within +the class (gh-148947). + +.. + +.. date: 2026-01-11-13-03-32 +.. gh-issue: 142516 +.. nonce: u7An-s +.. section: Library + +:mod:`ssl`: fix reference leaks in :class:`ssl.SSLContext` objects. Patch by +Bénédikt Tran. + +.. + +.. date: 2025-12-17-04-10-35 +.. gh-issue: 142831 +.. nonce: ee3t4L +.. section: Library + +Fix a crash in the :mod:`json` module where a use-after-free could occur if +the object being encoded is modified during serialization. + +.. + +.. date: 2025-10-18-12-13-39 +.. gh-issue: 140287 +.. nonce: 49iU-4 +.. section: Library + +The :mod:`asyncio` REPL now handles exceptions when executing +:envvar:`PYTHONSTARTUP` scripts. Patch by Bartosz Sławecki. + +.. + +.. date: 2025-09-26-18-04-28 +.. gh-issue: 90949 +.. nonce: YHjSzX +.. section: Library + +Add +:meth:`~xml.parsers.expat.xmlparser.SetBillionLaughsAttackProtectionActivationThreshold` +and +:meth:`~xml.parsers.expat.xmlparser.SetBillionLaughsAttackProtectionMaximumAmplification` +to :ref:`xmlparser ` objects to tune protections against +`billion laughs `_ +attacks. Patch by Bénédikt Tran. + +.. + +.. date: 2025-04-17-15-26-35 +.. gh-issue: 132631 +.. nonce: IDFZfb +.. section: Library + +Fix "I/O operation on closed file" when parsing JSON Lines file with +:mod:`JSON CLI `. + +.. + +.. date: 2025-03-01-13-36-02 +.. gh-issue: 128110 +.. nonce: 9wx_G0 +.. section: Library + +Fix bug in the parsing of :mod:`email` address headers that could result in +extraneous spaces in the decoded text when using a modern email policy. +Space between pairs of adjacent :rfc:`2047` encoded-words is now ignored, +per section 6.2 (and consistent with existing parsing of unstructured +headers like *Subject*). + +.. + +.. date: 2024-11-02-02-02-31 +.. gh-issue: 107398 +.. nonce: uUtA6Q +.. section: Library + +Fix :mod:`tarfile` stream mode exception when process the file with the gzip +extra field. + +.. + +.. date: 2024-09-09-12-48-37 +.. gh-issue: 123853 +.. nonce: e-zFxb +.. section: Library + +Update the table of Windows language code identifiers (LCIDs) used by +:func:`locale.getdefaultlocale` on Windows to protocol version 16.0 +(2024-04-23). + +.. + +.. date: 2024-02-10-21-25-22 +.. gh-issue: 70039 +.. nonce: 6wvcAP +.. section: Library + +Fixed bug where :meth:`smtplib.SMTP.starttls` could fail if +:meth:`smtplib.SMTP.connect` is called explicitly rather than implicitly. + +.. + +.. date: 2023-09-08-13-10-32 +.. gh-issue: 83281 +.. nonce: 2Plpcj +.. section: Library + +:mod:`email`: improve handling trailing garbage in address lists to avoid +throwing AttributeError in certain edge cases + +.. + +.. date: 2023-02-26-14-07-18 +.. gh-issue: 91099 +.. nonce: _QPbEL +.. section: Library + +:meth:`imaplib.IMAP4.login` now raises exceptions with :class:`str` instead +of :class:`bytes`. Patch by Florian Best. + +.. + +.. bpo: 6699 +.. date: 2019-12-12-03-18-02 +.. nonce: 1CqJFG +.. section: IDLE + +Warn the user if a file will be overwritten when saving. + +.. + +.. date: 2026-05-23-17-27-41 +.. gh-issue: 150319 +.. nonce: ol9tWK +.. section: Documentation + +Generic builtin and standard library types now document the meaning of their +type parameters. + +.. + +.. date: 2026-04-17-02-28-55 +.. gh-issue: 148663 +.. nonce: MHIbRB +.. section: Documentation + +Document that :class:`calendar.IllegalMonthError` is a subclass of both +:exc:`ValueError` and :exc:`IndexError` since Python 3.12. + +.. + +.. date: 2026-04-02-07-20-00 +.. gh-issue: 146646 +.. nonce: GlobDoc1 +.. section: Documentation + +Document that :func:`glob.glob`, :func:`glob.iglob`, +:meth:`pathlib.Path.glob`, and :meth:`pathlib.Path.rglob` silently suppress +:exc:`OSError` exceptions raised from scanning the filesystem. + +.. + +.. date: 2023-09-16-23-42-27 +.. gh-issue: 109503 +.. nonce: mZ-kdU +.. section: Documentation + +Fix documentation for :func:`shutil.move` on usage of :func:`os.rename` +since nonatomic move might be used even if the files are on the same +filesystem. Patch by Fang Li + +.. + +.. date: 2026-06-09-12-24-35 +.. gh-issue: 151112 +.. nonce: 4RKCkD +.. section: Core and Builtins + +Fix a crash in the compiler that could occur when running out of memory. + +.. + +.. date: 2026-06-09-10-28-30 +.. gh-issue: 151126 +.. nonce: DKa6Sl +.. section: Core and Builtins + +Fix a crash, when there's no memory left on a device, which happened in: + +- code compilation - :func:`!_winapi.CreateProcess` + +Now these places raise proper :exc:`MemoryError` errors. + +.. + +.. date: 2026-05-30-20-19-35 +.. gh-issue: 150633 +.. nonce: XkNul0 +.. section: Core and Builtins + +Fix the frozen importer accepting module names with embedded null bytes, +which caused it to bypass the :data:`sys.modules` cache and create duplicate +module objects. + +.. + +.. date: 2026-05-24-14-45-00 +.. gh-issue: 149156 +.. nonce: NP73rB +.. section: Core and Builtins + +Fix an intermittent crash after :func:`os.fork` when perf trampoline +profiling is enabled and the child returns through trampoline frames +inherited from the parent process. + +.. + +.. date: 2026-05-23-22-08-01 +.. gh-issue: 149449 +.. nonce: 2lhQFF +.. section: Core and Builtins + +Fix a use-after-free crash when the :mod:`unicodedata` module was removed +from :data:`sys.modules` and garbage-collected between calls that decode +``\N{...}`` escapes or use the ``namereplace`` codec error handler. + +.. + +.. date: 2026-05-23-09-55-50 +.. gh-issue: 148450 +.. nonce: 2MEVqH +.. section: Core and Builtins + +Fix ``abc.register()`` so it invalidates type version tags for registered +classes. + +.. + +.. date: 2026-05-22-21-52-38 +.. gh-issue: 150207 +.. nonce: l2BUtI +.. section: Core and Builtins + +Fix a crash when a memory allocation fails during tokenizer initialization. +A proper :exc:`MemoryError` is now raised instead. + +.. + +.. date: 2026-05-22-17-09-28 +.. gh-issue: 150107 +.. nonce: GD72-D +.. section: Core and Builtins + +:mod:`asyncio`: ``sendfile()`` and ``sock_sendfile()`` event loop methods +now call ``file.seek(offset)`` if *file* has a ``seek()`` method, even if +*offset* is ``0`` (default value). + +.. + +.. date: 2026-05-20-13-06-17 +.. gh-issue: 150146 +.. nonce: i5m_SL +.. section: Core and Builtins + +Fix a crash on a complex type variable substitution. + +``from typing import TypeVar; memoryview[TypeVar("")][*typing.Mapping[..., +...]]`` used to fail due to missing ``NULL`` check on ``_unpack_args`` C +function call. + +.. + +.. date: 2026-05-18-13-47-17 +.. gh-issue: 149590 +.. nonce: IPBeQx +.. section: Core and Builtins + +Fix crash when faulthandler is imported more than once. + +.. + +.. date: 2026-05-13-06-54-41 +.. gh-issue: 149738 +.. nonce: 4BLFoH +.. section: Core and Builtins + +:mod:`sqlite3`: Disallow removing ``row_factory`` and ``text_factory`` +attributes of a connection to prevent a crash on a query. + +.. + +.. date: 2026-05-12-16-47-23 +.. gh-issue: 139808 +.. nonce: iIs7_E +.. section: Core and Builtins + +Add branch protections for AArch64 (BTI/PAC) in assembly code used by +:option:`-X perf_jit <-X>` (Linux perf profiler integration). + +.. + +.. date: 2026-04-21-14-36-44 +.. gh-issue: 148820 +.. nonce: XhOGhA +.. section: Core and Builtins + +Fix a race in :c:type:`!_PyRawMutex` on the free-threaded build where a +``Py_PARK_INTR`` return from ``_PySemaphore_Wait`` could let the waiter +destroy its semaphore before the unlocking thread's ``_PySemaphore_Wakeup`` +completed, causing a fatal ``ReleaseSemaphore`` error. + +.. + +.. date: 2026-04-17-20-37-02 +.. gh-issue: 148653 +.. nonce: nbbHMh +.. section: Core and Builtins + +Forbid :mod:`marshalling ` recursive code objects which cannot be +correctly unmarshalled. + +.. + +.. date: 2026-04-12-17-27-28 +.. gh-issue: 148390 +.. nonce: MAhw7F +.. section: Core and Builtins + +Fix an undefined behavior in :class:`memoryview` when using the native +boolean format (``?``) in :meth:`~memoryview.cast`. Previously, on some +common platforms, calling ``memoryview(b).cast("?").tolist()`` incorrectly +returned ``[False]`` instead of ``[True]`` for any even byte *b*. Patch by +Bénédikt Tran. + +.. + +.. date: 2026-04-12-10-40-57 +.. gh-issue: 148418 +.. nonce: ggA1LZ +.. section: Core and Builtins + +Fix a possible reference leak in a corrupted ``TYPE_CODE`` marshal stream. + +.. + +.. date: 2026-04-07-20-37-23 +.. gh-issue: 148222 +.. nonce: uF4D4E +.. section: Core and Builtins + +Fix vectorcall support in :class:`types.GenericAlias` when the underlying +type does not support the vectorcall protocol. Fix possible leaks in +:class:`types.GenericAlias` and :class:`types.UnionType` in case of memory +error. + +.. + +.. date: 2026-02-28-16-46-17 +.. gh-issue: 145376 +.. nonce: lG5u1a +.. section: Core and Builtins + +Fix reference leaks in various unusual error scenarios. + +.. + +.. date: 2026-06-04-14-26-17 +.. gh-issue: 150907 +.. nonce: CA91_B +.. section: C API + +Fix ``dynamic_annotations.h`` header file when built with C++ and Valgrind: +add ``extern "C++" scope`` for the C++ template. Patch by Victor Stinner. + +.. + +.. date: 2026-05-04-06-03-50 +.. gh-issue: 149351 +.. nonce: hN4sF0 +.. section: Build + +Avoid possible broken macOS framework install names when DESTDIR is +specified during builds. + +.. + +.. date: 2026-04-30-08-43-47 +.. gh-issue: 146475 +.. nonce: 1cL4hX +.. section: Build + +Block Apple Clang from being used to build the JIT as it ships without +required LLVM tools. + +.. + +.. date: 2026-04-14-15-20-29 +.. gh-issue: 148535 +.. nonce: JjKiaa +.. section: Build + +No longer use the ``gcc -fprofile-update=atomic`` flag on i686. The flag has +been added to fix a random GCC internal error on PGO build (:gh:`145801`) +caused by corruption of profile data (.gcda files). The problem is that it +makes the PGO build way slower (up to 47x slower) on i686. Since the GCC +internal error was not seen on i686 so far, don't use +``-fprofile-update=atomic`` on i686 anymore. Patch by Victor Stinner. diff --git a/Misc/NEWS.d/next/Build/2026-04-14-15-20-29.gh-issue-148535.JjKiaa.rst b/Misc/NEWS.d/next/Build/2026-04-14-15-20-29.gh-issue-148535.JjKiaa.rst deleted file mode 100644 index 39f37acb14e0..000000000000 --- a/Misc/NEWS.d/next/Build/2026-04-14-15-20-29.gh-issue-148535.JjKiaa.rst +++ /dev/null @@ -1,6 +0,0 @@ -No longer use the ``gcc -fprofile-update=atomic`` flag on i686. The flag has -been added to fix a random GCC internal error on PGO build (:gh:`145801`) -caused by corruption of profile data (.gcda files). The problem is that it -makes the PGO build way slower (up to 47x slower) on i686. Since the GCC -internal error was not seen on i686 so far, don't use -``-fprofile-update=atomic`` on i686 anymore. Patch by Victor Stinner. diff --git a/Misc/NEWS.d/next/Build/2026-04-30-08-43-47.gh-issue-146475.1cL4hX.rst b/Misc/NEWS.d/next/Build/2026-04-30-08-43-47.gh-issue-146475.1cL4hX.rst deleted file mode 100644 index 225c659393fa..000000000000 --- a/Misc/NEWS.d/next/Build/2026-04-30-08-43-47.gh-issue-146475.1cL4hX.rst +++ /dev/null @@ -1,2 +0,0 @@ -Block Apple Clang from being used to build the JIT as it ships without -required LLVM tools. diff --git a/Misc/NEWS.d/next/Build/2026-05-04-06-03-50.gh-issue-149351.hN4sF0.rst b/Misc/NEWS.d/next/Build/2026-05-04-06-03-50.gh-issue-149351.hN4sF0.rst deleted file mode 100644 index 792c8d394ecc..000000000000 --- a/Misc/NEWS.d/next/Build/2026-05-04-06-03-50.gh-issue-149351.hN4sF0.rst +++ /dev/null @@ -1,2 +0,0 @@ -Avoid possible broken macOS framework install names when DESTDIR is -specified during builds. diff --git a/Misc/NEWS.d/next/C_API/2026-06-04-14-26-17.gh-issue-150907.CA91_B.rst b/Misc/NEWS.d/next/C_API/2026-06-04-14-26-17.gh-issue-150907.CA91_B.rst deleted file mode 100644 index f58b248f3a0b..000000000000 --- a/Misc/NEWS.d/next/C_API/2026-06-04-14-26-17.gh-issue-150907.CA91_B.rst +++ /dev/null @@ -1,2 +0,0 @@ -Fix ``dynamic_annotations.h`` header file when built with C++ and Valgrind: -add ``extern "C++" scope`` for the C++ template. Patch by Victor Stinner. diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2026-02-28-16-46-17.gh-issue-145376.lG5u1a.rst b/Misc/NEWS.d/next/Core_and_Builtins/2026-02-28-16-46-17.gh-issue-145376.lG5u1a.rst deleted file mode 100644 index a5a6908757e4..000000000000 --- a/Misc/NEWS.d/next/Core_and_Builtins/2026-02-28-16-46-17.gh-issue-145376.lG5u1a.rst +++ /dev/null @@ -1 +0,0 @@ -Fix reference leaks in various unusual error scenarios. diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2026-04-07-20-37-23.gh-issue-148222.uF4D4E.rst b/Misc/NEWS.d/next/Core_and_Builtins/2026-04-07-20-37-23.gh-issue-148222.uF4D4E.rst deleted file mode 100644 index 2c273fc4daba..000000000000 --- a/Misc/NEWS.d/next/Core_and_Builtins/2026-04-07-20-37-23.gh-issue-148222.uF4D4E.rst +++ /dev/null @@ -1 +0,0 @@ -Fix vectorcall support in :class:`types.GenericAlias` when the underlying type does not support the vectorcall protocol. Fix possible leaks in :class:`types.GenericAlias` and :class:`types.UnionType` in case of memory error. diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2026-04-12-10-40-57.gh-issue-148418.ggA1LZ.rst b/Misc/NEWS.d/next/Core_and_Builtins/2026-04-12-10-40-57.gh-issue-148418.ggA1LZ.rst deleted file mode 100644 index 793858be7814..000000000000 --- a/Misc/NEWS.d/next/Core_and_Builtins/2026-04-12-10-40-57.gh-issue-148418.ggA1LZ.rst +++ /dev/null @@ -1 +0,0 @@ -Fix a possible reference leak in a corrupted ``TYPE_CODE`` marshal stream. diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2026-04-12-17-27-28.gh-issue-148390.MAhw7F.rst b/Misc/NEWS.d/next/Core_and_Builtins/2026-04-12-17-27-28.gh-issue-148390.MAhw7F.rst deleted file mode 100644 index 881964673307..000000000000 --- a/Misc/NEWS.d/next/Core_and_Builtins/2026-04-12-17-27-28.gh-issue-148390.MAhw7F.rst +++ /dev/null @@ -1,5 +0,0 @@ -Fix an undefined behavior in :class:`memoryview` when using the native -boolean format (``?``) in :meth:`~memoryview.cast`. Previously, on some -common platforms, calling ``memoryview(b).cast("?").tolist()`` incorrectly -returned ``[False]`` instead of ``[True]`` for any even byte *b*. -Patch by Bénédikt Tran. diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2026-04-17-20-37-02.gh-issue-148653.nbbHMh.rst b/Misc/NEWS.d/next/Core_and_Builtins/2026-04-17-20-37-02.gh-issue-148653.nbbHMh.rst deleted file mode 100644 index 2edcb35aa98a..000000000000 --- a/Misc/NEWS.d/next/Core_and_Builtins/2026-04-17-20-37-02.gh-issue-148653.nbbHMh.rst +++ /dev/null @@ -1,2 +0,0 @@ -Forbid :mod:`marshalling ` recursive code objects -which cannot be correctly unmarshalled. diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2026-04-21-14-36-44.gh-issue-148820.XhOGhA.rst b/Misc/NEWS.d/next/Core_and_Builtins/2026-04-21-14-36-44.gh-issue-148820.XhOGhA.rst deleted file mode 100644 index 392becaffb73..000000000000 --- a/Misc/NEWS.d/next/Core_and_Builtins/2026-04-21-14-36-44.gh-issue-148820.XhOGhA.rst +++ /dev/null @@ -1,5 +0,0 @@ -Fix a race in :c:type:`!_PyRawMutex` on the free-threaded build where a -``Py_PARK_INTR`` return from ``_PySemaphore_Wait`` could let the waiter -destroy its semaphore before the unlocking thread's -``_PySemaphore_Wakeup`` completed, causing a fatal ``ReleaseSemaphore`` -error. diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2026-05-12-16-47-23.gh-issue-139808.iIs7_E.rst b/Misc/NEWS.d/next/Core_and_Builtins/2026-05-12-16-47-23.gh-issue-139808.iIs7_E.rst deleted file mode 100644 index 3e9d930bf1de..000000000000 --- a/Misc/NEWS.d/next/Core_and_Builtins/2026-05-12-16-47-23.gh-issue-139808.iIs7_E.rst +++ /dev/null @@ -1,2 +0,0 @@ -Add branch protections for AArch64 (BTI/PAC) in assembly code used by -:option:`-X perf_jit <-X>` (Linux perf profiler integration). diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2026-05-13-06-54-41.gh-issue-149738.4BLFoH.rst b/Misc/NEWS.d/next/Core_and_Builtins/2026-05-13-06-54-41.gh-issue-149738.4BLFoH.rst deleted file mode 100644 index e62b681d7166..000000000000 --- a/Misc/NEWS.d/next/Core_and_Builtins/2026-05-13-06-54-41.gh-issue-149738.4BLFoH.rst +++ /dev/null @@ -1,2 +0,0 @@ -:mod:`sqlite3`: Disallow removing ``row_factory`` and ``text_factory`` attributes -of a connection to prevent a crash on a query. diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2026-05-18-13-47-17.gh-issue-149590.IPBeQx.rst b/Misc/NEWS.d/next/Core_and_Builtins/2026-05-18-13-47-17.gh-issue-149590.IPBeQx.rst deleted file mode 100644 index 8d3b29d69cc8..000000000000 --- a/Misc/NEWS.d/next/Core_and_Builtins/2026-05-18-13-47-17.gh-issue-149590.IPBeQx.rst +++ /dev/null @@ -1 +0,0 @@ -Fix crash when faulthandler is imported more than once. diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2026-05-20-13-06-17.gh-issue-150146.i5m_SL.rst b/Misc/NEWS.d/next/Core_and_Builtins/2026-05-20-13-06-17.gh-issue-150146.i5m_SL.rst deleted file mode 100644 index f373f0bee702..000000000000 --- a/Misc/NEWS.d/next/Core_and_Builtins/2026-05-20-13-06-17.gh-issue-150146.i5m_SL.rst +++ /dev/null @@ -1,5 +0,0 @@ -Fix a crash on a complex type variable substitution. - -``from typing import TypeVar; memoryview[TypeVar("")][*typing.Mapping[..., -...]]`` used to fail due to missing ``NULL`` check on ``_unpack_args`` C -function call. diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2026-05-22-17-09-28.gh-issue-150107.GD72-D.rst b/Misc/NEWS.d/next/Core_and_Builtins/2026-05-22-17-09-28.gh-issue-150107.GD72-D.rst deleted file mode 100644 index a13f249e48cc..000000000000 --- a/Misc/NEWS.d/next/Core_and_Builtins/2026-05-22-17-09-28.gh-issue-150107.GD72-D.rst +++ /dev/null @@ -1,3 +0,0 @@ -:mod:`asyncio`: ``sendfile()`` and ``sock_sendfile()`` event loop methods -now call ``file.seek(offset)`` if *file* has a ``seek()`` method, -even if *offset* is ``0`` (default value). diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2026-05-22-21-52-38.gh-issue-150207.l2BUtI.rst b/Misc/NEWS.d/next/Core_and_Builtins/2026-05-22-21-52-38.gh-issue-150207.l2BUtI.rst deleted file mode 100644 index 12fbffcd1706..000000000000 --- a/Misc/NEWS.d/next/Core_and_Builtins/2026-05-22-21-52-38.gh-issue-150207.l2BUtI.rst +++ /dev/null @@ -1 +0,0 @@ -Fix a crash when a memory allocation fails during tokenizer initialization. A proper :exc:`MemoryError` is now raised instead. diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2026-05-23-09-55-50.gh-issue-148450.2MEVqH.rst b/Misc/NEWS.d/next/Core_and_Builtins/2026-05-23-09-55-50.gh-issue-148450.2MEVqH.rst deleted file mode 100644 index 2a7d0d9bb3a7..000000000000 --- a/Misc/NEWS.d/next/Core_and_Builtins/2026-05-23-09-55-50.gh-issue-148450.2MEVqH.rst +++ /dev/null @@ -1 +0,0 @@ -Fix ``abc.register()`` so it invalidates type version tags for registered classes. diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2026-05-23-22-08-01.gh-issue-149449.2lhQFF.rst b/Misc/NEWS.d/next/Core_and_Builtins/2026-05-23-22-08-01.gh-issue-149449.2lhQFF.rst deleted file mode 100644 index 7d11442468d2..000000000000 --- a/Misc/NEWS.d/next/Core_and_Builtins/2026-05-23-22-08-01.gh-issue-149449.2lhQFF.rst +++ /dev/null @@ -1,3 +0,0 @@ -Fix a use-after-free crash when the :mod:`unicodedata` module was removed -from :data:`sys.modules` and garbage-collected between calls that decode -``\N{...}`` escapes or use the ``namereplace`` codec error handler. diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2026-05-24-14-45-00.gh-issue-149156.NP73rB.rst b/Misc/NEWS.d/next/Core_and_Builtins/2026-05-24-14-45-00.gh-issue-149156.NP73rB.rst deleted file mode 100644 index 2cb091e2b162..000000000000 --- a/Misc/NEWS.d/next/Core_and_Builtins/2026-05-24-14-45-00.gh-issue-149156.NP73rB.rst +++ /dev/null @@ -1,3 +0,0 @@ -Fix an intermittent crash after :func:`os.fork` when perf trampoline -profiling is enabled and the child returns through trampoline frames -inherited from the parent process. diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2026-05-30-20-19-35.gh-issue-150633.XkNul0.rst b/Misc/NEWS.d/next/Core_and_Builtins/2026-05-30-20-19-35.gh-issue-150633.XkNul0.rst deleted file mode 100644 index c397ad61f086..000000000000 --- a/Misc/NEWS.d/next/Core_and_Builtins/2026-05-30-20-19-35.gh-issue-150633.XkNul0.rst +++ /dev/null @@ -1,3 +0,0 @@ -Fix the frozen importer accepting module names with embedded null bytes, which -caused it to bypass the :data:`sys.modules` cache and create duplicate module -objects. diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2026-06-09-10-28-30.gh-issue-151126.DKa6Sl.rst b/Misc/NEWS.d/next/Core_and_Builtins/2026-06-09-10-28-30.gh-issue-151126.DKa6Sl.rst deleted file mode 100644 index 81e87e539865..000000000000 --- a/Misc/NEWS.d/next/Core_and_Builtins/2026-06-09-10-28-30.gh-issue-151126.DKa6Sl.rst +++ /dev/null @@ -1,7 +0,0 @@ -Fix a crash, when there's no memory left on a device, -which happened in: - -- code compilation -- :func:`!_winapi.CreateProcess` - -Now these places raise proper :exc:`MemoryError` errors. diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2026-06-09-12-24-35.gh-issue-151112.4RKCkD.rst b/Misc/NEWS.d/next/Core_and_Builtins/2026-06-09-12-24-35.gh-issue-151112.4RKCkD.rst deleted file mode 100644 index 93ee5c8cf191..000000000000 --- a/Misc/NEWS.d/next/Core_and_Builtins/2026-06-09-12-24-35.gh-issue-151112.4RKCkD.rst +++ /dev/null @@ -1 +0,0 @@ -Fix a crash in the compiler that could occur when running out of memory. diff --git a/Misc/NEWS.d/next/Documentation/2023-09-16-23-42-27.gh-issue-109503.mZ-kdU.rst b/Misc/NEWS.d/next/Documentation/2023-09-16-23-42-27.gh-issue-109503.mZ-kdU.rst deleted file mode 100644 index c3c6c57569c2..000000000000 --- a/Misc/NEWS.d/next/Documentation/2023-09-16-23-42-27.gh-issue-109503.mZ-kdU.rst +++ /dev/null @@ -1,3 +0,0 @@ -Fix documentation for :func:`shutil.move` on usage of -:func:`os.rename` since nonatomic move might be used even if the files are -on the same filesystem. Patch by Fang Li diff --git a/Misc/NEWS.d/next/Documentation/2026-04-02-07-20-00.gh-issue-146646.GlobDoc1.rst b/Misc/NEWS.d/next/Documentation/2026-04-02-07-20-00.gh-issue-146646.GlobDoc1.rst deleted file mode 100644 index 4e89270442a3..000000000000 --- a/Misc/NEWS.d/next/Documentation/2026-04-02-07-20-00.gh-issue-146646.GlobDoc1.rst +++ /dev/null @@ -1,3 +0,0 @@ -Document that :func:`glob.glob`, :func:`glob.iglob`, -:meth:`pathlib.Path.glob`, and :meth:`pathlib.Path.rglob` silently suppress -:exc:`OSError` exceptions raised from scanning the filesystem. diff --git a/Misc/NEWS.d/next/Documentation/2026-04-17-02-28-55.gh-issue-148663.MHIbRB.rst b/Misc/NEWS.d/next/Documentation/2026-04-17-02-28-55.gh-issue-148663.MHIbRB.rst deleted file mode 100644 index 0fbe5a699ef0..000000000000 --- a/Misc/NEWS.d/next/Documentation/2026-04-17-02-28-55.gh-issue-148663.MHIbRB.rst +++ /dev/null @@ -1,2 +0,0 @@ -Document that :class:`calendar.IllegalMonthError` is a subclass of both -:exc:`ValueError` and :exc:`IndexError` since Python 3.12. diff --git a/Misc/NEWS.d/next/Documentation/2026-05-23-17-27-41.gh-issue-150319.ol9tWK.rst b/Misc/NEWS.d/next/Documentation/2026-05-23-17-27-41.gh-issue-150319.ol9tWK.rst deleted file mode 100644 index d56ccbce2fa3..000000000000 --- a/Misc/NEWS.d/next/Documentation/2026-05-23-17-27-41.gh-issue-150319.ol9tWK.rst +++ /dev/null @@ -1,2 +0,0 @@ -Generic builtin and standard library types now document the meaning of their -type parameters. diff --git a/Misc/NEWS.d/next/IDLE/2019-12-12-03-18-02.bpo-6699.1CqJFG.rst b/Misc/NEWS.d/next/IDLE/2019-12-12-03-18-02.bpo-6699.1CqJFG.rst deleted file mode 100644 index e7fb9bf1b3bd..000000000000 --- a/Misc/NEWS.d/next/IDLE/2019-12-12-03-18-02.bpo-6699.1CqJFG.rst +++ /dev/null @@ -1 +0,0 @@ -Warn the user if a file will be overwritten when saving. diff --git a/Misc/NEWS.d/next/Library/2023-02-26-14-07-18.gh-issue-91099._QPbEL.rst b/Misc/NEWS.d/next/Library/2023-02-26-14-07-18.gh-issue-91099._QPbEL.rst deleted file mode 100644 index d886e8ac6032..000000000000 --- a/Misc/NEWS.d/next/Library/2023-02-26-14-07-18.gh-issue-91099._QPbEL.rst +++ /dev/null @@ -1,2 +0,0 @@ -:meth:`imaplib.IMAP4.login` now raises exceptions with :class:`str` instead of -:class:`bytes`. Patch by Florian Best. diff --git a/Misc/NEWS.d/next/Library/2023-09-08-13-10-32.gh-issue-83281.2Plpcj.rst b/Misc/NEWS.d/next/Library/2023-09-08-13-10-32.gh-issue-83281.2Plpcj.rst deleted file mode 100644 index cf2ae770bd19..000000000000 --- a/Misc/NEWS.d/next/Library/2023-09-08-13-10-32.gh-issue-83281.2Plpcj.rst +++ /dev/null @@ -1,2 +0,0 @@ -:mod:`email`: improve handling trailing garbage in address lists to avoid throwing -AttributeError in certain edge cases diff --git a/Misc/NEWS.d/next/Library/2024-02-10-21-25-22.gh-issue-70039.6wvcAP.rst b/Misc/NEWS.d/next/Library/2024-02-10-21-25-22.gh-issue-70039.6wvcAP.rst deleted file mode 100644 index 8bb2cd188e89..000000000000 --- a/Misc/NEWS.d/next/Library/2024-02-10-21-25-22.gh-issue-70039.6wvcAP.rst +++ /dev/null @@ -1 +0,0 @@ -Fixed bug where :meth:`smtplib.SMTP.starttls` could fail if :meth:`smtplib.SMTP.connect` is called explicitly rather than implicitly. diff --git a/Misc/NEWS.d/next/Library/2024-09-09-12-48-37.gh-issue-123853.e-zFxb.rst b/Misc/NEWS.d/next/Library/2024-09-09-12-48-37.gh-issue-123853.e-zFxb.rst deleted file mode 100644 index d7204c289369..000000000000 --- a/Misc/NEWS.d/next/Library/2024-09-09-12-48-37.gh-issue-123853.e-zFxb.rst +++ /dev/null @@ -1,3 +0,0 @@ -Update the table of Windows language code identifiers (LCIDs) used by -:func:`locale.getdefaultlocale` on Windows to protocol version 16.0 -(2024-04-23). diff --git a/Misc/NEWS.d/next/Library/2024-11-02-02-02-31.gh-issue-107398.uUtA6Q.rst b/Misc/NEWS.d/next/Library/2024-11-02-02-02-31.gh-issue-107398.uUtA6Q.rst deleted file mode 100644 index d5af322d68d3..000000000000 --- a/Misc/NEWS.d/next/Library/2024-11-02-02-02-31.gh-issue-107398.uUtA6Q.rst +++ /dev/null @@ -1 +0,0 @@ -Fix :mod:`tarfile` stream mode exception when process the file with the gzip extra field. diff --git a/Misc/NEWS.d/next/Library/2025-03-01-13-36-02.gh-issue-128110.9wx_G0.rst b/Misc/NEWS.d/next/Library/2025-03-01-13-36-02.gh-issue-128110.9wx_G0.rst deleted file mode 100644 index b08b1886cff9..000000000000 --- a/Misc/NEWS.d/next/Library/2025-03-01-13-36-02.gh-issue-128110.9wx_G0.rst +++ /dev/null @@ -1,5 +0,0 @@ -Fix bug in the parsing of :mod:`email` address headers that could result in -extraneous spaces in the decoded text when using a modern email policy. -Space between pairs of adjacent :rfc:`2047` encoded-words is now ignored, per -section 6.2 (and consistent with existing parsing of unstructured -headers like *Subject*). diff --git a/Misc/NEWS.d/next/Library/2025-04-17-15-26-35.gh-issue-132631.IDFZfb.rst b/Misc/NEWS.d/next/Library/2025-04-17-15-26-35.gh-issue-132631.IDFZfb.rst deleted file mode 100644 index 9cc1d5a389c0..000000000000 --- a/Misc/NEWS.d/next/Library/2025-04-17-15-26-35.gh-issue-132631.IDFZfb.rst +++ /dev/null @@ -1,2 +0,0 @@ -Fix "I/O operation on closed file" when parsing JSON Lines file with -:mod:`JSON CLI `. diff --git a/Misc/NEWS.d/next/Library/2025-09-26-18-04-28.gh-issue-90949.YHjSzX.rst b/Misc/NEWS.d/next/Library/2025-09-26-18-04-28.gh-issue-90949.YHjSzX.rst deleted file mode 100644 index dae1b618ca0d..000000000000 --- a/Misc/NEWS.d/next/Library/2025-09-26-18-04-28.gh-issue-90949.YHjSzX.rst +++ /dev/null @@ -1,7 +0,0 @@ -Add -:meth:`~xml.parsers.expat.xmlparser.SetBillionLaughsAttackProtectionActivationThreshold` -and -:meth:`~xml.parsers.expat.xmlparser.SetBillionLaughsAttackProtectionMaximumAmplification` -to :ref:`xmlparser ` objects to tune protections against -`billion laughs `_ attacks. -Patch by Bénédikt Tran. diff --git a/Misc/NEWS.d/next/Library/2025-10-18-12-13-39.gh-issue-140287.49iU-4.rst b/Misc/NEWS.d/next/Library/2025-10-18-12-13-39.gh-issue-140287.49iU-4.rst deleted file mode 100644 index 09643956d980..000000000000 --- a/Misc/NEWS.d/next/Library/2025-10-18-12-13-39.gh-issue-140287.49iU-4.rst +++ /dev/null @@ -1,2 +0,0 @@ -The :mod:`asyncio` REPL now handles exceptions when executing :envvar:`PYTHONSTARTUP` scripts. -Patch by Bartosz Sławecki. diff --git a/Misc/NEWS.d/next/Library/2025-12-17-04-10-35.gh-issue-142831.ee3t4L.rst b/Misc/NEWS.d/next/Library/2025-12-17-04-10-35.gh-issue-142831.ee3t4L.rst deleted file mode 100644 index 5fa3cd2727a9..000000000000 --- a/Misc/NEWS.d/next/Library/2025-12-17-04-10-35.gh-issue-142831.ee3t4L.rst +++ /dev/null @@ -1,2 +0,0 @@ -Fix a crash in the :mod:`json` module where a use-after-free could occur if -the object being encoded is modified during serialization. diff --git a/Misc/NEWS.d/next/Library/2026-01-11-13-03-32.gh-issue-142516.u7An-s.rst b/Misc/NEWS.d/next/Library/2026-01-11-13-03-32.gh-issue-142516.u7An-s.rst deleted file mode 100644 index efa7c8a1f626..000000000000 --- a/Misc/NEWS.d/next/Library/2026-01-11-13-03-32.gh-issue-142516.u7An-s.rst +++ /dev/null @@ -1,2 +0,0 @@ -:mod:`ssl`: fix reference leaks in :class:`ssl.SSLContext` objects. Patch by -Bénédikt Tran. diff --git a/Misc/NEWS.d/next/Library/2026-01-19-21-23-18.gh-issue-105936.dGrzjM.rst b/Misc/NEWS.d/next/Library/2026-01-19-21-23-18.gh-issue-105936.dGrzjM.rst deleted file mode 100644 index 076574ce8599..000000000000 --- a/Misc/NEWS.d/next/Library/2026-01-19-21-23-18.gh-issue-105936.dGrzjM.rst +++ /dev/null @@ -1,7 +0,0 @@ -Attempting to mutate non-field attributes of :mod:`dataclasses` -with both *frozen* and *slots* being ``True`` now raises -:class:`~dataclasses.FrozenInstanceError` instead of :class:`TypeError`. -Their non-dataclass subclasses can now freely mutate non-field attributes, -and the original non-slotted class can be garbage collected. The fix also -handles the case of an empty ``__class__`` cell on a function found within -the class (gh-148947). diff --git a/Misc/NEWS.d/next/Library/2026-02-19-04-40-57.gh-issue-130750.0hW52O.rst b/Misc/NEWS.d/next/Library/2026-02-19-04-40-57.gh-issue-130750.0hW52O.rst deleted file mode 100644 index 8bca48ab1594..000000000000 --- a/Misc/NEWS.d/next/Library/2026-02-19-04-40-57.gh-issue-130750.0hW52O.rst +++ /dev/null @@ -1,2 +0,0 @@ -Restore quoting of choices in :mod:`argparse` error messages for improved clarity and consistency with documentation. - diff --git a/Misc/NEWS.d/next/Library/2026-02-22-00-00-00.gh-issue-145105.csv-reader-reentrant.rst b/Misc/NEWS.d/next/Library/2026-02-22-00-00-00.gh-issue-145105.csv-reader-reentrant.rst deleted file mode 100644 index 1c2e06c86f65..000000000000 --- a/Misc/NEWS.d/next/Library/2026-02-22-00-00-00.gh-issue-145105.csv-reader-reentrant.rst +++ /dev/null @@ -1,2 +0,0 @@ -Fix crash in :mod:`csv` reader when iterating with a re-entrant iterator -that calls :func:`next` on the same reader from within ``__next__``. diff --git a/Misc/NEWS.d/next/Library/2026-03-11-15-09-52.gh-issue-145831._sW94w.rst b/Misc/NEWS.d/next/Library/2026-03-11-15-09-52.gh-issue-145831._sW94w.rst deleted file mode 100644 index 454b62bc0db9..000000000000 --- a/Misc/NEWS.d/next/Library/2026-03-11-15-09-52.gh-issue-145831._sW94w.rst +++ /dev/null @@ -1,2 +0,0 @@ -Fix :func:`!email.quoprimime.decode` leaving a stray ``\r`` when -``eol='\r\n'`` by stripping the full *eol* string instead of one character. diff --git a/Misc/NEWS.d/next/Library/2026-03-22-23-42-22.gh-issue-146313.RtDeAd.rst b/Misc/NEWS.d/next/Library/2026-03-22-23-42-22.gh-issue-146313.RtDeAd.rst deleted file mode 100644 index 1beea3694c42..000000000000 --- a/Misc/NEWS.d/next/Library/2026-03-22-23-42-22.gh-issue-146313.RtDeAd.rst +++ /dev/null @@ -1,4 +0,0 @@ -Fix a deadlock in :mod:`multiprocessing`'s resource tracker -where the parent process could hang indefinitely in :func:`os.waitpid` -during interpreter shutdown if a child created via :func:`os.fork` still -held the resource tracker's pipe open. diff --git a/Misc/NEWS.d/next/Library/2026-04-07-14-13-40.gh-issue-148192.34AUYQ.rst b/Misc/NEWS.d/next/Library/2026-04-07-14-13-40.gh-issue-148192.34AUYQ.rst deleted file mode 100644 index 87a568b50c17..000000000000 --- a/Misc/NEWS.d/next/Library/2026-04-07-14-13-40.gh-issue-148192.34AUYQ.rst +++ /dev/null @@ -1,3 +0,0 @@ -``email.generator.Generator._make_boundary`` could fail to detect a duplicate -boundary string if linesep was not \n. It now correctly detects boundary -strings when linesep is \r\n as well. diff --git a/Misc/NEWS.d/next/Library/2026-04-09-12-42-42.gh-issue-148254.Xt7vKs.rst b/Misc/NEWS.d/next/Library/2026-04-09-12-42-42.gh-issue-148254.Xt7vKs.rst deleted file mode 100644 index 818310c31b9d..000000000000 --- a/Misc/NEWS.d/next/Library/2026-04-09-12-42-42.gh-issue-148254.Xt7vKs.rst +++ /dev/null @@ -1,2 +0,0 @@ -Use singular "sec" instead of "secs" in :mod:`timeit` verbose output for -consistency with other time units. diff --git a/Misc/NEWS.d/next/Library/2026-04-12-16-40-11.gh-issue-148370.0Li2EK.rst b/Misc/NEWS.d/next/Library/2026-04-12-16-40-11.gh-issue-148370.0Li2EK.rst deleted file mode 100644 index 3bb662350796..000000000000 --- a/Misc/NEWS.d/next/Library/2026-04-12-16-40-11.gh-issue-148370.0Li2EK.rst +++ /dev/null @@ -1,2 +0,0 @@ -:mod:`configparser`: prevent quadratic behavior when a :exc:`~configparser.ParsingError` -is raised after a parser fails to parse multiple lines. Patch by Bénédikt Tran. diff --git a/Misc/NEWS.d/next/Library/2026-04-13-15-59-44.gh-issue-148518.RQdvsu.rst b/Misc/NEWS.d/next/Library/2026-04-13-15-59-44.gh-issue-148518.RQdvsu.rst deleted file mode 100644 index 994e4ad74466..000000000000 --- a/Misc/NEWS.d/next/Library/2026-04-13-15-59-44.gh-issue-148518.RQdvsu.rst +++ /dev/null @@ -1,4 +0,0 @@ -If an email containing an address header that ended in an open double quote -was parsed with a non-``compat32`` policy, accessing the ``username`` attribute -of the mailbox accessed through that header object would result in an -``IndexError``. It now correctly returns an empty string as the result. diff --git a/Misc/NEWS.d/next/Library/2026-04-14-09-04-35.gh-issue-148508.-GiXml.rst b/Misc/NEWS.d/next/Library/2026-04-14-09-04-35.gh-issue-148508.-GiXml.rst deleted file mode 100644 index 7995dec397f7..000000000000 --- a/Misc/NEWS.d/next/Library/2026-04-14-09-04-35.gh-issue-148508.-GiXml.rst +++ /dev/null @@ -1,2 +0,0 @@ -An intermittent timing error when running SSL tests on iOS has been -resolved. diff --git a/Misc/NEWS.d/next/Library/2026-04-15-11-00-39.gh-issue-146553.VGOsoP.rst b/Misc/NEWS.d/next/Library/2026-04-15-11-00-39.gh-issue-146553.VGOsoP.rst deleted file mode 100644 index 44216318d474..000000000000 --- a/Misc/NEWS.d/next/Library/2026-04-15-11-00-39.gh-issue-146553.VGOsoP.rst +++ /dev/null @@ -1,2 +0,0 @@ -Fix infinite loop in :func:`typing.get_type_hints` when ``__wrapped__`` -forms a cycle. Patch by Shamil Abdulaev. diff --git a/Misc/NEWS.d/next/Library/2026-04-18-21-39-15.gh-issue-148735.siw6DG.rst b/Misc/NEWS.d/next/Library/2026-04-18-21-39-15.gh-issue-148735.siw6DG.rst deleted file mode 100644 index db5e94c0ccac..000000000000 --- a/Misc/NEWS.d/next/Library/2026-04-18-21-39-15.gh-issue-148735.siw6DG.rst +++ /dev/null @@ -1,3 +0,0 @@ -:mod:`xml.etree.ElementTree`: Fix a use-after-free in -:meth:`Element.findtext ` when the -element tree is mutated concurrently during the search. diff --git a/Misc/NEWS.d/next/Library/2026-04-20-18-29-21.gh-issue-148801.ROeNqs.rst b/Misc/NEWS.d/next/Library/2026-04-20-18-29-21.gh-issue-148801.ROeNqs.rst deleted file mode 100644 index 6fcd30e8f057..000000000000 --- a/Misc/NEWS.d/next/Library/2026-04-20-18-29-21.gh-issue-148801.ROeNqs.rst +++ /dev/null @@ -1,2 +0,0 @@ -:mod:`xml.etree.ElementTree`: Fix a crash in :meth:`Element.__deepcopy__ -` on deeply nested trees. diff --git a/Misc/NEWS.d/next/Library/2026-04-24-19-54-00.gh-issue-148954.v1.rst b/Misc/NEWS.d/next/Library/2026-04-24-19-54-00.gh-issue-148954.v1.rst deleted file mode 100644 index 6245af7e362e..000000000000 --- a/Misc/NEWS.d/next/Library/2026-04-24-19-54-00.gh-issue-148954.v1.rst +++ /dev/null @@ -1 +0,0 @@ -Fix XML injection vulnerability in :func:`xmlrpc.client.dumps` where the ``methodname`` was not being escaped before interpolation into the XML body. diff --git a/Misc/NEWS.d/next/Library/2026-04-25-14-11-24.gh-issue-138907.u21Wnh.rst b/Misc/NEWS.d/next/Library/2026-04-25-14-11-24.gh-issue-138907.u21Wnh.rst deleted file mode 100644 index cc996a85f1c1..000000000000 --- a/Misc/NEWS.d/next/Library/2026-04-25-14-11-24.gh-issue-138907.u21Wnh.rst +++ /dev/null @@ -1 +0,0 @@ -Support :rfc:`9309` in :mod:`urllib.robotparser`. diff --git a/Misc/NEWS.d/next/Library/2026-04-27-17-12-11.gh-issue-148914.i5C3kW.rst b/Misc/NEWS.d/next/Library/2026-04-27-17-12-11.gh-issue-148914.i5C3kW.rst deleted file mode 100644 index 8348aad0d892..000000000000 --- a/Misc/NEWS.d/next/Library/2026-04-27-17-12-11.gh-issue-148914.i5C3kW.rst +++ /dev/null @@ -1,6 +0,0 @@ -Fix memoization of in-band :class:`~pickle.PickleBuffer` in the Python -implementation of :mod:`pickle`. Previously, identical -:class:`!PickleBuffer`\ s did not preserve identity, and empty writable -:class:`!PickleBuffer` memoized an empty bytearray object in place of -``b''``, so the following references to ``b''`` were unpickled as an empty -bytearray object. diff --git a/Misc/NEWS.d/next/Library/2026-04-27-22-34-09.gh-issue-148093.9pWceM.rst b/Misc/NEWS.d/next/Library/2026-04-27-22-34-09.gh-issue-148093.9pWceM.rst deleted file mode 100644 index 9418044201f8..000000000000 --- a/Misc/NEWS.d/next/Library/2026-04-27-22-34-09.gh-issue-148093.9pWceM.rst +++ /dev/null @@ -1,2 +0,0 @@ -Fix an out-of-bounds read of one byte in :func:`binascii.a2b_uu`. Raise -:exc:`binascii.Error`, instead of reading past the buffer end. diff --git a/Misc/NEWS.d/next/Library/2026-04-29-14-33-42.gh-issue-149148.EaiYvk.rst b/Misc/NEWS.d/next/Library/2026-04-29-14-33-42.gh-issue-149148.EaiYvk.rst deleted file mode 100644 index 06186773474f..000000000000 --- a/Misc/NEWS.d/next/Library/2026-04-29-14-33-42.gh-issue-149148.EaiYvk.rst +++ /dev/null @@ -1,2 +0,0 @@ -:mod:`ensurepip`: Upgrade bundled pip to 26.1. This version fixes -the :cve:`2026-3219` vulnerability. Patch by Victor Stinner. diff --git a/Misc/NEWS.d/next/Library/2026-04-29-16-11-27.gh-issue-149117.yEeTYd.rst b/Misc/NEWS.d/next/Library/2026-04-29-16-11-27.gh-issue-149117.yEeTYd.rst deleted file mode 100644 index 41223e90ed0b..000000000000 --- a/Misc/NEWS.d/next/Library/2026-04-29-16-11-27.gh-issue-149117.yEeTYd.rst +++ /dev/null @@ -1,3 +0,0 @@ -Fix :func:`runpy.run_module` and :func:`runpy.run_path` to set the -:attr:`~ImportError.name` attribute on the :exc:`ImportError` they -raise. diff --git a/Misc/NEWS.d/next/Library/2026-05-01-16-45-31.gh-issue-149231.x2nBEE.rst b/Misc/NEWS.d/next/Library/2026-05-01-16-45-31.gh-issue-149231.x2nBEE.rst deleted file mode 100644 index c265b54db8be..000000000000 --- a/Misc/NEWS.d/next/Library/2026-05-01-16-45-31.gh-issue-149231.x2nBEE.rst +++ /dev/null @@ -1 +0,0 @@ -In :mod:`tomllib`, the number of parts in TOML keys is now limited. diff --git a/Misc/NEWS.d/next/Library/2026-05-04-19-28-48.gh-issue-149377.WNlc8Y.rst b/Misc/NEWS.d/next/Library/2026-05-04-19-28-48.gh-issue-149377.WNlc8Y.rst deleted file mode 100644 index 7bab1c049e67..000000000000 --- a/Misc/NEWS.d/next/Library/2026-05-04-19-28-48.gh-issue-149377.WNlc8Y.rst +++ /dev/null @@ -1 +0,0 @@ -Update bundled pip to 26.1.1 diff --git a/Misc/NEWS.d/next/Library/2026-05-07-14-18-47.gh-issue-149489.bX9iHe.rst b/Misc/NEWS.d/next/Library/2026-05-07-14-18-47.gh-issue-149489.bX9iHe.rst deleted file mode 100644 index 4f47d36fe2c8..000000000000 --- a/Misc/NEWS.d/next/Library/2026-05-07-14-18-47.gh-issue-149489.bX9iHe.rst +++ /dev/null @@ -1,3 +0,0 @@ -Fix :mod:`~xml.etree.ElementTree` serialization to HTML. The content of -elements "xmp", "iframe", "noembed", "noframes", and "plaintext" is no longer -escaped. The "plaintext" element no longer have the closing tag. diff --git a/Misc/NEWS.d/next/Library/2026-05-07-21-58-17.gh-issue-149388.DDBPeA.rst b/Misc/NEWS.d/next/Library/2026-05-07-21-58-17.gh-issue-149388.DDBPeA.rst deleted file mode 100644 index 4a1c6f3f5b4e..000000000000 --- a/Misc/NEWS.d/next/Library/2026-05-07-21-58-17.gh-issue-149388.DDBPeA.rst +++ /dev/null @@ -1 +0,0 @@ -Make :class:`!asyncio.windows_utils.PipeHandle` closing idempotent. diff --git a/Misc/NEWS.d/next/Library/2026-05-08-15-08-35.gh-issue-112821.t9T1YD.rst b/Misc/NEWS.d/next/Library/2026-05-08-15-08-35.gh-issue-112821.t9T1YD.rst deleted file mode 100644 index cfbcde81493e..000000000000 --- a/Misc/NEWS.d/next/Library/2026-05-08-15-08-35.gh-issue-112821.t9T1YD.rst +++ /dev/null @@ -1,4 +0,0 @@ -In the REPL, autocompletion might run arbitrary code in the getter of a -descriptor. If that getter raised an exception, autocompletion would fail to -present any options for the entire object. Autocompletion now works as -expected for these objects. diff --git a/Misc/NEWS.d/next/Library/2026-05-12-06-24-54.gh-issue-149701.8v9RTm.rst b/Misc/NEWS.d/next/Library/2026-05-12-06-24-54.gh-issue-149701.8v9RTm.rst deleted file mode 100644 index 676d788cbce6..000000000000 --- a/Misc/NEWS.d/next/Library/2026-05-12-06-24-54.gh-issue-149701.8v9RTm.rst +++ /dev/null @@ -1 +0,0 @@ -Fix bad return code from Lib/venv/bin/activate if hashing is disabled diff --git a/Misc/NEWS.d/next/Library/2026-05-13-23-18-39.gh-issue-149801.S_FfGr.rst b/Misc/NEWS.d/next/Library/2026-05-13-23-18-39.gh-issue-149801.S_FfGr.rst deleted file mode 100644 index f9e8538527d2..000000000000 --- a/Misc/NEWS.d/next/Library/2026-05-13-23-18-39.gh-issue-149801.S_FfGr.rst +++ /dev/null @@ -1,2 +0,0 @@ -Add IANA registered names and aliases with leading zeros before number (like -IBM00858, CP00858, IBM01140, CP01140) for corresponding codecs. diff --git a/Misc/NEWS.d/next/Library/2026-05-16-21-08-33.gh-issue-149921.I1yNML.rst b/Misc/NEWS.d/next/Library/2026-05-16-21-08-33.gh-issue-149921.I1yNML.rst deleted file mode 100644 index 113bd1a802f7..000000000000 --- a/Misc/NEWS.d/next/Library/2026-05-16-21-08-33.gh-issue-149921.I1yNML.rst +++ /dev/null @@ -1,2 +0,0 @@ -Fix reference leaks in error paths of the :mod:`!_interpchannels` and -:mod:`!_interpqueues` extension modules. diff --git a/Misc/NEWS.d/next/Library/2026-05-17-02-25-56.gh-issue-149571.LNyuWJ.rst b/Misc/NEWS.d/next/Library/2026-05-17-02-25-56.gh-issue-149571.LNyuWJ.rst deleted file mode 100644 index 2b71d9cf2200..000000000000 --- a/Misc/NEWS.d/next/Library/2026-05-17-02-25-56.gh-issue-149571.LNyuWJ.rst +++ /dev/null @@ -1,2 +0,0 @@ -Fix the C implementation of :meth:`xml.etree.ElementTree.Element.itertext`: -it no longer emits text for comments and processing instructions. diff --git a/Misc/NEWS.d/next/Library/2026-05-17-22-37-02.gh-issue-88726.BAoL6j.rst b/Misc/NEWS.d/next/Library/2026-05-17-22-37-02.gh-issue-88726.BAoL6j.rst deleted file mode 100644 index ba9058d79c98..000000000000 --- a/Misc/NEWS.d/next/Library/2026-05-17-22-37-02.gh-issue-88726.BAoL6j.rst +++ /dev/null @@ -1,2 +0,0 @@ -The :mod:`email` package now uses standard MIME charset names "gb2312" and -"big5" instead of non-standard names "eucgb2312_cn" and "big5_tw". diff --git a/Misc/NEWS.d/next/Library/2026-05-18-07-44-46.gh-issue-149995.vvtFHn.rst b/Misc/NEWS.d/next/Library/2026-05-18-07-44-46.gh-issue-149995.vvtFHn.rst deleted file mode 100644 index a8e412b578da..000000000000 --- a/Misc/NEWS.d/next/Library/2026-05-18-07-44-46.gh-issue-149995.vvtFHn.rst +++ /dev/null @@ -1 +0,0 @@ -Update various docstrings in :mod:`typing`. diff --git a/Misc/NEWS.d/next/Library/2026-05-19-19-00-49.gh-issue-84353.ZU5zaQ.rst b/Misc/NEWS.d/next/Library/2026-05-19-19-00-49.gh-issue-84353.ZU5zaQ.rst deleted file mode 100644 index 84fb12e2abd8..000000000000 --- a/Misc/NEWS.d/next/Library/2026-05-19-19-00-49.gh-issue-84353.ZU5zaQ.rst +++ /dev/null @@ -1,5 +0,0 @@ -Preserve non-UTF-8 encoded filenames when appending to a -:class:`zipfile.ZipFile`. Previously, non-ASCII names stored in a legacy -encoding (without the UTF-8 flag bit set) could be corrupted when the -central directory was rewritten: they were decoded as cp437 and then -re-stored as UTF-8. diff --git a/Misc/NEWS.d/next/Library/2026-05-21-11-25-58.gh-issue-150175.8H4Caz.rst b/Misc/NEWS.d/next/Library/2026-05-21-11-25-58.gh-issue-150175.8H4Caz.rst deleted file mode 100644 index 80fc80d4d50a..000000000000 --- a/Misc/NEWS.d/next/Library/2026-05-21-11-25-58.gh-issue-150175.8H4Caz.rst +++ /dev/null @@ -1,3 +0,0 @@ -Fix race condition in :class:`unittest.mock.ThreadingMock` where -concurrent calls could lose increments to ``call_count`` and other -attributes due to a missing lock in ``_increment_mock_call``. diff --git a/Misc/NEWS.d/next/Library/2026-05-25-07-22-05.gh-issue-150372.9hLqhe.rst b/Misc/NEWS.d/next/Library/2026-05-25-07-22-05.gh-issue-150372.9hLqhe.rst deleted file mode 100644 index 7b83bd8fe73f..000000000000 --- a/Misc/NEWS.d/next/Library/2026-05-25-07-22-05.gh-issue-150372.9hLqhe.rst +++ /dev/null @@ -1,2 +0,0 @@ -:mod:`readline`: Fix a potential crash during tab completion caused by an -out-of-memory error during module initialization. diff --git a/Misc/NEWS.d/next/Library/2026-05-25-17-00-00.gh-issue-150406.jF3g63.rst b/Misc/NEWS.d/next/Library/2026-05-25-17-00-00.gh-issue-150406.jF3g63.rst deleted file mode 100644 index 230e961abd3f..000000000000 --- a/Misc/NEWS.d/next/Library/2026-05-25-17-00-00.gh-issue-150406.jF3g63.rst +++ /dev/null @@ -1,3 +0,0 @@ -Fix a possible crash occurring during :mod:`socket` module initialization -when the system is out of memory on platforms without a reentrant -``gethostbyname``. diff --git a/Misc/NEWS.d/next/Library/2026-05-31-17-47-30.gh-issue-150685.EBB2mU.rst b/Misc/NEWS.d/next/Library/2026-05-31-17-47-30.gh-issue-150685.EBB2mU.rst deleted file mode 100644 index eb7f31112d00..000000000000 --- a/Misc/NEWS.d/next/Library/2026-05-31-17-47-30.gh-issue-150685.EBB2mU.rst +++ /dev/null @@ -1 +0,0 @@ -Update bundled pip to 26.1.2 diff --git a/Misc/NEWS.d/next/Library/2026-06-04-18-22-56.gh-issue-143008.z5tw-J.rst b/Misc/NEWS.d/next/Library/2026-06-04-18-22-56.gh-issue-143008.z5tw-J.rst deleted file mode 100644 index e99bc39c45f9..000000000000 --- a/Misc/NEWS.d/next/Library/2026-06-04-18-22-56.gh-issue-143008.z5tw-J.rst +++ /dev/null @@ -1 +0,0 @@ -Fix race conditions when re-initializing a :class:`io.TextIOWrapper` object. diff --git a/Misc/NEWS.d/next/Library/2026-06-04-21-49-18.gh-issue-150913.EmptyBl.rst b/Misc/NEWS.d/next/Library/2026-06-04-21-49-18.gh-issue-150913.EmptyBl.rst deleted file mode 100644 index f95a6ee6ee15..000000000000 --- a/Misc/NEWS.d/next/Library/2026-06-04-21-49-18.gh-issue-150913.EmptyBl.rst +++ /dev/null @@ -1,3 +0,0 @@ -Fix :class:`sqlite3.Blob` slice assignment to raise -:exc:`TypeError` and :exc:`IndexError` for type and size mismatches -respectively, even when the target slice is empty. diff --git a/Misc/NEWS.d/next/Security/2026-03-20-09-29-42.gh-issue-146211.PQVbs7.rst b/Misc/NEWS.d/next/Security/2026-03-20-09-29-42.gh-issue-146211.PQVbs7.rst deleted file mode 100644 index 4993633b8ebe..000000000000 --- a/Misc/NEWS.d/next/Security/2026-03-20-09-29-42.gh-issue-146211.PQVbs7.rst +++ /dev/null @@ -1,2 +0,0 @@ -Reject CR/LF characters in tunnel request headers for the -HTTPConnection.set_tunnel() method. diff --git a/Misc/NEWS.d/next/Security/2026-03-25-00-51-03.gh-issue-146333.LqdL__bn.rst b/Misc/NEWS.d/next/Security/2026-03-25-00-51-03.gh-issue-146333.LqdL__bn.rst deleted file mode 100644 index 96d86ecc0a0f..000000000000 --- a/Misc/NEWS.d/next/Security/2026-03-25-00-51-03.gh-issue-146333.LqdL__bn.rst +++ /dev/null @@ -1,3 +0,0 @@ -Fix quadratic backtracking in :class:`configparser.RawConfigParser` option -parsing regexes (``OPTCRE`` and ``OPTCRE_NV``). A crafted configuration line -with many whitespace characters could cause excessive CPU usage. diff --git a/Misc/NEWS.d/next/Security/2026-03-29-12-51-33.gh-issue-146581.4vZfB0.rst b/Misc/NEWS.d/next/Security/2026-03-29-12-51-33.gh-issue-146581.4vZfB0.rst deleted file mode 100644 index 98e65549d790..000000000000 --- a/Misc/NEWS.d/next/Security/2026-03-29-12-51-33.gh-issue-146581.4vZfB0.rst +++ /dev/null @@ -1,5 +0,0 @@ -Fix vulnerability in :func:`shutil.unpack_archive` for ZIP files on Windows -which allowed to write files outside of the destination tree if the patch in -the archive contains a Windows drive prefix. Now such invalid paths will be -skipped. Files containing ".." in the name (like "foo..bar") are no longer -skipped. diff --git a/Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst b/Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst deleted file mode 100644 index 45cdeebe1b6d..000000000000 --- a/Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst +++ /dev/null @@ -1,2 +0,0 @@ -A bypass in :mod:`webbrowser` allowed URLs prefixed with ``%action`` to pass -the dash-prefix safety check. diff --git a/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst b/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst deleted file mode 100644 index 9502189ab199..000000000000 --- a/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst +++ /dev/null @@ -1,5 +0,0 @@ -Fix a dangling input pointer in :class:`lzma.LZMADecompressor`, -:class:`bz2.BZ2Decompressor`, and internal :class:`!zlib._ZlibDecompressor` -when memory allocation fails with :exc:`MemoryError`, which could let a -subsequent :meth:`!decompress` call read or write through a stale pointer to -the already-released caller buffer. diff --git a/Misc/NEWS.d/next/Security/2026-04-20-15-31-37.gh-issue-148808._Z8JL0.rst b/Misc/NEWS.d/next/Security/2026-04-20-15-31-37.gh-issue-148808._Z8JL0.rst deleted file mode 100644 index 0b5cf85fedfb..000000000000 --- a/Misc/NEWS.d/next/Security/2026-04-20-15-31-37.gh-issue-148808._Z8JL0.rst +++ /dev/null @@ -1,3 +0,0 @@ -Added buffer boundary check when using ``nbytes`` parameter with -:meth:`!asyncio.AbstractEventLoop.sock_recvfrom_into`. Only -relevant for Windows and the :class:`asyncio.ProactorEventLoop`. diff --git a/Misc/NEWS.d/next/Security/2026-04-21-13-46-30.gh-issue-90309.srvj9q.rst b/Misc/NEWS.d/next/Security/2026-04-21-13-46-30.gh-issue-90309.srvj9q.rst deleted file mode 100644 index d7d376737e4a..000000000000 --- a/Misc/NEWS.d/next/Security/2026-04-21-13-46-30.gh-issue-90309.srvj9q.rst +++ /dev/null @@ -1,3 +0,0 @@ -Base64-encode values when embedding cookies to JavaScript using the -:meth:`http.cookies.BaseCookie.js_output` method to avoid injection -and escaping. diff --git a/Misc/NEWS.d/next/Security/2026-04-26-17-49-58.gh-issue-149017.EiVFPo.rst b/Misc/NEWS.d/next/Security/2026-04-26-17-49-58.gh-issue-149017.EiVFPo.rst deleted file mode 100644 index 6aa7efb68a19..000000000000 --- a/Misc/NEWS.d/next/Security/2026-04-26-17-49-58.gh-issue-149017.EiVFPo.rst +++ /dev/null @@ -1 +0,0 @@ -Update bundled `libexpat `_ to version 2.8.0. diff --git a/Misc/NEWS.d/next/Security/2026-04-26-19-30-45.gh-issue-149018.a9SqWb.rst b/Misc/NEWS.d/next/Security/2026-04-26-19-30-45.gh-issue-149018.a9SqWb.rst deleted file mode 100644 index d1b5b368684e..000000000000 --- a/Misc/NEWS.d/next/Security/2026-04-26-19-30-45.gh-issue-149018.a9SqWb.rst +++ /dev/null @@ -1,3 +0,0 @@ -Improved protection against XML hash-flooding attacks in -:mod:`xml.parsers.expat` and :mod:`xml.etree.ElementTree` when Python is -compiled with libExpat 2.8.0 or later. diff --git a/Misc/NEWS.d/next/Security/2026-04-27-16-36-11.gh-issue-149079.vKl-LM.rst b/Misc/NEWS.d/next/Security/2026-04-27-16-36-11.gh-issue-149079.vKl-LM.rst deleted file mode 100644 index 4ed22b58f740..000000000000 --- a/Misc/NEWS.d/next/Security/2026-04-27-16-36-11.gh-issue-149079.vKl-LM.rst +++ /dev/null @@ -1,5 +0,0 @@ -Fix a potential denial of service in :func:`unicodedata.normalize`. The -canonical ordering step of Unicode normalization used a quadratic-time insertion -sort for reordering combining characters, which could be exploited with -crafted input containing many combining characters in non-canonical order. -Replaced with a linear-time counting sort for long runs. diff --git a/Misc/NEWS.d/next/Security/2026-05-03-21-00-00.gh-issue-149486.tarflt.rst b/Misc/NEWS.d/next/Security/2026-05-03-21-00-00.gh-issue-149486.tarflt.rst deleted file mode 100644 index 7c69edb683cf..000000000000 --- a/Misc/NEWS.d/next/Security/2026-05-03-21-00-00.gh-issue-149486.tarflt.rst +++ /dev/null @@ -1,5 +0,0 @@ -:func:`tarfile.data_filter` now validates link targets using the same -normalised value that is written to disk, strips trailing separators from -the member name when resolving a symlink's directory, and rejects link -members that would replace the destination directory itself. This closes -several path-traversal bypasses of the ``data`` extraction filter. diff --git a/Misc/NEWS.d/next/Security/2026-05-10-18-05-32.gh-issue-87451.XkKB6M.rst b/Misc/NEWS.d/next/Security/2026-05-10-18-05-32.gh-issue-87451.XkKB6M.rst deleted file mode 100644 index 21a79c3e0e7d..000000000000 --- a/Misc/NEWS.d/next/Security/2026-05-10-18-05-32.gh-issue-87451.XkKB6M.rst +++ /dev/null @@ -1,6 +0,0 @@ -The :mod:`ftplib` module's undocumented ``ftpcp`` function no longer trusts -the IPv4 address value returned from the source server in response to the -``PASV`` command by default, completing the fix for CVE-2021-4189. As with -:class:`ftplib.FTP`, the former behavior can be re-enabled by setting the -``trust_server_pasv_ipv4_address`` attribute on the source :class:`ftplib.FTP` -instance to ``True``. Thanks to Qi Deng at Aurascape AI for the report. diff --git a/Misc/NEWS.d/next/Security/2026-05-11-21-15-07.gh-issue-149698.OudOcW.rst b/Misc/NEWS.d/next/Security/2026-05-11-21-15-07.gh-issue-149698.OudOcW.rst deleted file mode 100644 index 3c8671b9a5ad..000000000000 --- a/Misc/NEWS.d/next/Security/2026-05-11-21-15-07.gh-issue-149698.OudOcW.rst +++ /dev/null @@ -1,2 +0,0 @@ -Update bundled `libexpat `_ to version 2.8.1 -for the fix for :cve:`2026-45186`. diff --git a/Misc/NEWS.d/next/Security/2026-05-18-17-46-00.gh-issue-149835.EebFlk.rst b/Misc/NEWS.d/next/Security/2026-05-18-17-46-00.gh-issue-149835.EebFlk.rst deleted file mode 100644 index 20cab7365524..000000000000 --- a/Misc/NEWS.d/next/Security/2026-05-18-17-46-00.gh-issue-149835.EebFlk.rst +++ /dev/null @@ -1,3 +0,0 @@ -:func:`shutil.move` now resolves symlinks via :func:`os.path.realpath` -when checking whether the destination is inside the source directory, -preventing a symlink-based bypass of that guard. diff --git a/Misc/NEWS.d/next/Security/2026-05-30-09-36-20.gh-issue-150599.nlHqU-.rst b/Misc/NEWS.d/next/Security/2026-05-30-09-36-20.gh-issue-150599.nlHqU-.rst deleted file mode 100644 index a37d86cf423f..000000000000 --- a/Misc/NEWS.d/next/Security/2026-05-30-09-36-20.gh-issue-150599.nlHqU-.rst +++ /dev/null @@ -1,3 +0,0 @@ -Fix a possible stack buffer overflow in :mod:`bz2` when a -:class:`bz2.BZ2Decompressor` is reused after a decompression error. -The decompressor now becomes unusable after libbz2 reports an error. diff --git a/Misc/NEWS.d/next/Security/2026-06-09-12-27-17.gh-issue-151159.ng1cPU.rst b/Misc/NEWS.d/next/Security/2026-06-09-12-27-17.gh-issue-151159.ng1cPU.rst deleted file mode 100644 index e2309633c298..000000000000 --- a/Misc/NEWS.d/next/Security/2026-06-09-12-27-17.gh-issue-151159.ng1cPU.rst +++ /dev/null @@ -1 +0,0 @@ -Bumps the OpenSSL version to 3.0.21 on Android. diff --git a/Misc/NEWS.d/next/Tests/2026-05-13-14-53-23.gh-issue-149776.orqgsn.rst b/Misc/NEWS.d/next/Tests/2026-05-13-14-53-23.gh-issue-149776.orqgsn.rst deleted file mode 100644 index e86a9130ff9b..000000000000 --- a/Misc/NEWS.d/next/Tests/2026-05-13-14-53-23.gh-issue-149776.orqgsn.rst +++ /dev/null @@ -1,2 +0,0 @@ -Fix test_socket on Linux kernel 7.1 and newer: skip UDP Lite tests if it's -not supported. Patch by Victor Stinner. diff --git a/Misc/NEWS.d/next/Tests/2026-06-09-11-52-52.gh-issue-151130.1vslPH.rst b/Misc/NEWS.d/next/Tests/2026-06-09-11-52-52.gh-issue-151130.1vslPH.rst deleted file mode 100644 index 0333e66446ce..000000000000 --- a/Misc/NEWS.d/next/Tests/2026-06-09-11-52-52.gh-issue-151130.1vslPH.rst +++ /dev/null @@ -1 +0,0 @@ -Add more tests for ``PyWeakref_*`` C API. diff --git a/Misc/NEWS.d/next/Windows/2026-06-09-11-40-17.gh-issue-151159.9si8Fo.rst b/Misc/NEWS.d/next/Windows/2026-06-09-11-40-17.gh-issue-151159.9si8Fo.rst deleted file mode 100644 index ae2131533e12..000000000000 --- a/Misc/NEWS.d/next/Windows/2026-06-09-11-40-17.gh-issue-151159.9si8Fo.rst +++ /dev/null @@ -1 +0,0 @@ -Update macOS installer to use OpenSSL 3.0.21. diff --git a/Misc/NEWS.d/next/Windows/2026-06-09-12-04-21.gh-issue-151159.O2NVrd.rst b/Misc/NEWS.d/next/Windows/2026-06-09-12-04-21.gh-issue-151159.O2NVrd.rst deleted file mode 100644 index 81ba86fab4ee..000000000000 --- a/Misc/NEWS.d/next/Windows/2026-06-09-12-04-21.gh-issue-151159.O2NVrd.rst +++ /dev/null @@ -1 +0,0 @@ -Updated bundled version of OpenSSL to 3.0.21. diff --git a/Misc/NEWS.d/next/macOS/2025-10-14-00-17-48.gh-issue-115119.470I1N.rst b/Misc/NEWS.d/next/macOS/2025-10-14-00-17-48.gh-issue-115119.470I1N.rst deleted file mode 100644 index d59da4b87b7b..000000000000 --- a/Misc/NEWS.d/next/macOS/2025-10-14-00-17-48.gh-issue-115119.470I1N.rst +++ /dev/null @@ -1 +0,0 @@ -Update macOS installer to use libmpdecimal 4.0.1. diff --git a/Misc/NEWS.d/next/macOS/2026-05-31-10-40-00.gh-issue-150644.zLWyjj.rst b/Misc/NEWS.d/next/macOS/2026-05-31-10-40-00.gh-issue-150644.zLWyjj.rst deleted file mode 100644 index 7452a7c765c0..000000000000 --- a/Misc/NEWS.d/next/macOS/2026-05-31-10-40-00.gh-issue-150644.zLWyjj.rst +++ /dev/null @@ -1,3 +0,0 @@ -When system logging is enabled (with ``config.use_system_logger``, messages -are now tagged as public. This allows the macOS 26 system logger to view -messages without special configuration. diff --git a/Misc/NEWS.d/next/macOS/2026-06-09-01-27-48.gh-issue-124111.MDDDD6.rst b/Misc/NEWS.d/next/macOS/2026-06-09-01-27-48.gh-issue-124111.MDDDD6.rst deleted file mode 100644 index f626453dbb32..000000000000 --- a/Misc/NEWS.d/next/macOS/2026-06-09-01-27-48.gh-issue-124111.MDDDD6.rst +++ /dev/null @@ -1 +0,0 @@ -Update macOS installer to use Tcl/Tk 8.6.18. diff --git a/README.rst b/README.rst index df4ec5ab666b..480a559cb790 100644 --- a/README.rst +++ b/README.rst @@ -1,4 +1,4 @@ -This is Python version 3.13.13 +This is Python version 3.13.14 ============================== .. image:: https://github.com/python/cpython/workflows/Tests/badge.svg