Log message:
python*: explicitly add --with-system-expat

To make sure expat module is linked against expat library.

Bump PKGREVISION.

Log message:
python*: add SUPERSEDES

Log message:
python*: include some standard modules in the base Python package

As proposed on tech-pkg

Bump PKGREVISION.

Log message:
python39 py39-html-docs: updated to 3.9.18

Python 3.9.18

Security

gh-108310: Fixed an issue where instances of ssl.SSLSocket were vulnerable to a \ 
bypass of the TLS handshake and included protections (like certificate \ 
verification) and treating sent unencrypted data as if it were post-handshake \ 
TLS encrypted data. Security issue reported as CVE-2023-40217 by Aapo Oksman. \ 
Patch by Gregory P. Smith.

Library

gh-107845: tarfile.data_filter() now takes the location of symlinks into account \ 
when determining their target, so it will no longer reject some valid tarballs \ 
with LinkOutsideDestinationError.

Tools/Demos

gh-107565: Update multissltests and GitHub CI workflows to use OpenSSL 1.1.1v, \ 
3.0.10, and 3.1.2.

C API

gh-99612: Fix PyUnicode_DecodeUTF8Stateful() for ASCII-only data: *consumed was \ 
not set.

Log message:
python3*: when linking with pkgsrc gettext, pass -lintl. When linking
with builtin gettext, NFCI. Fixes PREFER_PKGSRC=gettext-lib builds on at
least NetBSD 9 and 10.

Log message:
python39: Fix env vars for sysconfig data when cross-compiling.

Paves the way to cross-version-compiling (e.g., netbsd9 building
packages for netbsd10) and cross-OS-compilation (e.g., macOS building
packages for NetBSD).

Log message:
python: Override sys.platform with PY_PLATNAME when cross-compiling.

For this purpose, factor the PY_PLATNAME definition out into a new
lang/pythonNN/platname.mk file.  It's not the same for 2.x and 3.x;
perhaps we could factor it out further into a single 2.x vs 3.x
conditional but this is a more mechanical change that makes it easier
to audit for now.

Log message:
lang/python39, 310, 311: Handle TOOLBASE/LOCALBASE split.

Log message:
python39 py39-html-docs: updated to 3.9.17

Python 3.9.17

Security
gh-103142: The version of OpenSSL used in our binary builds has been upgraded to \ 
1.1.1u to address several CVEs.
gh-99889: Fixed a security in flaw in uu.decode() that could allow for directory \ 
traversal based on the input if no out_file was specified.
gh-104049: Do not expose the local on-disk location in directory indexes \ 
produced by http.client.SimpleHTTPRequestHandler.
gh-102153: urllib.parse.urlsplit() now strips leading C0 control and space \ 
characters following the specification for URLs defined by WHATWG in response to \ 
CVE-2023-24329. Patch by Illia Volochii.
gh-101727: Updated the OpenSSL version used in Windows and macOS binary release \ 
builds to 1.1.1t to address CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303 per \ 
the OpenSSL 2023-02-07 security advisory.
gh-101283: subprocess.Popen now uses a safer approach to find cmd.exe when \ 
launching with shell=True. Patch by Eryk Sun, based on a patch by Oleg Iarygin.

Core and Builtins
gh-102126: Fix deadlock at shutdown when clearing thread states if any finalizer \ 
tries to acquire the runtime head lock. Patch by Kumar Aditya.
gh-100892: Fix race while iterating over thread states in clearing \ 
threading.local. Patch by Kumar Aditya.

Library
gh-103935: Use io.open_code() for files to be executed instead of raw open()
gh-102953: The extraction methods in tarfile, and shutil.unpack_archive(), have \ 
a new a filter argument that allows limiting tar features than may be surprising \ 
or dangerous, such as creating files outside the destination directory. See \ 
Extraction filters for details.
gh-101997: Upgrade pip wheel bundled with ensurepip (pip 23.0.1)

Windows
gh-100180: Update Windows installer to OpenSSL 1.1.1s

macOS
gh-103142: Update macOS installer to use OpenSSL 1.1.1u.

Log message:
python39 py39-html-docs: updated to 3.9.16

Python 3.9.16 final

Security
gh-100001: python -m http.server no longer allows terminal control characters \ 
sent within a garbage request to be printed to the stderr server log.

This is done by changing the http.server BaseHTTPRequestHandler .log_message \ 
method to replace control characters with a \xHH hex escape before printing.
gh-87604: Avoid publishing list of active per-interpreter audit hooks via the gc \ 
module
gh-98433: The IDNA codec decoder used on DNS hostnames by socket or asyncio \ 
related name resolution functions no longer involves a quadratic algorithm. This \ 
prevents a potential CPU denial of service if an out-of-spec excessive length \ 
hostname involving bidirectional characters were decoded. Some protocols such as \ 
urllib http 3xx redirects potentially allow for an attacker to supply such a \ 
name.
gh-98739: Update bundled libexpat to 2.5.0
gh-98517: Port XKCP’s fix for the buffer overflows in SHA-3 (CVE-2022-37454).
gh-97514: On Linux the multiprocessing module returns to using filesystem backed \ 
unix domain sockets for communication with the forkserver process instead of the \ 
Linux abstract socket namespace. Only code that chooses to use the \ 
“forkserver” start method is affected.

Abstract sockets have no permissions and could allow any user on the system in \ 
the same network namespace (often the whole system) to inject code into the \ 
multiprocessing forkserver process. This was a potential privilege escalation. \ 
Filesystem based socket permissions restrict this to the forkserver process user \ 
as was the default in Python 3.8 and earlier.

This prevents Linux CVE-2022-42919.
gh-68966: The deprecated mailcap module now refuses to inject unsafe text \ 
(filenames, MIME types, parameters) into shell commands. Instead of using such \ 
text, it will warn and act as if a match was not found (or for test commands, as \ 
if the test failed).