Log message:
python37, py37-html-docs: removed; end of life; use Python 3.8, 3.9, 3.10 or 3.11

Log message:
python: Override sys.platform with PY_PLATNAME when cross-compiling.

For this purpose, factor the PY_PLATNAME definition out into a new
lang/pythonNN/platname.mk file.  It's not the same for 2.x and 3.x;
perhaps we could factor it out further into a single 2.x vs 3.x
conditional but this is a more mechanical change that makes it easier
to audit for now.

Log message:
python37 py37-html-docs: updated to 3.7.17

Python 3.7.17

Security
gh-103142: The version of OpenSSL used in our binary builds has been upgraded to \ 
1.1.1u to address several CVEs.
gh-99889: Fixed a security in flaw in uu.decode() that could allow for directory \ 
traversal based on the input if no out_file was specified.
gh-104049: Do not expose the local on-disk location in directory indexes \ 
produced by http.client.SimpleHTTPRequestHandler.
gh-102153: urllib.parse.urlsplit() now strips leading C0 control and space \ 
characters following the specification for URLs defined by WHATWG in response to \ 
CVE-2023-24329. Patch by Illia Volochii.
gh-101727: Updated the OpenSSL version used in Windows and macOS binary release \ 
builds to 1.1.1t to address CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303 per \ 
the OpenSSL 2023-02-07 security advisory.
gh-101283: subprocess.Popen now uses a safer approach to find cmd.exe when \ 
launching with shell=True. Patch by Eryk Sun, based on a patch by Oleg Iarygin.

Library
gh-101997: Upgrade pip wheel bundled with ensurepip (pip 23.0.1)

Build
gh-102306: Avoid GHA CI macOS test_posix failure by using the appropriate macOS SDK.

Windows
gh-100180: Update Windows installer to OpenSSL 1.1.1s

Log message:
python37: update to version 3.7.16

Changelog:

Python 3.7.16

Release Date: Dec. 6, 2022
This is a security release of Python 3.7

Note: The release you're looking at is Python 3.7.16, a security bugfix release \ 
for the legacy 3.7 series. Python 3.11 is now the latest feature release series \ 
of Python 3. Get the latest release of 3.11.x here.
Security content in this release

    gh-98739: Updated bundled libexpat to 2.5.0 to fix CVE-2022-43680 (heap \ 
use-after-free).
    gh-98517: Port XKCP’s fix for the buffer overflows in SHA-3 to fix \ 
CVE-2022-37454.
    gh-98433: The IDNA codec decoder used on DNS hostnames by socket or asyncio \ 
related name resolution functions no longer involves a quadratic algorithm to \ 
fix CVE-2022-45061. This prevents a potential CPU denial of service if an \ 
out-of-spec excessive length hostname involving bidirectional characters were \ 
decoded. Some protocols such as urllib http 3xx redirects potentially allow for \ 
an attacker to supply such a name.
    gh-68966: The deprecated mailcap module now refuses to inject unsafe text \ 
(filenames, MIME types, parameters) into shell commands to address \ 
CVE-2015-20107. Instead of using such text, it will warn and act as if a match \ 
was not found (or for test commands, as if the test failed).
    gh-100001: python -m http.server no longer allows terminal control \ 
characters sent within a garbage request to be printed to the stderr server log.

No installers

According to the release calendar specified in PEP 537, Python 3.7 is now in the \ 
"security fixes only" stage of its life cycle: 3.7 branch only accepts \ 
security fixes and releases of those are made irregularly in source-only form \ 
until June 2023. Python 3.7 does not receive regular bug fixes anymore, and \ 
binary installers are no longer provided for it. Python 3.7.9 was the last full \ 
bugfix release of Python 3.7 with binary installers.

Log message:
lang/python37: Note pkgsrc deprecation

Log message:
python37 py37-html-docs: updated to 3.7.15

Python 3.7.15

Security

gh-97616: Fix multiplying a list by an integer (list *= int): detect the integer \ 
overflow when the new allocated length is close to the maximum size. Issue \ 
reported by Jordan Limor. Patch by Victor Stinner.
gh-97612: Fix a shell code injection vulnerability in the \ 
get-remote-certificate.py example script. The script no longer uses a shell to \ 
run openssl commands. Issue reported and initial fix by Caleb Shortt. Patch by \ 
Victor Stinner.

Core and Builtins

gh-96848: Fix command line parsing: reject -X int_max_str_digits option with no \ 
value (invalid) when the PYTHONINTMAXSTRDIGITS environment variable is set to a \ 
valid limit. Patch by Victor Stinner.
gh-95778: When ValueError is raised if an integer is larger than the limit, \ 
mention the sys.set_int_max_str_digits() function in the error message. Patch by \ 
Victor Stinner.

Library

gh-97005: Update bundled libexpat to 2.4.9

Windows

gh-96577: Fixes a potential buffer overrun in msilib.

Log message:
python37 py37-html-docs: updated to 3.7.14

Python 3.7.14

Security
gh-95778: Converting between int and str in bases other than 2 (binary), 4, 8 \ 
(octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now raises a \ 
ValueError if the number of digits in string form is above a limit to avoid \ 
potential denial of service attacks due to the algorithmic complexity. This is a \ 
mitigation for CVE-2020-10735.

This new limit can be configured or disabled by environment variable, command \ 
line flag, or sys APIs. See the integer string conversion length limitation \ 
documentation. The default limit is 4300 digits in string form.

Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with feedback \ 
from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and Mark Dickinson.
gh-87389: http.server: Fix an open redirection vulnerability in the HTTP server \ 
when an URI path starts with //. Vulnerability discovered, and initial fix \ 
proposed, by Hamza Avvan.

Core and Builtins
gh-93065: Fix contextvars HAMT implementation to handle iteration over deep trees.

The bug was discovered and fixed by Eli Libman. See MagicStack/immutables#84 for \ 
more details.

Library
bpo-36073: Raise ProgrammingError instead of segfaulting on recursive usage of \ 
cursors in sqlite3 converters. Patch by Sergey Fedoseev.

Documentation
gh-91888: Add a new gh role to the documentation to link to GitHub issues.
bpo-47138: Pin Jinja to a version compatible with Sphinx version 2.3.1.

Tests
gh-94208: test_ssl is now checking for supported TLS version and protocols in \ 
more tests.
bpo-47016: Create a GitHub Actions workflow for verifying bundled pip and \ 
setuptools. Patch by Illia Volochii and Adam Turner.
bpo-41306: Fixed a failure in test_tk.test_widgets.ScaleTest happening when \ 
executing the test with Tk 8.6.10.

Windows
bpo-47194: Update zlib to v1.2.12 to resolve CVE-2018-25032.

Log message:
python37: Skip __pycache__ files seen in macOS build too.

Log message:
python37: Skip wrkrefs exposed by pkg-config change.

Log message:
python37 py37-html-docs: updated to 3.7.13

Python 3.7.13 final

Library

bpo-46985: Upgrade pip wheel bundled with ensurepip (pip 22.0.4)
bpo-46932: Update bundled libexpat to 2.4.7
bpo-46811: Make test suite support Expat >=2.4.5
bpo-46784: Fix libexpat symbols collisions with user dynamically loaded or \ 
statically linked libexpat in embedded Python.
bpo-46756: Fix a bug in urllib.request.HTTPPasswordMgr.find_user_password() and \ 
urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which allowed to \ 
bypass authorization. For example, access to URI example.org/foobar was allowed \ 
if the user was authorized for URI example.org/foo.

Build

bpo-47024: Update Windows builds and macOS installer build to use OpenSSL 1.1.1n.
bpo-45405: Prevent internal configure error when running configure with recent \ 
versions of clang. Patch by David Bohman.

Windows

bpo-44549: Update bzip2 to 1.0.8 in Windows builds to mitigate CVE-2016-3189 and \ 
CVE-2019-12900
bpo-46948: Prevent CVE-2022-26488 by ensuring the Add to PATH option in the \ 
Windows installer uses the correct path when being repaired.