Log message:
python39 py39-html-docs: updated to 3.9.19

Python 3.9.19

Security

gh-115398: Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425) \ 
by adding five new methods:

xml.etree.ElementTree.XMLParser.flush()
xml.etree.ElementTree.XMLPullParser.flush()
xml.parsers.expat.xmlparser.GetReparseDeferralEnabled()
xml.parsers.expat.xmlparser.SetReparseDeferralEnabled()
xml.sax.expatreader.ExpatParser.flush()
gh-115399: Update bundled libexpat to 2.6.0
gh-113659: Skip .pth files with names starting with a dot or hidden file attribute.

Core and Builtins

gh-102388: Fix a bug where iso2022_jp_3 and iso2022_jp_2004 codecs read out of bounds

Library

gh-115197: urllib.request no longer resolves the hostname before checking it \ 
against the system’s proxy bypass list on macOS and Windows.
gh-115133: Fix tests for XMLPullParser with Expat 2.6.0.
gh-81194: Fix a crash in socket.if_indextoname() with specific value (UINT_MAX). \ 
Fix an integer overflow in socket.if_indextoname() on 64-bit non-Windows \ 
platforms.
gh-109858: Protect zipfile from “quoted-overlap” zipbomb. It now raises \ 
BadZipFile when try to read an entry that overlaps with other entry or central \ 
directory.
gh-107077: Seems that in some conditions, OpenSSL will return SSL_ERROR_SYSCALL \ 
instead of SSL_ERROR_SSL when a certification verification has failed, but the \ 
error parameters will still contain ERR_LIB_SSL and \ 
SSL_R_CERTIFICATE_VERIFY_FAILED. We are now detecting this situation and raising \ 
the appropiate ssl.SSLCertVerificationError. Patch by Pablo Galindo
gh-91133: Fix a bug in tempfile.TemporaryDirectory cleanup, which now no longer \ 
dereferences symlinks when working around file system permission errors.

Documentation

gh-115399: Document CVE-2023-52425 of Expat <2.6.0 under “XML \ 
vulnerabilities”.

Windows

gh-111239: Update Windows builds to use zlib v1.3.1.
gh-109991: Windows builds now use OpenSSL 1.1.1w. Note that OpenSSL 1.1 has \ 
reached its end of life and no future fixes will be made, and this version of \ 
Python is no longer receiving maintenance fixes and will not be updated to \ 
OpenSSL 3.0.

Tools/Demos

gh-109991: Update GitHub CI workflows to use OpenSSL 3.0.11 and multissltests to \ 
use 1.1.1w and 3.0.11.

Log message:
python39 py39-html-docs: updated to 3.9.18

Python 3.9.18

Security

gh-108310: Fixed an issue where instances of ssl.SSLSocket were vulnerable to a \ 
bypass of the TLS handshake and included protections (like certificate \ 
verification) and treating sent unencrypted data as if it were post-handshake \ 
TLS encrypted data. Security issue reported as CVE-2023-40217 by Aapo Oksman. \ 
Patch by Gregory P. Smith.

Library

gh-107845: tarfile.data_filter() now takes the location of symlinks into account \ 
when determining their target, so it will no longer reject some valid tarballs \ 
with LinkOutsideDestinationError.

Tools/Demos

gh-107565: Update multissltests and GitHub CI workflows to use OpenSSL 1.1.1v, \ 
3.0.10, and 3.1.2.

C API

gh-99612: Fix PyUnicode_DecodeUTF8Stateful() for ASCII-only data: *consumed was \ 
not set.

Log message:
python39 py39-html-docs: updated to 3.9.17

Python 3.9.17

Security
gh-103142: The version of OpenSSL used in our binary builds has been upgraded to \ 
1.1.1u to address several CVEs.
gh-99889: Fixed a security in flaw in uu.decode() that could allow for directory \ 
traversal based on the input if no out_file was specified.
gh-104049: Do not expose the local on-disk location in directory indexes \ 
produced by http.client.SimpleHTTPRequestHandler.
gh-102153: urllib.parse.urlsplit() now strips leading C0 control and space \ 
characters following the specification for URLs defined by WHATWG in response to \ 
CVE-2023-24329. Patch by Illia Volochii.
gh-101727: Updated the OpenSSL version used in Windows and macOS binary release \ 
builds to 1.1.1t to address CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303 per \ 
the OpenSSL 2023-02-07 security advisory.
gh-101283: subprocess.Popen now uses a safer approach to find cmd.exe when \ 
launching with shell=True. Patch by Eryk Sun, based on a patch by Oleg Iarygin.

Core and Builtins
gh-102126: Fix deadlock at shutdown when clearing thread states if any finalizer \ 
tries to acquire the runtime head lock. Patch by Kumar Aditya.
gh-100892: Fix race while iterating over thread states in clearing \ 
threading.local. Patch by Kumar Aditya.

Library
gh-103935: Use io.open_code() for files to be executed instead of raw open()
gh-102953: The extraction methods in tarfile, and shutil.unpack_archive(), have \ 
a new a filter argument that allows limiting tar features than may be surprising \ 
or dangerous, such as creating files outside the destination directory. See \ 
Extraction filters for details.
gh-101997: Upgrade pip wheel bundled with ensurepip (pip 23.0.1)

Windows
gh-100180: Update Windows installer to OpenSSL 1.1.1s

macOS
gh-103142: Update macOS installer to use OpenSSL 1.1.1u.

Log message:
python39 py39-html-docs: updated to 3.9.16

Python 3.9.16 final

Security
gh-100001: python -m http.server no longer allows terminal control characters \ 
sent within a garbage request to be printed to the stderr server log.

This is done by changing the http.server BaseHTTPRequestHandler .log_message \ 
method to replace control characters with a \xHH hex escape before printing.
gh-87604: Avoid publishing list of active per-interpreter audit hooks via the gc \ 
module
gh-98433: The IDNA codec decoder used on DNS hostnames by socket or asyncio \ 
related name resolution functions no longer involves a quadratic algorithm. This \ 
prevents a potential CPU denial of service if an out-of-spec excessive length \ 
hostname involving bidirectional characters were decoded. Some protocols such as \ 
urllib http 3xx redirects potentially allow for an attacker to supply such a \ 
name.
gh-98739: Update bundled libexpat to 2.5.0
gh-98517: Port XKCP’s fix for the buffer overflows in SHA-3 (CVE-2022-37454).
gh-97514: On Linux the multiprocessing module returns to using filesystem backed \ 
unix domain sockets for communication with the forkserver process instead of the \ 
Linux abstract socket namespace. Only code that chooses to use the \ 
“forkserver” start method is affected.

Abstract sockets have no permissions and could allow any user on the system in \ 
the same network namespace (often the whole system) to inject code into the \ 
multiprocessing forkserver process. This was a potential privilege escalation. \ 
Filesystem based socket permissions restrict this to the forkserver process user \ 
as was the default in Python 3.8 and earlier.

This prevents Linux CVE-2022-42919.
gh-68966: The deprecated mailcap module now refuses to inject unsafe text \ 
(filenames, MIME types, parameters) into shell commands. Instead of using such \ 
text, it will warn and act as if a match was not found (or for test commands, as \ 
if the test failed).

Log message:
python39 py39-html-docs: updated to 3.9.15

Python 3.9.15

Security

gh-97616: Fix multiplying a list by an integer (list *= int): detect the integer \ 
overflow when the new allocated length is close to the maximum size. Issue \ 
reported by Jordan Limor. Patch by Victor Stinner.
gh-97612: Fix a shell code injection vulnerability in the \ 
get-remote-certificate.py example script. The script no longer uses a shell to \ 
run openssl commands. Issue reported and initial fix by Caleb Shortt. Patch by \ 
Victor Stinner.
Core and Builtins
gh-96848: Fix command line parsing: reject -X int_max_str_digits option with no \ 
value (invalid) when the PYTHONINTMAXSTRDIGITS environment variable is set to a \ 
valid limit. Patch by Victor Stinner.
gh-95778: When ValueError is raised if an integer is larger than the limit, \ 
mention the sys.set_int_max_str_digits() function in the error message. Patch by \ 
Victor Stinner.

Library

gh-97005: Update bundled libexpat to 2.4.9

Windows

gh-96577: Fixes a potential buffer overrun in msilib.

macOS

gh-97897: The macOS 13 SDK includes support for the mkfifoat and mknodat system \ 
calls. Using the dir_fd option with either os.mkfifo() or os.mknod() could \ 
result in a segfault if cpython is built with the macOS 13 SDK but run on an \ 
earlier version of macOS. Prevent this by adding runtime support for detection \ 
of these system calls (“weaklinking”) as is done for other newer syscalls on \ 
macOS.

Log message:
python39 py39-html-docs: updated to 3.9.14

Python 3.9.14

Security
gh-95778: Converting between int and str in bases other than 2 (binary), 4, 8 \ 
(octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now raises a \ 
ValueError if the number of digits in string form is above a limit to avoid \ 
potential denial of service attacks due to the algorithmic complexity. This is a \ 
mitigation for CVE-2020-10735.

This new limit can be configured or disabled by environment variable, command \ 
line flag, or sys APIs. See the integer string conversion length limitation \ 
documentation. The default limit is 4300 digits in string form.

Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with feedback \ 
from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and Mark Dickinson.
gh-87389: http.server: Fix an open redirection vulnerability in the HTTP server \ 
when an URI path starts with //. Vulnerability discovered, and initial fix \ 
proposed, by Hamza Avvan.

Core and Builtins
gh-93065: Fix contextvars HAMT implementation to handle iteration over deep trees.

The bug was discovered and fixed by Eli Libman. See MagicStack/immutables#84 for \ 
more details.

Library
gh-94821: Fix binding of unix socket to empty address on Linux to use an \ 
available address from the abstract namespace, instead of “0”.
gh-91810: Suppress writing an XML declaration in open files in \ 
ElementTree.write() with encoding='unicode' and xml_declaration=None.
bpo-45393: Fix the formatting for await x and not x in the operator precedence \ 
table when using the help() system.
bpo-46197: Fix ensurepip environment isolation for subprocess running pip.

Tests
gh-95280: Fix problem with test_ssl test_get_ciphers on systems that require \ 
perfect forward secrecy (PFS) ciphers.
gh-94208: test_ssl is now checking for supported TLS version and protocols in \ 
more tests.
bpo-47016: Create a GitHub Actions workflow for verifying bundled pip and \ 
setuptools. Patch by Illia Volochii and Adam Turner.

Log message:
python39 py39-html-docs: updated to 3.9.13

Python 3.9.13

Core and Builtins

gh-92311: Fixed a bug where setting frame.f_lineno to jump over a list \ 
comprehension could misbehave or crash.
gh-92112: Fix crash triggered by an evil custom mro() on a metaclass.
gh-92036: Fix a crash in subinterpreters related to the garbage collector. When \ 
a subinterpreter is deleted, untrack all objects tracked by its GC. To prevent a \ 
crash in deallocator functions expecting objects to be tracked by the GC, leak a \ 
strong reference to these objects on purpose, so they are never deleted and \ 
their deallocator functions are not called. Patch by Victor Stinner.
gh-91421: Fix a potential integer overflow in _Py_DecodeUTF8Ex.
bpo-46775: Some Windows system error codes(>= 10000) are now mapped into the \ 
correct errno and may now raise a subclass of OSError. Patch by Dong-hee Na.
bpo-46962: Classes and functions that unconditionally declared their docstrings \ 
ignoring the --without-doc-strings compilation flag no longer do so.

The classes affected are pickle.PickleBuffer, testcapi.RecursingInfinitelyError, \ 
and types.GenericAlias.

The functions affected are 24 methods in ctypes.

Patch by Oleg Iarygin.
bpo-36819: Fix crashes in built-in encoders with error handlers that return \ 
position less or equal than the starting position of non-encodable characters.

Library

gh-91581: utcfromtimestamp() no longer attempts to resolve fold in the pure \ 
Python implementation, since the fold is never 1 in UTC. In addition to being \ 
slightly faster in the common case, this also prevents some errors when the \ 
timestamp is close to datetime.min. Patch by Paul Ganssle.
gh-92530: Fix an issue that occurred after interrupting threading.Condition.notify().
gh-92049: Forbid pickling constants re._constants.SUCCESS etc. Previously, \ 
pickling did not fail, but the result could not be unpickled.
bpo-47029: Always close the read end of the pipe used by multiprocessing.Queue \ 
after the last write of buffered data to the write end of the pipe to avoid \ 
BrokenPipeError at garbage collection and at multiprocessing.Queue.close() \ 
calls. Patch by Géry Ogam.
gh-91910: Add missing f prefix to f-strings in error messages from the \ 
multiprocessing and asyncio modules.
gh-91810: ElementTree method write() and function tostring() now use the text \ 
file’s encoding (“UTF-8” if not available) instead of locale encoding in \ 
XML declaration when encoding="unicode" is specified.
gh-91832: Add required attribute to argparse.Action repr output.
gh-91734: Fix OSS audio support on Solaris.
gh-91700: Compilation of regular expression containing a conditional expression \ 
(?(group)...) now raises an appropriate re.error if the group number refers to \ 
not defined group. Previously an internal RuntimeError was raised.
gh-91676: Fix unittest.IsolatedAsyncioTestCase to shutdown the per test event \ 
loop executor before returning from its run method so that a not yet stopped or \ 
garbage collected executor state does not persist beyond the test.
gh-90568: Parsing \N escapes of Unicode Named Character Sequences in a regular \ 
expression raises now re.error instead of TypeError.
gh-91595: Fix the comparison of character and integer inside \ 
Tools.gdb.libpython.write_repr(). Patch by Yu Liu.
gh-90622: Worker processes for concurrent.futures.ProcessPoolExecutor are no \ 
longer spawned on demand (a feature added in 3.9) when the multiprocessing \ 
context start method is "fork" as that can lead to deadlocks in the \ 
child processes due to a fork happening while threads are running.
gh-91575: Update case-insensitive matching in the re module to the latest \ 
Unicode version.
gh-91581: Remove an unhandled error case in the C implementation of calls to \ 
datetime.fromtimestamp with no time zone (i.e. getting a local time from an \ 
epoch timestamp). This should have no user-facing effect other than giving a \ 
possibly more accurate error message when called with timestamps that fall on \ 
10000-01-01 in the local time. Patch by Paul Ganssle.
bpo-34480: Fix a bug where _markupbase raised an UnboundLocalError when an \ 
invalid keyword was found in marked section. Patch by Marek Suscak.
bpo-27929: Fix asyncio.loop.sock_connect() to only resolve names for \ 
socket.AF_INET or socket.AF_INET6 families. Resolution may not make sense for \ 
other families, like socket.AF_BLUETOOTH and socket.AF_UNIX.
bpo-43323: Fix errors in the email module if the charset itself contains \ 
undecodable/unencodable characters.
bpo-46787: Fix concurrent.futures.ProcessPoolExecutor exception memory leak
bpo-46415: Fix ipaddress.ip_{address,interface,network} raising TypeError \ 
instead of ValueError if given invalid tuple as address parameter.
bpo-44911: IsolatedAsyncioTestCase will no longer throw an exception while \ 
cancelling leaked tasks. Patch by Bar Harel.
bpo-44493: Add missing terminated NUL in sockaddr_un’s length

This was potentially observable when using non-abstract AF_UNIX datagram sockets \ 
to processes written in another programming language.
bpo-42627: Fix incorrect parsing of Windows registry proxy settings
bpo-36073: Raise ProgrammingError instead of segfaulting on recursive usage of \ 
cursors in sqlite3 converters. Patch by Sergey Fedoseev.

Documentation

gh-91888: Add a new gh role to the documentation to link to GitHub issues.
gh-91783: Document security issues concerning the use of the function \ 
shutil.unpack_archive()
gh-91547: Remove “Undocumented modules” page.
bpo-44347: Clarify the meaning of dirs_exist_ok, a kwarg of shutil.copytree().
bpo-38668: Update the introduction to documentation for os.path to remove \ 
warnings that became irrelevant after the implementations of PEP 383 and PEP \ 
529.
bpo-47138: Pin Jinja to a version compatible with Sphinx version 2.4.4.
bpo-46962: All docstrings in code snippets are now wrapped into PyDoc_STR() to \ 
follow the guideline of PEP 7’s Documentation Strings paragraph. Patch by Oleg \ 
Iarygin.
bpo-26792: Improve the docstrings of runpy.run_module() and runpy.run_path(). \ 
Original patch by Andrew Brezovsky.
bpo-45790: Adjust inaccurate phrasing in Defining Extension Types: Tutorial \ 
about the ob_base field and the macros used to access its contents.
bpo-42340: Document that in some circumstances KeyboardInterrupt may cause the \ 
code to enter an inconsistent state. Provided a sample workaround to avoid it if \ 
needed.
bpo-41233: Link the errnos referenced in Doc/library/exceptions.rst to their \ 
respective section in Doc/library/errno.rst, and vice versa. Previously this was \ 
only done for EINTR and InterruptedError. Patch by Yan “yyyyyyyan” Orestes.
bpo-38056: Overhaul the Error Handlers documentation in codecs.
bpo-13553: Document tkinter.Tk args.

Tests

gh-91607: Fix test_concurrent_futures to test the correct multiprocessing start \ 
method context in several cases where the test logic mixed this up.
bpo-47205: Skip test for sched_getaffinity() and sched_setaffinity() error case \ 
on FreeBSD.
bpo-29890: Add tests for ipaddress.IPv4Interface and ipaddress.IPv6Interface \ 
construction with tuple arguments. Original patch and tests by louisom.

Build

bpo-47103: Windows PGInstrument builds now copy a required DLL into the output \ 
directory, making it easier to run the profile stage of a PGO build.

Windows

bpo-47194: Update zlib to v1.2.12 to resolve CVE-2018-25032.
bpo-46785: Fix race condition between os.stat() and unlinking a file on Windows, \ 
by using errors codes returned by FindFirstFileW() when appropriate in \ 
win32_xstat_impl.
bpo-40859: Update Windows build to use xz-5.2.5

Tools/Demos

gh-91583: Fix regression in the code generated by Argument Clinic for functions \ 
with the defining_class parameter.

Log message:
python39 py39-html-docs: updated to 3.9.12

Python 3.9.12 final

Core and Builtins

bpo-46968: Check for the existence of the “sys/auxv.h” header in \ 
faulthandler to avoid compilation problems in systems where this header \ 
doesn’t exist. Patch by Pablo Galindo

Library

bpo-47101: hashlib.algorithms_available now lists only algorithms that are \ 
provided by activated crypto providers on OpenSSL 3.0. Legacy algorithms are not \ 
listed unless the legacy provider has been loaded into the default OSSL context.
bpo-23691: Protect the re.finditer() iterator from re-entering.
bpo-42369: Fix thread safety of zipfile._SharedFile.tell() to avoid a \ 
“zipfile.BadZipFile: Bad CRC-32 for file” exception when reading a ZipFile \ 
from multiple threads.
bpo-38256: Fix binascii.crc32() when it is compiled to use zlib’c crc32 to \ 
work properly on inputs 4+GiB in length instead of returning the wrong result. \ 
The workaround prior to this was to always feed the function data in increments \ 
smaller than 4GiB or to just call the zlib module function.
bpo-39394: A warning about inline flags not at the start of the regular \ 
expression now contains the position of the flag.
bpo-47061: Deprecate the various modules listed by PEP 594:
aifc, asynchat, asyncore, audioop, cgi, cgitb, chunk, crypt, imghdr, msilib, \ 
nntplib, nis, ossaudiodev, pipes, smtpd, sndhdr, spwd, sunau, telnetlib, uu, \ 
xdrlib
bpo-2604: Fix bug where doctests using globals would fail when run multiple times.
bpo-45997: Fix asyncio.Semaphore re-aquiring FIFO order.
bpo-47022: The asynchat, asyncore and smtpd modules have been deprecated since \ 
at least Python 3.6. Their documentation has now been updated to note they will \ 
removed in Python 3.12 (PEP 594).
bpo-46421: Fix a unittest issue where if the command was invoked as python -m \ 
unittest and the filename(s) began with a dot (.), a ValueError is returned.
bpo-40296: Fix supporting generic aliases in pydoc.
bpo-14156: argparse.FileType now supports an argument of ‘-’ in binary mode, \ 
returning the .buffer attribute of sys.stdin/sys.stdout as appropriate. Modes \ 
including ‘x’ and ‘a’ are treated equivalently to ‘w’ when argument \ 
is ‘-’. Patch contributed by Josh Rosenberg

Log message:
python39 py39-html-docs: updated to 3.9.11

Python 3.9.11 final

Core and Builtins

bpo-46852: Rename the private undocumented float.__set_format__() method to \ 
float.__setformat__() to fix a typo introduced in Python 3.7. The method is only \ 
used by test_float. Patch by Victor Stinner.
bpo-46794: Bump up the libexpat version into 2.4.6
bpo-46762: Fix an assert failure in debug builds when a ‘<’, ‘>’, \ 
or ‘=’ is the last character in an f-string that’s missing a closing right \ 
brace.
bpo-46732: Correct the docstring for the __bool__() method. Patch by Jelle Zijlstra.
bpo-40479: Add a missing call to va_end() in Modules/_hashopenssl.c.
bpo-46615: When iterating over sets internally in setobject.c, acquire strong \ 
references to the resulting items from the set. This prevents crashes in \ 
corner-cases of various set operations where the set gets mutated.
bpo-43721: Fix docstrings of getter, setter, and deleter to clarify that they \ 
create a new copy of the property.
bpo-46503: Fix an assert when parsing some invalid N escape sequences in f-strings.
bpo-46417: Fix a race condition on setting a type __bases__ attribute: the \ 
internal function add_subclass() now gets the PyTypeObject.tp_subclasses member \ 
after calling PyWeakref_NewRef() which can trigger a garbage collection which \ 
can indirectly modify PyTypeObject.tp_subclasses. Patch by Victor Stinner.
bpo-46383: Fix invalid signature of _zoneinfo’s module_free function to \ 
resolve a crash on wasm32-emscripten platform.

Library

bpo-43253: Fix a crash when closing transports where the underlying socket \ 
handle is already invalid on the Proactor event loop.
bpo-47004: Apply bugfixes from importlib_metadata 4.11.3, including bugfix for \ 
EntryPoint.extras, which was returning match objects and not the extras strings.
bpo-46985: Upgrade pip wheel bundled with ensurepip (pip 22.0.4)
bpo-46968: faulthandler: On Linux 5.14 and newer, dynamically determine size of \ 
signal handler stack size CPython allocates using getauxval(AT_MINSIGSTKSZ). \ 
This changes allows for Python extension’s request to Linux kernel to use \ 
AMX_TILE instruction set on Sapphire Rapids Xeon processor to succeed, \ 
unblocking use of the ISA in frameworks.
bpo-46955: Expose asyncio.base_events.Server as asyncio.Server. Patch by Stefan \ 
Zabka.
bpo-46932: Update bundled libexpat to 2.4.7
bpo-25707: Fixed a file leak in xml.etree.ElementTree.iterparse() when the \ 
iterator is not exhausted. Patch by Jacob Walls.
bpo-44886: Inherit asyncio proactor datagram transport from \ 
asyncio.DatagramTransport.
bpo-46827: Support UDP sockets in asyncio.loop.sock_connect() for selector-based \ 
event loops. Patch by Thomas Grainger.
bpo-46811: Make test suite support Expat >=2.4.5
bpo-46252: Raise TypeError if ssl.SSLSocket is passed to transport-based APIs.
bpo-46784: Fix libexpat symbols collisions with user dynamically loaded or \ 
statically linked libexpat in embedded Python.
bpo-39327: shutil.rmtree() can now work with VirtualBox shared folders when \ 
running from the guest operating-system.
bpo-46756: Fix a bug in urllib.request.HTTPPasswordMgr.find_user_password() and \ 
urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which allowed to \ 
bypass authorization. For example, access to URI example.org/foobar was allowed \ 
if the user was authorized for URI example.org/foo.
bpo-45863: When the tarfile module creates a pax format archive, it will put an \ 
integer representation of timestamps in the ustar header (if possible) for the \ 
benefit of older unarchivers, in addition to the existing full-precision \ 
timestamps in the pax extended header.
bpo-46672: Fix NameError in asyncio.gather() when initial type check fails.
bpo-45948: Fixed a discrepancy in the C implementation of the \ 
xml.etree.ElementTree module. Now, instantiating an \ 
xml.etree.ElementTree.XMLParser with a target=None keyword provides a default \ 
xml.etree.ElementTree.TreeBuilder target as the Python implementation does.
bpo-46591: Make the IDLE doc URL on the About IDLE dialog clickable.
bpo-46400: expat: Update libexpat from 2.4.1 to 2.4.4
bpo-46487: Add the get_write_buffer_limits method to \ 
asyncio.transports.WriteTransport and to the SSL transport.
bpo-46539: In typing.get_type_hints(), support evaluating stringified ClassVar \ 
and Final annotations inside Annotated. Patch by Gregory Beauregard.
bpo-46491: Allow typing.Annotated to wrap typing.Final and typing.ClassVar. \ 
Patch by Gregory Beauregard.
bpo-46436: Fix command-line option -d/--directory in module http.server which is \ 
ignored when combined with command-line option --cgi. Patch by Géry Ogam.
bpo-41403: Make mock.patch() raise a TypeError with a relevant error message on \ 
invalid arg. Previously it allowed a cryptic AttributeError to escape.
bpo-46474: In importlib.metadata.EntryPoint.pattern, avoid potential REDoS by \ 
limiting ambiguity in consecutive whitespace.
bpo-46469: asyncio generic classes now return types.GenericAlias in \ 
__class_getitem__ instead of the same class.
bpo-46434: pdb now gracefully handles help when __doc__ is missing, for example \ 
when run with pregenerated optimized .pyc files.
bpo-46333: The __eq__() and __hash__() methods of typing.ForwardRef now honor \ 
the module parameter of typing.ForwardRef. Forward references from different \ 
modules are now differentiated.
bpo-43118: Fix a bug in inspect.signature() that was causing it to fail on some \ 
subclasses of classes with a __text_signature__ referencing module globals. \ 
Patch by Weipeng Hong.
bpo-21987: Fix an issue with tarfile.TarFile.getmember() getting a directory \ 
name with a trailing slash.
bpo-20392: Fix inconsistency with uppercase file extensions in \ 
MimeTypes.guess_type(). Patch by Kumar Aditya.
bpo-46080: Fix exception in argparse help text generation if a \ 
argparse.BooleanOptionalAction argument’s default is argparse.SUPPRESS and it \ 
has help specified. Patch by Felix Fontein.
bpo-44439: Fix .write() method of a member file in ZipFile, when the input data \ 
is an object that supports the buffer protocol, the file length may be wrong.
bpo-45703: When a namespace package is imported before another module from the \ 
same namespace is created/installed in a different sys.path location while the \ 
program is running, calling the importlib.invalidate_caches() function will now \ 
also guarantee the new module is noticed.
bpo-24959: Fix bug where unittest sometimes drops frames from tracebacks of \ 
exceptions raised in tests.

Documentation

bpo-46463: Fixes escape4chm.py script used when building the CHM documentation file

Tests

bpo-46913: Fix test_faulthandler.test_sigfpe() if Python is built with undefined \ 
behavior sanitizer (UBSAN): disable UBSAN on the faulthandler_sigfpe() function. \ 
Patch by Victor Stinner.
bpo-46708: Prevent default asyncio event loop policy modification warning after \ 
test_asyncio execution.
bpo-46616: Ensures test_importlib.test_windows cleans up registry keys after \ 
completion.
bpo-44359: test_ftplib now silently ignores socket errors to prevent logging \ 
unhandled threading exceptions. Patch by Victor Stinner.
bpo-46542: Fix a Python crash in test_lib2to3 when using Python built in debug \ 
mode: limit the recursion limit. Patch by Victor Stinner.
bpo-46576: test_peg_generator now disables compiler optimization when testing \ 
compilation of its own C extensions to significantly speed up the testing on \ 
non-debug builds of CPython.
bpo-46542: Fix test_json tests checking for RecursionError: modify these tests \ 
to use support.infinite_recursion(). Patch by Victor Stinner.
bpo-13886: Skip test_builtin PTY tests on non-ASCII characters if the readline \ 
module is loaded. The readline module changes input() behavior, but test_builtin \ 
is not intented to test the readline module. Patch by Victor Stinner.

Build

bpo-47024: Update OpenSSL to 1.1.1n for macOS installers and all Windows builds.
bpo-38472: Fix GCC detection in setup.py when cross-compiling. The C compiler is \ 
now run with LC_ALL=C. Previously, the detection failed with a German locale.
bpo-46513: configure no longer uses AC_C_CHAR_UNSIGNED macro and pyconfig.h no \ 
longer defines reserved symbol __CHAR_UNSIGNED__.
bpo-45925: Update Windows installer to use SQLite 3.37.2.
bpo-47032: Ensure Windows install builds fail correctly with a non-zero exit \ 
code when part of the build fails.

Windows

bpo-44549: Update bzip2 to 1.0.8 in Windows builds to mitigate CVE-2016-3189 and \ 
CVE-2019-12900
bpo-46948: Prevent CVE-2022-26488 by ensuring the Add to PATH option in the \ 
Windows installer uses the correct path when being repaired.
bpo-46638: Ensures registry virtualization is consistently disabled. For 3.10 \ 
and earlier, it remains enabled (some registry writes are protected), while for \ 
3.11 and later it is disabled (registry modifications affect all applications).
macOS
bpo-45925: Update macOS installer to SQLite 3.37.2.

IDLE

bpo-46630: Make query dialogs on Windows start with a cursor in the entry box.
bpo-45296: Clarify close, quit, and exit in IDLE. In the File menu, ‘Close’ \ 
and ‘Exit’ are now ‘Close Window’ (the current one) and ‘Exit’ is \ 
now ‘Exit IDLE’ (by closing all windows). In Shell, ‘quit()’ and \ 
‘exit()’ mean ‘close Shell’. If there are no other windows, this also \ 
exits IDLE.
bpo-45447: Apply IDLE syntax highlighting to pyi files. Patch by Alex Waygood \ 
and Terry Jan Reedy.

Log message:
python39 py39-html-docs: updated to 3.9.10

Python 3.9.10 final

Core and Builtins

bpo-46070: Py_EndInterpreter() now explicitly untracks all objects currently \ 
tracked by the GC. Previously, if an object was used later by another \ 
interpreter, calling PyObject_GC_UnTrack() on the object crashed if the previous \ 
or the next object of the PyGC_Head structure became a dangling pointer. Patch \ 
by Victor Stinner.
bpo-46085: Fix iterator cache mechanism of OrderedDict.
bpo-46110: Add a maximum recursion check to the PEG parser to avoid stack \ 
overflow. Patch by Pablo Galindo
bpo-46000: Improve compatibility of the curses module with NetBSD curses.
bpo-45614: Fix traceback display for exceptions with invalid module name.
bpo-45806: Re-introduced fix that allows recovery from stack overflow without \ 
crashing the interpreter. The original fix as part of bpo-42500 was reverted \ 
(see release notes for Python 3.9.4) since it introduced an ABI change in a \ 
bugfix release which is not allowed. The new fix doesn’t introduce any ABI \ 
changes. Patch by Mark Shannon.
bpo-45822: Fixed a bug in the parser that was causing it to not respect PEP 263 \ 
coding cookies when no flags are provided. Patch by Pablo Galindo
bpo-45820: Fix a segfault when the parser fails without reading any input. Patch \ 
by Pablo Galindo
bpo-42540: Fix crash when os.fork() is called with an active non-default memory \ 
allocator.

Library

bpo-40479: Fix hashlib usedforsecurity option to work correctly with OpenSSL \ 
3.0.0 in FIPS mode.
bpo-46070: Fix possible segfault when importing the asyncio module from \ 
different sub-interpreters in parallel. Patch by Erlend E. Aasland.
bpo-46278: Reflect context argument in AbstractEventLoop.call_*() methods. Loop \ 
implementations already support it.
bpo-46239: Improve error message when importing asyncio.windows_events on \ 
non-Windows.
bpo-20369: concurrent.futures.wait() no longer blocks forever when given \ 
duplicate Futures. Patch by Kumar Aditya.
bpo-46105: Honor spec when generating requirement specs with urls and extras \ 
(importlib_metadata 4.8.3).
bpo-26952: argparse raises ValueError with clear message when trying to render \ 
usage for an empty mutually-exclusive group. Previously it raised a cryptic \ 
IndexError.
bpo-27718: Fix help for the signal module. Some functions (e.g. signal() and \ 
getsignal()) were omitted.
bpo-46032: The registry() method of functools.singledispatch() functions checks \ 
now the first argument or the first parameter annotation and raises a TypeError \ 
if it is not supported. Previously unsupported “types” were ignored (e.g. \ 
typing.List[int]) or caused an error at calling time (e.g. list[int]).
bpo-46018: Ensure that math.expm1() does not raise on underflow.
bpo-27946: Fix possible crash when getting an attribute of \ 
class:xml.etree.ElementTree.Element simultaneously with replacing the attrib \ 
dict.
bpo-13236: unittest.TextTestResult and unittest.TextTestRunner flush now the \ 
output stream more often.
bpo-37658: Fix issue when on certain conditions asyncio.wait_for() may allow a \ 
coroutine to complete successfully, but fail to return the result, potentially \ 
causing memory leaks or other issues.
bpo-45831: faulthandler can now write ASCII-only strings (like filenames and \ 
function names) with a single write() syscall when dumping a traceback. It \ 
reduces the risk of getting an unreadable dump when two threads or two processes \ 
dump a traceback to the same file (like stderr) at the same time. Patch by \ 
Victor Stinner.
bpo-41735: Fix thread lock in zlib.Decompress.flush() method before \ 
PyObject_GetBuffer.
bpo-45664: Fix types.resolve_bases() and types.new_class() for \ 
types.GenericAlias instance as a base.
bpo-45663: Fix dataclasses.is_dataclass() for dataclasses which are subclasses \ 
of types.GenericAlias.
bpo-45662: Fix the repr of dataclasses.InitVar with a type alias to the built-in \ 
class, e.g. InitVar[list[int]].
bpo-43498: Avoid a possible “RuntimeError: dictionary changed size during \ 
iteration” when adjusting the process count of ProcessPoolExecutor.
bpo-29620: assertWarns() no longer raises a RuntimeException when accessing a \ 
module’s __warningregistry__ causes importation of a new module, or when a new \ 
module is imported in another thread. Patch by Kernc.

Documentation

bpo-19737: Update the documentation for the globals() function.
bpo-45840: Improve cross-references in the documentation for the data model.
bpo-45788: Link doc for sys.prefix to sysconfig doc on installation paths.
bpo-25381: In the extending chapter of the extending doc, update a paragraph \ 
about the global variables containing exception information.
bpo-43905: Expanded astuple() and asdict() docs, warning about deepcopy being \ 
applied and providing a workaround.
bpo-41028: Language and version switchers, previously maintained in every \ 
cpython branches, are now handled by docsbuild-script.

Tests

bpo-46205: Fix hang in runtest_mp due to race condition
bpo-46263: Fix test_capi on FreeBSD 14-dev: instruct jemalloc to not fill freed \ 
memory with junk byte.
bpo-46150: Now fakename in test_pathlib.PosixPathTest.test_expanduser is checked \ 
to be non-existent.
bpo-46129: Rewrite asyncio.locks tests with unittest.IsolatedAsyncioTestCase usage.
bpo-23819: Fixed asyncio tests in python optimized mode. Patch by Kumar Aditya.
bpo-46114: Fix test case for OpenSSL 3.0.1 version. OpenSSL 3.0 uses 0xMNN00PP0L.
bpo-19460: Add new Test for email.mime.nonmultipart.MIMENonMultipart.
bpo-45835: Fix race condition in test_queue tests with multiple “feeder” threads.

Build

bpo-46263: configure no longer sets MULTIARCH on FreeBSD platforms.
bpo-46106: Updated OpenSSL to 1.1.1m in Windows builds, macOS installer builds, \ 
and CI. Patch by Kumar Aditya.
bpo-44035: CI now verifies that autoconf files have been regenerated with a \ 
current and unpatched autoconf package.
bpo-33393: Update config.guess to 2021-06-03 and config.sub to 2021-08-14. \ 
Makefile now has an update-config target to make updating more convenient.
bpo-45866: make regen-all now produces the same output when run from a directory \ 
other than the source tree: when building Python out of the source tree. pegen \ 
now strips directory of the “generated by pygen from <FILENAME>” \ 
header Patch by Victor Stinner.
bpo-41498: Python now compiles on platforms without sigset_t. Several functions \ 
in signal are not available when sigset_t is missing.
bpo-45881: setup.py now uses CC from environment first to discover multiarch and \ 
cross compile paths.

Windows

bpo-45901: When installed through the Microsoft Store and set as the default app \ 
for *.py files, command line arguments will now be passed to Python when \ 
invoking a script without explicitly launching Python (that is, script.py args \ 
rather than python script.py args).

macOS

bpo-40477: The Python Launcher app for macOS now properly launches scripts and, \ 
if necessary, the Terminal app when running on recent macOS releases.
bpo-45732: Update python.org macOS installer to use Tcl/Tk 8.6.12.

Tools/Demos

bpo-45838: Fix line number calculation when debugging Python with GDB.

C API

bpo-39026: Fix Python.h to build C extensions with Xcode: remove a relative \ 
include from Include/cpython/pystate.h.