Subject: CVS commit: pkgsrc/lang
From: Adam Ciarcinski
Date: 2021-04-03 08:22:06
Message id: 20210403062206.B2E6CFA95@cvs.NetBSD.org
Log Message:
python38: updated to 3.8.9
Python 3.8.9 final
Security
bpo-42988: CVE-2021-3426: Remove the getfile feature of the pydoc module which
could be abused to read arbitrary files on the disk (directory traversal
vulnerability). Moreover, even source code of Python modules can contain
sensitive data like passwords. Vulnerability reported by David Schwörer.
bpo-43285: ftplib no longer trusts the IP address value returned from the server
in response to the PASV command by default. This prevents a malicious FTP server
from using the response to probe IPv4 address and port combinations on the
client network.
Code that requires the former vulnerable behavior may set a
trust_server_pasv_ipv4_address attribute on their ftplib.FTP instances to True
to re-enable it.
bpo-43439: Add audit hooks for gc.get_objects(), gc.get_referrers() and
gc.get_referents(). Patch by Pablo Galindo.
Core and Builtins
bpo-43660: Fix crash that happens when replacing sys.stderr with a callable that
can remove the object while an exception is being printed. Patch by Pablo
Galindo.
bpo-35883: Python no longer fails at startup with a fatal error if a command
line argument contains an invalid Unicode character. The Py_DecodeLocale()
function now escapes byte sequences which would be decoded as Unicode characters
outside the [U+0000; U+10ffff] range.
bpo-43406: Fix a possible race condition where PyErr_CheckSignals tries to
execute a non-Python signal handler.
Library
bpo-35930: Raising an exception raised in a “future” instance will create
reference cycles.
bpo-43577: Fix deadlock when using ssl.SSLContext debug callback with
ssl.SSLContext.sni_callback().
bpo-43423: subprocess.communicate() no longer raises an IndexError when there is
an empty stdout or stderr IO buffer during a timeout on Windows.
bpo-27820: Fixed long-standing bug of smtplib.SMTP where doing AUTH LOGIN with
initial_response_ok=False will fail.
The cause is that SMTP.auth_login _always_ returns a password if provided with a
challenge string, thus non-compliant with the standard for AUTH LOGIN.
Also fixes bug with the test for smtpd.
bpo-43399: Fix ElementTree.extend not working on iterators when using the Python
implementation
bpo-43316: The python -m gzip command line application now properly fails when
detecting an unsupported extension. It exits with a non-zero exit code and
prints an error message to stderr.
bpo-43260: Fix TextIOWrapper can not flush internal buffer forever after very
large text is written.
bpo-42782: Fail fast in shutil.move() to avoid creating destination directories
on failure.
bpo-37193: Fixed memory leak in socketserver.ThreadingMixIn introduced in Python 3.7.
Documentation
bpo-43199: Answer “Why is there no goto?” in the Design and History FAQ.
bpo-43407: Clarified that a result from time.monotonic(), time.perf_counter(),
time.process_time(), or time.thread_time() can be compared with the result from
any following call to the same function - not just the next immediate call.
bpo-27646: Clarify that ‘yield from <expr>’ works with any iterable,
not just iterators.
bpo-36346: Update some deprecated unicode APIs which are documented as “will
be removed in 4.0” to “3.12”. See PEP 623 for detail.
Tests
bpo-37945: Fix test_getsetlocale_issue1813() of test_locale: skip the test if
setlocale() fails. Patch by Victor Stinner.
bpo-41561: Add workaround for Ubuntu’s custom OpenSSL security level policy.
Build
bpo-43631: Update macOS, Windows, and CI to OpenSSL 1.1.1k.
bpo-43617: Improve configure.ac: Check for presence of autoconf-archive package
and remove our copies of M4 macros.
macOS
bpo-41837: Update macOS installer build to use OpenSSL 1.1.1j.
IDLE
bpo-42225: Document that IDLE can fail on Unix either from misconfigured IP
masquerade rules or failure displaying complex colored (non-ascii) characters.
bpo-43283: Document why printing to IDLE’s Shell is often slower than printing
to a system terminal and that it can be made faster by pre-formatting a single
string before printing.
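
Added example (not part of the commit message or of the CPython/pkgsrc sources): an offline check of the bpo-43285 ftplib change on the installed interpreter. The addresses, the PASV reply and the helper names (OfflineFTP, data_endpoint, audit) are constructed for illustration; the stub replaces the control socket so nothing touches the network.

```python
import ftplib
import socket

# Constructed sample: the control connection is to 203.0.113.10, but the PASV
# reply advertises an internal address, 10.0.0.5, port 8080 (31*256 + 144).
CONTROL_PEER = ("203.0.113.10", 21)
PASV_REPLY = "227 Entering Passive Mode (10,0,0,5,31,144)."


class _StubSocket:
    """Stands in for the control socket; makepasv() only needs getpeername()."""

    def getpeername(self):
        return CONTROL_PEER


class OfflineFTP(ftplib.FTP):
    """FTP client whose PASV command is answered from PASV_REPLY (no network)."""

    def sendcmd(self, cmd):
        if cmd != "PASV":
            raise ftplib.error_proto("unexpected command: " + cmd)
        return PASV_REPLY


def data_endpoint(trust_server_address):
    """Return the (host, port) ftplib would use for the data connection."""
    ftp = OfflineFTP()             # no host argument, so nothing is connected
    ftp.sock = _StubSocket()
    ftp.af = socket.AF_INET        # IPv4 control connection: PASV, not EPSV
    if trust_server_address:
        # Opt back in to the pre-3.8.9 behaviour, as the log message describes.
        ftp.trust_server_pasv_ipv4_address = True
    return ftp.makepasv()


def audit(reply, control_peer):
    """Report a PASV reply whose advertised host is not the control peer."""
    host, port = ftplib.parse227(reply)
    return {"advertised": (host, port), "mismatch": host != control_peer[0]}


if __name__ == "__main__":
    print("default     :", data_endpoint(False))
    print("trust=True  :", data_endpoint(True))
    print("audit       :", audit(PASV_REPLY, CONTROL_PEER))
```

On an interpreter that carries the fix, the default case keeps the control connection's peer address and takes only the port from the reply; the audit helper shows the kind of mismatch worth logging before enabling the attribute for a legacy server.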
Files: