./lang/python39, Interpreted, interactive, object-oriented programming language

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]

Branch: CURRENT, Version: 3.9.16, Package name: python39-3.9.16, Maintainer: pkgsrc-users

Python is an interpreted, interactive, object-oriented
programming language that combines remarkable power with
very clear syntax. For an introduction to programming in
Python you are referred to the Python Tutorial. The
Python Library Reference documents built-in and standard
types, constants, functions and modules. Finally, the
Python Reference Manual describes the syntax and semantics
of the core language in (perhaps too) much detail.

Python's basic power can be extended with your own modules
written in C or C++. On most systems such modules may be
dynamically loaded. Python is also adaptable as an exten-
sion language for existing applications. See the internal
documentation for hints.

This package provides Python version 3.9.x.

Package options: x11

Master sites:

Filesize: 19276.168 KB

Version history: (Expand)

CVS history: (Expand)

   2022-12-07 12:52:44 by Adam Ciarcinski | Files touched by this commit (4) | Package updated
Log message:
python39 py39-html-docs: updated to 3.9.16

Python 3.9.16 final

gh-100001: python -m http.server no longer allows terminal control characters \ 
sent within a garbage request to be printed to the stderr server log.

This is done by changing the http.server BaseHTTPRequestHandler .log_message \ 
method to replace control characters with a \xHH hex escape before printing.
gh-87604: Avoid publishing list of active per-interpreter audit hooks via the gc \ 
gh-98433: The IDNA codec decoder used on DNS hostnames by socket or asyncio \ 
related name resolution functions no longer involves a quadratic algorithm. This \ 
prevents a potential CPU denial of service if an out-of-spec excessive length \ 
hostname involving bidirectional characters were decoded. Some protocols such as \ 
urllib http 3xx redirects potentially allow for an attacker to supply such a \ 
gh-98739: Update bundled libexpat to 2.5.0
gh-98517: Port XKCP’s fix for the buffer overflows in SHA-3 (CVE-2022-37454).
gh-97514: On Linux the multiprocessing module returns to using filesystem backed \ 
unix domain sockets for communication with the forkserver process instead of the \ 
Linux abstract socket namespace. Only code that chooses to use the \ 
“forkserver” start method is affected.

Abstract sockets have no permissions and could allow any user on the system in \ 
the same network namespace (often the whole system) to inject code into the \ 
multiprocessing forkserver process. This was a potential privilege escalation. \ 
Filesystem based socket permissions restrict this to the forkserver process user \ 
as was the default in Python 3.8 and earlier.

This prevents Linux CVE-2022-42919.
gh-68966: The deprecated mailcap module now refuses to inject unsafe text \ 
(filenames, MIME types, parameters) into shell commands. Instead of using such \ 
text, it will warn and act as if a match was not found (or for test commands, as \ 
if the test failed).
   2022-10-12 10:37:14 by Adam Ciarcinski | Files touched by this commit (4) | Package updated
Log message:
python39 py39-html-docs: updated to 3.9.15

Python 3.9.15


gh-97616: Fix multiplying a list by an integer (list *= int): detect the integer \ 
overflow when the new allocated length is close to the maximum size. Issue \ 
reported by Jordan Limor. Patch by Victor Stinner.
gh-97612: Fix a shell code injection vulnerability in the \ 
get-remote-certificate.py example script. The script no longer uses a shell to \ 
run openssl commands. Issue reported and initial fix by Caleb Shortt. Patch by \ 
Victor Stinner.
Core and Builtins
gh-96848: Fix command line parsing: reject -X int_max_str_digits option with no \ 
value (invalid) when the PYTHONINTMAXSTRDIGITS environment variable is set to a \ 
valid limit. Patch by Victor Stinner.
gh-95778: When ValueError is raised if an integer is larger than the limit, \ 
mention the sys.set_int_max_str_digits() function in the error message. Patch by \ 
Victor Stinner.


gh-97005: Update bundled libexpat to 2.4.9


gh-96577: Fixes a potential buffer overrun in msilib.


gh-97897: The macOS 13 SDK includes support for the mkfifoat and mknodat system \ 
calls. Using the dir_fd option with either os.mkfifo() or os.mknod() could \ 
result in a segfault if cpython is built with the macOS 13 SDK but run on an \ 
earlier version of macOS. Prevent this by adding runtime support for detection \ 
of these system calls (“weaklinking”) as is done for other newer syscalls on \ 
   2022-09-07 17:33:20 by Adam Ciarcinski | Files touched by this commit (6) | Package updated
Log message:
python39 py39-html-docs: updated to 3.9.14

Python 3.9.14

gh-95778: Converting between int and str in bases other than 2 (binary), 4, 8 \ 
(octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now raises a \ 
ValueError if the number of digits in string form is above a limit to avoid \ 
potential denial of service attacks due to the algorithmic complexity. This is a \ 
mitigation for CVE-2020-10735.

This new limit can be configured or disabled by environment variable, command \ 
line flag, or sys APIs. See the integer string conversion length limitation \ 
documentation. The default limit is 4300 digits in string form.

Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with feedback \ 
from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and Mark Dickinson.
gh-87389: http.server: Fix an open redirection vulnerability in the HTTP server \ 
when an URI path starts with //. Vulnerability discovered, and initial fix \ 
proposed, by Hamza Avvan.

Core and Builtins
gh-93065: Fix contextvars HAMT implementation to handle iteration over deep trees.

The bug was discovered and fixed by Eli Libman. See MagicStack/immutables#84 for \ 
more details.

gh-94821: Fix binding of unix socket to empty address on Linux to use an \ 
available address from the abstract namespace, instead of “0”.
gh-91810: Suppress writing an XML declaration in open files in \ 
ElementTree.write() with encoding='unicode' and xml_declaration=None.
bpo-45393: Fix the formatting for await x and not x in the operator precedence \ 
table when using the help() system.
bpo-46197: Fix ensurepip environment isolation for subprocess running pip.

gh-95280: Fix problem with test_ssl test_get_ciphers on systems that require \ 
perfect forward secrecy (PFS) ciphers.
gh-94208: test_ssl is now checking for supported TLS version and protocols in \ 
more tests.
bpo-47016: Create a GitHub Actions workflow for verifying bundled pip and \ 
setuptools. Patch by Illia Volochii and Adam Turner.
   2022-07-07 17:26:43 by Pierre Pronchery | Files touched by this commit (4)
Log message:
python{39,310}: fix the build when the work directory is in $PREFIX

As documented in pkg/56774, when WRKOBJDIR is in LOCALBASE (eg set to
${LOCALBASE}/work) then changes done to Python's setup.py made it
unable to locate its own built-in modules, then failing to bootstrap and

As suggested by tnn@; tested on NetBSD/amd64.

XXX pull-up to pkgsrc-2022Q2
   2022-06-30 13:19:02 by Nia Alarie | Files touched by this commit (524)
Log message:
*: Revbump packages that use Python at runtime without a PKGNAME prefix
   2022-05-18 10:07:32 by Adam Ciarcinski | Files touched by this commit (5) | Package updated
Log message:
python39 py39-html-docs: updated to 3.9.13

Python 3.9.13

Core and Builtins

gh-92311: Fixed a bug where setting frame.f_lineno to jump over a list \ 
comprehension could misbehave or crash.
gh-92112: Fix crash triggered by an evil custom mro() on a metaclass.
gh-92036: Fix a crash in subinterpreters related to the garbage collector. When \ 
a subinterpreter is deleted, untrack all objects tracked by its GC. To prevent a \ 
crash in deallocator functions expecting objects to be tracked by the GC, leak a \ 
strong reference to these objects on purpose, so they are never deleted and \ 
their deallocator functions are not called. Patch by Victor Stinner.
gh-91421: Fix a potential integer overflow in _Py_DecodeUTF8Ex.
bpo-46775: Some Windows system error codes(>= 10000) are now mapped into the \ 
correct errno and may now raise a subclass of OSError. Patch by Dong-hee Na.
bpo-46962: Classes and functions that unconditionally declared their docstrings \ 
ignoring the --without-doc-strings compilation flag no longer do so.

The classes affected are pickle.PickleBuffer, testcapi.RecursingInfinitelyError, \ 
and types.GenericAlias.

The functions affected are 24 methods in ctypes.

Patch by Oleg Iarygin.
bpo-36819: Fix crashes in built-in encoders with error handlers that return \ 
position less or equal than the starting position of non-encodable characters.


gh-91581: utcfromtimestamp() no longer attempts to resolve fold in the pure \ 
Python implementation, since the fold is never 1 in UTC. In addition to being \ 
slightly faster in the common case, this also prevents some errors when the \ 
timestamp is close to datetime.min. Patch by Paul Ganssle.
gh-92530: Fix an issue that occurred after interrupting threading.Condition.notify().
gh-92049: Forbid pickling constants re._constants.SUCCESS etc. Previously, \ 
pickling did not fail, but the result could not be unpickled.
bpo-47029: Always close the read end of the pipe used by multiprocessing.Queue \ 
after the last write of buffered data to the write end of the pipe to avoid \ 
BrokenPipeError at garbage collection and at multiprocessing.Queue.close() \ 
calls. Patch by Géry Ogam.
gh-91910: Add missing f prefix to f-strings in error messages from the \ 
multiprocessing and asyncio modules.
gh-91810: ElementTree method write() and function tostring() now use the text \ 
file’s encoding (“UTF-8” if not available) instead of locale encoding in \ 
XML declaration when encoding="unicode" is specified.
gh-91832: Add required attribute to argparse.Action repr output.
gh-91734: Fix OSS audio support on Solaris.
gh-91700: Compilation of regular expression containing a conditional expression \ 
(?(group)...) now raises an appropriate re.error if the group number refers to \ 
not defined group. Previously an internal RuntimeError was raised.
gh-91676: Fix unittest.IsolatedAsyncioTestCase to shutdown the per test event \ 
loop executor before returning from its run method so that a not yet stopped or \ 
garbage collected executor state does not persist beyond the test.
gh-90568: Parsing \N escapes of Unicode Named Character Sequences in a regular \ 
expression raises now re.error instead of TypeError.
gh-91595: Fix the comparison of character and integer inside \ 
Tools.gdb.libpython.write_repr(). Patch by Yu Liu.
gh-90622: Worker processes for concurrent.futures.ProcessPoolExecutor are no \ 
longer spawned on demand (a feature added in 3.9) when the multiprocessing \ 
context start method is "fork" as that can lead to deadlocks in the \ 
child processes due to a fork happening while threads are running.
gh-91575: Update case-insensitive matching in the re module to the latest \ 
Unicode version.
gh-91581: Remove an unhandled error case in the C implementation of calls to \ 
datetime.fromtimestamp with no time zone (i.e. getting a local time from an \ 
epoch timestamp). This should have no user-facing effect other than giving a \ 
possibly more accurate error message when called with timestamps that fall on \ 
10000-01-01 in the local time. Patch by Paul Ganssle.
bpo-34480: Fix a bug where _markupbase raised an UnboundLocalError when an \ 
invalid keyword was found in marked section. Patch by Marek Suscak.
bpo-27929: Fix asyncio.loop.sock_connect() to only resolve names for \ 
socket.AF_INET or socket.AF_INET6 families. Resolution may not make sense for \ 
other families, like socket.AF_BLUETOOTH and socket.AF_UNIX.
bpo-43323: Fix errors in the email module if the charset itself contains \ 
undecodable/unencodable characters.
bpo-46787: Fix concurrent.futures.ProcessPoolExecutor exception memory leak
bpo-46415: Fix ipaddress.ip_{address,interface,network} raising TypeError \ 
instead of ValueError if given invalid tuple as address parameter.
bpo-44911: IsolatedAsyncioTestCase will no longer throw an exception while \ 
cancelling leaked tasks. Patch by Bar Harel.
bpo-44493: Add missing terminated NUL in sockaddr_un’s length

This was potentially observable when using non-abstract AF_UNIX datagram sockets \ 
to processes written in another programming language.
bpo-42627: Fix incorrect parsing of Windows registry proxy settings
bpo-36073: Raise ProgrammingError instead of segfaulting on recursive usage of \ 
cursors in sqlite3 converters. Patch by Sergey Fedoseev.


gh-91888: Add a new gh role to the documentation to link to GitHub issues.
gh-91783: Document security issues concerning the use of the function \ 
gh-91547: Remove “Undocumented modules” page.
bpo-44347: Clarify the meaning of dirs_exist_ok, a kwarg of shutil.copytree().
bpo-38668: Update the introduction to documentation for os.path to remove \ 
warnings that became irrelevant after the implementations of PEP 383 and PEP \ 
bpo-47138: Pin Jinja to a version compatible with Sphinx version 2.4.4.
bpo-46962: All docstrings in code snippets are now wrapped into PyDoc_STR() to \ 
follow the guideline of PEP 7’s Documentation Strings paragraph. Patch by Oleg \ 
bpo-26792: Improve the docstrings of runpy.run_module() and runpy.run_path(). \ 
Original patch by Andrew Brezovsky.
bpo-45790: Adjust inaccurate phrasing in Defining Extension Types: Tutorial \ 
about the ob_base field and the macros used to access its contents.
bpo-42340: Document that in some circumstances KeyboardInterrupt may cause the \ 
code to enter an inconsistent state. Provided a sample workaround to avoid it if \ 
bpo-41233: Link the errnos referenced in Doc/library/exceptions.rst to their \ 
respective section in Doc/library/errno.rst, and vice versa. Previously this was \ 
only done for EINTR and InterruptedError. Patch by Yan “yyyyyyyan” Orestes.
bpo-38056: Overhaul the Error Handlers documentation in codecs.
bpo-13553: Document tkinter.Tk args.


gh-91607: Fix test_concurrent_futures to test the correct multiprocessing start \ 
method context in several cases where the test logic mixed this up.
bpo-47205: Skip test for sched_getaffinity() and sched_setaffinity() error case \ 
on FreeBSD.
bpo-29890: Add tests for ipaddress.IPv4Interface and ipaddress.IPv6Interface \ 
construction with tuple arguments. Original patch and tests by louisom.


bpo-47103: Windows PGInstrument builds now copy a required DLL into the output \ 
directory, making it easier to run the profile stage of a PGO build.


bpo-47194: Update zlib to v1.2.12 to resolve CVE-2018-25032.
bpo-46785: Fix race condition between os.stat() and unlinking a file on Windows, \ 
by using errors codes returned by FindFirstFileW() when appropriate in \ 
bpo-40859: Update Windows build to use xz-5.2.5


gh-91583: Fix regression in the code generated by Argument Clinic for functions \ 
with the defining_class parameter.
   2022-04-22 16:25:35 by Sijmen J. Mulder | Files touched by this commit (2)
Log message:
lang/python39: Fix build on OpenBSD
   2022-04-03 12:51:19 by Taylor R Campbell | Files touched by this commit (4)
Log message:
lang/python39: Make it cross-compile.