2022-10-12 10:37:14 by Adam Ciarcinski | Files touched by this commit (4) | |
Log message:
python39 py39-html-docs: updated to 3.9.15
Python 3.9.15
Security
gh-97616: Fix multiplying a list by an integer (list *= int): detect the integer \
overflow when the new allocated length is close to the maximum size. Issue \
reported by Jordan Limor. Patch by Victor Stinner.
gh-97612: Fix a shell code injection vulnerability in the \
get-remote-certificate.py example script. The script no longer uses a shell to \
run openssl commands. Issue reported and initial fix by Caleb Shortt. Patch by \
Victor Stinner.
Core and Builtins
gh-96848: Fix command line parsing: reject -X int_max_str_digits option with no \
value (invalid) when the PYTHONINTMAXSTRDIGITS environment variable is set to a \
valid limit. Patch by Victor Stinner.
gh-95778: When ValueError is raised if an integer is larger than the limit, \
mention the sys.set_int_max_str_digits() function in the error message. Patch by \
Victor Stinner.
Library
gh-97005: Update bundled libexpat to 2.4.9
Windows
gh-96577: Fixes a potential buffer overrun in msilib.
macOS
gh-97897: The macOS 13 SDK includes support for the mkfifoat and mknodat system \
calls. Using the dir_fd option with either os.mkfifo() or os.mknod() could \
result in a segfault if cpython is built with the macOS 13 SDK but run on an \
earlier version of macOS. Prevent this by adding runtime support for detection \
of these system calls (“weaklinking”) as is done for other newer syscalls on \
macOS.
|
2022-09-07 17:33:20 by Adam Ciarcinski | Files touched by this commit (6) | |
Log message:
python39 py39-html-docs: updated to 3.9.14
Python 3.9.14
Security
gh-95778: Converting between int and str in bases other than 2 (binary), 4, 8 \
(octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now raises a \
ValueError if the number of digits in string form is above a limit to avoid \
potential denial of service attacks due to the algorithmic complexity. This is a \
mitigation for CVE-2020-10735.
This new limit can be configured or disabled by environment variable, command \
line flag, or sys APIs. See the integer string conversion length limitation \
documentation. The default limit is 4300 digits in string form.
Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with feedback \
from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and Mark Dickinson.
gh-87389: http.server: Fix an open redirection vulnerability in the HTTP server \
when a URI path starts with //. Vulnerability discovered, and initial fix \
proposed, by Hamza Avvan.
Core and Builtins
gh-93065: Fix contextvars HAMT implementation to handle iteration over deep trees.
The bug was discovered and fixed by Eli Libman. See MagicStack/immutables#84 for \
more details.
Library
gh-94821: Fix binding of unix socket to empty address on Linux to use an \
available address from the abstract namespace, instead of “0”.
gh-91810: Suppress writing an XML declaration in open files in \
ElementTree.write() with encoding='unicode' and xml_declaration=None.
bpo-45393: Fix the formatting for await x and not x in the operator precedence \
table when using the help() system.
bpo-46197: Fix ensurepip environment isolation for subprocess running pip.
Tests
gh-95280: Fix problem with test_ssl test_get_ciphers on systems that require \
perfect forward secrecy (PFS) ciphers.
gh-94208: test_ssl is now checking for supported TLS version and protocols in \
more tests.
bpo-47016: Create a GitHub Actions workflow for verifying bundled pip and \
setuptools. Patch by Illia Volochii and Adam Turner.
|
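Added example (not part of the commit message or of CPython's own code): how the gh-95778 digit limit from the 3.9.14 notes above behaves at runtime, and how to cap untrusted decimal input explicitly on interpreters that predate the fix. The helper names are illustrative; sys.get_int_max_str_digits() and sys.set_int_max_str_digits() exist only on patched interpreters, so the code checks for them first.

```python
import sys
from contextlib import contextmanager

DEFAULT_LIMIT = 4300  # default quoted in the 3.9.14 release notes
HAS_LIMIT_API = hasattr(sys, "set_int_max_str_digits")  # False on unpatched builds


@contextmanager
def int_digit_limit(limit):
    """Temporarily set the limit (0 disables it); a no-op on unpatched builds.

    The setting is interpreter-wide, so other threads see it while it is active.
    """
    if not HAS_LIMIT_API:
        yield
        return
    previous = sys.get_int_max_str_digits()
    sys.set_int_max_str_digits(limit)
    try:
        yield
    finally:
        sys.set_int_max_str_digits(previous)


def parse_untrusted_int(text, max_digits=DEFAULT_LIMIT):
    """Parse a decimal integer from untrusted input with an explicit digit cap.

    The length check runs before int(), so the quadratic conversion is never
    started, whether or not the interpreter carries the mitigation.
    """
    digits = text.strip().lstrip("+-").replace("_", "")
    if len(digits) > max_digits:
        raise ValueError(
            f"integer literal has {len(digits)} digits, limit is {max_digits}"
        )
    return int(text)


def render_trusted(number):
    """Convert a trusted, known-large int to decimal with the limit lifted."""
    with int_digit_limit(0):
        return str(number)


def probe_interpreter():
    """Report which conversions this interpreter refuses at the default limit."""
    big = 10 ** 5000  # constructed sample value with 5001 decimal digits
    conversions = (
        ("str_decimal", lambda: str(big)),             # int -> base 10: limited
        ("int_decimal", lambda: int("9" * 5000)),      # base 10 -> int: limited
        ("hex_out", lambda: hex(big)),                 # power-of-two base: not limited
        ("int_base16", lambda: int("f" * 5000, 16)),   # power-of-two base: not limited
    )
    results = {}
    with int_digit_limit(DEFAULT_LIMIT):
        for name, convert in conversions:
            try:
                convert()
                results[name] = "allowed"
            except ValueError:
                results[name] = "refused"
    return results


if __name__ == "__main__":
    print("limit API present:", HAS_LIMIT_API)
    for name, outcome in probe_interpreter().items():
        print(f"{name}: {outcome}")
```

On an interpreter without the mitigation every probe reports "allowed", which is a quick way to spot a runtime that still needs the update.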
2022-07-07 17:26:43 by Pierre Pronchery | Files touched by this commit (4) |
Log message:
python{39,310}: fix the build when the work directory is in $PREFIX
As documented in pkg/56774, when WRKOBJDIR is in LOCALBASE (eg set to
${LOCALBASE}/work) then changes done to Python's setup.py made it
unable to locate its own built-in modules, then failing to bootstrap and
build.
As suggested by tnn@; tested on NetBSD/amd64.
XXX pull-up to pkgsrc-2022Q2
|
2022-06-30 13:19:02 by Nia Alarie | Files touched by this commit (524) |
Log message:
*: Revbump packages that use Python at runtime without a PKGNAME prefix
|
2022-05-18 10:07:32 by Adam Ciarcinski | Files touched by this commit (5) | |
Log message:
python39 py39-html-docs: updated to 3.9.13
Python 3.9.13
Core and Builtins
gh-92311: Fixed a bug where setting frame.f_lineno to jump over a list \
comprehension could misbehave or crash.
gh-92112: Fix crash triggered by an evil custom mro() on a metaclass.
gh-92036: Fix a crash in subinterpreters related to the garbage collector. When \
a subinterpreter is deleted, untrack all objects tracked by its GC. To prevent a \
crash in deallocator functions expecting objects to be tracked by the GC, leak a \
strong reference to these objects on purpose, so they are never deleted and \
their deallocator functions are not called. Patch by Victor Stinner.
gh-91421: Fix a potential integer overflow in _Py_DecodeUTF8Ex.
bpo-46775: Some Windows system error codes (>= 10000) are now mapped into the \
correct errno and may now raise a subclass of OSError. Patch by Dong-hee Na.
bpo-46962: Classes and functions that unconditionally declared their docstrings \
ignoring the --without-doc-strings compilation flag no longer do so.
The classes affected are pickle.PickleBuffer, testcapi.RecursingInfinitelyError, \
and types.GenericAlias.
The functions affected are 24 methods in ctypes.
Patch by Oleg Iarygin.
bpo-36819: Fix crashes in built-in encoders with error handlers that return \
position less than or equal to the starting position of non-encodable characters.
Library
gh-91581: utcfromtimestamp() no longer attempts to resolve fold in the pure \
Python implementation, since the fold is never 1 in UTC. In addition to being \
slightly faster in the common case, this also prevents some errors when the \
timestamp is close to datetime.min. Patch by Paul Ganssle.
gh-92530: Fix an issue that occurred after interrupting threading.Condition.notify().
gh-92049: Forbid pickling constants re._constants.SUCCESS etc. Previously, \
pickling did not fail, but the result could not be unpickled.
bpo-47029: Always close the read end of the pipe used by multiprocessing.Queue \
after the last write of buffered data to the write end of the pipe to avoid \
BrokenPipeError at garbage collection and at multiprocessing.Queue.close() \
calls. Patch by Géry Ogam.
gh-91910: Add missing f prefix to f-strings in error messages from the \
multiprocessing and asyncio modules.
gh-91810: ElementTree method write() and function tostring() now use the text \
file’s encoding (“UTF-8” if not available) instead of locale encoding in \
XML declaration when encoding="unicode" is specified.
gh-91832: Add required attribute to argparse.Action repr output.
gh-91734: Fix OSS audio support on Solaris.
gh-91700: Compilation of regular expression containing a conditional expression \
(?(group)...) now raises an appropriate re.error if the group number refers to \
an undefined group. Previously an internal RuntimeError was raised.
gh-91676: Fix unittest.IsolatedAsyncioTestCase to shutdown the per test event \
loop executor before returning from its run method so that a not yet stopped or \
garbage collected executor state does not persist beyond the test.
gh-90568: Parsing \N escapes of Unicode Named Character Sequences in a regular \
expression now raises re.error instead of TypeError.
gh-91595: Fix the comparison of character and integer inside \
Tools.gdb.libpython.write_repr(). Patch by Yu Liu.
gh-90622: Worker processes for concurrent.futures.ProcessPoolExecutor are no \
longer spawned on demand (a feature added in 3.9) when the multiprocessing \
context start method is "fork" as that can lead to deadlocks in the \
child processes due to a fork happening while threads are running.
gh-91575: Update case-insensitive matching in the re module to the latest \
Unicode version.
gh-91581: Remove an unhandled error case in the C implementation of calls to \
datetime.fromtimestamp with no time zone (i.e. getting a local time from an \
epoch timestamp). This should have no user-facing effect other than giving a \
possibly more accurate error message when called with timestamps that fall on \
10000-01-01 in the local time. Patch by Paul Ganssle.
bpo-34480: Fix a bug where _markupbase raised an UnboundLocalError when an \
invalid keyword was found in a marked section. Patch by Marek Suscak.
bpo-27929: Fix asyncio.loop.sock_connect() to only resolve names for \
socket.AF_INET or socket.AF_INET6 families. Resolution may not make sense for \
other families, like socket.AF_BLUETOOTH and socket.AF_UNIX.
bpo-43323: Fix errors in the email module if the charset itself contains \
undecodable/unencodable characters.
bpo-46787: Fix concurrent.futures.ProcessPoolExecutor exception memory leak
bpo-46415: Fix ipaddress.ip_{address,interface,network} raising TypeError \
instead of ValueError if given invalid tuple as address parameter.
bpo-44911: IsolatedAsyncioTestCase will no longer throw an exception while \
cancelling leaked tasks. Patch by Bar Harel.
bpo-44493: Add missing terminated NUL in sockaddr_un’s length
This was potentially observable when using non-abstract AF_UNIX datagram sockets \
to processes written in another programming language.
bpo-42627: Fix incorrect parsing of Windows registry proxy settings
bpo-36073: Raise ProgrammingError instead of segfaulting on recursive usage of \
cursors in sqlite3 converters. Patch by Sergey Fedoseev.
Documentation
gh-91888: Add a new gh role to the documentation to link to GitHub issues.
gh-91783: Document security issues concerning the use of the function \
shutil.unpack_archive()
gh-91547: Remove “Undocumented modules” page.
bpo-44347: Clarify the meaning of dirs_exist_ok, a kwarg of shutil.copytree().
bpo-38668: Update the introduction to documentation for os.path to remove \
warnings that became irrelevant after the implementations of PEP 383 and PEP \
529.
bpo-47138: Pin Jinja to a version compatible with Sphinx version 2.4.4.
bpo-46962: All docstrings in code snippets are now wrapped into PyDoc_STR() to \
follow the guideline of PEP 7’s Documentation Strings paragraph. Patch by Oleg \
Iarygin.
bpo-26792: Improve the docstrings of runpy.run_module() and runpy.run_path(). \
Original patch by Andrew Brezovsky.
bpo-45790: Adjust inaccurate phrasing in Defining Extension Types: Tutorial \
about the ob_base field and the macros used to access its contents.
bpo-42340: Document that in some circumstances KeyboardInterrupt may cause the \
code to enter an inconsistent state. Provided a sample workaround to avoid it if \
needed.
bpo-41233: Link the errnos referenced in Doc/library/exceptions.rst to their \
respective section in Doc/library/errno.rst, and vice versa. Previously this was \
only done for EINTR and InterruptedError. Patch by Yan “yyyyyyyan” Orestes.
bpo-38056: Overhaul the Error Handlers documentation in codecs.
bpo-13553: Document tkinter.Tk args.
Tests
gh-91607: Fix test_concurrent_futures to test the correct multiprocessing start \
method context in several cases where the test logic mixed this up.
bpo-47205: Skip test for sched_getaffinity() and sched_setaffinity() error case \
on FreeBSD.
bpo-29890: Add tests for ipaddress.IPv4Interface and ipaddress.IPv6Interface \
construction with tuple arguments. Original patch and tests by louisom.
Build
bpo-47103: Windows PGInstrument builds now copy a required DLL into the output \
directory, making it easier to run the profile stage of a PGO build.
Windows
bpo-47194: Update zlib to v1.2.12 to resolve CVE-2018-25032.
bpo-46785: Fix race condition between os.stat() and unlinking a file on Windows, \
by using errors codes returned by FindFirstFileW() when appropriate in \
win32_xstat_impl.
bpo-40859: Update Windows build to use xz-5.2.5
Tools/Demos
gh-91583: Fix regression in the code generated by Argument Clinic for functions \
with the defining_class parameter.
|
2022-04-22 16:25:35 by Sijmen J. Mulder | Files touched by this commit (2) |
Log message:
lang/python39: Fix build on OpenBSD
|
2022-04-03 12:51:19 by Taylor R Campbell | Files touched by this commit (4) |
Log message:
lang/python39: Make it cross-compile.
|
2022-03-25 18:54:37 by Adam Ciarcinski | Files touched by this commit (5) | |
Log message:
python39 py39-html-docs: updated to 3.9.12
Python 3.9.12 final
Core and Builtins
bpo-46968: Check for the existence of the “sys/auxv.h” header in \
faulthandler to avoid compilation problems in systems where this header \
doesn’t exist. Patch by Pablo Galindo
Library
bpo-47101: hashlib.algorithms_available now lists only algorithms that are \
provided by activated crypto providers on OpenSSL 3.0. Legacy algorithms are not \
listed unless the legacy provider has been loaded into the default OSSL context.
bpo-23691: Protect the re.finditer() iterator from re-entering.
bpo-42369: Fix thread safety of zipfile._SharedFile.tell() to avoid a \
“zipfile.BadZipFile: Bad CRC-32 for file” exception when reading a ZipFile \
from multiple threads.
bpo-38256: Fix binascii.crc32() when it is compiled to use zlib’s crc32 to \
work properly on inputs 4+GiB in length instead of returning the wrong result. \
The workaround prior to this was to always feed the function data in increments \
smaller than 4GiB or to just call the zlib module function.
bpo-39394: A warning about inline flags not at the start of the regular \
expression now contains the position of the flag.
bpo-47061: Deprecate the various modules listed by PEP 594:
aifc, asynchat, asyncore, audioop, cgi, cgitb, chunk, crypt, imghdr, msilib, \
nntplib, nis, ossaudiodev, pipes, smtpd, sndhdr, spwd, sunau, telnetlib, uu, \
xdrlib
bpo-2604: Fix bug where doctests using globals would fail when run multiple times.
bpo-45997: Fix asyncio.Semaphore re-acquiring FIFO order.
bpo-47022: The asynchat, asyncore and smtpd modules have been deprecated since \
at least Python 3.6. Their documentation has now been updated to note they will \
be removed in Python 3.12 (PEP 594).
bpo-46421: Fix a unittest issue where if the command was invoked as python -m \
unittest and the filename(s) began with a dot (.), a ValueError is returned.
bpo-40296: Fix supporting generic aliases in pydoc.
bpo-14156: argparse.FileType now supports an argument of ‘-’ in binary mode, \
returning the .buffer attribute of sys.stdin/sys.stdout as appropriate. Modes \
including ‘x’ and ‘a’ are treated equivalently to ‘w’ when argument \
is ‘-’. Patch contributed by Josh Rosenberg
|
2022-03-19 19:58:24 by Adam Ciarcinski | Files touched by this commit (6) | |
Log message:
python39 py39-html-docs: updated to 3.9.11
Python 3.9.11 final
Core and Builtins
bpo-46852: Rename the private undocumented float.__set_format__() method to \
float.__setformat__() to fix a typo introduced in Python 3.7. The method is only \
used by test_float. Patch by Victor Stinner.
bpo-46794: Bump up the libexpat version into 2.4.6
bpo-46762: Fix an assert failure in debug builds when a ‘<’, ‘>’, \
or ‘=’ is the last character in an f-string that’s missing a closing right \
brace.
bpo-46732: Correct the docstring for the __bool__() method. Patch by Jelle Zijlstra.
bpo-40479: Add a missing call to va_end() in Modules/_hashopenssl.c.
bpo-46615: When iterating over sets internally in setobject.c, acquire strong \
references to the resulting items from the set. This prevents crashes in \
corner-cases of various set operations where the set gets mutated.
bpo-43721: Fix docstrings of getter, setter, and deleter to clarify that they \
create a new copy of the property.
bpo-46503: Fix an assert when parsing some invalid \N escape sequences in f-strings.
bpo-46417: Fix a race condition on setting a type __bases__ attribute: the \
internal function add_subclass() now gets the PyTypeObject.tp_subclasses member \
after calling PyWeakref_NewRef() which can trigger a garbage collection which \
can indirectly modify PyTypeObject.tp_subclasses. Patch by Victor Stinner.
bpo-46383: Fix invalid signature of _zoneinfo’s module_free function to \
resolve a crash on wasm32-emscripten platform.
Library
bpo-43253: Fix a crash when closing transports where the underlying socket \
handle is already invalid on the Proactor event loop.
bpo-47004: Apply bugfixes from importlib_metadata 4.11.3, including bugfix for \
EntryPoint.extras, which was returning match objects and not the extras strings.
bpo-46985: Upgrade pip wheel bundled with ensurepip (pip 22.0.4)
bpo-46968: faulthandler: On Linux 5.14 and newer, dynamically determine size of \
signal handler stack size CPython allocates using getauxval(AT_MINSIGSTKSZ). \
This change allows for Python extension’s request to Linux kernel to use \
AMX_TILE instruction set on Sapphire Rapids Xeon processor to succeed, \
unblocking use of the ISA in frameworks.
bpo-46955: Expose asyncio.base_events.Server as asyncio.Server. Patch by Stefan \
Zabka.
bpo-46932: Update bundled libexpat to 2.4.7
bpo-25707: Fixed a file leak in xml.etree.ElementTree.iterparse() when the \
iterator is not exhausted. Patch by Jacob Walls.
bpo-44886: Inherit asyncio proactor datagram transport from \
asyncio.DatagramTransport.
bpo-46827: Support UDP sockets in asyncio.loop.sock_connect() for selector-based \
event loops. Patch by Thomas Grainger.
bpo-46811: Make test suite support Expat >=2.4.5
bpo-46252: Raise TypeError if ssl.SSLSocket is passed to transport-based APIs.
bpo-46784: Fix libexpat symbols collisions with user dynamically loaded or \
statically linked libexpat in embedded Python.
bpo-39327: shutil.rmtree() can now work with VirtualBox shared folders when \
running from the guest operating-system.
bpo-46756: Fix a bug in urllib.request.HTTPPasswordMgr.find_user_password() and \
urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which allowed \
bypassing authorization. For example, access to URI example.org/foobar was allowed \
if the user was authorized for URI example.org/foo.
bpo-45863: When the tarfile module creates a pax format archive, it will put an \
integer representation of timestamps in the ustar header (if possible) for the \
benefit of older unarchivers, in addition to the existing full-precision \
timestamps in the pax extended header.
bpo-46672: Fix NameError in asyncio.gather() when initial type check fails.
bpo-45948: Fixed a discrepancy in the C implementation of the \
xml.etree.ElementTree module. Now, instantiating an \
xml.etree.ElementTree.XMLParser with a target=None keyword provides a default \
xml.etree.ElementTree.TreeBuilder target as the Python implementation does.
bpo-46591: Make the IDLE doc URL on the About IDLE dialog clickable.
bpo-46400: expat: Update libexpat from 2.4.1 to 2.4.4
bpo-46487: Add the get_write_buffer_limits method to \
asyncio.transports.WriteTransport and to the SSL transport.
bpo-46539: In typing.get_type_hints(), support evaluating stringified ClassVar \
and Final annotations inside Annotated. Patch by Gregory Beauregard.
bpo-46491: Allow typing.Annotated to wrap typing.Final and typing.ClassVar. \
Patch by Gregory Beauregard.
bpo-46436: Fix command-line option -d/--directory in module http.server which is \
ignored when combined with command-line option --cgi. Patch by Géry Ogam.
bpo-41403: Make mock.patch() raise a TypeError with a relevant error message on \
invalid arg. Previously it allowed a cryptic AttributeError to escape.
bpo-46474: In importlib.metadata.EntryPoint.pattern, avoid potential REDoS by \
limiting ambiguity in consecutive whitespace.
bpo-46469: asyncio generic classes now return types.GenericAlias in \
__class_getitem__ instead of the same class.
bpo-46434: pdb now gracefully handles help when __doc__ is missing, for example \
when run with pregenerated optimized .pyc files.
bpo-46333: The __eq__() and __hash__() methods of typing.ForwardRef now honor \
the module parameter of typing.ForwardRef. Forward references from different \
modules are now differentiated.
bpo-43118: Fix a bug in inspect.signature() that was causing it to fail on some \
subclasses of classes with a __text_signature__ referencing module globals. \
Patch by Weipeng Hong.
bpo-21987: Fix an issue with tarfile.TarFile.getmember() getting a directory \
name with a trailing slash.
bpo-20392: Fix inconsistency with uppercase file extensions in \
MimeTypes.guess_type(). Patch by Kumar Aditya.
bpo-46080: Fix exception in argparse help text generation if an \
argparse.BooleanOptionalAction argument’s default is argparse.SUPPRESS and it \
has help specified. Patch by Felix Fontein.
bpo-44439: Fix .write() method of a member file in ZipFile, when the input data \
is an object that supports the buffer protocol, the file length may be wrong.
bpo-45703: When a namespace package is imported before another module from the \
same namespace is created/installed in a different sys.path location while the \
program is running, calling the importlib.invalidate_caches() function will now \
also guarantee the new module is noticed.
bpo-24959: Fix bug where unittest sometimes drops frames from tracebacks of \
exceptions raised in tests.
Documentation
bpo-46463: Fixes escape4chm.py script used when building the CHM documentation file
Tests
bpo-46913: Fix test_faulthandler.test_sigfpe() if Python is built with undefined \
behavior sanitizer (UBSAN): disable UBSAN on the faulthandler_sigfpe() function. \
Patch by Victor Stinner.
bpo-46708: Prevent default asyncio event loop policy modification warning after \
test_asyncio execution.
bpo-46616: Ensures test_importlib.test_windows cleans up registry keys after \
completion.
bpo-44359: test_ftplib now silently ignores socket errors to prevent logging \
unhandled threading exceptions. Patch by Victor Stinner.
bpo-46542: Fix a Python crash in test_lib2to3 when using Python built in debug \
mode: limit the recursion limit. Patch by Victor Stinner.
bpo-46576: test_peg_generator now disables compiler optimization when testing \
compilation of its own C extensions to significantly speed up the testing on \
non-debug builds of CPython.
bpo-46542: Fix test_json tests checking for RecursionError: modify these tests \
to use support.infinite_recursion(). Patch by Victor Stinner.
bpo-13886: Skip test_builtin PTY tests on non-ASCII characters if the readline \
module is loaded. The readline module changes input() behavior, but test_builtin \
is not intended to test the readline module. Patch by Victor Stinner.
Build
bpo-47024: Update OpenSSL to 1.1.1n for macOS installers and all Windows builds.
bpo-38472: Fix GCC detection in setup.py when cross-compiling. The C compiler is \
now run with LC_ALL=C. Previously, the detection failed with a German locale.
bpo-46513: configure no longer uses AC_C_CHAR_UNSIGNED macro and pyconfig.h no \
longer defines reserved symbol __CHAR_UNSIGNED__.
bpo-45925: Update Windows installer to use SQLite 3.37.2.
bpo-47032: Ensure Windows install builds fail correctly with a non-zero exit \
code when part of the build fails.
Windows
bpo-44549: Update bzip2 to 1.0.8 in Windows builds to mitigate CVE-2016-3189 and \
CVE-2019-12900
bpo-46948: Prevent CVE-2022-26488 by ensuring the Add to PATH option in the \
Windows installer uses the correct path when being repaired.
bpo-46638: Ensures registry virtualization is consistently disabled. For 3.10 \
and earlier, it remains enabled (some registry writes are protected), while for \
3.11 and later it is disabled (registry modifications affect all applications).
macOS
bpo-45925: Update macOS installer to SQLite 3.37.2.
IDLE
bpo-46630: Make query dialogs on Windows start with a cursor in the entry box.
bpo-45296: Clarify close, quit, and exit in IDLE. In the File menu, ‘Close’ \
and ‘Exit’ are now ‘Close Window’ (the current one) and ‘Exit’ is \
now ‘Exit IDLE’ (by closing all windows). In Shell, ‘quit()’ and \
‘exit()’ mean ‘close Shell’. If there are no other windows, this also \
exits IDLE.
bpo-45447: Apply IDLE syntax highlighting to pyi files. Patch by Alex Waygood \
and Terry Jan Reedy.
|
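Added example (not part of the commit message or of CPython's own code): the bpo-46756 entry in the 3.9.11 notes above says access to example.org/foobar was allowed when the user was authorized for example.org/foo. The sketch contrasts a character-prefix comparison with a segment-aware one and asks the running interpreter's urllib.request.HTTPPasswordMgr what it does; the helper names and the http:// URLs are constructed for illustration, and split_uri assumes absolute URIs without explicit ports.

```python
from urllib.parse import urlsplit
from urllib.request import HTTPPasswordMgr


def split_uri(uri):
    """Return (authority, path) for an absolute URI; an empty path becomes '/'."""
    parts = urlsplit(uri)
    return parts.netloc.lower(), parts.path or "/"


def is_suburi_char_prefix(base, test):
    """Flawed check: compares raw characters, so '/foo' also covers '/foobar'."""
    base_auth, base_path = split_uri(base)
    test_auth, test_path = split_uri(test)
    return base_auth == test_auth and test_path.startswith(base_path)


def is_suburi_segment(base, test):
    """Segment-aware check: the protected path must end on a '/' boundary."""
    base_auth, base_path = split_uri(base)
    test_auth, test_path = split_uri(test)
    if base_auth != test_auth:
        return False
    if base_path == test_path:
        return True
    prefix = base_path if base_path.endswith("/") else base_path + "/"
    return test_path.startswith(prefix)


def stdlib_offers_credentials(protected, requested):
    """True if HTTPPasswordMgr returns the credentials stored for `protected`
    when asked about `requested` (runs against the interpreter in use)."""
    mgr = HTTPPasswordMgr()
    mgr.add_password("realm", protected, "user", "secret")  # constructed values
    return mgr.find_user_password("realm", requested) != (None, None)


def compare(protected, requested):
    """Run all three checks on one pair of URIs."""
    return {
        "char_prefix": is_suburi_char_prefix(protected, requested),
        "segment": is_suburi_segment(protected, requested),
        "stdlib": stdlib_offers_credentials(protected, requested),
    }


if __name__ == "__main__":
    protected = "http://example.org/foo"
    for requested in (
        "http://example.org/foo",
        "http://example.org/foo/bar",
        "http://example.org/foobar",   # the sibling path named in the release note
        "http://example.net/foo",      # different authority
    ):
        print(requested, compare(protected, requested))
```

If the "stdlib" column reports True for the /foobar row, the interpreter still has the pre-3.9.11 matching behaviour.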
2022-01-27 22:33:42 by Amitai Schleier | Files touched by this commit (4) |
Log message:
According to the noted issue, the compiler to avoid is llvm-gcc-4.2,
which means 11.x and 12.x according to mk/platform/Darwin.mk. On 10.x
(i386 Snow Leopard Server, at least), no problem with the system gcc.
Adjust the scope of the workaround to match.
|