Log message:
python310 py310-html-docs: updated to 3.10.14

Python 3.10.14

Security

gh-115398: Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425) \ 
by adding five new methods:
xml.etree.ElementTree.XMLParser.flush()
xml.etree.ElementTree.XMLPullParser.flush()
xml.parsers.expat.xmlparser.GetReparseDeferralEnabled()
xml.parsers.expat.xmlparser.SetReparseDeferralEnabled()
xml.sax.expatreader.ExpatParser.flush()
gh-115399: Update bundled libexpat to 2.6.0
gh-114572: ssl.SSLContext.cert_store_stats() and ssl.SSLContext.get_ca_certs() \ 
now correctly lock access to the certificate store, when the ssl.SSLContext is \ 
shared across multiple threads.
gh-113659: Skip .pth files with names starting with a dot or hidden file attribute.

Core and Builtins

gh-102388: Fix a bug where iso2022_jp_3 and iso2022_jp_2004 codecs read out of bounds

Library

gh-115197: urllib.request no longer resolves the hostname before checking it \ 
against the system’s proxy bypass list on macOS and Windows.
gh-115133: Fix tests for XMLPullParser with Expat 2.6.0.
gh-81194: Fix a crash in socket.if_indextoname() with specific value (UINT_MAX). \ 
Fix an integer overflow in socket.if_indextoname() on 64-bit non-Windows \ 
platforms.
gh-109858: Protect zipfile from “quoted-overlap” zipbomb. It now raises \ 
BadZipFile when try to read an entry that overlaps with other entry or central \ 
directory.
gh-91133: Fix a bug in tempfile.TemporaryDirectory cleanup, which now no longer \ 
dereferences symlinks when working around file system permission errors.

Documentation

gh-115399: Document CVE-2023-52425 of Expat <2.6.0 under “XML \ 
vulnerabilities”.

Windows

gh-111239: Update Windows builds to use zlib v1.3.1.
gh-109991: Windows builds now use OpenSSL 1.1.1w. Note that OpenSSL 1.1 has \ 
reached its end of life and no future fixes will be made, and this version of \ 
Python is no longer receiving maintenance fixes and will not be updated to \ 
OpenSSL 3.0.

Tools/Demos

gh-109991: Update GitHub CI workflows to use OpenSSL 3.0.11 and multissltests to \ 
use 1.1.1w, 3.0.11, and 3.1.3.

Log message:
python310 py310-html-docs: updated to 3.10.13

Python 3.10.13

Security

gh-108310: Fixed an issue where instances of ssl.SSLSocket were vulnerable to a \ 
bypass of the TLS handshake and included protections (like certificate \ 
verification) and treating sent unencrypted data as if it were post-handshake \ 
TLS encrypted data. Security issue reported as CVE-2023-40217 by Aapo Oksman. \ 
Patch by Gregory P. Smith.

Library

gh-107845: tarfile.data_filter() now takes the location of symlinks into account \ 
when determining their target, so it will no longer reject some valid tarballs \ 
with LinkOutsideDestinationError.

Tools/Demos

gh-107565: Update multissltests and GitHub CI workflows to use OpenSSL 1.1.1v, \ 
3.0.10, and 3.1.2.

C API

gh-99612: Fix PyUnicode_DecodeUTF8Stateful() for ASCII-only data: *consumed was \ 
not set.

Log message:
python310 py310-html-docs: updated to 3.10.12

Python 3.10.12

Security
gh-103142: The version of OpenSSL used in our binary builds has been upgraded to \ 
1.1.1u to address several CVEs.
gh-99889: Fixed a security in flaw in uu.decode() that could allow for directory \ 
traversal based on the input if no out_file was specified.
gh-104049: Do not expose the local on-disk location in directory indexes \ 
produced by http.client.SimpleHTTPRequestHandler.
gh-102153: urllib.parse.urlsplit() now strips leading C0 control and space \ 
characters following the specification for URLs defined by WHATWG in response to \ 
CVE-2023-24329. Patch by Illia Volochii.

Library
gh-103935: Use io.open_code() for files to be executed instead of raw open()
gh-102953: The extraction methods in tarfile, and shutil.unpack_archive(), have \ 
a new a filter argument that allows limiting tar features than may be surprising \ 
or dangerous, such as creating files outside the destination directory. See \ 
Extraction filters for details.

Documentation
gh-89412: Add missing documentation for the end_lineno and end_offset attributes \ 
of the traceback.TracebackException class.

Build
gh-103262: Fixes Windows installer build to work with latest compilers.

Log message:
python310 py310-html-docs: updated to 3.10.11

Python 3.10.11

Security

gh-101727: Updated the OpenSSL version used in Windows and macOS binary release \ 
builds to 1.1.1t to address CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303 per \ 
the OpenSSL 2023-02-07 security advisory.
gh-101283: subprocess.Popen now uses a safer approach to find cmd.exe when \ 
launching with shell=True. Patch by Eryk Sun, based on a patch by Oleg Iarygin.

Core and Builtins

gh-102416: Do not memoize incorrectly automatically generated loop rules in the \ 
parser. Patch by Pablo Galindo.
gh-102356: Fix a bug that caused a crash when deallocating deeply nested filter \ 
objects. Patch by Marta Gómez Macías.
gh-102397: Fix segfault from race condition in signal handling during garbage \ 
collection. Patch by Kumar Aditya.
gh-102126: Fix deadlock at shutdown when clearing thread states if any finalizer \ 
tries to acquire the runtime head lock. Patch by Kumar Aditya.
gh-102027: Fix SSE2 and SSE3 detection in _blake2 internal module. Patch by Max \ 
Bachmann.
gh-101967: Fix possible segfault in positional_only_passed_as_keyword function, \ 
when new list created.
gh-101765: Fix SystemError / segmentation fault in iter __reduce__ when internal \ 
access of builtins.__dict__ keys mutates the iter object.

Library

gh-102947: Improve traceback when dataclasses.fields() is called on a \ 
non-dataclass. Patch by Alex Waygood
gh-101979: Fix a bug where parentheses in the metavar argument to \ 
argparse.ArgumentParser.add_argument() were dropped. Patch by Yeojin Kim.
gh-102179: Fix os.dup2() error message for negative fds.
gh-101961: For the binary mode, fileinput.hookcompressed() doesn’t set the \ 
encoding value even if the value is None. Patch by Gihwan Kim.
gh-101936: The default value of fp becomes io.BytesIO if HTTPError is \ 
initialized without a designated fp parameter. Patch by Long Vo.
gh-101566: In zipfile, apply fix for extractall on the underlying zipfile after \ 
being wrapped in Path.
gh-101997: Upgrade pip wheel bundled with ensurepip (pip 23.0.1)
gh-101892: Callable iterators no longer raise SystemError when the callable \ 
object exhausts the iterator but forgets to either return a sentinel value or \ 
raise StopIteration.
gh-97786: Fix potential undefined behaviour in corner cases of \ 
floating-point-to-time conversions.
gh-101517: Fixed bug where bdb looks up the source line with linecache with a \ 
lineno=None, which causes it to fail with an unhandled exception.
gh-101673: Fix a pdb bug where ll clears the changes to local variables.
gh-96931: Fix incorrect results from ssl.SSLSocket.shared_ciphers()
gh-88233: Correctly preserve “extra” fields in zipfile regardless of their \ 
ordering relative to a zip64 “extra.”
gh-95495: When built against OpenSSL 3.0, the ssl module had a bug where it \ 
reported unauthenticated EOFs (i.e. without close_notify) as a clean TLS-level \ 
EOF. It now raises SSLEOFError, matching the behavior in previous versions of \ 
OpenSSL. The options attribute on SSLContext also no longer includes \ 
OP_IGNORE_UNEXPECTED_EOF by default. This option may be set to specify the \ 
previous OpenSSL 3.0 behavior.
gh-94440: Fix a concurrent.futures.process bug where ProcessPoolExecutor \ 
shutdown could hang after a future has been quickly submitted and canceled.

Documentation

gh-103112: Add docstring to http.client.HTTPResponse.read() to fix pydoc output.
gh-85417: Update cmath documentation to clarify behaviour on branch cuts.
gh-97725: Fix asyncio.Task.print_stack() description for file=None. Patch by \ 
Oleg Iarygin.

Tests

gh-102980: Improve test coverage on pdb.
gh-102537: Adjust the error handling strategy in \ 
test_zoneinfo.TzPathTest.python_tzpath_context. Patch by Paul Ganssle.
gh-101377: Improved test_locale_calendar_formatweekday of calendar.

Build

gh-102711: Fix -Wstrict-prototypes compiler warnings.

Windows

gh-101759: Update Windows installer to SQLite 3.40.1.
gh-101614: Correctly handle extensions built against debug binaries that \ 
reference python3_d.dll.

macOS

gh-103207: Add instructions to the macOS installer welcome display on how to \ 
workaround the macOS 13 Ventura “The installer encountered an error” \ 
failure.
gh-101759: Update macOS installer to SQLite 3.40.1.
gh-87235: On macOS python3 /dev/fd/9 9</path/to/script.py failed for any \ 
script longer than a couple of bytes.

Log message:
python310 py310-html-docs: updated to 3.10.9

Python 3.10.9 final

Security

gh-100001: python -m http.server no longer allows terminal control characters \ 
sent within a garbage request to be printed to the stderr server log.

This is done by changing the http.server BaseHTTPRequestHandler .log_message \ 
method to replace control characters with a \xHH hex escape before printing.

gh-87604: Avoid publishing list of active per-interpreter audit hooks via the gc \ 
module

gh-98433: The IDNA codec decoder used on DNS hostnames by socket or asyncio \ 
related name resolution functions no longer involves a quadratic algorithm. This \ 
prevents a potential CPU denial of service if an out-of-spec excessive length \ 
hostname involving bidirectional characters were decoded. Some protocols such as \ 
urllib http 3xx redirects potentially allow for an attacker to supply such a \ 
name.

gh-98739: Update bundled libexpat to 2.5.0

gh-98517: Port XKCP’s fix for the buffer overflows in SHA-3 (CVE-2022-37454).

gh-97514: On Linux the multiprocessing module returns to using filesystem backed \ 
unix domain sockets for communication with the forkserver process instead of the \ 
Linux abstract socket namespace. Only code that chooses to use the \ 
“forkserver” start method is affected.

Abstract sockets have no permissions and could allow any user on the system in \ 
the same network namespace (often the whole system) to inject code into the \ 
multiprocessing forkserver process. This was a potential privilege escalation. \ 
Filesystem based socket permissions restrict this to the forkserver process user \ 
as was the default in Python 3.8 and earlier.

This prevents Linux CVE-2022-42919.

Core and Builtins

gh-99578: Fix a reference bug in _imp.create_builtin() after the creation of the \ 
first sub-interpreter for modules builtins and sys. Patch by Victor Stinner.
gh-99581: Fixed a bug that was causing a buffer overflow if the tokenizer copies \ 
a line missing the newline caracter from a file that is as long as the available \ 
tokenizer buffer. Patch by Pablo galindo
gh-96055: Update faulthandler to emit an error message with the proper \ 
unexpected signal number. Patch by Dong-hee Na.
gh-98852: Fix subscription of types.GenericAlias instances containing bare \ 
generic types: for example tuple[A, T][int], where A is a generic type, and T is \ 
a type variable.
gh-98415: Fix detection of MAC addresses for uuid on certain OSs. Patch by Chaim \ 
Sanders
gh-92119: Print exception class name instead of its string representation when \ 
raising errors from ctypes calls.
gh-93696: Allow pdb to locate source for frozen modules in the standard library.
bpo-31718: Raise ValueError instead of SystemError when methods of uninitialized \ 
io.IncrementalNewlineDecoder objects are called. Patch by Oren Milman.
bpo-38031: Fix a possible assertion failure in io.FileIO when the opener returns \ 
an invalid file descriptor.

Library

gh-100001: Also escape s in the http.server BaseHTTPRequestHandler.log_message \ 
so that it is technically possible to parse the line and reconstruct what the \ 
original data was. Without this a xHH is ambiguious as to if it is a hex \ 
replacement we put in or the characters r”x” came through in the original \ 
request line.
gh-93453: asyncio.get_event_loop() now only emits a deprecation warning when a \ 
new event loop was created implicitly. It no longer emits a deprecation warning \ 
if the current event loop was set.
gh-51524: Fix bug when calling trace.CoverageResults with valid infile.
gh-99645: Fix a bug in handling class cleanups in unittest.TestCase. Now \ 
addClassCleanup() uses separate lists for different TestCase subclasses, and \ 
doClassCleanups() only cleans up the particular class.
gh-97001: Release the GIL when calling termios APIs to avoid blocking threads.
gh-99341: Fix ast.increment_lineno() to also cover ast.TypeIgnore when changing \ 
line numbers.
gh-74044: Fixed bug where inspect.signature() reported incorrect arguments for \ 
decorated methods.
gh-99275: Fix SystemError in ctypes when exception was not set during \ 
__initsubclass__.
gh-99155: Fix statistics.NormalDist pickle with 0 and 1 protocols.
gh-99134: Update the bundled copy of pip to version 22.3.1.
gh-99130: Apply bugfixes from importlib_metadata 4.11.4, namely: In \ 
PathDistribution._name_from_stem, avoid including parts of the extension in the \ 
result. In PathDistribution._normalized_name, ensure names loaded from the stem \ 
of the filename are also normalized, ensuring duplicate entry points by packages \ 
varying only by non-normalized name are hidden.
gh-83004: Clean up refleak on failed module initialisation in _zoneinfo
gh-83004: Clean up refleaks on failed module initialisation in in _pickle
gh-83004: Clean up refleak on failed module initialisation in _io.
gh-98897: Fix memory leak in math.dist() when both points don’t have the same \ 
dimension. Patch by Kumar Aditya.
gh-98793: Fix argument typechecks in _overlapped.WSAConnect() and \ 
_overlapped.Overlapped.WSASendTo() functions.
gh-98740: Fix internal error in the re module which in very rare circumstances \ 
prevented compilation of a regular expression containing a conditional \ 
expression without the “else” branch.
gh-98703: Fix asyncio.StreamWriter.drain() to call protocol.connection_lost \ 
callback only once on Windows.
gh-98624: Add a mutex to unittest.mock.NonCallableMock to protect concurrent \ 
access to mock attributes.
gh-89237: Fix hang on Windows in subprocess.wait_closed() in asyncio with \ 
ProactorEventLoop. Patch by Kumar Aditya.
gh-98458: Fix infinite loop in unittest when a self-referencing chained \ 
exception is raised
gh-97928: tkinter.Text.count() raises now an exception for options starting with \ 
“-” instead of silently ignoring them.
gh-97966: On uname_result, restored expectation that _fields and _asdict would \ 
include all six properties including processor.
gh-98331: Update the bundled copies of pip and setuptools to versions 22.3 and \ 
65.5.0 respectively.
gh-96035: Fix bug in urllib.parse.urlparse() that causes certain port numbers \ 
containing whitespace, underscores, plus and minus signs, or non-ASCII digits to \ 
be incorrectly accepted.
gh-98251: Allow venv to pass along PYTHON* variables to ensurepip and pip when \ 
they do not impact path resolution
gh-98178: On macOS, fix a crash in syslog.syslog() in multi-threaded \ 
applications. On macOS, the libc syslog() function is not thread-safe, so \ 
syslog.syslog() no longer releases the GIL to call it. Patch by Victor Stinner.
gh-96151: Allow BUILTINS to be a valid field name for frozen dataclasses.
gh-98086: Make sure patch.dict() can be applied on async functions.
gh-88863: To avoid apparent memory leaks when asyncio.open_connection() raises, \ 
break reference cycles generated by local exception and future instances (which \ 
has exception instance as its member var). Patch by Dong Uk, Kang.
gh-93858: Prevent error when activating venv in nested fish instances.
bpo-46364: Restrict use of sockets instead of pipes for stdin of subprocesses \ 
created by asyncio to AIX platform only.
bpo-38523: shutil.copytree() now applies the ignore_dangling_symlinks argument \ 
recursively.
bpo-36267: Fix IndexError in argparse.ArgumentParser when a store_true action is \ 
given an explicit argument.

Documentation

gh-92892: Document that calling variadic functions with ctypes requires special \ 
care on macOS/arm64 (and possibly other platforms).

Tests

gh-99892: Skip test_normalization() of test_unicodedata if it fails to download \ 
NormalizationTest.txt file from pythontest.net. Patch by Victor Stinner.
bpo-34272: Some C API tests were moved into the new Lib/test/test_capi/ directory.

Build

gh-99086: Fix -Wimplicit-int, -Wstrict-prototypes, and \ 
-Wimplicit-function-declaration compiler warnings in configure checks.
gh-99086: Fix -Wimplicit-int compiler warning in configure check for \ 
PTHREAD_SCOPE_SYSTEM.
gh-97731: Specify the full path to the source location for make docclean (needed \ 
for cross-builds).
gh-98671: Fix NO_MISALIGNED_ACCESSES being not defined for the SHA3 extension \ 
when HAVE_ALIGNED_REQUIRED is set. Allowing builds on hardware that unaligned \ 
memory accesses are not allowed.

Windows

gh-99345: Use faster initialization functions to detect install location for \ 
Windows Store package
gh-98689: Update Windows builds to zlib v1.2.13. v1.2.12 has CVE-2022-37434, but \ 
the vulnerable inflateGetHeader API is not used by Python.
gh-94328: Update Windows installer to use SQLite 3.39.4.
bpo-40882: Fix a memory leak in multiprocessing.shared_memory.SharedMemory on \ 
Windows.

macOS

gh-94328: Update macOS installer to SQLite 3.39.4.

IDLE

gh-97527: Fix a bug in the previous bugfix that caused IDLE to not start when \ 
run with 3.10.8, 3.12.0a1, and at least Microsoft Python 3.10.2288.0 installed \ 
without the Lib/test package. 3.11.0 was never affected.

Tools/Demos

gh-95731: Fix handling of module docstrings in Tools/i18n/pygettext.py.

Log message:
python310 py310-html-docs: updated to 3.10.8

Python 3.10.8

Security

gh-97616: Fix multiplying a list by an integer (list *= int): detect the integer \ 
overflow when the new allocated length is close to the maximum size. Issue \ 
reported by Jordan Limor. Patch by Victor Stinner.
gh-97612: Fix a shell code injection vulnerability in the \ 
get-remote-certificate.py example script. The script no longer uses a shell to \ 
run openssl commands. Issue reported and initial fix by Caleb Shortt. Patch by \ 
Victor Stinner.
gh-68966: The deprecated mailcap module now refuses to inject unsafe text \ 
(filenames, MIME types, parameters) into shell commands. Instead of using such \ 
text, it will warn and act as if a match was not found (or for test commands, as \ 
if the test failed).

Core and Builtins

gh-96078: os.sched_yield() now release the GIL while calling sched_yield(2). \ 
Patch by Dong-hee Na.
gh-97943: Bugfix: PyFunction_GetAnnotations() should return a borrowed \ 
reference. It was returning a new reference.
gh-97591: Fixed a missing incref/decref pair in Exception.__setstate__(). Patch \ 
by Ofey Chan.
gh-96848: Fix command line parsing: reject -X int_max_str_digits option with no \ 
value (invalid) when the PYTHONINTMAXSTRDIGITS environment variable is set to a \ 
valid limit. Patch by Victor Stinner.
gh-95921: Fix overly-broad source position information for chained comparisons \ 
used as branching conditions.
gh-96821: Fix undefined behaviour in _testcapimodule.c.
gh-95778: When ValueError is raised if an integer is larger than the limit, \ 
mention the sys.set_int_max_str_digits() function in the error message. Patch by \ 
Victor Stinner.
gh-96387: At Python exit, sometimes a thread holding the GIL can wait forever \ 
for a thread (usually a daemon thread) which requested to drop the GIL, whereas \ 
the thread already exited. To fix the race condition, the thread which requested \ 
the GIL drop now resets its request before exiting. Issue discovered and \ 
analyzed by Mingliang ZHAO. Patch by Victor Stinner.
gh-96864: Fix a possible assertion failure, fatal error, or SystemError if a \ 
line tracing event raises an exception while opcode tracing is enabled.
gh-96678: Fix undefined behaviour in C code of null pointer arithmetic.
gh-96641: Do not expose KeyWrapper in _functools.
gh-96611: When loading a file with invalid UTF-8 inside a multi-line string, a \ 
correct SyntaxError is emitted.
gh-95196: Disable incorrect pickling of the C implemented classmethod descriptors.
gh-96352: Fix AttributeError missing name and obj attributes in \ 
object.__getattribute__(). Patch by Philip Georgi.
bpo-42316: Document some places where an assignment expression needs parentheses.

Library

gh-87730: Wrap network errors consistently in urllib FTP support, so the test \ 
suite doesn’t fail when a network is available but the public internet is not \ 
reachable.
gh-97825: Fixes AttributeError when subprocess.check_output() is used with \ 
argument input=None and either of the arguments encoding or errors are used.
gh-96827: Avoid spurious tracebacks from asyncio when default executor cleanup \ 
is delayed until after the event loop is closed (e.g. as the result of a \ 
keyboard interrupt).
gh-97592: Avoid a crash in the C version of \ 
asyncio.Future.remove_done_callback() when an evil argument is passed.
gh-97639: Remove tokenize.NL check from tabnanny.
gh-97545: Make Semaphore run faster.
gh-73588: Fix generation of the default name of tkinter.Checkbutton. Previously, \ 
checkbuttons in different parent widgets could have the same short name and \ 
share the same state if arguments “name” and “variable” are not \ 
specified. Now they are globally unique.
gh-97005: Update bundled libexpat to 2.4.9
gh-85760: Fix race condition in asyncio where process_exited() called before the \ 
pipe_data_received() leading to inconsistent output. Patch by Kumar Aditya.
gh-96819: Fixed check in multiprocessing.resource_tracker that guarantees that \ 
the length of a write to a pipe is not greater than PIPE_BUF.
gh-96741: Corrected type annotation for dataclass attribute \ 
pstats.FunctionProfile.ncalls to be str.
gh-96652: Fix the faulthandler implementation of faulthandler.register(signal, \ 
chain=True) if the sigaction() function is not available: don’t call the \ 
previous signal handler if it’s NULL. Patch by Victor Stinner.
gh-96073: In inspect, fix overeager replacement of “typing.” in formatting \ 
annotations.
gh-90467: Fix asyncio.streams.StreamReaderProtocol to keep a strong reference to \ 
the created task, so that it’s not garbage collected
gh-96052: Fix handling compiler warnings (SyntaxWarning and DeprecationWarning) \ 
in codeop.compile_command() when checking for incomplete input. Previously it \ 
emitted warnings and raised a SyntaxError. Now it always returns None for \ 
incomplete input without emitting any warnings.
gh-91212: Fixed flickering of the turtle window when the tracer is turned off. \ 
Patch by Shin-myoung-serp.
gh-74116: Allow asyncio.StreamWriter.drain() to be awaited concurrently by \ 
multiple tasks. Patch by Kumar Aditya.
gh-90155: Fix broken asyncio.Semaphore when acquire is cancelled.
gh-92986: Fix ast.unparse() when ImportFrom.level is None
gh-91539: Improve performance of urllib.request.getproxies_environment when \ 
there are many environment variables

Documentation

gh-97741: Fix ! in c domain ref target syntax via a conf.py patch, so it works \ 
as intended to disable ref target resolution.
gh-95588: Clarified the conflicting advice given in the ast documentation about \ 
ast.literal_eval() being “safe” for use on untrusted input while at the same \ 
time warning that it can crash the process. The latter statement is true and is \ 
deemed unfixable without a large amount of work unsuitable for a bugfix. So we \ 
keep the warning and no longer claim that literal_eval is safe.
gh-93031: Update tutorial introduction output to use 3.10+ SyntaxError invalid range.

Build

gh-96729: Ensure that Windows releases built with Tools\msi\buildrelease.bat are \ 
upgradable to and from official Python releases.

Windows

gh-97728: Fix possible crashes caused by the use of uninitialized variables when \ 
pass invalid arguments in os.system() on Windows and in Windows-specific modules \ 
(like winreg).
gh-90989: Clarify some text in the Windows installer.
gh-96577: Fixes a potential buffer overrun in msilib.

macOS

gh-97897: The macOS 13 SDK includes support for the mkfifoat and mknodat system \ 
calls. Using the dir_fd option with either os.mkfifo() or os.mknod() could \ 
result in a segfault if cpython is built with the macOS 13 SDK but run on an \ 
earlier version of macOS. Prevent this by adding runtime support for detection \ 
of these system calls (“weaklinking”) as is done for other newer syscalls on \ 
macOS.

Log message:
py310-html-docs: updated to 3.10.7

Match python310 version.

Log message:
python310 py310-html-docs: updated to 3.10.6

Python 3.10.6 final
Release date: 2022-08-01

Security
gh-87389: http.server: Fix an open redirection vulnerability in the HTTP server \ 
when an URI path starts with //. Vulnerability discovered, and initial fix \ 
proposed, by Hamza Avvan.
gh-92888: Fix memoryview use after free when accessing the backing buffer in \ 
certain cases.
Core and Builtins
gh-95355: _PyPegen_Parser_New now properly detects token memory allocation \ 
errors. Patch by Honglin Zhu.
gh-94938: Fix error detection in some builtin functions when keyword argument \ 
name is an instance of a str subclass with overloaded __eq__ and __hash__. \ 
Previously it could cause SystemError or other undesired behavior.
gh-94949: ast.parse() will no longer parse parenthesized context managers when \ 
passed feature_version less than (3, 9). Patch by Shantanu Jain.
gh-94947: ast.parse() will no longer parse assignment expressions when passed \ 
feature_version less than (3, 8). Patch by Shantanu Jain.
gh-94869: Fix the column offsets for some expressions in multi-line f-strings \ 
ast nodes. Patch by Pablo Galindo.
gh-91153: Fix an issue where a bytearray item assignment could crash if it’s \ 
resized by the new value’s __index__() method.
gh-94329: Compile and run code with unpacking of extremely large sequences \ 
(1000s of elements). Such code failed to compile. It now compiles and runs \ 
correctly.
gh-94360: Fixed a tokenizer crash when reading encoded files with syntax errors \ 
from stdin with non utf-8 encoded text. Patch by Pablo Galindo
gh-94192: Fix error for dictionary literals with invalid expression as value.
gh-93964: Strengthened compiler overflow checks to prevent crashes when \ 
compiling very large source files.
gh-93671: Fix some exponential backtrace case happening with deeply nested \ 
sequence patterns in match statements. Patch by Pablo Galindo
gh-93021: Fix the __text_signature__ for __get__() methods implemented in C. \ 
Patch by Jelle Zijlstra.
gh-92930: Fixed a crash in _pickle.c from mutating collections during __reduce__ \ 
or persistent_id.
gh-92914: Always round the allocated size for lists up to the nearest even number.
gh-92858: Improve error message for some suites with syntax error before ‘:’
Library
gh-95339: Update bundled pip to 22.2.1.

gh-95045: Fix GC crash when deallocating _lsprof.Profiler by untracking it \ 
before calling any callbacks. Patch by Kumar Aditya.

gh-95087: Fix IndexError in parsing invalid date in the email module.

gh-95199: Upgrade bundled setuptools to 63.2.0.

gh-95194: Upgrade bundled pip to 22.2.

gh-93899: Fix check for existence of os.EFD_CLOEXEC, os.EFD_NONBLOCK and \ 
os.EFD_SEMAPHORE flags on older kernel versions where these flags are not \ 
present. Patch by Kumar Aditya.

gh-95166: Fix concurrent.futures.Executor.map() to cancel the currently waiting \ 
on future on an error - e.g. TimeoutError or KeyboardInterrupt.

gh-93157: Fix fileinput module didn’t support errors option when inplace is true.

gh-94821: Fix binding of unix socket to empty address on Linux to use an \ 
available address from the abstract namespace, instead of “0”.

gh-94736: Fix crash when deallocating an instance of a subclass of \ 
_multiprocessing.SemLock. Patch by Kumar Aditya.

gh-94637: SSLContext.set_default_verify_paths() now releases the GIL around \ 
SSL_CTX_set_default_verify_paths call. The function call performs I/O and CPU \ 
intensive work.

gh-94510: Re-entrant calls to sys.setprofile() and sys.settrace() now raise \ 
RuntimeError. Patch by Pablo Galindo.

gh-92336: Fix bug where linecache.getline() fails on bad files with \ 
UnicodeDecodeError or SyntaxError. It now returns an empty string as per the \ 
documentation.

gh-89988: Fix memory leak in pickle.Pickler when looking up dispatch_table. \ 
Patch by Kumar Aditya.

gh-94254: Fixed types of struct module to be immutable. Patch by Kumar Aditya.

gh-94245: Fix pickling and copying of typing.Tuple[()].

gh-94207: Made _struct.Struct GC-tracked in order to fix a reference leak in the \ 
_struct module.

gh-94101: Manual instantiation of ssl.SSLSession objects is no longer allowed as \ 
it lead to misconfigured instances that crashed the interpreter when attributes \ 
where accessed on them.

gh-84753: inspect.iscoroutinefunction(), inspect.isgeneratorfunction(), and \ 
inspect.isasyncgenfunction() now properly return True for duck-typed \ 
function-like objects like instances of unittest.mock.AsyncMock.

This makes inspect.iscoroutinefunction() consistent with the behavior of \ 
asyncio.iscoroutinefunction(). Patch by Mehdi ABAAKOUK.

gh-83499: Fix double closing of file description in tempfile.

gh-79512: Fixed names and __module__ value of weakref classes ReferenceType, \ 
ProxyType, CallableProxyType. It makes them pickleable.

gh-90494: copy.copy() and copy.deepcopy() now always raise a TypeError if \ 
__reduce__() returns a tuple with length 6 instead of silently ignore the 6th \ 
item or produce incorrect result.

gh-90549: Fix a multiprocessing bug where a global named resource (such as a \ 
semaphore) could leak when a child process is spawned (as opposed to forked).

gh-79579: sqlite3 now correctly detects DML queries with leading comments. Patch \ 
by Erlend E. Aasland.

gh-93421: Update sqlite3.Cursor.rowcount when a DML statement has run to \ 
completion. This fixes the row count for SQL queries like UPDATE ... RETURNING. \ 
Patch by Erlend E. Aasland.

gh-91810: Suppress writing an XML declaration in open files in \ 
ElementTree.write() with encoding='unicode' and xml_declaration=None.

gh-93353: Fix the importlib.resources.as_file() context manager to remove the \ 
temporary file if destroyed late during Python finalization: keep a local \ 
reference to the os.remove() function. Patch by Victor Stinner.

gh-83658: Make multiprocessing.Pool raise an exception if maxtasksperchild is \ 
not None or a positive int.

gh-74696: shutil.make_archive() no longer temporarily changes the current \ 
working directory during creation of standard .zip or tar archives.

gh-91577: Move imports in SharedMemory methods to module level so that they can \ 
be executed late in python finalization.

bpo-47231: Fixed an issue with inconsistent trailing slashes in tarfile longname \ 
directories.

bpo-46755: In QueueHandler, clear stack_info from LogRecord to prevent stack \ 
trace from being written twice.

bpo-46053: Fix OSS audio support on NetBSD.

bpo-46197: Fix ensurepip environment isolation for subprocess running pip.

bpo-45924: Fix asyncio incorrect traceback when future’s exception is raised \ 
multiple times. Patch by Kumar Aditya.

bpo-34828: sqlite3.Connection.iterdump() now handles databases that use \ 
AUTOINCREMENT in one or more tables.
Documentation
gh-94321: Document the PEP 246 style protocol type sqlite3.PrepareProtocol.
gh-86128: Document a limitation in ThreadPoolExecutor where its exit handler is \ 
executed before any handlers in atexit.
gh-61162: Clarify sqlite3 behavior when Using the connection as a context manager.
gh-87260: Align sqlite3 argument specs with the actual implementation.
gh-86986: The minimum Sphinx version required to build the documentation is now 3.2.
gh-88831: Augmented documentation of asyncio.create_task(). Clarified the need \ 
to keep strong references to tasks and added a code snippet detailing how to to \ 
this.
bpo-47161: Document that pathlib.PurePath does not collapse initial double \ 
slashes because they denote UNC paths.
Tests
gh-95280: Fix problem with test_ssl test_get_ciphers on systems that require \ 
perfect forward secrecy (PFS) ciphers.

gh-95212: Make multiprocessing test case test_shared_memory_recreate parallel-safe.

gh-91330: Added more tests for dataclasses to cover behavior with data \ 
descriptor-based fields.

# Write your Misc/NEWS entry below. It should be a simple ReST paragraph. # \ 
Don’t start with “- Issue #<n>: ” or “- gh-issue-<n>: ” or \ 
that sort of stuff. \ 
###########################################################################

gh-94208: test_ssl is now checking for supported TLS version and protocols in \ 
more tests.

gh-93951: In test_bdb.StateTestCase.test_skip, avoid including auxiliary importers.

gh-93957: Provide nicer error reporting from subprocesses in \ 
test_venv.EnsurePipTest.test_with_pip.

gh-57539: Increase calendar test coverage for \ 
calendar.LocaleTextCalendar.formatweekday().

gh-92886: Fixing tests that fail when running with optimizations (-O) in \ 
test_zipimport.py

bpo-47016: Create a GitHub Actions workflow for verifying bundled pip and \ 
setuptools. Patch by Illia Volochii and Adam Turner.
Build
gh-94841: Fix the possible performance regression of PyObject_Free() compiled \ 
with MSVC version 1932.
bpo-45816: Python now supports building with Visual Studio 2022 (MSVC v143, VS \ 
Version 17.0). Patch by Jeremiah Vivian.
Windows
gh-90844: Allow virtual environments to correctly launch when they have spaces \ 
in the path.
gh-92841: asyncio no longer throws RuntimeError: Event loop is closed on \ 
interpreter exit after asynchronous socket activity. Patch by Oleg Iarygin.
bpo-42658: Support native Windows case-insensitive path comparisons by using \ 
LCMapStringEx instead of str.lower() in ntpath.normcase(). Add LCMapStringEx to \ 
the _winapi module.
IDLE
gh-95511: Fix the Shell context menu copy-with-prompts bug of copying an extra \ 
line when one selects whole lines.
gh-95471: In the Edit menu, move Select All and add a new separator.
gh-95411: Enable using IDLE’s module browser with .pyw files.
gh-89610: Add .pyi as a recognized extension for IDLE on macOS. This allows \ 
opening stub files by double clicking on them in the Finder.
Tools/Demos
gh-94538: Fix Argument Clinic output to custom file destinations. Patch by \ 
Erlend E. Aasland.
gh-94430: Allow parameters named module and self with custom C names in Argument \ 
Clinic. Patch by Erlend E. Aasland
C API
gh-94930: Fix SystemError raised when PyArg_ParseTupleAndKeywords() is used with \ 
# in (...) but without PY_SSIZE_T_CLEAN defined.
gh-94864: Fix PyArg_Parse* with deprecated format units “u” and “Z”. It \ 
returned 1 (success) when warnings are turned into exceptions.

Log message:
python310 py310-html-docs: updated to 3.10.5

Python 3.10.5 final

Core and Builtins

gh-93418: Fixed an assert where an f-string has an equal sign ‘=’ following \ 
an expression, but there’s no trailing brace. For example, f”{i=”.

gh-91924: Fix __ltrace__ debug feature if the stdout encoding is not UTF-8. \ 
Patch by Victor Stinner.

gh-93061: Backward jumps after async for loops are no longer given dubious line \ 
numbers.

gh-93065: Fix contextvars HAMT implementation to handle iteration over deep trees.

The bug was discovered and fixed by Eli Libman. See MagicStack/immutables#84 for \ 
more details.

gh-92311: Fixed a bug where setting frame.f_lineno to jump over a list \ 
comprehension could misbehave or crash.

gh-92112: Fix crash triggered by an evil custom mro() on a metaclass.

gh-92036: Fix a crash in subinterpreters related to the garbage collector. When \ 
a subinterpreter is deleted, untrack all objects tracked by its GC. To prevent a \ 
crash in deallocator functions expecting objects to be tracked by the GC, leak a \ 
strong reference to these objects on purpose, so they are never deleted and \ 
their deallocator functions are not called. Patch by Victor Stinner.

gh-91421: Fix a potential integer overflow in _Py_DecodeUTF8Ex.

bpo-47212: Raise IndentationError instead of SyntaxError for a bare except with \ 
no following indent. Improve SyntaxError locations for an un-parenthesized \ 
generator used as arguments. Patch by Matthieu Dartiailh.

bpo-47182: Fix a crash when using a named unicode character like "\N{digit \ 
nine}" after the main interpreter has been initialized a second time.

bpo-46775: Some Windows system error codes(>= 10000) are now mapped into the \ 
correct errno and may now raise a subclass of OSError. Patch by Dong-hee Na.

bpo-47117: Fix a crash if we fail to decode characters in interactive mode if \ 
the tokenizer buffers are uninitialized. Patch by Pablo Galindo.

bpo-39829: Removed the __len__() call when initializing a list and moved \ 
initializing to list_extend. Patch by Jeremiah Pascual.

bpo-46962: Classes and functions that unconditionally declared their docstrings \ 
ignoring the --without-doc-strings compilation flag no longer do so.

The classes affected are ctypes.UnionType, pickle.PickleBuffer, \ 
testcapi.RecursingInfinitelyError, and types.GenericAlias.

The functions affected are 24 methods in ctypes.

Patch by Oleg Iarygin.

bpo-36819: Fix crashes in built-in encoders with error handlers that return \ 
position less or equal than the starting position of non-encodable characters.

Library

gh-93156: Accessing the pathlib.PurePath.parents sequence of an absolute path \ 
using negative index values produced incorrect results.

gh-89973: Fix re.error raised in fnmatch if the pattern contains a character \ 
range with upper bound lower than lower bound (e.g. [c-a]). Now such ranges are \ 
interpreted as empty ranges.

gh-93010: In a very special case, the email package tried to append the \ 
nonexistent InvalidHeaderError to the defect list. It should have been \ 
InvalidHeaderDefect.

gh-92839: Fixed crash resulting from calling bisect.insort() or \ 
bisect.insort_left() with the key argument not equal to None.

gh-91581: utcfromtimestamp() no longer attempts to resolve fold in the pure \ 
Python implementation, since the fold is never 1 in UTC. In addition to being \ 
slightly faster in the common case, this also prevents some errors when the \ 
timestamp is close to datetime.min. Patch by Paul Ganssle.

gh-92530: Fix an issue that occurred after interrupting threading.Condition.notify().

gh-92049: Forbid pickling constants re._constants.SUCCESS etc. Previously, \ 
pickling did not fail, but the result could not be unpickled.

bpo-47029: Always close the read end of the pipe used by multiprocessing.Queue \ 
after the last write of buffered data to the write end of the pipe to avoid \ 
BrokenPipeError at garbage collection and at multiprocessing.Queue.close() \ 
calls. Patch by Géry Ogam.

gh-91401: Provide a fail-safe way to disable subprocess use of vfork() via a \ 
private subprocess._USE_VFORK attribute. While there is currently no known need \ 
for this, if you find a need please only set it to False. File a CPython issue \ 
as to why you needed it and link to that from a comment in your code. This \ 
attribute is documented as a footnote in 3.11.

gh-91910: Add missing f prefix to f-strings in error messages from the \ 
multiprocessing and asyncio modules.

gh-91810: ElementTree method write() and function tostring() now use the text \ 
file’s encoding (“UTF-8” if not available) instead of locale encoding in \ 
XML declaration when encoding="unicode" is specified.

gh-91832: Add required attribute to argparse.Action repr output.

gh-91734: Fix OSS audio support on Solaris.

gh-91700: Compilation of regular expression containing a conditional expression \ 
(?(group)...) now raises an appropriate re.error if the group number refers to \ 
not defined group. Previously an internal RuntimeError was raised.

gh-91676: Fix unittest.IsolatedAsyncioTestCase to shutdown the per test event \ 
loop executor before returning from its run method so that a not yet stopped or \ 
garbage collected executor state does not persist beyond the test.

gh-90568: Parsing \N escapes of Unicode Named Character Sequences in a regular \ 
expression raises now re.error instead of TypeError.

gh-91595: Fix the comparison of character and integer inside \ 
Tools.gdb.libpython.write_repr(). Patch by Yu Liu.

gh-90622: Worker processes for concurrent.futures.ProcessPoolExecutor are no \ 
longer spawned on demand (a feature added in 3.9) when the multiprocessing \ 
context start method is "fork" as that can lead to deadlocks in the \ 
child processes due to a fork happening while threads are running.

gh-91575: Update case-insensitive matching in the re module to the latest \ 
Unicode version.

gh-91581: Remove an unhandled error case in the C implementation of calls to \ 
datetime.fromtimestamp with no time zone (i.e. getting a local time from an \ 
epoch timestamp). This should have no user-facing effect other than giving a \ 
possibly more accurate error message when called with timestamps that fall on \ 
10000-01-01 in the local time. Patch by Paul Ganssle.

bpo-47260: Fix os.closerange() potentially being a no-op in a Linux seccomp sandbox.

bpo-39064: zipfile.ZipFile now raises zipfile.BadZipFile instead of ValueError \ 
when reading a corrupt zip file in which the central directory offset is \ 
negative.

bpo-47151: When subprocess tries to use vfork, it now falls back to fork if \ 
vfork returns an error. This allows use in situations where vfork isn’t \ 
allowed by the OS kernel.

bpo-27929: Fix asyncio.loop.sock_connect() to only resolve names for \ 
socket.AF_INET or socket.AF_INET6 families. Resolution may not make sense for \ 
other families, like socket.AF_BLUETOOTH and socket.AF_UNIX.

bpo-43323: Fix errors in the email module if the charset itself contains \ 
undecodable/unencodable characters.

bpo-47101: hashlib.algorithms_available now lists only algorithms that are \ 
provided by activated crypto providers on OpenSSL 3.0. Legacy algorithms are not \ 
listed unless the legacy provider has been loaded into the default OSSL context.

bpo-46787: Fix concurrent.futures.ProcessPoolExecutor exception memory leak

bpo-45393: Fix the formatting for await x and not x in the operator precedence \ 
table when using the help() system.

bpo-46415: Fix ipaddress.ip_{address,interface,network} raising TypeError \ 
instead of ValueError if given invalid tuple as address parameter.

bpo-28249: Set doctest.DocTest.lineno to None when object does not have __doc__.

bpo-45138: Fix a regression in the sqlite3 trace callback where bound parameters \ 
were not expanded in the passed statement string. The regression was introduced \ 
in Python 3.10 by bpo-40318. Patch by Erlend E. Aasland.

bpo-44493: Add missing terminated NUL in sockaddr_un’s length

This was potentially observable when using non-abstract AF_UNIX datagram sockets \ 
to processes written in another programming language.

bpo-42627: Fix incorrect parsing of Windows registry proxy settings

bpo-36073: Raise ProgrammingError instead of segfaulting on recursive usage of \ 
cursors in sqlite3 converters. Patch by Sergey Fedoseev.

Documentation

gh-86438: Clarify that -W and PYTHONWARNINGS are matched literally and \ 
case-insensitively, rather than as regular expressions, in warnings.
gh-92240: Added release dates for “What’s New in Python 3.X” for 3.0, 3.1, \ 
3.2, 3.8 and 3.10
gh-91888: Add a new gh role to the documentation to link to GitHub issues.
gh-91783: Document security issues concerning the use of the function \ 
shutil.unpack_archive()
gh-91547: Remove “Undocumented modules” page.
bpo-44347: Clarify the meaning of dirs_exist_ok, a kwarg of shutil.copytree().
bpo-38668: Update the introduction to documentation for os.path to remove \ 
warnings that became irrelevant after the implementations of PEP 383 and PEP \ 
529.
bpo-47138: Pin Jinja to a version compatible with Sphinx version 3.2.1.
bpo-46962: All docstrings in code snippets are now wrapped into PyDoc_STR() to \ 
follow the guideline of PEP 7’s Documentation Strings paragraph. Patch by Oleg \ 
Iarygin.
bpo-26792: Improve the docstrings of runpy.run_module() and runpy.run_path(). \ 
Original patch by Andrew Brezovsky.
bpo-40838: Document that inspect.getdoc(), inspect.getmodule(), and \ 
inspect.getsourcefile() might return None.
bpo-45790: Adjust inaccurate phrasing in Defining Extension Types: Tutorial \ 
about the ob_base field and the macros used to access its contents.
bpo-42340: Document that in some circumstances KeyboardInterrupt may cause the \ 
code to enter an inconsistent state. Provided a sample workaround to avoid it if \ 
needed.
bpo-41233: Link the errnos referenced in Doc/library/exceptions.rst to their \ 
respective section in Doc/library/errno.rst, and vice versa. Previously this was \ 
only done for EINTR and InterruptedError. Patch by Yan “yyyyyyyan” Orestes.
bpo-38056: Overhaul the Error Handlers documentation in codecs.
bpo-13553: Document tkinter.Tk args.

Tests

gh-92886: Fixing tests that fail when running with optimizations (-O) in \ 
test_imaplib.py.
gh-92670: Skip test_shutil.TestCopy.test_copyfile_nonexistent_dir test on AIX as \ 
the test uses a trailing slash to force the OS consider the path as a directory, \ 
but on AIX the trailing slash has no effect and is considered as a file.
gh-91904: Fix initialization of PYTHONREGRTEST_UNICODE_GUARD which prevented \ 
running regression tests on non-UTF-8 locale.
gh-91607: Fix test_concurrent_futures to test the correct multiprocessing start \ 
method context in several cases where the test logic mixed this up.
bpo-47205: Skip test for sched_getaffinity() and sched_setaffinity() error case \ 
on FreeBSD.
bpo-47104: Rewrite asyncio.to_thread() tests to use unittest.IsolatedAsyncioTestCase.
bpo-29890: Add tests for ipaddress.IPv4Interface and ipaddress.IPv6Interface \ 
construction with tuple arguments. Original patch and tests by louisom.

Build

bpo-47103: Windows PGInstrument builds now copy a required DLL into the output \ 
directory, making it easier to run the profile stage of a PGO build.

Windows

gh-92984: Explicitly disable incremental linking for non-Debug builds
bpo-47194: Update zlib to v1.2.12 to resolve CVE-2018-25032.
bpo-46785: Fix race condition between os.stat() and unlinking a file on Windows, \ 
by using errors codes returned by FindFirstFileW() when appropriate in \ 
win32_xstat_impl.
bpo-40859: Update Windows build to use xz-5.2.5

Tools/Demos
gh-91583: Fix regression in the code generated by Argument Clinic for functions \ 
with the defining_class parameter.

Log message:
python310 py310-html-docs: updated to 3.10.4

Python 3.10.4 final

Core and Builtins

bpo-46968: Check for the existence of the “sys/auxv.h” header in \ 
faulthandler to avoid compilation problems in systems where this header \ 
doesn’t exist. Patch by Pablo Galindo

Library

bpo-23691: Protect the re.finditer() iterator from re-entering.

bpo-42369: Fix thread safety of zipfile._SharedFile.tell() to avoid a \ 
“zipfile.BadZipFile: Bad CRC-32 for file” exception when reading a ZipFile \ 
from multiple threads.

bpo-38256: Fix binascii.crc32() when it is compiled to use zlib’c crc32 to \ 
work properly on inputs 4+GiB in length instead of returning the wrong result. \ 
The workaround prior to this was to always feed the function data in increments \ 
smaller than 4GiB or to just call the zlib module function.

bpo-39394: A warning about inline flags not at the start of the regular \ 
expression now contains the position of the flag.

bpo-47061: Deprecate the various modules listed by PEP 594:

aifc, asynchat, asyncore, audioop, cgi, cgitb, chunk, crypt, imghdr, msilib, \ 
nntplib, nis, ossaudiodev, pipes, smtpd, sndhdr, spwd, sunau, telnetlib, uu, \ 
xdrlib

bpo-2604: Fix bug where doctests using globals would fail when run multiple times.

bpo-45997: Fix asyncio.Semaphore re-aquiring FIFO order.

bpo-47022: The asynchat, asyncore and smtpd modules have been deprecated since \ 
at least Python 3.6. Their documentation and deprecation warnings and have now \ 
been updated to note they will removed in Python 3.12 (PEP 594).

bpo-46421: Fix a unittest issue where if the command was invoked as python -m \ 
unittest and the filename(s) began with a dot (.), a ValueError is returned.

bpo-40296: Fix supporting generic aliases in pydoc.