3.9.1
Lots of major changes. Tracks changes in the xdis API.
Separate Phases more clearly:
disassembly
tokenization
parsing
abstracting to AST (more is done in newer projects)
printing
Although we do not decompile bytecode greater than 3.8, the code supports running on Python versions up to 3.12.
Many bugs fixed.
A lot of Linting and coding style modernization.
Work done in preparation for Blackhat Asia 2024
Python 3.10.14
Security
gh-115398: Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425) by adding five new methods:
xml.etree.ElementTree.XMLParser.flush()
xml.etree.ElementTree.XMLPullParser.flush()
xml.parsers.expat.xmlparser.GetReparseDeferralEnabled()
xml.parsers.expat.xmlparser.SetReparseDeferralEnabled()
xml.sax.expatreader.ExpatParser.flush()
gh-115399: Update bundled libexpat to 2.6.0
gh-114572: ssl.SSLContext.cert_store_stats() and ssl.SSLContext.get_ca_certs() now correctly lock access to the certificate store, when the ssl.SSLContext is shared across multiple threads.
gh-113659: Skip .pth files with names starting with a dot or hidden file attribute.
Core and Builtins
gh-102388: Fix a bug where iso2022_jp_3 and iso2022_jp_2004 codecs read out of bounds
Library
gh-115197: urllib.request no longer resolves the hostname before checking it against the system’s proxy bypass list on macOS and Windows.
gh-115133: Fix tests for XMLPullParser with Expat 2.6.0.
gh-81194: Fix a crash in socket.if_indextoname() with specific value (UINT_MAX). Fix an integer overflow in socket.if_indextoname() on 64-bit non-Windows platforms.
gh-109858: Protect zipfile from “quoted-overlap” zipbomb. It now raises BadZipFile when trying to read an entry that overlaps with another entry or the central directory.
gh-91133: Fix a bug in tempfile.TemporaryDirectory cleanup, which now no longer dereferences symlinks when working around file system permission errors.
Documentation
gh-115399: Document CVE-2023-52425 of Expat <2.6.0 under “XML vulnerabilities”.
Windows
gh-111239: Update Windows builds to use zlib v1.3.1.
gh-109991: Windows builds now use OpenSSL 1.1.1w. Note that OpenSSL 1.1 has reached its end of life and no future fixes will be made, and this version of Python is no longer receiving maintenance fixes and will not be updated to OpenSSL 3.0.
Tools/Demos
gh-109991: Update GitHub CI workflows to use OpenSSL 3.0.11 and multissltests to use 1.1.1w, 3.0.11, and 3.1.3.
Python 3.9.19
Security
gh-115398: Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425) by adding five new methods:
xml.etree.ElementTree.XMLParser.flush()
xml.etree.ElementTree.XMLPullParser.flush()
xml.parsers.expat.xmlparser.GetReparseDeferralEnabled()
xml.parsers.expat.xmlparser.SetReparseDeferralEnabled()
xml.sax.expatreader.ExpatParser.flush()
gh-115399: Update bundled libexpat to 2.6.0
gh-113659: Skip .pth files with names starting with a dot or hidden file attribute.
Core and Builtins
gh-102388: Fix a bug where iso2022_jp_3 and iso2022_jp_2004 codecs read out of bounds
Library
gh-115197: urllib.request no longer resolves the hostname before checking it against the system’s proxy bypass list on macOS and Windows.
gh-115133: Fix tests for XMLPullParser with Expat 2.6.0.
gh-81194: Fix a crash in socket.if_indextoname() with specific value (UINT_MAX). Fix an integer overflow in socket.if_indextoname() on 64-bit non-Windows platforms.
gh-109858: Protect zipfile from “quoted-overlap” zipbomb. It now raises BadZipFile when trying to read an entry that overlaps with another entry or the central directory.
gh-107077: It seems that in some conditions, OpenSSL returns SSL_ERROR_SYSCALL instead of SSL_ERROR_SSL when certificate verification has failed, but the error parameters still contain ERR_LIB_SSL and SSL_R_CERTIFICATE_VERIFY_FAILED. We now detect this situation and raise the appropriate ssl.SSLCertVerificationError. Patch by Pablo Galindo
gh-91133: Fix a bug in tempfile.TemporaryDirectory cleanup, which now no longer dereferences symlinks when working around file system permission errors.
Documentation
gh-115399: Document CVE-2023-52425 of Expat <2.6.0 under “XML vulnerabilities”.
Windows
gh-111239: Update Windows builds to use zlib v1.3.1.
gh-109991: Windows builds now use OpenSSL 1.1.1w. Note that OpenSSL 1.1 has reached its end of life and no future fixes will be made, and this version of Python is no longer receiving maintenance fixes and will not be updated to OpenSSL 3.0.
Tools/Demos
gh-109991: Update GitHub CI workflows to use OpenSSL 3.0.11 and multissltests to use 1.1.1w and 3.0.11.
Python 3.8.19
Security
gh-115398: Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425) by adding five new methods:
xml.etree.ElementTree.XMLParser.flush()
xml.etree.ElementTree.XMLPullParser.flush()
xml.parsers.expat.xmlparser.GetReparseDeferralEnabled()
xml.parsers.expat.xmlparser.SetReparseDeferralEnabled()
xml.sax.expatreader.ExpatParser.flush()
gh-115399: Update bundled libexpat to 2.6.0
gh-113659: Skip .pth files with names starting with a dot or hidden file attribute.
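The flush() methods listed under gh-115398 above matter for code that feeds XML to a parser incrementally: Expat 2.6.0 defers reparsing of an incomplete token until more input arrives, so a pull parser fed in small pieces may deliver no events for a complete element until later. The following is an added example (not code from CPython or its changelog) showing XMLPullParser fed chunk by chunk with flush() called after each feed; the hasattr() guard is an assumption that keeps it runnable on interpreters that predate the method, and the chunk boundaries are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET


def parse_incrementally(chunks, flush_each=True):
    """Feed an XML document to XMLPullParser piece by piece and collect the
    start-tag names that become readable after each chunk.

    Expat >= 2.6.0 may hold back an incomplete token (reparse deferral) until
    enough new data arrives, so with small chunks events can lag behind the
    data already fed. flush() forces the deferred input to be parsed now.
    The hasattr() guard is an assumption for older interpreters that lack
    flush(); on those the call is simply skipped.
    """
    parser = ET.XMLPullParser(events=("start",))
    seen_per_chunk = []
    for chunk in chunks:
        parser.feed(chunk)
        if flush_each and hasattr(parser, "flush"):
            parser.flush()
        seen_per_chunk.append([elem.tag for _, elem in parser.read_events()])
    # Closing the parser ends the stream; any events still pending are
    # readable afterwards, so they are collected as a final entry.
    parser.close()
    seen_per_chunk.append([elem.tag for _, elem in parser.read_events()])
    return seen_per_chunk


def element_tags(chunks, flush_each=True):
    """Flattened, ordered list of every start tag the parser reported."""
    return [tag for tags in parse_incrementally(chunks, flush_each) for tag in tags]


# Constructed sample: one small document split at awkward places, the
# situation in which reparse deferral becomes visible to the caller.
SAMPLE_CHUNKS = [b"<root><", b"a>1</", b"a><b>", b"2</b></", b"root>"]

if __name__ == "__main__":
    for i, tags in enumerate(parse_incrementally(SAMPLE_CHUNKS)):
        print(f"after chunk {i}: {tags}")
```

Whether flush() is present or not, the complete set of start tags is the same once the parser is closed; what flush() changes is how soon each event is visible while data is still arriving, which is what a streaming consumer relies on.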
Core and Builtins
gh-102388: Fix a bug where iso2022_jp_3 and iso2022_jp_2004 codecs read out of bounds
Library
gh-115197: urllib.request no longer resolves the hostname before checking it against the system’s proxy bypass list on macOS and Windows.
gh-115133: Fix tests for XMLPullParser with Expat 2.6.0.
gh-81194: Fix a crash in socket.if_indextoname() with specific value (UINT_MAX). Fix an integer overflow in socket.if_indextoname() on 64-bit non-Windows platforms.
gh-109858: Protect zipfile from “quoted-overlap” zipbomb. It now raises BadZipFile when trying to read an entry that overlaps with another entry or the central directory.
gh-107077: It seems that in some conditions, OpenSSL returns SSL_ERROR_SYSCALL instead of SSL_ERROR_SSL when certificate verification has failed, but the error parameters still contain ERR_LIB_SSL and SSL_R_CERTIFICATE_VERIFY_FAILED. We now detect this situation and raise the appropriate ssl.SSLCertVerificationError. Patch by Pablo Galindo
gh-91133: Fix a bug in tempfile.TemporaryDirectory cleanup, which now no longer dereferences symlinks when working around file system permission errors.
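The gh-109858 entry above describes the shape of a "quoted-overlap" zipbomb: several central directory records point into the same compressed bytes, so a small file expands to many times its size. The following is an added example (not CPython's own check) of a detector that computes the byte range each member occupies, using the local header and the central directory's compress_size, and reports members whose ranges overlap. The sample archive is constructed in memory, and the overlapping case is simulated by rewriting one ZipInfo record rather than by crafting a file.

```python
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
LOCAL_HEADER_FMT = "<4s5H3L2H"  # fixed part of a local file header
LOCAL_HEADER_SIZE = struct.calcsize(LOCAL_HEADER_FMT)  # 30 bytes


def entry_span(fp, info):
    """Byte range [start, end) occupied by one member: local header, file
    name, extra field and compressed data. compress_size comes from the
    central directory record (the ZipInfo), which is what readers use."""
    fp.seek(info.header_offset)
    hdr = fp.read(LOCAL_HEADER_SIZE)
    if len(hdr) != LOCAL_HEADER_SIZE or hdr[:4] != LOCAL_HEADER_SIG:
        raise zipfile.BadZipFile(f"no local header at offset {info.header_offset}")
    fields = struct.unpack(LOCAL_HEADER_FMT, hdr)
    name_len, extra_len = fields[9], fields[10]
    start = info.header_offset
    end = start + LOCAL_HEADER_SIZE + name_len + extra_len + info.compress_size
    return start, end


def find_overlaps(fp, infos):
    """Sorted name pairs whose byte ranges overlap. A well-formed archive
    has disjoint members; a quoted-overlap archive does not."""
    spans = sorted((entry_span(fp, info), info.filename) for info in infos)
    overlaps = []
    prev_end, prev_name = -1, None
    for (start, end), name in spans:
        if start < prev_end:
            overlaps.append(tuple(sorted((prev_name, name))))
        if end > prev_end:
            prev_end, prev_name = end, name
    return overlaps


def check_archive(zip_bytes, infos=None):
    """Report overlapping members of an in-memory archive. `infos` lets a
    caller pass central-directory records directly (used below to simulate
    a malformed directory without writing a malformed file)."""
    fp = io.BytesIO(zip_bytes)
    with zipfile.ZipFile(fp) as zf:
        if infos is None:
            infos = zf.infolist()
        return find_overlaps(fp, infos)


def build_sample_zip():
    """Constructed, well-formed two-member archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.txt", b"A" * 4096)
        zf.writestr("b.txt", b"B" * 4096)
    return buf.getvalue()


def simulate_quoted_overlap(zip_bytes):
    """Central-directory records of the sample with the second record
    rewritten to point at the first member's local header, the shape of a
    quoted-overlap archive. Only the in-memory records change."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        first, second = zf.infolist()
    second.header_offset = first.header_offset
    return [first, second]


if __name__ == "__main__":
    sample = build_sample_zip()
    print("clean archive overlaps:", check_archive(sample))
    print("simulated overlap:", check_archive(sample, simulate_quoted_overlap(sample)))
```

Running this kind of check before extraction is a reasonable safeguard on interpreters that predate the fix; on the releases above, zipfile raises BadZipFile itself when such an entry is read.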
Documentation
gh-115399: Document CVE-2023-52425 of Expat <2.6.0 under “XML vulnerabilities”.
Tests
gh-108310: SSL tests for pre-handshake close were previously not enabled on Python 3.8 due to an incorrect backport. This is now fixed. Patch by Lumír Balhar.
Windows
gh-111239: Update Windows builds to use zlib v1.3.1.
gh-109991: Windows builds now use OpenSSL 1.1.1w. Note that OpenSSL 1.1 has reached its end of life and no future fixes will be made, and this version of Python is no longer receiving maintenance fixes and will not be updated to OpenSSL 3.0.
Version 21.7.1 (Current)
Notable Changes
This release reverts 51389, which landed in Node.js 21.7.0. It is a documented feature that t.after() hooks are run even if a test has no subtests. The hook can be used to clean up the test itself.
Python with braces. Because Python is awesome, but whitespace is awful.
Bython is a Python preprocessor which translates curly brackets into indentation.
Changelog:
Updated BSD port of JDK 17
Additional features include:
Update to 17.0.10 GA
Fixes for compilation with LLVM 16 and 17
Build fixes for OpenBSD
Working extended file attribute support for FreeBSD
Changelog:
Updated BSD port of JDK 21
Additional features include:
Update to 21.0.2 GA
Fixes for compilation with LLVM 16 and 17
Working extended file attribute support for FreeBSD
PHP 8.3.4 (2024-03-14)
- Core:
. Fix ZTS persistent resource crashes on shutdown. (nielsdos)
- Curl:
. Fix failing tests due to string changes in libcurl 8.6.0. (Ayesh)
- DOM:
. Fix unlikely memory leak in case of namespace removal with extremely deep trees. (nielsdos)
. Fix reference access in dimensions for DOMNodeList and DOMNodeMap. (nielsdos)
- Fileinfo:
. Fixed bug GH-13344 (finfo::buffer(): Failed identify data 0:(null), backport). (nielsdos)
- FPM:
. Fixed bug #75712 (getenv in php-fpm should not read $_ENV, $_SERVER). (Jakub Zelenka)
- GD:
. Fixed bug GH-12019 (detection of image formats in system gd library). (Michael Orlitzky)
- MySQLnd:
. Fixed bug GH-11950 ([mysqlnd] Fixed not to set CR_MALFORMED_PACKET to error if CR_SERVER_GONE_ERROR is already set). (Saki Takamachi)
- PDO:
. Fix various PDORow bugs. (Girgias)
- PGSQL:
. Fixed bug GH-13354 (pg_execute/pg_send_query_params/pg_send_execute with null value passed by reference). (George Barbarosie)
- SPL:
. Fixed bug GH-13531 (Unable to resize SplFixedArray after being unserialized in PHP 8.2.15). (nielsdos)
- Standard:
. Fixed bug GH-13279 (Instable array during in-place modification in uksort). (ilutov)
. Fixed array key as hash to string (case insensitive) comparison typo for the second operand buffer size (albeit unused for now). (A. Slepykh)
- XML:
. Fixed bug GH-13517 (Multiple test failures when building with --with-expat). (nielsdos)
Rakudo compiler, Release #169 (2024.02)
2024-02-29
On behalf of the Rakudo development team, I'm very happy to announce the
February 2024 release of Rakudo #169. Rakudo is an implementation of the Raku
language.
The source tarball for this release is available from https://rakudo.org/files/rakudo.
Pre-compiled archives will be available shortly.
New in 2024.02:
* Improvements:
+ Better errors for common array parameter mistakes [47fb8c35]
+ Improve stability in heavy async situations [761153bc][5c289878]
* Additions:
+ Add Int/Real coercing versions of infix:<div|mod> [71c0151a]
+ Implement sub form of &trans, mainly to support feed operators
[b238fad8]
+ Provide native int coercers to Int/Cool [a67842ac][1eaa9d71][dc5414d6]
* Fixes:
+ Avoid leaking repo.lock handle [155818f4][e6207699][7ca96bbd][a723c387]
* Deprecations:
* Internal:
+ Document and/or streamline dispatchers and related [d176728c][78d4fbc0]
[344f7978][e6fd943f][02bc10c2][ccbe370a][07049e7f][b151e2d7][35760ceb]
+ Streamline "core" (bootstrap, core, metamodel) [51297879][bae06a2c]
[6117df24][e93208ce][b0dd4ef4][6b231533][024212cd][8e840a51][19da50e3]
[88151678][975b6634][1dfd7b4b][9f0d361b][80ac4336][760e7a72][eef53371]
[02aaf9e9][0b759a7a][614571d2][67153138][4c86ef77][dab2c235][c944dae4]
[2e4113c5][69877047][d49cd4e0][9a828454][de923f1b][1ce9b4c6][3c9f07a8]
[24a1e67c][4181d461][2c64cbc7][4f64b487][5585454f][cf773dc2][68cd850f]
[fd936efe][04229899][3c218265][192d7d0a][3271329c][71dcfd42][52dfda3f]
[b720babd][9f7a3419]
* RakuAST Development:
+ RakuAST: some nano optimizations [9478d5c7]
See following page for more info
https://rakudo.org/post/announce-rakudo-release-2024.02
Version 21.7.0 (Current)
Text Styling
Loading and parsing environment variables
Support for multi-line values for .env file
sea: support embedding assets
vm: support using the default loader to handle dynamic import()
crypto: implement crypto.hash()
v0.1.3 (2024-03-05)
Replace usage of deprecated path argument to pytest hook pytest_collect_file() with usage of the file_path argument introduced in pytest 7
Vala 0.56.15
============
* Various improvements and bug fixes:
- codegen:
+ Use GWeakRef for [SingleInstance] constructors
+ Remove static mutex initialization
+ Correctly return FALSE on uncaught error in async ctor
+ Cast generic return value from g_ptr_array_index()
+ Don't use pre-assigned *_parent_iface field if an instance is given
+ Emit diagnostic pragmas for GCC 14, Clang 16 compatibility
- vala:
+ Keep depfile empty if no dependencies were written
+ Treat negative integer/float ranks as non-compatible
+ Move formal_target_type when transforming method-call/object-creation
+ Follow the logic of GIrParser.locate_gir() to find gir files
- girparser:
+ Don't blindly translate utf8 to string and check the ctype too
+ Issue a warning for `record` inside `transparent union`
+ Don't discard explicitly given ctype of parameters
- libvaladoc: Fix build with graphviz >= 10.0.1
* Bindings:
- glib-2.0,posix: Define _GNU_SOURCE for sincos*()
- gio-2.0: Fix pointer-sign errors of some uint8[]-typed parameters
- gio-2.0,gmodule-2.0: Update from 2.79.x git
- gmodule-2.0: Improvements and updates from 2.76
- gtk4: Fix GLib.Value parameter in Expression.evaluate()
- gtk4: Update to 4.13.9~f46fb7c6
- libsoup-3.0: Don't skip uri_copy
- v4l2: Fix FrameivalEnum.stepwise type mismatch with v4l2_frmivalenum
This minor release includes 5 security fixes following the security policy:
- crypto/x509: Verify panics on certificates with an unknown public key
algorithm
Verifying a certificate chain which contains a certificate with an unknown
public key algorithm will cause Certificate.Verify to panic.
This affects all crypto/tls clients, and servers that set Config.ClientAuth
to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default
behavior is for TLS servers to not verify client certificates.
Thanks to John Howard (Google) for reporting this issue.
This is CVE-2024-24783 and Go issue https://go.dev/issue/65390.
- net/http: memory exhaustion in Request.ParseMultipartForm
When parsing a multipart form (either explicitly with
Request.ParseMultipartForm or implicitly with Request.FormValue,
Request.PostFormValue, or Request.FormFile), limits on the total size of the
parsed form were not applied to the memory consumed while reading a single
form line. This permitted a maliciously crafted input containing very long
lines to cause allocation of arbitrarily large amounts of memory, potentially
leading to memory exhaustion.
ParseMultipartForm now correctly limits the maximum size of form lines.
Thanks to Bartek Nowotarski for reporting this issue.
This is CVE-2023-45290 and Go issue https://go.dev/issue/65383.
- net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and
cookies on HTTP redirect
When following an HTTP redirect to a domain which is not a subdomain match or
exact match of the initial domain, an http.Client does not forward sensitive
headers such as "Authorization" or "Cookie". For example, a redirect from
foo.com to www.foo.com will forward the Authorization header, but a redirect
to bar.com will not.
A maliciously crafted HTTP redirect could cause sensitive headers to be
unexpectedly forwarded.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2023-45289 and Go issue https://go.dev/issue/65065.
- html/template: errors returned from MarshalJSON methods may break template
escaping
If errors returned from MarshalJSON methods contain user controlled data,
they may be used to break the contextual auto-escaping behavior of the
html/template package, allowing for subsequent actions to inject unexpected
content into templates.
Thanks to RyotaK (https://ryotak.net) for reporting this issue.
This is CVE-2024-24785 and Go issue https://go.dev/issue/65697.
- net/mail: comments in display names are incorrectly handled
The ParseAddressList function incorrectly handles comments (text within
parentheses) within display names. Since this is a misalignment with
conforming address parsers, it can result in different trust decisions being
made by programs using different parsers.
Thanks to Juho Nurminen of Mattermost and Slonser
(https://github.com/Slonser) for reporting this issue.
This is CVE-2024-24784 and Go issue https://go.dev/issue/65083.
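The net/http redirect entry above states the policy: credential-bearing headers may follow a redirect only to the same host or one of its subdomains (foo.com to www.foo.com, but not to bar.com). The following is an added example, written in Python rather than taken from Go's net/http, that implements that policy as a standalone check an HTTP client wrapper could apply before following a redirect. The header set is limited to the two headers the advisory names, and the URLs and header values are constructed placeholders.

```python
from urllib.parse import urlsplit

# Headers that carry credentials; names are matched case-insensitively.
# Limited to the two headers the advisory mentions (assumption for this example).
SENSITIVE_HEADERS = {"authorization", "cookie"}


def same_or_subdomain(initial_host, redirect_host):
    """True when redirect_host equals initial_host or is a subdomain of it.

    The comparison requires a dot boundary, so evilfoo.com is not treated as
    a subdomain of foo.com. Hosts are lower-cased and a trailing dot is
    ignored so that "FOO.COM." and "foo.com" compare equal.
    """
    a = initial_host.lower().rstrip(".")
    b = redirect_host.lower().rstrip(".")
    return b == a or b.endswith("." + a)


def headers_for_redirect(headers, initial_url, redirect_url):
    """Headers to send to redirect_url: a copy of the original request's
    headers, minus SENSITIVE_HEADERS when the target host is not the same
    site as the host the request was first sent to."""
    initial_host = urlsplit(initial_url).hostname or ""
    redirect_host = urlsplit(redirect_url).hostname or ""
    if same_or_subdomain(initial_host, redirect_host):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


# Constructed request headers with placeholder credential values.
SAMPLE_HEADERS = {
    "Authorization": "Bearer placeholder-token",
    "Cookie": "session=placeholder",
    "Accept": "application/json",
}

if __name__ == "__main__":
    for target in ("https://www.foo.com/next", "https://bar.com/next"):
        kept = headers_for_redirect(SAMPLE_HEADERS, "https://foo.com/start", target)
        print(target, "->", sorted(kept))
```

A client wrapper would run headers_for_redirect on every hop, comparing each new Location against the host of the original request rather than the previous hop, so that a chain through a trusted subdomain cannot launder credentials to an unrelated host.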
Changelog:
## v1.0.0 - 2024-03-04
### Language changes
- Comments have been added to the JavaScript prelude to indicate which members
are in the public API and which are internal.
### Build tool
- Fixed a bug where the exported package interface would not have a module's
documentation.
## v1.0.0-rc2 - 2024-02-14
### Bug fixes
- Fixed a bug where the exhaustiveness checker could crash for some generic
types.
### Formatter
- The format used by the formatter has been improved in some niche cases.
## v1.0.0-rc1 - 2024-02-10
### Language changes
- Using a reserved word is now a compile error, not a warning.
- Inexhaustive matches are now compile errors, not warnings.
- The warning for an unused module alias now shows how to not assign a name to
the module.
- Type aliases with unused type parameters now emit an error.
- Type definitions with duplicate type parameters now emit an error.
### Formatter
- Now the formatter will nest pipelines and binary operators that are used as
function arguments, list items or as tuple items.
- The formatting of function literals used as the last argument in a function
  call on long lines has been improved.
### Build tool
- If a package contains a `todo` expression then the build tool will now refuse
to publish it to Hex.
- The search bar in generated docs now has a darker background color.
- `gleam export` now takes a `package-interface` option to export a json file
containing metadata about the root package.
- `gleam docs build` now creates a json file containing metadata about the root
package.
- The order of dependencies in `manifest.toml` is now in alphabetical order.
- The generated docs no longer show whether an argument is discarded or
  not in a function signature.
- It is now possible to use `gleam run -m` to run a dependency module even if
that dependency uses a compile target that your project does not support.
### Bug fixes
- Fixed a bug where the build tool could be made to attempt to run a main
  function that does not support the current target in some circumstances.
- Fixed a bug where the exhaustiveness checker could crash when checking nested
values inserted into the parent type using type parameters.
- Fixed a bug where `functionname(_name)` would incorrectly parse as a function
capture instead of a syntax error.
- Fixed a bug where external only functions would "successfully" compile for a
target they do not support, leading to a runtime error.
Don't have macOS handy to test but it looks like this'll be required,
judging by the bulk logs. Worst case, the build will fail in a
different way on macOS.
Pkgsrc changes:
* stop pretending to support NetBSD/8.x, all NetBSD binary kits are
now built for 9.x or newer. Simplify conditionals correspondingly.
See lang/rust for detailed upstream changes.