go1.16.2 (released 2021/03/11) includes fixes to cgo, the compiler, linker,
the go command, and the syscall and time packages. See the Go 1.16.2 milestone
on our issue tracker for details.
- encoding/xml: infinite loop when using xml.NewTokenDecoder with a
custom TokenReader
The Decode, DecodeElement, and Skip methods of an xml.Decoder provided by
xml.NewTokenDecoder may enter an infinite loop when operating on a custom
xml.TokenReader which returns an EOF in the middle of an open XML element.
Thanks to Sam Whited for reporting this issue.
This issue is CVE-2021-27918 and Go issue golang.org/issue/44913.
- archive/zip: panic when calling Reader.Open
The Reader.Open API, new in Go 1.16, will panic when used on a ZIP archive
containing files that start with "../".
This issue is CVE-2021-27919 and Go issue golang.org/issue/44916.
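Added example (not part of the Go release notes or the pkgsrc commit above): the archive/zip issue is triggered by entry names that start with "../", and the same names are what a zip-slip extraction bug abuses, so a consumer of untrusted archives should triage entry names before extracting anything. The function names (checkEntryName, buildSampleZip, triageArchive) and the in-memory sample archive are constructed for this example and are not part of the Go standard library.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrUnsafePath is returned for entry names that could escape the
// extraction directory (the "../" pattern named in CVE-2021-27919).
var ErrUnsafePath = errors.New("zip entry name is not a safe relative path")

// checkEntryName rejects empty names, absolute names, names with
// backslashes, and any name whose cleaned form is ".." or starts
// with "../" (so "a/../../b" is rejected while "a/../b" is allowed).
func checkEntryName(name string) error {
	if name == "" || strings.HasPrefix(name, "/") || strings.Contains(name, `\`) {
		return ErrUnsafePath
	}
	clean := path.Clean(name)
	if clean == ".." || strings.HasPrefix(clean, "../") {
		return ErrUnsafePath
	}
	return nil
}

// buildSampleZip constructs an in-memory archive (constructed sample
// data for this example) with one benign entry and one entry whose
// name starts with "../".
func buildSampleZip() ([]byte, error) {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	entries := []struct{ name, body string }{
		{"docs/readme.txt", "hello"},
		{"../escape.txt", "must never be written outside the target dir"},
	}
	for _, e := range entries {
		f, err := w.Create(e.name)
		if err != nil {
			return nil, err
		}
		if _, err := f.Write([]byte(e.body)); err != nil {
			return nil, err
		}
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// triageArchive walks the central directory and sorts entry names into
// accepted and rejected lists without extracting or opening anything.
func triageArchive(data []byte) (accepted, rejected []string, err error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, nil, err
	}
	for _, f := range r.File {
		if checkEntryName(f.Name) != nil {
			rejected = append(rejected, f.Name)
			continue
		}
		accepted = append(accepted, f.Name)
	}
	return accepted, rejected, nil
}

func main() {
	data, err := buildSampleZip()
	if err != nil {
		panic(err)
	}
	ok, bad, err := triageArchive(data)
	if err != nil {
		panic(err)
	}
	fmt.Println("accepted:", ok)
	fmt.Println("rejected:", bad)
}
```

The check runs on the names in the central directory only, so it costs nothing per byte of content and can be applied before any Reader.Open or extraction call. On Go 1.20 and later the standard library can also be told to report such names itself at NewReader time by setting GODEBUG=zipinsecurepath=0; the explicit check above works on Go 1.16 as well.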
Add php80 package version 8.0.3 (PHP 8.0.3) with current PHP framework
of pkgsrc.
PHP is a widely-used open source general-purpose scripting language
that is especially suited for web development and can be embedded
into HTML. It is modular, and object-oriented. Much of its syntax
is borrowed from C, Java and Perl with a couple of unique PHP-specific
features thrown in. The language is designed to allow web developers
to write dynamically generated pages quickly.
PHP 8.0 comes with numerous improvements and new features such as
* Union Types
* Named Arguments
* Match Expressions
* Attributes
* Constructor Property Promotion
* Nullsafe Operator
* Weak Maps
* Just In Time Compilation
* And much much more...
Add code fragment for supporting php-json.
With the forthcoming php80, php-json will not be a separate package from php80, since
PHP 8 always builds the json extension in.
Changes since last version: an option to create a version that supports
32-bit values for the X86/64 platform with a heap size of up to 16Gb.
Otherwise, minor bugfixes and changes.
The package has also been updated to remove some superfluous patches that
have been moved upstream and fix a build problem reported in PR pkg/55569.
pkgsrc changes:
---------------
* Update some PLIST entries since the version of packages documented does
not always match the last patchlevel version of OTP.
* Bump revision
upstream changes:
-----------------
Patch Package: OTP 23.2.7
Git Tag: OTP-23.2.7
Date: 2021-03-03
Trouble Report Id: OTP-12960, OTP-17228
Seq num: ERIERL-598, ERIERL-614
System: OTP
Release: 23
Application: kernel-7.2.1, ssl-10.2.4
Predecessor: OTP 23.2.6
Check out the git tag OTP-23.2.7, and build a full OTP system
including documentation. Apply one or more applications from this
build as patches to your installation using the 'otp_patch_apply'
tool. For information on install requirements, see descriptions for
each application version below.
---------------------------------------------------------------------
--- kernel-7.2.1 ----------------------------------------------------
---------------------------------------------------------------------
The kernel-7.2.1 application can be applied independently of other
applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-12960 Application(s): kernel
Related Id(s): ERIERL-598, PR-4509
When using the DNS resolver option
servfail_retry_timeout it did not honour the overall
call time-out in e.g. inet_res:getbyname/3. This
misbehaviour has now been fixed. Also, the
servfail_retry_timeout behaviour has been improved to
only be enforced for servers that give a servfail
answer.
Full runtime dependencies of kernel-7.2.1: erts-11.0, sasl-3.0,
stdlib-3.13
---------------------------------------------------------------------
--- ssl-10.2.4 ------------------------------------------------------
---------------------------------------------------------------------
The ssl-10.2.4 application can be applied independently of other
applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-17228 Application(s): ssl
Related Id(s): ERIERL-614
Enhance logging option log_level to support none and
all, also restore backwards compatibility for log_alert
option.
Full runtime dependencies of ssl-10.2.4: crypto-4.2, erts-10.0,
inets-5.10.7, kernel-6.0, public_key-1.8, stdlib-3.12
---------------------------------------------------------------------
---------------------------------------------------------------------
---------------------------------------------------------------------
20200120
+ resync with my-autoconf.
+ fix typos found with codespell.
+ when reading input in interactive mode, provide for extending the
buffer size for very long lines (Original-Mawk #59).
20200106
+ correct line-number shown in too-many-arguments error message for
the case where the function is a forward reference (report by
"mukti").
+ fix install for manpage when configure --srcdir option is used
(report by Rajeev V Pillai).
+ use both CFLAGS/LDFLAGS when linking in makefile (report by
Rajeev V Pillai).
+ fix clang-9 warning in bi_funct.c (report by Rajeev V Pillai).
+ minor improvement to gcc warning options, from vile
20191231
+ updated configure macros
+ update config.guess and config.sub
20190203
+ improve manpage formatting, e.g., for man2html
+ improve debug-traces
20190129
+ eliminate non-portable tdestroy() from zmalloc no-leaks code.
+ updated configure macros
+ update config.guess and config.sub
20181114
+ revert a change for memory-leaks which made the forced-exit via a
user function inconsistent with earlier versions (report by Sihera
Andre).
+ amend a change for memory-leaks to avoid a double-free (Original-Mawk
#56).
Changelog:
Bugfixes since 1.4.2
Fixed "-d:fulldebug switch does not compile with gc:arc" (#16214)
Fixed "Strange behavior when calling into Nim" (#16249)
Fixed "VC++ winnt.h fatal error "No Target Architecture" in stdlib_io." (#14259)
Fixed "osLastError may randomly raise defect and crash" (#16359)
Fixed "& shows as & in docs" (#16364)
Fixed "gc:arc - SIGSEGV for rawAlloc on windows" (#16365)
Fixed "generic importc proc's don't work (breaking lots of vmops procs for js)" (#16428)
Fixed "[ARC] Compiler error with a closure proc in a macro " (#15043)
Fixed "genericAssignAux runtime error" (#16706)
Fixed "Concept: codegen ignores parameter passing" (#16897)
Fixed "{.push exportc.} interacts with anonymous functions" (#16967)
Fixed "ARC exports a dangerous 'dispose' proc" (#17003)
Fixed "Cursor inference leading to corrupt memory with a tuple" (#17033)
Fixed "toOpenArray doesn't work in VM; toOpenArray with var openArray doesn't work in nim js" (#15952)
Fixed "memory allocation during {.global.} init breaks GC" (#17085)
This has been broken in all platforms' bulk builds for quite some time.
There is a much newer version being worked on in wip, but for now it is
probably best to start by installing lang/rakudo.
pkgsrc changes:
---------------
* Update some PLIST entries since the version of packages documented does
not always match the last patchlevel version of OTP.
* Bump revision
upstream changes:
-----------------
Patch Package: OTP 23.2.6
Git Tag: OTP-23.2.6
Date: 2021-02-25
Trouble Report Id: OTP-17173, OTP-17205, OTP-17220
Seq num: ERIERL-581, ERIERL-608
System: OTP
Release: 23
Application: inets-7.3.2, ssh-4.10.8
Predecessor: OTP 23.2.5
Check out the git tag OTP-23.2.6, and build a full OTP system
including documentation. Apply one or more applications from this
build as patches to your installation using the 'otp_patch_apply'
tool. For information on install requirements, see descriptions for
each application version below.
---------------------------------------------------------------------
--- inets-7.3.2 -----------------------------------------------------
---------------------------------------------------------------------
The inets-7.3.2 application can be applied independently of other
applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-17205 Application(s): inets
Related Id(s): ERIERL-608
Solves CVE-2021-27563, that is, make sure no form of
relative path can be used to go outside the webserver's
directory.
OTP-17220 Application(s): inets
Make sure HEAD requests reject directory links
Full runtime dependencies of inets-7.3.2: erts-6.0, kernel-3.0,
mnesia-4.12, runtime_tools-1.8.14, ssl-5.3.4, stdlib-3.5
---------------------------------------------------------------------
--- ssh-4.10.8 ------------------------------------------------------
---------------------------------------------------------------------
The ssh-4.10.8 application can be applied independently of other
applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-17173 Application(s): ssh
Related Id(s): ERIERL-581
Don't timeout slow connection setups and tear-downs. A
rare crash risk for the controller is also removed.
Full runtime dependencies of ssh-4.10.8: crypto-4.6.4, erts-9.0,
kernel-5.3, public_key-1.6.1, stdlib-3.4.1
---------------------------------------------------------------------
---------------------------------------------------------------------
---------------------------------------------------------------------
Patch Package: OTP 23.2.5
Git Tag: OTP-23.2.5
Date: 2021-02-16
Trouble Report Id: OTP-17185, OTP-17190, OTP-17191
Seq num: ERIERL-606, ERL-1476, GH-4192
System: OTP
Release: 23
Application: erts-11.1.8, ssl-10.2.3, tools-3.4.3
Predecessor: OTP 23.2.4
Check out the git tag OTP-23.2.5, and build a full OTP system
including documentation. Apply one or more applications from this
build as patches to your installation using the 'otp_patch_apply'
tool. For information on install requirements, see descriptions for
each application version below.
---------------------------------------------------------------------
--- erts-11.1.8 -----------------------------------------------------
---------------------------------------------------------------------
The erts-11.1.8 application can be applied independently of other
applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-17185 Application(s): erts
Fixed a bug that could cause some work scheduled for
execution on scheduler threads to be delayed until
other similar work appeared. Beside delaying various
cleanup of internal data structures also the following
could be delayed:
-- Termination of a distribution controller process
-- Disabling of the distribution on a node
-- Gathering of memory allocator information using the
instrument module
-- Enabling, disabling, and gathering of msacc
information
-- Delivery of 'CHANGE' messages when time offset is
monitored
-- A call to erlang:cancel_timer()
-- A call to erlang:read_timer()
-- A call to erlang:statistics(io | garbage_collection
| scheduler_wall_time)
-- A call to ets:all()
-- A call to erlang:memory()
-- A call to erlang:system_info({allocator |
allocator_sizes, _})
-- A call to erlang:trace_delivered()
The bug existed on runtime systems running on all types
of hardware except for x86/x86_64.
Full runtime dependencies of erts-11.1.8: kernel-7.0, sasl-3.3,
stdlib-3.13
---------------------------------------------------------------------
--- ssl-10.2.3 ------------------------------------------------------
---------------------------------------------------------------------
The ssl-10.2.3 application can be applied independently of other
applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-17190 Application(s): ssl
Related Id(s): ERIERL-606
Avoid race when the first two upgrade server handshakes
(that is servers that use a gen_tcp socket as input to
ssl:handshake/2,3) start close to each other. Could
cause one of the handshakes to fail.
Full runtime dependencies of ssl-10.2.3: crypto-4.2, erts-10.0,
inets-5.10.7, kernel-6.0, public_key-1.8, stdlib-3.12
---------------------------------------------------------------------
--- tools-3.4.3 -----------------------------------------------------
---------------------------------------------------------------------
The tools-3.4.3 application can be applied independently of other
applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-17191 Application(s): tools
Related Id(s): ERL-1476, GH-4192, OTP-16922
Correct the Xref analysis undefined_functions to not
report internally generated behaviour_info/1.
Full runtime dependencies of tools-3.4.3: compiler-5.0, erts-11.0,
erts-9.1, kernel-5.4, runtime_tools-1.8.14, stdlib-3.4
---------------------------------------------------------------------
---------------------------------------------------------------------
---------------------------------------------------------------------
Version 14.16.0 'Fermium' (LTS)
This is a security release.
Notable changes
Vulnerabilities fixed:
CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion
Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and also prevents the process from opening, e.g., a file. If no file descriptor limit is configured, then this leads to excessive memory usage and causes the system to run out of memory.
CVE-2021-22884: DNS rebinding in --inspect
Affected Node.js versions are vulnerable to denial of service attacks when the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.
CVE-2021-23840: OpenSSL - Integer overflow in CipherUpdate
This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210216.txt
Version 12.21.0 'Erbium' (LTS)
This is a security release.
Notable changes
Vulnerabilities fixed:
CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion
Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and also prevents the process from opening, e.g., a file. If no file descriptor limit is configured, then this leads to excessive memory usage and causes the system to run out of memory.
CVE-2021-22884: DNS rebinding in --inspect
Affected Node.js versions are vulnerable to denial of service attacks when the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.
CVE-2021-23840: OpenSSL - Integer overflow in CipherUpdate
This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210216.txt
Version 10.24.0 'Dubnium' (LTS)
This is a security release.
Notable changes
Vulnerabilities fixed:
CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion
Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and also prevents the process from opening, e.g., a file. If no file descriptor limit is configured, then this leads to excessive memory usage and causes the system to run out of memory.
CVE-2021-22884: DNS rebinding in --inspect
Affected Node.js versions are vulnerable to denial of service attacks when the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.
CVE-2021-23840: OpenSSL - Integer overflow in CipherUpdate
This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210216.txt
Python 3.9.2 final
Release date: 2021-02-19
Windows
bpo-43155: PyCMethod_New() is now present in python3.lib.
Python 3.9.2 release candidate 1
Release date: 2021-02-16
Security
bpo-42967: Fix web cache poisoning vulnerability by defaulting the query args separator to &, and allowing the user to choose a custom separator.
bpo-42938: Avoid static buffers when computing the repr of ctypes.c_double and ctypes.c_longdouble values.
Core and Builtins
bpo-42819: readline: Explicitly disable bracketed paste in the interactive interpreter, even if it’s set in the inputrc, is enabled by default (e.g. GNU Readline 8.1), or a user calls readline.read_init_file(). The Python REPL has not implemented bracketed paste support. Also, bracketed mode writes the "\x1b[?2004h" escape sequence into stdout which causes test failures in applications that don’t support it. It can still be explicitly enabled by calling readline.parse_and_bind("set enable-bracketed-paste on"). Patch by Dustin Rodrigues.
bpo-42806: Fix the column offsets for f-strings ast nodes surrounded by parentheses and for nodes that spawn multiple lines. Patch by Pablo Galindo.
bpo-40631: Fix regression where a single parenthesized starred expression was a valid assignment target.
bpo-32381: Fix encoding name when running a .pyc file on Windows: PyRun_SimpleFileExFlags() now uses the correct encoding to decode the filename.
bpo-42536: Several built-in and standard library types now ensure that their internal result tuples are always tracked by the garbage collector:
collections.OrderedDict.items()
dict.items()
enumerate()
functools.reduce()
itertools.combinations()
itertools.combinations_with_replacement()
itertools.permutations()
itertools.product()
itertools.zip_longest()
zip()
Previously, they could have become untracked by a prior garbage collection. Patch by Brandt Bucher.
bpo-42195: The __args__ of the parameterized generics for typing.Callable and collections.abc.Callable are now consistent. The __args__ for collections.abc.Callable are now flattened while typing.Callable’s have not changed. To allow this change, types.GenericAlias can now be subclassed and collections.abc.Callable’s __class_getitem__ will now return a subclass of types.GenericAlias. Tests for typing were also updated to not subclass things like Callable[..., T] as that is not a valid base class. Finally, both types no longer validate their argtypes, in Callable[[argtypes], resulttype] to prepare for PEP 612. Patch by Ken Jin.
Library
bpo-43102: The namedtuple __new__ method had its __builtins__ set to None instead of an actual dictionary. This created problems for introspection tools.
bpo-43108: Fixed a reference leak in the curses module. Patch by Pablo Galindo.
bpo-42944: Fix random.Random.sample when counts argument is not None.
bpo-42931: Add randbytes() to random.__all__.
bpo-42780: Fix os.set_inheritable() for O_PATH file descriptors on Linux.
bpo-42851: remove __init_subclass__ support for Enum members
bpo-41748: Fix HTMLParser parsing rules for element attributes containing commas with spaces. Patch by Karl Dubost.
bpo-42759: Fixed equality comparison of tkinter.Variable and tkinter.font.Font. Objects which belong to different Tcl interpreters are now always different, even if they have the same name.
bpo-42756: Configure LMTP Unix-domain socket to use socket global default timeout when a timeout is not explicitly provided.
bpo-23328: Allow / character in username, password fields on _PROXY envars.
bpo-42655: subprocess extra_groups is now correctly passed into setgroups() system call.
bpo-42727: EnumMeta.__prepare__ now accepts **kwds to properly support __init_subclass__
bpo-42681: Fixed range checks for color and pair numbers in curses.
bpo-37961: Fix crash in tracemalloc.Traceback.__repr__() (regressed in Python 3.9).
bpo-42630: tkinter functions and constructors which need a default root window raise now RuntimeError with descriptive message instead of obscure AttributeError or NameError if it is not created yet or cannot be created automatically.
bpo-42644: logging.disable will now validate the types and value of its parameter. It also now accepts strings representing the levels (as does logging.setLevel) instead of only the numerical values.
bpo-36541: Fixed lib2to3.pgen2 to be able to parse PEP-570 positional only argument syntax.
bpo-42517: Enum: private names will raise a DeprecationWarning; in 3.10 they will become normal attributes
bpo-42678: Enum: call __init_subclass__ after members have been added
bpo-42532: Remove unexpected call of __bool__ when passing a spec_arg argument to a Mock.
bpo-42388: Fix subprocess.check_output(…, input=None) behavior when text=True to be consistent with that of the documentation and universal_newlines=True.
bpo-34463: Fixed discrepancy between traceback and the interpreter in formatting of SyntaxError with lineno not set (traceback was changed to match interpreter).
bpo-42375: subprocess module update for DragonFlyBSD support.
bpo-42384: Make pdb populate sys.path[0] exactly the same as regular python execution.
bpo-42383: Fix pdb: previously pdb would fail to restart the debugging target if it was specified using a relative path and the current directory changed.
bpo-42318: Fixed support of non-BMP characters in tkinter on macOS.
bpo-42163: Restore compatibility for uname_result around deepcopy and _replace.
bpo-39825: Windows: Change sysconfig.get_config_var('EXT_SUFFIX') to the expected full platform_tag.extension format. Previously it was hard-coded to .pyd, now it is compatible with distutils.sysconfig and will result in something like .cp38-win_amd64.pyd. This brings windows into conformance with the other platforms.
bpo-42059: typing.TypedDict types created using the alternative call-style syntax now correctly respect the total keyword argument when setting their __required_keys__ and __optional_keys__ class attributes.
bpo-39101: Fixed tests using IsolatedAsyncioTestCase from hanging on BaseExceptions.
bpo-42005: Fix CLI of cProfile and profile to catch BrokenPipeError.
bpo-41907: fix format() behavior for IntFlag
bpo-41889: Enum: fix regression involving inheriting a multiply-inherited enum
bpo-41891: Ensure asyncio.wait_for waits for task completion
bpo-41604: Don’t decrement the reference count of the previous user_ptr when set_panel_userptr fails.
bpo-40219: Lowered tkinter.ttk.LabeledScale dummy widget to prevent hiding part of the content label.
bpo-40084: Fix Enum.__dir__: dir(Enum.member) now includes attributes as well as methods.
bpo-39068: Fix initialization race condition in a85encode() and b85encode() in base64. Patch by Brandon Stansbury.
bpo-33289: Correct call to tkinter.colorchooser to return RGB triplet of ints instead of floats. Patch by Cheryl Sabella.
Documentation
bpo-40304: Fix doc for type(name, bases, dict). Patch by Boris Verkhovskiy and Éric Araujo.
bpo-42811: Updated importlib.utils.resolve_name() doc to use __spec__.parent instead of __package__. (Thanks Yair Frid.)
bpo-17140: Add documentation for the multiprocessing.pool.ThreadPool class.
Tests
bpo-42794: Update test_nntplib to use official group name of news.aioe.org for testing. Patch by Dong-hee Na.
bpo-40810: In sqlite3, fix CheckTraceCallbackContent for SQLite pre 3.7.15.
Build
bpo-43174: Windows build now uses /utf-8 compiler option.
bpo-42692: Fix __builtin_available check on older compilers. Patch by Joshua Root.
bpo-42604: Now all platforms use a value for the “EXT_SUFFIX” build variable derived from SOABI (for instance in FreeBSD, “EXT_SUFFIX” is now “.cpython-310d.so” instead of “.so”). Previously only Linux, Mac and VxWorks were using a value for “EXT_SUFFIX” that included “SOABI”.
bpo-42598: Fix implicit function declarations in configure which could have resulted in incorrect configuration checks. Patch contributed by Joshua Root.
bpo-29076: Add fish shell support to macOS installer.
Windows
bpo-41837: Updated Windows installer to include OpenSSL 1.1.1i.
bpo-42584: Upgrade Windows installer to use SQLite 3.34.0.
macOS
bpo-42504: Ensure that the value of sysconfig.get_config_var(‘MACOSX_DEPLOYMENT_TARGET’) is always a string, even in when the value is parsable as an integer.
bpo-42361: Update macOS installer build to use Tcl/Tk 8.6.11 (rc2, expected to be final release).
bpo-41837: Update macOS installer build to use OpenSSL 1.1.1i.
bpo-42584: Update macOS installer to use SQLite 3.34.0.
IDLE
bpo-43008: Make IDLE invoke sys.excepthook() in normal, 2-process mode. Patch by Ken Hilton.
bpo-33065: Fix problem debugging user classes with __repr__ method.
bpo-23544: Disable Debug=>Stack Viewer when user code is running or Debugger is active, to prevent hang or crash. Patch by Zackery Spytz.
bpo-32631: Finish zzdummy example extension module: make menu entries work; add docstrings and tests with 100% coverage.
Tools/Demos
bpo-42726: Fixed Python 3 compatibility issue with gdb/libpython.py handling of attribute dictionaries.
bpo-42613: Fix freeze.py tool to use the proper config and library directories. Patch by Victor Stinner.
C API
bpo-43030: Fixed a compiler warning in Py_UNICODE_ISSPACE() on platforms with signed wchar_t.
bpo-42591: Export the Py_FrozenMain() function: fix a Python 3.9.0 regression. Python 3.9 uses -fvisibility=hidden and the function was not exported explicitly and so not exported.
bpo-40052: Fix an alignment build warning/error in function PyVectorcall_Function(). Patch by Andreas Schneider, Antoine Pitrou and Petr Viktorin.
Python 3.8.8
Security
bpo-42967: Fix web cache poisoning vulnerability by defaulting the query args separator to &, and allowing the user to choose a custom separator.
bpo-42938: Avoid static buffers when computing the repr of ctypes.c_double and ctypes.c_longdouble values.
Core and Builtins
bpo-42819: readline: Explicitly disable bracketed paste in the interactive interpreter, even if it’s set in the inputrc, is enabled by default (e.g. GNU Readline 8.1), or a user calls readline.read_init_file(). The Python REPL has not implemented bracketed paste support. Also, bracketed mode writes the "\x1b[?2004h" escape sequence into stdout which causes test failures in applications that don’t support it. It can still be explicitly enabled by calling readline.parse_and_bind("set enable-bracketed-paste on"). Patch by Dustin Rodrigues.
Library
bpo-43108: Fixed a reference leak in the curses module. Patch by Pablo Galindo.
bpo-42780: Fix os.set_inheritable() for O_PATH file descriptors on Linux.
bpo-41748: Fix HTMLParser parsing rules for element attributes containing commas with spaces. Patch by Karl Dubost.
bpo-42759: Fixed equality comparison of tkinter.Variable and tkinter.font.Font. Objects which belong to different Tcl interpreters are now always different, even if they have the same name.
bpo-23328: Allow / character in username, password fields on _PROXY envars.
bpo-42681: Fixed range checks for color and pair numbers in curses.
bpo-42531: importlib.resources.path() now works for packages missing the optional __file__ attribute (more specifically, packages whose __spec__.origin is None).
bpo-42388: Fix subprocess.check_output(…, input=None) behavior when text=True to be consistent with that of the documentation and universal_newlines=True.
bpo-42384: Make pdb populate sys.path[0] exactly the same as regular python execution.
bpo-42383: Fix pdb: previously pdb would fail to restart the debugging target if it was specified using a relative path and the current directory changed.
bpo-42318: Fixed support of non-BMP characters in tkinter on macOS.
bpo-42005: Fix CLI of cProfile and profile to catch BrokenPipeError.
bpo-41604: Don’t decrement the reference count of the previous user_ptr when set_panel_userptr fails.
bpo-26407: Unexpected errors in calling the __iter__ method are no longer masked by TypeError in csv.reader(), csv.writer.writerow() and csv.writer.writerows().
bpo-39068: Fix initialization race condition in a85encode() and b85encode() in base64. Patch by Brandon Stansbury.
bpo-36589: The curses.update_lines_cols() function now returns None instead of 1 on success.
bpo-33289: Correct call to tkinter.colorchooser to return RGB triplet of ints instead of floats. Patch by Cheryl Sabella.
Documentation
bpo-40304: Fix doc for type(name, bases, dict). Patch by Boris Verkhovskiy and Éric Araujo.
bpo-42811: Updated importlib.utils.resolve_name() doc to use __spec__.parent instead of __package__. (Thanks Yair Frid.)
Tests
bpo-42794: Update test_nntplib to use official group name of news.aioe.org for testing. Patch by Dong-hee Na.
bpo-40810: In sqlite3, fix CheckTraceCallbackContent for SQLite pre 3.7.15.
Build
bpo-29076: Add fish shell support to macOS installer.
Windows
bpo-41837: Updated Windows installer to include OpenSSL 1.1.1i.
bpo-42584: Upgrade Windows installer to use SQLite 3.34.0.
macOS
bpo-41837: Update macOS installer build to use OpenSSL 1.1.1i.
bpo-42584: Update macOS installer to use SQLite 3.34.0.
IDLE
bpo-43008: Make IDLE invoke sys.excepthook() in normal, 2-process mode. Patch by Ken Hilton.
bpo-33065: Fix problem debugging user classes with __repr__ method.
bpo-42508: Keep IDLE running on macOS. Remove obsolete workaround that prevented running files with shortcuts when using new universal2 installers built on macOS 11.
bpo-23544: Disable Debug=>Stack Viewer when user code is running or Debugger is active, to prevent hang or crash. Patch by Zackery Spytz.
bpo-32631: Finish zzdummy example extension module: make menu entries work; add docstrings and tests with 100% coverage.
Tools/Demos
bpo-42726: Fixed Python 3 compatibility issue with gdb/libpython.py handling of attribute dictionaries.
C API
bpo-43030: Fixed a compiler warning in Py_UNICODE_ISSPACE() on platforms with signed wchar_t.
bpo-40052: Fix an alignment build warning/error in function PyVectorcall_Function(). Patch by Andreas Schneider, Antoine Pitrou and Petr Viktorin.
This touches all compiled std library files after installation, to avoid
extra recompilations when a dependent package (most likely a newer Go
release) is being built.
Patch from mlelstv@ in PR pkg/55900.