Correct a merge botch introduced in a previous commit. It was intended
that a variable be redefined, but it was committed in an incomplete
testing state.
Like the other test, because /dev/shm isn't available in the build
environment doesn't mean it won't be available on the destination
machine for the packages.
This attempts to build and run a program that uses POSIX semaphores.
This fails in a pbulk sandbox that doesn't contain /dev/shm, resulting
in a broken package where the idea that the platform doesn't support
POSIX semaphores is baked in forever. In newer Python versions,
this means Python doesn't even build properly.
XXX: We might want to avoid it on other platforms too...
Backport 3 vulnerability fixes from Python 3.6 using rebased patches
from Gentoo. These are:
bpo-39017 (CVE-2019-20907): infinite loop in tarfile.py
bpo-39503 (CVE-2020-8492): ReDoS on AbstractBasicAuthHandler
bpo-39603 (no CVE): header injection via HTTP method
'Python". For all other distributions built with distutils, we sure
don't (and, mind you, it's very unlikely to be the exact same version as
Python itself). This should fix a whole bunch of py27-* packages broken
with the previous commit. Thanks wiz@ for the heads up.
1. LD_LIBRARY_PATH does _not_ take precedence over DT_RPATH
(e.g. Linux)
2. A previous libpython with the same major.minor is already installed
(e.g. a previous version of this package)
hold, the built python will be linked with the installed libpython,
causing it to report an old teeny version in sys.version_info while
staging the install. Then "make package" fails with PLIST mismatches for
{,Pattern}Grammar.*.pickle.
pkgsrc knows which version we're building. Pass that down instead.
For platforms that weren't having this problem, no functional change
intended. For platforms that were, this simply restores "make package",
so no PKGREVISION bump.
Python 2.7.18, the last release of Python 2
The CPython core developers are pleased to announce the immediate availability of Python 2.7.18.
Python 2.7.18 is the last Python 2.7
release and therefore the last Python 2 release. It's time for the CPython
community to say a fond but firm farewell to Python 2.
Download this unique, commemorative Python release on python.org.
Python 2.7 has been under active development since the release of Python 2.6,
more than 11 years ago. Over all those years, CPython's core developers and
contributors sedulously applied bug fixes to the 2.7 branch, no small task as
the Python 2 and 3 branches diverged. There were large changes midway through
Python 2.7's life such as PEP 466's feature backports to the ssl module and
hash randomization. Traditionally, these features would never have been added
to a branch in maintenance mode, but exceptions were made to keep Python 2 users
secure. Thank you to CPython's community for such dedication.
Python 2.7 was lucky to have the services of two generations of binary builders
and operating system experts, Martin von Löwis and Steve Dower for Windows, and
Ronald Oussoren and Ned Deily for macOS. The reason we provided binary Python
2.7 releases for macOS 10.9, an operating system obsoleted by Apple 4 years ago,
or why the "Microsoft Visual C++ Compiler for Python 2.7" exists is the
dedication of these individuals.
Python 3 would be nowhere without the dedication of the wider community. Library
maintainers followed CPython by maintaining Python 2 support for many years but
also threw their weight behind the Python 3 statement.
Linux distributors chased Python 2 out of their
archives. Users migrated hundreds of millions of lines of code, developed
porting guides, and kept Python 2 in their brain while Python 3 gained 10 years
of improvements.
Finally, thank you to GvR for creating Python 0.9, 1, 2, and 3.
Long live Python 3+!
2.7.17:
Escape the server title of :class:`DocXMLRPCServer.DocXMLRPCServer` when
rendering the document page as HTML.
Update vendorized expat library version to 2.2.8, which resolves
CVE-2019-15903.
Updated OpenSSL to 1.0.2s in Windows installer
Don't set cookie for a request when the request path is a prefix match of
the cookie's path attribute but doesn't end with "/".
Don't send cookies of domain A without Domain attribute to domain B when
domain A is a suffix match of domain B while using a cookiejar with
:class:`cookielib.DefaultCookiePolicy` policy.
Fix parsing of invalid email addresses with more than one ``@`` (e.g.
a@b@c.com.) to not return the part before 2nd ``@`` as valid email address.
Fixes mishandling of pre-normalization characters in urlsplit().
Address CVE-2019-9740 by disallowing URL paths with embedded whitespace or
control characters through into the underlying http client request. Such
potentially malicious header injection URLs now cause an httplib.InvalidURL
exception to be raised.
Changes urlsplit() to raise ValueError when the URL contains characters that
decompose under IDNA encoding (NFKC-normalization) into characters that
affect how the URL is parsed.
CVE-2019-9948: Avoid file reading by disallowing ``local-file://`` and
``local_file://`` URL schemes in :func:`urllib.urlopen`,
:meth:`urllib.URLopener.open` and :meth:`urllib.URLopener.retrieve`.
Fix race in PyThread_release_lock that was leading to memory corruption and
deadlocks. The fix applies to POSIX systems where Python locks are
implemented with mutex and condition variable because POSIX semaphores are
either not provided, or are known to be broken. One particular example of
such system is macOS.
valgrind: suppress a false alarm in memory leak checks. _PyWarnings_Init()
only allocates memory once at startup but it is not released at exit. Ignore
this issue to be able to catch other bugs more easily.
Fix possible overflow in ``wrap_lenfunc()`` when ``sizeof(long) <
sizeof(Py_ssize_t)`` (e.g., 64-bit Windows).
pymalloc returns memory blocks aligned by 16 bytes, instead of 8 bytes, on
64-bit platforms to conform x86-64 ABI. Recent compilers assume this
alignment more often.
Fix signed integer overflow in _ctypes.c's ``PyCArrayType_new()``.
Fix a possible double ``PyMem_FREE()`` due to tokenizer.c's ``tok_nextc()``.
Fix a possible reference leak in :func:`itertools.count`.
PyOS_StdioReadline() no longer leaks memory when realloc() fails.
Fix an unlikely memory leak on conversion from string to float in the
function ``_Py_dg_strtod()`` used by ``float(str)``, ``complex(str)``,
:func:`pickle.load`, :func:`marshal.load`, etc.
Fix use of uninitialized memory in cPickle when reading a truncated pickle
from a file object.
Clarified Doc string for builtin filter function. 2nd Argument can be any
iterable.
Allow the rare code that wants to send invalid http requests from the
`http.client` library a way to do so. The fixes for bpo-30458 led to
breakage for some projects that were relying on this ability to test their
own behavior in the face of bad requests.
Fix a memory leak in comparison of :class:`sqlite3.Row` objects.
_hashlib no longer calls obsolete OpenSSL initialization function with
OpenSSL 1.1.0+.
Fixed a crash in the :func:`tee` iterator when re-enter it. RuntimeError is
now raised in this case.
Fix C compiler warning caused by distutils.ccompiler.CCompiler.has_function.
Fix file descriptors transfer in multiprocessing on FreeBSD: use
``CMSG_SPACE()`` rather than ``CMSG_LEN()``; see :rfc:`3542`.
Update wheels bundled with ensurepip (pip 19.2.3 and setuptools 41.2.0)
Update vendorized expat version to 2.2.7.
:func:`urlparse.urlsplit` error message for invalid ``netloc`` according to
NFKC normalization is now a :class:`str` string, rather than a
:class:`unicode` string, to prevent error when displaying the error.
:meth:`msilib.Directory.start_component()` no longer fails if *keyfile* is
not ``None``.
Rename the :meth:`test_ascii_replace` to :meth:`test_ascii_strict`.
Fix :mod:`distutils.sysconfig` if :data:`sys.executable` is ``None`` or an
empty string: use :func:`os.getcwd` to initialize ``project_base``. Fix
also the distutils build command: don't use :data:`sys.executable` if it is
``None`` or an empty string.
Fix buffer overflow in :meth:`~socket.socket.send` and
:meth:`~socket.socket.sendall` methods of :func:`socket.socket` for data
larger than 2 GiB.
Fix a possible reference leak in the json module.
Fix a possible reference leak in the io module.
Fix two possible reference leaks in the hotshot module.
Fix ``CFLAGS`` in ``customize_compiler()`` of ``distutils.sysconfig``: when
the ``CFLAGS`` environment variable is defined, don't override ``CFLAGS``
variable with the ``OPT`` variable anymore.
Update ensurepip to install pip 19.0.3 and setuptools 40.8.0.
Fix linuxaudiodev.linux_audio_device() error handling: close the internal
file descriptor if it fails to open the device.
Fix memory leak in ctypes POINTER handling of large values.
Fix two unlikely reference leaks in _hashopenssl. The leaks only occur in
out-of-memory cases.
Resolve potential name clash with libm's sinpi().
Fix ``setup.py check --restructuredtext`` for files containing ``include``
directives.
Fix PyList_GetItem index description to include 0.
Replace the dead link to the Tkinter 8.5 reference by John Shipman, New
Mexico Tech, with a link to the archive.org copy.
Improve the examples in the "How do I convert a number to string?" question
of the "Programming" section of the FAQ.
Fix documentation build for sphinx<1.6.
Explicitly set master_doc variable in conf.py for compliance with Sphinx 2.0
Add glossary entry for 'magic method'.
Fix test_wsgiref.testEnviron() to no longer depend on the environment
variables (don't fail if "X" variable is set).
Add --cleanup option to python3 -m test to remove ``test_python_*``
directories of previous failed jobs. Add "make cleantest" to run ``python3
-m test --cleanup``.
test_gdb no longer fails if it gets an "unexpected" message on stderr: it
now ignores stderr. The purpose of test_gdb is to test that python-gdb.py
commands work as expected, not to test gdb.
Update Lib/test/selfsigned_pythontestdotnet.pem to match
self-signed.pythontest.net's new TLS certificate.
Skip specific nntplib and ssl networking tests when they would otherwise
fail due to a modern OS or distro with a default OpenSSL policy of rejecting
connections to servers with weak certificates or disabling TLS below
TLSv1.2.
Fix reference leak hunting in regrtest: compute also deltas (of reference
count and file descriptor count) during warmup, to ensure that everything is
initialized before starting to hunt reference leaks.
test_posix.PosixUidGidTests: add tests for invalid uid/gid type (str).
Add test.support.TEST_HTTP_URL and replace references of
http://www.example.com by this new constant.
Avoid test_ttk_guionly ComboboxTest failure with macOS Cocoa Tk.
Re-enable missing widget testcases in test_ttk_guionly.
Fix ``test_default_ecdh_curve`` when TLSv1.3 is enabled by default.
In Solaris family, we must be sure to use ``-D_REENTRANT``.
Fix detection of the bind_textdomain_codeset function for building gettext
support into the locale module.
``make tags`` and ``make TAGS`` now also parse ``Modules/_io/*.c`` and
``Modules/_io/*.h``.
Fix SSL module build with OpenSSL 1.1.0
Updates bundled OpenSSL to 1.0.2t
Include the ``FORMAT_MESSAGE_IGNORE_INSERTS`` flag in ``FormatMessageW()``
calls.
Update Windows builds to use SQLite 3.28.0.
Correctly handle string length in ``msilib.SummaryInfo.GetProperty()`` to
prevent it from truncating the last character.
Updated OpenSSL to 1.0.2t in macOS installer for 2.7.x.
When building 2.7 on macOS without system header files installed in
``/usr/include``, a few extension modules dependent on system-supplied
third-party libraries were not being built, most notably zlib.
Update macOS installer to use SQLite 3.28.0.
Updated OpenSSL to 1.0.2s in macOS installer.
Support building Python on macOS without /usr/include installed. As of macOS
10.14, system header files are only available within an SDK provided by
either the Command Line Tools or the Xcode app.
Properly 'attach' search dialogs to their main window so that they behave
like other dialogs and do not get hidden behind their main window.
When saving a file, call os.fsync() so bits are flushed to e.g. USB drive.
2to3 now works when run from a zipped standard library.
Fix the argument handling in Tools/scripts/lll.py.
Fix the cast on error in :c:func:`PyLong_AsUnsignedLongLongMask()`.
Because python won't even try to build it.
You only see nis_failed.so if there is an error building it, when
it wanted to build it, and that should be fixed accordingly.
In a nutshell, if the yp headers are installed, python will build
the nis module, otherwise it won't.
On netbsd systems at least, if you have the yp headers installed and
subsequently re-install over the top with MKYP=no you get into the state
where the headers are installed, but the functions are no longer in libc.
This is an error with *your* system - either rebuild with MKYP=yes OR
remove the yp headers from include/rpc and include/rpcsvc.
Follow on fix for PR pkg/53673.
Match the logic used by setup.py: it looks for two headers in the default
include path. This helps newer glibc linux.
Omit PLIST.dll on python3* because it doesn't appear in the PLIST.
Make PLIST.dll true on all non-IRIX.
tested: NetBSD-current, FreeBSD 11.2, Ubuntu 18.10, CentOS 6.9, Source Mage
From Dr. Thomas Orgis, myself, and with pointers to a change from leot.
PR pkg/53673
Since Python 2.7.15 patches/patch-ah is no longer needed and badly interfere
(e.g. with it `curses.KEY_*' are no longer exposed):
- Prototypes of NetBSD curses(3) are as described, no need to patch them
- Avoid {lines,columns} -> {nlines,columns} rename, they are properly
undef-ed due HAVE_TERM_H.
- Use keyname() (it should be present since NetBSD 2.0)
Bump PKGREVISION for devel/py-curses so it will be properly rebuild.
Fixes PR pkg/53330 reported by <oster>.
Upstream changelog, slightly reordered:
Security
--------
- bpo-31530: Fixed crashes when iterating over a file on multiple threads.
This resolves CVE-2018-1000030.
- bpo-32997: A regex in fpformat was vulnerable to catastrophic
backtracking. This regex was a potential DOS vector (REDOS). Based on
typical uses of fpformat the risk seems low. The regex has been refactored
and is now safe. Patch by Jamie Davis.
- bpo-32981: Regexes in difflib and poplib were vulnerable to catastrophic
backtracking. These regexes formed potential DOS vectors (REDOS). They
have been refactored. This resolves CVE-2018-1060 and CVE-2018-1061. Patch
by Jamie Davis.
- bpo-31339: Rewrite time.asctime() and time.ctime(). Backport and adapt the
_asctime() function from the master branch to not depend on the
implementation of asctime() and ctime() from the external C library. This
change fixes a bug when Python is run using the musl C library.
- bpo-30730: Prevent environment variables injection in subprocess on
Windows. Prevent passing other environment variables and command
arguments.
- bpo-30694: Upgrade expat copy from 2.2.0 to 2.2.1 to get fixes of multiple
security vulnerabilities including: CVE-2017-9233 (External entity
infinite loop DoS), CVE-2016-9063 (Integer overflow, re-fix),
CVE-2016-0718 (Fix regression bugs from 2.2.0's fix to CVE-2016-0718) and
CVE-2012-0876 (Counter hash flooding with SipHash). Note: the
CVE-2016-5300 (Use os- specific entropy sources like getrandom) doesn't
impact Python, since Python already gets entropy from the OS to set the
expat secret using ``XML_SetHashSalt()``.
- bpo-30500: Fix urllib.splithost() to correctly parse fragments. For
example, ``splithost('//127.0.0.1#@evil.com/')`` now correctly returns the
``127.0.0.1`` host, instead of treating ``@evil.com`` as the host in an
authentification (``login@host``).
- bpo-29591: Update expat copy from 2.1.1 to 2.2.0 to get fixes of
CVE-2016-0718 and CVE-2016-4472. See
https://sourceforge.net/p/expat/bugs/537/ for more information.
Core and Builtins
-----------------
- bpo-33374: Tweak the definition of PyGC_Head, so compilers do not believe
it is always 16-byte aligned on x86. This prevents crashes with more
aggressive optimizations present in GCC 8.
- bpo-33026: Fixed jumping out of "with" block by setting f_lineno.
- bpo-17288: Prevent jumps from 'return' and 'exception' trace events.
- bpo-18533: ``repr()`` on a dict containing its own ``viewvalues()`` or
``viewitems()`` no longer raises ``RuntimeError``. Instead, use ``...``,
as for other recursive structures. Patch by Ben North.
- bpo-10544: Yield expressions are now deprecated in comprehensions and
generator expressions when checking Python 3 compatibility. They are still
permitted in the definition of the outermost iterable, as that is
evaluated directly in the enclosing scope.
- bpo-32137: The repr of deeply nested dict now raises a RecursionError
instead of crashing due to a stack overflow.
- bpo-20047: Bytearray methods partition() and rpartition() now accept only
bytes-like objects as separator, as documented. In particular they now
raise TypeError rather of returning a bogus result when an integer is
passed as a separator.
- bpo-31733: Add a new PYTHONSHOWREFCOUNT environment variable. In debug
mode, Python now only print the total reference count if
PYTHONSHOWREFCOUNT is set.
- bpo-31692: Add a new PYTHONSHOWALLOCCOUNT environment variable. When
Python is compiled with COUNT_ALLOCS, PYTHONSHOWALLOCCOUNT now has to be
set to dump allocation counts into stderr on shutdown. Moreover,
allocations statistics are now dumped into stderr rather than stdout.
- bpo-31478: Prevent unwanted behavior in `_random.Random.seed()` in case
the argument has a bad ``__abs__()`` method. Patch by Oren Milman.
- bpo-31490: Fix an assertion failure in `ctypes` class definition, in case
the class has an attribute whose name is specified in ``_anonymous_`` but
not in ``_fields_``. Patch by Oren Milman.
- bpo-31411: Raise a TypeError instead of SystemError in case
warnings.onceregistry is not a dictionary. Patch by Oren Milman.
- bpo-31343: Include sys/sysmacros.h for major(), minor(), and makedev().
GNU C libray plans to remove the functions from sys/types.h.
- bpo-31311: Fix a crash in the ``__setstate__()`` method of
`ctypes._CData`, in case of a bad ``__dict__``. Patch by Oren Milman.
- bpo-31243: Fix a crash in some methods of `io.TextIOWrapper`, when the
decoder's state is invalid. Patch by Oren Milman.
- bpo-31095: Fix potential crash during GC caused by ``tp_dealloc`` which
doesn't call ``PyObject_GC_UnTrack()``.
- bpo-30657: Fixed possible integer overflow in PyString_DecodeEscape. Patch
by Jay Bosamiya.
- bpo-27945: Fixed various segfaults with dict when input collections are
mutated during searching, inserting or comparing. Based on patches by
Duane Griffin and Tim Mitchell.
- bpo-25794: Fixed type.__setattr__() and type.__delattr__() for non-
interned or unicode attribute names. Based on patch by Eryk Sun.
- bpo-29935: Fixed error messages in the index() method of tuple and list
when pass indices of wrong type.
- bpo-28598: Support __rmod__ for subclasses of str being called before
str.__mod__. Patch by Martijn Pieters.
- bpo-29602: Fix incorrect handling of signed zeros in complex constructor
for complex subclasses and for inputs having a __complex__ method. Patch
by Serhiy Storchaka.
- bpo-29347: Fixed possibly dereferencing undefined pointers when creating
weakref objects.
- bpo-14376: Allow sys.exit to accept longs as well as ints. Patch by Gareth
Rees.
- bpo-29028: Fixed possible use-after-free bugs in the subscription of the
buffer object with custom index object.
- bpo-29145: Fix overflow checks in string, bytearray and unicode. Patch by
jan matejek and Xiang Zhang.
- bpo-28932: Do not include <sys/random.h> if it does not exist.
Library
-------
- bpo-33096: Allow ttk.Treeview.insert to insert iid that has a false
boolean value. Note iid=0 and iid=False would be same. Patch by Garvit
Khatri.
- bpo-33127: The ssl module now compiles with LibreSSL 2.7.1.
- bpo-30622: The ssl module now detects missing NPN support in LibreSSL.
- bpo-21060: Rewrite confusing message from setup.py upload from "No dist
file created in earlier command" to the more helpful "Must create and
upload files in one command".
- bpo-30157: Fixed guessing quote and delimiter in csv.Sniffer.sniff() when
only the last field is quoted. Patch by Jake Davis.
- bpo-32647: The ctypes module used to depend on indirect linking for
dlopen. The shared extension is now explicitly linked against libdl on
platforms with dl.
- bpo-32304: distutils' upload command no longer corrupts tar files ending
with a CR byte, and no longer tries to convert CR to CRLF in any of the
upload text fields.
- bpo-31848: Fix the error handling in Aifc_read.initfp() when the SSND
chunk is not found. Patch by Zackery Spytz.
- bpo-32521: The nis module is now compatible with new libnsl and headers
location.
- bpo-32539: Fix ``OSError`` for ``os.listdir`` with deep paths (starting
with ``\\?\``) on windows. Patch by Anthony Sottile.
- bpo-32521: glibc has removed Sun RPC. Use replacement libtirpc headers and
library in nis module.
- bpo-18035: ``telnetlib``: ``select.error`` doesn't have an ``errno``
attribute. Patch by Segev Finer.
- bpo-32185: The SSL module no longer sends IP addresses in SNI TLS
extension on platforms with OpenSSL 1.0.2+ or inet_pton.
- bpo-32186: Creating io.FileIO() and builtin file() objects now release the
GIL when checking the file descriptor. io.FileIO.readall(),
io.FileIO.read(), and file.read() now release the GIL when getting the
file size. Fixed hang of all threads with inaccessible NFS server. Patch
by Nir Soffer.
- bpo-32110: ``codecs.StreamReader.read(n)`` now returns not more than *n*
characters/bytes for non-negative *n*. This makes it compatible with
``read()`` methods of other file-like objects.
- bpo-21149: Silence a `'NoneType' object is not callable` in
`_removeHandlerRef` error that could happen when a logging Handler is
destroyed as part of cyclic garbage collection during process shutdown.
- bpo-31764: Prevent a crash in ``sqlite3.Cursor.close()`` in case the
``Cursor`` object is uninitialized. Patch by Oren Milman.
- bpo-31955: Fix CCompiler.set_executable() of distutils to handle properly
Unicode strings.
- bpo-9678: Fixed determining the MAC address in the uuid module:
* Using ifconfig on NetBSD and OpenBSD.
* Using arp on Linux, FreeBSD, NetBSD and OpenBSD.
Based on patch by Takayuki Shimizukawa.
- bpo-30057: Fix potential missed signal in signal.signal().
- bpo-31927: Fixed reading arbitrary data when parse a AF_BLUETOOTH address
on NetBSD and DragonFly BSD.
- bpo-27666: Fixed stack corruption in curses.box() and curses.ungetmouse()
when the size of types chtype or mmask_t is less than the size of C long.
curses.box() now accepts characters as arguments. Based on patch by Steve
Fink.
- bpo-25720: Fix the method for checking pad state of curses WINDOW. Patch
by Masayuki Yamamoto.
- bpo-31893: Fixed the layout of the kqueue_event structure on OpenBSD and
NetBSD. Fixed the comparison of the kqueue_event objects.
- bpo-31891: Fixed building the curses module on NetBSD.
- bpo-30058: Fixed buffer overflow in select.kqueue.control().
- bpo-31770: Prevent a crash when calling the ``__init__()`` method of a
``sqlite3.Cursor`` object more than once. Patch by Oren Milman.
- bpo-31728: Prevent crashes in `_elementtree` due to unsafe cleanup of
`Element.text` and `Element.tail`. Patch by Oren Milman.
- bpo-31752: Fix possible crash in timedelta constructor called with custom
integers.
- bpo-31681: Fix pkgutil.get_data to avoid leaking open files.
- bpo-31675: Fixed memory leaks in Tkinter's methods splitlist() and split()
when pass a string larger than 2 GiB.
- bpo-30806: Fix the string representation of a netrc object.
- bpo-30347: Stop crashes when concurrently iterate over itertools.groupby()
iterators.
- bpo-25732: `functools.total_ordering()` now implements the `__ne__`
method.
- bpo-31351: python -m ensurepip now exits with non-zero exit code if pip
bootstrapping has failed.
- bpo-31544: The C accelerator module of ElementTree ignored exceptions
raised when looking up TreeBuilder target methods in XMLParser().
- bpo-31455: The C accelerator module of ElementTree ignored exceptions
raised when looking up TreeBuilder target methods in XMLParser().
- bpo-25404: SSLContext.load_dh_params() now supports non-ASCII path.
- bpo-28958: ssl.SSLContext() now uses OpenSSL error information when a
context cannot be instantiated.
- bpo-27448: Work around a `gc.disable()` race condition in the `subprocess`
module that could leave garbage collection disabled when multiple threads
are spawning subprocesses at once. Users are *strongly encouraged* to use
the `subprocess32` module from PyPI on Python 2.7 instead, it is much more
reliable.
- bpo-31170: expat: Update libexpat from 2.2.3 to 2.2.4. Fix copying of
partial characters for UTF-8 input (libexpat bug 115):
https://github.com/libexpat/libexpat/issues/115
- bpo-29136: Add TLS 1.3 cipher suites and OP_NO_TLSv1_3.
- bpo-31334: Fix ``poll.poll([timeout])`` in the ``select`` module for
arbitrary negative timeouts on all OSes where it can only be a non-
negative integer or -1. Patch by Riccardo Coccioli.
- bpo-10746: Fix ctypes producing wrong PEP 3118 type codes for integer
types.
- bpo-30102: The ssl and hashlib modules now call
OPENSSL_add_all_algorithms_noconf() on OpenSSL < 1.1.0. The function
detects CPU features and enables optimizations on some CPU architectures
such as POWER8. Patch is based on research from Gustavo Serra Scalet.
- bpo-30502: Fix handling of long oids in ssl. Based on patch by Christian
Heimes.
- bpo-25684: Change ``ttk.OptionMenu`` radiobuttons to be unique across
instances of ``OptionMenu``.
- bpo-29169: Update zlib to 1.2.11.
- bpo-30746: Prohibited the '=' character in environment variable names in
``os.putenv()`` and ``os.spawn*()``.
- bpo-28994: The traceback no longer displayed for SystemExit raised in a
callback registered by atexit.
- bpo-30418: On Windows, subprocess.Popen.communicate() now also ignore
EINVAL on stdin.write() if the child process is still running but closed
the pipe.
- bpo-30378: Fix the problem that logging.handlers.SysLogHandler cannot
handle IPv6 addresses.
- bpo-29960: Preserve generator state when _random.Random.setstate() raises
an exception. Patch by Bryan Olson.
- bpo-30310: tkFont now supports unicode options (e.g. font family).
- bpo-30414: multiprocessing.Queue._feed background running thread do not
break from main loop on exception.
- bpo-30003: Fix handling escape characters in HZ codec. Based on patch by
Ma Lin.
- bpo-30375: Warnings emitted when compile a regular expression now always
point to the line in the user code. Previously they could point into
inners of the re module if emitted from inside of groups or conditionals.
- bpo-30363: Running Python with the -3 option now warns about regular
expression syntax that is invalid or has different semantic in Python 3 or
will change the behavior in future Python versions.
- bpo-30365: Running Python with the -3 option now emits deprecation
warnings for getchildren() and getiterator() methods of the Element class
in the xml.etree.cElementTree module and when pass the html argument to
xml.etree.ElementTree.XMLParser().
- bpo-30365: Fixed a deprecation warning about the doctype() method of the
xml.etree.ElementTree.XMLParser class. Now it is emitted only when define
the doctype() method in the subclass of XMLParser.
- bpo-30329: imaplib now catchs the Windows socket WSAEINVAL error (code
10022) on shutdown(SHUT_RDWR): An invalid operation was attempted. This
error occurs sometimes on SSL connections.
- bpo-30342: Fix sysconfig.is_python_build() if Python is built with Visual
Studio 2008 (VS 9.0).
- bpo-29990: Fix range checking in GB18030 decoder. Original patch by Ma
Lin.
- bpo-30243: Removed the __init__ methods of _json's scanner and encoder.
Misusing them could cause memory leaks or crashes. Now scanner and
encoder objects are completely initialized in the __new__ methods.
- bpo-26293: Change resulted because of zipfile breakage. (See also:
bpo-29094)
- bpo-30070: Fixed leaks and crashes in errors handling in the parser
module.
- bpo-30061: Fixed crashes in IOBase methods next() and readlines() when
readline() or next() respectively return non-sizeable object. Fixed
possible other errors caused by not checking results of PyObject_Size(),
PySequence_Size(), or PyMapping_Size().
- bpo-30011: Fixed race condition in HTMLParser.unescape().
- bpo-30068: _io._IOBase.readlines will check if it's closed first when hint
is present.
- bpo-27863: Fixed multiple crashes in ElementTree caused by race conditions
and wrong types.
- bpo-29942: Fix a crash in itertools.chain.from_iterable when encountering
long runs of empty iterables.
- bpo-29861: Release references to tasks, their arguments and their results
as soon as they are finished in multiprocessing.Pool.
- bpo-27880: Fixed integer overflow in cPickle when pickle large strings or
too many objects.
- bpo-29110: Fix file object leak in aifc.open() when file is given as a
filesystem path and is not in valid AIFF format. Original patch by Anthony
Zhang.
- bpo-29354: Fixed inspect.getargs() for parameters which are cell
variables.
- bpo-29335: Fix subprocess.Popen.wait() when the child process has exited
to a stopped instead of terminated state (ex: when under ptrace).
- bpo-29219: Fixed infinite recursion in the repr of uninitialized
ctypes.CDLL instances.
- bpo-29082: Fixed loading libraries in ctypes by unicode names on Windows.
Original patch by Chi Hsuan Yen.
- bpo-29188: Support glibc 2.24 on Linux: don't use getentropy() function
but read from /dev/urandom to get random bytes, for example in
os.urandom(). On Linux, getentropy() is implemented which getrandom() is
blocking mode, whereas os.urandom() should not block.
- bpo-29142: In urllib, suffixes in no_proxy environment variable with
leading dots could match related hostnames again (e.g. .b.c matches
a.b.c). Patch by Milan Oberkirch.
- bpo-13051: Fixed recursion errors in large or resized
curses.textpad.Textbox. Based on patch by Tycho Andersen.
- bpo-9770: curses.ascii predicates now work correctly with negative
integers.
- bpo-28427: old keys should not remove new values from WeakValueDictionary
when collecting from another thread.
- bpo-28998: More APIs now support longs as well as ints.
- bpo-28923: Remove editor artifacts from Tix.py, including encoding not
recognized by codecs.lookup.
- bpo-29019: Fix dict.fromkeys(x) overallocates when x is sparce dict.
Original patch by Rasmus Villemoes.
- bpo-19542: Fix bugs in WeakValueDictionary.setdefault() and
WeakValueDictionary.pop() when a GC collection happens in another thread.
- bpo-28925: cPickle now correctly propagates errors when unpickle instances
of old-style classes.
Documentation
-------------
- bpo-27212: Modify documentation for the :func:`islice` recipe to consume
initial values up to the start index.
- bpo-32800: Update link to w3c doc for xml default namespaces.
- bpo-17799: Explain real behaviour of sys.settrace and sys.setprofile and
their C-API counterparts regarding which type of events are received in
each function. Patch by Pablo Galindo Salgado.
- bpo-8243: Add a note about curses.addch and curses.addstr exception
behavior when writing outside a window, or pad.
- bpo-21649: Add RFC 7525 and Mozilla server side TLS links to SSL
documentation.
- bpo-30176: Add missing attribute related constants in curses
documentation.
- bpo-28929: Link the documentation to its source file on GitHub.
- bpo-26355: Add canonical header link on each page to corresponding major
version of the documentation. Patch by Matthias Bussonnier.
- bpo-12067: Rewrite Comparisons section in the Expressions chapter of the
language reference. Some of the details of comparing mixed types were
incorrect or ambiguous. Added default behaviour and consistency
suggestions for user- defined classes. Based on patch from Andy Maier.
Tests
-----
- bpo-31719: Fix test_regrtest.test_crashed() on s390x. Add a new
_testcapi._read_null() function to crash Python in a reliable way on
s390x. On s390x, ctypes.string_at(0) returns an empty string rather than
crashing.
- bpo-31518: Debian Unstable has disabled TLS 1.0 and 1.1 for
SSLv23_METHOD(). Change TLS/SSL protocol of some tests to PROTOCOL_TLS or
PROTOCOL_TLSv1_2 to make them pass on Debian.
- bpo-25674: Remove sha256.tbs-internet.com ssl test
- bpo-11790: Fix sporadic failures in
test_multiprocessing.WithProcessesTestCondition.
- bpo-30236: Backported test.regrtest options -m/--match and -G/--failfast
from Python 3.
- bpo-30223: To unify running tests in Python 2.7 and Python 3, the test
package can be run as a script. This is equivalent to running the
test.regrtest module as a script.
- bpo-30207: To simplify backports from Python 3, the test.test_support
module was converted into a package and renamed to test.support. The
test.script_helper module was moved into the test.support package. Names
test.test_support and test.script_helper are left as aliases to
test.support and test.support.script_helper.
- bpo-30197: Enhanced function swap_attr() in the test.test_support module.
It now works when delete replaced attribute inside the with statement.
The old value of the attribute (or None if it doesn't exist) now will be
assigned to the target of the "as" clause, if there is one. Also
backported function swap_item().
- bpo-28087: Skip test_asyncore and test_eintr poll failures on macOS. Skip
some tests of select.poll when running on macOS due to unresolved issues
with the underlying system poll function on some macOS versions.
- bpo-15083: Convert ElementTree doctests to unittests.
Build
-----
- bpo-33163: Upgrade pip to 9.0.3 and setuptools to v39.0.1.
- bpo-32616: Disable computed gotos by default for clang < 5.0. It caused
significant performance regression.
- bpo-32635: Fix segfault of the crypt module when libxcrypt is provided
instead of libcrypt at the system.
- bpo-31934: Abort the build when building out of a not clean source tree.
- bpo-31474: Fix -Wint-in-bool-context warnings in PyMem_MALLOC and
PyMem_REALLOC macros
- bpo-29243: Prevent unnecessary rebuilding of Python during ``make test``,
``make install`` and some other make targets when configured with
``--enable- optimizations``.
- bpo-23404: Don't regenerate generated files based on file modification
time anymore: the action is now explicit. Replace ``make touch`` with
``make regen-all``.
- bpo-27593: sys.version and the platform module python_build(),
python_branch(), and python_revision() functions now use git information
rather than hg when building from a repo.
- bpo-29643: Fix ``--enable-optimization`` configure option didn't work.
- bpo-29572: Update Windows build and OS X installers to use OpenSSL 1.0.2k.
- bpo-28768: Fix implicit declaration of function _setmode. Patch by
Masayuki Yamamoto
Windows
-------
- bpo-33184: Update Windows build to use OpenSSL 1.0.2o.
- bpo-32903: Fix a memory leak in os.chdir() on Windows if the current
directory is set to a UNC path.
- bpo-30855: Bump Tcl/Tk to 8.5.19.
- bpo-30450: Pull build dependencies from GitHub rather than svn.python.org.
macOS
-----
- bpo-32726: Provide an additional, more modern macOS installer variant that
supports macOS 10.9+ systems in 64-bit mode only. Upgrade the supplied
third-party libraries to OpenSSL 1.0.2n and SQLite 3.22.0. The 10.9+
installer now supplies its own private copy of Tcl/Tk 8.6.8.
- bpo-24414: Default macOS deployment target is now set by ``configure`` to
the build system's OS version (as is done by Python 3), not ``10.4``;
override with, for example, ``./configure MACOSX_DEPLOYMENT_TARGET=10.4``.
- bpo-17128: All 2.7 macOS installer variants now supply their own version
of ``OpenSSL 1.0.2``; the Apple-supplied SSL libraries and root
certificates are not longer used. The ``Installer Certificate`` command
in ``/Applications/Python 2.7`` may be used to download and install a
default set of root certificates from the third-party ``certifi`` package.
- bpo-11485: python.org macOS Pythons no longer supply a default SDK value
(e.g. ``-isysroot /``) or specific compiler version default (e.g.
``gcc-4.2``) when building extension modules. Use ``CC``, ``SDKROOT``,
and ``DEVELOPER_DIR`` environment variables to override compilers or to
use an SDK. See Apple's ``xcrun`` man page for more info.
- bpo-33184: Update macOS installer build to use OpenSSL 1.0.2o.
Tools/Demos
-----------
- bpo-31920: Fixed handling directories as arguments in the ``pygettext``
script. Based on patch by Oleg Krasnikov.
- bpo-30109: Fixed Tools/scripts/reindent.py for non-ASCII files. It now
processes files as binary streams. This also fixes "make reindent".
- bpo-24960: 2to3 and lib2to3 can now read pickled grammar files using
pkgutil.get_data() rather than probing the filesystem. This lets 2to3 and
lib2to3 work when run from a zipfile.
C API
-----
- bpo-20891: Fix PyGILState_Ensure(). When PyGILState_Ensure() is called in
a non-Python thread before PyEval_InitThreads(), only call
PyEval_InitThreads() after calling PyThreadState_New() to fix a crash.
- bpo-31626: When Python is built in debug mode, the memory debug hooks now
fail with a fatal error if realloc() fails to shrink a memory block,
because the debug hook just erased freed bytes without keeping a copy of
them.
Python 2.7.14:
Core and Builtins
- bpo-30657: Fixed possible integer overflow in PyString_DecodeEscape.
- bpo-27945: Fixed various segfaults with dict when input collections are
mutated during searching, inserting or comparing. Based on patches by
Duane Griffin and Tim Mitchell.
- bpo-25794: Fixed type.__setattr__() and type.__delattr__() for
non-interned or unicode attribute names. Based on patch by Eryk Sun.
- bpo-29935: Fixed error messages in the index() method of tuple and list
when pass indices of wrong type.
- bpo-28598: Support __rmod__ for subclasses of str being called before
str.__mod__. Patch by Martijn Pieters.
- bpo-29602: Fix incorrect handling of signed zeros in complex constructor for
complex subclasses and for inputs having a __complex__ method. Patch
by Serhiy Storchaka.
- bpo-29347: Fixed possibly dereferencing undefined pointers
when creating weakref objects.
- Issue 14376: Allow sys.exit to accept longs as well as ints. Patch
by Gareth Rees.
- Issue 29028: Fixed possible use-after-free bugs in the subscription of the
buffer object with custom index object.
- Issue 29145: Fix overflow checks in string, bytearray and unicode.
Patch by jan matejek and Xiang Zhang.
- Issue 28932: Do not include <sys/random.h> if it does not exist.
Extension Modules
- bpo-31170: Update vendorized expat to 2.2.4.
- Issue 29169: Update zlib to 1.2.11.
WINDOW structure.
Include <term.h> when needed and rename lines and columns vars to avoid
conflicts.
Builds and works with NetBSD-8 curses, so use mk/curses.buildlink3.mk
and test for getsyx(3) in curses rather than indescriminately linking
to ncurses.
Core and Builtins
-----------------
- Issue 28847: dumbdbm no longer writes the index file in when it is not
changed and supports reading read-only files.
- Issue 11145: Fixed miscellaneous issues with C-style formatting of types
with custom __oct__ and __hex__.
- Issue 24469: Fixed memory leak caused by int subclasses without overridden
tp_free (e.g. C-inherited Cython classes).
- Issue 19398: Extra slash no longer added to sys.path components in case of
empty compile-time PYTHONPATH components.
- Issue 21720: Improve exception message when the type of fromlist is unicode.
fromlist parameter of __import__() only accepts str in Python 2 and this
will help to identify the problem especially when the unicode_literals
future import is used.
- Issue 26906: Resolving special methods of uninitialized type now causes
implicit initialization of the type instead of a fail.
- Issue 18287: PyType_Ready() now checks that tp_name is not NULL.
Original patch by Niklas Koep.
- Issue 24098: Fixed possible crash when AST is changed in process of
compiling it.
- Issue 28350: String constants with null character no longer interned.
- Issue 27942: String constants now interned recursively in tuples and frozensets.
- Issue 15578: Correctly incref the parent module while importing.
- Issue 26307: The profile-opt build now applies PGO to the built-in modules.
- Issue 26020: set literal evaluation order did not match documented behaviour.
- Issue 27870: A left shift of zero by a large integer no longer attempts
to allocate large amounts of memory.
- Issue 25604: Fix a minor bug in integer true division; this bug could
potentially have caused off-by-one-ulp results on platforms with
unreliable ldexp implementations.
- Issue 27473: Fixed possible integer overflow in str, unicode and bytearray
concatenations and repetitions. Based on patch by Xiang Zhang.
- Issue 27507: Add integer overflow check in bytearray.extend(). Patch by
Xiang Zhang.
- Issue 27581: Don't rely on wrapping for overflow check in
PySequence_Tuple(). Patch by Xiang Zhang.
- Issue 23908: os functions, open() and the io.FileIO constructor now reject
unicode paths with embedded null character on Windows instead of silently
truncating them.
- Issue 27514: Make having too many statically nested blocks a SyntaxError
instead of SystemError.
