(contains already fixed issues, #11662 patch-b{a,b}, #8674,#7673 patch-bc)
What's New in Python 2.5.6?
===========================
*Release date: 26-May-2011*
What's New in Python 2.5.6c1?
=============================
*Release date: 17-Apr-2011*
Library
-------
- Issue #11442: Add a charset parameter to the Content-type in SimpleHTTPServer
to avoid XSS attacks.
- Issue #11662: Make urllib and urllib2 ignore redirections if the
scheme is not HTTP, HTTPS or FTP (CVE-2011-1521).
- Issue #8674: Fixed a number of incorrect or undefined-behaviour-inducing
overflow checks in the audioop module (CVE-2010-1634).
- Issue #7673: Fix security vulnerability (CVE-2010-2089) in the audioop
module, ensure that the input string length is a multiple of the frame size.
definitions which do things behind the client pkgs back, in particular
manipulate the library search path
It is well possible that this causes some fallout, but I hope it
will be small and can be dealt with on a per-pkg basis.
(partly) suggested by Mark Davies on tech-pkg
-stricter redirect handling in urllib, to prevent redirects to eg
"file://" URLs (CVE-2011-1521)
-stricter argument checks in the audioop module (CVE-2010-2089)
(ok to update during freeze by wiz@)
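The redirect restriction described in the two CVE-2011-1521 entries above (the NEWS item and the update note), shown as an added example that is not code from Python or pkgsrc. `checked_redirect`, `follow` and the redirect table are hypothetical names and constructed data, and the code uses Python 3's `urllib.parse` rather than the 2.5 modules.

```python
from urllib.parse import urljoin, urlsplit

# Schemes the changelog entry names as acceptable redirect targets.
ALLOWED_REDIRECT_SCHEMES = frozenset({"http", "https", "ftp"})


def checked_redirect(current_url, location):
    """Resolve a Location header value against the current URL.

    Returns the absolute target, or None when the redirect must be
    ignored because its scheme is not in the allowlist.
    """
    # Resolve first: relative and scheme-relative values inherit the
    # scheme of the page that issued the redirect.
    target = urljoin(current_url, location.strip())
    if urlsplit(target).scheme.lower() not in ALLOWED_REDIRECT_SCHEMES:
        return None
    return target


def follow(start_url, redirects, max_hops=5):
    """Walk a redirect table (a constructed stand-in for real responses).

    Returns (final_url, ignored_location); ignored_location is the raw
    Location value that was refused, or None if the chain ended normally.
    """
    url = start_url
    for _ in range(max_hops):
        location = redirects.get(url)
        if location is None:
            return url, None
        target = checked_redirect(url, location)
        if target is None:
            return url, location  # stop here and report what was refused
        url = target
    raise RuntimeError("too many redirects")


# Constructed sample: the second hop tries to leave the network schemes.
SAMPLE_REDIRECTS = {
    "http://example.test/start": "/moved",
    "http://example.test/moved": "file:///etc/passwd",
}

if __name__ == "__main__":
    print(follow("http://example.test/start", SAMPLE_REDIRECTS))
```
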
Extension Modules
-----------------
- expat: Fix DoS via XML document with malformed UTF-8 sequences
(CVE-2009-3560).
- expat: Fix DoS via malformed XML (CVE-2009-3720).
Core and builtins
-----------------
- Issue #6990: Fix threading.local subclasses leaving old state around
after a reference cycle GC which could be recycled by new locals.
Library
-------
- Issue #7403: logging: Fixed possible race condition in lock creation.
- Issue #5068: Fixed the tarfile._BZ2Proxy.read() method that would loop
forever on incomplete input. That caused tarfile.open() to hang when used
with mode 'r' or 'r:bz2' and a fileobj argument that contained no data or
partial bzip2 compressed data.
* not "_sqlite", but "_sqlite3"
* "bsddb" does not exist, probably removed/renamed before Python24
* "cjkcodes" does not exist (and should not be disabled)
* missing "," after it
* "mpz" was removed in Python24.
earlier, but they became no-ops due to my change to db4/bl3 and thus
didn't do harm. Now that part of that change was backed out they became
harmful again and thus need to go.
changes. The "dbm" module could fail to build correctly, erroring out with:
*** WARNING: renaming "dbm" since importing it failed: build/lib.linux-i686-2.5/dbm.so: undefined symbol: dbm_firstkey
In this case, the "dbm" module has accidentally linked with "databases/gdbm",
which happens to be installed, but was never buildlinked in. It may be
relevant that /usr/include/gdbm/ndbm.h is installed on this system.
Remove the "gdbm" test from the "dbm" module configuration, leaving the "ndbm"
support, and the fall-back "bdb" support (which will likely fall back to db4).
Bump PKGREVISION - the package would still install, but with missing
functionality.
on Linux one can't build some extensions against an old Python (with
spurious -ldb4 linkage) anymore
also sync the bl3 files of the non-default versions with python25
for consistency
the exported libraries
(according to the CVS log, this was only to work around spurious db4
dependencies which are hopefully fixed by my last change to db4/bl3)
What's New in Python 2.5.4?
===========================
*Release date: 23-Dec-2008*
Core and builtins
-----------------
- Revert patch for #1706039, as it can crash the interpreter.
- Added test case to ensure attempts to read from a file opened for writing
fail.
What's New in Python 2.5.3?
===========================
*Release date: 19-Dec-2008*
Build
-----
- In the OSX installer, update SQLite to 3.6.7, and change bsddb URL.
Build against system Tcl framework.
What's New in Python 2.5.3c1?
=============================
*Release date: 13-Dec-2008*
Core and builtins
-----------------
- Issue #1706039: Support continued reading from a file even after
EOF was hit.
- Issue #1683: prevent forking from interfering in threading storage.
- Issue #4597: Fixed several opcodes that weren't always propagating
exceptions.
- Issue #4589: Propagated an exception thrown by a context manager's
__exit__ method's result while it's being converted to bool.
- Issue #4317: Fixed a crash in the imageop.rgb2rgb8() function.
- Issue #4230: If ``__getattr__`` is a descriptor, it now functions correctly.
- Issue #4048: The parser module now correctly validates relative imports.
- Issue #4176: Fixed a crash when pickling an object whose ``__reduce__``
method does not return iterators for the 4th and 5th items.
- Issue #3967: Fixed a crash in the count() and find() methods of string-like
objects, when the "start" parameter is a huge value.
- Issue #3936: The parser warnings for using "as" and "with" as variable names
didn't fire after import statements.
- Issue #3751: str.rpartition would perform a left-partition when called with
a unicode argument.
- Issue #3537: Fix an assertion failure when an empty but presized dict
object was stored in the freelist.
- Apply security patches from Apple.
- Issue #2620: Overflow checking when allocating or reallocating memory
was not always being done properly in some python types and extension
modules. PyMem_MALLOC, PyMem_REALLOC, PyMem_NEW and PyMem_RESIZE have
all been updated to perform better checks and places in the code that
would previously leak memory on the error path when such an allocation
failed have been fixed.
- Issue #2242: Fix a crash when decoding invalid utf-7 input on certain
Windows / Visual Studio versions.
- Issue #3360: Fix incorrect parsing of '020000000000.0', which
produced a ValueError instead of giving the correct float.
- Issue #3242: Fix a crash inside the print statement, if sys.stdout is
set to a custom object whose write() method happens to install
another file in sys.stdout.
- Issue #3088: Corrected a race condition in classes derived from
threading.local: the first member set by a thread could be saved in
another thread's dictionary.
- Issue #3100: Corrected a crash on deallocation of a subclassed weakref which
holds the last (strong) reference to its referent.
- Issue #1686386: Tuple's tp_repr did not take into account the possibility of
having a self-referential tuple, which is possible from C code. Nor did
object's tp_str consider that a type's tp_str could do something that could
lead to an infinite recursion. Py_ReprEnter() and Py_EnterRecursiveCall(),
respectively, fixed the issues. (Backport of r58288 from trunk.)
- Patch #1442: properly report exceptions when the PYTHONSTARTUP file
cannot be executed.
- The compilation of a class nested in another class used to leak one
reference on the outer class name.
- Issue #1477: With narrow Unicode builds, the unicode escape sequence
\Uxxxxxxxx did not accept values outside the Basic Multilingual Plane. This
affected raw unicode literals and the 'raw-unicode-escape' codec. Now
UTF-16 surrogates are generated in this case, like normal unicode literals
and the 'unicode-escape' codec.
- Issue #2321: use pymalloc for unicode object string data to reduce
memory usage in some circumstances.
- Issue #2238: Some syntax errors in *args and **kwargs expressions could give
bogus error messages.
- Issue #2587: In the C API, PyString_FromStringAndSize() takes a signed size
parameter but was not verifying that it was greater than zero. Values
less than zero will now raise a SystemError and return NULL to indicate a
bug in the calling C code.
- Issue #2588, #2589: Fix potential integer underflow and overflow
conditions in the PyOS_vsnprintf C API function.
- Issue #1204: The configure script now tests for additional libraries
that may be required when linking against readline. This fixes issues
with x86_64 builds on some platforms (a few Linux flavors and OpenBSD).
- Issue #3678: Correctly pass LDFLAGS and LDLAST to the linker on shared
library targets in the Makefile.
Library
-------
- Issue #3767: Convert Tk object to string in tkColorChooser.
- Issue #4342: Always convert Text.index result to string.
- Issue 3248: Allow placing ScrolledText in a PanedWindow.
- Issue #4084: Fix max, min, max_mag and min_mag Decimal methods to
give correct results in the case where one argument is a quiet NaN
and the other is a finite number that requires rounding.
- Issue #1776581 and #4302. Minor corrections to smtplib.
- Issue #3774: Fixed an error when creating a Tkinter menu item without command
and then removing it.
- Assigning methods to ctypes.Structure and ctypes.Union subclasses
after creation of the class does now work correctly. See Issue #1700288.
- Issue #3895: _lsprof could be crashed with an external timer that did not
return a float when a Profiler object is garbage collected.
- Issues #3968 and #3969: two minor turtle problems.
- Issue #3547: Fixed ctypes structures bitfields of varying integer
sizes.
- Issue #3762: platform.architecture() fails if python is launched via
its symbolic link.
- Issue #3554: ctypes.string_at and ctypes.wstring_at did call Python
api functions without holding the GIL, which could lead to a fatal
error when they failed.
- Issue #2234: distutils failed for some versions of the cygwin compiler. The
version reported by these tools does not necessarily follow the python
version numbering scheme, so the module is less strict when parsing it.
- Issue #2222: Fixed reference leak that occurred when os.rename()
fails unicode conversion on 2nd parameter. (windows only)
- Issue #3134: shutil referenced undefined WindowsError symbol.
- Issue #1342811: Fix leak in Tkinter.Menu.delete. Commands associated to
menu entries were not deleted.
- Issue #799428: Fix Tkinter.Misc._nametowidget to unwrap Tcl command objects.
- Issue #3339: dummy_thread.acquire() could return None which is not a valid
return value.
- Issue #3116 and #1792: Fix quadratic behavior in marshal.dumps().
- Issue #2682: ctypes callback functions no longer contain a cyclic
reference to themselves.
- Issue #2670: Fix a failure in urllib2.build_opener(), when passed two
handlers that derive the same default base class.
- Issue #2495: tokenize.untokenize now inserts a space between two consecutive
string literals; previously, ["" ""] was rendered as [""""], which is
incorrect python code.
- Issue #2482: Make sure that the coefficient of a Decimal is always
stored as a str instance, not as a unicode instance. This ensures
that str(Decimal) is always an instance of str. This fixes a
regression from Python 2.5.1 to Python 2.5.2.
- Issue #2478: fix failure of decimal.Decimal(0).sqrt()
- Issue #2432: give DictReader the dialect and line_num attributes
advertised in the docs.
- Issue #1747858: Fix chown to work with large uid's and gid's on 64-bit
platforms.
- Bug #2220: handle rlcompleter attribute match failure more gracefully.
- Bug #1725737: In distutil's sdist, exclude RCS, CVS etc. also in the
root directory, and also exclude .hg, .git, .bzr, and _darcs.
- Bug #1389051: imaplib causes excessive memory fragmentation when reading
large messages.
- Bug #1389051, 1092502: fix excessively large memory allocations when
calling .read() on a socket object wrapped with makefile().
- Bug #1433694: minidom's .normalize() failed to set .nextSibling for
last child element.
- Issue #2791: subprocess.Popen.communicate explicitly closes its
stdout and stderr fds rather than leaving them open until the
instance is destroyed.
- Issue #2632: Prevent socket.read(bignumber) from over allocating memory
in the common case when the data is returned from the underlying socket
in increments much smaller than bignumber.
- Issue #1857: subprocess.Popen.poll gained an additional _deadstate keyword
argument in python 2.5, this broke code that subclassed Popen to include its
own poll method. Fixed by moving _deadstate to an _internal_poll method.
- Issue #2113: Fix error in subprocess.Popen if the select system call is
interrupted by a signal.
- Issue #874900: after an os.fork() call the threading module state is cleaned
up in the child process to prevent deadlock and report proper thread counts
if the new process uses the threading module.
- Issue #3309: Fix bz2.BZFile iterator to release its internal lock
properly when raising an exception due to the bz2file being closed.
Prevents a deadlock.
Extension Modules
-----------------
- Issue #1040026: Fix os.times result on systems where HZ is incorrect.
- Issue #4228: Pack negative values the same way as 2.4 in struct's L format.
- Security Issue #2: imageop did not validate arguments correctly and could
segfault as a result.
- Issue 3886: [CVE-2008-2316] Possible integer overflow in the _hashopenssl
module was closed.
- Issue 1179: [CVE-2007-4965] Integer overflow in imageop module.
Also fixes rgbimg module.
- Issue #3205: When iterating over a BZ2File fails allocating memory, raise
a MemoryError rather than silently stop the iteration.
- Patch #2111: Avoid mmap segfault when modifying a PROT_READ block.
- zlib.decompressobj().flush(value) no longer crashes the interpreter when
passed a value less than or equal to zero.
- issue2858: Fix potential memory corruption when bsddb.db.DBEnv.lock_get
and other bsddb.db object constructors raised an exception.
- Issue #3120: On 64-bit Windows the subprocess module was truncating handles.
- Issue #1471: Arguments to fcntl.ioctl are no longer broken on 64-bit OpenBSD
and similar platforms due to sign extension.
- Issue #3312: Fix two crashes in sqlite3.
Tests
-----
- Issue #3863: Disabled a unit test of fork being called from a thread
when running on platforms known to exhibit OS bugs when attempting that.
- Issue #3261: test_cookielib had an improper file encoding specified.
- Patch #2232: os.tmpfile might fail on Windows if the user has no
permission to create files in the root directory.
Documentation
-------------
Build
-----
- Issue #4368: Don't define _XOPEN_SOURCE on FreeBSD 4.*.
This changes the buildlink3.mk files to use an include guard for the
recursive include. The use of BUILDLINK_DEPTH, BUILDLINK_DEPENDS,
BUILDLINK_PACKAGES and BUILDLINK_ORDER is handled by a single new
variable BUILDLINK_TREE. Each buildlink3.mk file adds a pair of
enter/exit markers, which can be used to reconstruct the tree and
to determine first level includes. Avoiding := for large variables
(BUILDLINK_ORDER) speeds up parse time as += has linear complexity.
The include guard reduces system time by avoiding reading files over and
over again. For complex packages this reduces both %user and %sys time to
half of the former time.
$PYTHON -c "from distutils import sysconfig; print sysconfig.get_config_var('SHLIBS');"
... where bdb.buildlink.mk has been used and it satisfied the requirement from
Pkgsrc (E.g. via databases/db4) would fail to build because the required -ldb4
library was not itself buildlinked.
To rectify this, pull in bdb.buildlink.mk in python??/buildlink3.mk under the
same conditions as it is pulled in in the package's own makefile.
No revision bump required, this almost certainly only affects packages and
environments that simply wouldn't build at all prior to the fix.
Fixes the build of py-ORBit on Linux (Python 2.4 or 2.5), and PR39377.
paths to PLIST.*. ;)
While here, patch sunaudiodev.c to use AUDIO_GETBUFINFO (when available)
and BSD AUDIO_FLUSH on NetBSD and OpenBSD. This could be
#ifdef AUDIO_FLUSH, but for now I am only certain about these two
platforms.
Bump PKGREVISION.
It probably needs plenty more polishing, especially on !NetBSD.
Python 2.4 will remain the default for some time.
For the new features in Python 2.5, look here:
* http://docs.python.org/whatsnew/whatsnew25.html