Python 3.7.14
Security
gh-95778: Converting between int and str in bases other than 2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now raises a ValueError if the number of digits in string form is above a limit to avoid potential denial of service attacks due to the algorithmic complexity. This is a mitigation for CVE-2020-10735.
This new limit can be configured or disabled by environment variable, command line flag, or sys APIs. See the integer string conversion length limitation documentation. The default limit is 4300 digits in string form.
Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with feedback from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and Mark Dickinson.
gh-87389: http.server: Fix an open redirection vulnerability in the HTTP server when an URI path starts with //. Vulnerability discovered, and initial fix proposed, by Hamza Avvan.
Core and Builtins
gh-93065: Fix contextvars HAMT implementation to handle iteration over deep trees.
The bug was discovered and fixed by Eli Libman. See MagicStack/immutables#84 for more details.
Library
bpo-36073: Raise ProgrammingError instead of segfaulting on recursive usage of cursors in sqlite3 converters. Patch by Sergey Fedoseev.
Documentation
gh-91888: Add a new gh role to the documentation to link to GitHub issues.
bpo-47138: Pin Jinja to a version compatible with Sphinx version 2.3.1.
Tests
gh-94208: test_ssl is now checking for supported TLS version and protocols in more tests.
bpo-47016: Create a GitHub Actions workflow for verifying bundled pip and setuptools. Patch by Illia Volochii and Adam Turner.
bpo-41306: Fixed a failure in test_tk.test_widgets.ScaleTest happening when executing the test with Tk 8.6.10.
Windows
bpo-47194: Update zlib to v1.2.12 to resolve CVE-2018-25032.
Python 3.7.13 final
Library
bpo-46985: Upgrade pip wheel bundled with ensurepip (pip 22.0.4)
bpo-46932: Update bundled libexpat to 2.4.7
bpo-46811: Make test suite support Expat >=2.4.5
bpo-46784: Fix libexpat symbols collisions with user dynamically loaded or statically linked libexpat in embedded Python.
bpo-46756: Fix a bug in urllib.request.HTTPPasswordMgr.find_user_password() and urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which allowed to bypass authorization. For example, access to URI example.org/foobar was allowed if the user was authorized for URI example.org/foo.
Build
bpo-47024: Update Windows builds and macOS installer build to use OpenSSL 1.1.1n.
bpo-45405: Prevent internal configure error when running configure with recent versions of clang. Patch by David Bohman.
Windows
bpo-44549: Update bzip2 to 1.0.8 in Windows builds to mitigate CVE-2016-3189 and CVE-2019-12900
bpo-46948: Prevent CVE-2022-26488 by ensuring the Add to PATH option in the Windows installer uses the correct path when being repaired.
Python 3.7.12 final
Security
bpo-44394: Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to get the fix for the CVE-2013-0340 “Billion Laughs” vulnerability. This copy is most used on Windows and macOS.
bpo-43124: Made the internal putcmd function in smtplib sanitize input for presence of \r and \n characters to avoid (unlikely) command injection.
Library
bpo-45001: Made email date parsing more robust against malformed input, namely a whitespace-only Date: header. Patch by Wouter Bolsterlee.
Python 3.7.11 final
Security
bpo-44022: mod:http.client now avoids infinitely reading potential HTTP headers after a 100 Continue status response from the server.
bpo-43882: The presence of newline or tab characters in parts of a URL could allow some forms of attacks.
Following the controlling specification for URLs defined by WHATWG urllib.parse() now removes ASCII newlines and tabs from URLs, preventing such attacks.
bpo-42988: CVE-2021-3426: Remove the getfile feature of the pydoc module which could be abused to read arbitrary files on the disk (directory traversal vulnerability). Moreover, even source code of Python modules can contain sensitive data like passwords. Vulnerability reported by David Schwörer.
bpo-43285: ftplib no longer trusts the IP address value returned from the server in response to the PASV command by default. This prevents a malicious FTP server from using the response to probe IPv4 address and port combinations on the client network.
Code that requires the former vulnerable behavior may set a trust_server_pasv_ipv4_address attribute on their ftplib.FTP instances to True to re-enable it.
bpo-43075: Fix Regular Expression Denial of Service (ReDoS) vulnerability in urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.
Core and Builtins
bpo-43660: Fix crash that happens when replacing sys.stderr with a callable that can remove the object while an exception is being printed. Patch by Pablo Galindo.
Tests
bpo-41561: Add workaround for Ubuntu’s custom OpenSSL security level policy.
Python 3.7.10
Security
bpo-42967: Fix web cache poisoning vulnerability by defaulting the query args separator to &, and allowing the user to choose a custom separator.
bpo-42938: Avoid static buffers when computing the repr of ctypes.c_double and ctypes.c_longdouble values.
bpo-42103: Prevented potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format.
bpo-42051: The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities. This should not affect users as entity declarations are not used in regular plist files.
bpo-40791: Add volatile to the accumulator variable in hmac.compare_digest, making constant-time-defeating optimizations less likely.
Library
bpo-42103: InvalidFileException and RecursionError are now the only errors caused by loading malformed binary Plist file (previously ValueError and TypeError could be raised in some specific cases).
bpo-41976: Fixed a bug that was causing ctypes.util.find_library() to return None when triying to locate a library in an environment when gcc>=9 is available and ldconfig is not. Patch by Pablo Galindo
Documentation
bpo-17140: Add documentation for the multiprocessing.pool.ThreadPool class.
Tests
bpo-42794: Update test_nntplib to use offical group name of news.aioe.org for testing. Patch by Dong-hee Na.
bpo-41944: Tests for CJK codecs no longer call eval() on content received via HTTP.
Python 3.7.9 final
Security
bpo-41304: Fixes python3x._pth being ignored on Windows, caused by the fix for bpo-29778 (CVE-2020-15801).
bpo-29778: Ensure python3.dll is loaded from correct locations when Python is embedded (CVE-2020-15523).
bpo-41004: CVE-2020-14422: The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface incorrectly generated constant hash values of 32 and 128 respectively. This resulted in always causing hash collisions. The fix uses hash() to generate hash values for the tuple of (address, mask length, network address).
bpo-39603: Prevent http header injection by rejecting control characters in http.client.putrequest(…).
Core and Builtins
bpo-33786: Fix asynchronous generators to handle GeneratorExit in athrow() correctly
Library
bpo-41288: Unpickling invalid NEWOBJ_EX opcode with the C implementation raises now UnpicklingError instead of crashing.
bpo-39017: Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907).
bpo-41235: Fix the error handling in ssl.SSLContext.load_dh_params().
macOS
bpo-41100: Additional fixes for testing on macOS 11 Big Sur Intel. Note: macOS 11 is not yet released, this release of Python is not fully supported on 11.0, and not all tests pass.
Python 3.7.8 final
Tests
bpo-41009: Fix use of support.require_{linux|mac|freebsd}_version() decorators as class decorator.
macOS
bpo-41100: Fix configure error when building on macOS 11. Note that 3.7.8 was released shortly after the first developer preview of macOS 11 (Big Sur); there are other known issues with building and running on the developer preview. Big Sur is expected to be fully supported in a future bugfix release of Python 3.8.x and with 3.9.0.
Python 3.7.8 release candidate 1
Security
bpo-39073: Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks.
bpo-38576: Disallow control characters in hostnames in http.client, addressing CVE-2019-18348. Such potentially malicious header injection URLs now cause a InvalidURL to be raised.
bpo-39503: CVE-2020-8492: The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression which can be exploited by an attacker to cause a denial of service. Fix the regex to prevent the catastrophic backtracking. Vulnerability reported by Ben Caller and Matt Schwager.
Core and Builtins
bpo-40663: Correctly generate annotations where parentheses are omitted but required (e.g: Type[(str, int, *other))].
bpo-40417: Fix imp module deprecation warning when PyImport_ReloadModule is called. Patch by Robert Rouhani.
bpo-20526: Fix PyThreadState_Clear(). PyThreadState.frame is a borrowed reference, not a strong reference: PyThreadState_Clear() must not call Py_CLEAR(tstate->frame).
bpo-38894: Fix a bug that was causing incomplete results when calling pathlib.Path.glob in the presence of symlinks that point to files where the user does not have read access. Patch by Pablo Galindo and Matt Wozniski.
bpo-39871: Fix a possible SystemError in math.{atan2,copysign,remainder}() when the first argument cannot be converted to a float. Patch by Zachary Spytz.
bpo-39520: Fix unparsing of ext slices with no items (foo[:,]). Patch by Batuhan Taskaya.
bpo-24048: Save the live exception during import.c’s remove_module().
bpo-22490: Don’t leak environment variable __PYVENV_LAUNCHER__ into the interpreter session on macOS.
Library
bpo-40448: ensurepip now disables the use of pip cache when installing the bundled versions of pip and setuptools. Patch by Krzysztof Konopko.
bpo-40807: Stop codeop._maybe_compile, used by code.InteractiveInterpreter (and IDLE). from from emitting each warning three times.
bpo-38488: Update ensurepip to install pip 20.1.1 and setuptools 47.1.0.
bpo-40767: webbrowser now properly finds the default browser in pure Wayland systems by checking the WAYLAND_DISPLAY environment variable. Patch contributed by Jérémy Attali.
bpo-30008: Fix ssl code to be compatible with OpenSSL 1.1.x builds that use no-deprecated and --api=1.1.0.
bpo-25872: linecache could crash with a KeyError when accessed from multiple threads. Fix by Michael Graczyk.
bpo-40515: The ssl and hashlib modules now actively check that OpenSSL is build with thread support. Python 3.7.0 made thread support mandatory and no longer works safely with a no-thread builds.
bpo-13097: ctypes now raises an ArgumentError when a callback is invoked with more than 1024 arguments.
bpo-40559: Fix possible memory leak in the C implementation of asyncio.Task.
bpo-40457: The ssl module now support OpenSSL builds without TLS 1.0 and 1.1 methods.
bpo-40459: platform.win32_ver() now produces correct ptype strings instead of empty strings.
bpo-40138: Fix the Windows implementation of os.waitpid() for exit code larger than INT_MAX >> 8. The exit status is now interpreted as an unsigned number.
bpo-39942: Set “__main__” as the default module name when “__name__” is missing in typing.TypeVar. Patch by Weipeng Hong.
bpo-40287: Fixed SpooledTemporaryFile.seek() to return the position.
bpo-40196: Fix a bug in the symtable module that was causing incorrectly report global variables as local. Patch by Pablo Galindo.
bpo-40126: Fixed reverting multiple patches in unittest.mock. Patcher’s __exit__() is now never called if its __enter__() is failed. Returning true from __exit__() silences now the exception.
bpo-40089: Fix threading._after_fork(): if fork was not called by a thread spawned by threading.Thread, threading._after_fork() now creates a _MainThread instance for _main_thread, instead of a _DummyThread instance.
bpo-39503: AbstractBasicAuthHandler of urllib.request now parses all WWW-Authenticate HTTP headers and accepts multiple challenges per header: use the realm of the first Basic challenge.
bpo-40014: Fix os.getgrouplist(): if getgrouplist() function fails because the group list is too small, retry with a larger group list. On failure, the glibc implementation of getgrouplist() sets ngroups to the total number of groups. For other implementations, double the group list size.
bpo-40025: Raise TypeError when _generate_next_value_ is defined after members. Patch by Ethan Onstott.
bpo-40016: In re docstring, clarify the relationship between inline and argument compile flags.
bpo-39652: The column name found in sqlite3.Cursor.description is now truncated on the first ‘[‘ only if the PARSE_COLNAMES option is set.
bpo-38662: The ensurepip module now invokes pip via the runpy module. Hence it is no longer tightly coupled with the internal API of the bundled pip version, allowing easier updates to a newer pip version both internally and for distributors.
bpo-39916: More reliable use of os.scandir() in Path.glob(). It no longer emits a ResourceWarning when interrupted.
bpo-39850: multiprocessing now supports abstract socket addresses (if abstract sockets are supported in the running platform). Patch by Pablo Galindo.
bpo-39828: Fix json.tool to catch BrokenPipeError. Patch by Dong-hee Na.
bpo-39040: Fix parsing of invalid mime headers parameters by collapsing whitespace between encoded words in a bare-quote-string.
bpo-35714: struct.error is now raised if there is a null character in a struct format string.
bpo-36541: lib2to3 now recognizes named assignment expressions (the walrus operator, :=)
bpo-29620: assertWarns() no longer raises a RuntimeException when accessing a module’s __warningregistry__ causes importation of a new module, or when a new module is imported in another thread. Patch by Kernc.
bpo-34226: Fix cgi.parse_multipart without content_length. Patch by Roger Duran
bpo-31758: Prevent crashes when using an uninitialized _elementtree.XMLParser object. Patch by Oren Milman.
Documentation
bpo-40561: Provide docstrings for webbrowser open functions.
bpo-27635: The pickle documentation incorrectly claimed that __new__ isn’t called by default when unpickling.
bpo-39879: Updated Data model docs to include dict() insertion order preservation. Patch by Furkan Onder and Samy Lahfa.
bpo-39677: Changed operand name of MAKE_FUNCTION from argc to flags for module dis
bpo-39435: Fix an incorrect signature for pickle.loads() in the docs
bpo-38387: Document PyDoc_STRVAR macro in the C-API reference.
Tests
bpo-40964: Disable remote imaplib tests, host cyrus.andrew.cmu.edu is blocking incoming connections.
bpo-40055: distutils.tests now saves/restores warnings filters to leave them unchanged. Importing tests imports docutils which imports pkg_resources which adds a warnings filter.
bpo-40436: test_gdb and test.pythoninfo now check gdb command exit code.
bpo-39932: Fix multiprocessing test_heap(): a new Heap object is now created for each test run.
bpo-40162: Update Travis CI configuration to OpenSSL 1.1.1f.
bpo-40146: Update OpenSSL to 1.1.1f in Azure Pipelines.
bpo-40019: test_gdb now skips tests if it detects that gdb failed to read debug information because the Python binary is optimized.
bpo-27807: test_site.test_startup_imports() is now skipped if a path of sys.path contains a .pth file.
bpo-39793: Use the same domain when testing make_msgid. Patch by Batuhan Taskaya.
bpo-1812: Fix newline handling in doctest.testfile when loading from a package whose loader has a get_data method. Patch by Peter Donis.
bpo-37957: test.regrtest now can receive a list of test patterns to ignore (using the -i/–ignore argument) or a file with a list of patterns to ignore (using the –ignore-file argument). Patch by Pablo Galindo.
bpo-38502: test.regrtest now uses process groups in the multiprocessing mode (-jN command line option) if process groups are available: if os.setsid() and os.killpg() functions are available.
bpo-37421: multiprocessing tests now stop the ForkServer instance if it’s running: close the “alive” file descriptor to ask the server to stop and then remove its UNIX address.
bpo-37421: multiprocessing tests now explicitly call _run_finalizers() to immediately remove temporary directories created by tests.
Build
bpo-40653: Move _dirnameW out of HAVE_SYMLINK to fix a potential compiling issue.
bpo-38360: Support single-argument form of macOS -isysroot flag.
bpo-40204: Pin Sphinx version to 2.3.1 in Doc/Makefile.
bpo-40158: Fix CPython MSBuild Properties in NuGet Package (build/native/python.props)
Windows
bpo-40164: Updates Windows OpenSSL to 1.1.1g
bpo-39631: Changes the registered MIME type for .py files on Windows to text/x-python instead of text/plain.
bpo-40650: Include winsock2.h in pytime.c for timeval.
bpo-39930: Ensures the required vcruntime140.dll is included in install packages.
bpo-39847: Avoid hang when computer is hibernated whilst waiting for a mutex (for lock-related objects from threading) around 49-day uptime.
bpo-38492: Remove pythonw.exe dependency on the Microsoft C++ runtime.
macOS
bpo-39580: Avoid opening Finder window if running installer from the command line.
bpo-40400: Update the macOS installer build scripts to build with Python 3.x and to build correctly on newer macOS systems with SIP.
bpo-40741: Update macOS installer to use SQLite 3.32.2.
bpo-38329: python.org macOS installers now update the Current version symlink of /Library/Frameworks/Python.framework/Versions for 3.9 installs. Previously, Current was only updated for Python 2.x installs. This should make it easier to embed Python 3 into other macOS applications.
bpo-40164: Update macOS installer builds to use OpenSSL 1.1.1g.
IDLE
bpo-39885: Make context menu Cut and Copy work again when right-clicking within a selection.
bpo-40723: Make test_idle pass when run after import.
bpo-27115: For ‘Go to Line’, use a Query box subclass with IDLE standard behavior and improved error checking.
bpo-39885: Since clicking to get an IDLE context menu moves the cursor, any text selection should be and now is cleared.
bpo-39852: Edit “Go to line” now clears any selection, preventing accidental deletion. It also updates Ln and Col on the status bar.
bpo-38439: Add a 256×256 pixel IDLE icon to support more modern environments. Created by Andrew Clover. Delete the unused macOS idle.icns icon file.
bpo-38689: IDLE will no longer freeze when inspect.signature fails when fetching a calltip.
Tools/Demos
bpo-40479: Update multissltest helper to test with latest OpenSSL 1.0.2, 1.1.0, 1.1.1, and 3.0.0-alpha.
bpo-40179: Fixed translation of #elif in Argument Clinic.
bpo-40163: Fix multissltest tool. OpenSSL has changed download URL for old releases. The multissltest tool now tries to download from current and old download URLs.
bpo-36184: Port python-gdb.py to FreeBSD. python-gdb.py now checks for “take_gil” function name to check if a frame tries to acquire the GIL, instead of checking for “pthread_cond_timedwait” which is specific to Linux and can be a different condition than the GIL.
bpo-39889: Fixed unparse.py for extended slices containing a single element (e.g. a[i:j,]). Remove redundant tuples when index with a tuple (e.g. a[i, j]).
C API
bpo-39884: _PyMethodDef_RawFastCallDict() and _PyMethodDef_RawFastCallKeywords() now include the method name in the SystemError “bad call flags” error message to ease debug.
bpo-38643: PyNumber_ToBase() now raises a SystemError instead of crashing when called with invalid base.
Python 3.7.7 final
Library
bpo-13487: Avoid a possible “RuntimeError: dictionary changed size during iteration” from inspect.getmodule() when it tried to loop through sys.modules.
Documentation
bpo-17422: The language reference no longer restricts default class namespaces to dicts only.
Python 3.7.7 release candidate 1
Security
bpo-39401: Avoid unsafe load of api-ms-win-core-path-l1-1-0.dll at startup on Windows 7.
Core and Builtins
bpo-39776: Fix race condition where threads created by PyGILState_Ensure() could get a duplicate id.
This affects consumers of tstate->id like the contextvar caching machinery, which could return invalid cached objects under heavy thread load (observed in embedded scenarios).
bpo-39778: Fixed a crash due to incorrect handling of weak references in collections.OrderedDict classes. Patch by Pablo Galindo.
bpo-39382: Fix a use-after-free in the single inheritance path of issubclass(), when the __bases__ of an object has a single reference, and so does its first item. Patch by Yonatan Goldschmidt.
bpo-39606: Fix regression caused by fix for bpo-39386, that prevented calling aclose on an async generator that had already been closed or exhausted.
bpo-39510: Fix segfault in readinto() method on closed BufferedReader.
bpo-39453: Fixed a possible crash in list.__contains__() when a list is changed during comparing items. Patch by Dong-hee Na.
bpo-39427: Document all possibilities for the -X options in the command line help section. Patch by Pablo Galindo.
bpo-39421: Fix possible crashes when operating with the functions in the heapq module and custom comparison operators.
bpo-39386: Prevent double awaiting of async iterator.
bpo-38588: Fix possible crashes in dict and list when calling PyObject_RichCompareBool().
bpo-39031: When parsing an “elif” node, lineno and col_offset of the node now point to the “elif” keyword and not to its condition, making it consistent with the “if” node. Patch by Lysandros Nikolaou.
bpo-38610: Fix possible crashes in several list methods by holding strong references to list elements when calling PyObject_RichCompareBool().
Library
bpo-39794: Add –without-decimal-contextvar build option. This enables a thread-local rather than a coroutine local context.
bpo-39769: The compileall.compile_dir() function’s ddir parameter and the compileall command line flag -d no longer write the wrong pathname to the generated pyc file for submodules beneath the root of the directory tree being compiled. This fixes a regression introduced with Python 3.5.
bpo-30566: Fix IndexError when trying to decode an invalid string with punycode codec.
bpo-39649: Remove obsolete check for __args__ in bdb.Bdb.format_stack_entry.
bpo-27657: The original fix for bpo-27657, “Fix urlparse() with numeric paths” (GH-16839) included in 3.7.6, inadvertently introduced a behavior change that broke several third-party packages relying on the original undefined parsing behavior. The change is reverted in 3.7.7, restoring the behavior of 3.7.5 and earlier releases.
bpo-21016: The pydoc and trace modules now use the sysconfig module to get the path to the Python standard library, to support uncommon installation path like /usr/lib64/python3.9/ on Fedora. Patch by Jan Matějek.
bpo-39548: Fix handling of header in urllib.request.AbstractDigestAuthHandler when the optional qop parameter is not present.
bpo-39450: Striped whitespace from docstring before returning it from unittest.case.shortDescription().
bpo-39493: Mark typing.IO.closed as a property
bpo-39485: Fix a bug in unittest.mock.create_autospec() that would complain about the wrong number of arguments for custom descriptors defined in an extension module returning functions.
bpo-39430: Fixed race condition in lazy imports in tarfile.
bpo-39389: Write accurate compression level metadata in gzip archives, rather than always signaling maximum compression.
bpo-39274: bool(fraction.Fraction) now returns a boolean even if (numerator != 0) does not return a boolean (ex: numpy number).
bpo-39242: Updated the Gmane domain from news.gmane.org to news.gmane.io which is used for examples of NNTP news reader server and nntplib tests.
bpo-39152: Fix ttk.Scale.configure([name]) to return configuration tuple for name or all options. Giovanni Lombardo contributed part of the patch.
bpo-39198: If an exception were to be thrown in Logger.isEnabledFor (say, by asyncio timeouts or stopit) , the logging global lock may not be released appropriately, resulting in deadlock. This change wraps that block of code with try...finally to ensure the lock is released.
bpo-39191: Perform a check for running loop before starting a new task in loop.run_until_complete() to fail fast; it prevents the side effect of new task spawning before exception raising.
bpo-38871: Correctly parenthesize filter-based statements that contain lambda expressions in mod:lib2to3. Patch by Dong-hee Na.
bpo-39142: A change was made to logging.config.dictConfig to avoid converting instances of named tuples to ConvertingTuple. It’s assumed that named tuples are too specialised to be treated like ordinary tuples; if a user of named tuples requires ConvertingTuple functionality, they will have to implement that themselves in their named tuple class.
bpo-38971: Open issue in the BPO indicated a desire to make the implementation of codecs.open() at parity with io.open(), which implements a try/except to assure file stream gets closed before an exception is raised.
bpo-39057: urllib.request.proxy_bypass_environment() now ignores leading dots and no longer ignores a trailing newline.
bpo-39056: Fixed handling invalid warning category in the -W option. No longer import the re module if it is not needed.
bpo-39055: base64.b64decode() with validate=True raises now a binascii.Error if the input ends with a single \n.
bpo-38878: Fixed __subclasshook__ of os.PathLike to return a correct result upon inheritence. Patch by Bar Harel.
bpo-35182: Fixed Popen.communicate() subsequent call crash when the child process has already closed any piped standard stream, but still continues to be running. Patch by Andriy Maletsky.
bpo-38473: Use signature from inner mock for autospecced methods attached with unittest.mock.attach_mock(). Patch by Karthikeyan Singaravelan.
bpo-38293: Add copy.copy() and copy.deepcopy() support to property() objects.
bpo-37953: In typing, improved the __hash__ and __eq__ methods for ForwardReferences.
bpo-36406: Handle namespace packages in doctest. Patch by Karthikeyan Singaravelan.
Documentation
bpo-13790: Change ‘string’ to ‘specification’ in format doc.
bpo-39530: Fix misleading documentation about mixed-type numeric comparisons.
bpo-17422: The language reference now specifies restrictions on class namespaces. Adapted from a patch by Ethan Furman.
bpo-39654: In pyclbr doc, update ‘class’ to ‘module’ where appropriate and add readmodule comment. Patch by Hakan Çelik.
bpo-39392: Explain that when filling with turtle, overlap regions may be left unfilled.
bpo-39381: Mention in docs that asyncio.get_event_loop() implicitly creates new event loop only if called from the main thread.
bpo-38918: Add an entry for __module__ in the “function” & “method” sections of the inspect docs types and members table
bpo-3530: In the ast module documentation, fix a misleading NodeTransformer example and add advice on when to use the fix_missing_locations function.
Tests
bpo-38546: Fix test_ressources_gced_in_workers() of test_concurrent_futures: explicitly stop the manager to prevent leaking a child process running in the background after the test completes.
Build
bpo-39144: The ctags and etags build targets both include Modules/_ctypes and Python standard library source files.
Windows
bpo-38597: distutils will no longer statically link vcruntime140.dll when a redistributable version is unavailable. All future releases of CPython will include a copy of this DLL to ensure distributed extensions can continue to load.
bpo-38380: Update Windows builds to use SQLite 3.31.1
bpo-39439: Reduce overhead when using multiprocessing in a Windows virtual environment
bpo-39185: The build.bat script has additional options for very-quiet output (-q) and very-verbose output (-vv)
macOS
bpo-38380: Update macOS builds to use SQLite 3.31.1
IDLE
bpo-39781: Selecting code context lines no longer causes a jump.
bpo-39663: Add tests for pyparse find_good_parse_start().
bpo-39600: In the font configuration window, remove duplicated font names.
bpo-30780: Add remaining configdialog tests for buttons and highlights and keys tabs.
bpo-39388: IDLE Settings Cancel button now cancels pending changes
bpo-39050: Make IDLE Settings dialog Help button work again.
bpo-34118: Tag memoryview, range, and tuple as classes, the same as list, etcetera, in the library manual built-in functions list.
bpo-38792: Close an IDLE shell calltip if a KeyboardInterrupt or shell restart occurs. Patch by Zackery Spytz.
bpo-32989: Add tests for editor newline_and_indent_event method. Remove dead code from pyparse find_good_parse_start method.
Changes:
3.7.5
-----
Documentation
* bpo-26868: Fix example usage of PyModule_AddObject() to properly handle
errors.
* bpo-37979: Added a link to dateutil.parser.isoparse in the
datetime.fromisoformat documentation. Patch by Paul Ganssle
* bpo-37937: Mention frame.f_trace in sys.settrace() docs.
* bpo-37726: Stop recommending getopt in the tutorial for command line
argument parsing and promote argparse.
* bpo-32910: Remove implementation-specific behaviour of how venv’s
Deactivate works.
* bpo-37256: Fix wording of arguments for Request in urllib.request
* bpo-37284: Add a brief note to indicate that any new sys.implementation
required attributes must go through the PEP process.
* bpo-30088: Documented that mailbox.Maildir constructor doesn’t attempt to
verify the maildir folder layout correctness. Patch by Sviatoslav
Sydorenko.
* bpo-37487: Fix PyList_GetItem index description to include 0.
* bpo-37478: Added possible exceptions to the description of os.chdir().
* bpo-37004: In the documentation for difflib, a note was added explicitly
warning that the results of SequenceMatcher’s ratio method may depend on
the order of the input strings.
* bpo-35803: Document and test that tempfile functions may accept a path-like
object for the dir argument. Patch by Anthony Sottile.
* bpo-34293: Fix the Doc/Makefile regarding PAPER environment variable and
PDF builds
Python 3.7.4 final
Core and Builtins
bpo-37500: Due to unintended side effects, revert the change introduced by bpo-1875 in 3.7.4rc1 to check for syntax errors in dead conditional code blocks.
Documentation
bpo-37149: Replace the dead link to the Tkinter 8.5 reference by John Shipman, New Mexico Tech, with a link to the archive.org copy.
Python 3.7.4 release candidate 2
Security
bpo-37463: ssl.match_hostname() no longer accepts IPv4 addresses with additional text after the address and only quad-dotted notation without trailing whitespaces. Some inet_aton() implementations ignore whitespace and all data after whitespace, e.g. ‘127.0.0.1 whatever’.
Core and Builtins
bpo-24214: Improved support of the surrogatepass error handler in the UTF-8 and UTF-16 incremental decoders.
Library
bpo-37440: http.client now enables TLS 1.3 post-handshake authentication for default context or if a cert_file is passed to HTTPSConnection.
bpo-37437: Update vendorized expat version to 2.2.7.
bpo-37428: SSLContext.post_handshake_auth = True no longer sets SSL_VERIFY_POST_HANDSHAKE verify flag for client connections. Although the option is documented as ignored for clients, OpenSSL implicitly enables cert chain validation when the flag is set.
bpo-32627: Fix compile error when _uuid headers conflicting included.
Windows
bpo-37369: Fixes path for sys.executable when running from the Microsoft Store.
bpo-35360: Update Windows builds to use SQLite 3.28.0.
macOS
bpo-34602: Avoid test suite failures on macOS by no longer calling resource.setrlimit to increase the process stack size limit at runtime. The runtime change is no longer needed since the interpreter is being built with a larger default stack size.
Changes:
3.7.3
=====
Documentation
-------------
- bpo-36083: Fix formatting of --check-hash-based-pycs options in the
manpage Synopsis.
- bpo-34764: Improve example of iter() with 2nd sentinel argument.
- bpo-21314: A new entry was added to the Core Language Section of the
Programming FAQ, which explaines the usage of slash(/) in the signature of
a function. Patch by Lysandros Nikolaou
- bpo-22062: Update documentation and docstrings for pathlib. Original patch
by Mike Short.
Changes:
3.7.2
=====
Documentation
-------------
- bpo-35089: Remove mention of ``typing.io`` and ``typing.re``. Their types
should be imported from ``typing`` directly.
- bpo-35038: Fix the documentation about an unexisting `f_restricted`
attribute in the frame object. Patch by Stéphane Wirtel
- bpo-35044: Fix the documentation with the role ``exc`` for the
appropriated exception. Patch by Stéphane Wirtel
- bpo-35035: Rename documentation for :mod:`email.utils` to
``email.utils.rst``.
- bpo-34967: Use app.add_object_type() instead of the deprecated Sphinx
function app.description_unit()
- bpo-11233: Create availability directive for documentation. Original
patch by Georg Brandl.
- bpo-33594: Document ``getargspec``, ``from_function`` and ``from_builtin``
as deprecated in their respective docstring, and include version since
deprecation in DeprecationWarning message.
- bpo-32613: Update the faq/windows.html to use the py command from PEP 397
instead of python.
Changes:
3.7.1
-----
Documentation
=============
- bpo-32174: chm document displays non-ASCII charaters properly on some
MBCS Windows systems.
- bpo-34790: Document how passing coroutines to asyncio.wait() can be
confusing.
- bpo-28617: Fixed info in the stdtypes docs concerning the types that
support membership tests.
- bpo-34065: Fix wrongly written basicConfig documentation markup syntax
- bpo-33460: replaced ellipsis with correct error codes in tutorial
chapter 3.
- bpo-33847: Add `@' operator entry to index.
- bpo-25041: Document AF_PACKET in the socket module.
adam
nia
leot