Python 3.9.14
Security
gh-95778: Converting between int and str in bases other than 2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 (for example base 10, decimal) now raises a ValueError if the number of digits in string form is above a limit, to avoid potential denial of service attacks due to the algorithmic complexity of the conversion. This is a mitigation for CVE-2020-10735.
This new limit can be configured or disabled by environment variable, command line flag, or sys APIs. See the integer string conversion length limitation documentation. The default limit is 4300 digits in string form.
Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with feedback from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and Mark Dickinson.
gh-87389: http.server: Fix an open redirection vulnerability in the HTTP server when a URI path starts with //. Vulnerability discovered, and initial fix proposed, by Hamza Avvan.
Core and Builtins
gh-93065: Fix contextvars HAMT implementation to handle iteration over deep trees.
The bug was discovered and fixed by Eli Libman. See MagicStack/immutables#84 for more details.
Library
gh-94821: Fix binding of unix socket to empty address on Linux to use an available address from the abstract namespace, instead of “0”.
gh-91810: Suppress writing an XML declaration in open files in ElementTree.write() with encoding='unicode' and xml_declaration=None.
bpo-45393: Fix the formatting for await x and not x in the operator precedence table when using the help() system.
bpo-46197: Fix ensurepip environment isolation for subprocess running pip.
Tests
gh-95280: Fix problem with test_ssl test_get_ciphers on systems that require perfect forward secrecy (PFS) ciphers.
gh-94208: test_ssl is now checking for supported TLS version and protocols in more tests.
bpo-47016: Create a GitHub Actions workflow for verifying bundled pip and setuptools. Patch by Illia Volochii and Adam Turner.
Python 3.8.14
Security
gh-95778: Converting between int and str in bases other than 2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 (for example base 10, decimal) now raises a ValueError if the number of digits in string form is above a limit, to avoid potential denial of service attacks due to the algorithmic complexity of the conversion. This is a mitigation for CVE-2020-10735.
This new limit can be configured or disabled by environment variable, command line flag, or sys APIs. See the integer string conversion length limitation documentation. The default limit is 4300 digits in string form.
Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with feedback from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and Mark Dickinson.
gh-87389: http.server: Fix an open redirection vulnerability in the HTTP server when a URI path starts with //. Vulnerability discovered, and initial fix proposed, by Hamza Avvan.
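The http.server note above (and its twin in the 3.9.14 section) turns on one fact: a request path beginning with // is a legitimate path on the server, but if a handler echoes it into a Location header, HTTP clients read //host/... as a scheme-relative URL rather than a path, so the redirect leaves the site. The following is an added example, not the CPython patch, showing the two defensive checks a handler author wants: collapsing leading slashes before a path is reused in a redirect, and classifying a Location value as local or not before sending it. The helper names are my own.

```python
from urllib.parse import urlsplit


def collapse_leading_slashes(path: str) -> str:
    """Reduce a run of leading '/' characters in a request path to one.

    After this, a path can no longer start with '//', so a redirect built
    from it cannot be interpreted by clients as '//host/...' (scheme-relative).
    """
    if path.startswith("//"):
        return "/" + path.lstrip("/")
    return path


def is_local_redirect(location: str) -> bool:
    """True only for targets that stay on the current origin.

    Accepts a path that starts with exactly one '/'. Rejects absolute URLs,
    scheme-relative '//host' forms, and '/\\host': common browsers treat a
    backslash in that position like a forward slash (WHATWG URL parsing),
    so it is checked the same way.
    """
    if len(location) < 1 or location[0] != "/":
        return False
    if len(location) > 1 and location[1] in "/\\":
        return False
    parts = urlsplit(location)
    return parts.scheme == "" and parts.netloc == ""


def directory_redirect_target(request_path: str) -> str:
    """Build the 'add a trailing slash' redirect a directory handler sends,
    from a path that has first been normalised."""
    safe = collapse_leading_slashes(request_path)
    return safe if safe.endswith("/") else safe + "/"


if __name__ == "__main__":
    # Constructed sample paths; 'example.test' is a reserved test-only name.
    for raw in ("/docs", "//example.test/docs", "///example.test"):
        target = directory_redirect_target(raw)
        print(f"{raw!r:26} -> {target!r:22} local={is_local_redirect(target)}")
```

Run in a request handler, collapse_leading_slashes() goes before any use of the path, and is_local_redirect() is the last check before a Location header is written; a value that fails it should be dropped or replaced with a fixed same-origin path rather than sent.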
Core and Builtins
gh-93065: Fix contextvars HAMT implementation to handle iteration over deep trees.
The bug was discovered and fixed by Eli Libman. See MagicStack/immutables#84 for more details.
Library
bpo-46197: Fix ensurepip environment isolation for subprocess running pip.
bpo-36073: Raise ProgrammingError instead of segfaulting on recursive usage of cursors in sqlite3 converters. Patch by Sergey Fedoseev.
Documentation
gh-91888: Add a new gh role to the documentation to link to GitHub issues.
bpo-47138: Pin Jinja to a version compatible with Sphinx version 2.4.4.
Tests
gh-94208: test_ssl is now checking for supported TLS version and protocols in more tests.
bpo-47016: Create a GitHub Actions workflow for verifying bundled pip and setuptools. Patch by Illia Volochii and Adam Turner.
bpo-46114: Fix test case for OpenSSL 3.0.1 version. OpenSSL 3.0 uses 0xMNN00PP0L.
Windows
bpo-47194: Update zlib to v1.2.12 to resolve CVE-2018-25032.
4.37.1 (released 2022-08-24)
----------------------------
- [subset] Fixed regression introduced with v4.37.0 while subsetting the VarStore of
``HVAR`` and ``VVAR`` tables, whereby an ``AttributeError: subset_varidxes`` was
thrown because an apparently unused import statement (with the side-effect of
dynamically binding that ``subset_varidxes`` method to the VarStore class) had been
accidentally deleted in an unrelated PR.
- [pens] Added ``cairoPen``.
- [gvar] Read ``gvar`` more lazily by not parsing all of the ``glyf`` table.
- [ttGlyphSet] Make ``drawPoints(pointPen)`` method work for CFF fonts as well via
adapter pen.
4.37.0 (released 2022-08-23)
----------------------------
- [varLib.models] Reverted PR 2717 which added support for "narrow tents" in v4.36.0,
as it introduced a regression. It will be restored in an upcoming release
once we have found a solution to the bug.
- [cff.specializer] Fixed issue in charstring generalizer with the ``blend`` operator.
- [varLib.models] Added support for extrapolation.
- [ttGlyphSet] Ensure the newly added ``_TTVarGlyphSet`` inherits from ``_TTGlyphSet``
to keep backward compatibility with existing API.
- [kern] Allow compiling legacy kern tables with more than 64k entries (d21cfdede).
- [visitor] Added new visitor API to traverse tree of objects and dispatch based
on the attribute type: cf. ``fontTools.misc.visitor`` and ``fontTools.ttLib.ttVisitor``. Added ``fontTools.ttLib.scaleUpem`` module that uses the latter to
change a font's units-per-em and scale all the related fields accordingly.
4.36.0 (released 2022-08-17)
----------------------------
- [varLib.models] Use a simpler model that generates narrower "tents" (regions, master
supports) whenever possible: specifically when any two axes that actively "cooperate"
(have masters at non-zero positions for both axes) have a complete set of intermediates.
The simpler algorithm produces fewer overlapping regions and behaves better with
respect to rounding at the peak positions than the generic solver, always matching
intermediate masters exactly, instead of maximally 0.5 units off. This may be useful
when 100% metrics compatibility is desired.
- [feaLib] Remove the warning about ``GDEF`` not being built when it was explicitly not
requested; don't build one unconditionally even when not requested.
- [ttFont] ``TTFont.getGlyphSet`` method now supports selecting a location that
represents an instance of a variable font (supports both user-scale and normalized
axes coordinates via the ``normalized=False`` parameter). Currently this only works
for TrueType-flavored variable fonts.
4.35.0 (released 2022-08-15)
----------------------------
- [otData/otConverters] Added support for 'biased' PaintSweepGradient start/end angles
to match latest COLRv1 spec.
- [varLib.instancer] Fixed bug in ``_instantiateFeatureVariations`` when at the same
time pinning one axis and restricting the range of a subsequent axis; the wrong axis
tag was being used in the latter step (as the records' axisIdx was updated in the
preceding step but looked up using the old axes order in the following step).
- [mtiLib] Pad script tags with space when less than 4 char long.
- [merge] Use ``'.'`` instead of ``'#'`` in duplicate glyph names.
- [gvar] Added support for lazily loading glyph variations.
- [varLib] In ``build_many``, we forgot to pass on ``colr_layer_reuse`` parameter to
the ``build`` method.
- [svgPathPen] Add a main that prints SVG for input text (6df779fd).
- [cffLib.width] Fixed off-by-one in optimized values; previous code didn't match the
code block above it (2963fa50).
- [varLib.interpolatable] Support reading .designspace and .glyphs files (via optional
``glyphsLib``).
- Compile some modules with Cython when available and building/installing fonttools
from source: ``varLib.iup`` (35% faster), ``pens.momentsPen`` (makes
``varLib.interpolatable`` 3x faster).
- [feaLib] Allow features to be built for VF without also building a GDEF table (e.g.
only build GSUB); warn when GDEF would be needed but isn't requested.
- [otBase] Fixed ``AttributeError`` when uharfbuzz < 0.23.0 and 'repack' method is
missing (32aa8eaf). Use new ``uharfbuzz.repack_with_tag`` when available (since
uharfbuzz>=0.30.0), enables table-specific optimizations to be performed during
repacking.
- [statisticsPen] By default report all glyphs (4139d891). Avoid division-by-zero
(52b28f90).
- [feaLib] Added missing required argument to FeatureLibError exception.
- [varLib.merge] Fixed error during error reporting. Fixed undefined
``NotANone`` variable.
4.34.4 (released 2022-07-07)
----------------------------
- Fixed typo in varLib/merger.py that causes NameError merging COLR glyphs
containing more than 255 layers.
4.34.3 (released 2022-07-07)
----------------------------
- [designspaceLib] Don't make up bad PS names when there is no STAT data.
4.34.2 (released 2022-07-06)
----------------------------
- [varStore/subset] Fixed KeyError exception to do with NO_VARIATION_INDEX while
subsetting varidxes in GPOS/GDEF (a08140d).
4.34.1 (released 2022-07-06)
----------------------------
- [instancer] When optimizing HVAR/VVAR VarStore, use_NO_VARIATION_INDEX=False to avoid
including NO_VARIATION_INDEX in AdvWidthMap, RsbMap, LsbMap mappings, which would
push the VarIdx width to maximum (4bytes), which is not desirable. This also fixes
a hard crash when attempting to subset a varfont after it had been partially instanced
with use_NO_VARIATION_INDEX=True.
4.34.0 (released 2022-07-06)
----------------------------
- [instancer] Set RIBBI bits in head and OS/2 table when cutting instances and the
subfamily nameID=2 contains strings like 'Italic' or 'Bold'.
- [otTraverse] Added module containing methods for traversing trees of otData tables.
- [otTables] Made DeltaSetIndexMap TTX dump less verbose by omitting no-op entries.
- [colorLib.builder] Added option to disable PaintColrLayers's reuse of layers from
LayerList.
- [varLib] Added support for merging multiple master COLRv1 tables into a variable
COLR table. Base color glyphs of same name in different masters must have
identical paint graph structure (incl. number of layers, palette indices, number
of color line stops, corresponding paint formats at each level of the graph),
but can differ in the variable fields (e.g. PaintSolid.Alpha). PaintVar* tables
are produced when this happens and a VarStore/DeltaSetIndexMap is added to the
variable COLR table. It is possible for non-default masters to be 'sparse', i.e.
omit some of the color glyphs present in the default master.
- [feaLib] Let the Parser set nameIDs 1 through 6 that were previously reserved.
- [varLib.varStore] Support NO_VARIATION_INDEX in optimizer and instancer.
- [feaLib] Show all missing glyphs at once at end of parsing.
- [varLib.iup] Rewrite force-set conditions and limit DP loopback length.
For Noto Sans, IUP time drops from 23s down to 9s, with only a slight size increase
in the final font. This basically turns the algorithm from O(n^3) into O(n).
- [featureVars] Report about missing glyphs in substitution rules.
- [mutator/instancer] Added CLI flag to --no-recalc-timestamp.
- [SVG] Allow individual SVG documents in the SVG OT table to be compressed or uncompressed,
and remember that when roundtripping to/from ttx. The SVG.docList is now a list
of SVGDocument namedtuple-like dataclass instances containing an extra ``compressed`` field,
and no longer a bare 3-tuple.
- [designspaceLib] Check for descriptor types with hasattr() to allow custom classes
that don't inherit the default descriptors.
- [subset] Enable sharing across subtables of extension lookups for harfbuzz packing.
Updated how table packing falls back to fontTools from harfbuzz.
- [subset] Updated default feature tags following current Harfbuzz.
- [svgLib] Fixed regex for real number to support e.g. 1e-4 in addition to 1.0e-4.
Support parsing negative rx, ry on arc commands.
- [subset] Fixed subsetting SinglePosFormat2 when ValueFormat=0.
NUMPY 1.23.0 RELEASED
Jun 22, 2022 – NumPy 1.23.0 is now available. The highlights of the release are:
Implementation of loadtxt in C, greatly improving its performance.
Exposure of DLPack at the Python level for easy data exchange.
Changes to the promotion and comparisons of structured dtypes.
Improvements to f2py.
The NumPy 1.23.0 release continues the ongoing work to improve the handling and promotion of dtypes, increase the execution speed, clarify the documentation, and expire old deprecations. It is the work of 151 contributors spread over 494 pull requests. The Python versions supported by this release are 3.8-3.10. Python 3.11 will be supported when it reaches the rc stage.
38.0.0 - 2022-09-06
~~~~~~~~~~~~~~~~~~~
* Final deprecation of OpenSSL 1.1.0. The next release of ``cryptography``
will drop support.
* We no longer ship ``manylinux2010`` wheels. Users should upgrade to the
latest ``pip`` to ensure this doesn't cause issues downloading wheels on
their platform. We now ship ``manylinux_2_28`` wheels for users on new
enough platforms.
* Updated the minimum supported Rust version (MSRV) to 1.48.0, from 1.41.0.
Users with the latest ``pip`` will typically get a wheel and not need Rust
installed, but check :doc:`/installation` for documentation on installing a
newer ``rustc`` if required.
* :meth:`~cryptography.fernet.Fernet.decrypt` and related methods now accept
both ``str`` and ``bytes`` tokens.
* Parsing ``CertificateSigningRequest`` restores the behavior of enforcing
that the ``Extension`` ``critical`` field must be correctly encoded DER. See
`the issue <https://github.com/pyca/cryptography/issues/6368>`_ for complete
details.
* Added two new OpenSSL functions to the bindings to support an upcoming
``pyOpenSSL`` release.
* When parsing :class:`~cryptography.x509.CertificateRevocationList` and
:class:`~cryptography.x509.CertificateSigningRequest` values, it is now
enforced that the ``version`` value in the input must be valid according to
the rules of :rfc:`2986` and :rfc:`5280`.
* Using MD5 or SHA1 in :class:`~cryptography.x509.CertificateBuilder` and
other X.509 builders is deprecated and support will be removed in the next
version.
* Added additional APIs to
:class:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp`, including
:attr:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp.signature_hash_algorithm`,
:attr:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp.signature_algorithm`,
:attr:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp.signature`, and
:attr:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp.extension_bytes`.
* Added :attr:`~cryptography.x509.Certificate.tbs_precertificate_bytes`, allowing
users to access the to-be-signed pre-certificate data needed for signed
certificate timestamp verification.
* :class:`~cryptography.hazmat.primitives.kdf.kbkdf.KBKDFHMAC` and
:class:`~cryptography.hazmat.primitives.kdf.kbkdf.KBKDFCMAC` now support
:attr:`~cryptography.hazmat.primitives.kdf.kbkdf.CounterLocation.MiddleFixed`
counter location.
* Fixed :rfc:`4514` name parsing to reverse the order of the RDNs according
to the section 2.1 of the RFC, affecting method
:meth:`~cryptography.x509.Name.from_rfc4514_string`.
* It is now possible to customize some aspects of encryption when serializing
private keys, using
:meth:`~cryptography.hazmat.primitives.serialization.PrivateFormat.encryption_builder`.
* Removed several legacy symbols from our OpenSSL bindings. Users of pyOpenSSL
versions older than 22.0 will need to upgrade.
* Added
:class:`~cryptography.hazmat.primitives.ciphers.algorithms.AES128` and
:class:`~cryptography.hazmat.primitives.ciphers.algorithms.AES256` classes.
These classes do not replace
:class:`~cryptography.hazmat.primitives.ciphers.algorithms.AES` (which
allows all AES key lengths), but are intended for applications where
developers want to be explicit about key length.
0.3.2
* GHC 9.2.2 support
* Drop export executable
0.3.1
* GHC 9.0.1 and 9.2.1 support
* Add HasCallStack to unsafe* functions.
* Banish String on readMaybe and readEither.
This minor release includes 2 security fixes following the security policy:
net/http: handle server errors after sending GOAWAY
A closing HTTP/2 server connection could hang forever waiting for a clean
shutdown that was preempted by a subsequent fatal error. This failure mode
could be exploited to cause a denial of service.
Thanks to Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher,
and Kaan Onarlioglu for reporting this.
This is CVE-2022-27664 and Go issue https://go.dev/issue/54658.
net/url: JoinPath does not strip relative path components in all circumstances
JoinPath and URL.JoinPath would not remove ../ path components appended to a
relative path. For example, JoinPath("https://go.dev", "../go") returned the
URL https://go.dev/../go, despite the JoinPath documentation stating that ../
path elements are cleaned from the result.
Thanks to q0jt for reporting this issue.
This is CVE-2022-32190 and Go issue https://go.dev/issue/54385.
Containers with merging via monoidal accumulation. The Monoid instances
provided by the "containers" and "unordered-containers" packages merge
structures in a left-biased manner instead of using the underlying monoidal
structure of the value.
This package wraps the types provided by these packages, but provides
Monoid instances implemented in terms of the value type's mappend. For
instance, the Monoid Map instance looks like,
instance (Ord k, Semigroup a) => Monoid (MonoidalMap k a)
Per Conor McBride, the "Newtype" typeclass represents the packing and
unpacking of a newtype, and allows you to operate under that newtype with
functions such as "ala".
* Fix some blake2b C symbols to use the cryptonite_ prefix (fixes symbol clashes
when linking with other C libraries)
* add hmac-lazy
* Fix compilation with GHC 9.2
* Drop support for GHC8.0, GHC8.2, GHC8.4, GHC8.6
The source code of the KOMA-Script user manuals has been reorganized.
The old 8+3 names of the manuals have been replaced by more canonical names
`scrguide-de.pdf` (German manual) and `scrguide-en.pdf` (English manual).
`README` has been replaced by `README.md`, `manifest.txt` by `MANIFEST.md`.
The HTML wrapper files have been replaced by individual files for each class
and package linking to the corresponding chapter of the KOMA-Script user
manuals.
Additionally the issues 21, 23, 24, 25, 28, 29, 30, 31, 32, 33
have been fixed.
Maintenance release with documentation improvements and addition of
\etocimmediatedepthtag.toc as well as some other "immediate" variants of
macros writing to the .toc file. Refer to README.md for details.
The German language documentation was without updates since April 2015 and
had become obsolete in various ways. It is not distributed anymore.
This is a huge jump over several releases and it's impossible to list changes.
Please visit https://www.nushell.sh/blog/ for the details of every release.
Be aware that there are lots of changes across all aspects of Nushell.
- There's a new engine, new line editor, and new commands.
- Configuration files will not work and have to be re-written.
- Previous scripts will need to be updated, and you'll need to learn some of
the new ways of doing things in Nushell to get back to the same level of
comfort.
- Several shell improvements and behavior changes.
- There's also a new plugin architecture and quite a number of breaking
changes that came from fixing design flaws, cleaning up the design, and rethinking how
commands should work.
- New additional startup file (env.nu) which sets up the environment that
you'll run Nushell in. As a result, you're able to set up important
environment variables like $env.NU_LIB_DIRS before 'config.nu' begins to run.
- Deeper integration with SQLite, new completion logic, introduction of
overlays, hooks, lazy dataframes, input overloading, input/output type,
new variable naming convention ...
So, please do read about the changes before upgrading.