Python 3.10.7 final
Security
gh-95778: Converting between int and str in bases other than 2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now raises a ValueError if the number of digits in string form is above a limit to avoid potential denial of service attacks due to the algorithmic complexity. This is a mitigation for CVE-2020-10735.
This new limit can be configured or disabled by environment variable, command line flag, or sys APIs. See the integer string conversion length limitation documentation. The default limit is 4300 digits in string form.
Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with feedback from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and Mark Dickinson.
Core and Builtins
gh-96187: Fixed a bug that caused _PyCode_GetExtra to return garbage for negative indexes. Patch by Pablo Galindo
gh-95876: Fix format string in _PyPegen_raise_error_known_location that can lead to memory corruption on some 64bit systems. The function was building a tuple with i (int) instead of n (Py_ssize_t) for Py_ssize_t arguments.
gh-95605: Fix misleading contents of error message when converting an all-whitespace string to float.
gh-93592: coroutine.throw() now properly initializes the frame.f_back when resuming a stack of coroutines. This allows e.g. traceback.print_stack() to work correctly when an exception (such as CancelledError) is thrown into a coroutine.
gh-94996: ast.parse() will no longer parse function definitions with positional-only params when passed feature_version less than (3, 8). Patch by Shantanu Jain.
Library
gh-68163: Correct conversion of numbers.Rational’s to float.
gh-96159: Fix a performance regression in logging TimedRotatingFileHandler. Only check for special files when the rollover time has passed.
gh-96175: Fix unused localName parameter in the Attr class in xml.dom.minidom.
gh-95609: Update bundled pip to 22.2.2.
gh-95231: Fail gracefully if EPERM or ENOSYS is raised when loading crypt methods. This may happen when trying to load MD5 on a Linux kernel with FIPS enabled.
Documentation
gh-96098: Improve discoverability of the higher level concurrent.futures module by providing clearer links from the lower level threading and multiprocessing modules.
gh-95789: Update the default RFC base URL from deprecated tools.ietf.org to datatracker.ietf.org
gh-91207: Fix stylesheet not working in Windows CHM htmlhelp docs. Contributed by C.A.M. Gerlach.
bpo-47115: The documentation now lists which members of C structs are part of the Limited API/Stable ABI.
Tests
gh-95243: Mitigate the inherent race condition from using find_unused_port() in testSockName() by trying to find an unused port a few times before failing. Patch by Ross Burton.
Build
gh-94682: Build and test with OpenSSL 1.1.1q
IDLE
gh-65802: Document handling of extensions in Save As dialogs.
gh-95191: Include prompts when saving Shell (interactive input and output).
IPython 8.5.0
-------------
First release since a couple of month due to various reasons and timing preventing
me for sticking to the usual monthly release the last Friday of each month. This
is of non negligible size as it has more than two dozen PRs with various fixes
an bug fixes.
This minor release includes 2 security fixes following the security policy:
net/http: handle server errors after sending GOAWAY
A closing HTTP/2 server connection could hang forever waiting for a clean
shutdown that was preempted by a subsequent fatal error. This failure mode
could be exploited to cause a denial of service.
Thanks to Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher,
and Kaan Onarlioglu for reporting this.
This is CVE-2022-27664 and Go issue https://go.dev/issue/54658.
net/url: JoinPath does not strip relative path components in all circumstances
JoinPath and URL.JoinPath would not remove ../ path components appended to a
relative path. For example, JoinPath("https://go.dev", "../go") returned the
URL https://go.dev/../go, despite the JoinPath documentation stating that ../
path elements are cleaned from the result.
Thanks to q0jt for reporting this issue.
This is CVE-2022-32190 and Go issue https://go.dev/issue/54385.
What's New in astroid 2.12.8?
=============================
* Fixed a crash in the ``dataclass`` brain for ``InitVars`` without subscript typing.
* Fixed parsing of default values in ``dataclass`` attributes.
What's New in astroid 2.12.7?
=============================
* Fixed a crash in the ``dataclass`` brain for uninferable bases.
Changes in version 3.39.3 (2022-09-05):
Use a statement journal on DML statement affecting two or more database rows if the statement makes use of a SQL functions that might abort. See forum thread 9b9e4716c0d7bbd1.
Use a mutex to protect the PRAGMA temp_store_directory and PRAGMA data_store_directory statements, even though they are deprecated and documented as not being threadsafe. See forum post 719a11e1314d1c70.
Other bug and warning fixes. See the timeline for details.
Nmap 7.93 [2022-09-01]
o This release commemorates Nmap's 25th anniversary! It all started with this
September 1, 1997 Phrack article by Fyodor: https://nmap.org/p51-11.html.
o [Windows] Upgraded Npcap (our Windows raw packet capturing and
transmission driver) from version 1.50 to the latest version 1.71. It
includes dozens of performance improvements, bug fixes and feature
enhancements described at https://npcap.com/changelog.
o Ensure Nmap builds with OpenSSL 3.0 using no deprecated API functions.
Binaries for this release include OpenSSL 3.0.5.
o Upgrade included libraries: libssh2 1.10.0, zlib 1.2.12, Lua 5.3.6, libpcap 1.10.1
o Fix a bug that prevented Nmap from discovering interfaces on Linux
when no IPv4 addresses were configured. [Daniel Miller, nnposter]
o [NSE] NSE "exception handling" with nmap.new_try() will no longer
result in a stack traceback in debug output nor a "ERROR: script execution
failed" message in script output, since the intended behavior has always been
to end the script immediately without output. [Daniel Miller]
o Update the Nmap output DTD to match actual output since the
`<hosthint>` element was added in Nmap 7.90.
o [NSE] Fix newtargets support: since Nmap 7.92, scripts could not add
targets in script pre-scanning phase. [Daniel Miller]
o Scripts dhcp-discover and broadcast-dhcp-discover now support
setting a client identifier. [nnposter]
o Script oracle-tns-version was not reporting the version
correctly for Oracle 19c or newer [linholmes]
o Script redis-info was crashing or producing inaccurate
information about client connections and/or cluster nodes. [nnposter]
o Nmap and Nping were unable to obtain system routes on FreeBSD
[benpratt, nnposter]
o Script ipidseq was broken due to calling an unreachable library
function. [nnposter]
o Support for EC crypto was not properly enabled if Nmap
was compiled with OpenSSL in a custom location. [nnposter]
o [NSE] Improvements to event handling and pcap socket garbage collection,
fixing potential hangs and crashes. [Daniel Miller]
o We ceased creating the Nmap win32 binary zipfile. It was useful back when
you could just unzip it and run Nmap from there, but that hasn't worked well
for many years. The win32 self-installer handles Npcap installation and many
other dependencies and complexities. Anyone who needs the binaries for some
reason can still install Nmap on any system and retrieve them from there.
For now we're keeping the Win32 zipfile in the Nmap OEM Edition
(https://nmap.org/oem) for companies building Nmap into their own
products. But even in that case we believe that running the Nmap OEM
self-installer in silent mode is a better approach.
o Fix TDS7 password encoding for mssql.lua, which had been assuming
ASCII input even though other parts of the library had been passing it Unicode.
o Replace deprecated CPEs for IIS with their updated identifier,
cpe:/a:microsoft:internet_information_services [Esa Jokinen]
o [NSE] Fix script-terminating error when unknown BSON data types are
encountered. Added parsers for most standard data types. [Daniel Miller]
o [Ncat] Fix hostname/certificate comparison and matching to handle ASN.1
strings without null terminators, a similar bug to OpenSSL's CVE-2021-3712.
o [Ncat] Added support for SOCKS5 proxies that return bind addresses
as hostnames, instead of IPv4/IPv6 addresses. [pomu0325]
Version 0.11.3
* Add "hyperlink", "hyperlinkWithId" and "hyperlinkWithParams", and support
for clicable hyperlinks.
Version 0.11.2
* On Windows, fix compatability with the Windows I/O Manager (WinIO) when
GHC >= 9.0.1 but Win32 < 2.9.0.0.
* Improvements to Haddock documentation.
Version 0.15.5
This version is backwards compatible with save states from SameBoy 0.14.3
and newer, as well as save states from any BESS compliant emulator
New/Improved Features
* Both frontends now include links to the debugger documentation and to
the GitHub Sponsors page
Accuracy Improvements/Fixes
* Fixed a bug where certain color correction modes were desaturating
colors in an unbalanced manner
* Accurate emulation of the first-frame-behavior while emulating the
Game Boy Color and Game Boy Advance; fixes white flashes while playing
games developed by THQ
* More accurate emulation of the square channels sample repeat glitch,
fixing certain audio pops in LSDj and various games while using a
vibrato effect
Bug Fixes
* Fixed a bug where MBC state was not properly reset, fixing bugs
resulting in some games not booting correctly if they were loaded
after certain other games in the SDL frontend, libretro, and other
3rd-party frontends
Misc Internal Changes
* New memory management APIs for better integration of SameBoy as a
library
Security Vulnerabilities fixed in Firefox ESR 91.13
#CVE-2022-38472: Address bar spoofing via XSLT error handling
#CVE-2022-38473: Cross-origin XSLT Documents would have inherited the
parent's permissions
#CVE-2022-38478: Memory safety bugs fixed in Firefox 104, Firefox ESR 102.2,
and Firefox ESR 91.13
## Version 22.9.0 (2022-09-06)
* Pass verbose flag down to libfetch operations too.
* Update show-keep/show-no-keep output format (Sunil Nimmagadda).
* Add -4 and -6 flags to force libfetch to use IPv4/IPv6 (Staffan Thomén,
Sebastian Wiedenroth).
* Convert many SQL queries to use sqlite3_snprintf() and sqlite3 format
strings to reduce potential SQL injection attacks (Taylor R Campbell).
* Use sqlite3 savepoints, fixing issue around interrupted local summary
updates (Taylor R Campbell).
* Use posix_spawn() on newer macOS.
Mozilla Foundation Security Advisory 2022-34
Security Vulnerabilities fixed in Firefox ESR 102.2
#CVE-2022-38472: Address bar spoofing via XSLT error handling
#CVE-2022-38473: Cross-origin XSLT Documents would have inherited the
parent's permissions
#CVE-2022-38476: Data race and potential use-after-free in PK11_ChangePW
#CVE-2022-38477: Memory safety bugs fixed in Firefox 104 and Firefox ESR
102.2
#CVE-2022-38478: Memory safety bugs fixed in Firefox 104, Firefox ESR 102.2,
and Firefox ESR 91.13
This is useful for allowing packages that install python egg metadata
to benefit from the PRINT_PLIST_AWK defined in egg.mk even if they don't
actually use setup.py or normal Python build tools.
Version 2.3.5
Add support for BGRA glyphs display and scaling
Add "trackmemusage" property to use in improved _XftFontUncacheGlyph
Revised/completed manual page; all functions are documented.
What's New in astroid 2.12.6?
* Fix a crash involving ``Uninferable`` arguments to ``namedtuple()``.
* The ``dataclass`` brain now understands the ``kw_only`` keyword in dataclass decorators.
Changes:
1.0
---
* add jaq: a convenience wrapper script:
It wraps json2tsv, sets options for handling JSON data in a lossless manner
and uses awk as a "query language".
* json2tsv.1: properly escape backslashes, thanks adc!
An example of jaq:
echo '{"url":"https://codemadness.org/"}' |
jaq '$1 == ".url" { print $3 }'
I want to also thank all people who gave feedback,
2022-08-22
New Features
* (first contribution) add Inline type alias into uses assist:
* (first contribution) implement type inference for IntoFuture.
* consider bounds on inherent impl in method resolution (fixes nalgebra constructors).
* add LSP extension for cancelling running flychecks.
* allow running tests in inline module from anywhere in parent file.
* support disabling keyword hover popups (rust-analyzer.hover.documentation.keywords.enable).
Fixes
* resolve associated types of bare dyn types.
* resolve path Self alone in value namespace.
* support Self::assoc() syntax in Generate function.`
* replace Self in Inline call.
* fix incorrect type mismatch with cfg_if! and other macros in expression position.
* fix record completion filtering.
* escape keywords used as names in earlier editions.
* revert 12947, trigger workspace switches on all structure changes again.
* log rustfmt parsing errors as warnings.
Internal Improvements
* build release binaries on ubuntu-20.04.
* document interaction of checkOnSave.overrideCommand and multiple linked projects.
* add an HIR pretty-printer.
* make resolve_name_in_module a bit more lazy.
* fix a bunch of typos.
