python2-2.7.16

[Bruce Dubbs]

New point version.

[Bruce Dubbs]

Python News

What's New in Python 2.7.16 final?

*Release date: 2019-03-02*

IDLE

• bpo-32129: Avoid blurry IDLE application icon on macOS with Tk 8.6. Patch by Kevin Walzer.

What's New in Python 2.7.16 release candidate 1?

*Release date: 2019-02-16*

Security

• bpo-35746: [CVE-2019-5010] Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL distribution points with empty DP or URI correctly. A malicious or buggy certificate can result into segfault. Vulnerability (TALOS-2018-0758) reported by Colin Read and Nicolas Edet of Cisco.

• bpo-16039: CVE-2013-1752: Change use of readline() in :class:imaplib.IMAP4_SSL to limit line length.

• bpo-28043: SSLContext has improved default settings: OP_NO_SSLv2, OP_NO_SSLv3, OP_NO_COMPRESSION, OP_CIPHER_SERVER_PREFERENCE, OP_SINGLE_DH_USE, OP_SINGLE_ECDH_USE and HIGH ciphers without MD5.

• bpo-34791: The xml.sax and xml.dom.domreg no longer use environment variables to override parser implementations when sys.flags.ignore_environment is set by -E or -I arguments.

• bpo-34623: CVE-2018-14647: The C accelerated _elementtree module now initializes hash randomization salt from _Py_HashSecret instead of libexpat's default CSPRNG.

• bpo-34540: When shutil.make_archive falls back to the external zip problem, it uses :mod:subprocess to invoke it rather than :mod:distutils.spawn. This closes a possible shell injection vector.

• bpo-34405: Updated to OpenSSL 1.0.2p for Windows builds.

Core and Builtins

• bpo-35552: Format character %s in :c:func:`PyString_FromFormat` no longer read memory past the limit if *precision* is specified.

• bpo-35504: Fix segfaults and :exc:SystemError\ s when deleting certain attributes. Patch by Zackery Spytz.

• bpo-35368: :c:func:`PyMem_Malloc` is now also thread-safe in debug mode.

• bpo-35214: Fixed an out of bounds memory access when parsing a truncated unicode escape sequence at the end of a string such as u'\N'. It would read one byte beyond the end of the memory allocation.

• bpo-34974: The :class:bytearray constructor no longer convert unexpected exceptions (e.g. :exc:MemoryError and :exc:KeyboardInterrupt) to :exc:TypeError.

• bpo-22851: Fix a segfault when accessing generator.gi_frame.f_restricted when the generator is exhausted. Patch by Zackery Spytz.

• bpo-18560: Fix potential NULL pointer dereference in sum().

• bpo-34400: Fix undefined behavior in parsetok.c. Patch by Zackery Spytz.

• bpo-25083: Adding I/O error checking when reading .py files and aborting importing on error.

• bpo-25943: Fix potential heap corruption in the :mod:bsddb module. Patch by Zackery Spytz.

• bpo-34068: In :meth:io.IOBase.close, ensure that the :attr:~io.IOBase.closed attribute is not set with a live exception. Patch by Zackery Spytz and Serhiy Storchaka.

• bpo-34080: Fixed a memory leak in the compiler when it raised some uncommon errors during tokenizing.

• bpo-33956: Update vendored Expat library copy to version 2.2.5.

• bpo-30654: Fixed reset of the SIGINT handler to SIG_DFL on interpreter shutdown even when there was a custom handler set previously. Patch by Philipp Kerling.

• bpo-33645: Fixed an "unknown parsing error" on parsing the "<>" operator when run Python with both options -3 and -We.

• bpo-33622: Fixed a leak when the garbage collector fails to add an object with the del method or referenced by it into the :data:gc.garbage list. :c:func:`PyGC_Collect` can now be called when an exception is set and preserves it.

• bpo-33391: Fix a leak in set_symmetric_difference().

• bpo-25750: Fix rare Python crash due to bad refcounting in type_getattro() if a descriptor deletes itself from the class. Patch by Jeroen Demeyer.

• bpo-25862: Fix assertion failures in the tell() method of io.TextIOWrapper. Patch by Zackery Spytz.

Library

• bpo-8765: The write() method of buffered and unbuffered binary streams in the io module emits now a DeprecationWarning in Py3k mode for unicode argument.

• bpo-35052: Fix xml.dom.minidom cloneNode() on a document with an entity: pass the correct arguments to the user data handler of an entity.

• bpo-10496: :func:~distutils.utils.check_environ of :mod:distutils.utils now catchs :exc:KeyError on calling :func:pwd.getpwuid: don't create the HOME environment variable in this case.

• bpo-10496: :func:posixpath.expanduser now returns the input *path* unchanged if the HOME environment variable is not set and the current user has no home directory (if the current user identifier doesn't exist in the password database). This change fix the :mod:site module if the current user doesn't exist in the password database (if the user has no home directory).

• bpo-24746: Avoid stripping trailing whitespace in doctest fancy diff. Orignial patch by R. David Murray & Jairo Trad. Enhanced by Sanyam Khurana.

• bpo-35277: Update ensurepip to install pip 18.1 and setuptools 40.6.2.

• bpo-35062: Fix incorrect parsing of :class:_io.IncrementalNewlineDecoder's *translate* argument.

• bpo-35079: Improve difflib.SequenceManager.get_matching_blocks doc by adding 'non- overlapping' and changing '!=' to '<'.

• bpo-35017: :meth:socketserver.BaseServer.serve_forever now exits immediately if it's :meth:~socketserver.BaseServer.shutdown method is called while it is polling for new events.

• bpo-34794: Fixed a leak in Tkinter when pass the Python wrapper around Tcl_Obj back to Tcl/Tk.

• bpo-23420: Verify the value for the parameter '-s' of the cProfile CLI. Patch by Robert Kuska

• bpo-16965: The :term:2to3 :2to3fixer:execfile fixer now opens the file with mode 'rb'. Patch by Zackery Spytz.

• bpo-34936: Fix TclError in tkinter.Spinbox.selection_element(). Patch by Juliette Monsel.

• bpo-34866: Adding max_num_fields to cgi.FieldStorage to make DOS attacks harder by limiting the number of MiniFieldStorage objects created by FieldStorage.

• bpo-34738: ZIP files created by :mod:distutils will now include entries for directories.

• bpo-34652: Ensure :func:os.lchmod is never defined on Linux.

• bpo-34625: Update vendorized expat library version to 2.2.6.

• bpo-34610: Fixed iterator of :class:multiprocessing.managers.DictProxy.

• bpo-34530: distutils.spawn.find_executable() now falls back on :data:os.defpath if the PATH environment variable is not set.

• bpo-34472: Improved compatibility for streamed files in :mod:zipfile. Previously an optional signature was not being written and certain ZIP applications were not supported. Patch by Silas Sewell.

• bpo-6700: Fix inspect.getsourcelines for module level frames/tracebacks. Patch by Vladimir Matveev.

• bpo-31715: Associate .mjs file extension with application/javascript MIME Type.

• bpo-32947: Add OP_ENABLE_MIDDLEBOX_COMPAT and test workaround for TLSv1.3 for future compatibility with OpenSSL 1.1.1.

• bpo-34341: Appending to the ZIP archive with the ZIP64 extension no longer grows the size of extra fields of existing entries.

• bpo-34052: :meth:sqlite3.Connection.create_aggregate, :meth:sqlite3.Connection.create_function, :meth:sqlite3.Connection.set_authorizer, :meth:sqlite3.Connection.set_progress_handler methods raises TypeError when unhashable objects are passed as callable. These methods now don't pass such objects to SQLite API. Previous behavior could lead to segfaults. Patch by Sergey Fedoseev.

• bpo-34019: webbrowser: Correct the arguments passed to Opera Browser when opening a new URL using the webbrowser module. Patch by Bumsik Kim.

• bpo-33974: Fixed passing lists and tuples of strings containing special characters ", \, {, } and \n as options to :mod:~tkinter.ttk widgets.

• bpo-26544: Fixed implementation of :func:platform.libc_ver. It almost always returned version '2.9' for glibc.

• bpo-33767: The concatenation (+) and repetition (*) sequence operations now raise :exc:TypeError instead of :exc:SystemError when performed on :class:mmap.mmap objects. Patch by Zackery Spytz.

• bpo-11874: Use a better regex when breaking usage into wrappable parts. Avoids bogus assertion errors from custom metavar strings.

• bpo-33570: Change TLS 1.3 cipher suite settings for compatibility with OpenSSL 1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by default.

• bpo-33542: Prevent uuid.get_node from using a DUID instead of a MAC on Windows. Patch by Zvi Effron

• bpo-33096: Removed unintentionally backported from Python 3 Tkinter files.

• bpo-20087: Updated alias mapping with glibc 2.27 supported locales.

• bpo-33422: Fix trailing quotation marks getting deleted when looking up byte/string literals on pydoc. Patch by Andrés Delfino.

• bpo-33336: imaplib now allows MOVE command in IMAP4.uid() (RFC 6851: IMAP MOVE Extension) and potentially as a name of supported method of IMAP4 object.

• bpo-33359: Fix running python -m curses.has_key.

• bpo-33131: Upgrade bundled version of pip to 10.0.1.

• bpo-33308: Fixed a crash in the :mod:parser module when converting an ST object to a tree of tuples or lists with line_info=False and col_info=True.

• bpo-33256: Fix display of <module> call in the html produced by cgitb.html(). Patch by Stéphane Blondon.

• bpo-32861: The urllib.robotparser's str representation now includes wildcard entries and the "Crawl-delay" and "Request-rate" fields. Patch by Michael Lazar.

• bpo-33038: gzip.GzipFile no longer produces an AttributeError exception when used with a file object with a non-string name attribute. Patch by Bo Bayles.

• bpo-32857: In :mod:tkinter, after_cancel(None) now raises a :exc:ValueError instead of canceling the first scheduled function. Patch by Cheryl Sabella.

• bpo-32502: uuid.uuid1 no longer raises an exception if a 64-bit hardware address is encountered.

• bpo-31608: Raise a TypeError instead of crashing if a collections.deque subclass returns a non-deque from new. Patch by Oren Milman.

• bpo-16865: Support arrays >=2GiB in :mod:ctypes. Patch by Segev Finer.

• bpo-29456: Fix bugs in hangul normalization: u1176, u11a7 and u11c3

Documentation

• bpo-35035: Rename documentation for :mod:email.utils to email.utils.rst.

• bpo-34967: Use app.add_object_type() instead of the deprecated Sphinx function app.description_unit()

• bpo-13407: Add a note to :mod:bz2 and :mod:tarfile stating that handling of multi-stream bzip2 files is not supported.

• bpo-33503: Fix broken pypi link

Tests

• bpo-34279: :func:test.support.run_unittest no longer raise :exc:TestDidNotRun if the test result contains skipped tests. The exception is now only raised if no test have been run and no test have been skipped.

• bpo-34279: regrtest issue a warning when no tests have been executed in a particular test file. Also, a new final result state is issued if no test have been executed across all test files. Patch by Pablo Galindo.

• bpo-34661: Fix test_shutil if unzip doesn't support -t.

• bpo-34542: Use 3072 RSA keys and SHA-256 signature for test certs and keys.

• bpo-34391: Fix ftplib test for TLS 1.3 by reading from data socket.

• bpo-34399: Update all RSA keys and DH params to use at least 2048 bits.

• bpo-33901: Fix test_gdbm on macOS with gdbm 1.15: add a larger value to make sure that the file size changes.

• bpo-33873: Fix a bug in regrtest that caused an extra test to run if --huntrleaks/-R was used. Exit with error in case that invalid parameters are specified to --huntrleaks/-R (at least one warmup run and one repetition must be used).

• bpo-29512: Rename Lib/test/bisect.py to Lib/test/bisect_cmd.py. The old name was in conflict with Lib/bisect.py, causing test failures, depending how tests were run.

• bpo-32962: Fixed test_gdb when Python is compiled with flags -mcet -fcf-protection -O0.

• bpo-33354: Skip test_ssl.test_load_dh_params when Python filesystem encoding cannot encode the provided path.

• bpo-19417: Add test_bdb.py.

Build

• bpo-35139: Fix a compiler error when statically linking pyexpat in Modules/Setup.

• bpo-34710: Fixed SSL module build with OpenSSL & pedantic CFLAGS.

• bpo-33015: Fix an undefined behaviour in the pthread implementation of :c:func:`PyThread_start_new_thread`: add a function wrapper to always return NULL.

• bpo-30345: Add -g to LDFLAGS when compiling with LTO to get debug symbols.

IDLE

• bpo-34275: Make IDLE calltips always visible on Mac. Some MacOS-tk combinations need .update_idletasks(). Patch by Kevin Walzer.

• bpo-34120: Fix unresponsiveness after closing certain windows and dialogs.

• bpo-33856: Add "help" in the welcome message of IDLE

• bpo-31500: Default fonts now are scaled on HiDPI displays.

Tools/Demos

• bpo-34989: python-gdb.py now handles errors on computing the line number of a Python frame.

• bpo-34500: Fix 2 ResourceWarning in difflib.py. Patch by Mickaël Schoentgen.

• bpo-29367: python-gdb.py now supports also method-wrapper (wrapperobject) objects.

• bpo-32962: python-gdb now catchs UnicodeDecodeError exceptions when calling string().

• bpo-32962: python-gdb now catchs ValueError on read_var(): when Python has no debug symbols for example.

C API

• bpo-33817: Fixed :c:func:`_PyString_Resize` and :c:func:`_PyUnicode_Resize` for empty strings. This fixed also :c:func:`PyString_FromFormat and :c:func:PyUnicode_FromFormat` when they return an empty string (e.g. PyString_FromFormat("%s", "")).

• bpo-34229: Check start and stop of slice object to be long when they are not int in :c:func:`PySlice_GetIndices`.

• bpo-23927: Fixed :exc:SystemError in :c:func:`PyArg_ParseTupleAndKeywords when the w*` format unit is used for optional parameter.

[Bruce Dubbs]

Fixed at revision 21283.

[Bruce Dubbs]

Milestone renamed