Opened 4 years ago

Closed 4 years ago

#4854 closed enhancement (fixed)

Python-3.9.5

Reported by: Douglas R. Reno Owned by: Douglas R. Reno
Priority: high Milestone: 11.0
Component: Book Version: git
Severity: normal Keywords:
Cc:

Description

New point version

Change History (4)

comment:1 by Douglas R. Reno, 4 years ago

Owner: changed from lfs-book to Douglas R. Reno
Status: new → assigned

comment:2 by Douglas R. Reno, 4 years ago

Priority: normal → high
Security

    bpo-43434: Creating a sqlite3.Connection object now also produces a sqlite3.connect auditing event. Previously this event was only produced by sqlite3.connect() calls. Patch by Erlend E. Aasland.

    bpo-43882: The presence of newline or tab characters in parts of a URL could allow some forms of attacks.

    Following the controlling specification for URLs defined by WHATWG, urllib.parse() now removes ASCII newlines and tabs from URLs, preventing such attacks.

    bpo-43472: Ensures interpreter-level audit hooks receive the cpython.PyInterpreterState_New event when called through the _xxsubinterpreters module.

    bpo-36384: ipaddress module no longer accepts any leading zeros in IPv4 address strings. Leading zeros are ambiguous and interpreted as octal notation by some libraries. For example the legacy function socket.inet_aton() treats leading zeros as octal notation. The glibc implementation of modern inet_pton() does not accept any leading zeros. For a while the ipaddress module used to accept ambiguous leading zeros.

    bpo-43075: Fix Regular Expression Denial of Service (ReDoS) vulnerability in urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows causing a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.

    bpo-42800: Audit hooks are now fired for frame.f_code, traceback.tb_frame, and generator code/frame attribute access.

Core and Builtins

    bpo-43105: Importlib now resolves relative paths when creating module spec objects from file locations.

    bpo-42924: Fix bytearray repetition incorrectly copying data from the start of the buffer, even if the data is offset within the buffer (e.g. after reassigning a slice at the start of the bytearray to a shorter byte string).

Library

    bpo-43993: Update bundled pip to 21.1.1.

    bpo-43937: Fixed the turtle module working with non-default root window.

    bpo-43930: Update bundled pip to 21.1 and setuptools to 56.0.0

    bpo-43920: OpenSSL 3.0.0: load_verify_locations() now returns a consistent error message when cadata contains no valid certificate.

    bpo-43607: urllib can now convert Windows paths with \\?\ prefixes into URL paths.

    bpo-43284: platform.win32_ver derives the windows version from sys.getwindowsversion().platform_version which in turn derives the version from kernel32.dll (which can be of a different version than Windows itself). Therefore change the platform.win32_ver to determine the version using the platform module’s _syscmd_ver private function to return an accurate version.

    bpo-42248: [Enum] ensure exceptions raised in _missing__ are released

    bpo-43799: OpenSSL 3.0.0: define OPENSSL_API_COMPAT 1.1.1 to suppress deprecation warnings. Python requires OpenSSL 1.1.1 APIs.

    bpo-43794: Add ssl.OP_IGNORE_UNEXPECTED_EOF constants (OpenSSL 3.0.0)

    bpo-43789: OpenSSL 3.0.0: Don’t call the password callback function a second time when first call has signaled an error condition.

    bpo-43788: The header files for ssl error codes are now OpenSSL version-specific. Exceptions will now show correct reason and library codes. The make_ssl_data.py script has been rewritten to use OpenSSL’s text file with error codes.

    bpo-43655: tkinter dialog windows are now recognized as dialogs by window managers on macOS and X Window.

    bpo-43534: turtle.textinput() and turtle.numinput() now create a transient window working on behalf of the canvas window.

    bpo-43522: Fix problem with hostname_checks_common_name. OpenSSL does not copy hostflags from struct SSL_CTX to struct SSL.

    bpo-42967: Allow bytes separator argument in urllib.parse.parse_qs and urllib.parse.parse_qsl when parsing str query strings. Previously, this raised a TypeError.

    bpo-43176: Fixed processing of a dataclass that inherits from a frozen dataclass with no fields. It is now correctly detected as an error.

    bpo-41735: Fix thread locks in the zlib module that may go wrong in rare cases. Patch by Ma Lin.

    bpo-36470: Fix dataclasses with InitVars and replace(). Patch by Claudiu Popa.

    bpo-32745: Fix a regression in the handling of ctypes’ ctypes.c_wchar_p type: embedded null characters would cause a ValueError to be raised. Patch by Zackery Spytz.

Documentation

    bpo-43959: The documentation on the PyContextVar C-API was clarified.

    bpo-43938: Update dataclasses documentation to express that FrozenInstanceError is derived from AttributeError.

    bpo-43755: Update documentation to reflect that unparenthesized lambda expressions can no longer be the expression part in an if clause in comprehensions and generator expressions since Python 3.9.

    bpo-43739: Fixing the example code in Doc/extending/extending.rst to declare and initialize the pmodule variable to be of the right type.

Tests

    bpo-43961: Fix test_logging.test_namer_rotator_inheritance() on Windows: use os.replace() rather than os.rename(). Patch by Victor Stinner.

    bpo-43842: Fix a race condition in the SMTP test of test_logging. Don’t close a file descriptor (socket) from a different thread while asyncore.loop() is polling the file descriptor. Patch by Victor Stinner.

    bpo-43811: Tests multiple OpenSSL versions on GitHub Actions. Use ccache to speed up testing.

    bpo-43791: OpenSSL 3.0.0: Disable testing of legacy protocols TLS 1.0 and 1.1. Tests are failing with TLSV1_ALERT_INTERNAL_ERROR.

Windows

    bpo-35306: Avoid raising errors from pathlib.Path.exists() when passed an invalid filename.

    bpo-38822: Fixed os.stat() failing on inaccessible directories with a trailing slash, rather than falling back to the parent directory’s metadata. This implicitly affected os.path.exists() and os.path.isdir().

    bpo-26227: Fixed decoding of host names in socket.gethostbyaddr() and socket.gethostbyname_ex().

    bpo-40432: Updated pegen regeneration script on Windows to find and use Python 3.8 or higher. Prior to this, pegen regeneration already required 3.8 or higher, but the script may have used lower versions of Python.

    bpo-43745: Actually updates Windows release to OpenSSL 1.1.1k. Earlier releases were mislabelled and actually included 1.1.1i again.

    bpo-43492: Upgrade Windows installer to use SQLite 3.35.5.

macOS

    bpo-42119: Fix check for macOS SDK paths when building Python. Narrow search to match contents of SDKs, namely only files in /System/Library, /System/IOSSupport, and /usr other than /usr/local. Previously, anything under /System was assumed to be in an SDK which causes problems with the new file system layout in 10.15+ where user file systems may appear to be mounted under /System. Paths in /Library were also incorrectly treated as SDK locations.

    bpo-44009: Provide “python3.x-intel64” executable to allow reliably forcing macOS universal2 framework builds to run under Rosetta 2 Intel-64 emulation on Apple Silicon Macs. This can be useful for testing or when universal2 wheels are not yet available.

    bpo-43492: Update macOS installer to use SQLite 3.35.4.

IDLE

    bpo-43655: IDLE dialog windows are now recognized as dialogs by window managers on macOS and X Window.

Contains several security fixes

comment:3 by Bruce Dubbs, 4 years ago

Milestone: 11.0

comment:4 by Douglas R. Reno, 4 years ago

Resolution: fixed
Status: assigned → closed