Changelog

Python 3.6.15 final

Release date: 2021-09-03

Security

  • bpo-44394: Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to get the fix for the CVE-2013-0340 “Billion Laughs” vulnerability. This copy is most used on Windows and macOS.

  • bpo-43124: Made the internal putcmd function in smtplib sanitize input for presence of \r and \n characters to avoid (unlikely) command injection.

Library

  • bpo-45001: Made email date parsing more robust against malformed input, namely a whitespace-only Date: header. Patch by Wouter Bolsterlee.

Tests

  • bpo-38965: Fix test_faulthandler on GCC 10. Use the “volatile” keyword in faulthandler._stack_overflow() to prevent tail call optimization on any compiler, rather than relying on compiler specific pragma.

Python 3.6.14 final

Release date: 2021-06-28

Security

  • bpo-44022: http.client now avoids infinitely reading potential HTTP headers after a 100 Continue status response from the server.

  • bpo-43882: The presence of newline or tab characters in parts of a URL could allow some forms of attacks.

    Following the controlling specification for URLs defined by WHATWG urllib.parse() now removes ASCII newlines and tabs from URLs, preventing such attacks.

  • bpo-42988: CVE-2021-3426: Remove the getfile feature of the pydoc module which could be abused to read arbitrary files on the disk (directory traversal vulnerability). Moreover, even source code of Python modules can contain sensitive data like passwords. Vulnerability reported by David Schwörer.

  • bpo-43285: ftplib no longer trusts the IP address value returned from the server in response to the PASV command by default. This prevents a malicious FTP server from using the response to probe IPv4 address and port combinations on the client network.

    Code that requires the former vulnerable behavior may set a trust_server_pasv_ipv4_address attribute on their ftplib.FTP instances to True to re-enable it.

  • bpo-43075: Fix Regular Expression Denial of Service (ReDoS) vulnerability in urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.

Python 3.6.13 final

Release date: 2021-02-15

Security

  • bpo-42967: Fix web cache poisoning vulnerability by defaulting the query args separator to &, and allowing the user to choose a custom separator.

  • bpo-42938: Avoid static buffers when computing the repr of ctypes.c_double and ctypes.c_longdouble values.

  • bpo-42103: Prevented potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format.

  • bpo-42051: The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities. This should not affect users as entity declarations are not used in regular plist files.

  • bpo-40791: Add volatile to the accumulator variable in hmac.compare_digest, making constant-time-defeating optimizations less likely.

Core and Builtins

  • bpo-35560: Fix an assertion error in format() in debug build for floating point formatting with “n” format, zero padding and small width. Release build is not impacted. Patch by Karthikeyan Singaravelan.

Library

  • bpo-42103: InvalidFileException and RecursionError are now the only errors caused by loading malformed binary Plist file (previously ValueError and TypeError could be raised in some specific cases).

Tests

  • bpo-42794: Update test_nntplib to use offical group name of news.aioe.org for testing. Patch by Dong-hee Na.

  • bpo-41944: Tests for CJK codecs no longer call eval() on content received via HTTP.

Python 3.6.12 final

Release date: 2020-08-15

Security

  • bpo-29778: Ensure python3.dll is loaded from correct locations when Python is embedded (CVE-2020-15523).

  • bpo-41004: CVE-2020-14422: The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface incorrectly generated constant hash values of 32 and 128 respectively. This resulted in always causing hash collisions. The fix uses hash() to generate hash values for the tuple of (address, mask length, network address).

  • bpo-39603: Prevent http header injection by rejecting control characters in http.client.putrequest(…).

Library

  • bpo-41288: Unpickling invalid NEWOBJ_EX opcode with the C implementation raises now UnpicklingError instead of crashing.

  • bpo-39017: Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907).

Python 3.6.11 final

Release date: 2020-06-27

There were no new changes in version 3.6.11.

Python 3.6.11 release candidate 1

Release date: 2020-06-17

Security

  • bpo-39073: Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks.

  • bpo-38576: Disallow control characters in hostnames in http.client, addressing CVE-2019-18348. Such potentially malicious header injection URLs now cause a InvalidURL to be raised.

  • bpo-39503: CVE-2020-8492: The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression which can be exploited by an attacker to cause a denial of service. Fix the regex to prevent the catastrophic backtracking. Vulnerability reported by Ben Caller and Matt Schwager.

  • bpo-39401: Avoid unsafe load of api-ms-win-core-path-l1-1-0.dll at startup on Windows 7.

Core and Builtins

  • bpo-39510: Fix segfault in readinto() method on closed BufferedReader.

  • bpo-39421: Fix possible crashes when operating with the functions in the heapq module and custom comparison operators.

Library

Python 3.6.10 final

Release date: 2019-12-18

macOS

  • bpo-38295: Prevent failure of test_relative_path in test_py_compile on macOS Catalina.

Python 3.6.10 release candidate 1

Release date: 2019-12-11

Security

  • bpo-38945: Newline characters have been escaped when performing uu encoding to prevent them from overflowing into to content section of the encoded file. This prevents malicious or accidental modification of data during the decoding process.

  • bpo-37228: Due to significant security concerns, the reuse_address parameter of asyncio.loop.create_datagram_endpoint() is no longer supported. This is because of the behavior of SO_REUSEADDR in UDP. For more details, see the documentation for loop.create_datagram_endpoint(). (Contributed by Kyle Stanley, Antoine Pitrou, and Yury Selivanov in bpo-37228.)

  • bpo-38804: Fixes a ReDoS vulnerability in http.cookiejar. Patch by Ben Caller.

  • bpo-38243: Escape the server title of xmlrpc.server.DocXMLRPCServer when rendering the document page as HTML. (Contributed by Dong-hee Na in bpo-38243.)

  • bpo-38174: Update vendorized expat library version to 2.2.8, which resolves CVE-2019-15903.

  • bpo-37461: Fix an infinite loop when parsing specially crafted email headers. Patch by Abhilash Raj.

  • bpo-34155: Fix parsing of invalid email addresses with more than one @ (e.g. a@b@c.com.) to not return the part before 2nd @ as valid email address. Patch by maxking & jpic.

Library

  • bpo-38216: Allow the rare code that wants to send invalid http requests from the http.client library a way to do so. The fixes for bpo-30458 led to breakage for some projects that were relying on this ability to test their own behavior in the face of bad requests.

  • bpo-36564: Fix infinite loop in email header folding logic that would be triggered when an email policy’s max_line_length is not long enough to include the required markup and any values in the message. Patch by Paul Ganssle

Python 3.6.9 final

Release date: 2019-07-02

Library

  • bpo-37437: Update vendorized expat version to 2.2.7.

macOS

  • bpo-34602: Avoid test suite failures on macOS by no longer calling resource.setrlimit to increase the process stack size limit at runtime. The runtime change is no longer needed since the interpreter is being built with a larger default stack size.

Python 3.6.9 release candidate 1

Release date: 2019-06-18

Security

  • bpo-35907: CVE-2019-9948: Avoid file reading by disallowing local-file:// and local_file:// URL schemes in URLopener().open() and URLopener().retrieve() of urllib.request.

  • bpo-36742: Fixes mishandling of pre-normalization characters in urlsplit().

  • bpo-30458: Address CVE-2019-9740 by disallowing URL paths with embedded whitespace or control characters through into the underlying http client request. Such potentially malicious header injection URLs now cause an http.client.InvalidURL exception to be raised.

  • bpo-36216: Changes urlsplit() to raise ValueError when the URL contains characters that decompose under IDNA encoding (NFKC-normalization) into characters that affect how the URL is parsed.

  • bpo-33529: Prevent fold function used in email header encoding from entering infinite loop when there are too many non-ASCII characters in a header.

  • bpo-35746: [CVE-2019-5010] Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL distribution points with empty DP or URI correctly. A malicious or buggy certificate can result into segfault. Vulnerability (TALOS-2018-0758) reported by Colin Read and Nicolas Edet of Cisco.

  • bpo-35121: Don’t send cookies of domain A without Domain attribute to domain B when domain A is a suffix match of domain B while using a cookiejar with http.cookiejar.DefaultCookiePolicy policy. Patch by Karthikeyan Singaravelan.

Library

  • bpo-35643: Fixed a SyntaxWarning: invalid escape sequence in Modules/_sha3/cleanup.py. Patch by Mickaël Schoentgen.

  • bpo-35121: Don’t set cookie for a request when the request path is a prefix match of the cookie’s path attribute but doesn’t end with “/”. Patch by Karthikeyan Singaravelan.

Documentation

  • bpo-35605: Fix documentation build for sphinx<1.6. Patch by Anthony Sottile.

  • bpo-35564: Explicitly set master_doc variable in conf.py for compliance with Sphinx 2.0

Tests

  • bpo-36816: Update Lib/test/selfsigned_pythontestdotnet.pem to match self-signed.pythontest.net’s new TLS certificate.

  • bpo-35925: Skip specific nntplib and ssl networking tests when they would otherwise fail due to a modern OS or distro with a default OpenSSL policy of rejecting connections to servers with weak certificates or disabling TLS below TLSv1.2.

  • bpo-27313: Avoid test_ttk_guionly ComboboxTest failure with macOS Cocoa Tk.

  • bpo-32947: test_ssl fixes for TLS 1.3 and OpenSSL 1.1.1.

macOS

  • bpo-34602: Avoid failures setting macOS stack resource limit with resource.setrlimit. This reverts an earlier fix for bpo-18075 which forced a non-default stack size when building the interpreter executable on macOS.

Python 3.6.8 final

Release date: 2018-12-23

Library

  • bpo-31715: Associate .mjs file extension with application/javascript MIME Type.

Build

  • bpo-35499: make profile-opt no longer replaces CFLAGS_NODIST with CFLAGS. It now adds profile-guided optimization (PGO) flags to CFLAGS_NODIST: existing CFLAGS_NODIST flags are kept.

  • bpo-35257: Avoid leaking the linker flags from Link Time Optimizations (LTO) into distutils when compiling C extensions.

C API

Python 3.6.8 release candidate 1

Release date: 2018-12-11

Security

  • bpo-34812: The -I command line option (run Python in isolated mode) is now also copied by the multiprocessing and distutils modules when spawning child processes. Previously, only -E and -s options (enabled by -I) were copied.

  • bpo-34791: The xml.sax and xml.dom.domreg no longer use environment variables to override parser implementations when sys.flags.ignore_environment is set by -E or -I arguments.

Core and Builtins

  • bpo-35444: Fixed error handling in pickling methods when fail to look up builtin “getattr”.

  • bpo-35436: Fix various issues with memory allocation error handling. Patch by Zackery Spytz.

  • bpo-35357: Internal attributes’ names of unittest.mock._Call and unittest.mock.MagicProxy (name, parent & from_kall) are now prefixed with _mock_ in order to prevent clashes with widely used object attributes. Fixed minor typo in test function name.

  • bpo-35372: Fixed the code page decoder for input longer than 2 GiB containing undecodable bytes.

  • bpo-33954: For str.format(), float.__format__() and complex.__format__() methods for non-ASCII decimal point when using the “n” formatter.

  • bpo-35214: Fixed an out of bounds memory access when parsing a truncated unicode escape sequence at the end of a string such as '\N'. It would read one byte beyond the end of the memory allocation.

  • bpo-35214: The interpreter and extension modules have had annotations added so that they work properly under clang’s Memory Sanitizer. A new configure flag –with-memory-sanitizer has been added to make test builds of this nature easier to perform.

  • bpo-35193: Fix an off by one error in the bytecode peephole optimizer where it could read bytes beyond the end of bounds of an array when removing unreachable code. This bug was present in every release of Python 3.6 until now.

  • bpo-29341: Clarify in the docstrings of os methods that path-like objects are also accepted as input parameters.

  • bpo-35050: socket: Fix off-by-one bug in length check for AF_ALG name and type.

  • bpo-34974: bytes and bytearray constructors no longer convert unexpected exceptions (e.g. MemoryError and KeyboardInterrupt) to TypeError.

  • bpo-34973: Fixed crash in bytes() when the list argument is mutated while it is iterated.

  • bpo-34824: Fix a possible null pointer dereference in Modules/_ssl.c. Patch by Zackery Spytz.

  • bpo-1621: Do not assume signed integer overflow behavior (C undefined behavior) when performing set hash table resizing.

Library

  • bpo-35052: Fix xml.dom.minidom cloneNode() on a document with an entity: pass the correct arguments to the user data handler of an entity.

  • bpo-35330: When a Mock instance was used to wrap an object, if side_effect is used in one of the mocks of it methods, don’t call the original implementation and return the result of using the side effect the same way that it is done with return_value.

  • bpo-34172: Revert the fix for this issue previously released in 3.6.7 pending further investigation: Fix a reference issue inside multiprocessing.Pool that caused the pool to remain alive if it was deleted without being closed or terminated explicitly.

  • bpo-10496: posixpath.expanduser() now returns the input path unchanged if the HOME environment variable is not set and the current user has no home directory (if the current user identifier doesn’t exist in the password database). This change fix the site module if the current user doesn’t exist in the password database (if the user has no home directory).

  • bpo-35310: Fix a bug in select.select() where, in some cases, the file descriptor sequences were returned unmodified after a signal interruption, even though the file descriptors might not be ready yet. select.select() will now always return empty lists if a timeout has occurred. Patch by Oran Avraham.

  • bpo-35380: Enable TCP_NODELAY on Windows for proactor asyncio event loop.

  • bpo-35371: Fixed possible crash in os.utime() on Windows when pass incorrect arguments.

  • bpo-27903: Fix ResourceWarning in platform.dist() on SuSE and Caldera OpenLinux. Patch by Ville Skyttä.

  • bpo-28604: locale.localeconv() now sets temporarily the LC_CTYPE locale to the LC_MONETARY locale if the two locales are different and monetary strings are non-ASCII. This temporary change affects other threads.

  • bpo-35277: Update ensurepip to install pip 18.1 and setuptools 40.6.2.

  • bpo-35226: Recursively check arguments when testing for equality of unittest.mock.call objects and add note that tracking of parameters used to create ancestors of mocks in mock_calls is not possible.

  • bpo-35189: Modify the following fnctl function to retry if interrupted by a signal (EINTR): flock, lockf, fnctl

  • bpo-35062: Fix incorrect parsing of _io.IncrementalNewlineDecoder’s translate argument.

  • bpo-35079: Improve difflib.SequenceManager.get_matching_blocks doc by adding ‘non-overlapping’ and changing ‘!=’ to ‘<’.

  • bpo-35017: socketserver.BaseServer.serve_forever() now exits immediately if it’s shutdown() method is called while it is polling for new events.

  • bpo-31047: Fix ntpath.abspath regression where it didn’t remove a trailing separator on Windows. Patch by Tim Graham.

  • bpo-34794: Fixed a leak in Tkinter when pass the Python wrapper around Tcl_Obj back to Tcl/Tk.

  • bpo-35008: Fixed references leaks when call the __setstate__() method of xml.etree.ElementTree.Element in the C implementation for already initialized element.

  • bpo-23420: Verify the value for the parameter ‘-s’ of the cProfile CLI. Patch by Robert Kuska

  • bpo-16965: The 2to3 execfile fixer now opens the file with mode 'rb'. Patch by Zackery Spytz.

  • bpo-34966: pydoc now supports aliases not only to methods defined in the end class, but also to inherited methods. The docstring is not duplicated for aliases.

  • bpo-34941: Methods find(), findtext() and findall() of the Element class in the xml.etree.ElementTree module are now able to find children which are instances of Element subclasses.

  • bpo-34936: Fix TclError in tkinter.Spinbox.selection_element(). Patch by Juliette Monsel.

  • bpo-34900: Fixed unittest.TestCase.debug() when used to call test methods with subtests. Patch by Bruno Oliveira.

  • bpo-34866: Adding max_num_fields to cgi.FieldStorage to make DOS attacks harder by limiting the number of MiniFieldStorage objects created by FieldStorage.

  • bpo-34738: ZIP files created by distutils will now include entries for directories.

  • bpo-31177: Fix bug that prevented using reset_mock on mock instances with deleted attributes

  • bpo-34604: Fix possible mojibake in the error message of pwd.getpwnam and grp.getgrnam using string representation because of invisible characters or trailing whitespaces. Patch by William Grzybowski.

  • bpo-34574: OrderedDict iterators are not exhausted during pickling anymore. Patch by Sergey Fedoseev.

  • bpo-34052: sqlite3.Connection.create_aggregate(), sqlite3.Connection.create_function(), sqlite3.Connection.set_authorizer(), sqlite3.Connection.set_progress_handler() methods raises TypeError when unhashable objects are passed as callable. These methods now don’t pass such objects to SQLite API. Previous behavior could lead to segfaults. Patch by Sergey Fedoseev.

  • bpo-29877: compileall: import ProcessPoolExecutor only when needed, preventing hangs on low resource platforms

  • bpo-22005: Implemented unpickling instances of datetime, date and time pickled by Python 2. encoding='latin1' should be used for successful decoding.

Documentation

  • bpo-35089: Remove mention of typing.io and typing.re. Their types should be imported from typing directly.

  • bpo-35038: Fix the documentation about an unexisting f_restricted attribute in the frame object. Patch by Stéphane Wirtel

  • bpo-35035: Rename documentation for email.utils to email.utils.rst.

  • bpo-34967: Use app.add_object_type() instead of the deprecated Sphinx function app.description_unit()

  • bpo-33594: Document getargspec, from_function and from_builtin as deprecated in their respective docstring, and include version since deprecation in DeprecationWarning message.

  • bpo-32613: Update the faq/windows.html to use the py command from PEP 397 instead of python.

Tests

  • bpo-33725: test_multiprocessing_fork may crash on recent versions of macOS. Until the issue is resolved, skip the test on macOS.

  • bpo-35352: Modify test_asyncio to use the certificate set from the test directory.

  • bpo-35317: Fix mktime() overflow error in test_email: run test_localtime_daylight_true_dst_true() and test_localtime_daylight_false_dst_true() with a specific timezone.

  • bpo-21263: After several reports that test_gdb does not work properly on macOS and since gdb is not shipped by default anymore, test_gdb is now skipped on macOS when LLVM Clang has been used to compile Python. Patch by Lysandros Nikolaou

  • bpo-34279: regrtest issue a warning when no tests have been executed in a particular test file. Also, a new final result state is issued if no test have been executed across all test files. Patch by Pablo Galindo.

Build

  • bpo-35351: When building Python with clang and LTO, LTO flags are no longer passed into CFLAGS to build third-party C extensions through distutils.

  • bpo-35139: Fix a compiler error when statically linking pyexpat in Modules/Setup.

  • bpo-35011: Restores the use of pyexpatns.h to isolate our embedded copy of the expat C library so that its symbols do not conflict at link or dynamic loading time with an embedding application or other extension modules with their own version of libexpat.

  • bpo-28015: Have –with-lto works correctly with clang.

  • bpo-33015: Fix an undefined behaviour in the pthread implementation of PyThread_start_new_thread(): add a function wrapper to always return NULL.

  • bpo-31625: Stop using ranlib on static libraries. Instead, we assume ar supports the ‘s’ flag.

  • bpo-31354: Allow –with-lto to be used on all builds, not just make profile-opt.

Windows

  • bpo-35401: Updates Windows build to OpenSSL 1.0.2q

  • bpo-32890: Fix usage of GetLastError() instead of errno in os.execve() and os.truncate().

macOS

  • bpo-15663: The macOS 10.6+ installer now provides a private copy of Tcl/Tk 8.6, like the 10.9+ installer does.

  • bpo-35402: Update macOS installer to use Tcl/Tk 8.6.9.1. [NOTE: This change was reverted for the released python.org 3.6.8 macOS installers due to regressions found in Tk 8.6.9.1. For now, the installers provide Tcl/Tk 8.6.8.]

  • bpo-35401: Update macOS installer to use OpenSSL 1.0.2q.

  • bpo-35025: Properly guard the use of the CLOCK_GETTIME et al. macros in timemodule on macOS.

  • bpo-24658: On macOS, fix reading from and writing into a file with a size larger than 2 GiB.

IDLE

  • bpo-35213: Where appropriate, use ‘macOS’ in idlelib.

  • bpo-34864: On macOS, warn if the system preference “Prefer tabs when opening documents” is set to “Always”.

  • bpo-34864: Document two IDLE on MacOS issues. The System Preferences Dock “prefer tabs always” setting disables some IDLE features. Menus are a bit different than as described for Windows and Linux.

  • bpo-35202: Remove unused imports from lib/idlelib

  • bpo-33000: Document that IDLE’s shell has no line limit. A program that runs indefinitely can overfill memory.

  • bpo-23220: Explain how IDLE’s Shell displays output.

  • bpo-35099: Improve the doc about IDLE running user code. The section is renamed from “IDLE – console differences” is renamed “Running user code”. It mostly covers the implications of using custom sys.stdxxx objects.

  • bpo-35097: Add IDLE doc subsection explaining editor windows. Topics include opening, title and status bar, .py* extension, and running.

  • bpo-35093: Document the IDLE document viewer in the IDLE doc. Add a paragraph in “Help and preferences”, “Help sources” subsection.

  • bpo-35088: Update idlelib.help.copy_string docstring. We now use git and backporting instead of hg and forward merging.

  • bpo-35087: Update idlelib help files for the current doc build. The main change is the elimination of chapter-section numbers.

Tools/Demos

  • bpo-34989: python-gdb.py now handles errors on computing the line number of a Python frame.

Python 3.6.7 final

Release date: 2018-10-20

There were no new changes in version 3.6.7.

Python 3.6.7 release candidate 2

Release date: 2018-10-13

Core and Builtins

  • bpo-34879: Fix a possible null pointer dereference in bytesobject.c. Patch by Zackery Spytz.

  • bpo-34320: Fix dict(od) didn’t copy iteration order of OrderedDict.

Library

  • bpo-34769: Fix for async generators not finalizing when event loop is in debug mode and garbage collector runs in another thread.

  • bpo-34922: Fixed integer overflow in the digest() and hexdigest() methods for the SHAKE algorithm in the hashlib module.

  • bpo-34871: Fix inspect module polluted sys.modules when parsing __text_signature__ of callable.

  • bpo-34872: Fix self-cancellation in C implementation of asyncio.Task

  • bpo-34819: Use a monotonic clock to compute timeouts in Executor.map() and as_completed(), in order to prevent timeouts from deviating when the system clock is adjusted.

  • bpo-34521: Use socket.CMSG_SPACE() to calculate ancillary data size instead of socket.CMSG_LEN() in multiprocessing.reduction.recvfds() as RFC 3542 requires the use of the former for portable applications.

  • bpo-34282: Fix enum members getting shadowed by parent attributes.

  • bpo-34172: Fix a reference issue inside multiprocessing.Pool that caused the pool to remain alive if it was deleted without being closed or terminated explicitly.

  • bpo-33729: Fixed issues with arguments parsing in hashlib.

Documentation

  • bpo-32174: chm document displays non-ASCII charaters properly on some MBCS Windows systems.

Tests

  • bpo-32962: Fixed test_gdb when Python is compiled with flags -mcet -fcf-protection -O0.

macOS

  • bpo-34370: Revert to using the released Tk 8.6.8 with macOS installers instead of the Tk 8.6.x development snapshot used with 3.7.1rc1 and 3.6.7rc1. The snapshot introduced at least one significant regression (bpo-34927).

C API

Python 3.6.7 release candidate 1

Release date: 2018-09-26

Security

  • bpo-17239: The xml.sax and xml.dom.minidom parsers no longer processes external entities by default. External DTD and ENTITY declarations no longer load files or create network connections.

  • bpo-34623: CVE-2018-14647: The C accelerated _elementtree module now initializes hash randomization salt from _Py_HashSecret instead of libexpat’s default CSPRNG.

  • bpo-34405: Updated to OpenSSL 1.0.2p for Windows builds.

  • bpo-33871: Fixed sending the part of the file in os.sendfile() on macOS. Using the trailers argument could cause sending more bytes from the input file than was specified.

  • bpo-32533: Fixed thread-safety of error handling in _ssl.

Core and Builtins

  • bpo-34735: Fix a memory leak in Modules/timemodule.c. Patch by Zackery Spytz.

  • bpo-34588: Fix an off-by-one in the recursive call pruning feature of traceback formatting.

  • bpo-34527: On FreeBSD, Py_DecodeLocale() and Py_EncodeLocale() now also forces the ASCII encoding if the LC_CTYPE locale is “POSIX”, not only if the LC_CTYPE locale is “C”.

  • bpo-34400: Fix undefined behavior in parsetok.c. Patch by Zackery Spytz.

  • bpo-34377: Update valgrind suppression list to use _PyObject_Free/_PyObject_Realloc instead of PyObject_Free/PyObject_Realloc.

  • bpo-24618: Fixed reading invalid memory when create the code object with too small varnames tuple or too large argument counts.

  • bpo-34068: In io.IOBase.close(), ensure that the closed attribute is not set with a live exception. Patch by Zackery Spytz and Serhiy Storchaka.

  • bpo-34080: Fixed a memory leak in the compiler when it raised some uncommon errors during tokenizing.

  • bpo-34066: Disabled interruption by Ctrl-C between calling open() and entering a with block in with open().

  • bpo-33956: Update vendored Expat library copy to version 2.2.5.

  • bpo-24596: Decref the module object in PyRun_SimpleFileExFlags() before calling PyErr_Print(). Patch by Zackery Spytz.

  • bpo-33451: Close directly executed pyc files before calling PyEval_EvalCode().

  • bpo-33312: Fixed clang ubsan (undefined behavior sanitizer) warnings in dictobject.c by adjusting how the internal struct _dictkeysobject shared keys structure is declared.

  • bpo-25750: Fix rare Python crash due to bad refcounting in type_getattro() if a descriptor deletes itself from the class. Patch by Jeroen Demeyer.

  • bpo-25862: Fix assertion failures in the tell() method of io.TextIOWrapper. Patch by Zackery Spytz.

Library

  • bpo-34670: Add SSLContext.post_handshake_auth and SSLSocket.verify_client_post_handshake for TLS 1.3’s post handshake authentication feature.

  • bpo-34652: Ensure os.lchmod() is never defined on Linux.

  • bpo-34625: Update vendorized expat library version to 2.2.6.

  • bpo-32270: The subprocess module no longer mistakenly closes redirected fds even when they were in pass_fds when outside of the default {0, 1, 2} set.

  • bpo-34610: Fixed iterator of multiprocessing.managers.DictProxy.

  • bpo-34421: Fix distutils logging for non-ASCII strings. This caused installation issues on Windows.

  • bpo-34604: Fix possible mojibake in the error message of pwd.getpwnam and grp.getgrnam. Patch by William Grzybowski.

  • bpo-34530: distutils.spawn.find_executable() now falls back on os.defpath if the PATH environment variable is not set.

  • bpo-34563: On Windows, fix multiprocessing.Connection for very large read: fix _winapi.PeekNamedPipe() and _winapi.ReadFile() for read larger than INT_MAX (usually 2^31-1).

  • bpo-13312: Avoids a possible integer underflow (undefined behavior) in the time module’s year handling code when passed a very low negative year value.

  • bpo-34472: Improved compatibility for streamed files in zipfile. Previously an optional signature was not being written and certain ZIP applications were not supported. Patch by Silas Sewell.

  • bpo-6700: Fix inspect.getsourcelines for module level frames/tracebacks. Patch by Vladimir Matveev.

  • bpo-32947: Add OP_ENABLE_MIDDLEBOX_COMPAT and test workaround for TLSv1.3 for future compatibility with OpenSSL 1.1.1.

  • bpo-34341: Appending to the ZIP archive with the ZIP64 extension no longer grows the size of extra fields of existing entries.

  • bpo-18540: The imaplib.IMAP4 and imaplib.IMAP4_SSL classes now resolve to the local host IP correctly when the default value of host parameter ('') is used.

  • bpo-34246: smtplib.SMTP.send_message() no longer modifies the content of the mail_options argument. Patch by Pablo S. Blum de Aguiar.

  • bpo-31047: Fix ntpath.abspath for invalid paths on windows. Patch by Franz Woellert.

  • bpo-34263: asyncio’s event loop will not pass timeouts longer than one day to epoll/select etc.

  • bpo-32215: Fix performance regression in sqlite3 when a DML statement appeared in a different line than the rest of the SQL query.

  • bpo-19891: Ignore errors caused by missing / non-writable homedir while writing history during exit of an interactive session. Patch by Anthony Sottile.

  • bpo-940286: pydoc’s Helper.showtopic() method now prints the cross references of a topic correctly.

  • bpo-34164: base64.b32decode() could raise UnboundLocalError or OverflowError for incorrect padding. Now it always raises base64.Error in these cases.

  • bpo-33967: functools.singledispatch now raises TypeError instead of IndexError when no positional arguments are passed.

  • bpo-34054: The multiprocessing module now uses the monotonic clock time.monotonic() instead of the system clock time.time() to implement timeout.

  • bpo-34010: Fixed a performance regression for reading streams with tarfile. The buffered read should use a list, instead of appending to a bytes object.

  • bpo-34019: webbrowser: Correct the arguments passed to Opera Browser when opening a new URL using the webbrowser module. Patch by Bumsik Kim.

  • bpo-33978: Closed existing logging handlers before reconfiguration via fileConfig and dictConfig. Patch by Karthikeyan Singaravelan.

  • bpo-14117: Make minor tweaks to turtledemo. The ‘wikipedia’ example is now ‘rosette’, decribing what it draws. The ‘penrose’ print output is reduced. The’1024’ output of ‘tree’ is eliminated.

  • bpo-33974: Fixed passing lists and tuples of strings containing special characters ", \, {, } and \n as options to ttk widgets.

  • bpo-27500: Fix getaddrinfo to resolve IPv6 addresses correctly.

  • bpo-24567: Improve random.choices() to handle subnormal input weights that could occasionally trigger an IndexError.

  • bpo-33871: Fixed integer overflow in os.readv() and os.writev() and in os.sendfile() with headers or trailers arguments (on BSD-based OSes and macOS).

  • bpo-33899: Tokenize module now implicitly emits a NEWLINE when provided with input that does not have a trailing new line. This behavior now matches what the C tokenizer does internally. Contributed by Ammar Askar.

  • bpo-33916: bz2 and lzma: When Decompressor.__init__() is called twice, free the old lock to not leak memory.

  • bpo-32568: Make select.epoll() and its documentation consistent regarding sizehint and flags.

  • bpo-33663: Convert content length to string before putting to header.

  • bpo-26544: Fixed implementation of platform.libc_ver(). It almost always returned version ‘2.9’ for glibc.

  • bpo-27397: Make email module properly handle invalid-length base64 strings.

  • bpo-33476: Fix _header_value_parser.py when address group is missing final ‘;’. Contributed by Enrique Perez-Terron

  • bpo-33570: Change TLS 1.3 cipher suite settings for compatibility with OpenSSL 1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by default.

  • bpo-33365: Print the header values besides the header keys instead just the header keys if debuglevel is set to >0 in http.client. Patch by Marco Strigl.

  • bpo-33336: imaplib now allows MOVE command in IMAP4.uid() (RFC 6851: IMAP MOVE Extension) and potentially as a name of supported method of IMAP4 object.

  • bpo-32356: asyncio.transport.resume_reading() and pause_reading() are now idempotent.

  • bpo-31608: Raise a TypeError instead of crashing if a collections.deque subclass returns a non-deque from __new__. Patch by Oren Milman.

  • bpo-29456: Fix bugs in hangul normalization: u1176, u11a7 and u11c3

Documentation

  • bpo-28617: Fixed info in the stdtypes docs concerning the types that support membership tests.

  • bpo-34065: Fix wrongly written basicConfig documentation markup syntax

  • bpo-33847: Add ‘@’ operator entry to index.

  • bpo-25041: Document AF_PACKET in the socket module.

Tests

  • bpo-34587: test_socket: Remove RDSTest.testCongestion(). The test tries to fill the receiver’s socket buffer and expects an error. But the RDS protocol doesn’t require that. Moreover, the Linux implementation of RDS expects that the producer of the messages reduces its rate, it’s not the role of the receiver to trigger an error. The test fails on Fedora 28 by design, so just remove it.

  • bpo-34661: Fix test_shutil if unzip doesn’t support -t.

  • bpo-34200: Fixed non-deterministic flakiness of test_pkg by not using the scary test.support.module_cleanup() logic to save and restore sys.modules contents between test cases.

  • bpo-34594: Fix usage of hardcoded errno values in the tests.

  • bpo-34542: Use 3072 RSA keys and SHA-256 signature for test certs and keys.

  • bpo-34391: Fix ftplib test for TLS 1.3 by reading from data socket.

  • bpo-34399: Update all RSA keys and DH params to use at least 2048 bits.

  • bpo-33746: Fix test_unittest when run in verbose mode.

  • bpo-33901: Fix test_dbm_gnu on macOS with gdbm 1.15: add a larger value to make sure that the file size changes.

  • bpo-33873: Fix a bug in regrtest that caused an extra test to run if –huntrleaks/-R was used. Exit with error in case that invalid parameters are specified to –huntrleaks/-R (at least one warmup run and one repetition must be used).

  • bpo-32663: Making sure the SMTPUTF8SimTests class of tests gets run in test_smtplib.py.

Build

  • bpo-34710: Fixed SSL module build with OpenSSL & pedantic CFLAGS.

  • bpo-34582: Add JUnit XML output for regression tests and update Azure DevOps builds.

  • bpo-34121: Fix detection of C11 atomic support on clang.

  • bpo-30345: Add -g to LDFLAGS when compiling with LTO to get debug symbols.

Windows

  • bpo-34770: Fix a possible null pointer dereference in pyshellext.cpp.

  • bpo-34603: Fix returning structs from functions produced by MSVC

  • bpo-34225: Ensure INCLUDE and LIB directories do not end with a backslash.

  • bpo-34006: Revert line length limit for Windows help docs. The line-length limit is not needed because the pages appear in a separate app rather than on a browser tab. It can also interact badly with the DPI setting.

  • bpo-31546: Restore running PyOS_InputHook while waiting for user input at the prompt. The restores integration of interactive GUI windows (such as Matplotlib figures) with the prompt on Windows.

  • bpo-30237: Output error when ReadConsole is canceled by CancelSynchronousIo instead of crashing.

  • bpo-29097: Fix bug where datetime.fromtimestamp() erronously throws an OSError on Windows for values between 0 and 86400. Patch by Ammar Askar.

macOS

  • bpo-34370: Have macOS 10.9+ installer builds for 3.7.1rc and 3.6.7rc use a development snapshot of Tk 8.6 (post-8.6.8) to mitigate certain scroller issues seen with IDLE and tkinter apps.

  • bpo-34405: Update to OpenSSL 1.0.2p for macOS installer builds.

  • bpo-31903: In _scproxy, drop the GIL when calling into SystemConfiguration to avoid deadlocks.

IDLE

  • bpo-34548: Use configured color theme for read-only text views.

  • bpo-1529353: Enable “squeezing” of long outputs in the shell, to avoid performance degradation and to clean up the history without losing it. Squeezed outputs may be copied, viewed in a separate window, and “unsqueezed”.

  • bpo-34047: Fixed mousewheel scrolling direction on macOS.

  • bpo-34275: Make IDLE calltips always visible on Mac. Some MacOS-tk combinations need .update_idletasks(). Patch by Kevin Walzer.

  • bpo-34120: Fix unresponsiveness after closing certain windows and dialogs.

  • bpo-33975: Avoid small type when running htests. Since part of the purpose of human-viewed tests is to determine that widgets look right, it is important that they look the same for testing as when running IDLE.

  • bpo-33905: Add test for idlelib.stackview.StackBrowser.

  • bpo-33924: Change mainmenu.menudefs key ‘windows’ to ‘window’. Every other menudef key is lowercase version of main menu entry.

  • bpo-33906: Rename idlelib.windows as window Match Window on the main menu and remove last plural module name.

  • bpo-33917: Fix and document idlelib/idle_test/template.py. The revised file compiles, runs, and tests OK. idle_test/README.txt explains how to use it to create new IDLE test files.

  • bpo-33904: IDLE: In rstrip, rename class RstripExtension as Rstrip

  • bpo-33907: For consistency and clarity, rename an IDLE module and classes. Module calltips and its class CallTips are now calltip and Calltip. In module calltip_w, class CallTip is now CalltipWindow.

  • bpo-33856: Add “help” in the welcome message of IDLE

  • bpo-33839: IDLE: refactor ToolTip and CallTip and add documentation and tests

  • bpo-33855: Minimally test all IDLE modules. Add missing files, import module, instantiate classes, and check coverage. Check existing files.

Tools/Demos

  • bpo-32962: python-gdb now catches UnicodeDecodeError exceptions when calling string().

  • bpo-32962: python-gdb now catches ValueError on read_var(): when Python has no debug symbols for example.

C API

Python 3.6.6 final

Release date: 2018-06-27

There were no new changes in version 3.6.6.

Python 3.6.6 release candidate 1

Release date: 2018-06-11

Core and Builtins

  • bpo-33786: Fix asynchronous generators to handle GeneratorExit in athrow() correctly

  • bpo-30654: Fixed reset of the SIGINT handler to SIG_DFL on interpreter shutdown even when there was a custom handler set previously. Patch by Philipp Kerling.

  • bpo-33622: Fixed a leak when the garbage collector fails to add an object with the __del__ method or referenced by it into the gc.garbage list. PyGC_Collect() can now be called when an exception is set and preserves it.

  • bpo-31849: Fix signed/unsigned comparison warning in pyhash.c.

  • bpo-33391: Fix a leak in set_symmetric_difference().

  • bpo-28055: Fix unaligned accesses in siphash24(). Patch by Rolf Eike Beer.

  • bpo-33231: Fix potential memory leak in normalizestring().

  • bpo-29922: Improved error messages in ‘async with’ when __aenter__() or __aexit__() return non-awaitable object.

  • bpo-33199: Fix ma_version_tag in dict implementation is uninitialized when copying from key-sharing dict.

  • bpo-33041: Fixed jumping when the function contains an async for loop.

  • bpo-32282: Fix an unnecessary ifdef in the include of VersionHelpers.h in socketmodule on Windows.

  • bpo-21983: Fix a crash in ctypes.cast() in case the type argument is a ctypes structured data type. Patch by Eryk Sun and Oren Milman.

Library

  • bpo-30167: Prevent site.main() exception if PYTHONSTARTUP is set. Patch by Steve Weber.

  • bpo-33812: Datetime instance d with non-None tzinfo, but with d.tzinfo.utcoffset(d) returning None is now treated as naive by the astimezone() method.

  • bpo-30805: Avoid race condition with debug logging

  • bpo-33767: The concatenation (+) and repetition (*) sequence operations now raise TypeError instead of SystemError when performed on mmap.mmap objects. Patch by Zackery Spytz.

  • bpo-32684: Fix gather to propagate cancellation of itself even with return_exceptions.

  • bpo-33674: Fix a race condition in SSLProtocol.connection_made() of asyncio.sslproto: start immediately the handshake instead of using call_soon(). Previously, data_received() could be called before the handshake started, causing the handshake to hang or fail.

  • bpo-31647: Fixed bug where calling write_eof() on a _SelectorSocketTransport after it’s already closed raises AttributeError.

  • bpo-33672: Fix Task.__repr__ crash with Cython’s bogus coroutines

  • bpo-33469: Fix RuntimeError after closing loop that used run_in_executor

  • bpo-11874: Use a better regex when breaking usage into wrappable parts. Avoids bogus assertion errors from custom metavar strings.

  • bpo-30877: Fixed a bug in the Python implementation of the JSON decoder that prevented the cache of parsed strings from clearing after finishing the decoding. Based on patch by c-fos.

  • bpo-33548: tempfile._candidate_tempdir_list should consider common TEMP locations

  • bpo-33542: Prevent uuid.get_node from using a DUID instead of a MAC on Windows. Patch by Zvi Effron

  • bpo-26819: Fix race condition with ReadTransport.resume_reading in Windows proactor event loop.

  • bpo-28556: Minor fixes in typing module: add annotations to NamedTuple.__new__, pass *args and **kwds in Generic.__new__. Original PRs by Paulius Šarka and Chad Dombrova.

  • bpo-20087: Updated alias mapping with glibc 2.27 supported locales.

  • bpo-33422: Fix trailing quotation marks getting deleted when looking up byte/string literals on pydoc. Patch by Andrés Delfino.

  • bpo-33197: Update error message when constructing invalid inspect.Parameters Patch by Dong-hee Na.

  • bpo-33383: Fixed crash in the get() method of the dbm.ndbm database object when it is called with a single argument.

  • bpo-33329: Fix multiprocessing regression on newer glibcs

  • bpo-991266: Fix quoting of the Comment attribute of http.cookies.SimpleCookie.

  • bpo-33131: Upgrade bundled version of pip to 10.0.1.

  • bpo-33308: Fixed a crash in the parser module when converting an ST object to a tree of tuples or lists with line_info=False and col_info=True.

  • bpo-33263: Fix FD leak in _SelectorSocketTransport Patch by Vlad Starostin.

  • bpo-33256: Fix display of <module> call in the html produced by cgitb.html(). Patch by Stéphane Blondon.

  • bpo-33203: random.Random.choice() now raises IndexError for empty sequences consistently even when called from subclasses without a getrandbits() implementation.

  • bpo-33224: Update difflib.mdiff() for PEP 479. Convert an uncaught StopIteration in a generator into a return-statement.

  • bpo-33209: End framing at the end of C implementation of pickle.Pickler.dump().

  • bpo-32861: The urllib.robotparser’s __str__ representation now includes wildcard entries and the “Crawl-delay” and “Request-rate” fields. Patch by Michael Lazar.

  • bpo-33096: Allow ttk.Treeview.insert to insert iid that has a false boolean value. Note iid=0 and iid=False would be same. Patch by Garvit Khatri.

  • bpo-33127: The ssl module now compiles with LibreSSL 2.7.1.

  • bpo-33021: Release the GIL during fstat() calls, avoiding hang of all threads when calling mmap.mmap(), os.urandom(), and random.seed(). Patch by Nir Soffer.

  • bpo-27683: Fix a regression in ipaddress that result of hosts() is empty when the network is constructed by a tuple containing an integer mask and only 1 bit left for addresses.

  • bpo-32844: Fix wrong redirection of a low descriptor (0 or 1) to stderr in subprocess if another low descriptor is closed.

  • bpo-31908: Fix output of cover files for trace module command-line tool. Previously emitted cover files only when --missing option was used. Patch by Michael Selik.

  • bpo-31457: If nested log adapters are used, the inner process() methods are no longer omitted.

  • bpo-16865: Support arrays >=2GiB in ctypes. Patch by Segev Finer.

  • bpo-31238: pydoc: the stop() method of the private ServerThread class now waits until DocServer.serve_until_quit() completes and then explicitly sets its docserver attribute to None to break a reference cycle.

Documentation

  • bpo-33503: Fix broken pypi link

  • bpo-33421: Add missing documentation for typing.AsyncContextManager.

  • bpo-33378: Add Korean language switcher for https://docs.python.org/3/

  • bpo-33276: Clarify that the __path__ attribute on modules cannot be just any value.

  • bpo-33201: Modernize documentation for writing C extension types.

  • bpo-33195: Deprecate Py_UNICODE usage in c-api/arg document. Py_UNICODE related APIs are deprecated since Python 3.3, but it is missed in the document.

  • bpo-33126: Document PyBuffer_ToContiguous().

  • bpo-27212: Modify documentation for the islice() recipe to consume initial values up to the start index.

  • bpo-28247: Update zipapp documentation to describe how to make standalone applications.

  • bpo-18802: Documentation changes for ipaddress. Patch by Jon Foster and Berker Peksag.

  • bpo-27428: Update documentation to clarify that WindowsRegistryFinder implements MetaPathFinder. (Patch by Himanshu Lakhara)

  • bpo-8243: Add a note about curses.addch and curses.addstr exception behavior when writing outside a window, or pad.

  • bpo-31432: Clarify meaning of CERT_NONE, CERT_OPTIONAL, and CERT_REQUIRED flags for ssl.SSLContext.verify_mode.

Tests

  • bpo-33655: Ignore test_posix_fallocate failures on BSD platforms that might be due to running on ZFS.

  • bpo-19417: Add test_bdb.py.

Build

  • bpo-5755: Move -Wstrict-prototypes option to CFLAGS_NODIST from OPT. This option emitted annoying warnings when building extension modules written in C++.

  • bpo-33614: Ensures module definition files for the stable ABI on Windows are correctly regenerated.

  • bpo-33522: Enable CI builds on Visual Studio Team Services at https://python.visualstudio.com/cpython

  • bpo-33012: Add -Wno-cast-function-type for gcc 8 for silencing warnings about function casts like casting to PyCFunction in method definition lists.

  • bpo-33394: Enable the verbose build for extension modules, when GNU make is passed macros on the command line.

Windows

  • bpo-33184: Update Windows installer to OpenSSL 1.0.2o.

macOS

  • bpo-33184: Update macOS installer build to use OpenSSL 1.0.2o.

IDLE

  • bpo-33656: On Windows, add API call saying that tk scales for DPI. On Windows 8.1+ or 10, with DPI compatibility properties of the Python binary unchanged, and a monitor resolution greater than 96 DPI, this should make text and lines sharper. It should otherwise have no effect.

  • bpo-33768: Clicking on a context line moves that line to the top of the editor window.

  • bpo-33763: IDLE: Use read-only text widget for code context instead of label widget.

  • bpo-33664: Scroll IDLE editor text by lines. Previously, the mouse wheel and scrollbar slider moved text by a fixed number of pixels, resulting in partial lines at the top of the editor box. The change also applies to the shell and grep output windows, but not to read-only text views.

  • bpo-33679: Enable theme-specific color configuration for Code Context. Use the Highlights tab to see the setting for built-in themes or add settings to custom themes.

  • bpo-33642: Display up to maxlines non-blank lines for Code Context. If there is no current context, show a single blank line.

  • bpo-33628: IDLE: Cleanup codecontext.py and its test.

  • bpo-33564: IDLE’s code context now recognizes async as a block opener.

  • bpo-29706: IDLE now colors async and await as keywords in 3.6. They become full keywords in 3.7.

  • bpo-21474: Update word/identifier definition from ascii to unicode. In text and entry boxes, this affects selection by double-click, movement left/right by control-left/right, and deletion left/right by control-BACKSPACE/DEL.

  • bpo-33204: IDLE: consistently color invalid string prefixes. A ‘u’ string prefix cannot be paired with either ‘r’ or ‘f’. Consistently color as much of the prefix, starting at the right, as is valid. Revise and extend colorizer test.

  • bpo-32831: Add docstrings and tests for codecontext.

Tools/Demos

  • bpo-33189: pygettext.py now recognizes only literal strings as docstrings and translatable strings, and rejects bytes literals and f-string expressions.

  • bpo-31920: Fixed handling directories as arguments in the pygettext script. Based on patch by Oleg Krasnikov.

  • bpo-29673: Fix pystackv and pystack gdbinit macros.

  • bpo-32885: Add an -n flag for Tools/scripts/pathfix.py to disable automatic backup creation (files with ~ suffix).

  • bpo-31583: Fix 2to3 for using with –add-suffix option but without –output-dir option for relative path to files in current directory.

C API

  • bpo-32374: Document that m_traverse for multi-phase initialized modules can be called with m_state=NULL, and add a sanity check

Python 3.6.5 final

Release date: 2018-03-28

Tests

  • bpo-32872: Avoid regrtest compatibility issue with namespace packages.

Build

  • bpo-33163: Upgrade pip to 9.0.3 and setuptools to v39.0.1.

Python 3.6.5 release candidate 1

Release date: 2018-03-13

Security

  • bpo-33001: Minimal fix to prevent buffer overrun in os.symlink on Windows

  • bpo-32981: Regexes in difflib and poplib were vulnerable to catastrophic backtracking. These regexes formed potential DOS vectors (REDOS). They have been refactored. This resolves CVE-2018-1060 and CVE-2018-1061. Patch by Jamie Davis.

Core and Builtins

  • bpo-33026: Fixed jumping out of “with” block by setting f_lineno.

  • bpo-17288: Prevent jumps from ‘return’ and ‘exception’ trace events.

  • bpo-32889: Update Valgrind suppression list to account for the rename of Py_ADDRESS_IN_RANG to address_in_range.

  • bpo-32650: Pdb and other debuggers dependent on bdb.py will correctly step over (next command) native coroutines. Patch by Pablo Galindo.

  • bpo-32685: Improve suggestion when the Python 2 form of print statement is either present on the same line as the header of a compound statement or else terminated by a semi-colon instead of a newline. Patch by Nitish Chandra.

  • bpo-32583: Fix possible crashing in builtin Unicode decoders caused by write out-of-bound errors when using customized decode error handlers.

  • bpo-26163: Improved frozenset() hash to create more distinct hash values when faced with datasets containing many similar values.

  • bpo-27169: The __debug__ constant is now optimized out at compile time. This fixes also bpo-22091.

  • bpo-32329: sys.flags.hash_randomization is now properly set to 0 when hash randomization is turned off by PYTHONHASHSEED=0.

  • bpo-30416: The optimizer is now protected from spending much time doing complex calculations and consuming much memory for creating large constants in constant folding.

  • bpo-18533: repr() on a dict containing its own values() or items() no longer raises RecursionError; OrderedDict similarly. Instead, use ..., as for other recursive structures. Patch by Ben North.

  • bpo-32028: Leading whitespace is now correctly ignored when generating suggestions for converting Py2 print statements to Py3 builtin print function calls. Patch by Sanyam Khurana.

  • bpo-32137: The repr of deeply nested dict now raises a RecursionError instead of crashing due to a stack overflow.

Library

  • bpo-33064: lib2to3 now properly supports trailing commas after *args and **kwargs in function signatures.

  • bpo-31804: Avoid failing in multiprocessing.Process if the standard streams are closed or None at exit.

  • bpo-33037: Skip sending/receiving data after SSL transport closing.

  • bpo-30353: Fix ctypes pass-by-value for structs on 64-bit Cygwin/MinGW.

  • bpo-33009: Fix inspect.signature() for single-parameter partialmethods.

  • bpo-32969: Expose several missing constants in zlib and fix corresponding documentation.

  • bpo-32713: Fixed tarfile.itn handling of out-of-bounds float values. Patch by Joffrey Fuhrer.

  • bpo-30622: The ssl module now detects missing NPN support in LibreSSL.

  • bpo-32922: dbm.open() now encodes filename with the filesystem encoding rather than default encoding.

  • bpo-32859: In os.dup2, don’t check every call whether the dup3 syscall exists or not.

  • bpo-21060: Rewrite confusing message from setup.py upload from “No dist file created in earlier command” to the more helpful “Must create and upload files in one command”.

  • bpo-32857: In tkinter, after_cancel(None) now raises a ValueError instead of canceling the first scheduled function. Patch by Cheryl Sabella.

  • bpo-32852: Make sure sys.argv remains as a list when running trace.

  • bpo-32841: Fixed asyncio.Condition issue which silently ignored cancellation after notifying and cancelling a conditional lock. Patch by Bar Harel.

  • bpo-31787: Fixed refleaks of __init__() methods in various modules. (Contributed by Oren Milman)

  • bpo-30157: Fixed guessing quote and delimiter in csv.Sniffer.sniff() when only the last field is quoted. Patch by Jake Davis.

  • bpo-32394: socket: Remove TCP_FASTOPEN, TCP_KEEPCNT flags on older version Windows during run-time.

  • bpo-32777: Fix a rare but potential pre-exec child process deadlock in subprocess on POSIX systems when marking file descriptors inheritable on exec in the child process. This bug appears to have been introduced in 3.4.

  • bpo-32647: The ctypes module used to depend on indirect linking for dlopen. The shared extension is now explicitly linked against libdl on platforms with dl.

  • bpo-32734: Fixed asyncio.Lock() safety issue which allowed acquiring and locking the same lock multiple times, without it being free. Patch by Bar Harel.

  • bpo-32727: Do not include name field in SMTP envelope from address. Patch by Stéphane Wirtel

  • bpo-27931: Fix email address header parsing error when the username is an empty quoted string. Patch by Xiang Zhang.

  • bpo-32304: distutils’ upload command no longer corrupts tar files ending with a CR byte, and no longer tries to convert CR to CRLF in any of the upload text fields.

  • bpo-32502: uuid.uuid1 no longer raises an exception if a 64-bit hardware address is encountered.

  • bpo-31848: Fix the error handling in Aifc_read.initfp() when the SSND chunk is not found. Patch by Zackery Spytz.

  • bpo-32555: On FreeBSD and Solaris, os.strerror() now always decode the byte string from the current locale encoding, rather than using ASCII/surrogateescape in some cases.

  • bpo-32521: The nis module is now compatible with new libnsl and headers location.

  • bpo-32473: Improve ABCMeta._dump_registry() output readability

  • bpo-32521: glibc has removed Sun RPC. Use replacement libtirpc headers and library in nis module.

  • bpo-32228: Ensure that truncate() preserves the file position (as reported by tell()) after writes longer than the buffer size.

  • bpo-26133: Don’t unsubscribe signals in asyncio UNIX event loop on interpreter shutdown.

  • bpo-32185: The SSL module no longer sends IP addresses in SNI TLS extension on platforms with OpenSSL 1.0.2+ or inet_pton.

  • bpo-32323: urllib.parse.urlsplit() does not convert zone-id (scope) to lower case for scoped IPv6 addresses in hostnames now.

  • bpo-32302: Fix bdist_wininst of distutils for CRT v142: it binary compatible with CRT v140.

  • bpo-32255: A single empty field is now always quoted when written into a CSV file. This allows to distinguish an empty row from a row consisting of a single empty field. Patch by Licht Takeuchi.

  • bpo-32277: Raise NotImplementedError instead of SystemError on platforms where chmod(..., follow_symlinks=False) is not supported. Patch by Anthony Sottile.

  • bpo-32199: The getnode() ip getter now uses ‘ip link’ instead of ‘ip link list’.

  • bpo-27456: Ensure TCP_NODELAY is set on Linux. Tests by Victor Stinner.

  • bpo-31900: The locale.localeconv() function now sets temporarily the LC_CTYPE locale to the LC_NUMERIC locale to decode decimal_point and thousands_sep byte strings if they are non-ASCII or longer than 1 byte, and the LC_NUMERIC locale is different than the LC_CTYPE locale. This temporary change affects other threads.

    Same change for the str.format() method when formatting a number (int, float, float and subclasses) with the n type (ex: '{:n}'.format(1234)).

  • bpo-31802: Importing native path module (posixpath, ntpath) now works even if the os module still is not imported.