* Fri Feb 06 2026 mcepl@cepl.eu
- Update to 3.13.12: Python 3.13.12 final Release date:
2026-02-03
- Tools/Demos
- gh-142095: Make gdb ‘py-bt’ command use frame from thread
local state when available. Patch by Sam Gross and Victor
Stinner.
- Tests
- gh-144415: The Android testbed now distinguishes between
stdout/stderr messages which were triggered by a newline,
and those triggered by a manual call to flush. This fixes
logging of progress indicators and similar content.
- gh-65784: Add support for parametrized resource wantobjects
in regrtests, which allows to run Tkinter tests with the
specified value of tkinter.wantobjects, for example -u
wantobjects=0.
- gh-143553: Add support for parametrized resources, such as
- u xpickle=2.7.
- gh-142836: Accommodated Solaris in
test_pdb.test_script_target_anonymous_pipe.
- gh-129401: Fix a flaky test in test_repr_rlock that checks
the representation of multiprocessing.RLock.
- bpo-31391: Forward-port test_xpickle from Python 2 to
Python 3 and add the resource back to test’s command line.
- Security
- gh-144125: BytesGenerator will now refuse to serialize
(write) headers that are unsafely folded or delimited; see
verify_generated_headers. (Contributed by Bas Bloemsaat and
Petr Viktorin in gh-121650).
- gh-143935: Fixed a bug in the folding of comments when
flattening an email message using a modern email policy.
Comments consisting of a very long sequence of non-foldable
characters could trigger a forced line wrap that omitted
the required leading space on the continuation line,
causing the remainder of the comment to be interpreted as
a new header field. This enabled header injection with
carefully crafted inputs (bsc#1257029, CVE-2025-11468).
- gh-143925: Reject control characters in data: URL media
types (bsc#1257046, CVE-2025-15282).
- gh-143919: Reject control characters in http.cookies.Morsel
fields and values (bsc#1257031, CVE-2026-0672).
- gh-143916: Reject C0 control characters within
wsgiref.headers.Headers fields, values, and parameters
(bsc#1257042, CVE-2026-0865).
- Library
- gh-144380: Improve performance of io.BufferedReader line
iteration by ~49%.
- gh-144169: Fix three crashes when non-string keyword
arguments are supplied to objects in the ast module.
- gh-144100: Fixed a crash in ctypes when using a deprecated
POINTER(str) type in argtypes. Instead of aborting, ctypes
now raises a proper Python exception when the pointer
target type is unresolved.
- gh-144050: Fix stat.filemode() in the pure-Python
implementation to avoid misclassifying invalid mode values
as block devices.
- gh-144023: Fixed validation of file descriptor 0 in posix
functions when used with follow_symlinks parameter.
- gh-143999: Fix an issue where inspect.getgeneratorstate()
and inspect.getcoroutinestate() could fail for generators
wrapped by types.coroutine() in the suspended state.
- gh-143706: Fix multiprocessing forkserver so that sys.argv
is correctly set before __main__ is preloaded. Previously,
sys.argv was empty during main module import in forkserver
child processes. This fixes a regression introduced in
3.13.8 and 3.14.1. Root caused by Aaron Wieczorek, test
provided by Thomas Watson, thanks!
- gh-143638: Forbid reentrant calls of the pickle.Pickler and
pickle.Unpickler methods for the C implementation.
Previously, this could cause crash or data corruption, now
concurrent calls of methods of the same object raise
RuntimeError.
- gh-78724: Raise RuntimeError’s when user attempts to call
methods on half-initialized Struct objects, For example,
created by Struct.__new__(Struct). Patch by Sergey
B Kirpichev.
- gh-143602: Fix a inconsistency issue in write() that leads
to unexpected buffer overwrite by deduplicating the buffer
exports.
- gh-143547: Fix sys.unraisablehook() when the hook raises an
exception and changes sys.unraisablehook(): hold a strong
reference to the old hook. Patch by Victor Stinner.
- gh-143378: Fix use-after-free crashes when a BytesIO object
is concurrently mutated during write() or writelines().
- gh-143346: Fix incorrect wrapping of the Base64 data in
plistlib._PlistWriter when the indent contains a mix of
tabs and spaces.
- gh-143310: tkinter: fix a crash when a Python list is
mutated during the conversion to a Tcl object (e.g., when
setting a Tcl variable). Patch by Bénédikt Tran.
- gh-143309: Fix a crash in os.execve() on non-Windows
platforms when given a custom environment mapping which is
then mutated during parsing. Patch by Bénédikt Tran.
- gh-143308: pickle: fix use-after-free crashes when
a PickleBuffer is concurrently mutated by a custom buffer
callback during pickling. Patch by Bénédikt Tran and Aaron
Wieczorek.
- gh-143237: Fix support of named pipes in the rotating
logging handlers.
- gh-143249: Fix possible buffer leaks in Windows overlapped
I/O on error handling.
- gh-143241: zoneinfo: fix infinite loop in
ZoneInfo.from_file when parsing a malformed TZif file.
Patch by Fatih Celik.
- gh-142830: sqlite3: fix use-after-free crashes when the
connection’s callbacks are mutated during a callback
execution. Patch by Bénédikt Tran.
- gh-143200: xml.etree.ElementTree: fix use-after-free
crashes in __getitem__() and __setitem__() methods of
Element when the element is concurrently mutated. Patch by
Bénédikt Tran.
- gh-142195: Updated timeout evaluation logic in subprocess
to be compatible with deterministic environments like
Shadow where time moves exactly as requested.
- gh-143145: Fixed a possible reference leak in ctypes when
constructing results with multiple output parameters on
error.
- gh-122431: Corrected the error message in
readline.append_history_file() to state that nelements must
be non-negative instead of positive.
- gh-143004: Fix a potential use-after-free in
collections.Counter.update() when user code mutates the
Counter during an update.
- gh-143046: The asyncio REPL no longer prints copyright and
version messages in the quiet mode (-q). Patch by Bartosz
Sławecki.
- gh-140648: The asyncio REPL now respects the -I flag
(isolated mode). Previously, it would load and execute
PYTHONSTARTUP even if the flag was set. Contributed by
Bartosz Sławecki.
- gh-142991: Fixed socket operations such as recvfrom() and
sendto() for FreeBSD divert(4) socket.
- gh-143010: Fixed a bug in mailbox where the precise timing
of an external event could result in the library opening an
existing file instead of a file it expected to create.
- gh-142881: Fix concurrent and reentrant call of
atexit.unregister().
- gh-112127: Fix possible use-after-free in
atexit.unregister() when the callback is unregistered
during comparison.
- gh-142783: Fix zoneinfo use-after-free with descriptor
_weak_cache. a descriptor as _weak_cache could cause
crashes during object creation. The fix ensures proper
reference counting for descriptor-provided objects.
- gh-142754: Add the ownerDocument attribute to
xml.dom.minidom elements and attributes created by directly
instantiating the Element or Attr class. Note that this way
of creating nodes is not supported; creator functions like
xml.dom.Document.documentElement() should be used instead.
- gh-142784: The asyncio REPL now properly closes the loop
upon the end of interactive session. Previously, it could
cause surprising warnings. Contributed by Bartosz Sławecki.
- gh-142555: array: fix a crash in a[i] = v when converting
i to an index via i.__index__ or i.__float__ mutates the
array.
- gh-142594: Fix crash in TextIOWrapper.close() when the
underlying buffer’s closed property calls detach().
- gh-142451: hmac: Ensure that the HMAC.block_size attribute
is correctly copied by HMAC.copy. Patch by Bénédikt Tran.
- gh-142495: collections.defaultdict now prioritizes
__setitem__() when inserting default values from
default_factory. This prevents race conditions where
a default value would overwrite a value set before
default_factory returns.
- gh-142651: unittest.mock: fix a thread safety issue where
Mock.call_count may return inaccurate values when the mock
is called concurrently from multiple threads.
- gh-142595: Added type check during initialization of the
decimal module to prevent a crash in case of broken stdlib.
Patch by Sergey B Kirpichev.
- gh-142517: The non-compat32 email policies now correctly
handle refolding encoded words that contain bytes that can
not be decoded in their specified character set. Previously
this resulted in an encoding exception during folding.
- gh-112527: The help text for required options in argparse
no longer extended with “ (default: None)”.
- gh-142315: Pdb can now run scripts from anonymous pipes
used in process substitution. Patch by Bartosz Sławecki.
- gh-142282: Fix winreg.QueryValueEx() to not accidentally
read garbage buffer under race condition.
- gh-75949: Fix argparse to preserve | separators in mutually
exclusive groups when the usage line wraps due to length.
- gh-68552: MisplacedEnvelopeHeaderDefect and Missing header
name defects are now correctly passed to the handle_defect
method of policy in FeedParser.
- gh-142006: Fix a bug in the email.policy.default folding
algorithm which incorrectly resulted in a doubled newline
when a line ending at exactly max_line_length was followed
by an unfoldable token.
- gh-105836: Fix asyncio.run_coroutine_threadsafe() leaving
underlying cancelled asyncio task running.
- gh-139971: pydoc: Ensure that the link to the online
documentation of a stdlib module is correct.
- gh-139262: Some keystrokes can be swallowed in the new
PyREPL on Windows, especially when used together with the
ALT key. Fix by Chris Eibl.
- gh-138897: Improved license/copyright/credits display in
the REPL: now uses a pager.
- gh-79986: Add parsing for References and In-Reply-To
headers to the email library that parses the header content
as lists of message id tokens. This prevents them from
being folded incorrectly.
- gh-109263: Starting a process from spawn context in
multiprocessing no longer sets the start method globally.
- gh-90871: Fixed an off by one error concerning the backlog
parameter in create_unix_server(). Contributed by Christian
Harries.
- gh-133253: Fix thread-safety issues in linecache.
- gh-132715: Skip writing objects during marshalling once
a failure has occurred.
- gh-127529: Correct behavior of
asyncio.selector_events.BaseSelectorEventLoop._accept_connection()
in handling ConnectionAbortedError in a loop. This improves
performance on OpenBSD.
- IDLE
- gh-143774: Better explain the operation of Format / Format
Paragraph.
- Documentation
- gh-140806: Add documentation for enum.bin().
- Core and Builtins
- gh-144307: Prevent a reference leak in module teardown at
interpreter finalization.
- gh-144194: Fix error handling in perf jitdump
initialization on memory allocation failure.
- gh-141805: Fix crash in set when objects with the same hash
are concurrently added to the set after removing an element
with the same hash while the set still contains elements
with the same hash.
- gh-143670: Fixes a crash in ga_repr_items_list function.
- gh-143377: Fix a crash in _interpreters.capture_exception()
when the exception is incorrectly formatted. Patch by
Bénédikt Tran.
- gh-143189: Fix crash when inserting a non-str key into
a split table dictionary when the key matches an existing
key in the split table but has no corresponding value in
the dict.
- gh-143228: Fix use-after-free in perf trampoline when
toggling profiling while threads are running or during
interpreter finalization with daemon threads active. The
fix uses reference counting to ensure trampolines are not
freed while any code object could still reference them.
Pach by Pablo Galindo
- gh-142664: Fix a use-after-free crash in
memoryview.__hash__ when the __hash__ method of the
referenced object mutates that object or the view. Patch by
Bénédikt Tran.
- gh-142557: Fix a use-after-free crash in bytearray.__mod__
when the bytearray is mutated while formatting the %-style
arguments. Patch by Bénédikt Tran.
- gh-143195: Fix use-after-free crashes in bytearray.hex()
and memoryview.hex() when the separator’s __len__() mutates
the original object. Patch by Bénédikt Tran.
- gh-143135: Set sys.flags.inspect to 1 when PYTHONINSPECT is
0. Previously, it was set to 0 in this case.
- gh-143003: Fix an overflow of the shared empty buffer in
bytearray.extend() when __length_hint__() returns 0 for
non-empty iterator.
- gh-143006: Fix a possible assertion error when comparing
negative non-integer float and int with the same number of
bits in the integer part.
- gh-142776: Fix a file descriptor leak in import.c
- gh-142829: Fix a use-after-free crash in
contextvars.Context comparison when a custom __eq__ method
modifies the context via set().
- gh-142766: Clear the frame of a generator when
generator.close() is called.
- gh-142737: Tracebacks will be displayed in fallback mode
even if io.open() is lost. Previously, this would crash the
interpreter. Patch by Bartosz Sławecki.
- gh-142554: Fix a crash in divmod() when
_pylong.int_divmod() does not return a tuple of length two
exactly. Patch by Bénédikt Tran.
- gh-142560: Fix use-after-free in bytearray search-like
methods (find(), count(), index(), rindex(), and rfind())
by marking the storage as exported which causes
reallocation attempts to raise BufferError. For contains(),
split(), and rsplit() the buffer protocol is used for this.
- gh-142343: Fix SIGILL crash on m68k due to incorrect
assembly constraint.
- gh-141732: Ensure the __repr__() for ExceptionGroup and
BaseExceptionGroup does not change when the exception
sequence that was original passed in to its constructor is
subsequently mutated.
- gh-100964: Fix reference cycle in exhausted generator
frames. Patch by Savannah Ostrowski.
- gh-140373: Correctly emit PY_UNWIND event when generator
object is closed. Patch by Mikhail Efimov.
- gh-138568: Adjusted the built-in help() function so that
empty inputs are ignored in interactive mode.
- gh-127773: Do not use the type attribute cache for types
with incompatible MRO.
- C API
- gh-142571: PyUnstable_CopyPerfMapFile() now checks that
opening the file succeeded before flushing.
- Build
- gh-142454: When calculating the digest of the JIT stencils
input, sort the hashed files by filenames before adding
their content to the hasher. This ensures deterministic
hash input and hence deterministic hash, independent on
filesystem order.
- gh-141808: When running make clean-retain-profile, keep the
generated JIT stencils. That way, the stencils are not
generated twice when Profile-guided optimization (PGO) is
used. It also allows distributors to supply their own
pre-built JIT stencils.
- gh-138061: Ensure reproducible builds by making JIT stencil
header generation deterministic.
- Remove upstreamed patches:
- CVE-2024-6923-follow-up-EOL-email-headers.patch
- gh138131-exclude-pycache-from-digest.patch
* Tue Jan 27 2026 mcepl@cepl.eu
- Add CVE-2024-6923-follow-up-EOL-email-headers.patch which is
a follow-up to the previous fix of CVE-2024-6923 further
encoding EOL possibly hidden in email headers (bsc#1257181).
Version: 3.13.11-160000.1.1
* Thu Dec 11 2025 mcepl@cepl.eu
- Update to 3.13.11:
- gh-142145: Remove quadratic behavior in xml.minidom node ID
cache clearing (CVE-2025-12084, bsc#1254997).
- gh-119451: Fix a potential memory denial of service in the
http.client module. When connecting to a malicious server,
it could cause an arbitrary amount of memory to be
allocated. This could have led to symptoms including
a MemoryError, swapping, out of memory (OOM) killed
processes or containers, or even system crashes
(bsc#1254400, CVE-2025-13836).
- gh-119452: Fix a potential memory denial of service in the
http.server module. When a malicious user is connected to
the CGI server on Windows, it could cause an arbitrary
amount of memory to be allocated. This could have led to
symptoms including a MemoryError, swapping, out of memory
(OOM) killed processes or containers, or even system
crashes.
- Library
- gh-140797: Revert changes to the undocumented re.Scanner
class. Capturing groups are still allowed for backward
compatibility, although using them can lead to incorrect
result. They will be forbidden in future Python versions.
- gh-142206: The resource tracker in the multiprocessing
module now uses the original communication protocol, as in
Python 3.14.0 and below, by default. This avoids issues
with upgrading Python while it is running. (Note that such
‘in-place’ upgrades are not tested.) The tracker remains
compatible with subprocesses that use new protocol (that
is, subprocesses using Python 3.13.10, 3.14.1 and 3.15).
- Core and Builtins
- gh-142218: Fix crash when inserting into a split table
dictionary with a non str key that matches an existing key.
- Update to 3.13.10:
- Tools/Demos
- gh-141442: The iOS testbed now correctly handles test
arguments that contain spaces.
- Tests
- gh-140482: Preserve and restore the state of stty echo as
part of the test environment.
- gh-140082: Update python -m test to set FORCE_COLOR=1 when
being run with color enabled so that unittest which is run
by it with redirected output will output in color.
- gh-136442: Use exitcode 1 instead of 5 if
unittest.TestCase.setUpClass() raises an exception
- Security
- gh-139700: Check consistency of the zip64 end of central
directory record. Support records with “zip64 extensible
data” if there are no bytes prepended to the ZIP file.
(CVE-2025-8291, bsc#1251305)
- gh-137836: Add support of the “plaintext” element, RAWTEXT
elements “xmp”, “iframe”, “noembed” and “noframes”, and
optionally RAWTEXT element “noscript” in
html.parser.HTMLParser.
- gh-136063: email.message: ensure linear complexity for
legacy HTTP parameters parsing. Patch by Bénédikt Tran.
- gh-136065: Fix quadratic complexity in
os.path.expandvars() (CVE-2025-6075, bsc#1252974).
- gh-119342: Fix a potential memory denial of service in the
plistlib module. When reading a Plist file received from
untrusted source, it could cause an arbitrary amount of
memory to be allocated. This could have led to symptoms
including a MemoryError, swapping, out of memory (OOM)
killed processes or containers, or even system crashes
(CVE-2025-13837, bsc#1254401).
- Library
- gh-74389: When the stdin being used by a subprocess.Popen
instance is closed, this is now ignored in
subprocess.Popen.communicate() instead of leaving the class
in an inconsistent state.
- gh-87512: Fix subprocess.Popen.communicate() timeout
handling on Windows when writing large input. Previously,
the timeout was ignored during stdin writing, causing the
method to block indefinitely if the child process did not
consume input quickly. The stdin write is now performed in
a background thread, allowing the timeout to be properly
enforced.
- gh-141473: When subprocess.Popen.communicate() was called
with input and a timeout and is called for a second time
after a TimeoutExpired exception before the process has
died, it should no longer hang.
- gh-59000: Fix pdb breakpoint resolution for class methods
when the module defining the class is not imported.
- gh-141570: Support file-like object raising OSError from
fileno() in color detection (_colorize.can_colorize()).
This can occur when sys.stdout is redirected.
- gh-141659: Fix bad file descriptor errors from
_posixsubprocess on AIX.
- gh-141497: ipaddress: ensure that the methods
IPv4Network.hosts() and IPv6Network.hosts() always return
an iterator.
- gh-140938: The statistics.stdev() and statistics.pstdev()
functions now raise a ValueError when the input contains an
infinity or a NaN.
- gh-124111: Updated Tcl threading configuration in _tkinter
to assume that threads are always available in Tcl 9 and
later.
- gh-137109: The os.fork and related forking APIs will no
longer warn in the common case where Linux or macOS
platform APIs return the number of threads in a process and
find the answer to be 1 even when a os.register_at_fork()
after_in_parent= callback (re)starts a thread.
- gh-141314: Fix assertion failure in io.TextIOWrapper.tell()
when reading files with standalone carriage return (\r)
line endings.
- gh-141311: Fix assertion failure in io.BytesIO.readinto()
and undefined behavior arising when read position is above
capcity in io.BytesIO.
- gh-141141: Fix a thread safety issue with
base64.b85decode(). Contributed by Benel Tayar.
- gh-140911: collections: Ensure that the methods
UserString.rindex() and UserString.index() accept
collections.UserString instances as the sub argument.
- gh-140797: The undocumented re.Scanner class now forbids
regular expressions containing capturing groups in its
lexicon patterns. Patterns using capturing groups could
previously lead to crashes with segmentation fault. Use
non-capturing groups (?:…) instead.
- gh-140815: faulthandler now detects if a frame or a code
object is invalid or freed. Patch by Victor Stinner.
- gh-100218: Correctly set errno when socket.if_nametoindex()
or socket.if_indextoname() raise an OSError. Patch by
Bénédikt Tran.
- gh-140875: Fix handling of unclosed character references
(named and numerical) followed by the end of file in
html.parser.HTMLParser with convert_charrefs=False.
- gh-140734: multiprocessing: fix off-by-one error when
checking the length of a temporary socket file path. Patch
by Bénédikt Tran.
- gh-140874: Bump the version of pip bundled in ensurepip to
version 25.3
- gh-140691: In urllib.request, when opening a FTP URL fails
because a data connection cannot be made, the control
connection’s socket is now closed to avoid
a ResourceWarning.
- gh-103847: Fix hang when cancelling process created by
asyncio.create_subprocess_exec() or
asyncio.create_subprocess_shell(). Patch by Kumar Aditya.
- gh-140590: Fix arguments checking for the
functools.partial.__setstate__() that may lead to internal
state corruption and crash. Patch by Sergey Miryanov.
- gh-140634: Fix a reference counting bug in
os.sched_param.__reduce__().
- gh-140633: Ignore AttributeError when setting a module’s
__file__ attribute when loading an extension module
packaged as Apple Framework.
- gh-140593: xml.parsers.expat: Fix a memory leak that could
affect users with ElementDeclHandler() set to a custom
element declaration handler. Patch by Sebastian Pipping.
- gh-140607: Inside io.RawIOBase.read(), validate that the
count of bytes returned by io.RawIOBase.readinto() is valid
(inside the provided buffer).
- gh-138162: Fix logging.LoggerAdapter with merge_extra=True
and without the extra argument.
- gh-140474: Fix memory leak in array.array when creating
arrays from an empty str and the u type code.
- gh-140272: Fix memory leak in the clear() method of the
dbm.gnu database.
- gh-140041: Fix import of ctypes on Android and Cygwin when
ABI flags are present.
- gh-139905: Add suggestion to error message for
typing.Generic subclasses when cls.__parameters__ is
missing due to a parent class failing to call
super().__init_subclass__() in its __init_subclass__.
- gh-139845: Fix to not print KeyboardInterrupt twice in
default asyncio REPL.
- gh-139783: Fix inspect.getsourcelines() for the case when
a decorator is followed by a comment or an empty line.
- gh-70765: http.server: fix default handling of HTTP/0.9
requests in BaseHTTPRequestHandler. Previously,
BaseHTTPRequestHandler.parse_request() incorrectly waited
for headers in the request although those are not supported
in HTTP/0.9. Patch by Bénédikt Tran.
- gh-139391: Fix an issue when, on non-Windows platforms, it
was not possible to gracefully exit a python -m asyncio
process suspended by Ctrl+Z and later resumed by fg other
than with kill.
- gh-101828: Fix 'shift_jisx0213', 'shift_jis_2004',
'euc_jisx0213' and 'euc_jis_2004' codecs truncating null
chars as they were treated as part of multi-character
sequences.
- gh-139246: fix: paste zero-width in default repl width is
wrong.
- gh-90949: Add SetAllocTrackerActivationThreshold() and
SetAllocTrackerMaximumAmplification() to xmlparser objects
to prevent use of disproportional amounts of dynamic memory
from within an Expat parser. Patch by Bénédikt Tran.
- gh-139065: Fix trailing space before a wrapped long word if
the line length is exactly width in textwrap.
- gh-138993: Dedent credits text.
- gh-138859: Fix generic type parameterization raising
a TypeError when omitting a ParamSpec that has a default
which is not a list of types.
- gh-138775: Use of python -m with base64 has been fixed to
detect input from a terminal so that it properly notices
EOF.
- gh-98896: Fix a failure in multiprocessing resource_tracker
when SharedMemory names contain colons. Patch by Rani
Pinchuk.
- gh-75989: tarfile.TarFile.extractall() and
tarfile.TarFile.extract() now overwrite symlinks when
extracting hardlinks. (Contributed by Alexander Enrique
Urieles Nieto in gh-75989.)
- gh-83424: Allows creating a ctypes.CDLL without name when
passing a handle as an argument.
- gh-136234: Fix asyncio.WriteTransport.writelines() to be
robust to connection failure, by using the same behavior as
write().
- gh-136057: Fixed the bug in pdb and bdb where next and step
can’t go over the line if a loop exists in the line.
- gh-135307: email: Fix exception in set_content() when
encoding text and max_line_length is set to 0 or None
(unlimited).
- gh-134453: Fixed subprocess.Popen.communicate() input=
handling of memoryview instances that were non-byte shaped
on POSIX platforms. Those are now properly cast to a byte
shaped view instead of truncating the input. Windows
platforms did not have this bug.
- gh-102431: Clarify constraints for “logical” arguments in
methods of decimal.Context.
- IDLE
- gh-96491: Deduplicate version number in IDLE shell title
bar after saving to a file.
- Documentation
- gh-141994: xml.sax.handler: Make Documentation of
xml.sax.handler.feature_external_ges warn of opening up to
external entity attacks. Patch by Sebastian Pipping.
- gh-140578: Remove outdated sencence in the documentation
for multiprocessing, that implied that
concurrent.futures.ThreadPoolExecutor did not exist.
- Core and Builtins
- gh-142048: Fix quadratically increasing garbage collection
delays in free-threaded build.
- gh-141930: When importing a module, use Python’s regular
file object to ensure that writes to .pyc files are
complete or an appropriate error is raised.
- gh-120158: Fix inconsistent state when enabling or
disabling monitoring events too many times.
- gh-141579: Fix sys.activate_stack_trampoline() to properly
support the perf_jit backend. Patch by Pablo Galindo.
- gh-141312: Fix the assertion failure in the __setstate__
method of the range iterator when a non-integer argument is
passed. Patch by Sergey Miryanov.
- gh-140939: Fix memory leak when bytearray or bytes is
formated with the
%*b format with a large width that results in
%a MemoryError.
- gh-140530: Fix a reference leak when raise exc from cause
fails. Patch by Bénédikt Tran.
- gh-140576: Fixed crash in tokenize.generate_tokens() in
case of specific incorrect input. Patch by Mikhail Efimov.
- gh-140551: Fixed crash in dict if dict.clear() is called at
the lookup stage. Patch by Mikhail Efimov and Inada Naoki.
- gh-140471: Fix potential buffer overflow in ast.AST node
initialization when encountering malformed _fields
containing non-str.
- gh-140406: Fix memory leak when an object’s __hash__()
method returns an object that isn’t an int.
- gh-140306: Fix memory leaks in cross-interpreter channel
operations and shared namespace handling.
- gh-140301: Fix memory leak of PyConfig in subinterpreters.
- gh-140000: Fix potential memory leak when a reference cycle
exists between an instance of typing.TypeAliasType,
typing.TypeVar, typing.ParamSpec, or typing.TypeVarTuple
and its __name__ attribute. Patch by Mikhail Efimov.
- gh-139748: Fix reference leaks in error branches of
functions accepting path strings or bytes such as compile()
and os.system(). Patch by Bénédikt Tran.
- gh-139516: Fix lambda colon erroneously start format spec
in f-string in tokenizer.
- gh-139640: Fix swallowing some syntax warnings in different
modules if they accidentally have the same message and are
emitted from the same line. Fix duplicated warnings in the
finally block.
- gh-137400: Fix a crash in the free threading build when
disabling profiling or tracing across all threads with
PyEval_SetProfileAllThreads() or
PyEval_SetTraceAllThreads() or their Python equivalents
threading.settrace_all_threads() and
threading.setprofile_all_threads().
- gh-133400: Fixed Ctrl+D (^D) behavior in _pyrepl module to
match old pre-3.13 REPL behavior.
- C API
- gh-140042: Removed the sqlite3_shutdown call that could
cause closing connections for sqlite when used with
multiple sub interpreters.
- gh-140487: Fix Py_RETURN_NOTIMPLEMENTED in limited C API
3.11 and older: don’t treat Py_NotImplemented as immortal.
Patch by Victor Stinner.
- Remove upstreamed patches:
- CVE-2025-13836-http-resp-cont-len.patch
- CVE-2025-8291-consistency-zip64.patch
- CVE-2025-6075-expandvars-perf-degrad.patch
* Wed Nov 19 2025 mcepl@suse.com
- Add pass-test_write_read_limited_history.patch:
Fix readline history truncation when length is reduced
The `readline.set_history_length()` function did not previously
truncate the in-memory history when the new length was set to
a value smaller than the current number of history items. This
could lead to unexpected behavior where `get_history_length()`
would still report the old length and writing the history to a
file would write more entries than the new limit.
This patch modifies `set_history_length()` to explicitly
remove the oldest history entries using `remove_history()`
when the length is decreased, ensuring the in-memory history
is correctly truncated to the new limit. This brings the
function's behavior in line with expectations and fixes
failures in `test_write_read_limited_history`.
* Thu Nov 13 2025 mcepl@cepl.eu
- Add CVE-2025-6075-expandvars-perf-degrad.patch avoid simple
quadratic complexity vulnerabilities of os.path.expandvars()
(CVE-2025-6075, bsc#1252974).
* Tue Nov 04 2025 mcepl@cepl.eu
- Add CVE-2025-8291-consistency-zip64.patch which checks
consistency of the zip64 end of central directory record, and
preventing obfuscation of the payload, i.e., you scanning for
malicious content in a ZIP file with one ZIP parser (let's say
a Rust one) then unpack it in production with another (e.g.,
the Python one) and get malicious content that the other parser
did not see (CVE-2025-8291, bsc#1251305)
- Readjust patches while synchronizing between openSUSE and SLE trees:
- F00251-change-user-install-location.patch
- doc-py38-to-py36.patch
- gh126985-mv-pyvenv.cfg2getpath.patch
* Wed Oct 15 2025 daniel.garcia@suse.com
- Update to 3.13.9:
- Library
- gh-139783: Fix inspect.getsourcelines() for the case when a
decorator is followed by a comment or an empty line.
- Update to 3.13.8:
- macOS
- gh-124111: Update macOS installer to use Tcl/Tk 8.6.17.
- gh-139573: Updated bundled version of OpenSSL to 3.0.18.
- Windows
- gh-139573: Updated bundled version of OpenSSL to 3.0.18.
- gh-138896: Fix error installing C runtime on non-updated Windows
machines
- Tools/Demos
- gh-139330: SBOM generation tool didn’t cross-check the version
and checksum values against the Modules/expat/refresh.sh script,
leading to the values becoming out-of-date during routine
updates.
- gh-137873: The iOS test runner has been simplified, resolving
some issues that have been observed using the runner in GitHub
Actions and Azure Pipelines test environments.
- Tests
- gh-139208: Fix regrtest --fast-ci --verbose: don’t ignore the
- -verbose option anymore. Patch by Victor Stinner.
- Security
- gh-139400: xml.parsers.expat: Make sure that parent Expat
parsers are only garbage-collected once they are no longer
referenced by subparsers created by
ExternalEntityParserCreate(). Patch by Sebastian Pipping.
- gh-139283: sqlite3: correctly handle maximum number of rows to
fetch in Cursor.fetchmany and reject negative values for
Cursor.arraysize. Patch by Bénédikt Tran.
- gh-135661: Fix CDATA section parsing in html.parser.HTMLParser
according to the HTML5 standard: ] ]> and ]] > no longer end the
CDATA section. Add private method _set_support_cdata() which can
be used to specify how to parse <[CDATA[ — as a CDATA section in
foreign content (SVG or MathML) or as a bogus comment in the
HTML namespace.
- Library
- gh-139312: Upgrade bundled libexpat to 2.7.3
- gh-139289: Do a real lazy-import on rlcompleter in pdb and
restore the existing completer after importing rlcompleter.
- gh-139210: Fix use-after-free when reporting unknown event in
xml.etree.ElementTree.iterparse(). Patch by Ken Jin.
- gh-138860: Lazy import rlcompleter in pdb to avoid deadlock in
subprocess.
- gh-112729: Fix crash when calling _interpreters.create when the
process is out of memory.
- gh-139076: Fix a bug in the pydoc module that was hiding
functions in a Python module if they were implemented in an
extension module and the module did not have __all__.
- gh-138998: Update bundled libexpat to 2.7.2
- gh-130567: Fix possible crash in locale.strxfrm() due to a
platform bug on macOS.
- gh-138779: Support device numbers larger than 2**63-1 for the
st_rdev field of the os.stat_result structure.
- gh-128636: Fix crash in PyREPL when os.environ is overwritten
with an invalid value for mac
- gh-88375: Fix normalization of the robots.txt rules and URLs in
the urllib.robotparser module. No longer ignore trailing ?.
Distinguish raw special characters ?, = and & from the
percent-encoded ones.
- gh-138515: email is added to Emscripten build.
- gh-111788: Fix parsing errors in the urllib.robotparser module.
Don’t fail trying to parse weird paths. Don’t fail trying to
decode non-UTF-8 robots.txt files.
- gh-138432: zoneinfo.reset_tzpath() will now convert any
os.PathLike objects it receives into strings before adding them
to TZPATH. It will raise TypeError if anything other than a
string is found after this conversion. If given an os.PathLike
object that represents a relative path, it will now raise
ValueError instead of TypeError, and present a more informative
error message.
- gh-138008: Fix segmentation faults in the ctypes module due to
invalid argtypes. Patch by Dung Nguyen.
- gh-60462: Fix locale.strxfrm() on Solaris (and possibly other
platforms).
- gh-138204: Forbid expansion of shared anonymous memory maps on
Linux, which caused a bus error.
- gh-138010: Fix an issue where defining a class with a
@warnings.deprecated-decorated base class may not invoke the
correct __init_subclass__() method in cases involving multiple
inheritance. Patch by Brian Schubert.
- gh-138133: Prevent infinite traceback loop when sending CTRL^C
to Python through strace.
- gh-134869: Fix an issue where pressing Ctrl+C during tab
completion in the REPL would leave the autocompletion menu in a
corrupted state.
- gh-137317: inspect.signature() now correctly handles classes
that use a descriptor on a wrapped __init__() or __new__()
method. Contributed by Yongyu Yan.
- gh-137754: Fix import of the zoneinfo module if the C
implementation of the datetime module is not available.
- gh-137490: Handle ECANCELED in the same way as EINTR in
signal.sigwaitinfo() on NetBSD.
- gh-137477: Fix inspect.getblock(), inspect.getsourcelines() and
inspect.getsource() for generator expressions.
- gh-137017: Fix threading.Thread.is_alive to remain True until
the underlying OS thread is fully cleaned up. This avoids false
negatives in edge cases involving thread monitoring or premature
threading.Thread.is_alive calls.
- gh-136134: SMTP.auth_cram_md5() now raises an SMTPException
instead of a ValueError if Python has been built without MD5
support. In particular, SMTP clients will not attempt to use
this method even if the remote server is assumed to support it.
Patch by Bénédikt Tran.
- gh-136134: IMAP4.login_cram_md5 now raises an IMAP4.error if
CRAM-MD5 authentication is not supported. Patch by Bénédikt
Tran.
- gh-135386: Fix opening a dbm.sqlite3 database for reading from
read-only file or directory.
- gh-126631: Fix multiprocessing forkserver bug which prevented
__main__ from being preloaded.
- gh-123085: In a bare call to importlib.resources.files(), ensure
the caller’s frame is properly detected when importlib.resources
is itself available as a compiled module only (no source).
- gh-118981: Fix potential hang in
multiprocessing.popen_spawn_posix that can happen when the child
proc dies early by closing the child fds right away.
- gh-78319: UTF8 support for the IMAP APPEND command has been made
RFC compliant.
- bpo-38735: Fix failure when importing a module from the root
directory on unix-like platforms with sys.pycache_prefix set.
- bpo-41839: Allow negative priority values from
os.sched_get_priority_min() and os.sched_get_priority_max()
functions.
- Core and Builtins
- gh-134466: Don’t run PyREPL in a degraded environment where
setting termios attributes is not allowed.
- gh-71810: Raise OverflowError for (-1).to_bytes() for signed
conversions when bytes count is zero. Patch by Sergey B
Kirpichev.
- gh-105487: Remove non-existent __copy__(), __deepcopy__(), and
__bases__ from the __dir__() entries of types.GenericAlias.
- gh-134163: Fix a hang when the process is out of memory inside
an exception handler.
- gh-138479: Fix a crash when a generic object’s __typing_subst__
returns an object that isn’t a tuple.
- gh-137576: Fix for incorrect source code being shown in
tracebacks from the Basic REPL when PYTHONSTARTUP is given.
Patch by Adam Hartz.
- gh-132744: Certain calls now check for runaway recursion and
respect the system recursion limit.
- C API
- gh-87135: Attempting to acquire the GIL after runtime
finalization has begun in a different thread now causes the
thread to hang rather than terminate, which avoids potential
crashes or memory corruption caused by attempting to terminate a
thread that is running code not specifically designed to support
termination. In most cases this hanging is harmless since the
process will soon exit anyway.
While not officially marked deprecated until 3.14,
PyThread_exit_thread is no longer called internally and remains
solely for interface compatibility. Its behavior is inconsistent
across platforms, and it can only be used safely in the unlikely
case that every function in the entire call stack has been
designed to support the platform-dependent termination
mechanism. It is recommended that users of this function change
their design to not require thread termination. In the unlikely
case that thread termination is needed and can be done safely,
users may migrate to calling platform-specific APIs such as
pthread_exit (POSIX) or _endthreadex (Windows) directly.
- Build
- gh-135734: Python can correctly be configured and built with
./configure --enable-optimizations --disable-test-modules.
Previously, the profile data generation step failed due to PGO
tests where immortalization couldn’t be properly suppressed.
Patch by Bénédikt Tran.
* Mon Sep 29 2025 daniel.garcia@suse.com
- Add gh139257-Support-docutils-0.22.patch to fix build with latest
docutils (>=0.22) gh#python/cpython#139257
* Mon Sep 22 2025 dimstar@opensuse.org
- Drop AppStream: this results in a different cycle than
appstream-glib. As the appdata.xml is controlled by ourselves, we
can get away with just manually validating it when changing it.
* Thu Sep 18 2025 dimstar@opensuse.org
- Require AppStream to validate appdata file instead of deprecated
appstream-glib.
- Update idle3.appdata.xml to pass the more pedantic appstreamcli.
* Tue Sep 09 2025 daniel.garcia@suse.com
- Add gh138131-exclude-pycache-from-digest.patch fixing reproducible
build for python-nogil.
(bsc#1244680, gh#python/cpython#138131)
* Fri Aug 15 2025 mcepl@cepl.eu
- Update to 3.13.7:
- gh-137583: Fix a deadlock introduced in 3.13.6 when a call
to ssl.SSLSocket.recv was blocked in one thread, and then
another method on the object (such as ssl.SSLSocket.send) was
subsequently called in another thread.
- gh-137044: Return large limit values as positive integers
instead of negative integers in resource.getrlimit().
Accept large values and reject negative values (except
RLIM_INFINITY) for limits in resource.setrlimit().
- gh-136914: Fix retrieval of doctest.DocTest.lineno
for objects decorated with functools.cache() or
functools.cached_property.
- gh-131788: Make ResourceTracker.send from multiprocessing
re-entrant safe
- gh-136155: We are now checking for fatal errors in EPUB
builds in CI.
- gh-137400: Fix a crash in the free threading build when
disabling profiling or tracing across all threads with
PyEval_SetProfileAllThreads() or PyEval_SetTraceAllThreads()
or their Python equivalents threading.settrace_all_threads()
and threading.setprofile_all_threads().
- Remove upstreamed patch:
- gh137583-only-lock-SSL-context.patch