author: Łukasz Langa <lukasz@langa.pl> 2024-09-06 21:03:56 +0200
committer: Łukasz Langa <lukasz@langa.pl> 2024-09-06 21:03:56 +0200
commit: 8c3f7946ec848ec16cf28418c0f984ecaa029541
tree: b5320c0626beedaee11024f458d4054e29ff8465
parent: [3.9] [CVE-2023-27043] gh-102988: Reject malformed addresses in email.parsead...
Python 3.9.20 (v3.9.20)
-rw-r--r--  Include/patchlevel.h  4
-rw-r--r--  Misc/NEWS.d/3.9.20.rst  203
-rw-r--r--  Misc/NEWS.d/next/Core_and_Builtins/2024-09-04-18-20-11.gh-issue-112275.W_iMiB.rst  3
-rw-r--r--  Misc/NEWS.d/next/Library/2019-08-27-01-16-50.gh-issue-67693.4NIAiy.rst  2
-rw-r--r--  Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst  8
-rw-r--r--  Misc/NEWS.d/next/Library/2024-03-14-01-38-44.gh-issue-113171.VFnObz.rst  9
-rw-r--r--  Misc/NEWS.d/next/Library/2024-07-27-16-10-41.gh-issue-121650.nf6oc9.rst  5
-rw-r--r--  Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst  1
-rw-r--r--  Misc/NEWS.d/next/Library/2024-08-26-13-45-20.gh-issue-123270.gXHvNJ.rst  3
-rw-r--r--  Misc/NEWS.d/next/Security/2024-03-27-13-50-02.gh-issue-116741.ZoGryG.rst  1
-rw-r--r--  Misc/NEWS.d/next/Security/2024-04-19-11-21-13.gh-issue-114572.t1QMQD.rst  4
-rw-r--r--  Misc/NEWS.d/next/Security/2024-05-01-20-57-09.gh-issue-118486.K44KJG.rst  4
-rw-r--r--  Misc/NEWS.d/next/Security/2024-07-02-13-39-20.gh-issue-121285.hrl-yI.rst  2
-rw-r--r--  Misc/NEWS.d/next/Security/2024-07-22-13-11-28.gh-issue-122133.0mPeta.rst  5
-rw-r--r--  Misc/NEWS.d/next/Security/2024-07-22-13-14-38.gh-issue-121957.FYkcOt.rst  3
-rw-r--r--  Misc/NEWS.d/next/Security/2024-09-04-12-41-35.gh-issue-123678.N41y9n.rst  1
-rw-r--r--  Misc/NEWS.d/next/Tests/2024-03-24-23-49-25.gh-issue-117187.eMLT5n.rst  1
-rw-r--r--  Misc/NEWS.d/next/Tests/2024-05-25-17-06-01.gh-issue-112769.kdLJmS.rst  3
-rw-r--r--  Misc/NEWS.d/next/Windows/2024-03-14-01-58-22.gh-issue-116773.H2UldY.rst  1
-rw-r--r--  Misc/NEWS.d/next/Windows/2024-05-29-17-05-28.gh-issue-119690.U6RMtm.rst  2
-rw-r--r--  README.rst  2
21 files changed, 206 insertions, 61 deletions
diff --git a/Include/patchlevel.h b/Include/patchlevel.h
index 5a5fadd25a4..7ed78c7b132 100644
--- a/Include/patchlevel.h
+++ b/Include/patchlevel.h
@@ -18,12 +18,12 @@
/*--start constants--*/
#define PY_MAJOR_VERSION 3
#define PY_MINOR_VERSION 9
-#define PY_MICRO_VERSION 19
+#define PY_MICRO_VERSION 20
#define PY_RELEASE_LEVEL PY_RELEASE_LEVEL_FINAL
#define PY_RELEASE_SERIAL 0
/* Version as a string */
-#define PY_VERSION "3.9.19+"
+#define PY_VERSION "3.9.20"
/*--end constants--*/
/* Version as a single 4-byte hex number, e.g. 0x010502B2 == 1.5.2b2.
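Review bot: PY_VERSION drops its "+" suffix here ("3.9.19+" becomes "3.9.20"), so any build made from this branch after the tag will report itself as the exact 3.9.20 release until a follow-up commit restores a suffixed string such as "3.9.20+". Version strings are what patch-level audits key on, so it is worth confirming that the post-release bump lands right after tagging. PY_RELEASE_LEVEL and PY_RELEASE_SERIAL are untouched context lines and already match a final release.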
diff --git a/Misc/NEWS.d/3.9.20.rst b/Misc/NEWS.d/3.9.20.rst
new file mode 100644
index 00000000000..1fb9f18bfb8
--- /dev/null
+++ b/Misc/NEWS.d/3.9.20.rst
@@ -0,0 +1,203 @@
+.. date: 2024-05-29-17-05-28
+.. gh-issue: 119690
+.. nonce: U6RMtm
+.. release date: 2024-09-06
+.. section: Windows
+
+Fixes data type confusion in audit events raised by ``_winapi.CreateFile``
+and ``_winapi.CreateNamedPipe``.
+
+..
+
+.. date: 2024-03-14-01-58-22
+.. gh-issue: 116773
+.. nonce: H2UldY
+.. section: Windows
+
+Fix instances of ``<_overlapped.Overlapped object at 0xXXX> still has
+pending operation at deallocation, the process may crash``.
+
+..
+
+.. date: 2024-05-25-17-06-01
+.. gh-issue: 112769
+.. nonce: kdLJmS
+.. section: Tests
+
+The tests now correctly compare zlib version when
+:const:`zlib.ZLIB_RUNTIME_VERSION` contains non-integer suffixes. For
+example zlib-ng defines the version as ``1.3.0.zlib-ng``.
+
+..
+
+.. date: 2024-03-24-23-49-25
+.. gh-issue: 117187
+.. nonce: eMLT5n
+.. section: Tests
+
+Fix XML tests for vanilla Expat <2.6.0.
+
+..
+
+.. date: 2024-09-04-12-41-35
+.. gh-issue: 123678
+.. nonce: N41y9n
+.. section: Security
+
+Upgrade libexpat to 2.6.3
+
+..
+
+.. date: 2024-07-22-13-14-38
+.. gh-issue: 121957
+.. nonce: FYkcOt
+.. section: Security
+
+Fixed missing audit events around interactive use of Python, now also
+properly firing for ``python -i``, as well as for ``python -m asyncio``. The
+event in question is ``cpython.run_stdin``.
+
+..
+
+.. date: 2024-07-22-13-11-28
+.. gh-issue: 122133
+.. nonce: 0mPeta
+.. section: Security
+
+Authenticate the socket connection for the ``socket.socketpair()`` fallback
+on platforms where ``AF_UNIX`` is not available like Windows.
+
+Patch by Gregory P. Smith <greg@krypto.org> and Seth Larson
+<seth@python.org>. Reported by Ellie <el@horse64.org>
+
+..
+
+.. date: 2024-07-02-13-39-20
+.. gh-issue: 121285
+.. nonce: hrl-yI
+.. section: Security
+
+Remove backtracking from tarfile header parsing for ``hdrcharset``, PAX, and
+GNU sparse headers.
+
+..
+
+.. date: 2024-05-01-20-57-09
+.. gh-issue: 118486
+.. nonce: K44KJG
+.. section: Security
+
+:func:`os.mkdir` on Windows now accepts *mode* of ``0o700`` to restrict the
+new directory to the current user. This fixes CVE-2024-4030 affecting
+:func:`tempfile.mkdtemp` in scenarios where the base temporary directory is
+more permissive than the default.
+
+..
+
+.. date: 2024-04-19-11-21-13
+.. gh-issue: 114572
+.. nonce: t1QMQD
+.. section: Security
+
+:meth:`ssl.SSLContext.cert_store_stats` and
+:meth:`ssl.SSLContext.get_ca_certs` now correctly lock access to the
+certificate store, when the :class:`ssl.SSLContext` is shared across
+multiple threads.
+
+..
+
+.. date: 2024-03-27-13-50-02
+.. gh-issue: 116741
+.. nonce: ZoGryG
+.. section: Security
+
+Update bundled libexpat to 2.6.2
+
+..
+
+.. date: 2024-08-26-13-45-20
+.. gh-issue: 123270
+.. nonce: gXHvNJ
+.. section: Library
+
+Applied a more surgical fix for malformed payloads in :class:`zipfile.Path`
+causing infinite loops (gh-122905) without breaking contents using
+legitimate characters.
+
+..
+
+.. date: 2024-08-16-19-13-21
+.. gh-issue: 123067
+.. nonce: Nx9O4R
+.. section: Library
+
+Fix quadratic complexity in parsing ``"``-quoted cookie values with
+backslashes by :mod:`http.cookies`.
+
+..
+
+.. date: 2024-07-27-16-10-41
+.. gh-issue: 121650
+.. nonce: nf6oc9
+.. section: Library
+
+:mod:`email` headers with embedded newlines are now quoted on output. The
+:mod:`~email.generator` will now refuse to serialize (write) headers that
+are unsafely folded or delimited; see
+:attr:`~email.policy.Policy.verify_generated_headers`. (Contributed by Bas
+Bloemsaat and Petr Viktorin in :gh:`121650`.)
+
+..
+
+.. date: 2024-03-14-01-38-44
+.. gh-issue: 113171
+.. nonce: VFnObz
+.. section: Library
+
+Fixed various false positives and false negatives in
+
+* :attr:`ipaddress.IPv4Address.is_private` (see these docs for details)
+* :attr:`ipaddress.IPv4Address.is_global`
+* :attr:`ipaddress.IPv6Address.is_private`
+* :attr:`ipaddress.IPv6Address.is_global`
+
+Also in the corresponding :class:`ipaddress.IPv4Network` and
+:class:`ipaddress.IPv6Network` attributes.
+
+..
+
+.. date: 2023-10-20-15-28-08
+.. gh-issue: 102988
+.. nonce: dStNO7
+.. section: Library
+
+:func:`email.utils.getaddresses` and :func:`email.utils.parseaddr` now
+return ``('', '')`` 2-tuples in more situations where invalid email
+addresses are encountered instead of potentially inaccurate values. Add
+optional *strict* parameter to these two functions: use ``strict=False`` to
+get the old behavior, accept malformed inputs. ``getattr(email.utils,
+'supports_strict_parsing', False)`` can be use to check if the *strict*
+paramater is available. Patch by Thomas Dwyer and Victor Stinner to improve
+the CVE-2023-27043 fix.
+
+..
+
+.. date: 2019-08-27-01-16-50
+.. gh-issue: 67693
+.. nonce: 4NIAiy
+.. section: Library
+
+Fix :func:`urllib.parse.urlunparse` and :func:`urllib.parse.urlunsplit` for
+URIs with path starting with multiple slashes and no authority. Based on
+patch by Ashwin Ramaswami.
+
+..
+
+.. date: 2024-09-04-18-20-11
+.. gh-issue: 112275
+.. nonce: W_iMiB
+.. section: Core and Builtins
+
+A deadlock involving ``pystate.c``'s ``HEAD_LOCK`` in ``posixmodule.c`` at
+fork is now fixed. Patch by ChuBoning based on previous Python 3.12 fix by
+Victor Stinner.
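Review bot: The gh-102988 entry carries two typos in the added text: "can be use to check" should read "can be used to check", and "paramater" should be "parameter". In the same entry, "to get the old behavior, accept malformed inputs" would read more clearly as "to get the old behavior and accept malformed inputs". In the gh-113171 entry, "(see these docs for details)" has no link target in the reST, so the reference leads nowhere; add the target or drop the parenthetical. The gh-102988 entry names CVE-2023-27043 but is filed under "section: Library", while the CVE-2024-4030 entry (gh-118486) is under Security; consider moving it so that readers scanning the Security section for CVE fixes see both.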
diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2024-09-04-18-20-11.gh-issue-112275.W_iMiB.rst b/Misc/NEWS.d/next/Core_and_Builtins/2024-09-04-18-20-11.gh-issue-112275.W_iMiB.rst
deleted file mode 100644
index d663be1867e..00000000000
--- a/Misc/NEWS.d/next/Core_and_Builtins/2024-09-04-18-20-11.gh-issue-112275.W_iMiB.rst
+++ /dev/null
@@ -1,3 +0,0 @@
-A deadlock involving ``pystate.c``'s ``HEAD_LOCK`` in ``posixmodule.c``
-at fork is now fixed. Patch by ChuBoning based on previous Python 3.12
-fix by Victor Stinner.
diff --git a/Misc/NEWS.d/next/Library/2019-08-27-01-16-50.gh-issue-67693.4NIAiy.rst b/Misc/NEWS.d/next/Library/2019-08-27-01-16-50.gh-issue-67693.4NIAiy.rst
deleted file mode 100644
index 22457df03e6..00000000000
--- a/Misc/NEWS.d/next/Library/2019-08-27-01-16-50.gh-issue-67693.4NIAiy.rst
+++ /dev/null
@@ -1,2 +0,0 @@
-Fix :func:`urllib.parse.urlunparse` and :func:`urllib.parse.urlunsplit` for URIs with path starting with multiple slashes and no authority.
-Based on patch by Ashwin Ramaswami.
diff --git a/Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst b/Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst
deleted file mode 100644
index 3d0e9e4078c..00000000000
--- a/Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst
+++ /dev/null
@@ -1,8 +0,0 @@
-:func:`email.utils.getaddresses` and :func:`email.utils.parseaddr` now
-return ``('', '')`` 2-tuples in more situations where invalid email
-addresses are encountered instead of potentially inaccurate values. Add
-optional *strict* parameter to these two functions: use ``strict=False`` to
-get the old behavior, accept malformed inputs.
-``getattr(email.utils, 'supports_strict_parsing', False)`` can be use to check
-if the *strict* paramater is available. Patch by Thomas Dwyer and Victor
-Stinner to improve the CVE-2023-27043 fix.
diff --git a/Misc/NEWS.d/next/Library/2024-03-14-01-38-44.gh-issue-113171.VFnObz.rst b/Misc/NEWS.d/next/Library/2024-03-14-01-38-44.gh-issue-113171.VFnObz.rst
deleted file mode 100644
index f9a72473be4..00000000000
--- a/Misc/NEWS.d/next/Library/2024-03-14-01-38-44.gh-issue-113171.VFnObz.rst
+++ /dev/null
@@ -1,9 +0,0 @@
-Fixed various false positives and false negatives in
-
-* :attr:`ipaddress.IPv4Address.is_private` (see these docs for details)
-* :attr:`ipaddress.IPv4Address.is_global`
-* :attr:`ipaddress.IPv6Address.is_private`
-* :attr:`ipaddress.IPv6Address.is_global`
-
-Also in the corresponding :class:`ipaddress.IPv4Network` and :class:`ipaddress.IPv6Network`
-attributes.
diff --git a/Misc/NEWS.d/next/Library/2024-07-27-16-10-41.gh-issue-121650.nf6oc9.rst b/Misc/NEWS.d/next/Library/2024-07-27-16-10-41.gh-issue-121650.nf6oc9.rst
deleted file mode 100644
index 83dd28d4ac5..00000000000
--- a/Misc/NEWS.d/next/Library/2024-07-27-16-10-41.gh-issue-121650.nf6oc9.rst
+++ /dev/null
@@ -1,5 +0,0 @@
-:mod:`email` headers with embedded newlines are now quoted on output. The
-:mod:`~email.generator` will now refuse to serialize (write) headers that
-are unsafely folded or delimited; see
-:attr:`~email.policy.Policy.verify_generated_headers`. (Contributed by Bas
-Bloemsaat and Petr Viktorin in :gh:`121650`.)
diff --git a/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst b/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
deleted file mode 100644
index 6a234561fe3..00000000000
--- a/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
+++ /dev/null
@@ -1 +0,0 @@
-Fix quadratic complexity in parsing ``"``-quoted cookie values with backslashes by :mod:`http.cookies`.
diff --git a/Misc/NEWS.d/next/Library/2024-08-26-13-45-20.gh-issue-123270.gXHvNJ.rst b/Misc/NEWS.d/next/Library/2024-08-26-13-45-20.gh-issue-123270.gXHvNJ.rst
deleted file mode 100644
index ee9fde6a9ed..00000000000
--- a/Misc/NEWS.d/next/Library/2024-08-26-13-45-20.gh-issue-123270.gXHvNJ.rst
+++ /dev/null
@@ -1,3 +0,0 @@
-Applied a more surgical fix for malformed payloads in :class:`zipfile.Path`
-causing infinite loops (gh-122905) without breaking contents using
-legitimate characters.
diff --git a/Misc/NEWS.d/next/Security/2024-03-27-13-50-02.gh-issue-116741.ZoGryG.rst b/Misc/NEWS.d/next/Security/2024-03-27-13-50-02.gh-issue-116741.ZoGryG.rst
deleted file mode 100644
index 12a41948066..00000000000
--- a/Misc/NEWS.d/next/Security/2024-03-27-13-50-02.gh-issue-116741.ZoGryG.rst
+++ /dev/null
@@ -1 +0,0 @@
-Update bundled libexpat to 2.6.2
diff --git a/Misc/NEWS.d/next/Security/2024-04-19-11-21-13.gh-issue-114572.t1QMQD.rst b/Misc/NEWS.d/next/Security/2024-04-19-11-21-13.gh-issue-114572.t1QMQD.rst
deleted file mode 100644
index b4f9fe64db0..00000000000
--- a/Misc/NEWS.d/next/Security/2024-04-19-11-21-13.gh-issue-114572.t1QMQD.rst
+++ /dev/null
@@ -1,4 +0,0 @@
-:meth:`ssl.SSLContext.cert_store_stats` and
-:meth:`ssl.SSLContext.get_ca_certs` now correctly lock access to the
-certificate store, when the :class:`ssl.SSLContext` is shared across
-multiple threads.
diff --git a/Misc/NEWS.d/next/Security/2024-05-01-20-57-09.gh-issue-118486.K44KJG.rst b/Misc/NEWS.d/next/Security/2024-05-01-20-57-09.gh-issue-118486.K44KJG.rst
deleted file mode 100644
index a28a4e5cdb6..00000000000
--- a/Misc/NEWS.d/next/Security/2024-05-01-20-57-09.gh-issue-118486.K44KJG.rst
+++ /dev/null
@@ -1,4 +0,0 @@
-:func:`os.mkdir` on Windows now accepts *mode* of ``0o700`` to restrict
-the new directory to the current user. This fixes CVE-2024-4030
-affecting :func:`tempfile.mkdtemp` in scenarios where the base temporary
-directory is more permissive than the default.
diff --git a/Misc/NEWS.d/next/Security/2024-07-02-13-39-20.gh-issue-121285.hrl-yI.rst b/Misc/NEWS.d/next/Security/2024-07-02-13-39-20.gh-issue-121285.hrl-yI.rst
deleted file mode 100644
index 81f918bfe2b..00000000000
--- a/Misc/NEWS.d/next/Security/2024-07-02-13-39-20.gh-issue-121285.hrl-yI.rst
+++ /dev/null
@@ -1,2 +0,0 @@
-Remove backtracking from tarfile header parsing for ``hdrcharset``, PAX, and
-GNU sparse headers.
diff --git a/Misc/NEWS.d/next/Security/2024-07-22-13-11-28.gh-issue-122133.0mPeta.rst b/Misc/NEWS.d/next/Security/2024-07-22-13-11-28.gh-issue-122133.0mPeta.rst
deleted file mode 100644
index 3544eb3824d..00000000000
--- a/Misc/NEWS.d/next/Security/2024-07-22-13-11-28.gh-issue-122133.0mPeta.rst
+++ /dev/null
@@ -1,5 +0,0 @@
-Authenticate the socket connection for the ``socket.socketpair()`` fallback
-on platforms where ``AF_UNIX`` is not available like Windows.
-
-Patch by Gregory P. Smith <greg@krypto.org> and Seth Larson <seth@python.org>. Reported by Ellie
-<el@horse64.org>
diff --git a/Misc/NEWS.d/next/Security/2024-07-22-13-14-38.gh-issue-121957.FYkcOt.rst b/Misc/NEWS.d/next/Security/2024-07-22-13-14-38.gh-issue-121957.FYkcOt.rst
deleted file mode 100644
index ff4614b000c..00000000000
--- a/Misc/NEWS.d/next/Security/2024-07-22-13-14-38.gh-issue-121957.FYkcOt.rst
+++ /dev/null
@@ -1,3 +0,0 @@
-Fixed missing audit events around interactive use of Python, now also
-properly firing for ``python -i``, as well as for ``python -m asyncio``. The
-event in question is ``cpython.run_stdin``.
diff --git a/Misc/NEWS.d/next/Security/2024-09-04-12-41-35.gh-issue-123678.N41y9n.rst b/Misc/NEWS.d/next/Security/2024-09-04-12-41-35.gh-issue-123678.N41y9n.rst
deleted file mode 100644
index b70f578415f..00000000000
--- a/Misc/NEWS.d/next/Security/2024-09-04-12-41-35.gh-issue-123678.N41y9n.rst
+++ /dev/null
@@ -1 +0,0 @@
-Upgrade libexpat to 2.6.3
diff --git a/Misc/NEWS.d/next/Tests/2024-03-24-23-49-25.gh-issue-117187.eMLT5n.rst b/Misc/NEWS.d/next/Tests/2024-03-24-23-49-25.gh-issue-117187.eMLT5n.rst
deleted file mode 100644
index 0c0b0e0f443..00000000000
--- a/Misc/NEWS.d/next/Tests/2024-03-24-23-49-25.gh-issue-117187.eMLT5n.rst
+++ /dev/null
@@ -1 +0,0 @@
-Fix XML tests for vanilla Expat <2.6.0.
diff --git a/Misc/NEWS.d/next/Tests/2024-05-25-17-06-01.gh-issue-112769.kdLJmS.rst b/Misc/NEWS.d/next/Tests/2024-05-25-17-06-01.gh-issue-112769.kdLJmS.rst
deleted file mode 100644
index 1bbbb26fc32..00000000000
--- a/Misc/NEWS.d/next/Tests/2024-05-25-17-06-01.gh-issue-112769.kdLJmS.rst
+++ /dev/null
@@ -1,3 +0,0 @@
-The tests now correctly compare zlib version when
-:const:`zlib.ZLIB_RUNTIME_VERSION` contains non-integer suffixes. For
-example zlib-ng defines the version as ``1.3.0.zlib-ng``.
diff --git a/Misc/NEWS.d/next/Windows/2024-03-14-01-58-22.gh-issue-116773.H2UldY.rst b/Misc/NEWS.d/next/Windows/2024-03-14-01-58-22.gh-issue-116773.H2UldY.rst
deleted file mode 100644
index 8fc3fe80041..00000000000
--- a/Misc/NEWS.d/next/Windows/2024-03-14-01-58-22.gh-issue-116773.H2UldY.rst
+++ /dev/null
@@ -1 +0,0 @@
-Fix instances of ``<_overlapped.Overlapped object at 0xXXX> still has pending operation at deallocation, the process may crash``.
diff --git a/Misc/NEWS.d/next/Windows/2024-05-29-17-05-28.gh-issue-119690.U6RMtm.rst b/Misc/NEWS.d/next/Windows/2024-05-29-17-05-28.gh-issue-119690.U6RMtm.rst
deleted file mode 100644
index 44889794d9a..00000000000
--- a/Misc/NEWS.d/next/Windows/2024-05-29-17-05-28.gh-issue-119690.U6RMtm.rst
+++ /dev/null
@@ -1,2 +0,0 @@
-Fixes data type confusion in audit events raised by ``_winapi.CreateFile``
-and ``_winapi.CreateNamedPipe``.
diff --git a/README.rst b/README.rst
index 592b98880af..abe33630048 100644
--- a/README.rst
+++ b/README.rst
@@ -1,4 +1,4 @@
-This is Python version 3.9.19
+This is Python version 3.9.20
=============================
.. image:: https://travis-ci.org/python/cpython.svg?branch=3.9