SUSE-SU-2022:2174-1

This update for python39 fixes the following issues:

• CVE-2015-20107: avoid command injection in the mailcap module (bsc#1198511).

• Update to 3.9.13:

  • Core and Builtins
    • gh-92311: Fixed a bug where setting frame.f_lineno to jump over a list comprehension could misbehave or crash.
    • gh-92112: Fix crash triggered by an evil custom mro() on a metaclass.
    • gh-92036: Fix a crash in subinterpreters related to the garbage collector. When a subinterpreter is deleted, untrack all objects tracked by its GC. To prevent a crash in deallocator functions expecting objects to be tracked by the GC, leak a strong reference to these objects on purpose, so they are never deleted and their deallocator functions are not called. Patch by Victor Stinner.
    • gh-91421: Fix a potential integer overflow in PyDecodeUTF8Ex.
    • bpo-46775: Some Windows system error codes(>= 10000) are now mapped into the correct errno and may now raise a subclass of OSError. Patch by Dong-hee Na.
    • bpo-46962: Classes and functions that unconditionally declared their docstrings ignoring the --without-doc-strings compilation flag no longer do so.
    • The classes affected are pickle.PickleBuffer, testcapi.RecursingInfinitelyError, and types.GenericAlias.
    • The functions affected are 24 methods in ctypes.
    • Patch by Oleg Iarygin.
    • bpo-36819: Fix crashes in built-in encoders with error handlers that return position less or equal than the starting position of non-encodable characters.
  • Library
    • gh-91581: utcfromtimestamp() no longer attempts to resolve fold in the pure Python implementation, since the fold is never 1 in UTC. In addition to being slightly faster in the common case, this also prevents some errors when the timestamp is close to datetime.min. Patch by Paul Ganssle.
    • gh-92530: Fix an issue that occurred after interrupting threading.Condition.notify().
    • gh-92049: Forbid pickling constants re.constants.SUCCESS etc. Previously, pickling did not fail, but the result could not be unpickled.
    • bpo-47029: Always close the read end of the pipe used by multiprocessing.Queue after the last write of buffered data to the write end of the pipe to avoid BrokenPipeError at garbage collection and at multiprocessing.Queue.close() calls. Patch by G�ry Ogam.
    • gh-91910: Add missing f prefix to f-strings in error messages from the multiprocessing and asyncio modules.
    • gh-91810: ElementTree method write() and function tostring() now use the text file''s encoding ('UTF-8' if not available) instead of locale encoding in XML declaration when encoding='unicode' is specified.
    • gh-91832: Add required attribute to argparse.Action repr output.
    • gh-91734: Fix OSS audio support on Solaris.
    • gh-91700: Compilation of regular expression containing a conditional expression (?(group)...) now raises an appropriate re.error if the group number refers to not defined group. Previously an internal RuntimeError was raised.
    • gh-91676: Fix unittest.IsolatedAsyncioTestCase to shutdown the per test event loop executor before returning from its run method so that a not yet stopped or garbage collected executor state does not persist beyond the test.
    • gh-90568: Parsing \N escapes of Unicode Named Character Sequences in a regular expression raises now re.error instead of TypeError.
    • gh-91595: Fix the comparison of character and integer inside Tools.gdb.libpython.writerepr(). Patch by Yu Liu.
    • gh-90622: Worker processes for concurrent.futures.ProcessPoolExecutor are no longer spawned on demand (a feature added in 3.9) when the multiprocessing context start method is 'fork' as that can lead to deadlocks in the child processes due to a fork happening while threads are running.
    • gh-91575: Update case-insensitive matching in the re module to the latest Unicode version.
    • gh-91581: Remove an unhandled error case in the C implementation of calls to datetime.fromtimestamp with no time zone (i.e. getting a local time from an epoch timestamp). This should have no user-facing effect other than giving a possibly more accurate error message when called with timestamps that fall on 10000-01-01 in the local time. Patch by Paul Ganssle.
    • bpo-34480: Fix a bug where markupbase raised an UnboundLocalError when an invalid keyword was found in marked section. Patch by Marek Suscak.
    • bpo-27929: Fix asyncio.loop.sockconnect() to only resolve names for socket.AFINET or socket.AFINET6 families. Resolution may not make sense for other families, like socket.AFBLUETOOTH and socket.AFUNIX.
    • bpo-43323: Fix errors in the email module if the charset itself contains undecodable/unencodable characters.
    • bpo-46787: Fix concurrent.futures.ProcessPoolExecutor exception memory leak
    • bpo-46415: Fix ipaddress.ip{address,interface,network} raising TypeError instead of ValueError if given invalid tuple as address parameter.
    • bpo-44911: IsolatedAsyncioTestCase will no longer throw an exception while cancelling leaked tasks. Patch by Bar Harel.
    • bpo-44493: Add missing terminated NUL in sockaddrun's length
    • This was potentially observable when using non-abstract AF_UNIX datagram sockets to processes written in another programming language.
    • bpo-42627: Fix incorrect parsing of Windows registry proxy settings
    • bpo-36073: Raise ProgrammingError instead of segfaulting on recursive usage of cursors in sqlite3 converters. Patch by Sergey Fedoseev.
  • Documentation
    • gh-91888: Add a new gh role to the documentation to link to GitHub issues.
    • gh-91783: Document security issues concerning the use of the function shutil.unpackarchive()
    • gh-91547: Remove 'Undocumented modules' page.
    • bpo-44347: Clarify the meaning of dirsexistok, a kwarg of shutil.copytree().
    • bpo-38668: Update the introduction to documentation for os.path to remove warnings that became irrelevant after the implementations of PEP 383 and PEP 529.
    • bpo-47138: Pin Jinja to a version compatible with Sphinx version 2.4.4.
    • bpo-46962: All docstrings in code snippets are now wrapped into PyDocSTR() to follow the guideline of PEP 7's Documentation Strings paragraph. Patch by Oleg Iarygin.
    • bpo-26792: Improve the docstrings of runpy.runmodule() and runpy.runpath(). Original patch by Andrew Brezovsky.
    • bpo-45790: Adjust inaccurate phrasing in Defining Extension Types: Tutorial about the ob_base field and the macros used to access its contents.
    • bpo-42340: Document that in some circumstances KeyboardInterrupt may cause the code to enter an inconsistent state. Provided a sample workaround to avoid it if needed.
    • bpo-41233: Link the errnos referenced in Doc/library/exceptions.rst to their respective section in Doc/library/errno.rst, and vice versa. Previously this was only done for EINTR and InterruptedError. Patch by Yan 'yyyyyyyan' Orestes.
    • bpo-38056: Overhaul the Error Handlers documentation in codecs.
    • bpo-13553: Document tkinter.Tk args.
  • Tests
    • gh-91607: Fix testconcurrentfutures to test the correct multiprocessing start method context in several cases where the test logic mixed this up.
    • bpo-47205: Skip test for schedgetaffinity() and schedsetaffinity() error case on FreeBSD.
    • bpo-29890: Add tests for ipaddress.IPv4Interface and ipaddress.IPv6Interface construction with tuple arguments. Original patch and tests by louisom.
  • Build
    • bpo-47103: Windows PGInstrument builds now copy a required DLL into the output directory, making it easier to run the profile stage of a PGO build.
  • Windows
    • bpo-47194: Update zlib to v1.2.12 to resolve CVE-2018-25032.
    • bpo-46785: Fix race condition between os.stat() and unlinking a file on Windows, by using errors codes returned by FindFirstFileW() when appropriate in win32xstatimpl.
    • bpo-40859: Update Windows build to use xz-5.2.5
  • Tools/Demos
    • gh-91583: Fix regression in the code generated by Argument Clinic for functions with the defining_class parameter.

• Update to 3.9.12:

  • bpo-46968: Check for the existence of the 'sys/auxv.h' header in faulthandler to avoid compilation problems in systems where this header doesn't exist. Patch by Pablo Galindo
  • bpo-47101: hashlib.algorithms_available now lists only algorithms that are provided by activated crypto providers on OpenSSL 3.0. Legacy algorithms are not listed unless the legacy provider has been loaded into the default OSSL context.
  • bpo-23691: Protect the re.finditer() iterator from re-entering.
  • bpo-42369: Fix thread safety of zipfile._SharedFile.tell() to avoid a 'zipfile.BadZipFile: Bad CRC-32 for file' exception when reading a ZipFile from multiple threads.
  • bpo-38256: Fix binascii.crc32() when it is compiled to use zlib'c crc32 to work properly on inputs 4+GiB in length instead of returning the wrong result. The workaround prior to this was to always feed the function data in increments smaller than 4GiB or to just call the zlib module function.
  • bpo-39394: A warning about inline flags not at the start of the regular expression now contains the position of the flag.
  • bpo-47061: Deprecate the various modules listed by PEP 594:
  • aifc, asynchat, asyncore, audioop, cgi, cgitb, chunk, crypt, imghdr, msilib, nntplib, nis, ossaudiodev, pipes, smtpd, sndhdr, spwd, sunau, telnetlib, uu, xdrlib
  • bpo-2604: Fix bug where doctests using globals would fail when run multiple times.
  • bpo-45997: Fix asyncio.Semaphore re-aquiring FIFO order.
  • bpo-47022: The asynchat, asyncore and smtpd modules have been deprecated since at least Python 3.6. Their documentation has now been updated to note they will removed in Python 3.12 (PEP 594).
  • bpo-46421: Fix a unittest issue where if the command was invoked as python -m unittest and the filename(s) began with a dot (.), a ValueError is returned.
  • bpo-40296: Fix supporting generic aliases in pydoc.
  • bpo-14156: argparse.FileType now supports an argument of '-'; in binary mode, returning the .buffer attribute of sys.stdin/sys.stdout as appropriate. Modes including 'x' and 'a' are treated equivalently to 'w' when argument is '-'. Patch contributed by Josh Rosenberg
• Update to 3.9.11:
  • bpo-46852: Rename the private undocumented float.setformat() method to float.setformat() to fix a typo introduced in Python 3.7. The method is only used by testfloat. Patch by Victor Stinner.
  • bpo-46794: Bump up the libexpat version into 2.4.6
  • bpo-46762: Fix an assert failure in debug builds when a '<', '>', or '=' is the last character in an f-string that's missing a closing right brace.
  • bpo-46732: Correct the docstring for the bool() method. Patch by Jelle Zijlstra.
  • bpo-40479: Add a missing call to vaend() in Modules/hashopenssl.c.
  • bpo-46615: When iterating over sets internally in setobject.c, acquire strong references to the resulting items from the set. This prevents crashes in corner-cases of various set operations where the set gets mutated.
  • bpo-43721: Fix docstrings of getter, setter, and deleter to clarify that they create a new copy of the property.
  • bpo-46503: Fix an assert when parsing some invalid N escape sequences in f-strings.
  • bpo-46417: Fix a race condition on setting a type bases attribute: the internal function addsubclass() now gets the PyTypeObject.tpsubclasses member after calling PyWeakrefNewRef() which can trigger a garbage collection which can indirectly modify PyTypeObject.tpsubclasses. Patch by Victor Stinner.
  • bpo-46383: Fix invalid signature of zoneinfo's modulefree function to resolve a crash on wasm32-emscripten platform.
  • bpo-43253: Fix a crash when closing transports where the underlying socket handle is already invalid on the Proactor event loop.
  • bpo-47004: Apply bugfixes from importlibmetadata 4.11.3, including bugfix for EntryPoint.extras, which was returning match objects and not the extras strings.
  • bpo-46985: Upgrade pip wheel bundled with ensurepip (pip 22.0.4)
  • bpo-46968: faulthandler: On Linux 5.14 and newer, dynamically determine size of signal handler stack size CPython allocates using getauxval(ATMINSIGSTKSZ). This changes allows for Python extension's request to Linux kernel to use AMXTILE instruction set on Sapphire Rapids Xeon processor to succeed, unblocking use of the ISA in frameworks.
  • bpo-46955: Expose asyncio.baseevents.Server as asyncio.Server. Patch by Stefan Zabka.
  • bpo-46932: Update bundled libexpat to 2.4.7
  • bpo-25707: Fixed a file leak in xml.etree.ElementTree.iterparse() when the iterator is not exhausted. Patch by Jacob Walls.
  • bpo-44886: Inherit asyncio proactor datagram transport from asyncio.DatagramTransport.
  • bpo-46827: Support UDP sockets in asyncio.loop.sockconnect() for selector-based event loops. Patch by Thomas Grainger.
  • bpo-46811: Make test suite support Expat >=2.4.5
  • bpo-46252: Raise TypeError if ssl.SSLSocket is passed to transport-based APIs.
  • bpo-46784: Fix libexpat symbols collisions with user dynamically loaded or statically linked libexpat in embedded Python.
  • bpo-39327: shutil.rmtree() can now work with VirtualBox shared folders when running from the guest operating-system.
  • bpo-46756: Fix a bug in urllib.request.HTTPPasswordMgr.finduserpassword() and urllib.request.HTTPPasswordMgrWithPriorAuth.isauthenticated() which allowed to bypass authorization. For example, access to URI example.org/foobar was allowed if the user was authorized for URI example.org/foo.
  • bpo-45863: When the tarfile module creates a pax format archive, it will put an integer representation of timestamps in the ustar header (if possible) for the benefit of older unarchivers, in addition to the existing full-precision timestamps in the pax extended header.
  • bpo-46672: Fix NameError in asyncio.gather() when initial type check fails.
  • bpo-45948: Fixed a discrepancy in the C implementation of the xml.etree.ElementTree module. Now, instantiating an xml.etree.ElementTree.XMLParser with a target=None keyword provides a default xml.etree.ElementTree.TreeBuilder target as the Python implementation does.
  • bpo-46591: Make the IDLE doc URL on the About IDLE dialog clickable.
  • bpo-46400: expat: Update libexpat from 2.4.1 to 2.4.4
  • bpo-46487: Add the getwritebufferlimits method to asyncio.transports.WriteTransport and to the SSL transport.
  • bpo-46539: In typing.gettypehints(), support evaluating stringified ClassVar and Final annotations inside Annotated. Patch by Gregory Beauregard.
  • bpo-46491: Allow typing.Annotated to wrap typing.Final and typing.ClassVar. Patch by Gregory Beauregard.
  • bpo-46436: Fix command-line option -d/--directory in module http.server which is ignored when combined with command-line option --cgi. Patch by G�ry Ogam.
  • bpo-41403: Make mock.patch() raise a TypeError with a relevant error message on invalid arg. Previously it allowed a cryptic AttributeError to escape.
  • bpo-46474: In importlib.metadata.EntryPoint.pattern, avoid potential REDoS by limiting ambiguity in consecutive whitespace.
  • bpo-46469: asyncio generic classes now return types.GenericAlias in classgetitem instead of the same class.
  • bpo-46434: pdb now gracefully handles help when doc is missing, for example when run with pregenerated optimized .pyc files.
  • bpo-46333: The eq() and hash() methods of typing.ForwardRef now honor the module parameter of typing.ForwardRef. Forward references from different modules are now differentiated.
  • bpo-43118: Fix a bug in inspect.signature() that was causing it to fail on some subclasses of classes with a textsignature referencing module globals. Patch by Weipeng Hong.
  • bpo-21987: Fix an issue with tarfile.TarFile.getmember() getting a directory name with a trailing slash.
  • bpo-20392: Fix inconsistency with uppercase file extensions in MimeTypes.guesstype(). Patch by Kumar Aditya.
  • bpo-46080: Fix exception in argparse help text generation if a argparse.BooleanOptionalAction argument's default is argparse.SUPPRESS and it has help specified. Patch by Felix Fontein.
  • bpo-44439: Fix .write() method of a member file in ZipFile, when the input data is an object that supports the buffer protocol, the file length may be wrong.
  • bpo-45703: When a namespace package is imported before another module from the same namespace is created/installed in a different sys.path location while the program is running, calling the importlib.invalidatecaches() function will now also guarantee the new module is noticed.
  • bpo-24959: Fix bug where unittest sometimes drops frames from tracebacks of exceptions raised in tests.
  • bpo-46463: Fixes escape4chm.py script used when building the CHM documentation file
  • bpo-46913: Fix testfaulthandler.testsigfpe() if Python is built with undefined behavior sanitizer (UBSAN): disable UBSAN on the faulthandlersigfpe() function. Patch by Victor Stinner.
  • bpo-46708: Prevent default asyncio event loop policy modification warning after testasyncio execution.
  • bpo-46616: Ensures testimportlib.testwindows cleans up registry keys after completion.
  • bpo-44359: testftplib now silently ignores socket errors to prevent logging unhandled threading exceptions. Patch by Victor Stinner.
  • bpo-46542: Fix a Python crash in testlib2to3 when using Python built in debug mode: limit the recursion limit. Patch by Victor Stinner.
  • bpo-46576: testpeggenerator now disables compiler optimization when testing compilation of its own C extensions to significantly speed up the testing on non-debug builds of CPython.
  • bpo-46542: Fix testjson tests checking for RecursionError: modify these tests to use support.infiniterecursion(). Patch by Victor Stinner.
  • bpo-13886: Skip testbuiltin PTY tests on non-ASCII characters if the readline module is loaded. The readline module changes input() behavior, but testbuiltin is not intented to test the readline module. Patch by Victor Stinner.
  • bpo-38472: Fix GCC detection in setup.py when cross-compiling. The C compiler is now run with LCALL=C. Previously, the detection failed with a German locale.
  • bpo-46513: configure no longer uses ACCCHARUNSIGNED macro and pyconfig.h no longer defines reserved symbol CHARUNSIGNED.
  • bpo-45925: Update Windows installer to use SQLite 3.37.2.
  • bpo-45296: Clarify close, quit, and exit in IDLE. In the File menu, 'Close' and 'Exit' are now 'Close Window' (the current one) and 'Exit' is now 'Exit IDLE' (by closing all windows). In Shell, 'quit()' and 'exit()' mean 'close Shell'. If there are no other windows, this also exits IDLE.
  • bpo-45447: Apply IDLE syntax highlighting to pyi files. Patch by Alex Waygood and Terry Jan Reedy.