From: Antoine Pitrou Date: Fri, 27 Jan 2012 08:44:08 +0000 (+0100) Subject: Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV attack... X-Git-Tag: v2.7.3rc1~120 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=374b4ea9da3dfa92641fff91015246a5ef6b27fb;p=python Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV attack countermeasure. --- 374b4ea9da3dfa92641fff91015246a5ef6b27fb diff --cc Misc/NEWS index 188a09d306,92e8197691..7b3bebce36 --- a/Misc/NEWS +++ b/Misc/NEWS @@@ -9,609 -10,570 +9,612 @@@ What's New in Python 2.7.3 Core and Builtins ----------------- -Library -------- +- Issue #11235: Fix OverflowError when trying to import a source file whose + modification time doesn't fit in a 32-bit timestamp. -- Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC - IV attack countermeasure. +- Issue #11638: Unicode strings in 'name' and 'version' no longer cause + UnicodeDecodeErrors. +- Fix the fix for issue #12149: it was incorrect, although it had the side + effect of appearing to resolve the issue. Thanks to Mark Shannon for + noticing. -What's New in Python 2.6.7? -=========================== +- Issue #13546: Fixed an overflow issue that could crash the intepreter when + calling sys.setrecursionlimit((1<<31)-1). -*Release date: 2011-06-03* +- Issue #13333: The UTF-7 decoder now accepts lone surrogates (the encoder + already accepts them). -*NOTE: Python 2.6 is in security-fix-only mode. No non-security bug fixes are - allowed. Python 2.6.7 and beyond will be source only releases.* +- Issue #10519: Avoid unnecessary recursive function calls in + setobject.c. -* No changes since 2.6.7rc2. +- Issue #13268: Fix the assert statement when a tuple is passed as the message. +- Issue #13018: Fix reference leaks in error paths in dictobject.c. + Patch by Suman Saha. -What's New in Python 2.6.7 rc 2? 
-================================ +- Issue #12604: VTRACE macro expanded to no-op in _sre.c to avoid compiler + warnings. Patch by Josh Triplett and Petri Lehtinen. -*Release date: 2011-05-20* +- Issue #7833: Extension modules built using distutils on Windows will no + longer include a "manifest" to prevent them failing at import time in some + embedded situations. -*NOTE: Python 2.6 is in security-fix-only mode. No non-security bug fixes are - allowed. Python 2.6.7 and beyond will be source only releases.* +- Issue #13186: Fix __delitem__ on old-style instances when invoked through + PySequence_DelItem. +- Issue #13156: Revert the patch for issue #10517 (reset TLS upon fork()), + which was only relevant for the native pthread TLS implementation. -Library -------- +- Issue #7732: Fix a crash on importing a module if a directory has the same + name than a Python module (e.g. "__init__.py"): don't close the file twice. -- Issue #11662: Make urllib and urllib2 ignore redirections if the - scheme is not HTTP, HTTPS or FTP (CVE-2011-1521). +- Issue #12973: Fix overflow checks that invoked undefined behaviour in + int.__pow__. These overflow checks were causing int.__pow__ to produce + incorrect results with recent versions of Clang, as a result of the + compiler optimizing the check away. Also fix similar overflow checks + in list_repeat (listobject.c) and islice_next (itertoolsmodule.c). These + bugs caused test failures with recent versions of Clang. -- Issue #11442: Add a charset parameter to the Content-type in SimpleHTTPServer - to avoid XSS attacks. +- Issue #12266: Fix str.capitalize() to correctly uppercase/lowercase + titlecased and cased non-letter characters. +- Issues #12610 and #12609: Verify that user generated AST has correct string + and identifier types before compiling. -What's New in Python 2.6.7 rc 1? -================================ +- Issue #11627: Fix segfault when __new__ on a exception returns a + non-exception class. 
-*Release date: 2011-05-06* +- Issue #12149: Update the method cache after a type's dictionnary gets + cleared by the garbage collector. This fixes a segfault when an instance + and its type get caught in a reference cycle, and the instance's + deallocator calls one of the methods on the type (e.g. when subclassing + IOBase). Diagnosis and patch by Davide Rizzo. -Library -------- +- Issue #12501: Remove Py3k warning for callable. callable() is supported + again in Python 3.2. -- Issue #9129: smtpd.py is vulnerable to DoS attacks deriving from missing - error handling when accepting a new connection. +- Issue #9611, #9015: FileIO.read(), FileIO.readinto(), FileIO.write() and + os.write() clamp the length to INT_MAX on Windows. +- Issue #1195: my_fgets() now always clears errors before calling fgets(). Fix + the following case: sys.stdin.read() stopped with CTRL+d (end of file), + raw_input() interrupted by CTRL+c. -What's New in Python 2.6.6? -=========================== +- Issue #10860: httplib now correctly handles an empty port after port + delimiter in URLs. -*Release date: 2010-08-24* +- dict_proxy objects now display their contents rather than just the class + name. -* No changes since 2.6.6rc2. +Library +------- ++- Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC ++ IV attack countermeasure. + -What's New in Python 2.6.6 rc 2? -================================ +- Issue #6631: Disallow relative file paths in urllib urlopen methods. -*Release date: 2010-08-16* +- Issue #13781: Prevent gzip.GzipFile from using the dummy filename provided by + file objects opened with os.fdopen(). -Library -------- +- Issue #13589: Fix some serialization primitives in the aifc module. + Patch by Oleg Plakhotnyuk. -- Issue #9600: Don't use relative import for _multiprocessing on Windows. +- Issue #13803: Under Solaris, distutils doesn't include bitness + in the directory name. 
-- Issue #8688: Revert regression introduced in 2.6.6rc1 (making Distutils - recalculate MANIFEST every time). +- Issue #13642: Unquote before b64encoding user:password during Basic + Authentication. Patch contributed by Joonas Kuorilehto and Michele Orrù. -- Issue #5798: Handle select.poll flag oddities properly on OS X. - This fixes test_asynchat and test_smtplib failures on OS X. +- Issue #13636: Weak ciphers are now disabled by default in the ssl module + (except when SSLv2 is explicitly asked for). -- Issue #9543: Fix regression in socket.py introduced in Python 2.6.6 rc 1 - in r83624. +- Issue #12798: Updated the mimetypes documentation. -Extension Modules ------------------ +- Issue #13639: Accept unicode filenames in tarfile.open(mode="w|gz"). -- Issue #7567: Don't call `setupterm' twice. +- Issue #1785: Fix inspect and pydoc with misbehaving descriptors. -Tests ------ +- Issue #7502: Fix equality comparison for DocTestCase instances. Patch by + Cédric Krier. -- Issue #9568: Fix test_urllib2_localnet on OS X 10.3. +- Issue #11870: threading: Properly reinitialize threads internal locks and + condition variables to avoid deadlocks in child processes. -- Issue #9145: Fix test_coercion failure in refleak runs. +- Issue #8035: urllib: Fix a bug where the client could remain stuck after a + redirection or an error. -- Issue #8433: Fix test_curses failure caused by newer versions of - ncurses returning ERR from getmouse() when there are no mouse - events available. +- Issue #4625: If IDLE cannot write to its recent file or breakpoint + files, display a message popup and continue rather than crash. + (original patch by Roger Serwy) +- tarfile.py: Correctly detect bzip2 compressed streams with blocksizes + other than 900k. -What's New in Python 2.6.6 rc 1? -================================ +- Issue #13573: The csv.writer now uses the repr() for floats rather than str(). + This allows floats to round-trip without loss of precision. 
-*Release date: 2010-08-03* +- Issue #13439: Fix many errors in turtle docstrings. -Core and Builtins ------------------ +- Issue #12856: Ensure child processes do not inherit the parent's random + seed for filename generation in the tempfile module. Patch by Brian + Harring. -- Issue #6213: Implement getstate() and setstate() methods of utf-8-sig and - utf-16 incremental encoders. +- Issue #13458: Fix a memory leak in the ssl module when decoding a + certificate with a subjectAltName. Patch by Robert Xiao. -- Issue #8271: during the decoding of an invalid UTF-8 byte sequence, only the - start byte and the continuation byte(s) are now considered invalid, instead - of the number of bytes specified by the start byte. - E.g.: '\xf1\x80AB'.decode('utf-8', 'replace') now returns u'\ufffdAB' and - replaces with U+FFFD only the start byte ('\xf1') and the continuation byte - ('\x80') even if '\xf1' is the start byte of a 4-bytes sequence. - Previous versions returned a single u'\ufffd'. +- Issue #13415: os.unsetenv() doesn't ignore errors anymore. -- Issue #9058: Remove assertions about INT_MAX in UnicodeDecodeError. +- Issue #13322: Fix BufferedWriter.write() to ensure that BlockingIOError is + raised when the wrapped raw file is non-blocking and the write would block. + Previous code assumed that the raw write() would raise BlockingIOError, but + RawIOBase.write() is defined to returned None when the call would block. + Patch by sbt. -- Issue #8941: decoding big endian UTF-32 data in UCS-2 builds could crash - the interpreter with characters outside the Basic Multilingual Plane - (higher than 0x10000). +- Issue #13358: HTMLParser now calls handle_data only once for each CDATA. -- Issue #8627: Remove bogus "Overriding __cmp__ blocks inheritance of - __hash__ in 3.x" warning. Also fix "XXX undetected error" that - arises from the "Overriding __eq__ blocks inheritance ..." warning - when turned into an exception: in this case the exception simply - gets ignored. 
+- Issue #4147: minidom's toprettyxml no longer adds whitespace around a text + node when it is the only child of an element. Initial patch by Dan + Kenigsberg. -- Issue #4108: In urllib.robotparser, if there are multiple 'User-agent: *' - entries, consider the first one. +- Issue #8793: Prevent IDLE crash when given strings with invalid hex escape + sequences. -- Issue #9354: Provide getsockopt() in asyncore's file_wrapper. +- Issues #1745761, #755670, #13357, #12629, #1200313: HTMLParser now correctly + handles non-valid attributes, including adjacent and unquoted attributes. -- In the unicode/str.format(), raise a ValueError when indexes to arguments are - too large. +- Issue #13193: Fix distutils.filelist.FileList under Windows. The + "recursive-include" directive now recognizes both legal path separators. -- Issue #3798: Write sys.exit() message to sys.stderr to use stderr encoding - and error handler, instead of writing to the C stderr file in utf-8 +- Issue #13373: multiprocessing.Queue.get() could sometimes block indefinitely + when called with a timeout. Patch by Arnaud Ysmal. -- Issue #7902: When using explicit relative import syntax, don't try - implicit relative import semantics. +- Issue #3067: Enhance the documentation and docstring of + locale.setlocale(). -- Issue #7079: Fix a possible crash when closing a file object while using - it from another thread. Patch by Daniel Stutzbach. +- Issue #13254: Fix Maildir initialization so that maildir contents + are read correctly. -- Issue #1533: fix inconsistency in range function argument - processing: any non-float non-integer argument is now converted to - an integer (if possible) using its __int__ method. Previously, only - small arguments were treated this way; larger arguments (those whose - __int__ was outside the range of a C long) would produce a TypeError. +- Issue #13140: Fix the daemon_threads attribute of ThreadingMixIn. 
-- Issue #8417: Raise an OverflowError when an integer larger than sys.maxsize - is passed to bytearray. +- Issue #2892: preserve iterparse events in case of SyntaxError. -- Issue #8329: Don't return the same lists from select.select when no fds are - changed. +- Issue #670664: Fix HTMLParser to correctly handle the content of + ```` and ````. -- Raise a TypeError when trying to delete a T_STRING_INPLACE struct member. +- Issue #10817: Fix urlretrieve function to raise ContentTooShortError even + when reporthook is None. Patch by Jyrki Pulliainen. -- Issue #1583863: An unicode subclass can now override the __unicode__ method. +- Issue #13296: Fix IDLE to clear compile __future__ flags on shell restart. + (Patch by Roger Serwy) -- Issue #7507: Quote "!" in pipes.quote(); it is special to some shells. +- Issue #7334: close source files on ElementTree.parse and iterparse. -- Issue #7544: Preallocate thread memory before creating the thread to avoid - a fatal error in low memory condition. +- Issue #13232: logging: Improved logging of exceptions in the presence of + multiple encodings. -- Issue #7820: The parser tokenizer restores all bytes in the right if - the BOM check fails. +- Issue #10332: multiprocessing: fix a race condition when a Pool is closed + before all tasks have completed. -- Issue #7072: isspace(0xa0) is true on Mac OS X +- Issue #1548891: The cStringIO.StringIO() constructor now encodes unicode + arguments with the system default encoding just like the write() method + does, instead of converting it to a raw buffer. This also fixes handling of + unicode input in the shlex module (#6988, #1170). -C-API ------ +- Issue #9168: now smtpd is able to bind privileged port. -- Issue #5753: A new C API function, :cfunc:`PySys_SetArgvEx`, allows - embedders of the interpreter to set sys.argv without also modifying - sys.path. This helps fix `CVE-2008-5983 - `_. +- Issue #12529: fix cgi.parse_header issue on strings with double-quotes and + semicolons together. 
Patch by Ben Darnell and Petri Lehtinen. -Library -------- +- Issue #6090: zipfile raises a ValueError when a document with a timestamp + earlier than 1980 is provided. Patch contributed by Petri Lehtinen. -- Issue #8447: Make distutils.sysconfig follow symlinks in the path to - the interpreter executable. This fixes a failure of test_httpservers - on OS X. +- Issue #13194: zlib.compressobj().copy() and zlib.decompressobj().copy() are + now available on Windows. -- Issue #7092: Fix the DeprecationWarnings emitted by the standard library - when using the -3 flag. Patch by Florent Xicluna. +- Issue #13114: Fix the distutils commands check and register when the + long description is a Unicode string with non-ASCII characters. -- Issue #7395: Fix tracebacks in pstats interactive browser. +- Issue #7367: Fix pkgutil.walk_paths to skip directories whose + contents cannot be read. -- Issue #1713: Fix os.path.ismount(), which returned true for symbolic links - across devices. +- Issue #7425: Prevent pydoc -k failures due to module import errors. + (Backport to 2.7 of existing 3.x fix) -- Issue #8826: Properly load old-style "expires" attribute in http.cookies. +- Issue #13099: Fix sqlite3.Cursor.lastrowid under a Turkish locale. + Reported and diagnosed by Thomas Kluyver. -- Issue #1690103: Fix initial namespace for code run with trace.main(). +- Issue #7689: Allow pickling of dynamically created classes when their + metaclass is registered with copy_reg. Patch by Nicolas M. Thiéry and + Craig Citro. -- Issue #5294: Fix the behavior of pdb's "continue" command when called - in the top-level debugged frame. +- Issue #13058: ossaudiodev: fix a file descriptor leak on error. Patch by + Thomas Jarosch. -- Issue #5727: Restore the ability to use readline when calling into pdb - in doctests. +- Issue #12931: xmlrpclib now encodes Unicode URI to ISO-8859-1, instead of + failing with a UnicodeDecodeError. 
-- Issue #6719: In pdb, do not stop somewhere in the encodings machinery - if the source file to be debugged is in a non-builtin encoding. +- Issue #8933: distutils' PKG-INFO files will now correctly report + Metadata-Version: 1.1 instead of 1.0 if a Classifier or Download-URL field is + present. -- Issue #8048: Prevent doctests from failing when sys.displayhook has - been reassigned. +- Issue #8286: The distutils command sdist will print a warning message instead + of crashing when an invalid path is given in the manifest template. -- Issue #8015: In pdb, do not crash when an empty line is entered as - a breakpoint command. +- Issue #12841: tarfile unnecessarily checked the existence of numerical user + and group ids on extraction. If one of them did not exist the respective id + of the current user (i.e. root) was used for the file and ownership + information was lost. -- Issue #7909: Do not touch paths with the special prefixes ``\\.\`` - or ``\\?\`` in ntpath.normpath(). +- Issue #10946: The distutils commands bdist_dumb, bdist_wininst and bdist_msi + now respect a --skip-build option given to bdist. -- Issue #5146: Handle UID THREAD command correctly in imaplib. +- Issue #12287: Fix a stack corruption in ossaudiodev module when the FD is + greater than FD_SETSIZE. -- Issue #5147: Fix the header generated for cookie files written by - http.cookiejar.MozillaCookieJar. +- Issue #12839: Fix crash in zlib module due to version mismatch. + Fix by Richard M. Tew. -- Issue #8198: In pydoc, output all help text to the correct stream - when sys.stdout is reassigned. +- Issue #12786: Set communication pipes used by subprocess.Popen CLOEXEC to + avoid them being inherited by other subprocesses. -- Issue #1019882: Fix IndexError when loading certain hotshot stats. +- Issue #4106: Fix occasional exceptions printed out by multiprocessing on + interpreter shutdown. 
-- Issue #8471: In doctest, properly reset the output stream to an empty - string when Unicode was previously output. +- Issue #11657: Fix sending file descriptors over 255 over a multiprocessing + Pipe. -- Issue #8397: Raise an error when attempting to mix iteration and regular - reads on a BZ2File object, rather than returning incorrect results. +- Issue #12213: Fix a buffering bug with interleaved reads and writes that + could appear on io.BufferedRandom streams. -- Issue #8620: when a Cmd is fed input that reaches EOF without a final - newline, it no longer truncates the last character of the last command line. +- Issue #12326: sys.platform is now always 'linux2' on Linux, even if Python + is compiled on Linux 3. -- Issue #7066: archive_util.make_archive now restores the cwd if an error is - raised. Initial patch by Ezio Melotti. +- Issue #13007: whichdb should recognize gdbm 1.9 magic numbers. -- Issue #5006: Better handling of unicode byte-order marks (BOM) in the io - library. This means, for example, that opening an UTF-16 text file in append - mode doesn't add a BOM at the end of the file if the file isn't empty. +- Issue #9173: Let shutil._make_archive work if the logger argument is None. -- Issue #3704: cookielib was not properly handling URLs with a / in the - parameters. +- Issue #12650: Fix a race condition where a subprocess.Popen could leak + resources (FD/zombie) when killed at the wrong time. -- Issue #4629: getopt raises an error if an argument ends with = whereas getopt - doesn't except a value (eg. --help= is rejected if getopt uses ['help='] long - options). +- Issue #12752: Fix regression which prevented locale.normalize() from + accepting unicode strings. -- Issue #7895: platform.mac_ver() no longer crashes after calling os.fork() +- Issue #12683: urlparse updated to include svn as schemes that uses relative + paths. (svn from 1.5 onwards support relative path). 
-- Issue #5395: array.fromfile() would raise a spurious EOFError when an - I/O error occurred. Now an IOError is raised instead. Patch by chuck - (Jan Hosang). +- Issue #11933: Fix incorrect mtime comparison in distutils. -- Issue #1555570: email no longer inserts extra blank lines when a \r\n - combo crosses an 8192 byte boundary. +- Issues #11104, #8688: Fix the behavior of distutils' sdist command with + manually-maintained MANIFEST files. -- Issue #9164: Ensure sysconfig handles dupblice archs while building on OSX +- Issue #8887: "pydoc somebuiltin.somemethod" (or help('somebuiltin.somemethod') + in Python code) now finds the doc of the method. -- Issue #7646: The fnmatch pattern cache no longer grows without bound. +- Issue #12603: Fix pydoc.synopsis() on files with non-negative st_mtime. -- Issue #9136: Fix 'dictionary changed size during iteration' - RuntimeError produced when profiling the decimal module. This was - due to a dangerous iteration over 'locals()' in Context.__init__. +- Issue #12514: Use try/finally to assure the timeit module restores garbage + collections when it is done. -- Fix extreme speed issue in Decimal.pow when the base is an exact - power of 10 and the exponent is tiny (for example, - Decimal(10) ** Decimal('1e-999999999')). +- Issue #12607: In subprocess, fix issue where if stdin, stdout or stderr is + given as a low fd, it gets overwritten. -- Issue #9130: Fix validation of relative imports in parser module. +- Issue #12102: Document that buffered files must be flushed before being used + with mmap. Patch by Steffen Daode Nurpmeso. -- Issue #9128: Fix validation of class decorators in parser module. +- Issue #12560: Build libpython.so on OpenBSD. Patch by Stefan Sperling. -- Issue #7673: Fix security vulnerability (CVE-2010-2089) in the audioop - module, ensure that the input string length is a multiple of the frame size +- Issue #1813: Fix codec lookup and setting/getting locales under Turkish + locales. 
-- Issue #6589: cleanup asyncore.socket_map in case smtpd.SMTPServer constructor - raises an exception. +- Issue #10883: Fix socket leaks in urllib when using FTP. -- Issue #9125: Add recognition of 'except ... as ...' syntax to parser module. +- Issue #12592: Make Python build on OpenBSD 5 (and future major releases). -- Issue #9085: email package version number bumped to its correct - value of 4.0.2 (same as it was in 2.5). +- Issue #12372: POSIX semaphores are broken on AIX: don't use them. -- Issue #9075: In the ssl module, remove the setting of a ``debug`` flag - on an OpenSSL structure. +- Issue #12571: Add a plat-linux3 directory mirroring the plat-linux2 + directory, so that "import DLFCN" and other similar imports work on + Linux 3.0. -- Issue #5610: feedparser no longer eats extra characters at the end of - a body part if the body part ends with a \r\n. +- Issue #7484: smtplib no longer puts <> around addresses in VRFY and EXPN + commands; they aren't required and in fact postfix doesn't support that form. -- Issue #8924: logging: Improved error handling for Unicode in exception text. +- Issue #11603: Fix a crash when __str__ is rebound as __repr__. Patch by + Andreas Stührk. -- Fix codecs.escape_encode to return the correct consumed size. +- Issue #12502: asyncore: fix polling loop with AF_UNIX sockets. -- Issue #6470: Drop UNC prefix in FixTk. +- Issue #4376: ctypes now supports nested structures in a endian different than + the parent structure. Patch by Vlad Riscutia. -- Issue #8833: tarfile created hard link entries with a size field != 0 by - mistake. +- Issue #12493: subprocess: Popen.communicate() now also handles EINTR errors + if the process has only one pipe. -- Issue #1368247: set_charset (and therefore MIMEText) now automatically - encodes a unicode _payload to the output_charset. +- Issue #12467: warnings: fix a race condition if a warning is emitted at + shutdown, if globals()['__file__'] is None. 
-- Issue #7150: Raise OverflowError if the result of adding or subtracting - timedelta from date or datetime falls outside of the MINYEAR:MAXYEAR range. +- Issue #12352: Fix a deadlock in multiprocessing.Heap when a block is freed by + the garbage collector while the Heap lock is held. -- Issue #6662: Fix parsing of malformatted charref (&#bad;), patch written by - Fredrik Håård +- Issue #9516: On Mac OS X, change Distutils to no longer globally attempt to + check or set the MACOSX_DEPLOYMENT_TARGET environment variable for the + interpreter process. This could cause failures in non-Distutils subprocesses + and was unreliable since tests or user programs could modify the interpreter + environment after Distutils set it. Instead, have Distutils set the the + deployment target only in the environment of each build subprocess. It is + still possible to globally override the default by setting + MACOSX_DEPLOYMENT_TARGET before launching the interpreter; its value must be + greater or equal to the default value, the value with which the interpreter + was built. -- Issue #1628205: Socket file objects returned by socket.socket.makefile() now - properly handles EINTR within the read, readline, write & flush methods. - The socket.sendall() method now properly handles interrupted system calls. +- Issue #11802: The cache in filecmp now has a maximum size of 100 so that + it won't grow without bound. -- Issue #3924: Ignore cookies with invalid "version" field in cookielib. +- Issue #12404: Remove C89 incompatible code from mmap module. Patch by Akira + Kitada. -- Issue #6268: Fix seek() method of codecs.open(), don't read or write the BOM - twice after seek(0). Fix also reset() method of codecs, UTF-16, UTF-32 and - StreamWriter classes. +- Issue #11700: mailbox proxy object close methods can now be called multiple + times without error, and _ProxyFile now closes the wrapped file. 
-- Issue #5640: Fix Shift-JIS incremental encoder for error handlers different - than strict +- Issue #12133: AbstractHTTPHandler.do_open() of urllib.request closes the HTTP + connection if its getresponse() method fails with a socket error. Patch + written by Ezio Melotti. -- Issue #8782: Add a trailing newline in linecache.updatecache to the last line - of files without one. +- Issue #9284: Allow inspect.findsource() to find the source of doctest + functions. -- Issue #8729: Return NotImplemented from collections.Mapping.__eq__ when - comparing to a non-mapping. +- Issue #10694: zipfile now ignores garbage at the end of a zipfile. -- Issue #5918: Fix a crash in the parser module. +- Issue #11583: Speed up os.path.isdir on Windows by using GetFileAttributes + instead of os.stat. -- Issue #8688: Distutils now recalculates MANIFEST everytime. +- Issue #12080: Fix a performance issue in Decimal._power_exact that caused + some corner-case Decimal.__pow__ calls to take an unreasonably long time. -- Issue #7640: In the new `io` module, fix relative seek() for buffered - readable streams when the internal buffer isn't empty. Patch by Pascal - Chambon. +- Named tuples now work correctly with vars(). -- Issue #5099: subprocess.Popen.__del__ no longer references global objects, - leading to issues during interpreter shutdown. +- sys.setcheckinterval() now updates the current ticker count as well as + updating the check interval, so if the user decreases the check interval, + the ticker doesn't have to wind down to zero from the old starting point + before the new interval takes effect. And if the user increases the + interval, it makes sure the new limit takes effect right away rather have an + early task switch before recognizing the new interval. -- Issue #8681: Make the zlib module's error messages more informative when - the zlib itself doesn't give any detailed explanation. 
+- Issue #12085: Fix an attribute error in subprocess.Popen destructor if the + constructor has failed, e.g. because of an undeclared keyword argument. Patch + written by Oleg Oshmyan. -- Issue #8674: Fixed a number of incorrect or undefined-behaviour-inducing - overflow checks in the audioop module. +Extension Modules +----------------- -- Issue #8571: Fix an internal error when compressing or decompressing a - chunk larger than 1GB with the zlib module's compressor and decompressor - objects. +- bsddb module: Erratic behaviour of "DBEnv->rep_elect()" because a typo. + Possible crash. -- Issue #8573: asyncore _strerror() function might throw ValueError. +- Issue #13774: json: Fix a SystemError when a bogus encoding is passed to + json.loads(). -- Issue #8483: asyncore.dispatcher's __getattr__ method produced confusing - error messages when accessing undefined class attributes because of the cheap - inheritance with the underlying socket object. +- Issue #9975: socket: Fix incorrect use of flowinfo and scope_id. Patch by + Vilmos Nebehaj. -- Issue #4265: shutil.copyfile() was leaking file descriptors when disk fills. - Patch by Tres Seaver. +- Issue #13159: FileIO, BZ2File, and the built-in file class now use a + linear-time buffer growth strategy instead of a quadratic one. -- Issue #8621: uuid.uuid4() returned the same sequence of values in the - parent and any children created using ``os.fork`` on MacOS X 10.6. +- Issue #13070: Fix a crash when a TextIOWrapper caught in a reference cycle + would be finalized after the reference to its underlying BufferedRWPair's + writer got cleared by the GC. -- Issue #8313: traceback.format_exception_only() encodes unicode message to - ASCII with backslashreplace error handler if str(value) failed +- Issue #12881: ctypes: Fix segfault with large structure field names. 
-- Issue #8567: Fix precedence of signals in Decimal module: when a - Decimal operation raises multiple signals and more than one of those - signals is trapped, the specification determines the order in which - the signals should be handled. In many cases this order wasn't - being followed, leading to the wrong Python exception being raised. +- Issue #13013: ctypes: Fix a reference leak in PyCArrayType_from_ctype. + Thanks to Suman Saha for finding the bug and providing a patch. -- Issue #7865: The close() method of :mod:`io` objects should not swallow - exceptions raised by the implicit flush(). Also ensure that calling - close() several times is supported. Initial patch by Pascal Chambon. +- Issue #13022: Fix: _multiprocessing.recvfd() doesn't check that + file descriptor was actually received. -- Issue #8581: logging: removed errors raised when closing handlers twice. +- Issue #12483: ctypes: Fix a crash when the destruction of a callback + object triggers the garbage collector. -- Issue #4687: Fix accuracy of garbage collection runtimes displayed with - gc.DEBUG_STATS. +- Issue #12950: Fix passing file descriptors in multiprocessing, under + OpenIndiana/Illumos. -- Issue #8354: The siginterrupt setting is now preserved for all signals, - not just SIGCHLD. +- Issue #12764: Fix a crash in ctypes when the name of a Structure field is not + a string. -- Issue #8577: distutils.sysconfig.get_python_inc() now makes a difference - between the build dir and the source dir when looking for "python.h" or - "Include". +- Issue #9651: Fix a crash when ctypes.create_string_buffer(0) was passed to + some functions like file.write(). -- Issue #8464: tarfile no longer creates files with execute permissions set - when mode="w|" is used. +- Issue #10309: Define _GNU_SOURCE so that mremap() gets the proper + signature. Without this, architectures where sizeof void* != sizeof int are + broken. Patch given by Hallvard B Furuseth. 
-- Issue #7834: Fix connect() of Bluetooth L2CAP sockets with recent versions - of the Linux kernel. Patch by Yaniv Aknin. +Build +----- -- Issue #6312: Fixed http HEAD request when the transfer encoding is chunked. - It should correctly return an empty response now. +- Issue #8746: Correct faulty configure checks so that os.chflags() and + os.lchflags() are once again built on systems that support these + functions (*BSD and OS X). Also add new stat file flags for OS X + (UF_HIDDEN and UF_COMPRESSED). -- Issue #8086: In :func:`ssl.DER_cert_to_PEM_cert()`, fix missing newline - before the certificate footer. Patch by Kyle VanderBeek. +Tools/Demos +----------- -- Issue #8549: Fix compiling the _ssl extension under AIX. Patch by - Sridhar Ratnakumar. +- Issue #10639: reindent.py no longer converts newlines and will raise + an error if attempting to convert a file with mixed newlines. -- Issue #2302: Fix a race condition in SocketServer.BaseServer.shutdown, - where the method could block indefinitely if called just before the - event loop started running. This also fixes the occasional freezes - witnessed in test_httpservers. +Tools/Demos +----------- -- Issue #5103: SSL handshake would ignore the socket timeout and block - indefinitely if the other end didn't respond. +- Issue #13628: python-gdb.py is now able to retrieve more frames in the Python + traceback if Python is optimized. -- The do_handshake() method of SSL objects now adjusts the blocking mode of - the SSL structure if necessary (as other methods already do). +Tests +----- -- Issue #5238: Calling makefile() on an SSL object would prevent the - underlying socket from being closed until all objects get truely destroyed. +- Issue #13304: Skip test case if user site-packages disabled (-s or + PYTHONNOUSERSITE). (Patch by Carl Meyer) -- Issue #7943: Fix circular reference created when instantiating an SSL - socket. Initial patch by Péter Szabó. +- Issue #13218: Fix test_ssl failures on Debian/Ubuntu. 
-- Issue #8108: Fix the unwrap() method of SSL objects when the socket has - a non-infinite timeout. Also make that method friendlier with applications - wanting to continue using the socket in clear-text mode, by disabling - OpenSSL's internal readahead. Thanks to Darryl Miles for guidance. +- Issue #12821: Fix test_fcntl failures on OpenBSD 5. -- Issue #8484: Load all ciphers and digest algorithms when initializing - the _ssl extension, such that verification of some SSL certificates - doesn't fail because of an "unknown algorithm". +- Issue #12331: The test suite for lib2to3 can now run from an installed + Python. -- Issue #4814: timeout parameter is now applied also for connections resulting - from PORT/EPRT commands. +- Issue #12549: Correct test_platform to not fail when OS X returns 'x86_64' + as the processor type on some Mac systems. -- Issue #3817: ftplib.FTP.abort() method now considers 225 a valid response - code as stated in RFC-959 at chapter 5.4. +- Skip network tests when getaddrinfo() returns EAI_AGAIN, meaning a temporary + failure in name resolution. -- Issue #5277: Fix quote counting when parsing RFC 2231 encoded parameters. +- Issue #11812: Solve transient socket failure to connect to 'localhost' + in test_telnetlib.py. -- Issue #8179: Fix macpath.realpath() on a non-existing path. +- Solved a potential deadlock in test_telnetlib.py. Related to issue #11812. -- Issue #8310: Allow dis to examine new style classes. +- Avoid failing in test_robotparser when mueblesmoraleda.com is flaky and + an overzealous DNS service (e.g. OpenDNS) redirects to a placeholder + Web site. -- Issue #7667: Fix doctest failures with non-ASCII paths. +- Avoid failing in test_urllibnet.test_bad_address when some overzealous + DNS service (e.g. OpenDNS) resolves a non-existent domain name. The test + is now skipped instead. -- Issue #7624: Fix isinstance(foo(), collections.Callable) for old-style - classes. 
+- Issue #8716: Avoid crashes caused by Aqua Tk on OSX when attempting to run + test_tk or test_ttk_guionly under a username that is not currently logged + in to the console windowserver (as may be the case under buildbot or ssh). -- Issue #7512: shutil.copystat() could raise an OSError when the filesystem - didn't support chflags() (for example ZFS under FreeBSD). The error is - now silenced. +- Issue #12141: Install a copy of template C module file so that + test_build_ext of test_distutils is no longer silently skipped when + run outside of a build directory. -- Issue #3890, #8222: Fix recv() and recv_into() on non-blocking SSL sockets. - Also, enable the SSL_MODE_AUTO_RETRY flag on SSL sockets, so that blocking - reads and writes are always retried by OpenSSL itself. +- Issue #8746: Add additional tests for os.chflags() and os.lchflags(). + Patch by Garrett Cooper. -- Issue #6544: fix a reference leak in the kqueue implementation's error - handling. +- Issue #10736: Fix test_ttk test_widgets failures with Cocoa Tk 8.5.9 + on Mac OS X. (Patch by Ronald Oussoren) -- Issue #7774: Set sys.executable to an empty string if argv[0] has been - set to an non existent program name and Python is unable to retrieve the real - program name +- Issue #12057: Add tests for ISO 2022 codecs (iso2022_jp, iso2022_jp_2, + iso2022_kr). -- Issue #6906: Tk should not set Unicode environment variables on Windows. +Documentation +------------- -- Issue #1054943: Fix unicodedata.normalize('NFC', text) for the Public Review - Issue #29 +- Issue #13883: PYTHONCASEOK also works on OS X, OS/2, and RiscOS. -- Issue #7494: fix a crash in _lsprof (cProfile) after clearing the profiler, - reset also the pointer to the current pointer context. +- Issue #2134: The tokenize documentation has been clarified to explain why + all operator and delimiter tokens are treated as token.OP tokens. -- Issue #4961: Inconsistent/wrong result of askyesno function in tkMessageBox - with Tcl/Tk-8.5. 
+- Issue #13513: Fix io.IOBase documentation to correctly link to the + io.IOBase.readline method instead of the readline module. -- Issue #7356: ctypes.util: Make parsing of ldconfig output independent of - the locale. +- Issue #13237: Reorganise subprocess documentation to emphasise convenience + functions and the most commonly needed arguments to Popen. -Extension Modules ------------------ +- Issue #13141: Demonstrate recommended style for SocketServer examples. -- Fix memory leak in ssl._ssl._test_decode_cert. -- Issue #9422: Fix memory leak when re-initializing a struct.Struct object. +What's New in Python 2.7.2? +=========================== -- Issue #7900: The getgroups(2) system call on MacOSX behaves rather oddly - compared to other unix systems. In particular, os.getgroups() does - not reflect any changes made using os.setgroups() but basicly always - returns the same information as the id command. +*Release date: 2011-06-11* - os.getgroups() can now return more than 16 groups on MacOSX. +Library +------- -- Issue #9277: Fix bug in struct.pack for bools in standard mode - (e.g., struct.pack('>?')): if conversion to bool raised an exception - then that exception wasn't properly propagated on machines where - char is unsigned. +- Issue #12009: Fixed regression in netrc file comment handling. -- Issue #7384: If the system readline library is linked against - ncurses, do not link the readline module against ncursesw. The - additional restriction of linking the readline and curses modules - against the same curses library is currently not enabled. +Extension Modules +----------------- -- Issue #2810: Fix cases where the Windows registry API returns - ERROR_MORE_DATA, requiring a re-try in order to get the complete result. +- Issue #1221: Make pyexpat.__version__ equal to the Python version. -Build ------ -- Issue #8854: Fix finding Visual Studio 2008 on Windows x64. +What's New in Python 2.7.2 release candidate 1? 
+=============================================== -- Issue #3928: os.mknod() now available in Solaris, also. +*Release date: 2011-05-29* -- Issue #8175: --with-universal-archs=all works correctly on OSX 10.5 +Core and Builtins +----------------- -- Issue #6716: Quote -x arguments of compileall in MSI installer. +- Issue #9670: Increase the default stack size for secondary threads on + Mac OS X and FreeBSD to reduce the chances of a crash instead of a + "maximum recursion depth" RuntimeError exception. + (patch by Ronald Oussoren) -- Issue #1628484: The Makefile doesn't ignore the CFLAGS environment - variable anymore. It also forwards the LDFLAGS settings to the linker - when building a shared library. +- Correct lookup of __dir__ on objects. This allows old-style classes to have + __dir__. It also causes errors besides AttributeError found on lookup to be + propagated. -Tests ------ +- Issue #1195: Fix input() if it is interrupted by CTRL+d and then CTRL+c, + clear the end-of-file indicator after CTRL+d. -- Issue #7849: Now the utility ``check_warnings`` verifies if the warnings are - effectively raised. A new private utility ``_check_py3k_warnings`` has been - backported to help silencing py3k warnings. +- Issue #8651: PyArg_Parse*() functions raise an OverflowError if the file + doesn't have PY_SSIZE_T_CLEAN define and the size doesn't fit in an int + (length bigger than 2^31-1 bytes). -- Issue #8672: Add a zlib test ensuring that an incomplete stream can be - handled by a decompressor object without errors (it returns incomplete - uncompressed data). +- Issue #8651: Fix "z#" format of PyArg_Parse*() function: the size was not + written if PY_SSIZE_T_CLEAN is defined. -- Issue #8629: Disable some test_ssl tests, since they give different - results with OpenSSL 1.0.0 and higher. +- Issue #9756: When calling a method descriptor or a slot wrapper descriptor, + the check of the object type doesn't read the __class__ attribute anymore. 
+ Fix a crash if a class override its __class__ attribute (e.g. a proxy of the + str type). Patch written by Andreas Stührk. -- Issue #8576: Remove use of find_unused_port() in test_smtplib and - test_multiprocessing. Patch by Paul Moore. +- Issue #10517: After fork(), reinitialize the TLS used by the PyGILState_* + APIs, to avoid a crash with the pthread implementation in RHEL 5. Patch + by Charles-François Natali. -- Issue #7027: regrtest.py keeps a reference to the encodings.ascii module as a - workaround to #7140 bug +- Issue #6780: fix starts/endswith error message to mention that tuples are + accepted too. -- Issue #3864: Skip three test_signal tests on freebsd6 because they fail - if any thread was previously started, most likely due to a platform bug. +- Issue #5057: fix a bug in the peepholer that led to non-portable pyc files + between narrow and wide builds while optimizing BINARY_SUBSCR on non-BMP + chars (e.g. u"\U00012345"[0]). -- Issue #8193: Fix test_zlib failure with zlib 1.2.4. +- Issue #11650: PyOS_StdioReadline() retries fgets() if it was interrupted + (EINTR), for example if the program is stopped with CTRL+z on Mac OS X. Patch + written by Charles-Francois Natali. -Documentation -------------- +- Issue #11144: Ensure that int(a_float) returns an int whenever possible. + Previously, there were some corner cases where a long was returned even + though the result was within the range of an int. -- Issue #9255: Document that the 'test' package is for internal Python use - only. +- Issue #11450: Don't truncate hg version info in Py_GetBuildInfo() when + there are many tags (e.g. when using mq). Patch by Nadeem Vawda. -- Issue #8909: Added the size of the bitmap used in the installer created by - distutils' bdist_wininst. Patch by Anatoly Techtonik. +- Issue #10451: memoryview objects could allow to mutate a readable buffer. + Initial patch by Ross Lagerwall. +- Issue #10892: Don't segfault when trying to delete __abstractmethods__ from a + class. 
-What's New in Python 2.6.5? -=========================== +- Issue #8020: Avoid a crash where the small objects allocator would read + non-Python managed memory while it is being modified by another thread. + Patch by Matt Bandy. -*Release date: 2010-03-18* +- Issue #11004: Repaired edge case in deque.count(). +- Issue #8278: On Windows and with a NTFS filesystem, os.stat() and os.utime() + can now handle dates after 2038. -What's New in Python 2.6.5 rc 2? -================================ +- Issue #4236: Py_InitModule4 now checks the import machinery directly + rather than the Py_IsInitialized flag, avoiding a Fatal Python + error in certain circumstances when an import is done in __del__. -*Release date: 2010-03-09* +- issue #11828: startswith and endswith don't accept None as slice index. + Patch by Torsten Becker. -Core and Builtins ------------------ +- Issue #10674: Remove unused 'dictmaker' rule from grammar. -- Issue #8089: a OS X framework build with --with-universal-archs=3-way|intel - had no way to select a 32-bit executable. +- Issue #10596: Fix float.__mod__ to have the same behaviour as + float.__divmod__ with respect to signed zeros. -4.0 % 4.0 should be + 0.0, not -0.0. -- Issue #8084: fixes build issues on OSX 10.6 when targetting OSX 10.4. +- Issue #11386: bytearray.pop() now throws IndexError when the bytearray is + empty, instead of OverflowError. Library -------
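Review bot: the added 2.7.3 text carries two consecutive "Tools/Demos" headings, one above the Issue #10639 (reindent.py) entry and a second directly above the Issue #13628 (python-gdb.py) entry, with only that one entry between them. Fold both entries under a single "Tools/Demos" heading so the section is not split in the merged NEWS file. Two smaller points on added lines in the 2.7.2 rc1 "Core and Builtins" block: the entry for #11828 starts with lowercase "issue" while every other entry uses "Issue", and the #9756 entry reads "if a class override its __class__ attribute", which should be "overrides".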