Python 3.9.5

Include/patchlevel.h

@@ -18,12 +18,12 @@
 /*--start constants--*/
 #define PY_MAJOR_VERSION        3
 #define PY_MINOR_VERSION        9
-#define PY_MICRO_VERSION        4
+#define PY_MICRO_VERSION        5
 #define PY_RELEASE_LEVEL        PY_RELEASE_LEVEL_FINAL
 #define PY_RELEASE_SERIAL       0
 
 /* Version as a string */
-#define PY_VERSION              "3.9.4+"
+#define PY_VERSION              "3.9.5"
 /*--end constants--*/
 
 /* Version as a single 4-byte hex number, e.g. 0x010502B2 == 1.5.2b2.

Misc/NEWS.d/3.9.5.rst

+.. bpo: 43434
+.. date: 2021-05-02-17-50-23
+.. nonce: cy7xz6
+.. release date: 2021-05-03
+.. section: Security
+
+Creating a :class:`sqlite3.Connection` object now also produces a
+``sqlite3.connect`` :ref:`auditing event <auditing>`. Previously this event
+was only produced by :func:`sqlite3.connect` calls. Patch by Erlend E.
+Aasland.
+
+..
+
+.. bpo: 43882
+.. date: 2021-04-25-07-46-37
+.. nonce: Jpwx85
+.. section: Security
+
+The presence of newline or tab characters in parts of a URL could allow some
+forms of attacks.
+
+Following the controlling specification for URLs defined by WHATWG
+:func:`urllib.parse` now removes ASCII newlines and tabs from URLs,
+preventing such attacks.
+
+..
+
+.. bpo: 43472
+.. date: 2021-04-21-22-53-31
+.. nonce: gjLBTb
+.. section: Security
+
+Ensures interpreter-level audit hooks receive the
+``cpython.PyInterpreterState_New`` event when called through the
+``_xxsubinterpreters`` module.
+
+..
+
+.. bpo: 36384
+.. date: 2021-03-30-16-29-51
+.. nonce: sCAmLs
+.. section: Security
+
+:mod:`ipaddress` module no longer accepts any leading zeros in IPv4 address
+strings. Leading zeros are ambiguous and interpreted as octal notation by
+some libraries. For example the legacy function :func:`socket.inet_aton`
+treats leading zeros as octal notatation. glibc implementation of modern
+:func:`~socket.inet_pton` does not accept any leading zeros. For a while the
+:mod:`ipaddress` module used to accept ambiguous leading zeros.
+
+..
+
+.. bpo: 43075
+.. date: 2021-01-31-05-28-14
+.. nonce: DoAXqO
+.. section: Security
+
+Fix Regular Expression Denial of Service (ReDoS) vulnerability in
+:class:`urllib.request.AbstractBasicAuthHandler`.  The ReDoS-vulnerable
+regex has quadratic worst-case complexity and it allows cause a denial of
+service when identifying crafted invalid RFCs. This ReDoS issue is on the
+client side and needs remote attackers to control the HTTP server.
+
+..
+
+.. bpo: 42800
+.. date: 2021-01-09-17-07-36
+.. nonce: _dtZvW
+.. section: Security
+
+Audit hooks are now fired for frame.f_code, traceback.tb_frame, and
+generator code/frame attribute access.
+
+..
+
+.. bpo: 43105
+.. date: 2021-03-31-20-35-11
+.. nonce: PBVmHm
+.. section: Core and Builtins
+
+Importlib now resolves relative paths when creating module spec objects from
+file locations.
+
+..
+
+.. bpo: 42924
+.. date: 2021-01-13-14-06-01
+.. nonce: _WS1Ok
+.. section: Core and Builtins
+
+Fix ``bytearray`` repetition incorrectly copying data from the start of the
+buffer, even if the data is offset within the buffer (e.g. after reassigning
+a slice at the start of the ``bytearray`` to a shorter byte string).
+
+..
+
+.. bpo: 43993
+.. date: 2021-04-30-19-23-45
+.. nonce: T7_yoq
+.. section: Library
+
+Update bundled pip to 21.1.1.
+
+..
+
+.. bpo: 43937
+.. date: 2021-04-25-13-34-13
+.. nonce: isx95l
+.. section: Library
+
+Fixed the :mod:`turtle` module working with non-default root window.
+
+..
+
+.. bpo: 43930
+.. date: 2021-04-24-14-23-07
+.. nonce: R7ah0m
+.. section: Library
+
+Update bundled pip to 21.1 and setuptools to 56.0.0
+
+..
+
+.. bpo: 43920
+.. date: 2021-04-23-11-54-38
+.. nonce: cJMQ2D
+.. section: Library
+
+OpenSSL 3.0.0: :meth:`~ssl.SSLContext.load_verify_locations` now returns a
+consistent error message when cadata contains no valid certificate.
+
+..
+
+.. bpo: 43607
+.. date: 2021-04-22-22-39-58
+.. nonce: 7IYDkG
+.. section: Library
+
+:mod:`urllib` can now convert Windows paths with ``\\?\`` prefixes into URL
+paths.
+
+..
+
+.. bpo: 43284
+.. date: 2021-04-21-14-50-57
+.. nonce: 2QZn2T
+.. section: Library
+
+platform.win32_ver derives the windows version from
+sys.getwindowsversion().platform_version which in turn derives the version
+from kernel32.dll (which can be of a different version than Windows itself).
+Therefore change the platform.win32_ver to determine the version using the
+platform module's _syscmd_ver private function to return an accurate
+version.
+
+..
+
+.. bpo: 42248
+.. date: 2021-04-11-21-10-57
+.. nonce: pedB1E
+.. section: Library
+
+[Enum] ensure exceptions raised in ``_missing__`` are released
+
+..
+
+.. bpo: 43799
+.. date: 2021-04-10-11-35-50
+.. nonce: 1iV4pX
+.. section: Library
+
+OpenSSL 3.0.0: define ``OPENSSL_API_COMPAT`` 1.1.1 to suppress deprecation
+warnings. Python requires OpenSSL 1.1.1 APIs.
+
+..
+
+.. bpo: 43794
+.. date: 2021-04-09-16-14-22
+.. nonce: -1XPDH
+.. section: Library
+
+Add :data:`ssl.OP_IGNORE_UNEXPECTED_EOF` constants (OpenSSL 3.0.0)
+
+..
+
+.. bpo: 43789
+.. date: 2021-04-09-14-08-03
+.. nonce: eaHlAm
+.. section: Library
+
+OpenSSL 3.0.0: Don't call the password callback function a second time when
+first call has signaled an error condition.
+
+..
+
+.. bpo: 43788
+.. date: 2021-04-09-12-08-01
+.. nonce: YsvInM
+.. section: Library
+
+The header files for :mod:`ssl` error codes are now OpenSSL
+version-specific. Exceptions will now show correct reason and library codes.
+The ``make_ssl_data.py`` script has been rewritten to use OpenSSL's text
+file with error codes.
+
+..
+
+.. bpo: 43655
+.. date: 2021-04-04-20-51-19
+.. nonce: LwGy8R
+.. section: Library
+
+:mod:`tkinter` dialog windows are now recognized as dialogs by window
+managers on macOS and X Window.
+
+..
+
+.. bpo: 43534
+.. date: 2021-03-18-15-46-08
+.. nonce: vPE9Us
+.. section: Library
+
+:func:`turtle.textinput` and :func:`turtle.numinput` create now a transient
+window working on behalf of the canvas window.
+
+..
+
+.. bpo: 43522
+.. date: 2021-03-16-22-37-32
+.. nonce: dhNwOu
+.. section: Library
+
+Fix problem with :attr:`~ssl.SSLContext.hostname_checks_common_name`.
+OpenSSL does not copy hostflags from *struct SSL_CTX* to *struct SSL*.
+
+..
+
+.. bpo: 42967
+.. date: 2021-03-11-00-31-41
+.. nonce: 2PeQRw
+.. section: Library
+
+Allow :class:`bytes` ``separator`` argument in ``urllib.parse.parse_qs`` and
+``urllib.parse.parse_qsl`` when parsing :class:`str` query strings.
+Previously, this raised a ``TypeError``.
+
+..
+
+.. bpo: 43176
+.. date: 2021-02-09-07-24-29
+.. nonce: bocNQn
+.. section: Library
+
+Fixed processing of a dataclass that inherits from a frozen dataclass with
+no fields.  It is now correctly detected as an error.
+
+..
+
+.. bpo: 41735
+.. date: 2020-09-07-21-40-07
+.. nonce: NKqGKy
+.. section: Library
+
+Fix thread locks in zlib module may go wrong in rare case. Patch by Ma Lin.
+
+..
+
+.. bpo: 36470
+.. date: 2020-06-13-23-33-32
+.. nonce: oi6Kdb
+.. section: Library
+
+Fix dataclasses with ``InitVar``\s and :func:`~dataclasses.replace()`. Patch
+by Claudiu Popa.
+
+..
+
+.. bpo: 32745
+.. date: 2018-08-09-23-47-10
+.. nonce: iQi9hI
+.. section: Library
+
+Fix a regression in the handling of ctypes' :data:`ctypes.c_wchar_p` type:
+embedded null characters would cause a :exc:`ValueError` to be raised. Patch
+by Zackery Spytz.
+
+..
+
+.. bpo: 43959
+.. date: 2021-04-27-22-22-22
+.. nonce: n2261q
+.. section: Documentation
+
+The documentation on the PyContextVar C-API was clarified.
+
+..
+
+.. bpo: 43938
+.. date: 2021-04-25-22-44-27
+.. nonce: nC660q
+.. section: Documentation
+
+Update dataclasses documentation to express that FrozenInstanceError is
+derived from AttributeError.
+
+..
+
+.. bpo: 43755
+.. date: 2021-04-06-14-55-45
+.. nonce: 1m0fGq
+.. section: Documentation
+
+Update documentation to reflect that unparenthesized lambda expressions can
+no longer be the expression part in an ``if`` clause in comprehensions and
+generator expressions since Python 3.9.
+
+..
+
+.. bpo: 43739
+.. date: 2021-04-06-07-05-49
+.. nonce: L4HjiX
+.. section: Documentation
+
+Fixing the example code in Doc/extending/extending.rst to declare and
+initialize the pmodule variable to be of the right type.
+
+..
+
+.. bpo: 43961
+.. date: 2021-04-28-13-21-52
+.. nonce: gNchls
+.. section: Tests
+
+Fix test_logging.test_namer_rotator_inheritance() on Windows: use
+:func:`os.replace` rather than :func:`os.rename`. Patch by Victor Stinner.
+
+..
+
+.. bpo: 43842
+.. date: 2021-04-16-14-07-40
+.. nonce: w60GAH
+.. section: Tests
+
+Fix a race condition in the SMTP test of test_logging. Don't close a file
+descriptor (socket) from a different thread while asyncore.loop() is polling
+the file descriptor. Patch by Victor Stinner.
+
+..
+
+.. bpo: 43811
+.. date: 2021-04-12-11-14-28
+.. nonce: vGNbnD
+.. section: Tests
+
+Tests multiple OpenSSL versions on GitHub Actions. Use ccache to speed up
+testing.
+
+..
+
+.. bpo: 43791
+.. date: 2021-04-09-15-10-38
+.. nonce: 4KxiXK
+.. section: Tests
+
+OpenSSL 3.0.0: Disable testing of legacy protocols TLS 1.0 and 1.1. Tests
+are failing with TLSV1_ALERT_INTERNAL_ERROR.
+
+..
+
+.. bpo: 35306
+.. date: 2021-04-22-20-39-49
+.. nonce: F0Cg6X
+.. section: Windows
+
+Avoid raising errors from :meth:`pathlib.Path.exists()` when passed an
+invalid filename.
+
+..
+
+.. bpo: 38822
+.. date: 2021-04-22-19-49-20
+.. nonce: jgdPmq
+.. section: Windows
+
+Fixed :func:`os.stat` failing on inaccessible directories with a trailing
+slash, rather than falling back to the parent directory's metadata. This
+implicitly affected :func:`os.path.exists` and :func:`os.path.isdir`.
+
+..
+
+.. bpo: 26227
+.. date: 2021-04-21-23-37-34
+.. nonce: QMY_eA
+.. section: Windows
+
+Fixed decoding of host names in :func:`socket.gethostbyaddr` and
+:func:`socket.gethostbyname_ex`.
+
+..
+
+.. bpo: 40432
+.. date: 2021-04-20-23-07-22
+.. nonce: 9OFpoq
+.. section: Windows
+
+Updated pegen regeneration script on Windows to find and use Python 3.8 or
+higher.  Prior to this, pegen regeneration already required 3.8 or higher,
+but the script may have used lower versions of Python.
+
+..
+
+.. bpo: 43745
+.. date: 2021-04-06-12-27-33
+.. nonce: rdKNda
+.. section: Windows
+
+Actually updates Windows release to OpenSSL 1.1.1k. Earlier releases were
+mislabelled and actually included 1.1.1i again.
+
+..
+
+.. bpo: 43492
+.. date: 2021-03-15-11-34-33
+.. nonce: AsYnVX
+.. section: Windows
+
+Upgrade Windows installer to use SQLite 3.35.5.
+
+..
+
+.. bpo: 42119
+.. date: 2021-05-02-21-03-27
+.. nonce: Y7BSX_
+.. section: macOS
+
+Fix check for macOS SDK paths when building Python. Narrow search to match
+contents of SDKs, namely only files in ``/System/Library``,
+``/System/IOSSupport``, and ``/usr`` other than ``/usr/local``. Previously,
+anything under ``/System`` was assumed to be in an SDK which causes problems
+with the new file system layout in 10.15+ where user file systems may appear
+to be mounted under ``/System``.  Paths in ``/Library`` were also
+incorrectly treated as SDK locations.
+
+..
+
+.. bpo: 44009
+.. date: 2021-05-02-03-45-30
+.. nonce: uvhmlh
+.. section: macOS
+
+Provide "python3.x-intel64" executable to allow reliably forcing macOS
+universal2 framework builds to run under Rosetta 2 Intel-64 emulation on
+Apple Silicon Macs.  This can be useful for testing or when universal2
+wheels are not yet available.
+
+..
+
+.. bpo: 43492
+.. date: 2021-03-15-11-32-23
+.. nonce: 1ZRcV9
+.. section: macOS
+
+Update macOS installer to use SQLite 3.35.4.
+
+..
+
+.. bpo: 43655
+.. date: 2021-04-04-20-52-07
+.. nonce: HSyaKH
+.. section: IDLE
+
+IDLE dialog windows are now recognized as dialogs by window managers on
+macOS and X Window.

Misc/NEWS.d/next/Core and Builtins/2021-01-13-14-06-01.bpo-42924._WS1Ok.rst

-Fix ``bytearray`` repetition incorrectly copying data from the start of the buffer, even if the data is offset within the buffer (e.g. after reassigning a slice at the start of the ``bytearray`` to a shorter byte string).

Misc/NEWS.d/next/Core and Builtins/2021-03-31-20-35-11.bpo-43105.PBVmHm.rst

-Importlib now resolves relative paths when creating module spec objects from
-file locations.

Misc/NEWS.d/next/Documentation/2021-04-06-07-05-49.bpo-43739.L4HjiX.rst

-Fixing the example code in Doc/extending/extending.rst to declare and initialize the pmodule variable to be of the right type.
\ No newline at end of file

Misc/NEWS.d/next/Documentation/2021-04-06-14-55-45.bpo-43755.1m0fGq.rst

-Update documentation to reflect that unparenthesized lambda expressions can
-no longer be the expression part in an ``if`` clause in comprehensions and
-generator expressions since Python 3.9.

Misc/NEWS.d/next/Documentation/2021-04-25-22-44-27.bpo-43938.nC660q.rst

-Update dataclasses documentation to express that FrozenInstanceError is
-derived from AttributeError.

Misc/NEWS.d/next/Documentation/2021-04-27-22-22-22.bpo-43959.n2261q.rst

-The documentation on the PyContextVar C-API was clarified.

Misc/NEWS.d/next/IDLE/2021-04-04-20-52-07.bpo-43655.HSyaKH.rst

-IDLE dialog windows are now recognized as dialogs by window managers on
-macOS and X Window.

Misc/NEWS.d/next/Library/2018-08-09-23-47-10.bpo-32745.iQi9hI.rst

-Fix a regression in the handling of ctypes' :data:`ctypes.c_wchar_p` type:
-embedded null characters would cause a :exc:`ValueError` to be raised. Patch
-by Zackery Spytz.

Misc/NEWS.d/next/Library/2020-06-13-23-33-32.bpo-36470.oi6Kdb.rst

-Fix dataclasses with ``InitVar``\s and :func:`~dataclasses.replace()`. Patch
-by Claudiu Popa.

Misc/NEWS.d/next/Library/2020-09-07-21-40-07.bpo-41735.NKqGKy.rst

-Fix thread locks in zlib module may go wrong in rare case. Patch by Ma Lin.

Misc/NEWS.d/next/Library/2021-02-09-07-24-29.bpo-43176.bocNQn.rst

-Fixed processing of a dataclass that inherits from a frozen dataclass with no fields.  It is now correctly detected as an error.

Misc/NEWS.d/next/Library/2021-03-11-00-31-41.bpo-42967.2PeQRw.rst

-Allow :class:`bytes` ``separator`` argument in ``urllib.parse.parse_qs`` and
-``urllib.parse.parse_qsl`` when parsing :class:`str` query strings.  Previously,
-this raised a ``TypeError``.

Misc/NEWS.d/next/Library/2021-03-16-22-37-32.bpo-43522.dhNwOu.rst

-Fix problem with :attr:`~ssl.SSLContext.hostname_checks_common_name`. OpenSSL does not copy hostflags from *struct SSL_CTX* to *struct SSL*.

Misc/NEWS.d/next/Library/2021-03-18-15-46-08.bpo-43534.vPE9Us.rst

-:func:`turtle.textinput` and :func:`turtle.numinput` create now a transient
-window working on behalf of the canvas window.

Misc/NEWS.d/next/Library/2021-04-04-20-51-19.bpo-43655.LwGy8R.rst

-:mod:`tkinter` dialog windows are now recognized as dialogs by window
-managers on macOS and X Window.

Misc/NEWS.d/next/Library/2021-04-09-12-08-01.bpo-43788.YsvInM.rst

-The header files for :mod:`ssl` error codes are now OpenSSL
-version-specific. Exceptions will now show correct reason and library
-codes. The ``make_ssl_data.py`` script has been rewritten to use OpenSSL's
-text file with error codes.

Misc/NEWS.d/next/Library/2021-04-09-14-08-03.bpo-43789.eaHlAm.rst

-OpenSSL 3.0.0: Don't call the password callback function a second time when
-first call has signaled an error condition.