- Oct 11, 2022
-
- Oct 04, 2022
-
-
Miss Islington (bot) authored
[3.8] gh-95778: Mention sys.set_int_max_str_digits() in error message (GH-96874) (GH-96877) (GH-97835) [3.9] gh-95778: Mention sys.set_int_max_str_digits() in error message (GH-96874) (GH-96877) When ValueError is raised if an integer is larger than the limit, mention sys.set_int_max_str_digits() in the error message. (cherry picked from commit e841ffc9) Co-authored-by:
Ned Deily <nad@python.org> (cherry picked from commit 41188134) Co-authored-by:
Victor Stinner <vstinner@python.org>
-
Miss Islington (bot) authored
Fix command line parsing: reject "-X int_max_str_digits" option with no value (invalid) when the PYTHONINTMAXSTRDIGITS environment variable is set to a valid limit. (cherry picked from commit 41351662) Co-authored-by:
Victor Stinner <vstinner@python.org>
-
Miss Islington (bot) authored
gh-96577: Fixes buffer overrun in _msi module (GH-96633) (cherry picked from commit 4114bcc9) Co-authored-by:
Steve Dower <steve.dower@python.org>
-
Miss Islington (bot) authored
gh-97005: Update libexpat from 2.4.7 to 2.4.9 (gh-97006) Co-authored-by:
Gregory P. Smith [Google] <greg@krypto.org> (cherry picked from commit 10e3d398) Co-authored-by:
Dong-hee Na <donghee.na@python.org>
-
Miss Islington (bot) authored
gh-97616: list_resize() checks for integer overflow (GH-97617) Fix multiplying a list by an integer (list *= int): detect the integer overflow when the new allocated length is close to the maximum size. Issue reported by Jordan Limor. list_resize() now checks for integer overflow before multiplying the new allocated length by the list item size (sizeof(PyObject*)). (cherry picked from commit a5f092f3) Co-authored-by:
Victor Stinner <vstinner@python.org>
-
Miss Islington (bot) authored
Fix a shell code injection vulnerability in the get-remote-certificate.py example script. The script no longer uses a shell to run "openssl" commands. Issue reported and initial fix by Caleb Shortt. Remove the Windows code path to send "quit" on stdin to the "openssl s_client" command: use DEVNULL on all platforms instead. Co-authored-by:
Caleb Shortt <caleb@rgauge.com> (cherry picked from commit 83a0f44f) Co-authored-by:
Victor Stinner <vstinner@python.org>
-
- Sep 11, 2022
-
-
Ned Deily authored
Co-authored-by:
roy reznik <royreznik@gmail.com> Co-authored-by:
Inada Naoki <songofacandy@gmail.com> Co-authored-by:
Ezio Melotti <ezio.melotti@gmail.com>
-
- Sep 06, 2022
-
-
Łukasz Langa authored
-
- Sep 05, 2022
-
-
Gregory P. Smith authored
* Correctly pre-check for int-to-str conversion

Converting a large enough `int` to a decimal string raises `ValueError` as expected. However, the raise comes _after_ the quadratic-time base-conversion algorithm has run to completion. For effective DOS prevention, we need some kind of check before entering the quadratic-time loop. Oops! =)

The quick fix: essentially we catch _most_ values that exceed the threshold up front. Those that slip through will still be on the small side (read: sufficiently fast), and will get caught by the existing check so that the limit remains exact.

The justification for the current check. The C code check is:

```c
max_str_digits / (3 * PyLong_SHIFT) <= (size_a - 11) / 10
```

In GitHub markdown math-speak, writing $M$ for `max_str_digits`, $L$ for `PyLong_SHIFT` and $s$ for `size_a`, that check is:

$$\left\lfloor\frac{M}{3L}\right\rfloor \le \left\lfloor\frac{s - 11}{10}\right\rfloor$$

From this it follows that

$$\frac{M}{3L} < \frac{s-1}{10}$$

hence that

$$\frac{L(s-1)}{M} > \frac{10}{3} > \log_2(10).$$

So

$$2^{L(s-1)} > 10^M.$$

But our input integer $a$ satisfies $|a| \ge 2^{L(s-1)}$, so $|a|$ is larger than $10^M$. This shows that we don't accidentally capture anything _below_ the intended limit in the check.

* Issue: gh-95778

Co-authored-by:
Gregory P. Smith [Google LLC] <greg@krypto.org> Co-authored-by:
Christian Heimes <christian@python.org> Co-authored-by:
Mark Dickinson <dickinsm@gmail.com>
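
The pre-check from the commit message above, modelled with Python integers to confirm the derivation and to show which values are left to the exact check. This is an added example, not code from CPython or from the commit; the function names, the 30-bit `PYLONG_SHIFT` and the sample limit of 4300 are assumptions.

```python
# Added illustration (not CPython source): the C pre-check modelled with Python ints.
PYLONG_SHIFT = 30  # assumption: 30-bit internal digits, as on typical 64-bit builds


def internal_digits(a, shift=PYLONG_SHIFT):
    """Number of base-2**shift digits in |a| (size_a in the commit message)."""
    return max(1, -(-abs(a).bit_length() // shift))


def precheck_rejects(max_str_digits, size_a, shift=PYLONG_SHIFT):
    """The quoted C comparison; for size_a >= 11 C truncation equals floor."""
    if size_a < 11:
        return False  # assumption: values this small never reach the pre-check
    return max_str_digits // (3 * shift) <= (size_a - 11) // 10


def smallest_rejected_size(max_str_digits, shift=PYLONG_SHIFT):
    """Smallest size_a for which the pre-check fires."""
    return 10 * (max_str_digits // (3 * shift)) + 11


def exceeds_limit(a, max_str_digits):
    """Exact test: |a| has more than max_str_digits decimal digits."""
    return abs(a) >= 10 ** max_str_digits


def precheck_is_sound(max_str_digits, shift=PYLONG_SHIFT):
    """The smallest magnitude the pre-check can reject is already over the limit."""
    s = smallest_rejected_size(max_str_digits, shift)
    return exceeds_limit(2 ** (shift * (s - 1)), max_str_digits)


def slips_through(a, max_str_digits, shift=PYLONG_SHIFT):
    """Over the limit but not caught up front, so left to the exact check."""
    size_a = internal_digits(a, shift)
    return exceeds_limit(a, max_str_digits) and not precheck_rejects(
        max_str_digits, size_a, shift)


if __name__ == "__main__":
    M = 4300  # constructed sample limit
    print("pre-check fires from size_a =", smallest_rejected_size(M))
    print("sound for limits 1..5000:",
          all(precheck_is_sound(m) for m in range(1, 5001)))
    print("480-digit value slips through:",
          slips_through(2 ** (30 * 480) - 1, M))
```

The comparisons use `10 ** max_str_digits` rather than `len(str(a))`, because on interpreters that carry this limit the string conversion of the sample values would itself raise `ValueError`.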
-
- Jul 28, 2022
-
-
Dong-hee Na authored
(cherry picked from commit 07374cce) Co-authored-by:
Dong-hee Na <donghee.na@python.org>
-
- Jul 27, 2022
-
-
Łukasz Langa authored
Three test cases were failing on FreeBSD with latest OpenSSL. (cherry picked from commit 1bc86c26) Co-authored-by:
Christian Heimes <christian@python.org>
-
- Jul 05, 2022
-
-
Łukasz Langa authored
Co-authored-by:
Carter Dodd <carter.dodd@gmail.com> Co-authored-by:
Éric <merwok@netwok.org> Co-authored-by:
Łukasz Langa <lukasz@langa.pl> (cherry picked from commit c8556bcf)
-
- Jul 01, 2022
-
-
Łukasz Langa authored
(cherry picked from commit 80aaeabb) Co-authored-by:
Sam Ezeh <sam.z.ezeh@gmail.com>
-
- Jun 22, 2022
-
-
Miss Islington (bot) authored
Co-authored-by:
Hugo van Kemenade <hugovk@users.noreply.github.com> Co-authored-by:
Adam Turner <9087854+AA-Turner@users.noreply.github.com> (cherry picked from commit d36954b7) Co-authored-by:
Illia Volochii <illia.volochii@gmail.com>
-
Miss Islington (bot) authored
Fix an open redirection vulnerability in the `http.server` module when a URI path starts with `//` that could produce a 301 Location header with a misleading target. Vulnerability discovered, and logic fix proposed, by Hamza Avvan (@hamzaavvan). Test and comments authored by Gregory P. Smith [Google]. (cherry picked from commit 4abab6b6) Co-authored-by:
Gregory P. Smith <greg@krypto.org>
-
- Jun 06, 2022
-
-
Miss Islington (bot) authored
(cherry picked from commit 56b5daf1) Co-authored-by:
Stanley <46876382+slateny@users.noreply.github.com>
-
Victor Stinner authored
(cherry picked from commit 2985feac) Co-authored-by:
Christian Heimes <christian@python.org>
-
- May 24, 2022
-
-
Łukasz Langa authored
Also while there, clarify a few things about why we reduce the hash to 32 bits. Co-authored-by:
Eli Libman <eli@hyro.ai> Co-authored-by:
Yury Selivanov <yury@edgedb.com> Co-authored-by:
Łukasz Langa <lukasz@langa.pl> (cherry picked from commit c1f5c903)
-
- May 16, 2022
-
-
Erlend Egeberg Aasland authored
(cherry picked from commit c908dc5b4798c311981bd7e1f7d92fb623ee448b) Co-authored-by:
Sergey Fedoseev <fedoseev.sergey@gmail.com> Co-authored-by:
Jelle Zijlstra <jelle.zijlstra@gmail.com>
-
Miss Islington (bot) authored
(cherry picked from commit 6066739f) Co-authored-by:
Zachary Ware <zach@python.org>
-
- May 12, 2022
-
-
Dong-hee Na authored
(cherry picked from commit 45e1721d) Co-authored-by:
Dong-hee Na <donghee.na@python.org>
-
- May 10, 2022
-
-
Ezio Melotti authored
* Update Sphinx bpo role to use redirect URI. (GH-32342) * [3.8] Update Sphinx bpo role to use redirect URI. (GH-32342). (cherry picked from commit 08cfe079) Co-authored-by:
Ezio Melotti <ezio.melotti@gmail.com>
-
Miss Islington (bot) authored
(cherry picked from commit 17dbb6bc) Co-authored-by:
Ezio Melotti <ezio.melotti@gmail.com> Co-authored-by:
Ezio Melotti <ezio.melotti@gmail.com>
-
Ezio Melotti authored
* gh-91888: Add a
role to the documentation (GH-91889). * [3.8] gh-91888: add a ` ` role to the documentation (GH-91889) * Add a new `...` role for GitHub issues. * Fix a GitHub id to use the role. * Add Misc/NEWS entry. * Refactoring and rephrasing. Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com> (cherry picked from commit f7641a2f) Co-authored-by:
Ezio Melotti <ezio.melotti@gmail.com> * Fix use of the default role in NEWS entry
-
- May 09, 2022
-
-
Steve Dower authored
bpo-47138: Ensure Windows docs build uses the same pinned version as other platforms (GH-32161) (#32183) Co-authored-by:
Ned Deily <nad@python.org>
-
- Apr 08, 2022
-
-
m-aciek authored
Co-authored-by:
Ned Deily <nad@python.org>
-
- Mar 16, 2022
-
-
Łukasz Langa authored
-
Łukasz Langa authored
This reverts commit e5f711f5.
-
Miss Islington (bot) authored
As per the comments, this mirrors the [datetime documentation](https://docs.python.org/3/library/datetime.html#datetime.datetime.fromtimestamp).

```
>>> import time
>>> time.localtime(999999999999999999999)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
OverflowError: timestamp out of range for platform time_t
>>> time.localtime(-3600)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
OSError: [Errno 22] Invalid argument
```

(cherry picked from commit c83fc9c0) Co-authored-by:
slateny <46876382+slateny@users.noreply.github.com>
-
Miss Islington (bot) authored
(cherry picked from commit 70881208) Co-authored-by:
Steve Dower <steve.dower@python.org>
-
- Mar 15, 2022
-
-
Łukasz Langa authored
-
Łukasz Langa authored
-
Ned Deily authored
* bpo-47024: Update Windows builds and macOS installer build to use OpenSSL 1.1.1n. * Revert inadvertent sqlite downgrade
-
Ned Deily authored
(cherry picked from commit d87f1b78) Co-authored-by:
Pradyun Gedam <pgedam@bloomberg.net>
-
Ned Deily authored
bpo-45405: Prevent internal configure error when running configure with recent versions of clang. (GH-28845) (GH-31889) Change the configure logic to function properly on macOS when the compiler outputs a platform triplet for option --print-multiarch. The Apple Clang included with Xcode 13.3 now supports --print-multiarch causing configure to fail without this change. Co-authored-by:
Ned Deily <nad@python.org> (cherry picked from commit 9c476677) Co-authored-by:
David Bohman <debohman@gmail.com> Automerge-Triggered-By: GH:ned-deily (cherry picked from commit 9901d153) Co-authored-by:
Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
-
- Mar 08, 2022
-
-
Miss Islington (bot) authored
The libexpat 2.4.1 upgrade from introduced the following new exported symbols:

* `testingAccountingGetCountBytesDirect`
* `testingAccountingGetCountBytesIndirect`
* `unsignedCharToPrintable`
* `XML_SetBillionLaughsAttackProtectionActivationThreshold`
* `XML_SetBillionLaughsAttackProtectionMaximumAmplification`

We need to adjust [Modules/expat/pyexpatns.h](https://github.com/python/cpython/blob/master/Modules/expat/pyexpatns.h) (The newer libexpat upgrade has no new symbols).

Automerge-Triggered-By: GH:gpshead (cherry picked from commit 6312c105) Co-authored-by:
Yilei "Dolee" Yang <yileiyang@google.com>
-
Miss Islington (bot) authored
Automerge-Triggered-By: GH:benjaminp (cherry picked from commit ba00f0d9) Co-authored-by:
Benjamin Peterson <benjamin@python.org>
-
Steve Dower authored
bpo-44549: Update bzip2 to 1.0.8 in Windows builds to mitigate CVE-2016-3189 and CVE-2019-12900 (GH-31732) (GH-31734)
-