Subject: [RELEASE] Python 3.13.0RC2, 3.12.6, 3.11.10, 3.10.15, 3.9.20, and 3.8.20 are now available!
From: Łukasz Langa
Newsgroups: comp.lang.python
Date: Sat, 7 Sep 2024 14:26 UTC
Message-ID: <mailman.41.1725719183.2917.python-list@python.org>

Hi there!
A big joint release today. Mostly security fixes but we also have the final release candidate of 3.13 so let’s start with that!

Python 3.13.0RC2

Final opportunity to test and find any show-stopper bugs before we bless and release 3.13.0 final on October 1st.

Get it here: Python Release Python 3.13.0rc2 | Python.org <https://www.python.org/downloads/release/python-3130rc2/>

Call to action

We strongly encourage maintainers of third-party Python projects to prepare their projects for 3.13 compatibility during this phase, and where necessary publish Python 3.13 wheels on PyPI to be ready for the final release of 3.13.0. Any binary wheels built against Python 3.13.0rc2 will work with future versions of Python 3.13. As always, report any issues to the Python bug tracker <https://github.com/python/cpython/issues>.

Please keep in mind that this is a preview release and while it’s as close to the final release as we can get it, its use is not recommended for production environments.

Core developers: time to work on documentation now

Are all your changes properly documented?
Are they mentioned in What’s New <https://docs.python.org/3.13/whatsnew/3.13.html>?
Did you notice other changes you know of to have insufficient documentation?
As a reminder, until the final release of 3.13.0, the 3.13 branch is set up so that the Release Manager (@thomas <https://discuss.python.org/u/thomas>) has to merge the changes. Please add him (@Yhg1s on GitHub) to any changes you think should go into 3.13.0. At this point, unless something critical comes up, it should really be documentation only. Other changes (including tests) will be pushed to 3.13.1.

New features in Python 3.13

A new and improved interactive interpreter <https://docs.python.org/3.13/whatsnew/3.13.html#a-better-interactive-interpreter>, based on PyPy <https://pypy.org/>’s, featuring multi-line editing and color support, as well as colorized exception tracebacks <https://docs.python.org/3.13/whatsnew/3.13.html#improved-error-messages>.
An experimental free-threaded build mode <https://docs.python.org/3.13/whatsnew/3.13.html#free-threaded-cpython>, which disables the Global Interpreter Lock, allowing threads to run more concurrently. The build mode is available as an experimental feature in the Windows and macOS installers as well.
A preliminary, experimental JIT <https://docs.python.org/3.13/whatsnew/3.13.html#experimental-jit-compiler>, providing the ground work for significant performance improvements.
The locals() builtin function (and its C equivalent) now has well-defined semantics when mutating the returned mapping <https://docs.python.org/3.13/whatsnew/3.13.html#defined-mutation-semantics-for-locals>, which allows debuggers to operate more consistently.
The (cyclic) garbage collector is now incremental <https://docs.python.org/3.13/whatsnew/3.13.html#incremental-garbage-collection>, which should mean shorter pauses for collection in programs with a lot of objects.
A modified version of mimalloc <https://github.com/microsoft/mimalloc> is now included, optional but enabled by default if supported by the platform, and required for the free-threaded build mode.
Docstrings now have their leading indentation stripped <https://docs.python.org/3.13/whatsnew/3.13.html#other-language-changes>, reducing memory use and the size of .pyc files. (Most tools handling docstrings already strip leading indentation.)
The dbm module <https://docs.python.org/3.13/library/dbm.html> has a new dbm.sqlite3 backend <https://docs.python.org/3.13/whatsnew/3.13.html#dbm> that is used by default when creating new files.
The minimum supported macOS version was changed from 10.9 to 10.13 (High Sierra). Older macOS versions will not be supported going forward.
WASI is now a Tier 2 supported platform <https://peps.python.org/pep-0011/#tier-2>. Emscripten is no longer an officially supported platform <https://peps.python.org/pep-0011/#no-longer-supported-platforms> (but Pyodide <https://pyodide.org/> continues to support Emscripten).
iOS is now a Tier 3 supported platform <https://peps.python.org/pep-0730/>, with Android on the way as well <https://peps.python.org/pep-0738/>.

Python 3.12.6

This is an expedited release for 3.12 due to security content. The schedule returns back to regular programming in October.

One notable change for macOS users: as mentioned in the previous release of 3.12, this release drops support for macOS versions 10.9 through 10.12. Versions of macOS older than 10.13 haven’t been supported by Apple since 2019, and maintaining support for them has become too difficult. (All versions of Python 3.13 have already dropped support for them.)

Get it here: Python Release Python 3.12.6 | Python.org <https://www.python.org/downloads/release/python-3126/>
92 commits.

Python 3.11.10

Python 3.11 joins the elite club of security-only versions with no binary installers.

Get it here: Python Release Python 3.11.10 | Python.org <https://www.python.org/downloads/release/python-31110/>
28 commits.

Python 3.10.15

Get it here: Python Release Python 3.10.15 | Python.org <https://www.python.org/downloads/release/python-31015/>
24 commits.

Python 3.9.20

Get it here: Python Release Python 3.9.20 | Python.org <https://www.python.org/downloads/release/python-3920/>
22 commits.

Python 3.8.20

Python 3.8 is very close to End of Life (see the Release Schedule <https://peps.python.org/pep-0569/>). Will this be the last release of 3.8 ever? We’ll see… but now I think I jinxed it.

Get it here: Python Release Python 3.8.20 | Python.org <https://www.python.org/downloads/release/python-3820/>
22 commits.

Security content in today’s releases

gh-123678 <https://github.com/python/cpython/issues/123678> and gh-116741 <https://github.com/python/cpython/issues/116741>: Upgrade bundled libexpat to 2.6.3 to fix CVE-2024-28757 <https://github.com/advisories/GHSA-ch5v-h69f-mxc8>, CVE-2024-45490 <https://github.com/advisories/GHSA-4hvh-m426-wv8w>, CVE-2024-45491 <https://github.com/advisories/GHSA-784x-7qm2-gp97> and CVE-2024-45492 <https://github.com/advisories/GHSA-5qxm-qvmj-8v79>.
gh-118486 <https://github.com/python/cpython/issues/118486>: os.mkdir() <https://docs.python.org/3/library/os.html#os.mkdir> on Windows now accepts mode of 0o700 to restrict the new directory to the current user. This fixes CVE-2024-4030 affecting tempfile.mkdtemp() <https://docs.python.org/3/library/tempfile.html#tempfile.mkdtemp> in scenarios where the base temporary directory is more permissive than the default.
gh-123067 <https://github.com/python/cpython/issues/123067>: Fix quadratic complexity in parsing "-quoted cookie values with backslashes by http.cookies <https://docs.python.org/3/library/http.cookies.html#module-http.cookies>. Fixes CVE-2024-7592.
gh-113171 <https://github.com/python/cpython/issues/113171>: Fixed various false positives and false negatives in IPv4Address.is_private, IPv4Address.is_global, IPv6Address.is_private, IPv6Address.is_global. Fixes CVE-2024-4032.
gh-67693 <https://github.com/python/cpython/issues/67693>: Fix urllib.parse.urlunparse() <https://docs.python.org/3/library/urllib.parse.html#urllib.parse.urlunparse> and urllib.parse.urlunsplit() <https://docs.python.org/3/library/urllib.parse.html#urllib.parse.urlunsplit> for URIs with path starting with multiple slashes and no authority. Fixes CVE-2015-2104.
gh-121957 <https://github.com/python/cpython/issues/121957>: Fixed missing audit events around interactive use of Python, now also properly firing for python -i, as well as for python -m asyncio. The event in question is cpython.run_stdin.
gh-122133 <https://github.com/python/cpython/issues/122133>: Authenticate the socket connection for the socket.socketpair() fallback on platforms where AF_UNIX is not available like Windows.
gh-121285 <https://github.com/python/cpython/issues/121285>: Remove backtracking from tarfile header parsing for hdrcharset, PAX, and GNU sparse headers. That’s CVE-2024-6232.
gh-114572 <https://github.com/python/cpython/issues/114572>: ssl.SSLContext.cert_store_stats() <https://docs.python.org/3/library/ssl.html#ssl.SSLContext.cert_store_stats> and ssl.SSLContext.get_ca_certs() <https://docs.python.org/3/library/ssl.html#ssl.SSLContext.get_ca_certs> now correctly lock access to the certificate store, when the ssl.SSLContext <https://docs.python.org/3/library/ssl.html#ssl.SSLContext> is shared across multiple threads.
gh-102988 <https://github.com/python/cpython/issues/102988>: email.utils.getaddresses() <https://docs.python.org/3/library/email.utils.html#email.utils.getaddresses> and email.utils.parseaddr() <https://docs.python.org/3/library/email.utils.html#email.utils.parseaddr> now return ('', '') 2-tuples in more situations where invalid email addresses are encountered instead of potentially inaccurate values. Add optional strict parameter to these two functions: use strict=False to get the old behavior, accept malformed inputs. getattr(email.utils, 'supports_strict_parsing', False) can be used to check if the strict parameter is available. This improves the CVE-2023-27043 fix.
gh-123270 <https://github.com/python/cpython/issues/123270>: Sanitize names in zipfile.Path <https://docs.python.org/3/library/zipfile.html#zipfile.Path> to avoid infinite loops (gh-122905 <https://github.com/python/cpython/issues/122905>) without breaking contents using legitimate characters. That’s CVE-2024-8088.
gh-121650 <https://github.com/python/cpython/issues/121650>: email <https://docs.python.org/3/library/email.html#module-email> headers with embedded newlines are now quoted on output. The generator <https://docs.python.org/3/library/email.generator.html#module-email.generator> will now refuse to serialize (write) headers that are unsafely folded or delimited; see verify_generated_headers <https://docs.python.org/3/library/email.policy.html#email.policy.Policy.verify_generated_headers>. That’s CVE-2024-6923.
gh-119690 <https://github.com/python/cpython/issues/119690>: Fixes data type confusion in audit events raised by _winapi.CreateFile and _winapi.CreateNamedPipe.
gh-116773 <https://github.com/python/cpython/issues/116773>: Fix instances of <_overlapped.Overlapped object at 0xXXX> still has pending operation at deallocation, the process may crash.
gh-112275 <https://github.com/python/cpython/issues/112275>: A deadlock involving pystate.c’s HEAD_LOCK in posixmodule.c at fork is now fixed.

Stay safe and upgrade!

Upgrading is highly recommended to all users of affected versions.

Thank you for your support

Thanks to all of the many volunteers who help make Python Development and these releases possible! Please consider supporting our efforts by volunteering yourself or through organization contributions to the Python Software Foundation.

--
Łukasz Langa @ambv <https://discuss.python.org/u/ambv>
on behalf of your friendly release team,

Ned Deily @nad <https://discuss.python.org/u/nad>
Steve Dower @steve.dower <https://discuss.python.org/u/steve.dower>
Pablo Galindo Salgado @pablogsal <https://discuss.python.org/u/pablogsal>
Łukasz Langa @ambv <https://discuss.python.org/u/ambv>
Thomas Wouters @thomas <https://discuss.python.org/u/thomas>
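
Added example, not part of the original announcement or of CPython: a small check an operator could run on each interpreter to see whether it is at or above the release announced for its branch, and whether the two email-module fixes that the announcement says are detectable (supports_strict_parsing, verify_generated_headers) are present even when the version number is older, as happens with distribution backports. The function names and status strings are assumptions made for this example.

```python
import email.policy
import email.utils
import sys

# Releases named in the announcement, keyed by (major, minor) branch.
ANNOUNCED = {
    (3, 13): (3, 13, 0, "candidate", 2),
    (3, 12): (3, 12, 6, "final", 0),
    (3, 11): (3, 11, 10, "final", 0),
    (3, 10): (3, 10, 15, "final", 0),
    (3, 9): (3, 9, 20, "final", 0),
    (3, 8): (3, 8, 20, "final", 0),
}
# Explicit ordering of sys.version_info.releaselevel values.
_LEVEL = {"alpha": 0, "beta": 1, "candidate": 2, "final": 3}


def _key(v):
    """Turn a version_info-style 5-tuple into a comparable tuple."""
    major, minor, micro, level, serial = tuple(v)[:5]
    return (major, minor, micro, _LEVEL[level], serial)


def version_status(v):
    """True if v >= the announced release for its branch, False if older,
    None if the branch is not covered by this announcement."""
    floor = ANNOUNCED.get(tuple(v)[:2])
    if floor is None:
        return None
    return _key(v) >= _key(floor)


def feature_probe():
    """Detect the two fixes the announcement describes as detectable at runtime."""
    return {
        # gh-102988: flag documented in the announcement itself.
        "email_strict_parsing": bool(
            getattr(email.utils, "supports_strict_parsing", False)),
        # gh-121650: policy attribute linked from the announcement.
        "verify_generated_headers": hasattr(
            email.policy.default, "verify_generated_headers"),
    }


def assess(v=None, features=None):
    """Combine the version check and the feature probe into one status string."""
    v = sys.version_info if v is None else v
    features = feature_probe() if features is None else features
    by_version = version_status(v)
    if by_version is None:
        return "branch-not-in-announcement"
    if by_version:
        return "at-or-above-announced-release"
    # Older version number: only the two probed email fixes can be confirmed.
    if all(features.values()):
        return "older-version-with-backported-email-fixes"
    return "below-announced-release"


if __name__ == "__main__":
    print(sys.version.split()[0], assess(), feature_probe())
```

The "older-version-with-backported-email-fixes" status only confirms the two probed email fixes; the other items in the security list still have to be checked against the vendor's changelog.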
