Python (64-bit)

What's new in this version:

Core and Builtins:
- Update Windows builds to use OpenSSL 1.0.2h.

Tests:
- Ubuntu’s openssl OP_NO_SSLv3 is forced on by default; fix test.

IDLE:
- Allow non-ascii in idlelib/NEWS.txt - minimal part for 3.5.2.

Core and Builtins:
- Fixed SystemError if a custom opener (for open()) returns a negative number without setting an exception.
- Fixed TypeError when frame.f_trace is set to None. Patch by Xavier de Gaye.
- Fixed possible refleaks in failing Py_BuildValue() with the “N” format unit.
- Fix possible refleak when creating a function with annotations.
- Fixed bytearray.remove() for values greater than 127. Patch by Joe Jevnik.
- int.from_bytes() no longer bypasses constructors for subclasses.
- gc.get_objects() no longer contains a broken tuple with NULL pointer.
- Use RawConfigParser for .pypirc parsing, removing support for interpolation unintentionally added with move to Python 3. Behavior no longer does any interpolation in .pypirc files, matching behavior in Python 2.7 and Setuptools 19.0.
- Make the builtin slice type support cycle collection.
- super.__init__ no longer leaks memory if called multiple times. NOTE: A direct call of super.__init__ is not endorsed!
- PYTHONIOENCODING now has priority over locale in setting the error handler for stdin and stdout.
- Fixed crash on iterating exhausting iterators. Affected classes are generic sequence iterators, iterators of str, bytes, bytearray, list, tuple, set, frozenset, dict, OrderedDict, corresponding views and os.scandir() iterator.
- If coding cookie is specified multiple times on a line in Python source code file, only the first one is taken to account.
- Fix str.translate() when string is ASCII and first replacements removes character, but next replacement uses a non-ASCII character or a string longer than 1 character. Regression introduced in Python 3.5.0.
- Ensure exception reports from PyErr_Display() and PyErr_WriteUnraisable() are sensible even when formatting them produces secondary errors. This affects the reports produced by sys.__excepthook__() and when __del__() raises an exception.
- Correct behavior to reject comma as a legal character for cookie names.
- Avoid masking the original TypeError exception when using star (*) unpacking in function calls. Based on patch by Hagen Fürstenau and Daniel Urban.
- Fix the doc comment for FileFinder.find_spec().
- Add a new private _PyThreadState_UncheckedGet() function to get the current Python thread state, but don’t issue a fatal error if it is NULL. This new function must be used instead of accessing directly the _PyThreadState_Current variable. The variable is no more exposed since Python 3.5.1 to hide the exact implementation of atomic C types, to avoid compiler issues.
- Deque.insert() gave odd results for bounded deques that had reached their maximum size. Now an IndexError will be raised when attempting to insert into a full deque.
- When compiling code, don’t merge constants if they are equal but have a different types. For example, f1, f2 = lambda: 1, lambda: 1.0 is now correctly compiled to two different functions: f1() returns 1 (int) and f2() returns 1.0 (int), even if 1 and 1.0 are equal.
- [UPDATE] Comment out the one of the pickleability tests in _PyObject_GetState() due to regressions observed in Cython-based projects.
- Disallowed null characters in the type name.
- Fix segfault when an invalid nonlocal statement binds a name starting with two underscores.
- Instances of extension types with a state that aren’t subclasses of list or dict and haven’t implemented any pickle-related methods (__reduce__, __reduce_ex__, __getnewargs__, __getnewargs_ex__, or __getstate__), can no longer be pickled. Including memoryview.
- Massive replacing unsafe attribute setting code with special macro Py_SETREF.
- Special method __bytes__() now works in str subclasses.
- __sizeof__ methods of builtin types now use dynamic basic size. This allows sys.getsize() to work correctly with their subclasses with __slots__ defined.
- Fixed problem with in-place string concatenation and utf-8 cache.
- Mention PEP 420 in the importlib docs.
- Fixed crash in object.__reduce__() if slot name is freed inside __getattr__.
- Fixed crash on converting objects with special methods __bytes__, __trunc__, and __float__ returning instances of subclasses of bytes, int, and float to subclasses of bytes, int, and float correspondingly.
- Fix semantic bugs when using binary operators with dictionary views and tuples.
- Fix possible integer overflow and heap corruption in zipimporter.get_data().
- Fix TAB key behaviour in REPL with readline.
- Raise a RuntimeError when a coroutine object is awaited more than once.
- Update the __aiter__ protocol: instead of returning an awaitable that resolves to an asynchronous iterator, the asynchronous iterator should be returned directly. Doing the former will trigger a PendingDeprecationWarning.

Library:
- Update expat to 2.1.1, fixes CVE-2015-1283.
- Fix TLS stripping vulnerability in smptlib, CVE-2016-0772. Reported by Team

Oststrom:
- Implement missing IPv4Address.is_global property. It was documented since 07a5610bae9d. Initial patch by Roger Luethi.
- distutils register command now decodes HTTP responses correctly.

Initial patch by ingrid.
- A new version of typing.py provides several new classes and features: @overload outside stubs, Reversible, DefaultDict, Text, ContextManager, Type[], NewType(), TYPE_CHECKING, and numerous bug fixes (note that some of the new features are not yet implemented in mypy or other static analyzers). Also classes for PEP 492 (Awaitable, AsyncIterable, AsyncIterator) have been added (in fact they made it into 3.5.1 but were never mentioned).
- Stop http.server.BaseHTTPRequestHandler.send_error() from sending a message body for 205 Reset Content. Also, don’t send Content header fields in responses that don’t have a body. Patch by Susumu Koshiba.
- Fix the “platform” module to tolerate when sys.version contains truncated build information.
- On Linux, os.urandom() now calls getrandom() with GRND_NONBLOCK to fall back on reading /dev/urandom if the urandom entropy pool is not initialized yet. Patch written by Colm Buckley.
- In the zlib module, allow decompressing raw Deflate streams with a predefined zdict. Based on patch by Xiang Zhang.
- Fix wsgiref.simple_server.WSGIRequestHandler to completely write data to the client. Previously it could do partial writes and truncate data. Also, wsgiref.handler.ServerHandler can now handle stdout doing partial writes, but this is deprecated.
- Add __all__ to string. Patch by Emanuel Barry.
- subprocess.Popen.communicate now correctly ignores BrokenPipeError when the child process dies before .communicate() is called in more/all circumstances.
- distutils.upload now correctly handles HTTPError. Initial patch by Claudiu Popa.
- Fix SSLContext._load_windows_store_certs fails with PermissionError
- Avoid creating duplicate filters when using filterwarnings and simplefilter. Based on patch by Alex Shkop.
- Fix os.set_inheritable() on Android, ioctl() is blocked by SELinux and fails with EACCESS. The function now falls back to fcntl(). Patch written by Michal Bednarski.
- Fix infinite recursion using typing.py. Thanks to Kalle Tuure!
- Fix urllib.request redirect handling when the target only has a query string. Original fix by Ján Janech.
- The “urllib.request” module now percent-encodes non-ASCII bytes found in redirect target URLs. Some servers send Location header fields with non-ASCII bytes, but “http.client” requires the request target to be ASCII-encodable, otherwise a UnicodeEncodeError is raised. Based on patch by Christian Heimes.
- Honor debuglevel flag in urllib.request.HTTPHandler. Patch contributed by Chi Hsuan Yen.
- In the subprocess module, allow stderr to be redirected to stdout even when stdout is not redirected. Patch by Akira Li.
- mock_open ‘files’ no longer error on readline at end of file. Patch from Yolanda Robla.
- Fixed leaking a userptr in curses panel destructor.
- Removed unnecessary, and ignored, call to sum of squares helper in statistics.pvariance.
- The modulefinder module now supports extended opcode arguments.
- Fixed crashes related to directly created instances of types in _tkinter and curses.panel modules.
- weakref.ref() no longer silently ignores keyword arguments. Patch by Georg Brandl.
- xmlrpc now raises ResponseError on unsupported type tags instead of silently return incorrect result.
- Fixed the comparison of plistlib.Data with other types.
- Fix an uninitialized variable in ctypes.util.
- The bug only occurs on SunOS when the ctypes implementation searches for the crle program. Patch by Xiang Zhang. Tested on SunOS by Kees Bos.
- In urllib.request, change the proxy bypass host checking against no_proxy to be case-insensitive, and to not match unrelated host names that happen to have a bypassed hostname as a suffix. Patch by Xiang Zhang.
- recursive_repr() now sets __qualname__ of wrapper. Patch by Xiang Zhang.
- urllib.request will prefer lower_case proxy environment variables over UPPER_CASE or Mixed_Case ones. Patch contributed by Hans-Peter Jansen.
- assertSequenceEqual() now correctly outputs non-stringified differing items (like bytes in the -b mode). This affects assertListEqual() and assertTupleEqual().
- Remove “will be removed in Python 3.7” from deprecation messages of platform.dist() and platform.linux_distribution(). Patch by Kumaripaba Miyurusara Athukorala.
- itemgetter, attrgetter and methodcaller objects no longer silently ignore keyword arguments.
- Disassembling a class now disassembles class and static methods. Patch by Xiang Zhang.
- Fix error handling in shutil.get_terminal_size(), catch AttributeError instead of NameError. Patch written by Emanuel Barry.
- tarfile’s ustar and gnu formats now correctly calculate name and link field limits for multibyte character encodings like utf-8.
- Fix directory traversal vulnerability with http.server on Windows. This fixes a regression that was introduced in 3.3.4rc1 and 3.4.0rc1. Based on patch by Philipp Hagemeister.
- Stop encoding Latin-1-ized WSGI paths with UTF-8. Patch by Anthony Sottile.
- Fix os.urandom() on Solaris 11.3 and newer when reading more than 1,024 bytes: call getrandom() multiple times with a limit of 1024 bytes per call.
- Add .webm to mimetypes.types_map. Patch by Giampaolo Rodola’.
- Add .csv to mimetypes.types_map. Patch by Geoff Wilson.
- Fixed Y2038 problem in loading binary PLists.
- Handle terminal resizing with Readline 6.3+ by installing our own SIGWINCH handler. Patch by Eric Price.
- In http.server, respond with “413 Request header fields too large” if there are too many header fields to parse, rather than killing the connection and raising an unhandled exception. Patch by Xiang Zhang.
- Change BufferedReader.writable() and BufferedWriter.readable() to always return False.
- Fix a regression in mock.MagicMock. _Call is a subclass of tuple (changeset 3603bae63c13 only works for classes) so we need to implement __ne__ ourselves. Patch by Andrew Plummer.
- Raise ValueError rather than SystemError when a negative length is passed to SSLSocket.recv() or read().
- Fix SSL recv(0) and read(0) methods to return zero bytes instead of up to 1024.
- Fixed a bug in datetime.astimezone() method.
- warnings.formatwarning() now catches exceptions on linecache.getline(...) to be able to log ResourceWarning emitted late during the Python shutdown process.
- Ctrl+C during Readline history search now cancels the search mode when compiled with Readline 7.
- Avoid potential ValueError in BaseHandler.start_response. Initial patch by Peter Inglesby.
- ssl.py _load_windows_store_certs fails if windows cert store is empty. Patch by Baji.
- Fix pyclbr.readmodule() and pyclbr.readmodule_ex() to support importing packages.
- Account for remaining Content-Length in HTTPResponse.readline() and read1(). Based on patch by Silent Ghost. Also document that HTTPResponse now supports these methods.
- Handle sockets in directories unittest discovery is scanning. Patch from Victor van den Elzen.
- cookiejar.http2time() now returns None if year is higher than datetime.MAXYEAR.
- Fixes platform module detection of Windows Server
- Fixed parsing time in week 0 before Jan 1. Original patch by Tamás Bence Gedai.
- Invoking Path.owner() and Path.group() on Windows now raise NotImplementedError instead of ImportError.
- Fixed the keys() method for Canvas and Scrollbar widgets.
- Got rid of excessive buffering in the fileinput module. The bufsize parameter is no longer used.
- Fix UnboundLocalError in AbstractDigestAuthHandler.get_algorithm_impls. Initial patch by Mathieu Dupuy.
- Fixed pickling and copying the accumulate() iterator with total is None.
- Fixed debugging output for regular expressions with the (?x) flag.
- Fixed the subnets() methods in IP network classes for the case when resulting prefix length is equal to maximal prefix length. Based on patch by Xiang Zhang.
- Remove the file if the internal open() call in NamedTemporaryFile() fails. Patch by Silent Ghost.
- Fix XML-RPC client to retry when the server shuts down a persistent connection. This was a regression related to the new http.client.RemoteDisconnected exception in 3.5.0a4.
- Leading