Python (64-bit) 歷史版本列表
更新時間:2021-05-04
更新細節:
What's new in this version:
Security:
- Creating a sqlite3.Connection object now also produces a sqlite3.connect auditing event. Previously this event was only produced by sqlite3.connect() calls. Patch by Erlend E. Aasland.
- The presence of newline or tab characters in parts of a URL could allow some forms of attacks
- Following the controlling specification for URLs defined by WHATWG urllib.parse() now removes ASCII newlines and tabs from URLs, preventing such attacks
- Ensures interpreter-level audit hooks receive the cpython.PyInterpreterState_New event when called through the _xxsubinterpreters module
- ipaddress module no longer accepts any leading zeros in IPv4 address strings. Leading zeros are ambiguous and interpreted as octal notation by some libraries. For example the legacy function socket.inet_aton() treats leading zeros as octal notatation. glibc implementation of modern inet_pton() does not accept any leading zeros. For a while the ipaddress module used to accept ambiguous leading zeros.
- Fix Regular Expression Denial of Service (ReDoS) vulnerability in urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.
- Audit hooks are now fired for frame.f_code, traceback.tb_frame, and generator code/frame attribute access
Core and Builtins:
- Importlib now resolves relative paths when creating module spec objects from file locations
- Fix bytearray repetition incorrectly copying data from the start of the buffer, even if the data is offset within the buffer (e.g. after reassigning a slice at the start of the bytearray to a shorter byte string).
Library:
- Update bundled pip to 21.1.1
- Fixed the turtle module working with non-default root window
- Update bundled pip to 21.1 and setuptools to 56.0.0
- OpenSSL 3.0.0: load_verify_locations() now returns a consistent error message when cadata contains no valid certificate
- urllib can now convert Windows paths with ? prefixes into URL paths
- platform.win32_ver derives the windows version from sys.getwindowsversion().platform_version which in turn derives the version from kernel32.dll (which can be of a different version than Windows itself). Therefore change the platform.win32_ver to determine the version using the platform module’s _syscmd_ver private function to return an accurate version.
- [Enum] ensure exceptions raised in _missing__ are released
- OpenSSL 3.0.0: define OPENSSL_API_COMPAT 1.1.1 to suppress deprecation warnings. Python requires OpenSSL 1.1.1 APIs
- Add ssl.OP_IGNORE_UNEXPECTED_EOF constants (OpenSSL 3.0.0)
- OpenSSL 3.0.0: Don’t call the password callback function a second time when first call has signaled an error condition
- The header files for ssl error codes are now OpenSSL version-specific. Exceptions will now show correct reason and library codes. The make_ssl_data.py script has been rewritten to use OpenSSL’s text file with error codes.
- tkinter dialog windows are now recognized as dialogs by window managers on macOS and X Window
- turtle.textinput() and turtle.numinput() create now a transient window working on behalf of the canvas window
- Fix problem with hostname_checks_common_name. OpenSSL does not copy hostflags from struct SSL_CTX to struct SSL
- Allow bytes separator argument in urllib.parse.parse_qs and urllib.parse.parse_qsl when parsing str query strings. Previously, this raised a TypeError.
- Fixed processing of a dataclass that inherits from a frozen dataclass with no fields. It is now correctly detected as an error
- Fix thread locks in zlib module may go wrong in rare case. Patch by Ma Lin
- Fix dataclasses with InitVars and replace(). Patch by Claudiu Popa
- Fix a regression in the handling of ctypes’ ctypes.c_wchar_p type: embedded null characters would cause a ValueError to be raised. Patch by Zackery Spytz
Documentation:
- The documentation on the PyContextVar C-API was clarified
- Update dataclasses documentation to express that FrozenInstanceError is derived from AttributeError
- Update documentation to reflect that unparenthesized lambda expressions can no longer be the expression part in an if clause in comprehensions and generator expressions since Python 3.9.
- Fixing the example code in Doc/extending/extending.rst to declare and initialize the pmodule variable to be of the right type
Tests:
- Fix test_logging.test_namer_rotator_inheritance() on Windows: use os.replace() rather than os.rename(). Patch by Victor Stinner
- Fix a race condition in the SMTP test of test_logging. Don’t close a file descriptor (socket) from a different thread while asyncore.loop() is polling the file descriptor. Patch by Victor Stinner.
- Tests multiple OpenSSL versions on GitHub Actions. Use ccache to speed up testing
- OpenSSL 3.0.0: Disable testing of legacy protocols TLS 1.0 and 1.1. Tests are failing with TLSV1_ALERT_INTERNAL_ERROR
Windows:
- Avoid raising errors from pathlib.Path.exists() when passed an invalid filename
- Fixed os.stat() failing on inaccessible directories with a trailing slash, rather than falling back to the parent directory’s metadata. This implicitly affected os.path.exists() and os.path.isdir().
- Fixed decoding of host names in socket.gethostbyaddr() and socket.gethostbyname_ex()
- Updated pegen regeneration script on Windows to find and use Python 3.8 or higher. Prior to this, pegen regeneration already required 3.8 or higher, but the script may have used lower versions of Python
- Actually updates Windows release to OpenSSL 1.1.1k. Earlier releases were mislabelled and actually included 1.1.1i again
- Upgrade Windows installer to use SQLite 3.35.5
IDLE:
- IDLE dialog windows are now recognized as dialogs by window managers on macOS and X Window
更新時間:2021-04-06
更新細節:
更新時間:2021-04-05
更新細節:
What's new in this version:
Core and Builtins:
- bpo-43710: Reverted the fix as it changed the PyThreadState struct size and broke the 3.9.x ABI in the 3.9.3 release (visible on 32-bit platforms using binaries compiled using an earlier version of Python 3.9.x headers).
Library:
- bpo-26053: Fixed bug where the pdb interactive run command echoed the args from the shell command line, even if those have been overridden at the pdb prompt
更新時間:2021-04-05
更新細節:
What's new in this version:
Fixed:
- a security issue that may occur when decompressing archives in some formats
- a bug that some split-compressed RAR archives cannot be decompressed
- buffer overflow and buffer overrun vulnerabilities that may occur when handling ALZ, ARJ, EGG, RAR, TAR, and ZIP archives
- a bug that the program may crash when handling ACE, ALZ, BH, and RAR archives
- a bug that some data remain in the registry even after the program's uninstallation
- a bug that symbolic links in a ZIP archive are incorrectly processed
- an issue that the program may crash when used with some antivirus software supporting AMSI
- some bugs that occur in the "Snap Window" feature
- a bug that the program may crash if the dialog box closes in the midst of opening an archive
Improved:
- the feature undoing file associations
- the "New Folder" on the right-click menu to create a folder at the point of the Desktop where the user right-clicks (System restart required)
- the program's stability
- Added support for the split-archive formats created by HaoZip (.haozip01.zip, .haozip02.zip, ...)
- Other modifications
更新時間:2021-04-05
更新細節:
What's new in this version:
Fixed:
- Improve error message when blocked repository defined in build POM
New Feature:
- Add support for mirror selector on external:http:*
- Add support for blocking mirrors
- Block external HTTP repositories by default
Dependency upgrade:
- Upgrade Maven Wagon to 3.4.3
- Upgrade Maven Resolver to 1.6.2
更新時間:2021-04-02
更新細節:
What's new in this version:
Security:
- CVE-2021-3426: Remove the getfile feature of the pydoc module which could be abused to read arbitrary files on the disk (directory traversal vulnerability). Moreover, even source code of Python modules can contain sensitive data like passwords. Vulnerability reported by David Schwörer.
- ftplib no longer trusts the IP address value returned from the server in response to the PASV command by default. This prevents a malicious FTP server from using the response to probe IPv4 address and port combinations on the client network.
- Code that requires the former vulnerable behavior may set a trust_server_pasv_ipv4_address attribute on their ftplib.FTP instances to True to re-enable it.
- Add audit hooks for gc.get_objects(), gc.get_referrers() and gc.get_referents(). Patch by Pablo Galindo.
Core and Builtins:
- Fix crash that happens when replacing sys.stderr with a callable that can remove the object while an exception is being printed. Patch by Pablo Galindo.
- Report the column offset for SyntaxError for invalid line continuation characters. Patch by Pablo Galindo.
- Fix misdetection of circular imports when using from pkg.mod import attr, which caused false positives in non-trivial multi-threaded code.
- Python no longer fails at startup with a fatal error if a command line argument contains an invalid Unicode character. The Py_DecodeLocale() function now escapes byte sequences which would be decoded as Unicode characters outside the [U+0000; U+10ffff] range.
- Fix a possible race condition where PyErr_CheckSignals tries to execute a non-Python signal handler.
- Improve handling of exceptions near recursion limit. Converts a number of Fatal Errors in RecursionErrors.
Library:
- xmlrpc.client.ServerProxy no longer ignores query and fragment in the URL of the server.
- Raising an exception raised in a “future” instance will create reference cycles.
- Fix deadlock when using ssl.SSLContext debug callback with ssl.SSLContext.sni_callback().
- ast.unparse can now render NaNs and empty sets.
- subprocess.communicate() no longer raises an IndexError when there is an empty stdout or stderr IO buffer during a timeout on Windows.
- Fixed long-standing bug of smtplib.SMTP where doing AUTH LOGIN with initial_response_ok=False will fail.
- The cause is that SMTP.auth_login _always_ returns a password if provided with a challenge string, thus non-compliant with the standard for AUTH LOGIN.
- Also fixes bug with the test for smtpd.
- Improves the networking efficiency of http.client when using a proxy via set_tunnel(). Fewer small send calls are made during connection setup.
- Fix ElementTree.extend not working on iterators when using the Python implementation
- The python -m gzip command line application now properly fails when detecting an unsupported extension. It exits with a non-zero exit code and prints an error message to stderr.
- Fix TextIOWrapper can not flush internal buffer forever after very large text is written.
- Fail fast in shutil.move() to avoid creating destination directories on failure.
- Fixed memory leak in socketserver.ThreadingMixIn introduced in Python 3.7.
Documentation:
- Answer “Why is there no goto?” in the Design and History FAQ.
- Clarified that a result from time.monotonic(), time.perf_counter(), time.process_time(), or time.thread_time() can be compared with the result from any following call to the same function - not just the next immediate call.
- Clarify that ‘yield from <expr>’ works with any iterable, not just iterators.
- Update some deprecated unicode APIs which are documented as “will be removed in 4.0” to “3.12”. See PEP 623 for detail.
Tests:
- Fix test_getsetlocale_issue1813() of test_locale: skip the test if setlocale() fails. Patch by Victor Stinner.
- Add workaround for Ubuntu’s custom OpenSSL security level policy.
- Fix test_importlib to correctly skip Unicode file tests if the fileystem does not support them.
Build:
- Update macOS, Windows, and CI to OpenSSL 1.1.1k.
- Improve configure.ac: Check for presence of autoconf-archive package and remove our copies of M4 macros.
macOS:
- Update macOS installer build to use OpenSSL 1.1.1j.
IDLE:
- Document that IDLE can fail on Unix either from misconfigured IP masquerage rules or failure displaying complex colored (non-ascii) characters.
- Document why printing to IDLE’s Shell is often slower than printing to a system terminal and that it can be made faster by pre-formatting a single string before printing.
更新時間:2021-03-26
更新細節:
What's new in this version:
- Fixed minor bugs
更新時間:2021-03-24
更新細節:
更新時間:2021-03-20
更新細節:
更新時間:2021-03-19
更新細節: