gh-100734: What's New in 3.x: Add missing detail from 3.x branch (#114689)

2024-02-15 17:32:33 +02:00 · 2024-02-15 17:32:33 +02:00 · cfb26401f6
parent 298bcdc185
commit cfb26401f6
8 changed files with 327 additions and 0 deletions
--- a/Doc/whatsnew/2.6.rst
+++ b/Doc/whatsnew/2.6.rst
@ -2992,6 +2992,33 @@ Changes to Python's build process and to the C API include:
  architectures (x86, PowerPC), 64-bit (x86-64 and PPC-64), or both.
  (Contributed by Ronald Oussoren.)
 * A new function added in Python 2.6.6, :c:func:`!PySys_SetArgvEx`, sets
  the value of ``sys.argv`` and can optionally update ``sys.path`` to
  include the directory containing the script named by ``sys.argv[0]``
  depending on the value of an *updatepath* parameter.
  This function was added to close a security hole for applications
  that embed Python.  The old function, :c:func:`!PySys_SetArgv`, would
  always update ``sys.path``, and sometimes it would add the current
  directory.  This meant that, if you ran an application embedding
  Python in a directory controlled by someone else, attackers could
  put a Trojan-horse module in the directory (say, a file named
  :file:`os.py`) that your application would then import and run.
  If you maintain a C/C++ application that embeds Python, check
  whether you're calling :c:func:`!PySys_SetArgv` and carefully consider
  whether the application should be using :c:func:`!PySys_SetArgvEx`
  with *updatepath* set to false.  Note that using this function will
  break compatibility with Python versions 2.6.5 and earlier; if you
  have to continue working with earlier versions, you can leave
  the call to :c:func:`!PySys_SetArgv` alone and call
  ``PyRun_SimpleString("sys.path.pop(0)\n")`` afterwards to discard
  the first ``sys.path`` component.
  Security issue reported as `CVE-2008-5983
  <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5983>`_;
  discussed in :gh:`50003`, and fixed by Antoine Pitrou.
 * The BerkeleyDB module now has a C API object, available as
  ``bsddb.db.api``.   This object can be used by other C extensions
  that wish to use the :mod:`bsddb` module for their own purposes.
@ -3294,6 +3321,15 @@ that may require changes to your code:
  scoping rules, also cause warnings because such comparisons are forbidden
  entirely in 3.0.
 For applications that embed Python:
 * The :c:func:`!PySys_SetArgvEx` function was added in Python 2.6.6,
  letting applications close a security hole when the existing
  :c:func:`!PySys_SetArgv` function was used.  Check whether you're
  calling :c:func:`!PySys_SetArgv` and carefully consider whether the
  application should be using :c:func:`!PySys_SetArgvEx` with
  *updatepath* set to false.
 .. ======================================================================
--- a/Doc/whatsnew/3.1.rst
+++ b/Doc/whatsnew/3.1.rst
@ -80,6 +80,28 @@ Support was also added for third-party tools like `PyYAML <https://pyyaml.org/>`
      PEP written by Armin Ronacher and Raymond Hettinger.  Implementation
      written by Raymond Hettinger.
 Since an ordered dictionary remembers its insertion order, it can be used
 in conjuction with sorting to make a sorted dictionary::
    >>> # regular unsorted dictionary
    >>> d = {'banana': 3, 'apple':4, 'pear': 1, 'orange': 2}
    >>> # dictionary sorted by key
    >>> OrderedDict(sorted(d.items(), key=lambda t: t[0]))
    OrderedDict([('apple', 4), ('banana', 3), ('orange', 2), ('pear', 1)])
    >>> # dictionary sorted by value
    >>> OrderedDict(sorted(d.items(), key=lambda t: t[1]))
    OrderedDict([('pear', 1), ('orange', 2), ('banana', 3), ('apple', 4)])
    >>> # dictionary sorted by length of the key string
    >>> OrderedDict(sorted(d.items(), key=lambda t: len(t[0])))
    OrderedDict([('pear', 1), ('apple', 4), ('orange', 2), ('banana', 3)])
 The new sorted dictionaries maintain their sort order when entries
 are deleted.  But when new keys are added, the keys are appended
 to the end and the sort is not maintained.
 PEP 378: Format Specifier for Thousands Separator
 =================================================
--- a/Doc/whatsnew/3.10.rst
+++ b/Doc/whatsnew/3.10.rst
@ -1517,6 +1517,13 @@ functions internally.  For more details, please see their respective
 documentation.
 (Contributed by Adam Goldschmidt, Senthil Kumaran and Ken Jin in :issue:`42967`.)
 The presence of newline or tab characters in parts of a URL allows for some
 forms of attacks. Following the WHATWG specification that updates :rfc:`3986`,
 ASCII newline ``\n``, ``\r`` and tab ``\t`` characters are stripped from the
 URL by the parser in :mod:`urllib.parse` preventing such attacks. The removal
 characters are controlled by a new module level variable
 ``urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE``. (See :gh:`88048`)
 xml
 ---
@ -2315,3 +2322,43 @@ Removed
 * The ``PyThreadState.use_tracing`` member has been removed to optimize Python.
  (Contributed by Mark Shannon in :issue:`43760`.)
 Notable security feature in 3.10.7
 ==================================
 Converting between :class:`int` and :class:`str` in bases other than 2
 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal)
 now raises a :exc:`ValueError` if the number of digits in string form is
 above a limit to avoid potential denial of service attacks due to the
 algorithmic complexity. This is a mitigation for `CVE-2020-10735
 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735>`_.
 This limit can be configured or disabled by environment variable, command
 line flag, or :mod:`sys` APIs. See the :ref:`integer string conversion
 length limitation <int_max_str_digits>` documentation.  The default limit
 is 4300 digits in string form.
 Notable security feature in 3.10.8
 ==================================
 The deprecated :mod:`!mailcap` module now refuses to inject unsafe text
 (filenames, MIME types, parameters) into shell commands. Instead of using such
 text, it will warn and act as if a match was not found (or for test commands,
 as if the test failed).
 (Contributed by Petr Viktorin in :gh:`98966`.)
 Notable changes in 3.10.12
 ==========================
 tarfile
 -------
 * The extraction methods in :mod:`tarfile`, and :func:`shutil.unpack_archive`,
  have a new a *filter* argument that allows limiting tar features than may be
  surprising or dangerous, such as creating files outside the destination
  directory.
  See :ref:`tarfile-extraction-filter` for details.
  In Python 3.12, use without the *filter* argument will show a
  :exc:`DeprecationWarning`.
  In Python 3.14, the default will switch to ``'data'``.
  (Contributed by Petr Viktorin in :pep:`706`.)
--- a/Doc/whatsnew/3.12.rst
+++ b/Doc/whatsnew/3.12.rst
@ -1956,6 +1956,8 @@ Build Changes
  :file:`!configure`.
  (Contributed by Christian Heimes in :gh:`89886`.)
 * Windows builds and macOS installers from python.org now use OpenSSL 3.0.
 C API Changes
 =============
--- a/Doc/whatsnew/3.6.rst
+++ b/Doc/whatsnew/3.6.rst
@ -1472,6 +1472,10 @@ Server and client-side specific TLS protocols for :class:`~ssl.SSLContext`
 were added.
 (Contributed by Christian Heimes in :issue:`28085`.)
 Added :attr:`ssl.SSLContext.post_handshake_auth` to enable and
 :meth:`ssl.SSLSocket.verify_client_post_handshake` to initiate TLS 1.3
 post-handshake authentication.
 (Contributed by Christian Heimes in :gh:`78851`.)
 statistics
 ----------
@ -2063,6 +2067,15 @@ connected to and thus what Python interpreter will be used by the virtual
 environment.  (Contributed by Brett Cannon in :issue:`25154`.)
 xml
 ---
 * As mitigation against DTD and external entity retrieval, the
  :mod:`xml.dom.minidom` and :mod:`xml.sax` modules no longer process
  external entities by default.
  (Contributed by Christian Heimes in :gh:`61441`.)
 Deprecated functions and types of the C API
 -------------------------------------------
@ -2430,9 +2443,13 @@ The :func:`locale.localeconv` function now sets temporarily the ``LC_CTYPE``
 locale to the ``LC_NUMERIC`` locale in some cases.
 (Contributed by Victor Stinner in :issue:`31900`.)
 Notable changes in Python 3.6.7
 ===============================
 :mod:`xml.dom.minidom` and :mod:`xml.sax` modules no longer process
 external entities by default. See also :gh:`61441`.
 In 3.6.7 the :mod:`tokenize` module now implicitly emits a ``NEWLINE`` token
 when provided with input that does not have a trailing new line.  This behavior
 now matches what the C tokenizer does internally.
@ -2460,3 +2477,19 @@ separator key, with ``&`` as the default.  This change also affects
 functions internally. For more details, please see their respective
 documentation.
 (Contributed by Adam Goldschmidt, Senthil Kumaran and Ken Jin in :issue:`42967`.)
 Notable changes in Python 3.6.14
 ================================
 A security fix alters the :class:`ftplib.FTP` behavior to not trust the
 IPv4 address sent from the remote server when setting up a passive data
 channel.  We reuse the ftp server IP address instead.  For unusual code
 requiring the old behavior, set a ``trust_server_pasv_ipv4_address``
 attribute on your FTP instance to ``True``.  (See :gh:`87451`)
 The presence of newline or tab characters in parts of a URL allows for some
 forms of attacks. Following the WHATWG specification that updates RFC 3986,
 ASCII newline ``\n``, ``\r`` and tab ``\t`` characters are stripped from the
 URL by the parser :func:`urllib.parse` preventing such attacks. The removal
 characters are controlled by a new module level variable
 ``urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE``. (See :gh:`88048`)
--- a/Doc/whatsnew/3.7.rst
+++ b/Doc/whatsnew/3.7.rst
@ -1380,6 +1380,10 @@ Supported protocols are indicated by several new flags, such as
 :data:`~ssl.HAS_TLSv1_1`.
 (Contributed by Christian Heimes in :issue:`32609`.)
 Added :attr:`ssl.SSLContext.post_handshake_auth` to enable and
 :meth:`ssl.SSLSocket.verify_client_post_handshake` to initiate TLS 1.3
 post-handshake authentication.
 (Contributed by Christian Heimes in :gh:`78851`.)
 string
 ------
@ -1599,6 +1603,15 @@ at the interactive prompt.  See :ref:`whatsnew37-pep565` for details.
 (Contributed by Nick Coghlan in :issue:`31975`.)
 xml
 ---
 As mitigation against DTD and external entity retrieval, the
 :mod:`xml.dom.minidom` and :mod:`xml.sax` modules no longer process
 external entities by default.
 (Contributed by Christian Heimes in :gh:`61441`.)
 xml.etree
 ---------
@ -2571,3 +2584,34 @@ separator key, with ``&`` as the default.  This change also affects
 functions internally. For more details, please see their respective
 documentation.
 (Contributed by Adam Goldschmidt, Senthil Kumaran and Ken Jin in :issue:`42967`.)
 Notable changes in Python 3.7.11
 ================================
 A security fix alters the :class:`ftplib.FTP` behavior to not trust the
 IPv4 address sent from the remote server when setting up a passive data
 channel.  We reuse the ftp server IP address instead.  For unusual code
 requiring the old behavior, set a ``trust_server_pasv_ipv4_address``
 attribute on your FTP instance to ``True``.  (See :gh:`87451`)
 The presence of newline or tab characters in parts of a URL allows for some
 forms of attacks. Following the WHATWG specification that updates RFC 3986,
 ASCII newline ``\n``, ``\r`` and tab ``\t`` characters are stripped from the
 URL by the parser :func:`urllib.parse` preventing such attacks. The removal
 characters are controlled by a new module level variable
 ``urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE``. (See :gh:`88048`)
 Notable security feature in 3.7.14
 ==================================
 Converting between :class:`int` and :class:`str` in bases other than 2
 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal)
 now raises a :exc:`ValueError` if the number of digits in string form is
 above a limit to avoid potential denial of service attacks due to the
 algorithmic complexity. This is a mitigation for `CVE-2020-10735
 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735>`_.
 This limit can be configured or disabled by environment variable, command
 line flag, or :mod:`sys` APIs. See the :ref:`integer string conversion
 length limitation <int_max_str_digits>` documentation.  The default limit
 is 4300 digits in string form.
--- a/Doc/whatsnew/3.8.rst
+++ b/Doc/whatsnew/3.8.rst
@ -2243,6 +2243,21 @@ details, see the documentation for ``loop.create_datagram_endpoint()``.
 (Contributed by Kyle Stanley, Antoine Pitrou, and Yury Selivanov in
 :issue:`37228`.)
 Notable changes in Python 3.8.2
 ===============================
 Fixed a regression with the ``ignore`` callback of :func:`shutil.copytree`.
 The argument types are now str and List[str] again.
 (Contributed by Manuel Barkhau and Giampaolo Rodola in :gh:`83571`.)
 Notable changes in Python 3.8.3
 ===============================
 The constant values of future flags in the :mod:`__future__` module
 are updated in order to prevent collision with compiler flags. Previously
 ``PyCF_ALLOW_TOP_LEVEL_AWAIT`` was clashing with ``CO_FUTURE_DIVISION``.
 (Contributed by Batuhan Taskaya in :gh:`83743`)
 Notable changes in Python 3.8.8
 ===============================
@ -2256,9 +2271,55 @@ functions internally. For more details, please see their respective
 documentation.
 (Contributed by Adam Goldschmidt, Senthil Kumaran and Ken Jin in :issue:`42967`.)
 Notable changes in Python 3.8.9
 ===============================
 A security fix alters the :class:`ftplib.FTP` behavior to not trust the
 IPv4 address sent from the remote server when setting up a passive data
 channel.  We reuse the ftp server IP address instead.  For unusual code
 requiring the old behavior, set a ``trust_server_pasv_ipv4_address``
 attribute on your FTP instance to ``True``.  (See :gh:`87451`)
 Notable changes in Python 3.8.10
 ================================
 macOS 11.0 (Big Sur) and Apple Silicon Mac support
 --------------------------------------------------
 As of 3.8.10, Python now supports building and running on macOS 11
 (Big Sur) and on Apple Silicon Macs (based on the ``ARM64`` architecture).
 A new universal build variant, ``universal2``, is now available to natively
 support both ``ARM64`` and ``Intel 64`` in one set of executables.
 Note that support for "weaklinking", building binaries targeted for newer
 versions of macOS that will also run correctly on older versions by
 testing at runtime for missing features, is not included in this backport
 from Python 3.9; to support a range of macOS versions, continue to target
 for and build on the oldest version in the range.
 (Originally contributed by Ronald Oussoren and Lawrence D'Anna in :gh:`85272`,
 with fixes by FX Coudert and Eli Rykoff, and backported to 3.8 by Maxime Bélanger
 and Ned Deily)
 Notable changes in Python 3.8.10
 ================================
 urllib.parse
 ------------
 The presence of newline or tab characters in parts of a URL allows for some
 forms of attacks. Following the WHATWG specification that updates :rfc:`3986`,
 ASCII newline ``\n``, ``\r`` and tab ``\t`` characters are stripped from the
 URL by the parser in :mod:`urllib.parse` preventing such attacks. The removal
 characters are controlled by a new module level variable
 ``urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE``. (See :issue:`43882`)
 Notable changes in Python 3.8.12
 ================================
 Changes in the Python API
 -------------------------
 Starting with Python 3.8.12 the :mod:`ipaddress` module no longer accepts
 any leading zeros in IPv4 address strings. Leading zeros are ambiguous and
 interpreted as octal notation by some libraries. For example the legacy
@ -2268,3 +2329,33 @@ any leading zeros.
 (Originally contributed by Christian Heimes in :issue:`36384`, and backported
 to 3.8 by Achraf Merzouki.)
 Notable security feature in 3.8.14
 ==================================
 Converting between :class:`int` and :class:`str` in bases other than 2
 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal)
 now raises a :exc:`ValueError` if the number of digits in string form is
 above a limit to avoid potential denial of service attacks due to the
 algorithmic complexity. This is a mitigation for `CVE-2020-10735
 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735>`_.
 This limit can be configured or disabled by environment variable, command
 line flag, or :mod:`sys` APIs. See the :ref:`integer string conversion
 length limitation <int_max_str_digits>` documentation.  The default limit
 is 4300 digits in string form.
 Notable changes in 3.8.17
 =========================
 tarfile
 -------
 * The extraction methods in :mod:`tarfile`, and :func:`shutil.unpack_archive`,
  have a new a *filter* argument that allows limiting tar features than may be
  surprising or dangerous, such as creating files outside the destination
  directory.
  See :ref:`tarfile-extraction-filter` for details.
  In Python 3.12, use without the *filter* argument will show a
  :exc:`DeprecationWarning`.
  In Python 3.14, the default will switch to ``'data'``.
  (Contributed by Petr Viktorin in :pep:`706`.)
--- a/Doc/whatsnew/3.9.rst
+++ b/Doc/whatsnew/3.9.rst
@ -1562,3 +1562,55 @@ separator key, with ``&`` as the default.  This change also affects
 functions internally. For more details, please see their respective
 documentation.
 (Contributed by Adam Goldschmidt, Senthil Kumaran and Ken Jin in :issue:`42967`.)
 Notable changes in Python 3.9.3
 ===============================
 A security fix alters the :class:`ftplib.FTP` behavior to not trust the
 IPv4 address sent from the remote server when setting up a passive data
 channel.  We reuse the ftp server IP address instead.  For unusual code
 requiring the old behavior, set a ``trust_server_pasv_ipv4_address``
 attribute on your FTP instance to ``True``.  (See :gh:`87451`)
 Notable changes in Python 3.9.5
 ===============================
 urllib.parse
 ------------
 The presence of newline or tab characters in parts of a URL allows for some
 forms of attacks. Following the WHATWG specification that updates :rfc:`3986`,
 ASCII newline ``\n``, ``\r`` and tab ``\t`` characters are stripped from the
 URL by the parser in :mod:`urllib.parse` preventing such attacks. The removal
 characters are controlled by a new module level variable
 ``urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE``. (See :gh:`88048`)
 Notable security feature in 3.9.14
 ==================================
 Converting between :class:`int` and :class:`str` in bases other than 2
 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal)
 now raises a :exc:`ValueError` if the number of digits in string form is
 above a limit to avoid potential denial of service attacks due to the
 algorithmic complexity. This is a mitigation for `CVE-2020-10735
 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735>`_.
 This limit can be configured or disabled by environment variable, command
 line flag, or :mod:`sys` APIs. See the :ref:`integer string conversion
 length limitation <int_max_str_digits>` documentation.  The default limit
 is 4300 digits in string form.
 Notable changes in 3.9.17
 =========================
 tarfile
 -------
 * The extraction methods in :mod:`tarfile`, and :func:`shutil.unpack_archive`,
  have a new a *filter* argument that allows limiting tar features than may be
  surprising or dangerous, such as creating files outside the destination
  directory.
  See :ref:`tarfile-extraction-filter` for details.
  In Python 3.12, use without the *filter* argument will show a
  :exc:`DeprecationWarning`.
  In Python 3.14, the default will switch to ``'data'``.
  (Contributed by Petr Viktorin in :pep:`706`.)