lib-python/3/test/test_os.py | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 tests: skip fsync tests when building with eatmydata

lib-python/3/test/_test_multiprocessing.py | 4 3 + 1 - 0 !
1 file changed, 3 insertions(+), 1 deletion(-)

 tests: disable test_multiprocessing

It leaves stray processes.

pypy/module/thread/test/test_lock.py | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 tests: skip test that deadlocks on gnu hurd

Per Samuel Thibault:

> That's probably because pypy uses pthread_mutexes (which per POSIX aren't
> interrupted by signals) instead of semaphores, and I guess that's
> because sem_open isn't supported on Hurd yet.

pypy/pytest-A.cfg | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 tests: use the python2 binary

Debian doesn't ship a /usr/bin/python any more

lib-python/3/test/test_readline.py | 11 9 + 2 - 0 !
1 file changed, 9 insertions(+), 2 deletions(-)

 tests: skip readline tests raising invalidterminal

We run the tests under TERM=dumb.
PyPy doesn't emulate the readline module perfectly and throws an
exception here.

pypy/module/fcntl/test/test_fcntl.py | 9 7 + 2 - 0 !
1 file changed, 7 insertions(+), 2 deletions(-)

 tests: ignore lease failure in fcntl tests

Fail on tmpfs on Linux 4.19. Fixed in 5.7 possibly earlier (5.3?).

lib-python/3/ctypes/util.py | 15 13 + 2 - 0 !
1 file changed, 13 insertions(+), 2 deletions(-)

 arch: armhf support
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Workaround the presence of hard-float in ldconfig -p output.
Also, handle the wide variety of ARM unames.

lib-python/3/plat-gnukfreebsd10/DLFCN.py | 118 118 + 0 - 0 !
lib-python/3/plat-gnukfreebsd10/IN.py | 809 809 + 0 - 0 !
lib-python/3/plat-gnukfreebsd10/TYPES.py | 303 303 + 0 - 0 !
lib-python/3/plat-gnukfreebsd11/DLFCN.py | 118 118 + 0 - 0 !
lib-python/3/plat-gnukfreebsd11/IN.py | 809 809 + 0 - 0 !
lib-python/3/plat-gnukfreebsd11/TYPES.py | 303 303 + 0 - 0 !
lib-python/3/plat-gnukfreebsd8/DLFCN.py | 118 118 + 0 - 0 !
lib-python/3/plat-gnukfreebsd8/IN.py | 809 809 + 0 - 0 !
lib-python/3/plat-gnukfreebsd8/TYPES.py | 303 303 + 0 - 0 !
lib-python/3/plat-gnukfreebsd9/DLFCN.py | 118 118 + 0 - 0 !
lib-python/3/plat-gnukfreebsd9/IN.py | 809 809 + 0 - 0 !
lib-python/3/plat-gnukfreebsd9/TYPES.py | 303 303 + 0 - 0 !
12 files changed, 4920 insertions(+)

 arch: dlfcn.py for kfreebsd

lib-python/3/distutils/unixccompiler.py | 7 6 + 1 - 0 !
1 file changed, 6 insertions(+), 1 deletion(-)

 stdlib: don't add standard library dirs to library_dirs and
 runtime_library_dirs.

lib-python/3/locale.py | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 stdlib: don't map 'utf8', 'utf-8' to 'utf'

'utf' is not a known encoding for glibc.

lib-python/3/rlcompleter.py | 13 8 + 5 - 0 !
1 file changed, 8 insertions(+), 5 deletions(-)

 stdlib: handle invalidterminal in rlcompleter

Pypy's readline module can throw InvalidTerminal if the terminal doesn't
support "clear". This is the case for TERM=dumb, which we use for tests.

pypy/module/sys/version.py | 1 1 + 0 - 0 !
rpython/tool/version.py | 10 10 + 0 - 0 !
2 files changed, 11 insertions(+)

 debian: get version details from the debian source package

Rather than VCS.

Return the Debian package version in sys.version.
Return null strings in sys._mercurial.

lib-python/3/ensurepip/__init__.py | 76 55 + 21 - 0 !
1 file changed, 55 insertions(+), 21 deletions(-)

 debian: let ensurepip use the system wheels

Not the ones from the python source.

lib-python/3/ensurepip/__init__.py | 34 34 + 0 - 0 !
lib-python/3/venv/__init__.py | 23 22 + 1 - 0 !
2 files changed, 56 insertions(+), 1 deletion(-)

 debian: disable ensurepip in debian for now

lib-python/3/_distutils_system_mod.py | 180 180 + 0 - 0 !
lib-python/3/distutils/command/install.py | 43 41 + 2 - 0 !
lib-python/3/distutils/command/install_egg_info.py | 30 25 + 5 - 0 !
lib-python/3/distutils/sysconfig_cpython.py | 4 4 + 0 - 0 !
lib-python/3/distutils/sysconfig_pypy.py | 11 10 + 1 - 0 !
lib-python/3/pydoc.py | 1 1 + 0 - 0 !
lib-python/3/site.py | 25 18 + 7 - 0 !
lib-python/3/sysconfig.py | 40 36 + 4 - 0 !
lib-python/3/test/test_sysconfig.py | 4 2 + 2 - 0 !
9 files changed, 317 insertions(+), 21 deletions(-)

 debian: add a distutils option --install-layout=deb

This option:
 - installs into $prefix/dist-packages instead of $prefix/site-packages.
 - doesn't encode the python version into the egg name.

Based on cpython Debian packaging

lib-python/3/gettext.py | 15 15 + 0 - 0 !
1 file changed, 15 insertions(+)

 debian: support ubuntu langpacks

Support alternative gettext tree in /usr/share/locale-langpack; if a
file is present in both trees, prefer the newer one

lib-python/3/distutils/command/bdist_wininst.py | 7 6 + 1 - 0 !
1 file changed, 6 insertions(+), 1 deletion(-)

 debian: explain that wininst files are not included in debian

The wininst-* files cannot be built within Debian, needing a zlib mingw
build, which the zlib maintainer isn't going to provide.

lib-python/3/tkinter/__init__.py | 5 4 + 1 - 0 !
1 file changed, 4 insertions(+), 1 deletion(-)

 debian: suggest installation of pypy3-tk package

On failing _tkinter import.

rpython/tool/ansi_print.py | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 debian: always output the mandelbrot

So that our buildds see progress

pypy/doc/conf.py | 11 3 + 8 - 0 !
pypy/doc/config/index.rst | 11 5 + 6 - 0 !
pypy/doc/cpython_differences.rst | 2 1 + 1 - 0 !
pypy/doc/objspace.rst | 12 10 + 2 - 0 !
4 files changed, 19 insertions(+), 17 deletions(-)

 debian: disable some extensions to support python 3 sphinx

Stop building any autodoc and configuration sections, that require
parsing the Python 2 source code.

This supports building the Sphinx docs with Python 3.

lib-python/3/distutils/util.py | 9 9 + 0 - 0 !
1 file changed, 9 insertions(+)

 debian: fix editable installs with setuptools < 60.0.1

Work-around a setuptools bug, where it failed to configure all necessary
substitution variables in easy_install.

Bug-setuptools: https://github.com/pypa/setuptools/issues/2938

rpython/jit/metainterp/optimizeopt/intutils.py | 8 7 + 1 - 0 !
rpython/jit/metainterp/optimizeopt/test/test_intbound.py | 5 2 + 3 - 0 !
rpython/jit/metainterp/test/test_ajit.py | 33 33 + 0 - 0 !
3 files changed, 42 insertions(+), 4 deletions(-)

 upstream: #3892: fix wrong assert in intutils,
 it should be an InvalidLoop instead

I introduced the assert in 5909f5e0a75c. before that, inconsistent intersects
would just do nothing, which I am not sure is a better solution than raising
InvalidLoop

Bug-Debian: https://bugs.debian.org/1062460

lib-python/3/test/test_urlparse.py | 61 60 + 1 - 0 !
lib-python/3/urllib/parse.py | 12 12 + 0 - 0 !
2 files changed, 72 insertions(+), 1 deletion(-)

 gh-102153: start stripping c0 control and space chars in `urlsplit`
 (GH-102508) (GH-104575) (GH-104592) (#104593)

gh-102153: Start stripping C0 control and space chars in `urlsplit` (GH-102508)

`urllib.parse.urlsplit` has already been respecting the WHATWG spec a bit GH-25595.

This adds more sanitizing to respect the "Remove any leading C0 control or space from input" [rule](https://url.spec.whatwg.org/GH-url-parsing:~:text=Remove%20any%20leading%20and%20trailing%20C0%20control%20or%20space%20from%20input.) in response to [CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329).

I simplified the docs by eliding the state of the world explanatory
paragraph in this security release only backport.  (people will see
that in the mainline /3/ docs)

(cherry picked from commit 2f630e1ce18ad2e07428296532a68b11dc66ad10)
(cherry picked from commit 610cc0ab1b760b2abaac92bd256b96191c46b941)
(cherry picked from commit f48a96a28012d28ae37a2f4587a780a5eb779946)

Co-authored-by: Illia Volochii <illia.volochii@gmail.com>
Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org>

lib-python/3/ssl.py | 31 30 + 1 - 0 !
lib-python/3/test/test_ssl.py | 215 215 + 0 - 0 !
2 files changed, 245 insertions(+), 1 deletion(-)

 gh-108310: fix cve-2023-40217: check for & avoid the ssl pre-close
 flaw (#108320)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

gh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-close flaw

Instances of `ssl.SSLSocket` were vulnerable to a bypass of the TLS handshake
and included protections (like certificate verification) and treating sent
unencrypted data as if it were post-handshake TLS encrypted data.

The vulnerability is caused when a socket is connected, data is sent by the
malicious peer and stored in a buffer, and then the malicious peer closes the
socket within a small timing window before the other peers TLS handshake can
begin. After this sequence of events the closed socket will not immediately
attempt a TLS handshake due to not being connected but will also allow the
buffered data to be read as if a successful TLS handshake had occurred.

Co-authored-by: Gregory P. Smith [Google LLC] <greg@krypto.org>

lib-python/3/ssl.py | 6 5 + 1 - 0 !
1 file changed, 5 insertions(+), 1 deletion(-)

 gh-108342: break ref cycle in sslsocket._create() exc (gh-108344)
 (#108351)

Explicitly break a reference cycle when SSLSocket._create() raises an
exception. Clear the variable storing the exception, since the
exception traceback contains the variables and so creates a reference
cycle.

This test leak was introduced by the test added for the fix of GH-108310.
(cherry picked from commit 64f99350351bc46e016b2286f36ba7cd669b79e3)

Co-authored-by: Victor Stinner <vstinner@python.org>

lib-python/3/test/test_ssl.py | 102 71 + 31 - 0 !
1 file changed, 71 insertions(+), 31 deletions(-)

 gh-108342: make ssl testprehandshakeclose more reliable (gh-108370)
 (#108407)

* In preauth tests of test_ssl, explicitly break reference cycles
  invoving SingleConnectionTestServerThread to make sure that the
  thread is deleted. Otherwise, the test marks the environment as
  altered because the threading module sees a "dangling thread"
  (SingleConnectionTestServerThread). This test leak was introduced
  by the test added for the fix of issue gh-108310.
* Use support.SHORT_TIMEOUT instead of hardcoded 1.0 or 2.0 seconds
  timeout.
* SingleConnectionTestServerThread.run() catchs TimeoutError
* Fix a race condition (missing synchronization) in
  test_preauth_data_to_tls_client(): the server now waits until the
  client connect() completed in call_after_accept().
* test_https_client_non_tls_response_ignored() calls server.join()
  explicitly.
* Replace "localhost" with server.listener.getsockname()[0].
(cherry picked from commit 592bacb6fc0833336c0453e818e9b95016e9fd47)

Co-authored-by: Victor Stinner <vstinner@python.org>

lib-python/3/tempfile.py | 27 18 + 9 - 0 !
lib-python/3/test/test_tempfile.py | 117 116 + 1 - 0 !
2 files changed, 134 insertions(+), 10 deletions(-)

 gh-91133: tempfile.temporarydirectory: fix symlink bug in cleanup
 (GH-99930) (GH-112842)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

(cherry picked from commit 81c16cd94ec38d61aa478b9a452436dc3b1b524d)

Co-authored-by: Sren Lvborg <sorenl@unity3d.com>

lib-python/3/test/test_zipfile.py | 60 60 + 0 - 0 !
lib-python/3/zipfile.py | 12 12 + 0 - 0 !
2 files changed, 72 insertions(+)

 gh-109858: protect zipfile from "quoted-overlap" zipbomb (gh-110016)
 (GH-113915)

Raise BadZipFile when try to read an entry that overlaps with other entry or
central directory.
(cherry picked from commit 66363b9a7b9fe7c99eba3a185b74c5fdbf842eba)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>

lib-python/3/email/utils.py | 151 142 + 9 - 0 !
lib-python/3/test/test_email/test_email.py | 204 196 + 8 - 0 !
2 files changed, 338 insertions(+), 17 deletions(-)

 gh-102988: reject malformed addresses in email.parseaddr()
 (GH-111116) (#123768)

Detect email address parsing errors and return empty tuple to
indicate the parsing error (old API). Add an optional 'strict'
parameter to getaddresses() and parseaddr() functions. Patch by
Thomas Dwyer.

(cherry picked from commit 4a153a1d3b18803a684cd1bcc2cdf3ede3dbae19)

Co-authored-by: Victor Stinner <vstinner@python.org>
Co-Authored-By: Thomas Dwyer <github@tomd.tel>

lib-python/3/test/test_venv.py | 81 81 + 0 - 0 !
lib-python/3/venv/__init__.py | 42 37 + 5 - 0 !
lib-python/3/venv/scripts/common/activate | 6 3 + 3 - 0 !
lib-python/3/venv/scripts/nt/activate.bat | 4 2 + 2 - 0 !
lib-python/3/venv/scripts/posix/activate.csh | 6 3 + 3 - 0 !
lib-python/3/venv/scripts/posix/activate.fish | 6 3 + 3 - 0 !
6 files changed, 129 insertions(+), 16 deletions(-)

 gh-124651: quote template strings in `venv` activation scripts
 (GH-124712) (GH-126185) (GH-126269) (GH-126300)

(cherry picked from commit ae961ae94bf19c8f8c7fbea3d1c25cc55ce8ae97)

lib-python/3/ipaddress.py | 95 78 + 17 - 0 !
lib-python/3/test/test_ipaddress.py | 52 52 + 0 - 0 !
2 files changed, 130 insertions(+), 17 deletions(-)

 gh-113171: gh-65056: fix "private" (non-global) ip address ranges
 (GH-113179) (GH-113186) (GH-118177) (GH-118472)

The _private_networks variables, used by various is_private
implementations, were missing some ranges and at the same time had
overly strict ranges (where there are more specific ranges considered
globally reachable by the IANA registries).

This patch updates the ranges with what was missing or otherwise
incorrect.

100.64.0.0/10 is left alone, for now, as it's been made special in [1].

The _address_exclude_many() call returns 8 networks for IPv4, 121
networks for IPv6.

[1] https://github.com/python/cpython/issues/61602

In 3.10 and below, is_private checks whether the network and broadcast
address are both private.
In later versions (where the test wss backported from), it checks
whether they both are in the same private network.

For 0.0.0.0/0, both 0.0.0.0 and 255.225.255.255 are private,
but one is in 0.0.0.0/8 ("This network") and the other in
255.255.255.255/32 ("Limited broadcast").

lib-python/3/tarfile.py | 105 67 + 38 - 0 !
lib-python/3/test/test_tarfile.py | 42 42 + 0 - 0 !
2 files changed, 109 insertions(+), 38 deletions(-)

 gh-121285: remove backtracking when parsing tarfile headers
 (GH-121286) (#123641)

* Remove backtracking when parsing tarfile headers
* Rewrite PAX header parsing to be stricter
* Optimize parsing of GNU extended sparse headers v0.0

(cherry picked from commit 34ddb64d088dd7ccc321f6103d23153256caa5d4)

Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Kirill Podoprigora <kirill.bast9@mail.ru>
Co-authored-by: Gregory P. Smith <greg@krypto.org>

lib-python/3/test/test_zipfile.py | 77 77 + 0 - 0 !
lib-python/3/zipfile.py | 9 7 + 2 - 0 !
2 files changed, 84 insertions(+), 2 deletions(-)

 gh-123270: replaced sanitizednames with a more surgical fix.
 (GH-123354) (#123432)

Applies changes from zipp 3.20.1 and jaraco/zippGH-124
(cherry picked from commit 2231286d78d328c2f575e0b05b16fe447d1656d6)
(cherry picked from commit 17b77bb41409259bad1cd6c74761c18b6ab1e860)

Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>

lib-python/3/email/_header_value_parser.py | 12 9 + 3 - 0 !
lib-python/3/email/_policybase.py | 8 8 + 0 - 0 !
lib-python/3/email/errors.py | 4 4 + 0 - 0 !
lib-python/3/email/generator.py | 13 12 + 1 - 0 !
lib-python/3/test/test_email/test_generator.py | 62 62 + 0 - 0 !
lib-python/3/test/test_email/test_policy.py | 26 26 + 0 - 0 !
6 files changed, 121 insertions(+), 4 deletions(-)

 gh-121650: encode newlines in headers,
 and verify headers are sound (GH-122233) (#122610)

Per RFC 2047:

> [...] these encoding schemes allow the
> encoding of arbitrary octet values, mail readers that implement this
> decoding should also ensure that display of the decoded data on the
> recipient's terminal will not cause unwanted side-effects

It seems that the "quoted-word" scheme is a valid way to include
a newline character in a header value, just like we already allow
undecodable bytes or control characters.
They do need to be properly quoted when serialized to text, though.

This should fail for custom fold() implementations that aren't careful
about newlines.

(cherry picked from commit 097633981879b3c9de9a1dd120d3aa585ecc2384)

Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Bas Bloemsaat <bas@bloemsaat.org>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>

lib-python/3/http/cookies.py | 34 8 + 26 - 0 !
lib-python/3/test/test_http_cookies.py | 38 38 + 0 - 0 !
2 files changed, 46 insertions(+), 26 deletions(-)

 gh-123067: fix quadratic complexity in parsing "-quoted cookie
 values with backslashes (GH-123075) (#123107)

This fixes CVE-2024-7592.
(cherry picked from commit 44e458357fca05ca0ae2658d62c8c595b048b5ef)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>

lib-python/3/test/test_urlparse.py | 26 26 + 0 - 0 !
lib-python/3/urllib/parse.py | 16 15 + 1 - 0 !
2 files changed, 41 insertions(+), 1 deletion(-)

 gh-103848: adds checks to ensure that bracketed hosts found by
 urlsplit are of IPv6 or IPvFuture format (#103849) (#126976)

Co-authored-by: Gregory P. Smith <greg@krypto.org>
(cherry picked from commit 29f348e232e82938ba2165843c448c2b291504c5)

Co-authored-by: JohnJamesUtley <81572567+JohnJamesUtley@users.noreply.github.com>