<div class="container">
<h1>Security update for python313</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2025:02074-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2025-06-24T07:26:36Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>important</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1228165">bsc#1228165</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1232241">bsc#1232241</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1234290">bsc#1234290</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1236705">bsc#1236705</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1238450">bsc#1238450</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1239210">bsc#1239210</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1243273">bsc#1243273</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1244032">bsc#1244032</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1244056">bsc#1244056</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1244059">bsc#1244059</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1244060">bsc#1244060</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2024-12254.html">CVE-2024-12254</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2024-12718.html">CVE-2024-12718</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2024-9287.html">CVE-2024-9287</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2025-0938.html">CVE-2025-0938</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2025-1795.html">CVE-2025-1795</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2025-4138.html">CVE-2025-4138</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2025-4330.html">CVE-2025-4330</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2025-4516.html">CVE-2025-4516</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2025-4517.html">CVE-2025-4517</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-12254</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">8.7</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-12254</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-12254</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">8.7</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-12254</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-12718</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">5.3</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-12718</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">10.0</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-12718</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">5.3</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-9287</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">5.3</span>
<span class="cvss-vector">CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Green</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-9287</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">6.5</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-9287</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">5.3</span>
<span class="cvss-vector">CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Green</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-9287</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">7.8</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-0938</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">6.3</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-0938</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">4.0</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-0938</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">6.3</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-1795</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">2.3</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-1795</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">3.1</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-1795</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">2.3</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-4138</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">8.2</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-4138</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-4330</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">8.2</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-4330</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-4516</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">5.9</span>
<span class="cvss-vector">CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-4516</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">5.1</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-4516</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">5.9</span>
<span class="cvss-vector">CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-4517</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-4517</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">8.4</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-4517</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">9.4</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">Python 3 Module 15-SP7</li>
<li class="list-group-item">SUSE Linux Enterprise Desktop 15 SP7</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP7</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP7</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves nine vulnerabilities and has two security fixes can now be installed.</p>
<h2>Description:</h2>
<p>This update for python313 fixes the following issues:</p>
<p>Update to version 3.13.5.</p>
<p>Security issues fixed:</p>
<ul>
<li>CVE-2025-4517: arbitrary filesystem writes outside the extraction directory during extraction with filter="data" (bsc#1244032)</li>
<li>CVE-2025-4516: use-after-free in the unicode-escape decoder when using the error handler (bsc#1243273).</li>
<li>CVE-2025-4330: extraction filter bypass for linking outside extraction directory (bsc#1244060)</li>
<li>CVE-2025-4138: may allow symlink targets to point outside the destination directory, and the modification of some file metadata.
(bsc#1244059)</li>
<li>CVE-2025-0938: domain names containing square brackets are not identified as incorrect by urlparse (bsc#1236705).</li>
<li>CVE-2024-12718: bypass extraction filter to modify file metadata outside extraction directory (bsc#1244056)</li>
<li>CVE-2024-12254: memory exhaustion due to unbounded memory buffering in <code>SelectorSocketTransport.writelines()</code>
(bsc#1234290).</li>
</ul>
<p>Other changes and issues fixed:</p>
<p>Changes from 3.13.5:</p>
<ul>
<li>
<p>Tests</p>
<ul>
<li>gh-135120: Add test.support.subTests().</li>
</ul>
</li>
<li>
<p>Library</p>
<ul>
<li>gh-133967: Do not normalize locale name ‘C.UTF-8’ to
‘en_US.UTF-8’.</li>
<li>gh-135326: Restore support of integer-like objects with
<strong>index</strong>() in random.getrandbits().</li>
<li>gh-135321: Raise a correct exception for values greater
than 0x7fffffff for the BINSTRING opcode in the C
implementation of pickle.</li>
<li>gh-135276: Backported bugfixes in zipfile.Path from
zipp 3.23. Fixed .name, .stem and other basename-based
properties on Windows when working with a zipfile on disk.</li>
<li>gh-134151: email: Fix TypeError in
email.utils.decode_params() when sorting RFC 2231
continuations that contain an unnumbered section.</li>
<li>gh-134152: email: Fix parsing of email message ID with
invalid domain.</li>
<li>gh-127081: Fix libc thread safety issues with os by
replacing getlogin with getlogin_r re-entrant version.</li>
<li>gh-131884: Fix formatting issues in json.dump() when both
indent and skipkeys are used.</li>
<li>Core and Builtins</li>
<li>gh-135171: Roll back changes to generator and list
comprehensions that went into 3.13.4 to fix gh-127682,
but which involved semantic and bytecode changes not
appropriate for a bugfix release.</li>
<li>C API</li>
<li>gh-134989: Fix Py_RETURN_NONE, Py_RETURN_TRUE and
Py_RETURN_FALSE macros in the limited C API 3.11 and
older: don’t treat Py_None, Py_True and Py_False as
immortal. Patch by Victor Stinner.</li>
<li>gh-134989: Implement PyObject_DelAttr() and
PyObject_DelAttrString() as macros in the limited C API
3.12 and older. Patch by Victor Stinner.</li>
</ul>
</li>
</ul>
<p>Changes from 3.13.4:</p>
<ul>
<li>
<p>Security</p>
<ul>
<li>gh-135034: Fixes multiple issues that allowed tarfile
extraction filters (filter="data" and filter="tar") to be
bypassed using crafted symlinks and hard links.
Addresses CVE-2024-12718 (bsc#1244056), CVE-2025-4138
(bsc#1244059), CVE-2025-4330 (bsc#1244060), and
CVE-2025-4517 (bsc#1244032).</li>
<li>gh-133767: Fix use-after-free in the “unicode-escape”
decoder with a non-“strict” error handler (CVE-2025-4516,
bsc#1243273).</li>
<li>gh-128840: Short-circuit the processing of long IPv6
addresses early in ipaddress to prevent excessive memory
consumption and a minor denial-of-service.</li>
<li>Library</li>
<li>gh-134718: ast.dump() now only omits None and [] values if
they are default values.</li>
<li>gh-128840: Fix parsing long IPv6 addresses with embedded
IPv4 address.</li>
<li>gh-134696: Built-in HACL* and OpenSSL implementations of
hash function constructors now correctly accept the same
documented named arguments. For instance, md5() could be
previously invoked as md5(data=data) or md5(string=string)
depending on the underlying implementation but these calls
were not compatible. Patch by Bénédikt Tran.</li>
<li>gh-134210: curses.window.getch() now correctly handles
signals. Patch by Bénédikt Tran.</li>
<li>gh-80334: multiprocessing.freeze_support() now checks for
work on any “spawn” start method platform rather than only
on Windows.</li>
<li>gh-114177: Fix asyncio to not close subprocess pipes which
would otherwise error out when the event loop is already
closed.</li>
<li>gh-134152: Fixed UnboundLocalError that could occur during
email header parsing if an expected trailing delimiter is
missing in some contexts.</li>
<li>gh-62184: Remove import of C implementation of io.FileIO
from Python implementation which has its own implementation</li>
<li>gh-133982: Emit RuntimeWarning in the Python implementation
of io when the file-like object is not closed explicitly in
the presence of multiple I/O layers.</li>
<li>gh-133890: The tarfile module now handles
UnicodeEncodeError in the same way as OSError when cannot
extract a member.</li>
<li>gh-134097: Fix interaction of the new REPL and -X
showrefcount command line option.</li>
<li>gh-133889: The generated directory listing page in
http.server.SimpleHTTPRequestHandler now only shows the
decoded path component of the requested URL, and not the
query and fragment.</li>
<li>gh-134098: Fix handling paths that end with
a percent-encoded slash (%2f or %2F) in
http.server.SimpleHTTPRequestHandler.</li>
<li>gh-134062: ipaddress: fix collisions in <strong>hash</strong>() for
IPv4Network and IPv6Network objects.</li>
<li>gh-133745: In 3.13.3 we accidentally changed the signature
of the asyncio create_task() family of methods and how it
calls a custom task factory in a backwards incompatible
way. Since some 3rd party libraries have already made
changes to work around the issue that might break if
we simply reverted the changes, we’re instead changing
things to be backwards compatible with 3.13.2 while still
supporting those workarounds for 3.13.3. In particular, the
special-casing of name and context is back (until 3.14) and
consequently eager tasks may still find that their name
hasn’t been set before they execute their first yielding
await.</li>
<li>gh-71253: Raise ValueError in open() if opener returns a
negative file-descriptor in the Python implementation of io
to match the C implementation.</li>
<li>gh-77057: Fix handling of invalid markup declarations in
html.parser.HTMLParser.</li>
<li>gh-133489: random.getrandbits() can now generate more that
231 bits. random.randbytes() can now generate more that 256
MiB.</li>
<li>gh-133290: Fix attribute caching issue when setting
ctypes.<em>Pointer._type</em> in the undocumented and deprecated
ctypes.SetPointerType() function and the undocumented
set_type() method.</li>
<li>gh-132876: ldexp() on Windows doesn’t round subnormal
results before Windows 11, but should. Python’s
math.ldexp() wrapper now does round them, so results may
change slightly, in rare cases of very small results, on
Windows versions before 11.</li>
<li>gh-133089: Use original timeout value for
subprocess.TimeoutExpired when the func subprocess.run()
is called with a timeout instead of sometimes a confusing
partial remaining time out value used internally on the
final wait().</li>
<li>gh-133009: xml.etree.ElementTree: Fix a crash in
Element.<strong>deepcopy</strong> when the element is concurrently
mutated. Patch by Bénédikt Tran.</li>
<li>gh-132995: Bump the version of pip bundled in ensurepip to
version 25.1.1</li>
<li>gh-132017: Fix error when pyrepl is suspended, then resumed
and terminated.</li>
<li>gh-132673: Fix a crash when using <em>align</em> = 0 and <em>fields</em>
= [] in a ctypes.Structure.</li>
<li>gh-132527: Include the valid typecode ‘w’ in the error
message when an invalid typecode is passed to array.array.</li>
<li>gh-132439: Fix PyREPL on Windows: characters entered via
AltGr are swallowed. Patch by Chris Eibl.</li>
<li>gh-132429: Fix support of Bluetooth sockets on NetBSD and
DragonFly BSD.</li>
<li>gh-132106: QueueListener.start now raises a RuntimeError if
the listener is already started.</li>
<li>gh-132417: Fix a NULL pointer dereference when a C function
called using ctypes with restype py_object returns NULL.</li>
<li>gh-132385: Fix instance error suggestions trigger potential
exceptions in object.<strong>getattr</strong>() in traceback.</li>
<li>gh-132308: A traceback.TracebackException now correctly
renders the <strong>context</strong> and <strong>cause</strong> attributes from
falsey Exception, and the exceptions attribute from falsey
ExceptionGroup.</li>
<li>gh-132250: Fixed the SystemError in cProfile when locating
the actual C function of a method raises an exception.</li>
<li>gh-132063: Prevent exceptions that evaluate as
falsey (namely, when their <strong>bool</strong> method returns
False or their <strong>len</strong> method returns 0) from being
ignored by concurrent.futures.ProcessPoolExecutor and
concurrent.futures.ThreadPoolExecutor.</li>
<li>gh-119605: Respect follow_wrapped for <strong>init</strong>() and
<strong>new</strong>() methods when getting the class signature for a
class with inspect.signature(). Preserve class signature
after wrapping with warnings.deprecated(). Patch by Xuehai
Pan.</li>
<li>gh-91555: Ignore log messages generated during handling of
log messages, to avoid deadlock or infinite recursion.</li>
<li>gh-131434: Improve error reporting for incorrect format in
time.strptime().</li>
<li>gh-131127: Systems using LibreSSL now successfully build.</li>
<li>gh-130999: Avoid exiting the new REPL and offer suggestions
even if there are non-string candidates when errors occur.</li>
<li>gh-130941: Fix configparser.ConfigParser parsing empty
interpolation with allow_no_value set to True.</li>
<li>gh-129098: Fix REPL traceback reporting when using
compile() with an inexisting file. Patch by Bénédikt Tran.</li>
<li>gh-130631: http.cookiejar.join_header_words() is now more
similar to the original Perl version. It now quotes the
same set of characters and always quote values that end
with "\n".</li>
<li>gh-129719: Fix missing socket.CAN_RAW_ERR_FILTER constant
in the socket module on Linux systems. It was missing since
Python 3.11.</li>
<li>gh-124096: Turn on virtual terminal mode and enable
bracketed paste in REPL on Windows console. (If the
terminal does not support bracketed paste, enabling it does
nothing.)</li>
<li>gh-122559: Remove <strong>reduce</strong>() and <strong>reduce_ex</strong>() methods
that always raise TypeError in the C implementation
of io.FileIO, io.BufferedReader, io.BufferedWriter
and io.BufferedRandom and replace them with default
<strong>getstate</strong>() methods that raise TypeError. This restores
fine details of behavior of Python 3.11 and older versions.</li>
<li>gh-122179: hashlib.file_digest() now raises BlockingIOError
when no data is available during non-blocking I/O. Before,
it added spurious null bytes to the digest.</li>
<li>gh-86155: html.parser.HTMLParser.close() no longer loses
data when the <script> tag is not closed. Patch by Waylan
Limberg.</li>
<li>gh-69426: Fix html.parser.HTMLParser to not unescape
character entities in attribute values if they are followed
by an ASCII alphanumeric or an equals sign.</li>
<li>bpo-44172: Keep a reference to original curses windows in
subwindows so that the original window does not get deleted
before subwindows.</li>
<li>Tests</li>
<li>gh-133744: Fix multiprocessing interrupt test. Add an event
to synchronize the parent process with the child process:
wait until the child process starts sleeping. Patch by
Victor Stinner.</li>
<li>gh-133639: Fix
TestPyReplAutoindent.test_auto_indent_default() doesn’t run
input_code.</li>
<li>gh-133131: The iOS testbed will now select the most
recently released “SE-class” device for testing if a device
isn’t explicitly specified.</li>
<li>gh-109981: The test helper that counts the list of open
file descriptors now uses the optimised /dev/fd approach on
all Apple platforms, not just macOS. This avoids crashes
caused by guarded file descriptors.</li>
<li>IDLE</li>
<li>gh-112936: fix IDLE: no Shell menu item in single-process
mode.</li>
<li>Documentation</li>
<li>gh-107006: Move documentation and example code for
threading.local from its docstring to the official docs.</li>
<li>Core and Builtins</li>
<li>gh-134908: Fix crash when iterating over lines in a text
file on the free threaded build.</li>
<li>gh-127682: No longer call <strong>iter</strong> twice in list
comprehensions. This brings the behavior of list
comprehensions in line with other forms of iteration</li>
<li>gh-134381: Fix RuntimeError when using a not-started
threading.Thread after calling os.fork()</li>
<li>gh-128066: Fixes an edge case where PyREPL improperly threw
an error when Python is invoked on a read only filesystem
while trying to write history file entries.</li>
<li>gh-134100: Fix a use-after-free bug that occurs when an
imported module isn’t in sys.modules after its initial
import. Patch by Nico-Posada.</li>
<li>gh-133703: Fix hashtable in dict can be bigger than
intended in some situations.</li>
<li>gh-132869: Fix crash in the free threading build when
accessing an object attribute that may be concurrently
inserted or deleted.</li>
<li>gh-132762: fromkeys() no longer loops forever when adding
a small set of keys to a large base dict. Patch by Angela
Liss.</li>
<li>gh-133543: Fix a possible memory leak that could occur when
directly accessing instance dictionaries (<strong>dict</strong>) that
later become part of a reference cycle.</li>
<li>gh-133516: Raise ValueError when constants True, False or
None are used as an identifier after NFKC normalization.</li>
<li>gh-133441: Fix crash upon setting an attribute with a dict
subclass. Patch by Victor Stinner.</li>
<li>gh-132942: Fix two races in the type lookup cache. This
affected the free-threaded build and could cause crashes
(apparently quite difficult to trigger).</li>
<li>gh-132713: Fix repr(list) race condition: hold a strong
reference to the item while calling repr(item). Patch by
Victor Stinner.</li>
<li>gh-132747: Fix a crash when calling <strong>get</strong>() of a method
with a None second argument.</li>
<li>gh-132542: Update Thread.native_id after fork(2) to ensure
accuracy. Patch by Noam Cohen.</li>
<li>gh-124476: Fix decoding from the locale encoding in the
C.UTF-8 locale.</li>
<li>gh-131927: Compiler warnings originating from the same
module and line number are now only emitted once, matching
the behaviour of warnings emitted from user code. This can
also be configured with warnings filters.</li>
<li>gh-127682: No longer call <strong>iter</strong> twice when creating and
executing a generator expression. Creating a generator
expression from a non-interable will raise only when the
generator expression is executed. This brings the behavior
of generator expressions in line with other generators.</li>
<li>gh-131878: Handle uncaught exceptions in the main input
loop for the new REPL.</li>
<li>gh-131878: Fix support of unicode characters with two or
more codepoints on Windows in the new REPL.</li>
<li>gh-130804: Fix support of unicode characters on Windows in
the new REPL.</li>
<li>gh-130070: Fixed an assertion error for exec() passed a
string source and a non-None closure. Patch by Bartosz
Sławecki.</li>
<li>gh-129958: Fix a bug that was allowing newlines
inconsitently in format specifiers for single-quoted
f-strings. Patch by Pablo Galindo.</li>
<li>C API</li>
<li>gh-132909: Fix an overflow when handling the K format in
Py_BuildValue(). Patch by Bénédikt Tran.</li>
</ul>
</li>
<li>
<p>Changes from version 3.13.3</p>
</li>
<li>
<p>Tools/Demos</p>
<ul>
<li>gh-131852: msgfmt no longer adds the POT-Creation-Date to
generated .mo files for consistency with GNU msgfmt.</li>
<li>gh-85012: Correctly reset msgctxt when compiling messages
in msgfmt.</li>
<li>gh-130025: The iOS testbed now correctly handles symlinks
used as Python framework references.</li>
</ul>
</li>
<li>Tests<ul>
<li>gh-131050: test_ssl.test_dh_params is skipped if the
underlying TLS library does not support finite-field
ephemeral Diffie-Hellman.</li>
<li>gh-129200: Multiple iOS testbed runners can now be started
at the same time without introducing an ambiguity over
simulator ownership.</li>
<li>gh-130292: The iOS testbed will now run successfully on a
machine that has not previously run Xcode tests (such as CI
configurations).</li>
<li>gh-130293: The tests of terminal colorization are no longer
sensitive to the value of the TERM variable in the testing
environment.</li>
<li>gh-126332: Add unit tests for pyrepl.</li>
</ul>
</li>
<li>Security<ul>
<li>gh-131809: Update bundled libexpat to 2.7.1</li>
<li>gh-131261: Upgrade to libexpat 2.7.0</li>
<li>gh-127371: Avoid unbounded buffering for
tempfile.SpooledTemporaryFile.writelines(). Previously,
disk spillover was only checked after the lines iterator
had been exhausted. This is now done after each line is
written.</li>
<li>gh-121284: Fix bug in the folding of rfc2047 encoded-words
when flattening an email message using a modern email
policy. Previously when an encoded-word was too long for
a line, it would be decoded, split across lines, and
re-encoded. But commas and other special characters in the
original text could be left unencoded and unquoted. This
could theoretically be used to spoof header lines using
a carefully constructed encoded-word if the resulting
rendered email was transmitted or re-parsed.</li>
</ul>
</li>
<li>Library<ul>
<li>gh-132174: Fix function name in error message of
_interpreters.run_string.</li>
<li>gh-132171: Fix crash of _interpreters.run_string on string
subclasses.</li>
<li>gh-129204: Introduce new _PYTHON_SUBPROCESS_USE_POSIX_SPAWN
environment variable knob in subprocess to control the use
of os.posix_spawn().</li>
<li>gh-132159: Do not shadow user arguments in generated
<strong>new</strong>() by decorator warnings.deprecated. Patch by Xuehai
Pan.</li>
<li>gh-132075: Fix possible use of socket address structures
with uninitialized members. Now all structure members are
initialized with zeroes by default.</li>
<li>gh-132002: Fix crash when deallocating
contextvars.ContextVar with weird unahashable string names.</li>
<li>gh-131668: socket: Fix code parsing AF_BLUETOOTH socket
addresses.</li>
<li>gh-131492: Fix a resource leak when constructing a
gzip.GzipFile with a filename fails, for example when
passing an invalid compresslevel.</li>
<li>gh-131325: Fix sendfile fallback implementation to drain
data after writing to transport in asyncio.</li>
<li>gh-129843: Fix incorrect argument passing in
warnings.warn_explicit().</li>
<li>gh-131204: Use monospace font from System Font Stack for
cross-platform support in difflib.HtmlDiff.</li>
<li>gh-130940: The PyConfig.use_system_logger attribute,
introduced in Python 3.13.2, has been removed. The
introduction of this attribute inadvertently introduced an
ABI breakage on macOS and iOS. The use of the system logger
is now enabled by default on iOS, and disabled by default
on macOS.</li>
<li>gh-131045: Fix issue with <strong>contains</strong>, values, and
pseudo-members for enum.Flag.</li>
<li>gh-130959: Fix pure-Python implementation of
datetime.time.fromisoformat() to reject times with spaces
in fractional part (for example, 12:34:56.400 +02:00),
matching the C implementation. Patch by Michał Gorny.</li>
<li>gh-130637: Add validation for numeric response data in
poplib.POP3.stat() method</li>
<li>gh-130461: Remove .. index:: directives from the uuid
module documentation. These directives previously created
entries in the general index for getnode() as well as
the uuid1(), uuid3(), uuid4(), and uuid5() constructor
functions.</li>
<li>gh-130379: The zipapp module now calculates the list of
files to be added to the archive before creating the
archive. This avoids accidentally including the target when
it is being created in the source directory.</li>
<li>gh-130285: Fix corner case for random.sample() allowing the
counts parameter to specify an empty population. So now,
sample([], 0, counts=[]) and sample('abc', k=0, counts=[0,
0, 0]) both give the same result as sample([], 0).</li>
<li>gh-130250: Fix regression in traceback.print_last().</li>
<li>gh-130230: Fix crash in pow() with only Decimal third
argument.</li>
<li>gh-118761: Reverts a change in the previous release
attempting to make some stdlib imports used within the
subprocess module lazy as this was causing errors during
<strong>del</strong> finalizers calling methods such as terminate, or
kill, or send_signal.</li>
<li>gh-130164: Fixed failure to raise TypeError in
inspect.Signature.bind() for positional-only arguments
provided by keyword when a variadic keyword argument (e.g.
--kwargs) is present.</li>
<li>gh-130151: Fix reference leaks in _hashlib.hmac_new() and
_hashlib.hmac_digest(). Patch by Bénédikt Tran.</li>
<li>gh-130145: Fix asyncio.AbstractEventloop.run_forever() when
another loop is already running.</li>
<li>gh-129726: Fix gzip.GzipFile raising an unraisable
exception during garbage collection when referring to
a temporary object by breaking the reference loop with
weakref.</li>
<li>gh-127750: Remove broken functools.singledispatchmethod()
caching introduced in gh-85160.</li>
<li>gh-129583: Update bundled pip to 25.0.1</li>
<li>gh-97850: Update the deprecation warning of
importlib.abc.Loader.load_module().</li>
<li>gh-129646: Update the locale alias mapping in the locale
module to match the latest X Org locale alias mapping and
support new locales in Glibc 2.41.</li>
<li>gh-129603: Fix bugs where sqlite3.Row objects could
segfault if their inherited description was set to
None. Patch by Erlend Aasland.</li>
<li>gh-128231: Execution of multiple statements in the new
REPL now stops immediately upon the first exception
encountered. Patch by Bartosz Sławecki.</li>
<li>gh-117779: Fix reading duplicated entries in zipfile by
name. Reading duplicated entries (except the last one)
by ZipInfo now emits a warning instead of raising an
exception.</li>
<li>gh-128772: Fix pydoc for methods with the <strong>module</strong>
attribute equal to None.</li>
<li>gh-92897: Scheduled the deprecation of the check_home
argument of sysconfig.is_python_build() to Python 3.15.</li>
<li>gh-128657: Fix possible extra reference when using objects
returned by hashlib.sha256() under free threading.</li>
<li>gh-128703: Fix mimetypes.guess_type() to use default
mapping for empty Content-Type in registry.</li>
<li>gh-128308: Support the name keyword argument
for eager tasks in asyncio.loop.create_task(),
asyncio.create_task() and asyncio.TaskGroup.create_task(),
by passing on all kwargs to the task factory set by
asyncio.loop.set_task_factory().</li>
<li>gh-128388: Fix PyREPL on Windows to support more
keybindings, like the Control-← and Control-→ word-skipping
keybindings and those with meta (i.e. Alt), e.g. Alt-d to
kill-word or Alt-Backspace backward-kill-word.</li>
<li>gh-126037: xml.etree.ElementTree: Fix a crash in
Element.find, Element.findtext and Element.findall when
the tag to find implements an <strong>eq</strong>() method mutating the
element being queried. Patch by Bénédikt Tran.</li>
<li>gh-127712: Fix handling of the secure argument of
logging.handlers.SMTPHandler.</li>
<li>gh-126033: xml.etree.ElementTree: Fix a crash in
Element.remove when the element is concurrently
mutated. Patch by Bénédikt Tran.</li>
<li>gh-118201: Fixed intermittent failures of os.confstr,
os.pathconf and os.sysconf on iOS and Android.</li>
<li>gh-124927: Non-printing characters are now properly handled
in the new REPL.</li>
</ul>
</li>
<li>IDLE<ul>
<li>gh-129873: Simplify displaying the IDLE doc by only copying
the text section of idle.html to idlelib/help.html. Patch
by Stan Ulbrych.</li>
</ul>
</li>
<li>Documentation<ul>
<li>gh-131417: Mention asyncio.Future and asyncio.Task in
generic classes list.</li>
<li>gh-125722: Require Sphinx 8.2.0 or later to build the
Python documentation. Patch by Adam Turner.</li>
<li>gh-129712: The wheel tags supported by each macOS universal
SDK option are now documented.</li>
<li>gh-46236: C API: Document PyUnicode_RSplit(),
PyUnicode_Partition() and PyUnicode_RPartition().</li>
</ul>
</li>
<li>Core and Builtins<ul>
<li>gh-132011: Fix crash when calling list.append() as an
unbound method.</li>
<li>gh-131998: Fix a crash when using an unbound method
descriptor object in a function where a bound method
descriptor was used.</li>
<li>gh-131988: Fix a performance regression that caused scaling
bottlenecks in the free threaded build in 3.13.1 and
3.13.2.</li>
<li>gh-131719: Fix missing NULL check in _PyMem_FreeDelayed in
free-threaded build.</li>
<li>gh-131670: Fix anext() failing on sync <strong>anext</strong>() raising
an exception.</li>
<li>gh-131141: Fix data race in sys.monitoring instrumentation
while registering callback.</li>
<li>gh-130932: Fix incorrect exception handling in
_PyModule_IsPossiblyShadowing</li>
<li>gh-130851: Fix a crash in the free threading build when
constructing a code object with co_consts that contains
instances of types that are not otherwise generated by the
bytecode compiler.</li>
<li>gh-130794: Fix memory leak in the free threaded build
when resizing a shared list or dictionary from multiple
short-lived threads.</li>
<li>gh-130775: Do not crash on negative column and end_column
in ast locations.</li>
<li>gh-130382: Fix PyRefTracer_DESTROY not being sent from
Python/ceval.c Py_DECREF().</li>
<li>gh-130618: Fix a bug that was causing UnicodeDecodeError or
SystemError to be raised when using f-strings with lambda
expressions with non-ASCII characters. Patch by Pablo
Galindo</li>
<li>gh-130163: Fix possible crashes related to concurrent
change and use of the sys module attributes.</li>
<li>gh-88887: Fixing multiprocessing Resource Tracker process
leaking, usually observed when running Python as PID 1.</li>
<li>gh-130115: Fix an issue with thread identifiers being
sign-extended on some platforms.</li>
<li>gh-128396: Fix a crash that occurs when calling locals()
inside an inline comprehension that uses the same local
variable as the outer frame scope where the variable is a
free or cell var.</li>
<li>gh-116042: Fix location for SyntaxErrors of invalid escapes
in the tokenizer. Patch by Pablo Galindo</li>
<li>gh-129983: Fix data race in compile_template in sre.c.</li>
<li>gh-129967: Fix a race condition in the free threading build
when repr(set) is called concurrently with set.clear().</li>
<li>gh-129900: Fix return codes inside SystemExit not getting
returned by the REPL.</li>
<li>gh-129732: Fixed a race in _Py_qsbr_reserve in the free
threading build.</li>
<li>gh-129643: Fix thread safety of PyList_Insert() in
free-threading builds.</li>
<li>gh-129668: Fix race condition when raising MemoryError in
the free threaded build.</li>
<li>gh-129643: Fix thread safety of PyList_SetItem() in
free-threading builds. Patch by Kumar Aditya.</li>
<li>gh-128714: Fix the potential races in get/set dunder
methods <strong>annotations</strong>, <strong>annotate</strong> and <strong>type_params</strong>
for function object, and add related tests.</li>
<li>gh-128632: Disallow <strong>classdict</strong> as the name of a type
parameter. Using this name would previously crash the
interpreter in some circumstances.</li>
<li>gh-127953: The time to handle a LINE event in
sys.monitoring (and sys.settrace) is now independent of the
number of lines in the code object.</li>
<li>gh-125331: from <strong>future</strong> import barry_as_FLUFL now works
in more contexts, including when it is used in files,
with the -c flag, and in the REPL when there are multiple
statements on the same line. Previously, it worked only
on subsequent lines in the REPL, and when the appropriate
flags were passed directly to compile(). Patch by Pablo
Galindo.</li>
</ul>
</li>
<li>C API<ul>
<li>gh-131740: Update PyUnstable_GC_VisitObjects to traverse
perm gen.</li>
<li>gh-129533: Update PyGC_Enable(), PyGC_Disable(),
PyGC_IsEnabled() to use atomic operation for thread-safety
at free-threading build. Patch by Donghee Na.</li>
</ul>
</li>
<li>
<p>Build</p>
<ul>
<li>gh-131865: The DTrace build now properly passes the CC
and CFLAGS variables to the dtrace command when utilizing
SystemTap on Linux.</li>
<li>gh-131675: Fix mimalloc library builds for 32-bit ARM
targets.</li>
<li>gh-130673: Fix potential KeyError when handling object
sections during JIT building process.</li>
<li>gh-130740: Ensure that Python.h is included before
stdbool.h unless pyconfig.h is included before or in some
platform-specific contexts.</li>
<li>gh-129838: Don’t redefine _Py_NO_SANITIZE_UNDEFINED when
compiling with a recent GCC version and undefined sanitizer
enabled.</li>
<li>gh-129660: Drop test_embed from PGO training, whose
contribution in recent versions is considered to be
ignorable.</li>
</ul>
</li>
<li>
<p>Changes from version 3.13.2:</p>
</li>
<li>
<p>Tools/Demos</p>
<ul>
<li>gh-128152: Fix a bug where Argument Clinic’s C
pre-processor parser tried to parse pre-processor
directives inside C comments. Patch by Erlend Aasland.</li>
</ul>
</li>
<li>Tests<ul>
<li>gh-127906: Test the limited C API in test_cppext. Patch by
Victor Stinner.</li>
<li>gh-127637: Add tests for the dis command-line
interface. Patch by Bénédikt Tran.</li>
<li>gh-126925: iOS test results are now streamed during test
execution, and the deprecated xcresulttool is no longer
used.</li>
</ul>
</li>
<li>Security<ul>
<li>gh-105704: When using urllib.parse.urlsplit() and
urllib.parse.urlparse() host parsing would not reject
domain names containing square brackets ([ and ]). Square
brackets are only valid for IPv6 and IPvFuture hosts
according to RFC 3986 Section 3.2.2. (CVE-2025-0938,
bsc#1236705)</li>
<li>gh-127655: Fixed the
asyncio.selector_events._SelectorSocketTransport
transport not pausing writes for the protocol when
the buffer reaches the high water mark when using
asyncio.WriteTransport.writelines() (CVE-2024-12254,
bsc#1234290).</li>
<li>gh-126108: Fix a possible NULL pointer dereference in
PySys_AddWarnOptionUnicode().</li>
<li>gh-80222: Fix bug in the folding of quoted strings
when flattening an email message using a modern email
policy. Previously when a quoted string was folded so
that it spanned more than one line, the surrounding
quotes and internal escapes would be omitted. This could
theoretically be used to spoof header lines using a
carefully constructed quoted string if the resulting
rendered email was transmitted or re-parsed.</li>
<li>gh-119511: Fix a potential denial of service in the imaplib
module. When connecting to a malicious server, it could
cause an arbitrary amount of memory to be allocated. On
many systems this is harmless as unused virtual memory is
only a mapping, but if this hit a virtual address size
limit it could lead to a MemoryError or other process
crash. On unusual systems or builds where all allocated
memory is touched and backed by actual ram or storage
it could’ve consumed resources doing so until similarly
crashing.</li>
</ul>
</li>
<li>Library<ul>
<li>gh-129502: Unlikely errors in preparing arguments for
ctypes callback are now handled in the same way as errors
raised in the callback of in converting the result of
the callback – using sys.unraisablehook() instead of
sys.excepthook() and not setting sys.last_exc and other
variables.</li>
<li>gh-129403: Corrected ValueError message for asyncio.Barrier
and threading.Barrier.</li>
<li>gh-129409: Fix an integer overflow in the csv module when
writing a data field larger than 2GB.</li>
<li>gh-118761: Improve import time of subprocess by lazy
importing locale and signal. Patch by Taneli Hukkinen.</li>
<li>gh-129346: In sqlite3, handle out-of-memory when creating
user-defined SQL functions.</li>
<li>gh-129061: Fix FORCE_COLOR and NO_COLOR when empty
strings. Patch by Hugo van Kemenade.</li>
<li>gh-128550: Removed an incorrect optimization relating
to eager tasks in asyncio.TaskGroup that resulted in
cancellations being missed.</li>
<li>gh-128991: Release the enter frame reference within bdb
callback</li>
<li>gh-128978: Fix a NameError in
sysconfig.expand_makefile_vars(). Patch by Bénédikt Tran.</li>
<li>gh-128961: Fix a crash when setting state on an exhausted
array.array iterator.</li>
<li>gh-128894: Fix
traceback.TracebackException._format_syntax_error not to
fail on exceptions with custom metadata.</li>
<li>gh-128916: Do not attempt to set SO_REUSEPORT on sockets of
address families other than AF_INET and AF_INET6, as it is
meaningless with these address families, and the call with
fail with Linux kernel 6.12.9 and newer.</li>
<li>gh-128679: Fix tracemalloc.stop() race condition. Fix
tracemalloc to support calling tracemalloc.stop() in
one thread, while another thread is tracing memory
allocations. Patch by Victor Stinner.</li>
<li>gh-128636: Fix PyREPL failure when os.environ is
overwritten with an invalid value.</li>
<li>gh-128562: Fix possible conflicts in generated tkinter
widget names if the widget class name ends with a digit.</li>
<li>gh-128498: Default to stdout isatty for color detection
instead of stderr. Patch by Hugo van Kemenade.</li>
<li>gh-128552: Fix cyclic garbage introduced
by asyncio.loop.create_task() and
asyncio.TaskGroup.create_task() holding a reference to the
created task if it is eager.</li>
<li>gh-128479: Fix asyncio.staggered.staggered_race() leaking
tasks and issuing an unhandled exception.</li>
<li>gh-128400: Fix crash when using
faulthandler.dump_traceback() while other threads are
active on the free threaded build.</li>
<li>gh-88834: Unify the instance check for typing.Union and
types.UnionType: Union now uses the instance checks against
its parameters instead of the subclass checks.</li>
<li>gh-128302: Fix
xml.dom.xmlbuilder.DOMEntityResolver.resolveEntity(), which
was broken by the Python 3.0 transition.</li>
<li>gh-128302: Allow xml.dom.xmlbuilder.DOMParser.parse()
to correctly handle xml.dom.xmlbuilder.DOMInputSource
instances that only have a systemId attribute set.</li>
<li>gh-112064: Fix incorrect handling of negative read sizes in
HTTPResponse.read. Patch by Yury Manushkin.</li>
<li>gh-58956: Fixed a frame reference leak in bdb.</li>
<li>gh-128131: Completely support random access of uncompressed
unencrypted read-only zip files obtained by ZipFile.open.</li>
<li>gh-112328: enum.EnumDict can now be used without resorting
to private API.</li>
<li>gh-127975: Avoid reusing quote types in ast.unparse() if
not needed.</li>
<li>gh-128062: Revert the font of turtledemo’s menu bar to its
default value and display the shortcut keys in the correct
position.</li>
<li>gh-128014: Fix resetting the default window icon by passing
default='' to the tkinter method wm_iconbitmap().</li>
<li>gh-115514: Fix exceptions and incomplete writes after
asyncio._SelectorTransport is closed before writes are
completed.</li>
<li>gh-41872: Fix quick extraction of module docstrings from
a file in pydoc. It now supports docstrings with single
quotes, escape sequences, raw string literals, and other
Python syntax.</li>
<li>gh-127060: Set TERM environment variable to “dumb” to
disable traceback colors in IDLE, since IDLE doesn’t
understand ANSI escape sequences. Patch by Victor Stinner.</li>
<li>gh-126742: Fix support of localized error messages reported
by dlerror(3) and gdbm_strerror in ctypes and dbm.gnu
functions respectively. Patch by Bénédikt Tran.</li>
<li>gh-127873: When -E is set, only ignore PYTHON_COLORS
and not FORCE_COLOR/NO_COLOR/TERM when colourising
output. Patch by Hugo van Kemenade.</li>
<li>gh-127870: Detect recursive calls in ctypes <em>as_parameter</em>
handling. Patch by Victor Stinner.</li>
<li>gh-127847: Fix the position when doing interleaved seeks
and reads in uncompressed, unencrypted zip files returned
by zipfile.ZipFile.open().</li>
<li>gh-127732: The platform module now correctly detects
Windows Server 2025.</li>
<li>gh-126821: macOS and iOS apps can now choose to redirect
stdout and stderr to the system log during interpreter
configuration.</li>
<li>gh-93312: Include <sys/pidfd.h> to get os.PIDFD_NONBLOCK
constant. Patch by Victor Stinner.</li>
<li>gh-83662: Add missing <strong>class_getitem</strong> method to the
Python implementation of functools.partial(), to make it
compatible with the C version. This is mainly relevant for
alternative Python implementations like PyPy and GraalPy,
because CPython will usually use the C-implementation of
that function.</li>
<li>gh-127586: multiprocessing.pool.Pool now properly restores
blocked signal handlers of the parent thread when creating
processes via either spawn or forkserver.</li>
<li>gh-98188: Fix an issue in
email.message.Message.get_payload() where data cannot be
decoded if the Content Transfer Encoding mechanism contains
trailing whitespaces or additional junk text. Patch by Hui
Liu.</li>
<li>gh-127257: In ssl, system call failures that OpenSSL
reports using ERR_LIB_SYS are now raised as OSError.</li>
<li>gh-127096: Do not recreate unnamed section on every read in
configparser.ConfigParser. Patch by Andrey Efremov.</li>
<li>gh-127196: Fix crash when dict with keys in invalid
encoding were passed to several functions in _interpreters
module.</li>
<li>gh-126775: Make linecache.checkcache() thread safe and GC
re-entrancy safe.</li>
<li>gh-126332: Fix _pyrepl crash when entering a double CTRL-Z
on an overflowing line.</li>
<li>gh-126225: getopt and optparse are no longer marked as
deprecated. There are legitimate reasons to use one of
these modules in preference to argparse, and none of these
modules are at risk of being removed from the standard
library. Of the three, argparse remains the recommended
default choice, unless one of the concerns noted at the top
of the optparse module documentation applies.</li>
<li>gh-125553: Fix round-trip invariance for backslash
continuations in tokenize.untokenize().</li>
<li>gh-123987: Fixed issue in NamespaceReader where a non-path
item in a namespace path, such as a sentinel added by an
editable installer, would break resource loading.</li>
<li>gh-123401: The http.cookies module now supports parsing
obsolete RFC 850 date formats, in accordance with RFC 9110
requirements. Patch by Nano Zheng.</li>
<li>gh-122431: readline.append_history_file() now raises a
ValueError when given a negative value.</li>
<li>gh-119257: Show tab completions menu below the current
line, which results in less janky behaviour, and fixes a
cursor movement bug. Patch by Daniel Hollas</li>
</ul>
</li>
<li>Documentation<ul>
<li>gh-125722: Require Sphinx 8.1.3 or later to build the
Python documentation. Patch by Adam Turner.</li>
<li>gh-67206: Document that string.printable is not
printable in the POSIX sense. In particular,
string.printable.isprintable() returns False. Patch by
Bénédikt Tran.</li>
</ul>
</li>
<li>Core and Builtins<ul>
<li>gh-129345: Fix null pointer dereference in syslog.openlog()
when an audit hook raises an exception.</li>
<li>gh-129093: Fix f-strings such as f'{expr=}' sometimes not
displaying the full expression when the expression contains
!=.</li>
<li>gh-124363: Treat debug expressions in f-string as raw
strings. Patch by Pablo Galindo</li>
<li>gh-128799: Add frame of except* to traceback when it wraps
a naked exception.</li>
<li>gh-128078: Fix a SystemError when using anext() with a
default tuple value. Patch by Bénédikt Tran.</li>
<li>gh-128717: Fix a crash when setting the recursion limit
while other threads are active on the free threaded build.</li>
<li>gh-128330: Restore terminal control characters on REPL
exit.</li>
<li>gh-128079: Fix a bug where except<em> does not properly check
the return value of an ExceptionGroup’s split() function,
leading to a crash in some cases. Now when split() returns
an invalid object, except</em> raises a TypeError with the
original raised ExceptionGroup object chained to it.</li>
<li>gh-128030: Avoid error from calling
PyModule_GetFilenameObject on a non-module object when
importing a non-existent symbol from a non-module object.</li>
<li>gh-127903: Objects/unicodeobject.c: fix a crash on DEBUG
builds in _copy_characters when there is nothing to copy.</li>
<li>gh-127599: Fix statistics for increments of object
reference counts (in particular, when a reference count was
increased by more than 1 in a single operation).</li>
<li>gh-127651: When raising ImportError for missing symbols
in from imports, use <strong>file</strong> in the error message if
<strong>spec</strong>.origin is not a location</li>
<li>gh-127582: Fix non-thread-safe object resurrection when
calling finalizers and watcher callbacks in the free
threading build.</li>
<li>gh-127434: The iOS compiler shims can now accept arguments
with spaces.</li>
<li>gh-127536: Add missing locks around some list assignment
operations in the free threading build.</li>
<li>gh-126862: Fix a possible overflow when a class inherits
from an absurd number of super-classes. Reported by Valery
Fedorenko. Patch by Bénédikt Tran.</li>
<li>gh-127349: Fixed the error when resizing terminal in Python
REPL. Patch by Semyon Moroz.</li>
<li>gh-126076: Relocated objects such as tuple, bytes and
str objects are properly tracked by tracemalloc and its
associated hooks. Patch by Pablo Galindo.</li>
</ul>
</li>
<li>C API<ul>
<li>gh-127791: Fix loss of callbacks after more than one call
to PyUnstable_AtExit().</li>
</ul>
</li>
<li>
<p>Build</p>
<ul>
<li>gh-129539: Don’t redefine EX_OK when the system has the
sysexits.h header.</li>
<li>gh-128472: Skip BOLT optimization of functions using
computed gotos, fixing errors on build with LLVM 19.</li>
<li>gh-123925: Fix building the curses module on platforms with
libncurses but without libncursesw.</li>
<li>gh-128321: Set LIBS instead of LDFLAGS when checking if
sqlite3 library functions are available. This fixes the
ordering of linked libraries during checks, which was
incorrect when using a statically linked libsqlite3.</li>
<li>gh-127865: Fix build failure on systems without
thread-locals support.</li>
</ul>
</li>
<li>
<p>Changes from version 3.13.1:</p>
</li>
<li>Tools/Demos<ul>
<li>gh-126807: Fix extraction warnings in pygettext.py caused
by mistaking function definitions for function calls.</li>
<li>gh-126167: The iOS testbed was modified so that it can be
used by third-party projects for testing purposes.</li>
</ul>
</li>
<li>Tests<ul>
<li>gh-126909: Fix test_os extended attribute tests to work on
filesystems with 1 KiB xattr size limit.</li>
<li>gh-125041: Re-enable skipped tests for zlib on the
s390x architecture: only skip checks of the compressed
bytes, which can be different between zlib’s software
implementation and the hardware-accelerated implementation.</li>
<li>gh-124295: Add translation tests to the argparse module.</li>
</ul>
</li>
<li>Security<ul>
<li>gh-126623: Upgrade libexpat to 2.6.4</li>
<li>gh-125140: Remove the current directory from sys.path when
using PyREPL.</li>
<li>gh-122792: Changed IPv4-mapped ipaddress.IPv6Address to
consistently use the mapped IPv4 address value for deciding
properties. Properties which have their behavior fixed are
is_multicast, is_reserved, is_link_local, is_global, and
is_unspecified.</li>
</ul>
</li>
<li>Library<ul>
<li>gh-127321: pdb.set_trace() will not stop at an opcode that
does not have an associated line number anymore.</li>
<li>gh-127303: Publicly expose EXACT_TOKEN_TYPES in
token.<strong>all</strong>.</li>
<li>gh-123967: Fix faulthandler for trampoline frames. If the
top-most frame is a trampoline frame, skip it. Patch by
Victor Stinner.</li>
<li>gh-127182: Fix io.StringIO.<strong>setstate</strong>() crash, when None
was passed as the first value.</li>
<li>gh-127217: Fix urllib.request.pathname2url() for paths
starting with multiple slashes on Posix.</li>
<li>gh-127035: Fix shutil.which on Windows. Now it looks at
direct match if and only if the command ends with a PATHEXT
extension or X_OK is not in mode. Support extensionless
files if “.” is in PATHEXT. Support PATHEXT extensions that
end with a dot.</li>
<li>gh-122273: Support PyREPL history on Windows. Patch by
devdanzin and Victor Stinner.</li>
<li>gh-127078: Fix issue where urllib.request.url2pathname()
failed to discard an extra slash before a UNC drive in the
URL path on Windows.</li>
<li>gh-126766: Fix issue where urllib.request.url2pathname()
failed to discard any ‘localhost’ authority present in the
URL.</li>
<li>gh-127065: Fix crash when calling a operator.methodcaller()
instance from multiple threads in the free threading build.</li>
<li>gh-126997: Fix support of STRING and GLOBAL opcodes with
non-ASCII arguments in pickletools. pickletools.dis()
now outputs non-ASCII bytes in STRING, BINSTRING and
SHORT_BINSTRING arguments as escaped (\xXX).</li>
<li>gh-126316: grp: Make grp.getgrall() thread-safe by adding a
mutex. Patch by Victor Stinner.</li>
<li>gh-126618: Fix the representation of itertools.count
objects when the count value is sys.maxsize.</li>
<li>gh-85168: Fix issue where urllib.request.url2pathname() and
pathname2url() always used UTF-8 when quoting and unquoting
file URIs. They now use the filesystem encoding and error
handler.</li>
<li>gh-67877: Fix memory leaks when regular expression matching
terminates abruptly, either because of a signal or because
memory allocation fails.</li>
<li>gh-126789: Fixed the values of sysconfig.get_config_vars(),
sysconfig.get_paths(), and their siblings when the site
initialization happens after sysconfig has built a cache
for sysconfig.get_config_vars().</li>
<li>gh-126188: Update bundled pip to 24.3.1</li>
<li>gh-126780: Fix os.path.normpath() for drive-relative paths
on Windows.</li>
<li>gh-126766: Fix issue where urllib.request.url2pathname()
failed to discard two leading slashes introducing an empty
authority section.</li>
<li>gh-126727: locale.nl_langinfo(locale.ERA) now returns
multiple era description segments separated by
semicolons. Previously it only returned the first segment
on platforms with Glibc.</li>
<li>gh-126699: Allow collections.abc.AsyncIterator to be a base
for Protocols.</li>
<li>gh-126654: Fix crash when non-dict was passed to several
functions in _interpreters module.</li>
<li>gh-104745: Limit starting a patcher (from
unittest.mock.patch() or unittest.mock.patch.object()) more
than once without stopping it</li>
<li>gh-126595: Fix a crash when instantiating itertools.count
with an initial count of sys.maxsize on debug builds. Patch
by Bénédikt Tran.</li>
<li>gh-120423: Fix issue where urllib.request.pathname2url()
mishandled Windows paths with embedded forward slashes.</li>
<li>gh-126565: Improve performances of zipfile.Path.open() for
non-reading modes.</li>
<li>gh-126505: Fix bugs in compiling case-insensitive regular
expressions with character classes containing non-BMP
characters: upper-case non-BMP character did was ignored
and the ASCII flag was ignored when matching a character
range whose upper bound is beyond the BMP region.</li>
<li>gh-117378: Fixed the multiprocessing "forkserver"
start method forkserver process to correctly inherit
the parent’s sys.path during the importing of
multiprocessing.set_forkserver_preload() modules in the
same manner as sys.path is configured in workers before
executing work items.</li>
<li>This bug caused some forkserver module preloading to
silently fail to preload. This manifested as a performance
degration in child processes when the sys.path was required
due to additional repeated work in every worker.</li>
<li>It could also have a side effect of "" remaining in
sys.path during forkserver preload imports instead of the
absolute path from os.getcwd() at multiprocessing import
time used in the worker sys.path.</li>
<li>The sys.path differences between phases in the child
process could potentially have caused preload to import
incorrect things from the wrong location. We are unaware of
that actually having happened in practice.</li>
<li>gh-125679: The multiprocessing.Lock and
multiprocessing.RLock repr values no longer say “unknown”
on macOS.</li>
<li>gh-126476: Raise calendar.IllegalMonthError (now a subclass
of IndexError) for calendar.month() when the input month is
not correct.</li>
<li>gh-126489: The Python implementation of pickle no longer
calls pickle.Pickler.persistent_id() for the result of
persistent_id().</li>
<li>gh-126313: Fix an issue in curses.napms() when
curses.initscr() has not yet been called. Patch by Bénédikt
Tran.</li>
<li>gh-126303: Fix pickling and copying of os.sched_param
objects.</li>
<li>gh-126138: Fix a use-after-free crash on asyncio.Task
objects whose underlying coroutine yields an object that
implements an evil <strong>getattribute</strong>(). Patch by Nico
Posada.</li>
<li>gh-126220: Fix crash in cProfile.Profile and
_lsprof.Profiler when their callbacks were directly called
with 0 arguments.</li>
<li>gh-126212: Fix issue where urllib.request.pathname2url()
and url2pathname() removed slashes from Windows DOS drive
paths and URLs.</li>
<li>gh-126223: Raise a UnicodeEncodeError instead of a
SystemError upon calling _interpreters.create() with an
invalid Unicode character.</li>
<li>gh-126205: Fix issue where urllib.request.pathname2url()
generated URLs beginning with four slashes (rather than
two) when given a Windows UNC path.</li>
<li>gh-126105: Fix a crash in ast when the ast.AST._fields
attribute is deleted.</li>
<li>gh-126106: Fixes a possible NULL pointer dereference in
ssl.</li>
<li>gh-126080: Fix a use-after-free crash on asyncio.Task
objects for which the underlying event loop implements an
evil <strong>getattribute</strong>(). Reported by Nico-Posada. Patch by
Bénédikt Tran.</li>
<li>gh-126083: Fixed a reference leak in asyncio.Task objects
when reinitializing the same object with a non-None
context. Patch by Nico Posada.</li>
<li>gh-125984: Fix use-after-free crashes on asyncio.Future
objects for which the underlying event loop implements an
evil <strong>getattribute</strong>(). Reported by Nico-Posada. Patch by
Bénédikt Tran.</li>
<li>gh-125969: Fix an out-of-bounds crash when an evil
asyncio.loop.call_soon() mutates the length of the internal
callbacks list. Patch by Bénédikt Tran.</li>
<li>gh-125966: Fix a use-after-free crash in
asyncio.Future.remove_done_callback(). Patch by Bénédikt
Tran.</li>
<li>gh-125789: Fix possible crash when mutating list of
callbacks returned by asyncio.Future._callbacks. It
now always returns a new copy in C implementation
_asyncio. Patch by Kumar Aditya.</li>
<li>gh-124452: Fix an issue in
email.policy.EmailPolicy.header_source_parse() and
email.policy.Compat32.header_source_parse() that introduced
spurious leading whitespaces into header values when the
header includes a newline character after the header name
delimiter (:) and before the value.</li>
<li>gh-125884: Fixed the bug for pdb where it can’t set
breakpoints on functions with certain annotations.</li>
<li>gh-125355: Fix several bugs in
argparse.ArgumentParser.parse_intermixed_args().<ul>
<li>The parser no longer changes temporarily during
parsing.</li>
<li>Default values are not processed twice.</li>
<li>Required mutually exclusive groups containing
positional arguments are now supported.</li>
<li>The missing arguments report now includes the names of
all required optional and positional arguments.</li>
<li>Unknown options can be intermixed with positional
arguments in parse_known_intermixed_args().</li>
</ul>
</li>
<li>gh-125666: Avoid the exiting the interpreter if a null byte
is given as input in the new REPL.</li>
<li>gh-125710: [Enum] fix hashable<->nonhashable comparisons
for member values</li>
<li>gh-125631: Restore ability to set persistent_id and
persistent_load attributes of instances of the Pickler and
Unpickler classes in the pickle module.</li>
<li>gh-125378: Fixed the bug in pdb where after a multi-line
command, an empty line repeats the first line of the
multi-line command, instead of the full command.</li>
<li>gh-125682: Reject non-ASCII digits in the Python
implementation of json.loads() conforming to the JSON
specification.</li>
<li>gh-125660: Reject invalid unicode escapes for Python
implementation of json.loads().</li>
<li>gh-125259: Fix the notes removal logic for errors thrown in
enum initialization.</li>
<li>gh-125590: Allow FrameLocalsProxy to delete and pop if the
key is not a fast variable.</li>
<li>gh-125519: Improve traceback if importlib.reload() is
called with an object that is not a module. Patch by Alex
Waygood.</li>
<li>gh-125451: Fix deadlock when
concurrent.futures.ProcessPoolExecutor shuts down
concurrently with an error when feeding a job to a worker
process.</li>
<li>gh-125422: Fixed the bug where pdb and bdb can step into
the bottom caller frame.</li>
<li>gh-100141: Fixed the bug where pdb will be stuck in an
infinite loop when debugging an empty file.</li>
<li>gh-125115: Fixed a bug in pdb where arguments starting with</li>
<li>can’t be passed to the debugged script.</li>
<li>gh-53203: Fix time.strptime() for %c, %x and %X formats
in many locales that use non-ASCII digits, like Persian,
Burmese, Odia and Shan.</li>
<li>gh-125398: Fix the conversion of the VIRTUAL_ENV path in
the activate script in venv when running in Git Bash for
Windows.</li>
<li>gh-125316: Fix using functools.partial() as enum.Enum
member. A FutureWarning with suggestion to use
enum.member() is now emitted when the partial instance is
used as an enum member.</li>
<li>gh-125245: Fix race condition when importing
collections.abc, which could incorrectly return an empty
module.</li>
<li>gh-125243: Fix data race when creating zoneinfo.ZoneInfo
objects in the free threading build.</li>
<li>gh-125254: Fix a bug where ArgumentError includes the
incorrect ambiguous option in argparse.</li>
<li>gh-125235: Keep tkinter TCL paths in venv pointing to base
installation on Windows.</li>
<li>gh-61011: Fix inheritance of nested mutually
exclusive groups from parent parser in
argparse.ArgumentParser. Previously, all nested mutually
exclusive groups lost their connection to the group
containing them and were displayed as belonging directly to
the parser.</li>
<li>gh-52551: Fix encoding issues in time.strftime(), the
strftime() method of the datetime classes datetime, date
and time and formatting of these classes. Characters
not encodable in the current locale are now acceptable
in the format string. Surrogate pairs and sequence
of surrogatescape-encoded bytes are no longer
recombinated. Embedded null character no longer terminates
the format string.</li>
<li>gh-125118: Don’t copy arbitrary values to _Bool in the
struct module.</li>
<li>gh-125069: Fix an issue where providing a pathlib.PurePath
object as an initializer argument to a second PurePath
object with a different parser resulted in arguments to
the former object’s initializer being joined by the latter
object’s parser.</li>
<li>gh-125096: If the PYTHON_BASIC_REPL environment variable
is set, the site module no longer imports the _pyrepl
module. Moreover, the site module now respects -E and -I
command line options: ignore PYTHON_BASIC_REPL in this
case. Patch by Victor Stinner.</li>
<li>gh-124969: Fix locale.nl_langinfo(locale.ALT_DIGITS) on
platforms with glibc. Now it returns a string consisting of
up to 100 semicolon-separated symbols (an empty string in
most locales) on all Posix platforms. Previously it only
returned the first symbol or an empty string.</li>
<li>gh-124960: Fix support for the barry_as_FLUFL future flag
in the new REPL.</li>
<li>gh-124984: Fixed thread safety in ssl in the free-threaded
build. OpenSSL operations are now protected by a per-object
lock.</li>
<li>gh-124958: Fix refcycles in exceptions raised from
asyncio.TaskGroup and the python implementation of
asyncio.Future</li>
<li>gh-53203: Fix time.strptime() for %c and %x formats in many
locales: Arabic, Bislama, Breton, Bodo, Kashubian, Chuvash,
Estonian, French, Irish, Ge’ez, Gurajati, Manx Gaelic,
Hebrew, Hindi, Chhattisgarhi, Haitian Kreyol, Japanese,
Kannada, Korean, Marathi, Malay, Norwegian, Nynorsk,
Punjabi, Rajasthani, Tok Pisin, Yoruba, Yue Chinese,
Yau/Nungon and Chinese.</li>
<li>gh-124917: Allow calling os.path.exists() and
os.path.lexists() with keyword arguments on Windows. Fixes
a regression in 3.13.0.</li>
<li>gh-124653: Fix detection of the minimal Queue API needed by
the logging module. Patch by Bénédikt Tran.</li>
<li>gh-124858: Fix reference cycles left in tracebacks
in asyncio.open_connection() when used with
happy_eyeballs_delay</li>
<li>gh-124390: Fixed AssertionError when using
asyncio.staggered.staggered_race() with
asyncio.eager_task_factory.</li>
<li>gh-124651: Properly quote template strings in venv
activation scripts (bsc#1232241, CVE-2024-9287).</li>
<li>gh-116850: Fix argparse for namespaces with not directly
writable dict (e.g. classes).</li>
<li>gh-58573: Fix conflicts between abbreviated long options in
the parent parser and subparsers in argparse.</li>
<li>gh-124594: All asyncio REPL prompts run in the same
context. Contributed by Bartosz Sławecki.</li>
<li>gh-61181: Fix support of choices with string value in
argparse. Substrings of the specified string no longer
considered valid values.</li>
<li>gh-80259: Fix argparse support of positional arguments with
nargs='?', default=argparse.SUPPRESS and specified type.</li>
<li>gh-120378: Fix a crash related to an integer overflow in
curses.resizeterm() and curses.resize_term().</li>
<li>gh-123884: Fixed bug in itertools.tee() handling of other
tee inputs (a tee in a tee). The output now has the
promised n independent new iterators. Formerly, the first
iterator was identical (not independent) to the input
iterator. This would sometimes give surprising results.</li>
<li>gh-58956: Fixed a bug in pdb where sometimes the breakpoint
won’t trigger if it was set on a function which is already
in the call stack.</li>
<li>gh-124345: argparse vim supports abbreviated single-dash
long options separated by = from its value.</li>
<li>gh-104860: Fix disallowing abbreviation of single-dash long
options in argparse with allow_abbrev=False.</li>
<li>gh-63143: Fix parsing mutually exclusive arguments in
argparse. Arguments with the value identical to the default
value (e.g. booleans, small integers, empty or 1-character
strings) are no longer considered “not present”.</li>
<li>gh-72795: Positional arguments with nargs equal to '<em>' or
argparse.REMAINDER are no longer required. This allows to
use positional argument with nargs='</em>' and without default
in mutually exclusive group and improves error message
about required arguments.</li>
<li>gh-59317: Fix parsing positional argument with nargs equal
to '?' or '*' if it is preceded by an option and another
positional argument.</li>
<li>gh-53780: argparse now ignores the first "--" (double dash)
between an option and command.</li>
<li>gh-124217: Add RFC 9637 reserved IPv6 block 3fff::/20 in
ipaddress module.</li>
<li>gh-81691: Fix handling of multiple "--" (double dashes)
in argparse. Only the first one has now been removed, all
subsequent ones are now taken literally.</li>
<li>gh-123978: Remove broken time.thread_time() and
time.thread_time_ns() on NetBSD.</li>
<li>gh-124008: Fix possible crash (in debug build), incorrect
output or returning incorrect value from raw binary write()
when writing to console on Windows.</li>
<li>gh-123935: Fix parent slots detection for dataclasses that
inherit from classes with <strong>dictoffset</strong>.</li>
<li>gh-122765: Fix unbalanced quote errors occurring when
activate.csh in venv was sourced with a custom prompt
containing unpaired quotes or newlines.</li>
<li>gh-123370: Fix the canvas not clearing after running
turtledemo clock.</li>
<li>gh-116810: Resolve a memory leak introduced in CPython
3.10’s ssl when the ssl.SSLSocket.session property was
accessed. Speeds up read and write access to said property
by no longer unnecessarily cloning session objects via
serialization.</li>
<li>gh-120754: Update unbounded read calls in zipfile to
specify an explicit size putting a limit on how much data
they may read. This also updates handling around ZIP max
comment size to match the standard instead of reading
comments that are one byte too long.</li>
<li>gh-70764: Fixed an issue where inspect.getclosurevars()
would incorrectly classify an attribute name as a global
variable when the name exists both as an attribute name and
a global variable.</li>
<li>gh-118289: posixpath.realpath() now raises
NotADirectoryError when strict mode is enabled and a
non-directory path with a trailing slash is supplied.</li>
<li>gh-119826: Always return an absolute path for
os.path.abspath() on Windows.</li>
<li>gh-117766: Always use str() to print choices in argparse.</li>
<li>gh-101955: Fix SystemError when match regular expression
pattern containing some combination of possessive
quantifier, alternative and capture group.</li>
<li>gh-88110: Fixed multiprocessing.Process reporting a
.exitcode of 1 even on success when using the "fork" start
method while using a concurrent.futures.ThreadPoolExecutor.</li>
<li>gh-71936: Fix a race condition in
multiprocessing.pool.Pool.</li>
<li>bpo-46128: Strip unittest.IsolatedAsyncioTestCase stack
frames from reported stacktraces.</li>
<li>bpo-14074: Fix argparse metavar processing to allow
positional arguments to have a tuple metavar.</li>
</ul>
</li>
<li>IDLE<ul>
<li>gh-122392: Increase currently inadequate vertical spacing
for the IDLE browsers (path, module, and stack) on
high-resolution monitors.</li>
</ul>
</li>
<li>Documentation<ul>
<li>gh-126622: Added stub pages for removed modules explaining
their removal, where to find replacements, and linking to
the last Python version that supported them. Contributed by
Ned Batchelder.</li>
<li>gh-125277: Require Sphinx 7.2.6 or later to build the
Python documentation. Patch by Adam Turner.</li>
<li>gh-124872: Added definitions for context, current
context, and context management protocol, updated
related definitions to be consistent, and expanded the
documentation for contextvars.Context.</li>
<li>gh-125018: The importlib.metadata documentation now
includes semantic cross-reference targets for the
significant documented APIs. This means intersphinx
references like importlib.metadata.version() will now work
as expected.</li>
<li>gh-70870: Clarified the dual usage of the term “free
variable” (both the formal meaning of any reference
to names defined outside the local scope, and the
narrower pragmatic meaning of nonlocal variables named in
co_freevars).</li>
<li>gh-121277: Writers of CPython’s documentation can now use
next as the version for the versionchanged, versionadded,
deprecated directives.</li>
<li>gh-60712: Include the object type in the lists of
documented types. Change by Furkan Onder and Martin Panter.</li>
<li>bpo-34008: The Py_Main() documentation moved from the
“Very High Level API” section to the “Initialization and
Finalization” section.</li>
<li>Also make it explicit that we expect Py_Main to
typically be called instead of Py_Initialize rather
than after it (since Py_Main makes its own call to
Py_Initialize). Document that calling both is supported
but is version dependent on which settings will be applied
correctly.</li>
</ul>
</li>
<li>Core and Builtins<ul>
<li>gh-113841: Fix possible undefined behavior division by zero
in complex’s _Py_c_pow().</li>
<li>gh-127020: Fix a crash in the free threading build
when PyCode_GetCode(), PyCode_GetVarnames(),
PyCode_GetCellvars(), or PyCode_GetFreevars() were called
from multiple threads at the same time.</li>
<li>gh-126980: Fix <strong>buffer</strong>() of bytearray crashing when READ
or WRITE are passed as flags.</li>
<li>gh-126881: Fix crash in finalization of dtoa state. Patch
by Kumar Aditya.</li>
<li>gh-126341: Now ValueError is raised instead of SystemError
when trying to iterate over a released memoryview object.</li>
<li>gh-126688: Fix a crash when calling os.fork() on some
operating systems, including SerenityOS.</li>
<li>gh-126066: Fix importlib to not write an incomplete
.pyc files when a ulimit or some other operating system
mechanism is preventing the write to go through fully.</li>
<li>gh-126312: Fix crash during garbage collection on an object
frozen by gc.freeze() on the free-threaded build.</li>
<li>gh-126139: Provide better error location when attempting to
use a future statement with an unknown future feature.</li>
<li>gh-126018: Fix a crash in sys.audit() when passing a
non-string as first argument and Python was compiled in
debug mode.</li>
<li>gh-125942: On Android, the errors setting of sys.stdout was
changed from surrogateescape to backslashreplace.</li>
<li>gh-125859: Fix a crash in the free threading build when
gc.get_objects() or gc.get_referrers() is called during an
in-progress garbage collection.</li>
<li>gh-125703: Correctly honour tracemalloc hooks in
specialized Py_DECREF paths. Patch by Pablo Galindo</li>
<li>gh-125593: Use color to highlight error locations in
traceback from exception group</li>
<li>gh-125444: Fix illegal instruction for older Arm
architectures. Patch by Diego Russo, testing by Ross
Burton.</li>
<li>gh-124375: Fix a crash in the free threading build when the
GC runs concurrently with a new thread starting.</li>
<li>gh-125221: Fix possible race condition when calling
<strong>reduce_ex</strong>() for the first time in the free threading
build.</li>
<li>gh-125038: Fix crash when iterating over a generator
expression after direct changes on gi_frame.f_locals. Patch
by Mikhail Efimov.</li>
<li>gh-123378: Fix a crash in the <strong>str</strong>() method of
UnicodeError objects when the UnicodeError.start and
UnicodeError.end values are invalid or out-of-range. Patch
by Bénédikt Tran.</li>
<li>gh-116510: Fix a crash caused by immortal interned strings
being shared between sub-interpreters that use basic
single-phase init. In that case, the string can be used
by an interpreter that outlives the interpreter that
created and interned it. For interpreters that share
obmalloc state, also share the interned dict with the main
interpreter.</li>
<li>gh-122878: Use the pager binary, if available (e.g. on
Debian and derivatives), to display REPL help().</li>
<li>gh-124188: Fix reading and decoding a line from the source
file witn non-UTF-8 encoding for syntax errors raised in
the compiler.</li>
<li>gh-123930: Improve the error message when a script
shadowing a module from the standard library causes
ImportError to be raised during a “from” import. Similarly,
improve the error message when a script shadowing a third
party module attempts to “from” import an attribute from
that third party module while still initialising.</li>
<li>gh-122907: Building with HAVE_DYNAMIC_LOADING
now works as well as it did in 3.12. Existing
deficiences will be addressed separately. (See
https://github.com/python/cpython/issues/122950.)</li>
<li>gh-118950: Fix bug where SSLProtocol.connection_lost wasn’t
getting called when OSError was thrown on writing to
socket.</li>
<li>gh-113570: Fixed a bug in reprlib.repr where it incorrectly
called the repr method on shadowed Python built-in types.</li>
<li>gh-109746: If _thread.start_new_thread() fails to start a
new thread, it deletes its state from interpreter and thus
avoids its repeated cleanup on finalization.</li>
</ul>
</li>
<li>C API<ul>
<li>gh-126554: Fix error handling in ctypes.CDLL objects which
could result in a crash in rare situations.</li>
<li>gh-125608: Fix a bug where dictionary watchers
(e.g., PyDict_Watch()) on an object’s attribute dictionary
(<strong>dict</strong>) were not triggered when the object’s attributes
were modified.</li>
<li>bpo-34008: Added Py_IsInitialized to the list of APIs that
are safe to call before the interpreter is initialized, and
updated the embedding tests to cover it.</li>
</ul>
</li>
<li>
<p>Build</p>
<ul>
<li>gh-123877: Set wasm32-wasip1 as the WASI target. The old
wasm32-wasi target is deprecated so it can be used for an
eventual WASI 1.0.</li>
<li>gh-89640: Hard-code float word ordering as little endian on
WASM.</li>
<li>gh-125940: The Android build now supports 16 KB page sizes.</li>
<li>gh-89640: Improve detection of float word ordering on Linux
when link-time optimizations are enabled.</li>
<li>gh-125269: Fix detection of whether -latomic is needed when
cross-compiling CPython using the configure script.</li>
<li>gh-121634: Allow for specifying the target compile triple
for WASI.</li>
<li>gh-122578: Use WASI SDK 24 for testing.</li>
<li>gh-115382: Fix cross compile failures when the host and
target SOABIs match.</li>
</ul>
</li>
<li>
<p>Skip PGO with %want_reproducible_builds (bsc#1239210).</p>
</li>
<li>Configure externally_managed with a bcond https://en.opensuse.org/openSUSE:Python:Externally_managed (bsc#1228165).</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
Python 3 Module 15-SP7
<br/>
<code>zypper in -t patch SUSE-SLE-Module-Python3-15-SP7-2025-2074=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
Python 3 Module 15-SP7 (aarch64 ppc64le s390x x86_64)
<ul>
<li>libpython3_13-1_0-3.13.5-150700.4.11.1</li>
<li>python313-base-3.13.5-150700.4.11.1</li>
<li>python313-curses-3.13.5-150700.4.11.1</li>
<li>python313-debuginfo-3.13.5-150700.4.11.1</li>
<li>python313-idle-3.13.5-150700.4.11.1</li>
<li>python313-tk-3.13.5-150700.4.11.1</li>
<li>python313-debugsource-3.13.5-150700.4.11.1</li>
<li>python313-tools-3.13.5-150700.4.11.1</li>
<li>python313-dbm-3.13.5-150700.4.11.1</li>
<li>libpython3_13-1_0-debuginfo-3.13.5-150700.4.11.1</li>
<li>python313-core-debugsource-3.13.5-150700.4.11.1</li>
<li>python313-curses-debuginfo-3.13.5-150700.4.11.1</li>
<li>python313-tk-debuginfo-3.13.5-150700.4.11.1</li>
<li>python313-dbm-debuginfo-3.13.5-150700.4.11.1</li>
<li>python313-3.13.5-150700.4.11.1</li>
<li>python313-base-debuginfo-3.13.5-150700.4.11.1</li>
<li>python313-devel-3.13.5-150700.4.11.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2024-12254.html">https://www.suse.com/security/cve/CVE-2024-12254.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2024-12718.html">https://www.suse.com/security/cve/CVE-2024-12718.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2024-9287.html">https://www.suse.com/security/cve/CVE-2024-9287.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2025-0938.html">https://www.suse.com/security/cve/CVE-2025-0938.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2025-1795.html">https://www.suse.com/security/cve/CVE-2025-1795.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2025-4138.html">https://www.suse.com/security/cve/CVE-2025-4138.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2025-4330.html">https://www.suse.com/security/cve/CVE-2025-4330.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2025-4516.html">https://www.suse.com/security/cve/CVE-2025-4516.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2025-4517.html">https://www.suse.com/security/cve/CVE-2025-4517.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1228165">https://bugzilla.suse.com/show_bug.cgi?id=1228165</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1232241">https://bugzilla.suse.com/show_bug.cgi?id=1232241</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1234290">https://bugzilla.suse.com/show_bug.cgi?id=1234290</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1236705">https://bugzilla.suse.com/show_bug.cgi?id=1236705</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1238450">https://bugzilla.suse.com/show_bug.cgi?id=1238450</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1239210">https://bugzilla.suse.com/show_bug.cgi?id=1239210</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1243273">https://bugzilla.suse.com/show_bug.cgi?id=1243273</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1244032">https://bugzilla.suse.com/show_bug.cgi?id=1244032</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1244056">https://bugzilla.suse.com/show_bug.cgi?id=1244056</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1244059">https://bugzilla.suse.com/show_bug.cgi?id=1244059</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1244060">https://bugzilla.suse.com/show_bug.cgi?id=1244060</a>
</li>
</ul>
</div>