Content-Transfer-Encoding: 7bit
Content-Type: multipart/mixed; boundary="_----------=_1670414038126030"
MIME-Version: 1.0
Date: Wed, 7 Dec 2022 11:53:58 +0000
From: "Adam Ciarcinski" <adam@netbsd.org>
Subject: CVS commit: pkgsrc/lang
To: pkgsrc-changes@NetBSD.org
Reply-To: adam@netbsd.org
Message-Id: <20221207115358.222D9FA90@cvs.NetBSD.org>
Sender: pkgsrc-changes-owner@NetBSD.org
Precedence: bulk

This is a multi-part message in MIME format.

--_----------=_1670414038126030
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="UTF-8"

Module Name:	pkgsrc
Committed By:	adam
Date:		Wed Dec  7 11:53:58 UTC 2022

Modified Files:
	pkgsrc/lang/py310-html-docs: Makefile distinfo
	pkgsrc/lang/python310: PLIST dist.mk distinfo

Log Message:
python310 py310-html-docs: updated to 3.10.9

Python 3.10.9 final

Security

gh-100001: python -m http.server no longer allows terminal control characters sent within a garbage request to be printed to the stderr server log.

This is done by changing the http.server BaseHTTPRequestHandler .log_message method to replace control characters with a \xHH hex escape before printing.

gh-87604: Avoid publishing list of active per-interpreter audit hooks via the gc module

gh-98433: The IDNA codec decoder used on DNS hostnames by socket or asyncio related name resolution functions no longer involves a quadratic algorithm. This prevents a potential CPU denial of service if an out-of-spec excessive length hostname involving bidirectional characters were decoded. Some protocols such as urllib http 3xx redirects potentially allow for an attacker to supply such a name.

gh-98739: Update bundled libexpat to 2.5.0

gh-98517: Port XKCP’s fix for the buffer overflows in SHA-3 (CVE-2022-37454).

gh-97514: On Linux the multiprocessing module returns to using filesystem backed unix domain sockets for communication with the forkserver process instead of the Linux abstract socket namespace. Only code that chooses to use the “forkserver” start method is affected.

Abstract sockets have no permissions and could allow any user on the system in the same network namespace (often the whole system) to inject code into the multiprocessing forkserver process. This was a potential privilege escalation. Filesystem based socket permissions restrict this to the forkserver process user as was the default in Python 3.8 and earlier.

This prevents Linux CVE-2022-42919.

Core and Builtins

gh-99578: Fix a reference bug in _imp.create_builtin() after the creation of the first sub-interpreter for modules builtins and sys. Patch by Victor Stinner.
gh-99581: Fixed a bug that was causing a buffer overflow if the tokenizer copies a line missing the newline caracter from a file that is as long as the available tokenizer buffer. Patch by Pablo galindo
gh-96055: Update faulthandler to emit an error message with the proper unexpected signal number. Patch by Dong-hee Na.
gh-98852: Fix subscription of types.GenericAlias instances containing bare generic types: for example tuple[A, T][int], where A is a generic type, and T is a type variable.
gh-98415: Fix detection of MAC addresses for uuid on certain OSs. Patch by Chaim Sanders
gh-92119: Print exception class name instead of its string representation when raising errors from ctypes calls.
gh-93696: Allow pdb to locate source for frozen modules in the standard library.
bpo-31718: Raise ValueError instead of SystemError when methods of uninitialized io.IncrementalNewlineDecoder objects are called. Patch by Oren Milman.
bpo-38031: Fix a possible assertion failure in io.FileIO when the opener returns an invalid file descriptor.

Library

gh-100001: Also escape s in the http.server BaseHTTPRequestHandler.log_message so that it is technically possible to parse the line and reconstruct what the original data was. Without this a xHH is ambiguious as to if it is a hex replacement we put in or the characters r”x” came through in the original request line.
gh-93453: asyncio.get_event_loop() now only emits a deprecation warning when a new event loop was created implicitly. It no longer emits a deprecation warning if the current event loop was set.
gh-51524: Fix bug when calling trace.CoverageResults with valid infile.
gh-99645: Fix a bug in handling class cleanups in unittest.TestCase. Now addClassCleanup() uses separate lists for different TestCase subclasses, and doClassCleanups() only cleans up the particular class.
gh-97001: Release the GIL when calling termios APIs to avoid blocking threads.
gh-99341: Fix ast.increment_lineno() to also cover ast.TypeIgnore when changing line numbers.
gh-74044: Fixed bug where inspect.signature() reported incorrect arguments for decorated methods.
gh-99275: Fix SystemError in ctypes when exception was not set during __initsubclass__.
gh-99155: Fix statistics.NormalDist pickle with 0 and 1 protocols.
gh-99134: Update the bundled copy of pip to version 22.3.1.
gh-99130: Apply bugfixes from importlib_metadata 4.11.4, namely: In PathDistribution._name_from_stem, avoid including parts of the extension in the result. In PathDistribution._normalized_name, ensure names loaded from the stem of the filename are also normalized, ensuring duplicate entry points by packages varying only by non-normalized name are hidden.
gh-83004: Clean up refleak on failed module initialisation in _zoneinfo
gh-83004: Clean up refleaks on failed module initialisation in in _pickle
gh-83004: Clean up refleak on failed module initialisation in _io.
gh-98897: Fix memory leak in math.dist() when both points don’t have the same dimension. Patch by Kumar Aditya.
gh-98793: Fix argument typechecks in _overlapped.WSAConnect() and _overlapped.Overlapped.WSASendTo() functions.
gh-98740: Fix internal error in the re module which in very rare circumstances prevented compilation of a regular expression containing a conditional expression without the “else” branch.
gh-98703: Fix asyncio.StreamWriter.drain() to call protocol.connection_lost callback only once on Windows.
gh-98624: Add a mutex to unittest.mock.NonCallableMock to protect concurrent access to mock attributes.
gh-89237: Fix hang on Windows in subprocess.wait_closed() in asyncio with ProactorEventLoop. Patch by Kumar Aditya.
gh-98458: Fix infinite loop in unittest when a self-referencing chained exception is raised
gh-97928: tkinter.Text.count() raises now an exception for options starting with “-” instead of silently ignoring them.
gh-97966: On uname_result, restored expectation that _fields and _asdict would include all six properties including processor.
gh-98331: Update the bundled copies of pip and setuptools to versions 22.3 and 65.5.0 respectively.
gh-96035: Fix bug in urllib.parse.urlparse() that causes certain port numbers containing whitespace, underscores, plus and minus signs, or non-ASCII digits to be incorrectly accepted.
gh-98251: Allow venv to pass along PYTHON* variables to ensurepip and pip when they do not impact path resolution
gh-98178: On macOS, fix a crash in syslog.syslog() in multi-threaded applications. On macOS, the libc syslog() function is not thread-safe, so syslog.syslog() no longer releases the GIL to call it. Patch by Victor Stinner.
gh-96151: Allow BUILTINS to be a valid field name for frozen dataclasses.
gh-98086: Make sure patch.dict() can be applied on async functions.
gh-88863: To avoid apparent memory leaks when asyncio.open_connection() raises, break reference cycles generated by local exception and future instances (which has exception instance as its member var). Patch by Dong Uk, Kang.
gh-93858: Prevent error when activating venv in nested fish instances.
bpo-46364: Restrict use of sockets instead of pipes for stdin of subprocesses created by asyncio to AIX platform only.
bpo-38523: shutil.copytree() now applies the ignore_dangling_symlinks argument recursively.
bpo-36267: Fix IndexError in argparse.ArgumentParser when a store_true action is given an explicit argument.

Documentation

gh-92892: Document that calling variadic functions with ctypes requires special care on macOS/arm64 (and possibly other platforms).

Tests

gh-99892: Skip test_normalization() of test_unicodedata if it fails to download NormalizationTest.txt file from pythontest.net. Patch by Victor Stinner.
bpo-34272: Some C API tests were moved into the new Lib/test/test_capi/ directory.

Build

gh-99086: Fix -Wimplicit-int, -Wstrict-prototypes, and -Wimplicit-function-declaration compiler warnings in configure checks.
gh-99086: Fix -Wimplicit-int compiler warning in configure check for PTHREAD_SCOPE_SYSTEM.
gh-97731: Specify the full path to the source location for make docclean (needed for cross-builds).
gh-98671: Fix NO_MISALIGNED_ACCESSES being not defined for the SHA3 extension when HAVE_ALIGNED_REQUIRED is set. Allowing builds on hardware that unaligned memory accesses are not allowed.

Windows

gh-99345: Use faster initialization functions to detect install location for Windows Store package
gh-98689: Update Windows builds to zlib v1.2.13. v1.2.12 has CVE-2022-37434, but the vulnerable inflateGetHeader API is not used by Python.
gh-94328: Update Windows installer to use SQLite 3.39.4.
bpo-40882: Fix a memory leak in multiprocessing.shared_memory.SharedMemory on Windows.

macOS

gh-94328: Update macOS installer to SQLite 3.39.4.

IDLE

gh-97527: Fix a bug in the previous bugfix that caused IDLE to not start when run with 3.10.8, 3.12.0a1, and at least Microsoft Python 3.10.2288.0 installed without the Lib/test package. 3.11.0 was never affected.

Tools/Demos

gh-95731: Fix handling of module docstrings in Tools/i18n/pygettext.py.


To generate a diff of this commit:
cvs rdiff -u -r1.9 -r1.10 pkgsrc/lang/py310-html-docs/Makefile
cvs rdiff -u -r1.11 -r1.12 pkgsrc/lang/py310-html-docs/distinfo
cvs rdiff -u -r1.9 -r1.10 pkgsrc/lang/python310/PLIST \
    pkgsrc/lang/python310/dist.mk
cvs rdiff -u -r1.20 -r1.21 pkgsrc/lang/python310/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


--_----------=_1670414038126030
Content-Disposition: inline
Content-Length: 6090
Content-Transfer-Encoding: binary
Content-Type: text/x-diff; charset=us-ascii

Modified files:

Index: pkgsrc/lang/py310-html-docs/Makefile
diff -u pkgsrc/lang/py310-html-docs/Makefile:1.9 pkgsrc/lang/py310-html-docs/Makefile:1.10
--- pkgsrc/lang/py310-html-docs/Makefile:1.9	Wed Oct 12 08:02:25 2022
+++ pkgsrc/lang/py310-html-docs/Makefile	Wed Dec  7 11:53:57 2022
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.9 2022/10/12 08:02:25 adam Exp $
+# $NetBSD: Makefile,v 1.10 2022/12/07 11:53:57 adam Exp $
 
-VERS=		3.10.8
+VERS=		3.10.9
 DISTNAME=	python-${VERS}-docs-html
 PKGNAME=	py310-html-docs-${VERS}
 CATEGORIES=	lang python

Index: pkgsrc/lang/py310-html-docs/distinfo
diff -u pkgsrc/lang/py310-html-docs/distinfo:1.11 pkgsrc/lang/py310-html-docs/distinfo:1.12
--- pkgsrc/lang/py310-html-docs/distinfo:1.11	Wed Oct 12 08:02:25 2022
+++ pkgsrc/lang/py310-html-docs/distinfo	Wed Dec  7 11:53:57 2022
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.11 2022/10/12 08:02:25 adam Exp $
+$NetBSD: distinfo,v 1.12 2022/12/07 11:53:57 adam Exp $
 
-BLAKE2s (python-3.10.8-docs-html.tar.bz2) = 602f813b059d58b88000abadbf97355a0a23421c7e89f1fe822904b39c4efb45
-SHA512 (python-3.10.8-docs-html.tar.bz2) = 20640ddad52fa18704942cef8469d750ef60f830d8380c39943af13705b99fc697629c8ee6a12d827bc8b9758a30773811fb0e37dd960e7a81f118cd3e8d4f02
-Size (python-3.10.8-docs-html.tar.bz2) = 7362386 bytes
+BLAKE2s (python-3.10.9-docs-html.tar.bz2) = 6f767c5206a2481c7a77be00c6b112be470737b7c7b985ece7a8388b9edd2d90
+SHA512 (python-3.10.9-docs-html.tar.bz2) = 06677a0c5d841833e590979cc174dc4dc7d7b67c277e5af680afc205d913e11987985e1a17d8f90538ca96fae4a9940c922c7f538dea222b7ffcd446a7168b4e
+Size (python-3.10.9-docs-html.tar.bz2) = 7379489 bytes

Index: pkgsrc/lang/python310/PLIST
diff -u pkgsrc/lang/python310/PLIST:1.9 pkgsrc/lang/python310/PLIST:1.10
--- pkgsrc/lang/python310/PLIST:1.9	Wed Oct 12 08:02:25 2022
+++ pkgsrc/lang/python310/PLIST	Wed Dec  7 11:53:57 2022
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.9 2022/10/12 08:02:25 adam Exp $
+@comment $NetBSD: PLIST,v 1.10 2022/12/07 11:53:57 adam Exp $
 bin/2to3-${PY_VER_SUFFIX}
 bin/pydoc${PY_VER_SUFFIX}
 bin/python${PY_VER_SUFFIX}
@@ -1420,8 +1420,8 @@ lib/python${PY_VER_SUFFIX}/ensurepip/__m
 lib/python${PY_VER_SUFFIX}/ensurepip/_bundled/__init__.py
 lib/python${PY_VER_SUFFIX}/ensurepip/_bundled/__init__.pyc
 lib/python${PY_VER_SUFFIX}/ensurepip/_bundled/__init__.pyo
-lib/python${PY_VER_SUFFIX}/ensurepip/_bundled/pip-22.2.2-py3-none-any.whl
-lib/python${PY_VER_SUFFIX}/ensurepip/_bundled/setuptools-63.2.0-py3-none-any.whl
+lib/python${PY_VER_SUFFIX}/ensurepip/_bundled/pip-22.3.1-py3-none-any.whl
+lib/python${PY_VER_SUFFIX}/ensurepip/_bundled/setuptools-65.5.0-py3-none-any.whl
 lib/python${PY_VER_SUFFIX}/ensurepip/_uninstall.py
 lib/python${PY_VER_SUFFIX}/ensurepip/_uninstall.pyc
 lib/python${PY_VER_SUFFIX}/ensurepip/_uninstall.pyo
@@ -3503,9 +3503,6 @@ lib/python${PY_VER_SUFFIX}/test/test_cal
 lib/python${PY_VER_SUFFIX}/test/test_call.py
 lib/python${PY_VER_SUFFIX}/test/test_call.pyc
 lib/python${PY_VER_SUFFIX}/test/test_call.pyo
-lib/python${PY_VER_SUFFIX}/test/test_capi.py
-lib/python${PY_VER_SUFFIX}/test/test_capi.pyc
-lib/python${PY_VER_SUFFIX}/test/test_capi.pyo
 lib/python${PY_VER_SUFFIX}/test/test_cgi.py
 lib/python${PY_VER_SUFFIX}/test/test_cgi.pyc
 lib/python${PY_VER_SUFFIX}/test/test_cgi.pyo
@@ -3962,9 +3959,6 @@ lib/python${PY_VER_SUFFIX}/test/test_gen
 lib/python${PY_VER_SUFFIX}/test/test_genexps.py
 lib/python${PY_VER_SUFFIX}/test/test_genexps.pyc
 lib/python${PY_VER_SUFFIX}/test/test_genexps.pyo
-lib/python${PY_VER_SUFFIX}/test/test_getargs2.py
-lib/python${PY_VER_SUFFIX}/test/test_getargs2.pyc
-lib/python${PY_VER_SUFFIX}/test/test_getargs2.pyo
 lib/python${PY_VER_SUFFIX}/test/test_getopt.py
 lib/python${PY_VER_SUFFIX}/test/test_getopt.pyc
 lib/python${PY_VER_SUFFIX}/test/test_getopt.pyo
@@ -4865,9 +4859,6 @@ lib/python${PY_VER_SUFFIX}/test/test_str
 lib/python${PY_VER_SUFFIX}/test/test_struct.py
 lib/python${PY_VER_SUFFIX}/test/test_struct.pyc
 lib/python${PY_VER_SUFFIX}/test/test_struct.pyo
-lib/python${PY_VER_SUFFIX}/test/test_structmembers.py
-lib/python${PY_VER_SUFFIX}/test/test_structmembers.pyc
-lib/python${PY_VER_SUFFIX}/test/test_structmembers.pyo
 lib/python${PY_VER_SUFFIX}/test/test_structseq.py
 lib/python${PY_VER_SUFFIX}/test/test_structseq.pyc
 lib/python${PY_VER_SUFFIX}/test/test_structseq.pyo
Index: pkgsrc/lang/python310/dist.mk
diff -u pkgsrc/lang/python310/dist.mk:1.9 pkgsrc/lang/python310/dist.mk:1.10
--- pkgsrc/lang/python310/dist.mk:1.9	Wed Oct 12 08:02:25 2022
+++ pkgsrc/lang/python310/dist.mk	Wed Dec  7 11:53:57 2022
@@ -1,6 +1,6 @@
-# $NetBSD: dist.mk,v 1.9 2022/10/12 08:02:25 adam Exp $
+# $NetBSD: dist.mk,v 1.10 2022/12/07 11:53:57 adam Exp $
 
-PY_DISTVERSION=	3.10.8
+PY_DISTVERSION=	3.10.9
 DISTNAME=	Python-${PY_DISTVERSION}
 EXTRACT_SUFX=	.tar.xz
 DISTINFO_FILE=	${.CURDIR}/../../lang/python310/distinfo

Index: pkgsrc/lang/python310/distinfo
diff -u pkgsrc/lang/python310/distinfo:1.20 pkgsrc/lang/python310/distinfo:1.21
--- pkgsrc/lang/python310/distinfo:1.20	Wed Oct 12 08:02:25 2022
+++ pkgsrc/lang/python310/distinfo	Wed Dec  7 11:53:57 2022
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.20 2022/10/12 08:02:25 adam Exp $
+$NetBSD: distinfo,v 1.21 2022/12/07 11:53:57 adam Exp $
 
-BLAKE2s (Python-3.10.8.tar.xz) = d6f72731fd8d2a16cd29fe90bd19d1b9d18a7ac1b32298259c3367dd1bb4370a
-SHA512 (Python-3.10.8.tar.xz) = 40e3e77d79618c81d6fc57c5d119b99c2959dcf932f40aad6b26f2ec39c5e713e6ff298f7597b4fad2ab94680db3732483b5ca0a45e6ae58c14580b3ea44cb0f
-Size (Python-3.10.8.tar.xz) = 19619508 bytes
+BLAKE2s (Python-3.10.9.tar.xz) = 7fb50609c7a21741c4540454a086e644267e9d75b86ac3508fbb496ecee5ac7c
+SHA512 (Python-3.10.9.tar.xz) = d66ea8adeb6dc4951e612175f8838b3092967ff275b7a3470f2d86f470036aa2221e722c3144d90bcd230b88efd53dde204213f72f703e524e4b833e2ccc68e2
+Size (Python-3.10.9.tar.xz) = 19612112 bytes
 SHA1 (patch-Lib_ctypes_util.py) = 3dec1b6b7a36e46cbfa0dfcd71c5e7fac9f60764
 SHA1 (patch-Lib_distutils_unixccompiler.py) = 8a91e8f4f86517a62408c3a10ed5eb50c4091fbf
 SHA1 (patch-Lib_lib2to3_pgen2_driver.py) = 593c4e93c5653ab400f0a98b91db92630c0a7390


--_----------=_1670414038126030--