SUSE-SU-2025:3706-1

This update for python313 fixes the following issues:

Update to version 3.13.7.

• Fixes in 3.13.7:

  • gh-137583: Fix a deadlock introduced in 3.13.6 when a call to ssl.SSLSocket.recv was blocked in one thread, and then another method on the object (such as ssl.SSLSocket.send) was subsequently called in another thread.
  • gh-137044: Return large limit values as positive integers instead of negative integers in resource.getrlimit(). Accept large values and reject negative values (except RLIM_INFINITY) for limits in resource.setrlimit().
  • gh-136914: Fix retrieval of doctest.DocTest.lineno for objects decorated with functools.cache() or functools.cached_property.
  • gh-131788: Make ResourceTracker.send from multiprocessing re-entrant safe
  • gh-136155: We are now checking for fatal errors in EPUB builds in CI.
  • gh-137400: Fix a crash in the free threading build when disabling profiling or tracing across all threads with PyEvalSetProfileAllThreads() or PyEvalSetTraceAllThreads() or their Python equivalents threading.settraceallthreads() and threading.setprofileallthreads().

• Fixes in 3.13.6:

  • Security
    • gh-135661: Fix parsing start and end tags in html.parser.HTMLParser according to the HTML5 standard.
      • Whitespaces no longer accepted between does not end the script section.
      • Vertical tabulation (\v) and non-ASCII whitespaces no longer recognized as whitespaces. The only whitespaces are \t\n\r\f and space.
      • Null character (U+0000) no longer ends the tag name.
      • Attributes and slashes after the tag name in end tags are now ignored, instead of terminating after the first > in quoted attribute value. E.g. </script/foo='>'/>.
      • Multiple slashes and whitespaces between the last attribute and closing > are now ignored in both start and end tags. E.g. <a foo=bar/ //>.
      • Multiple = between attribute name and value are no longer collapsed. E.g. <a foo==bar> produces attribute “foo” with value “=bar”.
    • gh-102555: Fix comment parsing in html.parser.HTMLParser according to the HTML5 standard. --!> now ends the comment. -- > no longer ends the comment. Support abnormally ended empty comments <--> and <--->.
    • gh-135462: Fix quadratic complexity in processing specially crafted input in html.parser.HTMLParser. End-of-file errors are now handled according to the HTML5 specs – comments and declarations are automatically closed, tags are ignored (CVE-2025-6069, bsc#1244705).
    • gh-118350: Fix support of escapable raw text mode (elements “textarea” and “title”) in html.parser.HTMLParser.
  • Core and Builtins
    • gh-58124: Fix name of the Python encoding in Unicode errors of the code page codec: use “cp65000” and “cp65001” instead of “CPUTF7” and “CPUTF8” which are not valid Python code names. Patch by Victor Stinner.
    • gh-137314: Fixed a regression where raw f-strings incorrectly interpreted escape sequences in format specifications. Raw f-strings now properly preserve literal backslashes in format specs, matching the behavior from Python 3.11. For example, rf'{obj:\xFF}' now correctly produces '\xFF' instead of 'ÿ'. Patch by Pablo Galindo.
    • gh-136541: Fix some issues with the perf trampolines on x86-64 and aarch64. The trampolines were not being generated correctly for some cases, which could lead to the perf integration not working correctly. Patch by Pablo Galindo.
    • gh-109700: Fix memory error handling in PyDictSetDefault().
    • gh-78465: Fix error message for cls.new(cls, ...) where cls is not instantiable builtin or extension type (with tpnew set to NULL).
    • gh-135871: Non-blocking mutex lock attempts now return immediately when the lock is busy instead of briefly spinning in the free threading build.
    • gh-135607: Fix potential weakref races in an object’s destructor on the free threaded build.
    • gh-135496: Fix typo in the f-string conversion type error (“exclamanation” -> “exclamation”).
    • gh-130077: Properly raise custom syntax errors when incorrect syntax containing names that are prefixes of soft keywords is encountered. Patch by Pablo Galindo.
    • gh-135148: Fixed a bug where f-string debug expressions (using =) would incorrectly strip out parts of strings containing escaped quotes and # characters. Patch by Pablo Galindo.
    • gh-133136: Limit excess memory usage in the free threading build when a large dictionary or list is resized and accessed by multiple threads.
    • gh-132617: Fix dict.update() modification check that could incorrectly raise a “dict mutated during update” error when a different dictionary was modified that happens to share the same underlying keys object.
    • gh-91153: Fix a crash when a bytearray is concurrently mutated during item assignment.
    • gh-127971: Fix off-by-one read beyond the end of a string in string search.
    • gh-125723: Fix crash with giframe.flocals when generator frames outlive their generator. Patch by Mikhail Efimov.
  • Library
    • gh-132710: If possible, ensure that uuid.getnode() returns the same result even across different processes. Previously, the result was constant only within the same process. Patch by Bénédikt Tran.
    • gh-137273: Fix debug assertion failure in locale.setlocale() on Windows.
    • gh-137257: Bump the version of pip bundled in ensurepip to version 25.2
    • gh-81325: tarfile.TarFile now accepts a path-like when working on a tar archive. (Contributed by Alexander Enrique Urieles Nieto in gh-81325.)
    • gh-130522: Fix unraisable TypeError raised during interpreter shutdown in the threading module.
    • gh-130577: tarfile now validates archives to ensure member offsets are non-negative. (Contributed by Alexander Enrique Urieles Nieto in gh-130577; CVE-2025-8194, bsc#1247249).
    • gh-136549: Fix signature of threading.excepthook().
    • gh-136523: Fix wave.Wavewrite emitting an unraisable when open raises.
    • gh-52876: Add missing keepends (default True) parameter to codecs.StreamReaderWriter.readline() and codecs.StreamReaderWriter.readlines().
    • gh-85702: If zoneinfo.common.loadtzdata is given a package without a resource a zoneinfo.ZoneInfoNotFoundError is raised rather than a PermissionError. Patch by Victor Stinner.
    • gh-134759: Fix UnboundLocalError in email.message.Message.getpayload() when the payload to decode is a bytes object. Patch by Kliment Lamonov.
    • gh-136028: Fix parsing month names containing “İ” (U+0130, LATIN CAPITAL LETTER I WITH DOT ABOVE) in time.strptime(). This affects locales azAZ, berDZ, berMA and crhUA.
    • gh-135995: In the palmos encoding, make byte 0x9b decode to › (U+203A - SINGLE RIGHT-POINTING ANGLE QUOTATION MARK).
    • gh-53203: Fix time.strptime() for %c and %x formats on locales bynER, walET and lzhTW, and for %X format on locales arSA, bgBG and lzhTW.
    • gh-91555: An earlier change, which was introduced in 3.13.4, has been reverted. It disabled logging for a logger during handling of log messages for that logger. Since the reversion, the behaviour should be as it was before 3.13.4.
    • gh-135878: Fixes a crash of types.SimpleNamespace on free threading builds, when several threads were calling its repr() method at the same time.
    • gh-135836: Fix IndexError in asyncio.loop.createconnection() that could occur when non-OSError exception is raised during connection and socket’s close() raises OSError.
    • gh-135836: Fix IndexError in asyncio.loop.createconnection() that could occur when the Happy Eyeballs algorithm resulted in an empty exceptions list during connection attempts.
    • gh-135855: Raise TypeError instead of SystemError when interpreters.setmainattrs() is passed a non-dict object. Patch by Brian Schubert.
    • gh-135815: netrc: skip security checks if os.getuid() is missing. Patch by Bénédikt Tran.
    • gh-135640: Address bug where it was possible to call xml.etree.ElementTree.ElementTree.write() on an ElementTree object with an invalid root element. This behavior blanked the file passed to write if it already existed.
    • gh-135444: Fix asyncio.DatagramTransport.sendto() to account for datagram header size when data cannot be sent.
    • gh-135497: Fix os.getlogin() failing for longer usernames on BSD-based platforms.
    • gh-135487: Fix reprlib.Repr.reprint() when given integers with more than sys.getintmaxstrdigits() digits. Patch by Bénédikt Tran.
    • gh-135335: multiprocessing: Flush stdout and stderr after preloading modules in the forkserver.
    • gh-135244: uuid: when the MAC address cannot be determined, the 48-bit node ID is now generated with a cryptographically-secure pseudo-random number generator (CSPRNG) as per RFC 9562, §6.10.3. This affects uuid1().
    • gh-135069: Fix the “Invalid error handling” exception in encodings.idna.IncrementalDecoder to correctly replace the ‘errors’ parameter.
    • gh-134698: Fix a crash when calling methods of ssl.SSLContext or ssl.SSLSocket across multiple threads.
    • gh-132124: On POSIX-compliant systems, multiprocessing.util.gettempdir() now ignores TMPDIR (and similar environment variables) if the path length of AFUNIX socket files exceeds the platform-specific maximum length when using the forkserver start method. Patch by Bénédikt Tran.
    • gh-133439: Fix dot commands with trailing spaces are mistaken for multi-line SQL statements in the sqlite3 command-line interface.
    • gh-132969: Prevent the ProcessPoolExecutor executor thread, which remains running when shutdown(wait=False), from attempting to adjust the pool’s worker processes after the object state has already been reset during shutdown. A combination of conditions, including a worker process having terminated abormally, resulted in an exception and a potential hang when the still-running executor thread attempted to replace dead workers within the pool.
    • gh-130664: Support the '' digit separator in formatting of the integral part of Decimal’s. Patch by Sergey B Kirpichev.
    • gh-85702: If zoneinfo.common.loadtzdata is given a package without a resource a ZoneInfoNotFoundError is raised rather than a IsADirectoryError.
    • gh-130664: Handle corner-case for Fraction’s formatting: treat zero-padding (preceding the width field by a zero ('0') character) as an equivalent to a fill character of '0' with an alignment type of '=', just as in case of float’s.
  • Tools/Demos
    • gh-135968: Stubs for strip are now provided as part of an iOS install.
  • Tests
    • gh-135966: The iOS testbed now handles the app_packages folder as a site directory.
    • gh-135494: Fix regrtest to support excluding tests from --pgo tests. Patch by Victor Stinner.
    • gh-135489: Show verbose output for failing tests during PGO profiling step with –enable-optimizations.
  • Documentation
    • gh-135171: Document that the iterator for the leftmost for clause in the generator expression is created immediately.
  • Build
    • gh-135497: Fix the detection of MAXLOGNAME in the configure.ac script.