Python is an interpreted, object-oriented programming language, and is
often compared to Tcl, Perl, Scheme, or Java. You can find an overview
of Python in the documentation and tutorials included in the python-doc
(HTML) or python-doc-pdf (PDF) packages.
This package contains libpython3.2 shared library for embedding in
other applications.
Provides
Requires
License
Python-2.0
Changelog
* Thu Jan 29 2026 Matej Cepl <mcepl@cepl.eu>
- Add CVE-2024-6923-follow-up-EOL-email-headers.patch which is
a follow-up to the previous fix of CVE-2024-6923 further
encoding EOL possibly hidden in email headers (bsc#1257181).
- Add CVE-2025-11468-email-hdr-fold-comment.patch preserving
parens when folding comments in email headers (bsc#1257029,
CVE-2025-11468).
* Thu Dec 11 2025 Matej Cepl <mcepl@cepl.eu>
* Update to 3.14.2:
- Security
- gh-142145: Remove quadratic behavior in xml.minidom node ID
cache clearing (CVE-2025-12084, bsc#1254997).
- gh-119452: Fix a potential memory denial of service in the
http.server module. When a malicious user is connected to the
CGI server on Windows, it could cause an arbitrary amount of
memory to be allocated. This could have led to symptoms
including a MemoryError, swapping, out of memory (OOM) killed
processes or containers, or even system crashes.
- Library
- gh-140797: Revert changes to the undocumented re.Scanner
class. Capturing groups are still allowed for backward
compatibility, although using them can lead to incorrect
result. They will be forbidden in future Python versions.
- gh-142206: The resource tracker in the multiprocessing module
now uses the original communication protocol, as in Python
3.14.0 and below, by default. This avoids issues with
upgrading Python while it is running. (Note that such
‘in-place’ upgrades are not tested.) The tracker remains
compatible with subprocesses that use new protocol (that is,
subprocesses using Python 3.13.10, 3.14.1 and 3.15).
- gh-142214: Fix two regressions in dataclasses in Python
3.14.1 related to annotations. An exception is no longer
raised if slots=True is used and the __init__ method does not
have an __annotate__ attribute (likely because init=False was
used). An exception is no longer raised if annotations are
requested on the __init__ method and one of the fields is not
present in the class annotations. This can occur in certain
dynamic scenarios. Patch by Jelle Zijlstra.
- Core and Builtins
- gh-142218: Fix crash when inserting into a split table
dictionary with a non str key that matches an existing key.
- gh-116738: Fix cmath data race when initializing
trigonometric tables with subinterpreters.
* Update to 3.14.1:
- Tools/Demos
- gh-141692: Each slice of an iOS XCframework now contains
a lib folder that contains a symlink to the libpython dylib.
This allows binary modules to be compiled for iOS using
dynamic libreary linking, rather than Framework linking.
- gh-141442: The iOS testbed now correctly handles test
arguments that contain spaces.
- gh-140702: The iOS testbed app will now expose the
GITHUB_ACTIONS environment variable to iOS apps being tested.
- gh-137484: Have Tools/wasm/wasi put the build Python into
a directory named after the build triple instead of “build”.
- gh-137248: Add a --logdir option to Tools/wasm/wasi for
specifying where to write log files.
- gh-137243: Have Tools/wasm/wasi detect a WASI SDK install in
/opt when it was directly extracted from a release tarball.
- Tests
- gh-140482: Preserve and restore the state of stty echo as
part of the test environment.
- gh-140082: Update python -m test to set FORCE_COLOR=1 when
being run with color enabled so that unittest which is run by
it with redirected output will output in color.
- gh-139208: Fix regrtest --fast-ci --verbose: don’t ignore the
- -verbose option anymore. Patch by Victor Stinner.
- gh-136442: Use exitcode 1 instead of 5 if
unittest.TestCase.setUpClass() raises an exception
- Security
- gh-139700: Check consistency of the zip64 end of central
directory record. Support records with “zip64 extensible
data” if there are no bytes prepended to the ZIP file.
(CVE-2025-8291, bsc#1251305)
- gh-139283: sqlite3: correctly handle maximum number of rows
to fetch in Cursor.fetchmany and reject negative values for
Cursor.arraysize. Patch by Bénédikt Tran.
- gh-137836: Add support of the “plaintext” element, RAWTEXT
elements “xmp”, “iframe”, “noembed” and “noframes”, and
optionally RAWTEXT element “noscript” in
html.parser.HTMLParser.
- gh-136063: email.message: ensure linear complexity for legacy
HTTP parameters parsing. Patch by Bénédikt Tran.
- gh-136065: Fix quadratic complexity in os.path.expandvars()
(CVE-2025-6075, bsc#1252974)
- gh-119451: Fix a potential memory denial of service in the
http.client module. When connecting to a malicious server, it
could cause an arbitrary amount of memory to be allocated.
This could have led to symptoms including a MemoryError,
swapping, out of memory (OOM) killed processes or containers,
or even system crashes (CVE-2025-13836, bsc#1254400)
- gh-119342: Fix a potential memory denial of service in the
plistlib module. When reading a Plist file received from
untrusted source, it could cause an arbitrary amount of
memory to be allocated. This could have led to symptoms
including a MemoryError, swapping, out of memory (OOM) killed
processes or containers, or even system crashes
(CVE-2025-13837, bsc#1254401).
- Library
- gh-74389: When the stdin being used by a subprocess.Popen
instance is closed, this is now ignored in
subprocess.Popen.communicate() instead of leaving the class
in an inconsistent state.
- gh-87512: Fix subprocess.Popen.communicate() timeout handling
on Windows when writing large input. Previously, the timeout
was ignored during stdin writing, causing the method to block
indefinitely if the child process did not consume input
quickly. The stdin write is now performed in a background
thread, allowing the timeout to be properly enforced.
- gh-141473: When subprocess.Popen.communicate() was called
with input and a timeout and is called for a second time
after a TimeoutExpired exception before the process has died,
it should no longer hang.
- gh-59000: Fix pdb breakpoint resolution for class methods
when the module defining the class is not imported.
- gh-141570: Support file-like object raising OSError from
fileno() in color detection (_colorize.can_colorize()). This
can occur when sys.stdout is redirected.
- gh-141659: Fix bad file descriptor errors from
_posixsubprocess on AIX.
- gh-141600: Fix musl version detection on Void Linux.
- gh-141497: ipaddress: ensure that the methods
IPv4Network.hosts() and IPv6Network.hosts() always return an
iterator.
- gh-140938: The statistics.stdev() and statistics.pstdev()
functions now raise a ValueError when the input contains an
infinity or a NaN.
- gh-124111: Updated Tcl threading configuration in _tkinter to
assume that threads are always available in Tcl 9 and later.
- gh-137109: The os.fork and related forking APIs will no
longer warn in the common case where Linux or macOS platform
APIs return the number of threads in a process and find the
answer to be 1 even when a os.register_at_fork()
after_in_parent= callback (re)starts a thread.
- gh-141314: Fix assertion failure in io.TextIOWrapper.tell()
when reading files with standalone carriage return (\r) line
endings.
- gh-141311: Fix assertion failure in io.BytesIO.readinto() and
undefined behavior arising when read position is above
capcity in io.BytesIO.
- gh-141141: Fix a thread safety issue with base64.b85decode().
Contributed by Benel Tayar.
- gh-137969: Fix annotationlib.ForwardRef.evaluate() returning
ForwardRef objects which don’t update with new globals.
- gh-140911: collections: Ensure that the methods
UserString.rindex() and UserString.index() accept
collections.UserString instances as the sub argument.
- gh-140797: The undocumented re.Scanner class now forbids
regular expressions containing capturing groups in its
lexicon patterns. Patterns using capturing groups could
previously lead to crashes with segmentation fault. Use
non-capturing groups (?:…) instead.
- gh-125115: Refactor the pdb parsing issue so positional
arguments can pass through intuitively.
- gh-140815: faulthandler now detects if a frame or a code
object is invalid or freed. Patch by Victor Stinner.
- gh-100218: Correctly set errno when socket.if_nametoindex()
or socket.if_indextoname() raise an OSError. Patch by
Bénédikt Tran.
- gh-140875: Fix handling of unclosed character references
(named and numerical) followed by the end of file in
html.parser.HTMLParser with convert_charrefs=False.
- gh-140734: multiprocessing: fix off-by-one error when
checking the length of a temporary socket file path. Patch by
Bénédikt Tran.
- gh-140874: Bump the version of pip bundled in ensurepip to
version 25.3
- gh-140691: In urllib.request, when opening a FTP URL fails
because a data connection cannot be made, the control
connection’s socket is now closed to avoid a ResourceWarning.
- gh-103847: Fix hang when cancelling process created by
asyncio.create_subprocess_exec() or
asyncio.create_subprocess_shell(). Patch by Kumar Aditya.
- gh-120057: Add os.reload_environ() to os.__all__.
- gh-140228: Avoid making unnecessary filesystem calls for
frozen modules in linecache when the global module cache is
not present.
- gh-140590: Fix arguments checking for the
functools.partial.__setstate__() that may lead to internal
state corruption and crash. Patch by Sergey Miryanov.
- gh-125434: Display thread name in faulthandler on Windows.
Patch by Victor Stinner.
- gh-140634: Fix a reference counting bug in
os.sched_param.__reduce__().
- gh-140633: Ignore AttributeError when setting a module’s
__file__ attribute when loading an extension module packaged
as Apple Framework.
- gh-140593: xml.parsers.expat: Fix a memory leak that could
affect users with ElementDeclHandler() set to a custom
element declaration handler. Patch by Sebastian Pipping.
- gh-140607: Inside io.RawIOBase.read(), validate that the
count of bytes returned by io.RawIOBase.readinto() is valid
(inside the provided buffer).
- gh-138162: Fix logging.LoggerAdapter with merge_extra=True
and without the extra argument.
- gh-138774: ast.unparse() now generates full source code when
handling ast.Interpolation nodes that do not have a specified
source.
- gh-140474: Fix memory leak in array.array when creating
arrays from an empty str and the u type code.
- gh-137530: dataclasses Fix annotations for generated __init__
methods by replacing the annotations that were in-line in the
generated source code with __annotate__ functions attached to
the methods.
- gh-140348: Fix regression in Python 3.14.0 where using the
| operator on a typing.Union object combined with an object
that is not a type would raise an error.
- gh-140272: Fix memory leak in the clear() method of the
dbm.gnu database.
- gh-140041: Fix import of ctypes on Android and Cygwin when
ABI flags are present.
- gh-140120: Fixed a memory leak in hmac when it was using the
hacl-star backend. Discovered by @ashm-dev using
AddressSanitizer.
- gh-139905: Add suggestion to error message for typing.Generic
subclasses when cls.__parameters__ is missing due to a parent
class failing to call super().__init_subclass__() in its
__init_subclass__.
- gh-139894: Fix incorrect sharing of current task with the
child process while forking in asyncio. Patch by Kumar
Aditya.
- gh-139845: Fix to not print KeyboardInterrupt twice in
default asyncio REPL.
- gh-139783: Fix inspect.getsourcelines() for the case when
a decorator is followed by a comment or an empty line.
- gh-139809: Prevent premature colorization of subparser prog
in argparse.ArgumentParser.add_subparsers() to respect color
environment variable changes after parser creation.
- gh-139736: Fix excessive indentation in the default argparse
HelpFormatter. Patch by Alexander Edland.
- gh-70765: http.server: fix default handling of HTTP/0.9
requests in BaseHTTPRequestHandler. Previously,
BaseHTTPRequestHandler.parse_request() incorrectly waited for
headers in the request although those are not supported in
HTTP/0.9. Patch by Bénédikt Tran.
- gh-63161: Fix tokenize.detect_encoding(). Support non-UTF-8
shebang and comments if non-UTF-8 encoding is specified.
Detect decoding error for non-UTF-8 encoding. Detect null
bytes in source code.
- gh-139391: Fix an issue when, on non-Windows platforms, it
was not possible to gracefully exit a python -m asyncio
process suspended by Ctrl+Z and later resumed by fg other
than with kill.
- gh-101828: Fix 'shift_jisx0213', 'shift_jis_2004',
'euc_jisx0213' and 'euc_jis_2004' codecs truncating null
chars as they were treated as part of multi-character
sequences.
- gh-139289: Do a real lazy-import on rlcompleter in pdb and
restore the existing completer after importing rlcompleter.
- gh-139246: fix: paste zero-width in default repl width is
wrong.
- gh-90949: Add SetAllocTrackerActivationThreshold() and
SetAllocTrackerMaximumAmplification() to xmlparser objects to
prevent use of disproportional amounts of dynamic memory from
within an Expat parser. Patch by Bénédikt Tran.
- gh-139210: Fix use-after-free when reporting unknown event in
xml.etree.ElementTree.iterparse(). Patch by Ken Jin.
- gh-138860: Lazy import rlcompleter in pdb to avoid deadlock
in subprocess.
- gh-112729: Fix crash when calling
concurrent.interpreters.create() when the process is out of
memory.
- gh-135729: Fix unraisable exception during finalization when
using concurrent.interpreters in the REPL.
- gh-139076: Fix a bug in the pydoc module that was hiding
functions in a Python module if they were implemented in an
extension module and the module did not have __all__.
- gh-139065: Fix trailing space before a wrapped long word if
the line length is exactly width in textwrap.
- gh-139001: Fix race condition in pathlib.Path on the internal
_raw_paths field.
- gh-138813: multiprocessing.BaseProcess defaults kwargs to
None instead of a shared dictionary.
- gh-138993: Dedent credits text.
- gh-138891: Fix SyntaxError when inspect.get_annotations(f,
eval_str=True) is called on a function annotated with a PEP
646 star_expression
- gh-130567: Fix possible crash in locale.strxfrm() due to
a platform bug on macOS.
- gh-138859: Fix generic type parameterization raising
a TypeError when omitting a ParamSpec that has a default
which is not a list of types.
- gh-138764: Prevent anno