Log message:
*: recursive bump for icu 78.1

Log message:
python310 py310-html-docs: updated to 3.10.19

Python 3.10.19

Security

gh-139700: Check consistency of the zip64 end of central directory record. \ 
Support records with “zip64 extensible data” if there are no bytes prepended \ 
to the ZIP file.
gh-139400: xml.parsers.expat: Make sure that parent Expat parsers are only \ 
garbage-collected once they are no longer referenced by subparsers created by \ 
ExternalEntityParserCreate(). Patch by Sebastian Pipping.
gh-135661: Fix parsing start and end tags in html.parser.HTMLParser according to \ 
the HTML5 standard.
Whitespaces no longer accepted between </ and the tag name. E.g. </ \ 
script> does not end the script section.
Vertical tabulation (\v) and non-ASCII whitespaces no longer recognized as \ 
whitespaces. The only whitespaces are \t\n\r\f and space.
Null character (U+0000) no longer ends the tag name.
Attributes and slashes after the tag name in end tags are now ignored, instead \ 
of terminating after the first > in quoted attribute value. E.g. \ 
</script/foo=">"/>.
Multiple slashes and whitespaces between the last attribute and closing > are \ 
now ignored in both start and end tags. E.g. <a foo=bar/ //>.
Multiple = between attribute name and value are no longer collapsed. E.g. <a \ 
foo==bar> produces attribute “foo” with value “=bar”.
gh-135661: Fix CDATA section parsing in html.parser.HTMLParser according to the \ 
HTML5 standard: ] ]> and ]] > no longer end the CDATA section. Add private \ 
method _set_support_cdata() which can be used to specify how to parse \ 
<[CDATA[ — as a CDATA section in foreign content (SVG or MathML) or as a \ 
bogus comment in the HTML namespace.
gh-102555: Fix comment parsing in html.parser.HTMLParser according to the HTML5 \ 
standard. --!> now ends the comment. -- > no longer ends the comment. \ 
Support abnormally ended empty comments <--> and <--->.
gh-135462: Fix quadratic complexity in processing specially crafted input in \ 
html.parser.HTMLParser. End-of-file errors are now handled according to the \ 
HTML5 specs – comments and declarations are automatically closed, tags are \ 
ignored.
gh-118350: Fix support of escapable raw text mode (elements “textarea” and \ 
“title”) in html.parser.HTMLParser.
gh-86155: html.parser.HTMLParser.close() no longer loses data when the \ 
<script> tag is not closed. Patch by Waylan Limberg.

Library

gh-139312: Upgrade bundled libexpat to 2.7.3
gh-138998: Update bundled libexpat to 2.7.2
gh-130577: tarfile now validates archives to ensure member offsets are \ 
non-negative. (Contributed by Alexander Enrique Urieles Nieto in gh-130577.)
gh-135374: Update the bundled copy of setuptools to 79.0.1.

Log message:
python310 py310-html-docs: updated to 3.10.18

Python 3.10.18 final

Security

gh-135034: Fixes multiple issues that allowed tarfile extraction filters \ 
(filter="data" and filter="tar") to be bypassed using \ 
crafted symlinks and hard links.

Addresses CVE 2024-12718, CVE 2025-4138, CVE 2025-4330, and CVE 2025-4517.

gh-133767: Fix use-after-free in the “unicode-escape” decoder with a \ 
non-“strict” error handler.

gh-128840: Short-circuit the processing of long IPv6 addresses early in \ 
ipaddress to prevent excessive memory consumption and a minor denial-of-service.

Library

gh-128840: Fix parsing long IPv6 addresses with embedded IPv4 address.
gh-134062: ipaddress: fix collisions in __hash__() for IPv4Network and \ 
IPv6Network objects.
gh-123409: Fix ipaddress.IPv6Address.reverse_pointer output according to RFC \ 
3596, §2.5. Patch by Bénédikt Tran.
bpo-43633: Improve the textual representation of IPv4-mapped IPv6 addresses (RFC \ 
4291 Sections 2.2, 2.5.5.2) in ipaddress. Patch by Oleksandr Pavliuk.

Log message:
*: recursive bump for icu 77 and libxml2 2.14

Log message:
python310 py310-html-docs: updated to 3.10.17

Python 3.10.17 final

Security

gh-131809: Update bundled libexpat to 2.7.1
gh-131261: Upgrade to libexpat 2.7.0
gh-105704: When using urllib.parse.urlsplit() and urllib.parse.urlparse() host \ 
parsing would not reject domain names containing square brackets ([ and ]). \ 
Square brackets are only valid for IPv6 and IPvFuture hosts according to RFC \ 
3986 Section 3.2.2.
gh-121284: Fix bug in the folding of rfc2047 encoded-words when flattening an \ 
email message using a modern email policy. Previously when an encoded-word was \ 
too long for a line, it would be decoded, split across lines, and re-encoded. \ 
But commas and other special characters in the original text could be left \ 
unencoded and unquoted. This could theoretically be used to spoof header lines \ 
using a carefully constructed encoded-word if the resulting rendered email was \ 
transmitted or re-parsed.
gh-80222: Fix bug in the folding of quoted strings when flattening an email \ 
message using a modern email policy. Previously when a quoted string was folded \ 
so that it spanned more than one line, the surrounding quotes and internal \ 
escapes would be omitted. This could theoretically be used to spoof header lines \ 
using a carefully constructed quoted string if the resulting rendered email was \ 
transmitted or re-parsed.
gh-119511: Fix a potential denial of service in the imaplib module. When \ 
connecting to a malicious server, it could cause an arbitrary amount of memory \ 
to be allocated. On many systems this is harmless as unused virtual memory is \ 
only a mapping, but if this hit a virtual address size limit it could lead to a \ 
MemoryError or other process crash. On unusual systems or builds where all \ 
allocated memory is touched and backed by actual ram or storage it could’ve \ 
consumed resources doing so until similarly crashing.

Library

gh-127257: In ssl, system call failures that OpenSSL reports using ERR_LIB_SYS \ 
are now raised as OSError.

Documentation

gh-121277: Writers of CPython’s documentation can now use next as the version \ 
for the versionchanged, versionadded, deprecated directives.

Log message:
lang/python*: No need for :U with USE_CROSS_COMPILE.

After including bsd.prefs.mk or bsd.fast.prefs.mk, this is guaranteed
to be defined.  If it isn't, there's a bug (like misspelling it),
which we should flag early rather than quietly suppress.

Log message:
lang/python3*: Use PY_VER_SUFFIX instead of copying & pasting it.

Change is limited to cross-builds.

No change to generated package; CONFIGURE_ARGS should be unchanged by
this.

Log message:
python310 py310-html-docs: updated to 3.10.16

Python 3.10.16

Tests

gh-125041: Re-enable skipped tests for zlib on the s390x architecture: only skip \ 
checks of the compressed bytes, which can be different between zlib’s software \ 
implementation and the hardware-accelerated implementation.
gh-109396: Fix test_socket.test_hmac_sha1() in FIPS mode. Use a longer key: FIPS \ 
mode requires at least of at least 112 bits. The previous key was only 32 bits. \ 
Patch by Victor Stinner.

Security

gh-126623: Upgrade libexpat to 2.6.4
gh-122792: Changed IPv4-mapped ipaddress.IPv6Address to consistently use the \ 
mapped IPv4 address value for deciding properties. Properties which have their \ 
behavior fixed are is_multicast, is_reserved, is_link_local, is_global, and \ 
is_unspecified.

Library

gh-124651: Properly quote template strings in venv activation scripts.
gh-103848: Add checks to ensure that [ bracketed ] hosts found by \ 
urllib.parse.urlsplit() are of IPv6 or IPvFuture format.