Python 3.11.5

What's new in this version:

Security:
- Fixed an issue where instances of ssl.SSLSocket were vulnerable to a bypass of the TLS handshake and included protections (like certificate verification) and treating sent unencrypted data as if it were post-handshake TLS encrypted data

Core and Builtins:
- Fix potential unaligned memory access on C APIs involving returned sequences of char * pointers within the grp and socket modules. These were revealed using a - fsaniziter=alignment build on ARM macOS
- Ensure that multiprocessing synchronization objects created in a fork context are not sent to a different process created in a spawn context. This changes a segfault into an actionable RuntimeError in the parent process.
- Fix a segmentation fault caused by a use-after-free bug in frame_dealloc when the trashcan delays the deallocation of a PyFrameObject.
- No longer suppress arbitrary errors in the __annotations__ getter and setter in the type and module types.
- Propagate frozen_modules to multiprocessing spawned process interpreters.
- Fix crash in _imp.get_frozen_object() due to improper exception handling.
- Fix possible crashes when specializing function calls with too many __defaults__.
- Fix an issue that could result in crashes when compiling malformed ast nodes.
- Fix bugs in the builtins module where exceptions could end up being overwritten.
- Fix bug in the compiler where an exception could end up being overwritten.
- Improve error handling in PyUnicode_BuildEncodingMap() where an exception could end up being overwritten.
- Prevent out-of-bounds memory access during mmap.find() calls.
- Improve error handling when read marshal data.

Library:
- Harmonized the pure Python version of OrderedDict with the C version. Now, both versions set up their internal state in __new__. Formerly, the pure Python version did the set up in __init__.
- Fix multiprocessing.set_forkserver_preload() to check the given list of modules names
- Fixes os.path.normpath() to handle embedded null characters without truncating the path.
- tarfile.data_filter() now takes the location of symlinks into account when determining their target, so it will no longer reject some valid tarballs with LinkOutsideDestinationError.
- Fix doctest.DocTestFinder.find() in presence of class names with special characters
- Passing a callable object as an option value to a Tkinter image now raises the expected TclError instead of an AttributeError.
- Close asyncio.StreamWriter when it is not closed by application leading to memory leaks
- Seems that in some conditions, OpenSSL will return SSL_ERROR_SYSCALL instead of SSL_ERROR_SSL when a certification verification has failed, but the error parameters will still contain ERR_LIB_SSL and SSL_R_CERTIFICATE_VERIFY_FAILED. We are now detecting this situation and raising the appropiate ssl.SSLCertVerificationError
- tarfiles; Fixed use before assignment of self.exception for gzip decompression
- Make gettext.pgettext() search plural definitions when translation is not found.
- Document behavior of shutil.disk_usage() for non-mounted filesystems on Unix.
- Do not report MultipartInvariantViolationDefect defect when the email.parser.Parser class is used to parse emails with headersonly=True.
- Fix potential missing NULL check of d2i_SSL_SESSION result in _ssl.c.
- Update the bundled copy of pip to version 23.2.1.
- Fixed several bug in zipfile.Path in name/suffix/suffixes/stem operations when no filename is present and the Path is not at the root of the zipfile.
- Add __copy__ and __deepcopy__ in enum
- Revert a change to colorsys.rgb_to_hls() that caused division by zero for certain almost-white inputs
- re module: fix the matching of possessive quantifiers in the case of a subpattern containing backtracking
- Improve debug output for atomic groups in regular expressions
- Fix flag mask inversion when unnamed flags exist
-Prevent multiprocessing.spawn from failing to import in environments where sys.executable is None. This regressed in 3.11 with the addition of support for path-like objects in multiprocessing.
- Detect possible memory allocation failure in the libtommath function mp_init() used by the _tkinter module
- Make pydoc.doc catch bad module ImportError when output stream is not None
- Fix crash when calling repr with a manually constructed SignalDict object
- Fix a bug in _Unpickler_SetInputStream() where an exception could end up being overwritten in case of failure
- Fix bugs in sys where exceptions could end up being overwritten because of deferred error handling
- Harden pyexpat error handling during module initialisation to prevent exceptions from possibly being overwritten, and objects from being dereferenced twice
- Fix bug in decimal where an exception could end up being overwritten
- Fix bugs in _datetime where exceptions could be overwritten in case of module initialisation failure
- Fix bugs in _ssl initialisation which could lead to leaked references and overwritten exceptions
- Fix a bug in array.array where an exception could end up being overwritten
- Fix bugs in _ctypes where exceptions could end up being overwritten
- Fix a bug in the posix module where an exception could be overwritten
- Fix bugs in _elementtree where exceptions could be overwritten
- Fix bugs in zoneinfo where exceptions could be overwritten
- Fix bugs in pickle where exceptions could be overwritten
- Fix flag inversion when alias/mask members exist
- Fix bugs in pickle where exceptions could be overwritten
- Revert undocumented behaviour change with runtime-checkable protocols decorated with typing.final() in Python 3.11. The behaviour change had meant that objects would not be considered instances of these protocols at runtime unless they had a __final__ attribute
- Fix a bug in sqlite3 where an exception could be overwritten in the collation callback.
- Revert pickling method from by-name back to by-value.
- Add RTSPS scheme support in urllib.parse
- Fix a bug that causes wrong matches for regular expressions with possessive qualifier.
- Hide traceback in help() prompt, when import failed.
- Restore following CPython <= 3.10.5 behavior of shutil.make_archive(): do not create an empty archive if root_dir is not a directory, and, in that case, raise FileNotFoundError or NotADirectoryError regardless of format choice. Beyond the brought-back behavior, the function may now also raise these exceptions in dry_run mode.
- Fix hanging multiprocessing ProcessPoolExecutor when a child process crashes while data is being written in the call queue
- bpo-18319: Ensure gettext(msg) retrieve translations even if a plural form exists. In other words: gettext(msg) == ngettext(msg, '', 1).

Documentation:
- Document the curses module variables LINES and COLS
- Add a number of standard external names to nitpick_ignore
-Add documentation on how to localize the argparse module

Tests:
- Fix test_cppext when the C compiler command -std=c11 option: remove -std= options from the compiler command
- test_logging: Fix test_udp_reconnection() by increasing the timeout from 100 ms to 5 minutes (LONG_TIMEOUT)
- When running the Python test suite with -jN option, if a worker stdout cannot be decoded from the locale encoding report a failed testn so the exitcode is non-zero

Build:
- When calling find_python.bat with -q it did not properly silence the output of nuget. That is now fixed.
- Check for linux/limits.h before including it in Modules/posixmodule.c.
- Include commoninstall as a prerequisite for bininstall
- This ensures that commoninstall is completed before bininstall is started when parallel builds are used (make -j install), and so the python3 symlink is only installed after all standard library modules are installed.
- Allows -Wno-int-conversion for wasm-sdk 17 and onwards, thus enables building WASI builds once against the latest sdk

Windows:
- Fixes realpath() to behave consistently when passed a path containing an embedded null character on Windows. In strict mode, it now raises OSError instead of the unexpected ValueError, and in non-strict mode will make the path absolute.
- Fix integer overflow in _winapi.LCMapStringEx() which affects ntpath.normcase().
- Update Windows build to use OpenSSL 3.0.9
- Ensure that an empty environment block is terminated by two null characters, as is required by Windows.

macOS:
- Update macOS installer to use OpenSSL 3.0.10.
- Update macOS installer to use OpenSSL 3.0.9.
- Tools/Demos
- Update multissltests and GitHub CI workflows to use OpenSSL 1.1.1v, 3.0.10, and 3.1.2.
-Argument Clinic now supports overriding automatically generated signature by using directive @text_signature. See How to override the generated signature.
- Fix bugs in the Argument Clinic destination <name> clear command; the destination buffers would never be cleared, and the destination directive parser would simply continue to the fault handler after processing the command

C API:
- C API functions PyErr_SetFromErrnoWithFilename(), PyErr_SetExcFromWindowsErrWithFilename() and PyErr_SetFromWindowsErrWithFilename() save now the error code before calling PyUnicode_DecodeFSDefault()
- Such C API functions as PyErr_SetString(), PyErr_Format(), PyErr_SetFromErrnoWithFilename() and many others no longer crash or ignore errors if it failed to format the error message or decode the filename. Instead, they keep a corresponding error.
- PyModule_AddObjectRef() is now only available in the limited API version 3.10 or later.
- Fix a bug in PyErr_WarnExplicit() where an exception could end up being overwritten if the API failed internally.
- Fix PyUnicode_DecodeUTF8Stateful() for ASCII-only data: *consumed was not set