- 06 Mar, 2018 1 commit
-
-
Jamie Davis authored
The regex to decode a number in fpformat is susceptible to catastrophic backtracking. This is a potential DOS vector if a server is using fpformat on untrusted number strings. Replace it with an equivalent non-vulnerable regex. The match behavior of the new regex is slightly different. It captures the whole integer part of the number in one group. Leading zeros are stripped off later.
-
- 04 Mar, 2018 1 commit
-
-
Benjamin Peterson authored
* Prevent low-grade poplib REDOS (CVE-2018-1060)
  The regex to test a mail server's timestamp is susceptible to catastrophic backtracking on long evil responses from the server. Happily, the maximum length of malicious inputs is 2K thanks to a limit introduced in the fix for CVE-2013-1752. A 2KB evil response from the mail server would result in small slowdowns (milliseconds vs. microseconds) accumulated over many apop calls. This is a potential DOS vector via accumulated slowdowns. Replace it with a similar non-vulnerable regex. The new regex is RFC compliant. The old regex was non-compliant in edge cases.
* Prevent difflib REDOS (CVE-2018-1061)
  The default regex for IS_LINE_JUNK is susceptible to catastrophic backtracking. This is a potential DOS vector. Replace it with an equivalent non-vulnerable regex. Also introduce unit and REDOS tests for difflib.
Co-authored-by: Tim Peters <tim.peters@gmail.com>
Co-authored-by: Christian Heimes <christian@python.org>
(cherry picked from commit 0e6c8ee2)
-
- 02 Mar, 2018 1 commit
-
-
Brett Cannon authored
-
- 01 Mar, 2018 1 commit
-
-
Alexey Izbyshev authored
(cherry picked from commit 3e197c7a) Co-authored-by: Alexey Izbyshev <izbyshev@users.noreply.github.com>
-
- 26 Feb, 2018 1 commit
-
- 25 Feb, 2018 10 commits
-
-
Miss Islington (bot) authored
Dropped the part that says: "For objects that do not provide sequence protocol". (cherry picked from commit 7a1e1786) Co-authored-by: Zackery Spytz <zspytz@gmail.com>
-
Cheryl Sabella authored
By default `print` adds spaces between its arguments. (cherry picked from commit 84c4b0cc)
-
Miss Islington (bot) authored
(cherry picked from commit fbee8824) Co-authored-by: Mario Corchero <mariocj89@gmail.com>
-
Miss Islington (bot) authored
This code never did anything correct or useful. The class attribute will never be affected, and the condition will never be true. (cherry picked from commit 5fb632e8) Co-authored-by: Aaron Gallagher <habnabit@users.noreply.github.com>
-
Christian Heimes authored
Signed-off-by: Christian Heimes <christian@python.org> (cherry picked from commit 29eab553) Co-authored-by: Christian Heimes <christian@python.org>
-
Christian Heimes authored
Signed-off-by: Christian Heimes <christian@python.org>
-
Christian Heimes authored
The ctypes module used to depend on indirect linking for dlopen. The shared extension is now explicitly linked against libdl on platforms with dl. Signed-off-by: Christian Heimes <christian@python.org> (cherry picked from commit 5bb96925) Co-authored-by: Christian Heimes <christian@python.org>
-
Christian Heimes authored
The ssl module now detects missing NPN support in LibreSSL. Co-Authored-By: Bernard Spil <brnrd@FreeBSD.org> Signed-off-by: Christian Heimes <christian@python.org> (cherry picked from commit 6cdb7954) Co-authored-by: Christian Heimes <christian@python.org>
-
Miss Islington (bot) authored
The SSL module no longer sends IP addresses in SNI TLS extension on platforms with OpenSSL 1.0.2+ or inet_pton. Signed-off-by: Christian Heimes <christian@python.org> (cherry picked from commit e9370a47389903bb72badc95032ec84a0ebbf8cc) Co-authored-by: Christian Heimes <christian@python.org>
-
Christian Heimes authored
SSLContext.load_dh_params() now supports non-ASCII path. Signed-off-by: Christian Heimes <christian@python.org>
-
- 24 Feb, 2018 1 commit
-
-
Christian Heimes authored
Debian Unstable has disabled TLS 1.0 and 1.1 for SSLv23_METHOD(). Change TLS/SSL protocol of some tests to PROTOCOL_TLS or PROTOCOL_TLSv1_2 to make them pass on Debian. Signed-off-by: Christian Heimes <christian@python.org>
-
- 23 Feb, 2018 2 commits
-
-
Miss Islington (bot) authored
`whilst` and `while` are both English words, `whilst` is not as commonly used. This can be confusing to readers whose primary language is not English. (cherry picked from commit 98f42aac) Co-authored-by: Mariatta <Mariatta@users.noreply.github.com>
-
Anselm Kruis authored
Make test.support.temp_cwd() fork-safe. The context manager test.support.temp_cwd() no longer removes the temporary directory when executing in a process other than the parent it entered from. If a forked child exits the context manager it won't do the cleanup. (cherry picked from commit 33dddac0) Co-authored-by: Anselm Kruis <a.kruis@science-computing.de>
-
- 21 Feb, 2018 2 commits
-
-
Miss Islington (bot) authored
[2.7] bpo-31848: Fix broken error handling in Aifc_read.initfp() when the SSND chunk is not found (GH-5240) (GH-5781) Initialize self._ssnd_chunk so that aifc.Error is raised as intended, not AttributeError. (cherry picked from commit 80d20b91) Co-authored-by: Zackery Spytz <zspytz@gmail.com>
-
Benjamin Peterson authored
It's bad form to pin to an old version of TLS. ssl.SSLContext has the right protocol default, so let's not pass anyway. (cherry picked from commit e9edee0b)
-
- 19 Feb, 2018 2 commits
-
-
Raymond Hettinger authored
-
Éric Araujo authored
(cherry picked from commit 08a6926b) Co-authored-by: Éric Araujo <merwok@netwok.org>
-
- 18 Feb, 2018 1 commit
-
-
Zachary Ware authored
(cherry picked from commit 7eb3f822)
-
- 17 Feb, 2018 1 commit
-
-
Miss Islington (bot) authored
Adapt documentation for `copyright` and `credits` to reality. Previously, the documentation implied that each of `copyright`, `credits`, and `license` would print a message to call the object in order to see the full text. In reality, only `license` exhibits this behaviour, and `copyright` and `credit` print their full text either when printed, displayed, or called. (cherry picked from commit 243d6d71) Co-authored-by: Gerrit Holl <gerrit.holl@gmail.com>
-
- 14 Feb, 2018 3 commits
-
-
Miss Islington (bot) authored
A closing parenthesis was missing. Signed-off-by: Ngie Cooper <yaneurabeya@gmail.com> (cherry picked from commit 7745ec4e) Co-authored-by: ngie-eign <1574099+ngie-eign@users.noreply.github.com>
-
Miss Islington (bot) authored
Remove pkg_add -r python from FreeBSD installation section. Moved to OpenBSD. (cherry picked from commit 3384d38d) Co-authored-by: Eitan Adler <grimreaper@users.noreply.github.com>
-
Benjamin Peterson authored
(cherry picked from commit 2b86f4cb)
-
- 12 Feb, 2018 2 commits
-
-
Serhiy Storchaka authored
It now processes files as binary streams. This also fixes "make reindent".
-
Miss Islington (bot) authored
It now reads: ...be aware that Python has no control over... (cherry picked from commit 517da1e5) Co-authored-by: Alexey <forestbiiird@gmail.com>
-
- 11 Feb, 2018 3 commits
-
-
Miss Islington (bot) authored
(cherry picked from commit 6ea20fc7)
-
Zachary Ware authored
(cherry picked from commit 28607e0d)
-
Miss Islington (bot) authored
The new link is given in a red box on the old page. (cherry picked from commit 8d1f2f40) Co-authored-by: sblondon <sblondon@users.noreply.github.com>
-
- 09 Feb, 2018 1 commit
-
-
Serhiy Storchaka authored
Co-authored-by: Jake Davis <jcdavis@awedge.net> (cherry picked from commit 2411292b)
-
- 07 Feb, 2018 2 commits
-
-
Stéphane Wirtel authored
Use `f` as the name of the first parameter of `csv.DictReader` and `csv.DictWriter` classes.
-
INADA Naoki authored
-
- 06 Feb, 2018 1 commit
-
-
Benjamin Peterson authored
strop is highly legacy and can be safely compiled out in most installations. Let's not fail the test suite for its absence.
-
- 04 Feb, 2018 1 commit
-
-
Raymond Hettinger authored
-
- 03 Feb, 2018 2 commits
-
-
Raymond Hettinger authored
Manual backport of GH-5485
-
Ned Deily authored
-
- 02 Feb, 2018 1 commit
-
-
Mariatta authored
Clarify that the level argument is used to determine whether to perform absolute or relative imports: 0 is absolute, while a positive number is the number of parent directories to search relative to the current module. (cherry picked from commit 461d225b) Co-authored-by: oldk <oldk1331@users.noreply.github.com>
-