In fact, we now require a newer Sphinx version because APIs have moved around..
(cherry picked from commit acfb087f)

closes https://github.com/python/cpython/pull/6474

(cherry picked from commit 76215a4481191b648de522a4e2120f60822f6b9c)
Co-authored-by: Ned Deily <nad@python.org>

These include:

- bpo-32726: Provide an additional, more modern macOS installer variant that
  supports macOS 10.9+ systems in 64-bit mode only. Upgrade the supplied
  third-party libraries to OpenSSL 1.0.2n and SQLite 3.22.0. The 10.9+
  installer now supplies its own private copy of Tcl/Tk 8.6.8.

- bpo-24414: Default macOS deployment target is now set by ``configure`` to
  the build system's OS version (as is done by Python 3), not ``10.4``;
  override with, for example, ``./configure MACOSX_DEPLOYMENT_TARGET=10.4``.

- bpo-19019: All 2.7 macOS installer variants now supply their own version
  of ``OpenSSL 1.0.2``; the Apple-supplied SSL libraries and root
  certificates are not longer used.  The ``Installer Certificate`` command
  in ``/Applications/Python 2.7`` may be used to download and install a
  default set of root certificates from the third-party ``certifi`` package.

- bpo-11485: python.org macOS Pythons no longer supply a default SDK value
  (e.g. ``-isysroot /``) or specific compiler version default (e.g.
  ``gcc-4.2``) when building extension modules.  Use ``CC``, ``SDKROOT``,
  and ``DEVELOPER_DIR`` environment variables to override compilers or to
  use an SDK.  See Apple's ``xcrun`` man page for more info.

- prepare for pending Apple removal of 32-bit support in future macOS release

[2.7] bpo-31920: Fixed handling directories as arguments in the ``pygettext`` script. (GH-6259) (GH-6436)

Based on patch by Oleg Krasnikov.
(cherry picked from commit c93938b5)

(cherry picked from commit ef5ce884)
Co-authored-by: Jay Crotts <crotts.jay@gmail.com>

(cherry picked from commit da1734c5)

(cherry picked from commit a95d9860)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>

gmon.out is generated when profiling turned on

Full Configuration:
./configure --prefix=$PWD/install --enable-profiling  --enable-big-digits=30
--with-pydebug --with-assertions  --with-valgrind.
(cherry picked from commit 95ad3822)
Co-authored-by: Neeraj Badlani <neerajbadlani@gmail.com>

Allow ttk.Treeview.insert to insert iid that has a false boolean value.
Note iid=0 and iid=False would be same.
(cherry picked from commit 3ab44c07)
Co-authored-by: Garvit Khatri <garvitdelhi@gmail.com>

(cherry picked from commit 030345c0)
Co-authored-by: Takuya Akiba <469803+iwiwi@users.noreply.github.com>

This change generally splits the xmlparser creation code into an unsafe part with "rollback" error handling and a safe "object initialisation done" part with normal decref cleanup.

(cherry picked from commit c0518cde)
Co-authored-by: Ned Deily <nad@python.org>

Passing True as the `bind_and_activate` *do* immediately opening and binding to their socket.
(cherry picked from commit e6223579)
Co-authored-by: cocoatomo <cocoatomo77@gmail.com>

(cherry picked from commit 0301c9bd)
Co-authored-by: Stefano Taschini <taschini@users.noreply.github.com>

LibreSSL 2.7 introduced OpenSSL 1.1.0 API. The ssl module now detects
LibreSSL 2.7 and only provides API shims for OpenSSL < 1.1.0 and
LibreSSL < 2.7.

Documentation updates and fixes for failing tests will be provided in
another patch set.

Signed-off-by: Christian Heimes <christian@python.org>.
(cherry picked from commit 4ca0739c)
Co-authored-by: Christian Heimes <christian@python.org>

bpo-31544: Avoid calling "PyObject_GetAttrString()" (and potentially executing user code) with a live exception set. (GH-3992)

(cherry picked from commit d93b5161)
Co-authored-by: Donald Stufft <donald@stufft.io>

(cherry picked from commit 9308dea3)
Co-authored-by: Zackery Spytz <zspytz@gmail.com>

(cherry picked from commit 7f81bb2a)
Co-authored-by: Donald Stufft <donald@stufft.io>

(cherry picked from commit e32bbaf376a09c149fa7c7f2919d7c9ce4e2a055)

[2.7] bpo-33026: Fix jumping out of "with" block by setting f_lineno. (GH-6026). (GH-6074) (GH-6076)

(cherry picked from commit 26c9f565)
(cherry picked from commit 04aadf23eac51fec2e436c5960c1362bbb7d03de)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>

The regex to decode a number in fpformat is susceptible to catastrophic backtracking. This is a potential DOS vector if a server is using fpformat on untrusted number strings.

Replace it with an equivalent non-vulnerable regex. The match behavior of the new regex is slightly different. It captures the whole integer part of the number in one group, Leading zeros are stripped off later.

* Prevent low-grade poplib REDOS (CVE-2018-1060)

The regex to test a mail server's timestamp is susceptible to
catastrophic backtracking on long evil responses from the server.

Happily, the maximum length of malicious inputs is 2K thanks
to a limit introduced in the fix for CVE-2013-1752.

A 2KB evil response from the mail server would result in small slowdowns
(milliseconds vs. microseconds) accumulated over many apop calls.
This is a potential DOS vector via accumulated slowdowns.

Replace it with a similar non-vulnerable regex.

The new regex is RFC compliant.
The old regex was non-compliant in edge cases.

* Prevent difflib REDOS (CVE-2018-1061)

The default regex for IS_LINE_JUNK is susceptible to
catastrophic backtracking.
This is a potential DOS vector.

Replace it with an equivalent non-vulnerable regex.

Also introduce unit and REDOS tests for difflib.
Co-authored-by: Tim Peters <tim.peters@gmail.com>
Co-authored-by: Christian Heimes <christian@python.org>.
(cherry picked from commit 0e6c8ee2)

(cherry picked from commit 3e197c7a)
Co-authored-by: Alexey Izbyshev <izbyshev@users.noreply.github.com>

(cherry picked from commit d7773d92)

Dropped the part that says: "For objects that do not provide sequence protocol".
(cherry picked from commit 7a1e1786)
Co-authored-by: Zackery Spytz <zspytz@gmail.com>

By default `print` adds spaces between its arguments.

(cherry picked from commit 84c4b0cc)

(cherry picked from commit fbee8824)
Co-authored-by: Mario Corchero <mariocj89@gmail.com>

This code never did anything correct or useful. The class attribute will never be affected, and the condition will never be true.
(cherry picked from commit 5fb632e8)
Co-authored-by: Aaron Gallagher <habnabit@users.noreply.github.com>

Signed-off-by: Christian Heimes <christian@python.org>.
(cherry picked from commit 29eab553)
Co-authored-by: Christian Heimes <christian@python.org>

Signed-off-by: Christian Heimes <christian@python.org>

The ctypes module used to depend on indirect linking for dlopen. The shared
extension is now explicitly linked against libdl on platforms with dl.

Signed-off-by: Christian Heimes <christian@python.org>.
(cherry picked from commit 5bb96925)
Co-authored-by: Christian Heimes <christian@python.org>

The ssl module now detects missing NPN support in LibreSSL.
Co-Authored-By: Bernard Spil <brnrd@FreeBSD.org>
Signed-off-by: Christian Heimes <christian@python.org>.
(cherry picked from commit 6cdb7954)
Co-authored-by: Christian Heimes <christian@python.org>

The SSL module no longer sends IP addresses in SNI TLS extension on
platforms with OpenSSL 1.0.2+ or inet_pton.
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit e9370a47389903bb72badc95032ec84a0ebbf8cc)
Co-authored-by: Christian Heimes <christian@python.org>