python
diff --git a/‎Doc/c-api/code.rst
Lines changed: 6 additions & 2 deletions b/‎Doc/c-api/code.rst
Lines changed: 6 additions & 2 deletions
diff --git a/‎Doc/library/socket.rst
Lines changed: 5 additions & 0 deletions b/‎Doc/library/socket.rst
Lines changed: 5 additions & 0 deletions
diff --git a/‎Doc/library/xml.rst
Lines changed: 13 additions & 0 deletions b/‎Doc/library/xml.rst
Lines changed: 13 additions & 0 deletions
diff --git a/‎Include/cpython/pyatomic.h
Lines changed: 6 additions & 0 deletions b/‎Include/cpython/pyatomic.h
Lines changed: 6 additions & 0 deletions
diff --git a/‎Include/cpython/pyatomic_gcc.h
Lines changed: 8 additions & 0 deletions b/‎Include/cpython/pyatomic_gcc.h
Lines changed: 8 additions & 0 deletions
diff --git a/‎Include/cpython/pyatomic_msc.h
Lines changed: 24 additions & 0 deletions b/‎Include/cpython/pyatomic_msc.h
Lines changed: 24 additions & 0 deletions
diff --git a/‎Include/cpython/pyatomic_std.h
Lines changed: 15 additions & 1 deletion b/‎Include/cpython/pyatomic_std.h
Lines changed: 15 additions & 1 deletion
diff --git a/‎Include/internal/pycore_dict.h
Lines changed: 9 additions & 1 deletion b/‎Include/internal/pycore_dict.h
Lines changed: 9 additions & 1 deletion
diff --git a/‎Include/internal/pycore_import.h
Lines changed: 0 additions & 1 deletion b/‎Include/internal/pycore_import.h
Lines changed: 0 additions & 1 deletion
diff --git a/‎Include/internal/pycore_interp.h
Lines changed: 1 addition & 0 deletions b/‎Include/internal/pycore_interp.h
Lines changed: 1 addition & 0 deletions
@@ -30,9 +30,13 @@ bound into a function.
    Return true if *co* is a :ref:`code object <code-objects>`.
    This function always succeeds.
 
-.. c:function:: int PyCode_GetNumFree(PyCodeObject *co)
+.. c:function:: Py_ssize_t PyCode_GetNumFree(PyCodeObject *co)
 
-   Return the number of free variables in *co*.
+   Return the number of free variables in a code object.
+
+.. c:function:: int PyCode_GetFirstFree(PyCodeObject *co)
+
+   Return the position of the first free variable in a code object.
 
 .. c:function:: PyCodeObject* PyUnstable_Code_New(int argcount, int kwonlyargcount, int nlocals, int stacksize, int flags, PyObject *code, PyObject *consts, PyObject *names, PyObject *varnames, PyObject *freevars, PyObject *cellvars, PyObject *filename, PyObject *name, PyObject *qualname, int firstlineno, PyObject *linetable, PyObject *exceptiontable)
 
 
@@ -445,6 +445,11 @@ Constants
       Added ``IP_PKTINFO``, ``IP_UNBLOCK_SOURCE``, ``IP_BLOCK_SOURCE``,
       ``IP_ADD_SOURCE_MEMBERSHIP``, ``IP_DROP_SOURCE_MEMBERSHIP``.
 
+   .. versionchanged:: 3.13
+      Added ``SO_BINDTOIFINDEX``. On Linux this constant can be used in the
+      same way that ``SO_BINDTODEVICE`` is used, but with the index of a
+      network interface instead of its name.
+
 .. data:: AF_CAN
           PF_CAN
           SOL_CAN_*
 
@@ -68,6 +68,7 @@ quadratic blowup           **Vulnerable** (1)  **Vulnerable** (1)  **Vulnerable*
 external entity expansion  Safe (5)            Safe (2)            Safe (3)            Safe (5)            Safe (4)
 `DTD`_ retrieval           Safe (5)            Safe                Safe                Safe (5)            Safe
 decompression bomb         Safe                Safe                Safe                Safe                **Vulnerable**
+large tokens               **Vulnerable** (6)  **Vulnerable** (6)  **Vulnerable** (6)  **Vulnerable** (6)  **Vulnerable** (6)
 =========================  ==================  ==================  ==================  ==================  ==================
 
 1. Expat 2.4.1 and newer is not vulnerable to the "billion laughs" and
@@ -81,6 +82,11 @@ decompression bomb         Safe                Safe                Safe
 4. :mod:`xmlrpc.client` doesn't expand external entities and omits them.
 5. Since Python 3.7.1, external general entities are no longer processed by
    default.
+6. Expat 2.6.0 and newer is not vulnerable to denial of service
+   through quadratic runtime caused by parsing large tokens.
+   Items still listed as vulnerable due to
+   potential reliance on system-provided libraries. Check
+   :const:`!pyexpat.EXPAT_VERSION`.
 
 
 billion laughs / exponential entity expansion
@@ -114,6 +120,13 @@ decompression bomb
   files. For an attacker it can reduce the amount of transmitted data by three
   magnitudes or more.
 
+large tokens
+  Expat needs to re-parse unfinished tokens; without the protection
+  introduced in Expat 2.6.0, this can lead to quadratic runtime that can
+  be used to cause denial of service in the application parsing XML.
+  The issue is known as
+  `CVE-2023-52425 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52425>`_.
+
 The documentation for `defusedxml`_ on PyPI has further information about
 all known attack vectors with examples and references.
 
 
@@ -469,6 +469,9 @@ _Py_atomic_load_ptr_acquire(const void *obj);
 static inline void
 _Py_atomic_store_ptr_release(void *obj, void *value);
 
+static inline void
+_Py_atomic_store_ssize_release(Py_ssize_t *obj, Py_ssize_t value);
+
 static inline void
 _Py_atomic_store_int_release(int *obj, int value);
 
@@ -484,6 +487,9 @@ _Py_atomic_load_uint64_acquire(const uint64_t *obj);
 static inline uint32_t
 _Py_atomic_load_uint32_acquire(const uint32_t *obj);
 
+static inline Py_ssize_t
+_Py_atomic_load_ssize_acquire(const Py_ssize_t *obj);
+
 
 // --- _Py_atomic_fence ------------------------------------------------------
 
 
@@ -500,6 +500,10 @@ static inline void
 _Py_atomic_store_int_release(int *obj, int value)
 { __atomic_store_n(obj, value, __ATOMIC_RELEASE); }
 
+static inline void
+_Py_atomic_store_ssize_release(Py_ssize_t *obj, Py_ssize_t value)
+{ __atomic_store_n(obj, value, __ATOMIC_RELEASE); }
+
 static inline int
 _Py_atomic_load_int_acquire(const int *obj)
 { return __atomic_load_n(obj, __ATOMIC_ACQUIRE); }
@@ -516,6 +520,10 @@ static inline uint32_t
 _Py_atomic_load_uint32_acquire(const uint32_t *obj)
 { return __atomic_load_n(obj, __ATOMIC_ACQUIRE); }
 
+static inline Py_ssize_t
+_Py_atomic_load_ssize_acquire(const Py_ssize_t *obj)
+{ return __atomic_load_n(obj, __ATOMIC_ACQUIRE); }
+
 // --- _Py_atomic_fence ------------------------------------------------------
 
 static inline void
 
@@ -939,6 +939,18 @@ _Py_atomic_store_int_release(int *obj, int value)
 #endif
 }
 
+static inline void
+_Py_atomic_store_ssize_release(Py_ssize_t *obj, Py_ssize_t value)
+{
+#if defined(_M_X64) || defined(_M_IX86)
+    *(Py_ssize_t volatile *)obj = value;
+#elif defined(_M_ARM64)
+    __stlr64((unsigned __int64 volatile *)obj, (unsigned __int64)value);
+#else
+#  error "no implementation of _Py_atomic_store_ssize_release"
+#endif
+}
+
 static inline int
 _Py_atomic_load_int_acquire(const int *obj)
 {
@@ -990,6 +1002,18 @@ _Py_atomic_load_uint32_acquire(const uint32_t *obj)
 #endif
 }
 
+static inline Py_ssize_t
+_Py_atomic_load_ssize_acquire(const Py_ssize_t *obj)
+{
+#if defined(_M_X64) || defined(_M_IX86)
+    return *(Py_ssize_t volatile *)obj;
+#elif defined(_M_ARM64)
+    return (Py_ssize_t)__ldar64((unsigned __int64 volatile *)obj);
+#else
+#  error "no implementation of _Py_atomic_load_ssize_acquire"
+#endif
+}
+
 // --- _Py_atomic_fence ------------------------------------------------------
 
  static inline void
 
@@ -879,6 +879,14 @@ _Py_atomic_store_int_release(int *obj, int value)
                           memory_order_release);
 }
 
+static inline void
+_Py_atomic_store_ssize_release(Py_ssize_t *obj, Py_ssize_t value)
+{
+    _Py_USING_STD;
+    atomic_store_explicit((_Atomic(Py_ssize_t)*)obj, value,
+                          memory_order_release);
+}
+
 static inline int
 _Py_atomic_load_int_acquire(const int *obj)
 {
@@ -908,7 +916,13 @@ _Py_atomic_load_uint32_acquire(const uint32_t *obj)
 {
     _Py_USING_STD;
     return atomic_load_explicit((const _Atomic(uint32_t)*)obj,
-                                memory_order_acquire);
+}
+
+static inline Py_ssize_t
+_Py_atomic_load_ssize_acquire(const Py_ssize_t *obj)
+{
+    _Py_USING_STD;
+    return atomic_load_explicit((const _Atomic(Py_ssize_t)*)obj,
 }
 
 
 
@@ -136,6 +136,11 @@ struct _dictkeysobject {
     /* Kind of keys */
     uint8_t dk_kind;
 
+#ifdef Py_GIL_DISABLED
+    /* Lock used to protect shared keys */
+    PyMutex dk_mutex;
+#endif
+
     /* Version number -- Reset to 0 by any modification to keys */
     uint32_t dk_version;
 
@@ -145,6 +150,7 @@ struct _dictkeysobject {
     /* Number of used entries in dk_entries. */
     Py_ssize_t dk_nentries;
 
+
     /* Actual hash table of dk_size entries. It holds indices in dk_entries,
        or DKIX_EMPTY(-1) or DKIX_DUMMY(-2).
 
@@ -205,6 +211,8 @@ static inline PyDictUnicodeEntry* DK_UNICODE_ENTRIES(PyDictKeysObject *dk) {
 #define DICT_WATCHER_MASK ((1 << DICT_MAX_WATCHERS) - 1)
 #define DICT_WATCHER_AND_MODIFICATION_MASK ((1 << (DICT_MAX_WATCHERS + DICT_WATCHED_MUTATION_BITS)) - 1)
 
+#define DICT_VALUES_SIZE(values) ((uint8_t *)values)[-1]
+
 #ifdef Py_GIL_DISABLED
 #define DICT_NEXT_VERSION(INTERP) \
     (_Py_atomic_add_uint64(&(INTERP)->dict_state.global_version, DICT_VERSION_INCREMENT) + DICT_VERSION_INCREMENT)
@@ -250,7 +258,7 @@ _PyDictValues_AddToInsertionOrder(PyDictValues *values, Py_ssize_t ix)
     assert(ix < SHARED_KEYS_MAX_SIZE);
     uint8_t *size_ptr = ((uint8_t *)values)-2;
     int size = *size_ptr;
-    assert(size+2 < ((uint8_t *)values)[-1]);
+    assert(size+2 < DICT_VALUES_SIZE(values));
     size++;
     size_ptr[-size] = (uint8_t)ix;
     *size_ptr = size;
 
@@ -11,7 +11,6 @@ extern "C" {
 
 #include "pycore_lock.h"          // PyMutex
 #include "pycore_hashtable.h"     // _Py_hashtable_t
-#include "pycore_time.h"          // PyTime_t
 
 extern int _PyImport_IsInitialized(PyInterpreterState *);
 
 
@@ -231,6 +231,7 @@ struct _is {
 
     struct _Py_dict_state dict_state;
     struct _Py_exc_state exc_state;
+    struct _Py_mem_interp_free_queue mem_free_queue;
 
     struct ast_state ast;
     struct types_state types;