It was only meant to be release day for 3.13.4 today, but poor number 13 looked so lonely… And hey, we had a couple of tarfile CVEs that we had to fix. So most of the Release Managers and all the Developers-in-Residence (including Security Developer-in-Residence @sethmlarson) came together to make it a full release party.
gh-133767: Fix use-after-free in the “unicode-escape” decoder with a non-“strict” error handler.
gh-128840: Reject excessively long IPv6 address strings early in the ipaddress module, before they are processed, to prevent excessive memory consumption and a minor denial of service.
In addition to the security fixes mentioned above, a few additional changes to the ipaddress module were backported to make the security fixes feasible. (See the full changelog for each release for more details.)
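The gh-128840 fix above short-circuits over-long input before the parser does real work. As an added illustration, not code from CPython or from these releases, here is the same defence applied in application code, for services that take addresses from untrusted input and may still be running an unpatched interpreter. The 45-character bound is the longest syntactically valid IPv6 text form; the 64-character cap on the %zone suffix and the function names are this example's own choices.

```python
from __future__ import annotations

import ipaddress

# Longest syntactically valid IPv6 text: 8 groups of 4 hex digits is 39
# characters, and 6 groups plus an embedded dotted-quad IPv4 tail
# ("0000:0000:0000:0000:0000:ffff:255.255.255.255") is 45. Longer input
# can never be a valid address, so it need not reach the parser at all.
MAX_IPV6_TEXT_LEN = 45
# Assumption for this example: a generous cap for the "%zone" suffix that
# ipaddress accepts on IPv6 literals (there is no standard maximum).
MAX_SCOPE_ID_LEN = 64


def parse_address(text: str) -> ipaddress.IPv4Address | ipaddress.IPv6Address:
    """Parse an IP address, refusing oversized input before ipaddress sees it.

    Patched interpreters enforce an equivalent bound inside the module; this
    wrapper gives code that must also run on unpatched versions the same
    cheap early exit for untrusted input.
    """
    if not isinstance(text, str):
        raise TypeError("address must be a str")
    addr, sep, zone = text.partition("%")
    if sep and len(zone) > MAX_SCOPE_ID_LEN:
        raise ValueError(f"scope id too long ({len(zone)} chars)")
    if len(addr) > MAX_IPV6_TEXT_LEN:
        raise ValueError(
            f"address text too long ({len(addr)} chars, max {MAX_IPV6_TEXT_LEN})"
        )
    return ipaddress.ip_address(text)


def rejected_by_length_check(text: str) -> bool:
    """True if parse_address() refused `text` on length alone.

    Merely malformed text still raises ValueError, but from ipaddress itself,
    so it is reported as False here.
    """
    try:
        parse_address(text)
    except ValueError as exc:
        return "too long" in str(exc)
    return False


if __name__ == "__main__":
    # Constructed inputs: two ordinary addresses and a hostile 100 000-character
    # string of the kind the gh-128840 fix short-circuits.
    print(parse_address("2001:db8::1"), parse_address("192.0.2.1"))
    hostile = "1:" * 50_000
    print("hostile input rejected early:", rejected_by_length_check(hostile))
```

On a patched interpreter the wrapper duplicates the module's own check, which is harmless; the point is that the bound costs one length comparison and does not depend on which Python the service ends up running on.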
Python 3.13.4
In addition to the security fixes, the fourth maintenance release of Python 3.13 contains more than 300 bugfixes, build improvements and documentation changes.
Python 3.12.11
Python 3.11.13
Python 3.10.18
Python 3.9.23
Additional security content in this release (already fixed in earlier releases of the other versions):
gh-80222: Fix a bug in the folding of quoted strings when flattening an email message using a modern email policy. Previously, when a quoted string was folded so that it spanned more than one line, the surrounding quotes and internal escapes were omitted. This could theoretically be used to spoof header lines using a carefully constructed quoted string if the resulting rendered email was transmitted or re-parsed.
Stay safe and upgrade!
As always, upgrading is highly recommended to all users of affected versions.
Enjoy the new releases
Thanks to all of the many volunteers who help make Python Development and these releases possible! Please consider supporting our efforts by volunteering yourself or through organization contributions to the Python Software Foundation.
Regards from your very tired tireless release team,
Thomas Wouters @thomas
Pablo Galindo Salgado @pablogsal
Łukasz Langa @ambv
Ned Deily @nad
Steve Dower @steve.dower
With PEP 706 (the tarfile filters), I put the heavy burden of securely unpacking tarballs on the CPython team.
I still stand by what I said in the PEP – Python and its docs are the best place to improve things. Asking every individual user to review tarballs before unpacking was not the right thing to do. But doing this right is not easy, and as I feared, I didn’t get it right, leading to this expensive fix-up.
Thank you for putting in the work – especially to the volunteers on the team.
When are the installers for macOS and so on expected to be posted for v3.12.11? Version 3.12.11 for macOS is inaccessible (e.g., uv python install 3.12.11 results in “error: No download found for request: cpython-3.12.11-macos-x86_64-none”).
Sorry if my question should not be here, a first-timer.
According to the release calendar specified in PEP 693, Python 3.12 is now in the “security fixes only” stage of its life cycle: the 3.12 branch only accepts security fixes, and releases of those are made irregularly in source-only form until October 2028. Python 3.12 isn’t receiving regular bug fixes anymore, and binary installers are no longer provided for it. Python 3.12.10 was the last full bugfix release of Python 3.12 with binary installers.
But uv keeps an internal mapping of available Python releases, so to get new versions of Python you must use new versions of uv. Newly available versions are listed in its release notes: Release 0.7.11 · astral-sh/uv · GitHub
Hi, I just noticed that with version 3.13.4, the venv module's Activate.ps1 signature block has been removed. But I wasn’t able to find anything about it. Was this an intentional change?