Greetings! We bring you a slew of releases this fine Saint Nicholas / 
Sinterklaas day. Six simultaneous releases has got to be some record. There’s 
one more record we broke this time, you’ll see below.

In any case, updating is recommended due to security content:

3.7 - 3.12: gh-98739: Updated bundled libexpat to 2.5.0 to fix CVE-2022-43680 
(heap use-after-free).

3.7 - 3.12: gh-98433: The IDNA codec decoder used on DNS hostnames by socket or 
asyncio related name resolution functions no longer involves a quadratic 
algorithm to fix CVE-2022-45061. This prevents a potential CPU denial of 
service if an out-of-spec excessive length hostname involving bidirectional 
characters were decoded. Some protocols such as urllib http 3xx redirects 
potentially allow for an attacker to supply such a name.

3.7 - 3.12: gh-100001: python -m http.server no longer allows terminal control 
characters sent within a garbage request to be printed to the stderr server log.

3.8 - 3.12: gh-87604: Avoid publishing list of active per-interpreter audit 
hooks via the gc module.

3.9 - 3.10 (already released in 3.11+ before): gh-97514: On Linux the 
multiprocessing module returns to using filesystem backed unix domain sockets 
for communication with the forkserver process instead of the Linux abstract 
socket namespace. Only code that chooses to use the “forkserver” start method 
is affected. This prevents Linux CVE-2022-42919 (potential privilege 
escalation) as abstract sockets have no permissions and could allow any user 
on the system in the same network namespace (often the whole system) to inject 
code into the multiprocessing forkserver process. This was a potential 
privilege escalation. Filesystem based socket permissions restrict this to the 
forkserver process user as was the default in Python 3.8 and earlier.

3.7 - 3.10: gh-98517: Port XKCP’s fix for the buffer overflows in SHA-3 to fix 
CVE-2022-37454.

3.7 - 3.9 (already released in 3.10+ before): gh-68966: The deprecated mailcap 
module now refuses to inject unsafe text (filenames, MIME types, parameters) 
into shell commands to address CVE-2015-20107. Instead of using such text, it 
will warn and act as if a match was not found (or for test commands, as if the 
test failed).
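The gh-98433 item above is about an out-of-spec, excessively long hostname reaching the IDNA decoder. As an added example (my own code, not part of the announcement or of CPython), here is the check a caller can apply before an untrusted hostname, such as one taken from an HTTP 3xx Location header, reaches the IDNA codec or socket.getaddrinfo(): enforce the RFC 1035 limits of 253 octets for the whole name and 63 for each label, on both the raw string and the encoded result. The function names and the sample inputs are my own.

```python
# Added example, not code from the announcement or from CPython: validate a
# hostname against the RFC 1035 length limits before it reaches the IDNA codec
# or socket.getaddrinfo(). The fix for CVE-2022-45061 makes the decoder linear,
# but code that takes hostnames from untrusted input (for example an HTTP 3xx
# Location header) can still reject out-of-spec names up front.
import socket

MAX_HOSTNAME_OCTETS = 253  # RFC 1035: whole name, excluding the trailing dot
MAX_LABEL_OCTETS = 63      # RFC 1035: each dot-separated label


def validate_hostname(name: str) -> bytes:
    """Return the ASCII (IDNA-encoded) form of *name*, or raise ValueError.

    The raw string is checked first, so an oversized or malformed name is
    rejected before the codec does any work; the encoded result is checked
    again because Punycode can be longer than the Unicode original.
    """
    if not name or len(name) > MAX_HOSTNAME_OCTETS:
        raise ValueError(f"hostname empty or longer than {MAX_HOSTNAME_OCTETS} characters")
    stripped = name[:-1] if name.endswith(".") else name
    for label in stripped.split("."):
        if not label:
            raise ValueError("hostname contains an empty label")
        if len(label) > MAX_LABEL_OCTETS:
            raise ValueError(f"label longer than {MAX_LABEL_OCTETS} characters")
    try:
        encoded = stripped.encode("idna")
    except UnicodeError as exc:
        raise ValueError(f"hostname is not valid IDNA: {exc}") from None
    if len(encoded) > MAX_HOSTNAME_OCTETS:
        raise ValueError(f"IDNA-encoded hostname exceeds {MAX_HOSTNAME_OCTETS} octets")
    return encoded


def is_valid_hostname(name: str) -> bool:
    """Boolean convenience wrapper around validate_hostname()."""
    try:
        validate_hostname(name)
    except ValueError:
        return False
    return True


def resolve(name: str, port: int):
    """Resolve *name* only after it has passed validation (needs network access)."""
    ascii_name = validate_hostname(name).decode("ascii")
    return socket.getaddrinfo(ascii_name, port)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real traffic.
    for sample in ("example.com", "bücher.example", "a" * 64 + ".example", "x" * 300):
        print(repr(sample[:40]), "->", is_valid_hostname(sample))
```

The raw-string check runs before the codec is invoked, so the name's length is bounded whether or not the interpreter carries the gh-98433 fix; the second length check covers names whose Punycode form grows past the limit.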
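The gh-100001 item concerns client-controlled bytes in a garbage request line reaching a log that is read in a terminal. As an added example (my own code, not the announcement's or CPython's), here is the defensive idea as a reusable helper: escape C0/C1 control characters and the backslash before any request text is logged, a detection helper for reviewing logs that may already contain raw control sequences, and a SimpleHTTPRequestHandler subclass that applies the escaping in log_message() for interpreters that do not carry the fix. The class and function names and the sample request line are my own constructions.

```python
# Added example, not code from the announcement or from CPython: escape
# terminal control characters before a client-supplied request line is written
# to a log, the same defensive idea as gh-100001, as a helper you can apply to
# any logging path (and to http.server on interpreters without the fix).
import http.server
import sys

# C0 controls (0x00-0x1f), DEL (0x7f) and C1 controls (0x80-0x9f) are
# rendered as \xNN. The backslash itself is doubled so that an escaped
# sequence cannot be confused with a literal backslash from the request.
_CONTROL_CHAR_TABLE = {c: f"\\x{c:02x}" for c in [*range(0x20), *range(0x7F, 0xA0)]}
_CONTROL_CHAR_TABLE[ord("\\")] = "\\\\"


def sanitize_for_log(text: str) -> str:
    """Return *text* with control characters and backslashes escaped."""
    return text.translate(_CONTROL_CHAR_TABLE)


def has_control_characters(text: str) -> bool:
    """Detection side: True if *text* would alter a terminal when printed raw."""
    return any(ord(ch) in _CONTROL_CHAR_TABLE and ch != "\\" for ch in text)


class SanitizingHandler(http.server.SimpleHTTPRequestHandler):
    """SimpleHTTPRequestHandler whose log lines are always escaped."""

    def log_message(self, format, *args):
        message = sanitize_for_log(format % args)
        sys.stderr.write("%s - - [%s] %s\n" % (
            self.address_string(), self.log_date_time_string(), message))


# Constructed sample of a garbage request line (not real traffic): an ANSI
# colour sequence, a reset, and a cursor-home sequence.
SAMPLE_REQUEST_LINE = "GET /\x1b[31mred\x1b[0m\x1b[H HTTP/1.1"

if __name__ == "__main__":
    print("raw contains controls:", has_control_characters(SAMPLE_REQUEST_LINE))
    print("escaped:", sanitize_for_log(SAMPLE_REQUEST_LINE))
    print("escaped contains controls:",
          has_control_characters(sanitize_for_log(SAMPLE_REQUEST_LINE)))
```

Escaping rather than stripping keeps the evidence in the log, so an analyst can still see exactly what the client sent, while the doubled backslash keeps the escaped form unambiguous.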
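The gh-97514 item turns on the difference between the Linux abstract socket namespace, where a name carries no permissions, and a filesystem socket protected by directory and file modes. As an added example (my own code, not the announcement's or CPython's), here are two checks a defender can run: ask the running interpreter which AF_UNIX address multiprocessing would hand to the forkserver listener and classify it, and parse /proc/net/unix text to list listening abstract-namespace sockets. It assumes that forkserver obtains its listener address from multiprocessing.connection.arbitrary_address() (which is how CPython's forkserver.py does it to my knowledge); the function names and the /proc/net/unix sample are my own constructions.

```python
# Added example, not code from the announcement or from CPython: two checks a
# defender can run on a Linux host. (1) Ask this interpreter which AF_UNIX
# address multiprocessing would hand to the forkserver listener and classify
# it; assumption: forkserver obtains that address from
# multiprocessing.connection.arbitrary_address(). (2) Parse /proc/net/unix
# text to list listening abstract-namespace sockets, which carry no
# filesystem permissions.
import os
import stat
from multiprocessing import connection

SO_ACCEPTCON_FLAG = "00010000"  # Flags column value for a listening AF_UNIX socket


def is_abstract_socket_address(address) -> bool:
    """Abstract-namespace addresses start with NUL; /proc and `ss` show '@'."""
    if isinstance(address, bytes):
        return address.startswith(b"\0")
    return isinstance(address, str) and address.startswith("\0")


def forkserver_listener_namespace():
    """Return ("abstract", None) or ("filesystem", mode of the parent directory)."""
    address = connection.arbitrary_address("AF_UNIX")
    if is_abstract_socket_address(address):
        return "abstract", None
    mode = stat.S_IMODE(os.stat(os.path.dirname(address)).st_mode)
    return "filesystem", mode


def listening_abstract_sockets(proc_net_unix_text: str):
    """Return the names of listening abstract sockets from /proc/net/unix content."""
    found = []
    for line in proc_net_unix_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 8:
            continue  # unnamed socket: no Path column
        flags, path = fields[3], fields[7]
        if flags == SO_ACCEPTCON_FLAG and path.startswith("@"):
            found.append(path)
    return found


# Constructed sample in /proc/net/unix layout (not captured from a real host).
SAMPLE_PROC_NET_UNIX = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 11111 /run/dbus/system_bus_socket
0000000000000000: 00000002 00000000 00010000 0001 01 22222 @listener-4242-0
0000000000000000: 00000003 00000000 00000000 0001 03 33333 @listener-4242-0
0000000000000000: 00000002 00000000 00000000 0001 03 44444
"""

if __name__ == "__main__":
    print("forkserver listener:", forkserver_listener_namespace())
    print("listening abstract sockets in sample:",
          listening_abstract_sockets(SAMPLE_PROC_NET_UNIX))
```

On a fixed interpreter the first check reports "filesystem" with a 0o700 temporary directory, which is the permission boundary the announcement describes; the second check is the system-wide view, since an abstract listener shows up in /proc/net/unix with a leading "@" regardless of which process created it.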

3.12.0 alpha 3

Get it here, read the change log, sing a GPT-3-generated Sinterklaas song: 

216 new commits since 3.12.0 alpha 2 last month.


Get it here, see the change log, read the recipe for quark soup: 

A whopping 495 new commits since 3.11.0. This is a massive increase in changes 
compared to 3.10 at the same stage in the release cycle: there were “only” 339 
commits between 3.10.0 and 3.10.1.


Get it here, read the change log, see circular patterns: 

165 new commits.


Get it here, read the change log, consider upgrading to a newer version: 

Security-only release with no binaries. 10 commits.


Get it here, see the change log, definitely upgrade to a newer version: 

Security-only release with no binaries. 9 commits.


Get it here, read the change log, check PEP 537 to confirm EOL is coming to 
this version in June 2023: 

Security-only release with no binaries. 8 commits.

We hope you enjoy the new releases!

Thanks to all of the many volunteers who help make Python Development and these 
releases possible! Please consider supporting our efforts by volunteering 
yourself or through organization contributions to the Python Software 
Foundation.
Your friendly release team,

Ned Deily @nad
Steve Dower @steve.dower
Pablo Galindo Salgado @pablogsal
Łukasz Langa @ambv
Thomas Wouters @thomas

