https://github.com/python/cpython/commit/3bb231a6a5dc02b95658877318bf61501a7209e9
commit: 3bb231a6a5dc02b95658877318bf61501a7209e9
branch: 3.12
author: Thomas Wouters <[email protected]>
committer: Yhg1s <[email protected]>
date: 2026-03-03T13:39:30+01:00
summary:

Python 3.12.13

files:
A Misc/NEWS.d/3.12.13.rst
D Misc/NEWS.d/next/Library/2025-09-22-14-40-11.gh-issue-90949.UM35nb.rst
D Misc/NEWS.d/next/Library/2026-01-31-17-15-49.gh-issue-144363.X9f0sU.rst
D Misc/NEWS.d/next/Library/2026-02-15-00-00-00.gh-issue-144833.TUelo1.rst
D Misc/NEWS.d/next/Security/2024-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst
D Misc/NEWS.d/next/Security/2024-05-23-11-44-41.gh-issue-119452.PRfsSv.rst
D Misc/NEWS.d/next/Security/2024-05-23-11-47-48.gh-issue-119451.qkJe9-.rst
D Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst
D Misc/NEWS.d/next/Security/2025-06-28-13-23-53.gh-issue-136063.aGk0Jv.rst
D Misc/NEWS.d/next/Security/2025-08-15-23-08-44.gh-issue-137836.b55rhh.rst
D Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst
D Misc/NEWS.d/next/Security/2026-01-16-11-07-36.gh-issue-143916.dpWeOD.rst
D Misc/NEWS.d/next/Security/2026-01-16-11-13-15.gh-issue-143919.kchwZV.rst
D Misc/NEWS.d/next/Security/2026-01-16-11-51-19.gh-issue-143925.mrtcHW.rst
D Misc/NEWS.d/next/Security/2026-01-16-14-40-31.gh-issue-143935.U2YtKl.rst
D Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst
M Doc/library/pyexpat.rst
M Include/patchlevel.h
M Lib/pydoc_data/topics.py
M README.rst

diff --git a/Doc/library/pyexpat.rst b/Doc/library/pyexpat.rst
index fba1449cd20c36..c806a21aeea6f8 100644
--- a/Doc/library/pyexpat.rst
+++ b/Doc/library/pyexpat.rst
@@ -255,7 +255,7 @@ common XML vulnerabilities.
    The corresponding :attr:`~ExpatError.lineno` and :attr:`~ExpatError.offset`
    should not be used as they may have no special meaning.
 
-   .. versionadded:: next
+   .. versionadded:: 3.12.13
 
 .. method:: xmlparser.SetAllocTrackerMaximumAmplification(max_factor, /)
 
@@ -285,7 +285,7 @@ common XML vulnerabilities.
       that can be adjusted by :meth:`.SetAllocTrackerActivationThreshold`
       is exceeded.
 
-   .. versionadded:: next
+   .. versionadded:: 3.12.13
 
 
 :class:`xmlparser` objects have the following attributes:
diff --git a/Include/patchlevel.h b/Include/patchlevel.h
index 4fe232e1dbc3fa..a9e55db31f35e7 100644
--- a/Include/patchlevel.h
+++ b/Include/patchlevel.h
@@ -18,12 +18,12 @@
 /*--start constants--*/
 #define PY_MAJOR_VERSION        3
 #define PY_MINOR_VERSION        12
-#define PY_MICRO_VERSION        12
+#define PY_MICRO_VERSION        13
 #define PY_RELEASE_LEVEL        PY_RELEASE_LEVEL_FINAL
 #define PY_RELEASE_SERIAL       0
 
 /* Version as a string */
-#define PY_VERSION              "3.12.12+"
+#define PY_VERSION              "3.12.13"
 /*--end constants--*/
 
 /* Version as a single 4-byte hex number, e.g. 0x010502B2 == 1.5.2b2.
diff --git a/Lib/pydoc_data/topics.py b/Lib/pydoc_data/topics.py
index 3593d44cc5c5a9..e0e524f6729610 100644
--- a/Lib/pydoc_data/topics.py
+++ b/Lib/pydoc_data/topics.py
@@ -1,4 +1,4 @@
-# Autogenerated by Sphinx on Thu Oct  9 13:06:56 2025
+# Autogenerated by Sphinx on Tue Mar  3 13:38:43 2026
 # as part of the release process.
 
 topics = {
diff --git a/Misc/NEWS.d/3.12.13.rst b/Misc/NEWS.d/3.12.13.rst
new file mode 100644
index 00000000000000..e6143240cc7ce9
--- /dev/null
+++ b/Misc/NEWS.d/3.12.13.rst
@@ -0,0 +1,168 @@
+.. date: 2026-01-21-12-34-05
+.. gh-issue: 144125
+.. nonce: TAz5uo
+.. release date: 2026-03-03
+.. section: Security
+
+:mod:`~email.generator.BytesGenerator` will now refuse to serialize (write)
+headers that are unsafely folded or delimited; see
+:attr:`~email.policy.Policy.verify_generated_headers`. (Contributed by Bas
+Bloemsaat and Petr Viktorin in :gh:`121650`).
+
+..
+
+.. date: 2026-01-16-14-40-31
+.. gh-issue: 143935
+.. nonce: U2YtKl
+.. section: Security
+
+Fixed a bug in the folding of comments when flattening an email message
+using a modern email policy. Comments consisting of a very long sequence of
+non-foldable characters could trigger a forced line wrap that omitted the
+required leading space on the continuation line, causing the remainder of
+the comment to be interpreted as a new header field. This enabled header
+injection with carefully crafted inputs.
+
+..
+
+.. date: 2026-01-16-11-51-19
+.. gh-issue: 143925
+.. nonce: mrtcHW
+.. section: Security
+
+Reject control characters in ``data:`` URL media types.
+
+..
+
+.. date: 2026-01-16-11-13-15
+.. gh-issue: 143919
+.. nonce: kchwZV
+.. section: Security
+
+Reject control characters in :class:`http.cookies.Morsel` fields and values.
+
+..
+
+.. date: 2026-01-16-11-07-36
+.. gh-issue: 143916
+.. nonce: dpWeOD
+.. section: Security
+
+Reject C0 control characters within wsgiref.headers.Headers fields, values,
+and parameters.
+
+..
+
+.. date: 2025-12-01-09-36-45
+.. gh-issue: 142145
+.. nonce: tcAUhg
+.. section: Security
+
+Remove quadratic behavior in ``xml.minidom`` node ID cache clearing.  In
+order to do this without breaking existing users, we also add the
+*ownerDocument* attribute to :mod:`xml.dom.minidom` elements and attributes
+created by directly instantiating the ``Element`` or ``Attr`` class. Note
+that this way of creating nodes is not supported; creator functions like
+:py:meth:`xml.dom.Document.documentElement` should be used instead.
+
+..
+
+.. date: 2025-08-15-23-08-44
+.. gh-issue: 137836
+.. nonce: b55rhh
+.. section: Security
+
+Add support of the "plaintext" element, RAWTEXT elements "xmp", "iframe",
+"noembed" and "noframes", and optionally RAWTEXT element "noscript" in
+:class:`html.parser.HTMLParser`.
+
+..
+
+.. date: 2025-06-28-13-23-53
+.. gh-issue: 136063
+.. nonce: aGk0Jv
+.. section: Security
+
+:mod:`email.message`: ensure linear complexity for legacy HTTP parameters
+parsing. Patch by Bénédikt Tran.
+
+..
+
+.. date: 2025-05-30-22-33-27
+.. gh-issue: 136065
+.. nonce: bu337o
+.. section: Security
+
+Fix quadratic complexity in :func:`os.path.expandvars`.
+
+..
+
+.. date: 2024-05-23-11-47-48
+.. gh-issue: 119451
+.. nonce: qkJe9-
+.. section: Security
+
+Fix a potential memory denial of service in the :mod:`http.client` module.
+When connecting to a malicious server, it could cause an arbitrary amount of
+memory to be allocated. This could have led to symptoms including a
+:exc:`MemoryError`, swapping, out of memory (OOM) killed processes or
+containers, or even system crashes.
+
+..
+
+.. date: 2024-05-23-11-44-41
+.. gh-issue: 119452
+.. nonce: PRfsSv
+.. section: Security
+
+Fix a potential memory denial of service in the :mod:`http.server` module.
+When a malicious user is connected to the CGI server on Windows, it could
+cause an arbitrary amount of memory to be allocated. This could have led to
+symptoms including a :exc:`MemoryError`, swapping, out of memory (OOM)
+killed processes or containers, or even system crashes.
+
+..
+
+.. date: 2024-05-21-22-11-31
+.. gh-issue: 119342
+.. nonce: BTFj4Z
+.. section: Security
+
+Fix a potential memory denial of service in the :mod:`plistlib` module. When
+reading a Plist file received from untrusted source, it could cause an
+arbitrary amount of memory to be allocated. This could have led to symptoms
+including a :exc:`MemoryError`, swapping, out of memory (OOM) killed
+processes or containers, or even system crashes.
+
+..
+
+.. date: 2026-02-15-00-00-00
+.. gh-issue: 144833
+.. nonce: TUelo1
+.. section: Library
+
+Fixed a use-after-free in :mod:`ssl` when ``SSL_new()`` returns NULL in
+``newPySSLSocket()``. The error was reported via a dangling pointer after
+the object had already been freed.
+
+..
+
+.. date: 2026-01-31-17-15-49
+.. gh-issue: 144363
+.. nonce: X9f0sU
+.. section: Library
+
+Update bundled `libexpat <https://libexpat.github.io/>`_ to 2.7.4
+
+..
+
+.. date: 2025-09-22-14-40-11
+.. gh-issue: 90949
+.. nonce: UM35nb
+.. section: Library
+
+Add :meth:`~xml.parsers.expat.xmlparser.SetAllocTrackerActivationThreshold`
+and :meth:`~xml.parsers.expat.xmlparser.SetAllocTrackerMaximumAmplification`
+to :ref:`xmlparser <xmlparser-objects>` objects to prevent use of
+disproportional amounts of dynamic memory from within an Expat parser. Patch
+by Bénédikt Tran.
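Review bot: The first Security entry carries `gh-issue: 144125` in its metadata but credits :gh:`121650` in its body; confirm which issue the entry should point to, so the changelog link leads to the discussion of this fix. In the same entry, `BytesGenerator` is referenced with the :mod: role although it is a class in `email.generator`, so :class: is the role that would resolve. Two smaller consistency points: the 143916 entry names wsgiref.headers.Headers as plain text while the neighbouring 143919 entry uses :class: for `http.cookies.Morsel`, and the 142145 entry writes ``xml.minidom`` in its first sentence but :mod:`xml.dom.minidom` in the next.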
diff --git 
a/Misc/NEWS.d/next/Library/2025-09-22-14-40-11.gh-issue-90949.UM35nb.rst 
b/Misc/NEWS.d/next/Library/2025-09-22-14-40-11.gh-issue-90949.UM35nb.rst
deleted file mode 100644
index 5611f33fb8e37b..00000000000000
--- a/Misc/NEWS.d/next/Library/2025-09-22-14-40-11.gh-issue-90949.UM35nb.rst
+++ /dev/null
@@ -1,5 +0,0 @@
-Add :meth:`~xml.parsers.expat.xmlparser.SetAllocTrackerActivationThreshold`
-and :meth:`~xml.parsers.expat.xmlparser.SetAllocTrackerMaximumAmplification`
-to :ref:`xmlparser <xmlparser-objects>` objects to prevent use of
-disproportional amounts of dynamic memory from within an Expat parser.
-Patch by Bénédikt Tran.
diff --git 
a/Misc/NEWS.d/next/Library/2026-01-31-17-15-49.gh-issue-144363.X9f0sU.rst 
b/Misc/NEWS.d/next/Library/2026-01-31-17-15-49.gh-issue-144363.X9f0sU.rst
deleted file mode 100644
index c17cea6613d06b..00000000000000
--- a/Misc/NEWS.d/next/Library/2026-01-31-17-15-49.gh-issue-144363.X9f0sU.rst
+++ /dev/null
@@ -1 +0,0 @@
-Update bundled `libexpat <https://libexpat.github.io/>`_ to 2.7.4
diff --git 
a/Misc/NEWS.d/next/Library/2026-02-15-00-00-00.gh-issue-144833.TUelo1.rst 
b/Misc/NEWS.d/next/Library/2026-02-15-00-00-00.gh-issue-144833.TUelo1.rst
deleted file mode 100644
index 6d5b18f59ee7ea..00000000000000
--- a/Misc/NEWS.d/next/Library/2026-02-15-00-00-00.gh-issue-144833.TUelo1.rst
+++ /dev/null
@@ -1,3 +0,0 @@
-Fixed a use-after-free in :mod:`ssl` when ``SSL_new()`` returns NULL in
-``newPySSLSocket()``. The error was reported via a dangling pointer after the
-object had already been freed.
diff --git 
a/Misc/NEWS.d/next/Security/2024-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst 
b/Misc/NEWS.d/next/Security/2024-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst
deleted file mode 100644
index 04fd8faca4cf7e..00000000000000
--- a/Misc/NEWS.d/next/Security/2024-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst
+++ /dev/null
@@ -1,5 +0,0 @@
-Fix a potential memory denial of service in the :mod:`plistlib` module.
-When reading a Plist file received from untrusted source, it could cause
-an arbitrary amount of memory to be allocated.
-This could have led to symptoms including a :exc:`MemoryError`, swapping, out
-of memory (OOM) killed processes or containers, or even system crashes.
diff --git 
a/Misc/NEWS.d/next/Security/2024-05-23-11-44-41.gh-issue-119452.PRfsSv.rst 
b/Misc/NEWS.d/next/Security/2024-05-23-11-44-41.gh-issue-119452.PRfsSv.rst
deleted file mode 100644
index 98956627f2b30d..00000000000000
--- a/Misc/NEWS.d/next/Security/2024-05-23-11-44-41.gh-issue-119452.PRfsSv.rst
+++ /dev/null
@@ -1,5 +0,0 @@
-Fix a potential memory denial of service in the :mod:`http.server` module.
-When a malicious user is connected to the CGI server on Windows, it could cause
-an arbitrary amount of memory to be allocated.
-This could have led to symptoms including a :exc:`MemoryError`, swapping, out
-of memory (OOM) killed processes or containers, or even system crashes.
diff --git 
a/Misc/NEWS.d/next/Security/2024-05-23-11-47-48.gh-issue-119451.qkJe9-.rst 
b/Misc/NEWS.d/next/Security/2024-05-23-11-47-48.gh-issue-119451.qkJe9-.rst
deleted file mode 100644
index 6d6f25cd2f8bf7..00000000000000
--- a/Misc/NEWS.d/next/Security/2024-05-23-11-47-48.gh-issue-119451.qkJe9-.rst
+++ /dev/null
@@ -1,5 +0,0 @@
-Fix a potential memory denial of service in the :mod:`http.client` module.
-When connecting to a malicious server, it could cause
-an arbitrary amount of memory to be allocated.
-This could have led to symptoms including a :exc:`MemoryError`, swapping, out
-of memory (OOM) killed processes or containers, or even system crashes.
diff --git 
a/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst 
b/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst
deleted file mode 100644
index 1d152bb5318380..00000000000000
--- a/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst
+++ /dev/null
@@ -1 +0,0 @@
-Fix quadratic complexity in :func:`os.path.expandvars`.
diff --git 
a/Misc/NEWS.d/next/Security/2025-06-28-13-23-53.gh-issue-136063.aGk0Jv.rst 
b/Misc/NEWS.d/next/Security/2025-06-28-13-23-53.gh-issue-136063.aGk0Jv.rst
deleted file mode 100644
index 940a3ad5a72f68..00000000000000
--- a/Misc/NEWS.d/next/Security/2025-06-28-13-23-53.gh-issue-136063.aGk0Jv.rst
+++ /dev/null
@@ -1,2 +0,0 @@
-:mod:`email.message`: ensure linear complexity for legacy HTTP parameters
-parsing. Patch by Bénédikt Tran.
diff --git 
a/Misc/NEWS.d/next/Security/2025-08-15-23-08-44.gh-issue-137836.b55rhh.rst 
b/Misc/NEWS.d/next/Security/2025-08-15-23-08-44.gh-issue-137836.b55rhh.rst
deleted file mode 100644
index c30c9439a76a19..00000000000000
--- a/Misc/NEWS.d/next/Security/2025-08-15-23-08-44.gh-issue-137836.b55rhh.rst
+++ /dev/null
@@ -1,3 +0,0 @@
-Add support of the "plaintext" element, RAWTEXT elements "xmp", "iframe",
-"noembed" and "noframes", and optionally RAWTEXT element "noscript" in
-:class:`html.parser.HTMLParser`.
diff --git 
a/Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst 
b/Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst
deleted file mode 100644
index 05c7df35d14bef..00000000000000
--- a/Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst
+++ /dev/null
@@ -1,6 +0,0 @@
-Remove quadratic behavior in ``xml.minidom`` node ID cache clearing.  In order
-to do this without breaking existing users, we also add the *ownerDocument*
-attribute to :mod:`xml.dom.minidom` elements and attributes created by directly
-instantiating the ``Element`` or ``Attr`` class. Note that this way of creating
-nodes is not supported; creator functions like
-:py:meth:`xml.dom.Document.documentElement` should be used instead.
diff --git 
a/Misc/NEWS.d/next/Security/2026-01-16-11-07-36.gh-issue-143916.dpWeOD.rst 
b/Misc/NEWS.d/next/Security/2026-01-16-11-07-36.gh-issue-143916.dpWeOD.rst
deleted file mode 100644
index 44bd0b27059f94..00000000000000
--- a/Misc/NEWS.d/next/Security/2026-01-16-11-07-36.gh-issue-143916.dpWeOD.rst
+++ /dev/null
@@ -1,2 +0,0 @@
-Reject C0 control characters within wsgiref.headers.Headers fields, values,
-and parameters.
diff --git 
a/Misc/NEWS.d/next/Security/2026-01-16-11-13-15.gh-issue-143919.kchwZV.rst 
b/Misc/NEWS.d/next/Security/2026-01-16-11-13-15.gh-issue-143919.kchwZV.rst
deleted file mode 100644
index 788c3e4ac2ebf7..00000000000000
--- a/Misc/NEWS.d/next/Security/2026-01-16-11-13-15.gh-issue-143919.kchwZV.rst
+++ /dev/null
@@ -1 +0,0 @@
-Reject control characters in :class:`http.cookies.Morsel` fields and values.
diff --git 
a/Misc/NEWS.d/next/Security/2026-01-16-11-51-19.gh-issue-143925.mrtcHW.rst 
b/Misc/NEWS.d/next/Security/2026-01-16-11-51-19.gh-issue-143925.mrtcHW.rst
deleted file mode 100644
index 46109dfbef3ee7..00000000000000
--- a/Misc/NEWS.d/next/Security/2026-01-16-11-51-19.gh-issue-143925.mrtcHW.rst
+++ /dev/null
@@ -1 +0,0 @@
-Reject control characters in ``data:`` URL media types.
diff --git 
a/Misc/NEWS.d/next/Security/2026-01-16-14-40-31.gh-issue-143935.U2YtKl.rst 
b/Misc/NEWS.d/next/Security/2026-01-16-14-40-31.gh-issue-143935.U2YtKl.rst
deleted file mode 100644
index c3d864936884ac..00000000000000
--- a/Misc/NEWS.d/next/Security/2026-01-16-14-40-31.gh-issue-143935.U2YtKl.rst
+++ /dev/null
@@ -1,6 +0,0 @@
-Fixed a bug in the folding of comments when flattening an email message
-using a modern email policy. Comments consisting of a very long sequence of
-non-foldable characters could trigger a forced line wrap that omitted the
-required leading space on the continuation line, causing the remainder of
-the comment to be interpreted as a new header field. This enabled header
-injection with carefully crafted inputs.
diff --git 
a/Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst 
b/Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst
deleted file mode 100644
index e6333e724972c5..00000000000000
--- a/Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst
+++ /dev/null
@@ -1,4 +0,0 @@
-:mod:`~email.generator.BytesGenerator` will now refuse to serialize (write) 
headers
-that are unsafely folded or delimited; see
-:attr:`~email.policy.Policy.verify_generated_headers`. (Contributed by Bas
-Bloemsaat and Petr Viktorin in :gh:`121650`).
diff --git a/README.rst b/README.rst
index 7a384ed7833a9c..2a4c011567dd74 100644
--- a/README.rst
+++ b/README.rst
@@ -1,4 +1,4 @@
-This is Python version 3.12.12
+This is Python version 3.12.13
 ==============================
 
 .. image:: https://github.com/python/cpython/workflows/Tests/badge.svg
