Please test the 3.12 beta! Downloading it and trying it out helps us a lot in ensuring Python 3.12.0 will be as polished as possible.
We welcome 3.10 to the prestigious club of security-only releases. It’s officially an old version of Python now! If you haven’t rewritten all your if:elif:else:s with pattern matching yet, are you even still writing Python?
At the same time, it looks like 3.7 is reaching end-of-life. Unless another security release happens in June, 3.7.17 will be the final release of Python 3.7. I mean, now that I typed it out for all you to read, I’m sure I jinxed it. But in case I didn’t, I would like to thank Ned Deily for serving as the release manager of Python 3.6 and Python 3.7. He was my mentor as Release Manager, and continues serving Python as the provider of Mac installers for new releases. Thank you, Ned!
Speaking of installers, Steve Dower used to be the sole provider of Windows installers for Python releases for years now. His secret was a well-automated Azure pipeline that let him build, sign, and publish releases with minimal manual effort. Now he extended the power to press the blue “Run pipeline” button to more members of the team. Thank you, Steve! This is an important bus factor increment. In fact, the Windows installers for both 3.12.0b2 and 3.11.4 were ~~made by me~~ initiated by me. If there’s anything wrong with them, well, I guess that means I pressed the button wrong.
Updating is recommended due to security content:
urllib.parse.urlsplit() now strips leading C0 control and space characters following the specification for URLs defined by WHATWG in response to CVE-2023-24329.
uu.decode() that could allow for directory traversal based on the input if no out_file was specified.
http.client.SimpleHTTPRequestHandler.
subprocess.Popen now uses a safer approach to find cmd.exe when launching with shell=True.
trace.__main__ now uses io.open_code() for files to be executed instead of raw open().
tarfile, and shutil.unpack_archive(), have a new filter argument that allows limiting tar features that may be surprising or dangerous, such as creating files outside the destination directory. See Extraction filters for details.
threading.local.
Get it here: 3.12.0b2
116 new commits since 3.12.0 beta 1.
Get it here: 3.11.4
233 new commits.
Get it here: 3.10.12
Security-only release with no binaries. 20 new commits.
Get it here: 3.9.17
Security-only release with no binaries. 26 commits.
Get it here: 3.8.17
Security-only release with no binaries. 24 commits.
Get it here as it might be the last release of 3.7 ever: 3.7.17
Security-only release with no binaries. 21 commits.
Thanks to all of the many volunteers who help make Python Development and these releases possible! Please consider supporting our efforts by volunteering yourself or through organization contributions to the Python Software Foundation.
–
Łukasz Langa @ambv
on behalf of your friendly release team,
Ned Deily @nad
Steve Dower @steve.dower
Pablo Galindo Salgado @pablogsal
Łukasz Langa @ambv
Thomas Wouters @thomas