Python 3.12.12, 3.11.14, 3.10.19 and 3.9.24 are now available!
October 9, 2025, 8:46pm 1
Old-timer Release Party
We couldn’t just let Hugo have fun with 3.14.0, so here are new security releases of the venerated Python versions, 3.12 through 3.9!
Security content in these releases
XML-related
- gh-139312: Upgraded bundled libexpat to 2.7.3 to fix CVE-2025-59375
- gh-139400: xml.parsers.expat: Made sure that parent Expat parsers are only garbage-collected once they are no longer referenced by subparsers created by ExternalEntityParserCreate().
Archive-related
- gh-130577: tarfile now validates archives to ensure member offsets are non-negative.
- gh-139700: Now checking consistency of the zip64 end of central directory record. Added support for records with “zip64 extensible data” if there are no bytes prepended to the ZIP file.
HTML parsing-related
- gh-135661: Fixed parsing start and end tags in html.parser.HTMLParser according to the HTML5 standard.
  - Whitespaces no longer accepted between </ and the tag name. E.g. </ script> does not end the script section.
  - Vertical tabulation (\v) and non-ASCII whitespaces no longer recognized as whitespaces. The only whitespaces are \t\n\r\f and space.
  - Null character (U+0000) no longer ends the tag name.
  - Attributes and slashes after the tag name in end tags are now ignored, instead of terminating after the first > in quoted attribute value. E.g. </script/foo=">"/>.
  - Multiple slashes and whitespaces between the last attribute and closing > are now ignored in both start and end tags. E.g. <a foo=bar/ //>.
  - Multiple = between attribute name and value are no longer collapsed. E.g. <a foo==bar> produces attribute “foo” with value “=bar”.
- gh-135661: Fixed CDATA section parsing in html.parser.HTMLParser according to the HTML5 standard: ] ]> and ]] > no longer end the CDATA section. Add private method _set_support_cdata() which can be used to specify how to parse <[CDATA[ — as a CDATA section in foreign content (SVG or MathML) or as a bogus comment in the HTML namespace.
- gh-102555: Fixed comment parsing in html.parser.HTMLParser according to the HTML5 standard. --!> now ends the comment. -- > no longer ends the comment. Support abnormally ended empty comments <--> and <--->.
- gh-135462: Fixed quadratic complexity in processing specially crafted input in html.parser.HTMLParser. End-of-file errors are now handled according to the HTML5 specs – comments and declarations are automatically closed, tags are ignored.
- gh-118350: Fixed support of escapable raw text mode (elements “textarea” and “title”) in html.parser.HTMLParser.
- gh-86155: html.parser.HTMLParser.close() no longer loses data when the <script> tag is not closed.
Python 3.12.12
Python 3.11.14
Additional security content in this release:
- gh-135374: Update the bundled copy of setuptools to 79.0.1 to fix CVE-2025-47273 and CVE-2024-6345.
Python 3.10.19
Additional security content in this release:
- gh-135374: Update the bundled copy of setuptools to 79.0.1 to fix CVE-2025-47273 and CVE-2024-6345.
Python 3.9.24
Additional security content in this release:
- gh-135374: Update the bundled copy of setuptools to 79.0.1 to fix CVE-2025-47273 and CVE-2024-6345.
- gh-121227: Raise an SSL.SSLError if an empty protocols argument is passed to ssl.SSLContext.set_npn_protocols() to fix CVE-2024-5642
Stay safe and upgrade!
As always, upgrading is highly recommended to all users of affected versions.
Enjoy the new releases
Thanks to all of the many volunteers who help make Python Development and these releases possible! Please consider supporting our efforts by volunteering yourself or through organization contributions to the Python Software Foundation.
Regards from your very old tireless release team,
Thomas Wouters @thomas
Pablo Galindo Salgado @pablogsal
Łukasz Langa @ambv
Ned Deily @nad
Steve Dower @steve.dower
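One way to confirm that a given interpreter actually carries these fixes, added here as an example that is not part of the original announcement or of CPython itself: it compares the running version with the four release numbers above and probes html.parser and the linked expat for the behaviour the changelog describes. The names FLOORS, meets_floor, Recorder, parse and probe are hypothetical, and the sample markup is constructed from the changelog's own examples.

```python
import sys
from html.parser import HTMLParser
from xml.parsers import expat

# First patched micro version of each series, from the announcement above.
FLOORS = {(3, 12): 12, (3, 11): 14, (3, 10): 19, (3, 9): 24}

def meets_floor(version):
    """True/False for the four series above, None for any other series."""
    floor = FLOORS.get(tuple(version[:2]))
    return None if floor is None else version[2] >= floor

class Recorder(HTMLParser):
    """Collects parser callbacks as tuples so they can be compared."""
    def __init__(self):
        super().__init__()
        self.events = []
    def handle_starttag(self, tag, attrs):
        self.events.append(("start", tag, attrs))
    def handle_endtag(self, tag):
        self.events.append(("end", tag))
    def handle_data(self, data):
        self.events.append(("data", data))
    def handle_comment(self, data):
        self.events.append(("comment", data))

def parse(markup):
    parser = Recorder()
    parser.feed(markup)
    parser.close()
    return parser.events

def probe():
    """Behavioural checks; the markup is constructed from the changelog's examples."""
    script = parse("<script>a</ script>b</script>")
    script_text = "".join(e[1] for e in script if e[0] == "data")
    return {
        # gh-135661: "</ script>" must stay inside the script section.
        "end_tag_space": script_text == "a</ script>b",
        # gh-135661: repeated "=" is no longer collapsed.
        "double_equals": ("start", "a", [("foo", "=bar")]) in parse("<a foo==bar>"),
        # gh-102555: "--!>" ends a comment.
        "comment_bang": ("comment", "x") in parse("<!--x--!>y"),
        # gh-139312: a build linked to system expat reports that library's version.
        "expat_2_7_3": expat.version_info >= (2, 7, 3),
    }

if __name__ == "__main__":
    print(sys.version.split()[0], "meets floor:", meets_floor(sys.version_info))
    for name, ok in probe().items():
        print(f"{name}: {'fixed' if ok else 'NOT fixed'}")
```

The behavioural probes matter for distribution builds, which may backport fixes without changing the version number or may link against a system libexpat rather than the bundled copy.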
barry (Barry Warsaw) October 9, 2025, 9:34pm 2
And again, the CI images have been updated.
brettcannon (Brett Cannon) October 9, 2025, 9:42pm 3
Twice (Twice) October 15, 2025, 6:10am 4
Hi, thank you for maintaining these releases.
As Python 3.9 is approaching its EOL (see Status of Python versions), I’d like to ask whether 3.9.24 will be the final release of the 3.9 series, or if there will be one more release such as 3.9.25?
There is a final release planned.
hugovk (Hugo van Kemenade) October 15, 2025, 6:48am 6
Not quite: there’s still time until the end of October for a new release if necessary, we’ll have to wait and see.
@ambv will post an official EOL announcement when the time comes, whether there’s a new release needed or not.