Friday, February 19, 2021

Python 3.9.2 and 3.8.8 are now available

Convinced of the wonders of free two-day deliveries, I’m pleased to present to you Python 3.9.2 and 3.8.8. Get them from:



Next up, the last full regular maintenance release of Python 3.8 is planned for May 3rd 2021, after which it will shift to source-only releases containing security bug fixes only. Maintenance releases for the 3.9 series will continue at regular bi-monthly intervals, with 3.9.3 planned for early May 2021.

Why the expedited final release?

This release, just as the candidate before it, contains two security fixes:

  • bpo-42938: Avoid static buffers when computing the repr of ctypes.c_double and ctypes.c_longdouble values. This issue was assigned CVE-2021-3177.

  • bpo-42967: Fix web cache poisoning vulnerability by defaulting the query args separator to &, and allowing the user to choose a custom separator. This issue was assigned CVE-2021-23336.

Since the announcement of the release candidates for 3.9.2 and 3.8.8, we received a number of inquiries from end users urging us to expedite the final releases due to the security content, especially CVE-2021-3177.

This took us somewhat by surprise since we believed security content is cherry-picked by downstream distributors from source either way, and the RC releases provide installers for everybody else interested in upgrading in the meantime. It turns out that release candidates are mostly invisible to the community and in many cases cannot be used due to upgrade processes which users have in place.

In turn, the other active release managers and I decided to stop providing release candidates for bugfix versions. From now on, after the initial 3.x.0 final release, all subsequent releases will be provided as-is at bi-monthly intervals. The release calendar PEPs for 3.8 and 3.9 have been updated accordingly.

On the severity of CVE-2021-3177

We recommend you upgrade your systems to Python 3.8.8 or 3.9.2.

Our understanding is that while the CVE is listed as “remote code execution”, practical exploits of this vulnerability as such are very unlikely, because all of the following conditions need to be met for successful RCE:

  • pass an untrusted floating point number from a remote party to ctypes.c_double.from_param (note: Python floating point numbers were not affected);

  • have that object be passed to repr() (for instance through logging);

  • have that floating point number be valid machine code;

  • have the buffer overflow overwrite the stack at exactly the right place for the code to get executed.

In fact, Red Hat’s evaluation of the vulnerability was consistent with ours. They write: “the highest threat from this vulnerability is to system availability.”

To be sure, denial of service through malicious input is also a serious issue. Thus, to help the community members for whom the release candidate was insufficient, we are releasing the final versions of 3.9.2 and 3.8.8 today.

What’s new?

The Python 3.9 series contains many new features and optimizations over 3.8. See the “What’s New in Python 3.9” document for more information about features included in the 3.9 series. We also have a detailed change log for 3.9.2rc1 specifically. The final release only contains a single bugfix over the release candidate.

Detailed information about all changes made in version 3.8.8rc1 specifically can be found in its respective changelog. The final version contains no changes over the release candidate.

We hope you enjoy those new releases!

Thanks to all of the many volunteers who help make Python Development and these releases possible! Please consider supporting our efforts by volunteering yourself or through organization contributions to the Python Software Foundation.

Your friendly release team,
Ned Deily @nad
Steve Dower @steve.dower
Łukasz Langa @ambv

Wednesday, February 17, 2021

Python 3.9.2rc1 and 3.8.8rc1 are now available for testing

I’m happy to announce two release candidates today: Python 3.9.2rc1, and Python 3.8.8rc1. Get them from:



Unless critical issues are discovered, both release candidates will become their respective final versions on Monday, March 1st.

Following that, the last full regular maintenance release of Python 3.8 is planned for May 3rd 2021, after which it will shift to source-only releases containing security bug fixes only. Maintenance releases for the 3.9 series will continue at regular bi-monthly intervals, with 3.9.3 planned for early May 2021.

Notable security content in today’s releases

  • bpo-42967: Fix web cache poisoning vulnerability by defaulting the query args separator to &, and allowing the user to choose a custom separator.

  • bpo-42938: Avoid static buffers when computing the repr of ctypes.c_double and ctypes.c_longdouble values.
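The separator change in the bpo-42967 bullet above (and in the matching bullet of the 3.9.2/3.8.8 final announcement, where it carries CVE-2021-23336) is easiest to see by parsing one query string under the old and new rules. The following is an added example, not code from the announcements or from CPython itself: the query string is constructed for illustration, and `legacy_split_fields` is a hypothetical helper that emulates the pre-fix behaviour (splitting on both `&` and `;`) so the comparison runs on a patched interpreter. The `separator` keyword of `urllib.parse.parse_qs` is the real parameter introduced by the fix.

```python
"""Added example (not part of the release announcement): how the bpo-42967 /
CVE-2021-23336 change to urllib.parse affects query-string parsing.

Before 3.9.2 / 3.8.8, parse_qs() and parse_qsl() split fields on both '&'
and ';'. Web caches and most other components key on '&' only, so a parser
that also honours ';' sees parameters the cache never saw. The fixed
versions split on '&' only by default and expose a ``separator`` keyword
for callers that really want something else.
"""
import re
from urllib.parse import parse_qs

# Constructed sample query string (not from the page). A cache keying on
# '&' sees two fields: utm_id=1 and page=2;admin=1. A parser that also
# splits on ';' sees a third field, admin=1, that is invisible to the cache.
SAMPLE_QUERY = "utm_id=1&page=2;admin=1"


def legacy_split_fields(qs):
    """Hypothetical helper: emulate the pre-fix behaviour (split on both
    '&' and ';') without calling the old library code."""
    fields = {}
    for pair in re.split(r"[&;]", qs):
        if "=" in pair:
            name, value = pair.split("=", 1)
            fields.setdefault(name, []).append(value)
    return fields


def fixed_default_fields(qs):
    """3.9.2+ / 3.8.8+ default: '&' is the only separator, ';' is data."""
    return parse_qs(qs)


def fields_with_separator(qs, separator):
    """Opt in to a different separator explicitly via the new keyword."""
    return parse_qs(qs, separator=separator)


def cache_view_field_names(qs):
    """Field names as a typical '&'-only cache key would see them."""
    return {pair.split("=", 1)[0] for pair in qs.split("&") if pair}


def parser_agrees_with_cache(qs, parse):
    """True when the parser surfaces no field the cache cannot see."""
    return set(parse(qs)) <= cache_view_field_names(qs)


if __name__ == "__main__":
    print("legacy     :", legacy_split_fields(SAMPLE_QUERY))
    print("fixed      :", fixed_default_fields(SAMPLE_QUERY))
    print("';' opt-in :", fields_with_separator(SAMPLE_QUERY, ";"))
    print("legacy agrees with cache?",
          parser_agrees_with_cache(SAMPLE_QUERY, legacy_split_fields))
    print("fixed agrees with cache? ",
          parser_agrees_with_cache(SAMPLE_QUERY, fixed_default_fields))
```

The point of `parser_agrees_with_cache` is the defensive invariant the fix restores: every component in the request path (cache, proxy, application) should split fields on the same character, so a parameter can no longer reach the application without being part of the cache key. Code that deliberately used `;` as a field separator must now pass `separator=";"` explicitly and should make sure the caches in front of it do the same.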

What’s new?

The Python 3.9 series contains many new features and optimizations over 3.8. See the “What’s New in Python 3.9” document for more information about features included in the 3.9 series. We also have a detailed change log for 3.9.2rc1 specifically.

Detailed information about all changes made in version 3.8.8rc1 specifically can be found in its change log.

We hope you enjoy those new releases!

Thanks to all of the many volunteers who help make Python Development and these releases possible! Please consider supporting our efforts by volunteering yourself or through organization contributions to the Python Software Foundation.

Your friendly release team,
Ned Deily @nad
Steve Dower @steve.dower
Łukasz Langa @ambv

Monday, February 15, 2021

Python 3.7.10 and 3.6.13 security updates now available

Python 3.7.10 and 3.6.13, the latest security fix rollups for Python 3.7 and Python 3.6, are now available. You can find the release files, links to the changelogs, and more information here:

    https://www.python.org/downloads/release/python-3710/
    https://www.python.org/downloads/release/python-3613/
  
These releases are source code only; Windows and macOS binary installers are not provided for security fix releases.

Note that Python 3.9 is now the latest feature release series of Python 3. You should consider upgrading to 3.9 as soon as practical. Get the latest release of 3.9.x here.

Thanks to all of the many volunteers who help make Python Development and these releases possible!  Please consider supporting our efforts by volunteering yourself or through organization contributions to the Python Software Foundation.

Wednesday, February 3, 2021

Python 3.10.0a5 is now available for testing

Well, this one took a bit more time due to some surprise last-minute reference leaks and release blockers to fix, but now Python 3.10.0a5 is here. Will this be the first release announcement of the 3.10 series without copy-paste typos? Go get it here:

https://www.python.org/downloads/release/python-3100a5/

This is an early developer preview of Python 3.10

Major new features of the 3.10 series, compared to 3.9

Python 3.10 is still in development. This release, 3.10.0a5, is the fifth of seven planned alpha releases. Alpha releases are intended to make it easier to test the current state of new features and bug fixes and to test the release process. During the alpha phase, features may be added up until the start of the beta phase (2021-05-03) and, if necessary, may be modified or deleted up until the release candidate phase (2021-10-04). Please keep in mind that this is a preview release and its use is not recommended for production environments.

Many new features for Python 3.10 are still being planned and written. Among the major new features and changes so far:

  • PEP 623 – Remove wstr from Unicode
  • PEP 604 – Allow writing union types as X | Y
  • PEP 612 – Parameter Specification Variables
  • PEP 626 – Precise line numbers for debugging and other tools.
  • bpo-38605: from __future__ import annotations (PEP 563) is now the default.
  • PEP 618 – Add Optional Length-Checking To zip.
  • bpo-12782: Parenthesized context managers are now officially allowed.
  • (Hey, fellow core developer, if a feature you find important is missing from this list, let Pablo know.)

The next pre-release of Python 3.10 will be 3.10.0a6, currently scheduled for 2021-03-01.

More resources

And now for something completely different

The Chandrasekhar limit is the maximum mass of a stable white dwarf star. White dwarfs resist gravitational collapse primarily through electron degeneracy pressure, compared to main sequence stars, which resist collapse through thermal pressure. The Chandrasekhar limit is the mass above which electron degeneracy pressure in the star’s core is insufficient to balance the star’s own gravitational self-attraction. Consequently, a white dwarf with a mass greater than the limit is subject to further gravitational collapse, evolving into a different type of stellar remnant, such as a neutron star or black hole. Those with masses up to the limit remain stable as white dwarfs. The currently accepted value of the Chandrasekhar limit is about 1.4 M☉ (2.765×10³⁰ kg). So we can be safe knowing that our sun is not going to become a black hole!