Sunday, April 4, 2021

Python 3.9.4 hotfix is now available

Python 3.9.3 was released two days ago on Friday, April 2nd. It contains important security content listed below for reference. Unfortunately, it also introduced an unintentional ABI incompatibility, making some C extensions built with Python 3.9.0 - 3.9.2 crash with Python 3.9.3 on 32-bit systems. To minimize disruption, I decided to recall 3.9.3 and introduce this hotfix release: 3.9.4.

We highly recommend upgrading your Python 3.9 installations to 3.9.4 at your earliest convenience.

Get it here:

What is “ABI compatibility”?

Python guarantees that within a given language series (like the current 3.9) binary extensions written in C or C++ and compiled against headers of one release (like 3.9.0) will be importable from other versions in the same series (like 3.9.3). If this weren’t the case, library authors would have to ship separate binary wheels on PyPI for every single bugfix release of Python. That would be very inconvenient.

What broke in Python 3.9.3?

In a fix for a corner-case crash around recursion limits and exceptions, the PyThreadState struct needed to change. While PyThreadState’s only documented public member is the *interp field, it’s not uncommon for C extensions to access other fields in this struct as well.

When I approved the backport of this fix, I missed the fact that the variable size change would change the memory layout of said struct on 32-bit systems (on 64-bit systems alignment rules made the size change backwards compatible). Merging the backport was a mistake, and so 3.9.4 reverts it to restore compatibility with binary extensions built against Python 3.9.0 - 3.9.2. Details in bpo-43710.

Security Content in Python 3.9.3

  • bpo-43631: high-severity CVE-2021-3449 and CVE-2021-3450 were published for OpenSSL, it’s been upgraded to 1.1.1k in CI, and macOS and Windows installers.
  • bpo-42988: CVE-2021-3426: Remove the getfile feature of the pydoc module which could be abused to read arbitrary files on the disk (directory traversal vulnerability). Moreover, even source code of Python modules can contain sensitive data like passwords. Vulnerability reported by David Schwörer.
  • bpo-43285: ftplib no longer trusts the IP address value returned from the server in response to the PASV command by default. This prevents a malicious FTP server from using the response to probe IPv4 address and port combinations on the client network. Code that requires the former vulnerable behavior may set a trust_server_pasv_ipv4_address attribute on their ftplib.FTP instances to True to re-enable it.
  • bpo-43439: Add audit hooks for gc.get_objects(), gc.get_referrers() and gc.get_referents(). Patch by Pablo Galindo.

Release Calendar

Maintenance releases for the 3.9 series will continue at regular bi-monthly intervals, with 3.9.5 planned for May 3rd 2021 as well.

What’s new?

The Python 3.9 series contains many new features and optimizations over 3.8. See the “What’s New in Python 3.9 ” document for more information about features included in the 3.9 series. We also have a detailed change log for 3.9.3 specifically.

Detailed information about all changes made in version 3.8.9 can be found in its respective changelog.

We hope you enjoy those new releases!

Thanks to all of the many volunteers who help make Python Development and these releases possible! Please consider supporting our efforts by volunteering yourself or through organization contributions to the Python Software Foundation.

Your friendly release team,
Łukasz Langa @ambv
Ned Deily @nad
Steve Dower @steve.dower