September 12th, 2024
Python 3.12.6 was released on September 6th, 2024, marking the sixth maintenance release of the Python 3.12 series. As the newest major release of the Python programming language, Python 3.12 comes with a host of new features and optimizations. The 3.12.6 version, in particular, includes approximately ninety bug fixes, build improvements, and documentation changes since the previous 3.12.5 release.

The urgency of this release is underscored by the critical security fixes it incorporates. Notable among these is the upgrade of the bundled libexpat to version 2.6.3, addressing multiple security vulnerabilities identified as CVE-2024-28757, CVE-2024-45490, CVE-2024-45491, and CVE-2024-45492. Additionally, the quadratic complexity issue in parsing quoted cookie values with backslashes was fixed in the http.cookies module, resolving CVE-2024-7592. Another critical fix removes backtracking from tarfile header parsing for hdrcharset, PAX, and GNU sparse headers, addressing CVE-2024-6232. Furthermore, the email.utils module saw enhancements: functions such as getaddresses and parseaddr now return more accurate tuples for invalid email addresses and include an optional strict parameter to handle malformed inputs, improving on the earlier CVE-2023-27043 fix. Among the other fixes, names in zipfile.Path were sanitized to avoid infinite loops without breaking legitimate content, addressing CVE-2024-8088.

In line with the previous release, Python 3.12.6 also drops support for macOS versions 10.9 through 10.12. These versions have not been supported by Apple since 2019, making their continued support in Python impractical.

The 3.12 series introduced major new features, including updates to type annotations and the removal of deprecated members from the C implementation of unicode objects per PEP 623. Moreover, deprecated methods and classes in the unittest module were removed, aligning with PEP 594 and PEP 632. The smtpd and distutils modules were also deprecated, with setuptools continuing to provide the distutils module. Invalid backslash escape sequences in strings now trigger a SyntaxWarning instead of a DeprecationWarning, making them more noticeable. This change is a precursor to these warnings becoming syntax errors in future Python versions. Lastly, the internal representation of integers has been modified to prepare for performance enhancements. While this change is primarily an internal detail, it may impact developers using Cython-generated code. For further details on the changes in Python 3.12, refer to the comprehensive What's New in Python 3.12 documentation.

Python 3.12.6 addresses several critical security issues, making it an essential update for all users. One of the significant improvements in this release is the upgrade of the bundled libexpat to version 2.6.3. This upgrade resolves multiple vulnerabilities, specifically CVE-2024-28757, CVE-2024-45490, CVE-2024-45491, and CVE-2024-45492. By updating to this version, the Python development team has ensured more robust handling of XML parsing operations, which are crucial for many applications.

Another major security enhancement concerns the http.cookies module. The quadratic complexity in parsing quoted cookie values with backslashes has been addressed, fixing CVE-2024-7592. This fix ensures that the module handles backslashes in quoted cookie values more efficiently, preventing the performance degradation and security risks associated with complex parsing scenarios.

The tarfile module also sees significant improvements in this release. The removal of backtracking from tarfile header parsing is a critical update that addresses CVE-2024-6232. This change affects the parsing of hdrcharset, PAX, and GNU sparse headers, making the tarfile module more secure and efficient by eliminating the risks associated with backtracking during header parsing.

In the email.utils module, functions such as getaddresses and parseaddr have been updated to handle invalid email addresses more accurately. These functions now return more precise tuples when encountering invalid email addresses and include an optional strict parameter. By setting this parameter to false, users can revert to the previous behavior, which accepts malformed inputs. This improvement, which builds on the CVE-2023-27043 fix, enhances the accuracy and reliability of email address parsing in Python.

Additionally, zipfile.Path now sanitizes names to avoid infinite loops, addressing CVE-2024-8088. This ensures that names with legitimate characters are handled without entering an infinite loop, enhancing the overall stability and security of zipfile operations. These key security fixes and improvements in Python 3.12.6 highlight the ongoing commitment to maintaining the security and performance of the Python programming language. Users are strongly encouraged to upgrade to this latest release to benefit from these critical updates.

Python 3.12.6 also introduces several deprecations and compatibility changes, reflecting an ongoing effort to streamline and modernize the language. Notably, this release removes the wstr and wstr_length members from the C implementation of unicode objects, in line with PEP 623. These members were previously deprecated, and their removal marks a significant step in the evolution of Python's handling of unicode data. In addition, the smtpd and distutils modules have been removed, as per PEP 594 and PEP 632. Although the distutils module remains available through the setuptools package, its deprecation signals a shift towards more modern and sustainable module management practices within Python. This change will require developers to adapt their workflows and dependencies to align with the updated ecosystem.

Another important change is the dropping of support for macOS versions 10.9 through 10.12. These versions have not been supported by Apple since 2019, making it increasingly difficult to maintain compatibility. This deprecation aligns with the support policies already established for Python 3.13, ensuring consistency across Python versions. Users of macOS versions older than 10.13 will need to upgrade their operating systems to continue receiving updates and support from Python.

Furthermore, Python 3.12.6 introduces internal changes in the representation of integers. These changes are designed to pave the way for future performance enhancements. While this update is primarily an internal detail, it may have implications for developers, particularly those who rely on Cython-generated code. Developers are advised to test their applications thoroughly to ensure compatibility with these changes and to take advantage of the potential performance benefits. These deprecations and compatibility changes demonstrate Python's commitment to evolving in response to modern development needs while maintaining a balance between innovation and stability. Users and developers are encouraged to stay informed about these changes to ensure their code remains compatible and optimized for future Python releases.
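The email.utils change described above is the one most application code touches directly. The following is an added example, not code from the release notes or from CPython itself: it shows how the strict parameter turns an ambiguous header into an explicit ('', '') rejection and how a "sender must belong to our domain" gate should rely on that. The trusted domain and the sample headers are constructed for the example, and the version probe is there only so the block still runs on interpreters older than 3.12.6.

```python
"""Sender validation with email.utils after the CVE-2023-27043 hardening."""
import inspect
from email.utils import getaddresses, parseaddr

# The strict keyword exists from Python 3.12.6 (and the 3.11.x backport);
# older interpreters fall back to the legacy parser so the code still runs.
STRICT_AVAILABLE = "strict" in inspect.signature(parseaddr).parameters

# Constructed sample headers: one well-formed, one with a stray bracket that
# makes two addresses appear in what should be a single mailbox field.
WELL_FORMED = "Alice <alice@example.org>"
AMBIGUOUS = "alice@example.org]<bob@example.org>"
TRUSTED_DOMAIN = "example.org"  # hypothetical allow-list domain


def parse_single(header: str):
    """Parse one From:/Sender: value; ('', '') means 'not a single valid address'."""
    if STRICT_AVAILABLE:
        return parseaddr(header, strict=True)
    return parseaddr(header)


def parse_all(header: str):
    """Parse an address-list field; [('', '')] signals a malformed field."""
    if STRICT_AVAILABLE:
        return getaddresses([header], strict=True)
    return getaddresses([header])


def sender_is_trusted(header: str) -> bool:
    """Allow only when the header parses to exactly one address in TRUSTED_DOMAIN.

    Rejecting ('', '') is what closes the bypass: the legacy parser returned the
    first addr-spec found in an ambiguous header, so a domain check could pass
    even though mail would be delivered to a different mailbox.
    """
    _realname, addr = parse_single(header)
    if not addr or "@" not in addr:
        return False
    return addr.rsplit("@", 1)[1].lower() == TRUSTED_DOMAIN


if __name__ == "__main__":
    print("strict parameter available:", STRICT_AVAILABLE)
    for h in (WELL_FORMED, AMBIGUOUS):
        print(repr(h), "->", parse_single(h), "trusted:", sender_is_trusted(h))
```

Run it under 3.12.5 and 3.12.6 side by side to see the ambiguous header flip from "trusted" to rejected without any change to the gate itself.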