Note: The release you're looking at is Python 3.9.19, asecurity bugfix release for the legacy 3.9 series.Python 3.12 is now the latest feature release series of Python 3.Get the latest release of 3.12.x here.

Security content in this release

• gh-115399 &gh-115398: bundled libexpat was updated to 2.6.0 to address CVE-2023-52425, and control of the new reparse deferral functionality was exposed with new APIs
• gh-109858:zipfile is now protected from the “quoted-overlap” zipbomb to address CVE-2024-0450. It now raisesBadZipFile when attempting to read an entry that overlaps with another entry or central directory
• gh-91133:tempfile.TemporaryDirectory cleanup no longer dereferences symlinks when working around file system permission errors to address CVE-2023-6597
• gh-115197:urllib.request no longer resolves the hostname before checking it against the system’s proxy bypass list on macOS and Windows
• gh-81194: a crash insocket.if_indextoname() with a specific value (UINT_MAX) was fixed. Relatedly, an integer overflow insocket.if_indextoname() on 64-bit non-Windows platforms was fixed
• gh-113659:.pth files with names starting with a dot or containing the hidden file attribute are now skipped
• gh-102388:iso2022_jp_3 andiso2022_jp_2004 codecs no longer read out of bounds

No installers

According to the release calendar specified inPEP 596, Python 3.9 is now in the "security fixes only" stage of its life cycle: the 3.9 branch only accepts security fixes and releases of those are made irregularly in source-only form until October 2025. Python 3.9 isn't receiving regular bug fixes anymore, and binary installers are no longer provided for it.Python 3.9.13 was the last fullbugfix release of Python 3.9 with binary installers.

Full Changelog