
Python 3.9.3 and 3.8.9 Release Notes: Security Fixes and Improvements

Python 3.9.3 and 3.8.9 were released early with multiple security patches, OpenSSL CVE fixes, module hardening, FTP PASV safety, audit hooks, Unicode handling improvements, and various bug fixes for syntax errors, import cycles, recursion limits, SSL context, and SMTP authentication.

Laravel Tech Community

Python 3.9.3 and 3.8.9 were released ahead of schedule because of security fixes. The final regular maintenance release for Python 3.8 is still planned for May 3, 2021, after which only security-only source releases will be provided; Python 3.9.3 is also slated for May 3, 2021.

Main updates

3.9.3 & 3.8.9

OpenSSL high-severity CVE-2021-3449 and CVE-2021-3450 fixes, upgraded to 1.1.1k in CI.

CVE-2021-3426: removed pydoc.getfile to prevent directory-traversal attacks that could expose arbitrary files or sensitive data.

ftplib no longer trusts the IP address returned by a server's PASV response by default, mitigating malicious FTP server probing.

Added audit hooks for gc.get_objects(), gc.get_referrers() and gc.get_referents().

Fixed crash when sys.stderr is replaced with a callable object.

Python now avoids a fatal error on startup when command-line arguments contain invalid Unicode characters; Py_DecodeLocale() now escapes bytes outside the U+0000-U+10FFFF range.

Resolved a race condition in PyErr_CheckSignals when a non-Python signal handler is executed.

3.9.3

Reports column offset for SyntaxError, improving handling of invalid line-continuation characters.

Fixed false positive import-cycle detection when using from pkg.mod import attr, which could affect multithreaded code.

Improved handling of exceptions near the recursion limit, converting some fatal RecursionErrors.

3.8.9

Fixed deadlock when using ssl.SSLContext.sni_callback() together with SSLContext debugging callbacks.

Corrected long-standing bug in smtplib.SMTP where AUTH LOGIN would fail when initial_response_ok=False.
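The ftplib PASV change listed above, shown as an added example (not code from the release notes or from CPython): it compares which data-connection address a client would dial under the patched default and under the old trusting behaviour, and flags replies worth logging. The helper names, the internal-range list and the sample 227 replies are constructed assumptions; `ftplib.parse227` and the `trust_server_pasv_ipv4_address` attribute are the library's own.

```python
import ftplib
import ipaddress

# Assumption: ranges a defender would treat as "internal" for this check.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def data_target(resp, control_peer, trust_server_pasv_ipv4_address=False):
    """Return the (host, port) a client dials for the data connection.

    Patched default: the port comes from the 227 reply, the host comes
    from the control connection's peer. Opting back in restores the old
    behaviour of using the server-supplied host.
    """
    advertised_host, port = ftplib.parse227(resp)
    host = advertised_host if trust_server_pasv_ipv4_address else control_peer
    return host, port


def review_pasv(resp, control_peer):
    """Summarise a 227 reply for logging (hypothetical helper)."""
    advertised_host, port = ftplib.parse227(resp)
    addr = ipaddress.ip_address(advertised_host)
    return {
        "advertised": (advertised_host, port),
        # The server points the client somewhere other than itself.
        "mismatch": addr != ipaddress.ip_address(control_peer),
        # The advertised host sits in a range the server should not name.
        "internal": any(addr in net for net in INTERNAL_NETS),
        "patched_target": data_target(resp, control_peer),
        "legacy_target": data_target(resp, control_peer, True),
    }


# Constructed sample input: control peer and two 227 replies.
CONTROL_PEER = "203.0.113.10"
HONEST = "227 Entering Passive Mode (203,0,113,10,195,80)."
REDIRECT = "227 Entering Passive Mode (10,0,0,5,0,22)."

if __name__ == "__main__":
    for reply in (HONEST, REDIRECT):
        print(review_pasv(reply, CONTROL_PEER))
```

Code that sets `trust_server_pasv_ipv4_address = True` on an `FTP` instance reverts to the legacy target, so it is worth searching for during review.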
