Bug 908018 - <dev-lang/python-{3.8.17,3.9.17,3.10.12,3.11.4}, <dev-python/pypy3-7.3.12: multiple vulnerabilities
Status: CONFIRMED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://discuss.python.org/t/python-3...
Whiteboard: A3 [glsa]
Keywords:
Depends on: 908014 908015 908016 908017 909854
Blocks:
Reported: 2023-06-07 13:48 UTC by Michał Górny
Modified: 2024-04-27 09:20 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Michał Górny 2023-06-07 13:48:35 UTC
These (potentially) affecting us:

3.7 - 3.11: gh-102153: urllib.parse.urlsplit() now strips leading C0 control and space characters following the specification for URLs defined by WHATWG in response to CVE-2023-24329.
3.7 - 3.11: gh-99889: Fixed a security flaw in uu.decode() that could allow for directory traversal based on the input if no out_file was specified.
3.7 - 3.11: gh-104049: Do not expose the local on-disk location in directory indexes produced by http.client.SimpleHTTPRequestHandler.
3.8 - 3.11: gh-103935: trace.__main__ now uses io.open_code() for files to be executed instead of raw open().
3.8 - 3.11: gh-102953: The extraction methods in tarfile, and shutil.unpack_archive(), have a new filter argument that allows limiting tar features that may be surprising or dangerous, such as creating files outside the destination directory. See Extraction filters for details.
3.9: gh-102126: Fixed a deadlock at shutdown when clearing thread states if any finalizer tries to acquire the runtime head lock.
3.9: gh-100892: Fixed a crash due to a race while iterating over thread states in clearing threading.local.

Also potentially affecting Prefix:

3.7 - 3.11: gh-101283: subprocess.Popen now uses a safer approach to find cmd.exe when launching with shell=True.

---

I'm not sure what to do about PyPy3.  I don't have time right now to backport all fixes (these and possibly more from previous releases), and I definitely don't want to backport them both to the most recent masked RCs and the previous stable release.
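A worked illustration of the urlsplit() entry above (gh-102153, CVE-2023-24329), added here as an example; it is not code from the bug report, from CPython or from Gentoo. A scheme blocklist that trusts urlsplit() as-is is the kind of check the fix protects: before it, a leading space or C0 control character made urlsplit() report an empty scheme while browsers and HTTP clients, following WHATWG, still treated the input as a file: URL. The hardened variant applies the same strip by hand so it behaves identically on interpreters older than the fixed versions. BLOCKED_SCHEMES, the probe URLs and the function names are constructed for the demonstration.

```python
from urllib.parse import urlsplit

# WHATWG URL parsing strips leading C0 controls (U+0000..U+001F) and U+0020
# before looking for a scheme. The fixed urlsplit() does the same; older
# releases did not, so " file:///etc/passwd" parsed with an empty scheme.
_C0_AND_SPACE = "".join(map(chr, range(0x21)))

# Constructed blocklist for the example; an application would have its own.
BLOCKED_SCHEMES = {"file", "ftp", "gopher", "javascript"}


def is_blocked_naive(url: str) -> bool:
    """Blocklist check as commonly written: trusts urlsplit() as-is.
    Bypassable on interpreters without the gh-102153 fix."""
    return urlsplit(url).scheme in BLOCKED_SCHEMES


def is_blocked_hardened(url: str) -> bool:
    """Same check, but normalise the way the patched urlsplit() does first,
    so the answer does not depend on the interpreter version."""
    return urlsplit(url.lstrip(_C0_AND_SPACE)).scheme in BLOCKED_SCHEMES


def interpreter_is_patched() -> bool:
    """True when this interpreter's urlsplit() already strips the leading junk."""
    return urlsplit("\x1ffile:///x").scheme == "file"


# Constructed probe inputs: the bare URL, then variants a client would still
# treat as file:, then a benign https URL.
PROBES = [
    "file:///etc/passwd",
    " file:///etc/passwd",
    "\x00file:///etc/passwd",
    "\x1f\x1ffile:///etc/passwd",
    "https://example.com/",
]


def compare(urls=PROBES) -> dict:
    """Map each probe to (naive verdict, hardened verdict)."""
    return {u: (is_blocked_naive(u), is_blocked_hardened(u)) for u in urls}


if __name__ == "__main__":
    print("urlsplit() patched:", interpreter_is_patched())
    for u, (naive, hard) in compare().items():
        print(f"{u!r:34} naive={naive!s:5} hardened={hard}")
```

On an unpatched interpreter the naive column says False for every probe except the bare file: URL; on a fixed one the two columns agree. The strip is a prefix-only normalisation, so it does not change how a scheme-less relative URL is parsed.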
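The tarfile extraction filters from the same list (gh-102953), as an added example that is not code from the bug report, from CPython or from Gentoo. safe_extract() passes filter="data" when the running interpreter has the backport and otherwise applies an equivalent hand-written check, which is the position any not-yet-backported interpreter is in. The archive contents, directory layout and helper names are constructed for the example; the manual filter is a stand-in that covers path escape, links and device nodes, not a full reimplementation of tarfile.data_filter.

```python
import io
import os
import tarfile
import tempfile


def build_tar(hostile: bool) -> bytes:
    """Constructed sample archive: a benign member, plus (if hostile) a member
    whose name climbs out of the extraction directory."""
    members = [("pkg/README", b"hello\n")]
    if hostile:
        members.append(("../escaped.txt", b"pwned\n"))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in members:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _manual_data_filter(member: tarfile.TarInfo, dest: str) -> tarfile.TarInfo:
    """Stand-in for tarfile.data_filter on interpreters that lack it: refuse
    members that resolve outside dest, and refuse links and device nodes."""
    real_dest = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(real_dest, member.name))
    if os.path.commonpath([real_dest, target]) != real_dest:
        raise tarfile.TarError(f"{member.name!r} would land outside {dest!r}")
    if member.issym() or member.islnk() or member.isdev():
        raise tarfile.TarError(f"{member.name!r}: links and device nodes refused")
    return member


def safe_extract(archive: bytes, dest: str) -> list:
    """Extract into dest and never outside it; return the relative paths written."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tf:
        if hasattr(tarfile, "data_filter"):
            # Backported filter: raises tarfile.OutsideDestinationError on escape.
            tf.extractall(dest, filter="data")
        else:
            members = [_manual_data_filter(m, dest) for m in tf.getmembers()]
            tf.extractall(dest, members=members)
    written = []
    for root, _, files in os.walk(dest):
        for f in files:
            rel = os.path.relpath(os.path.join(root, f), dest)
            written.append(rel.replace(os.sep, "/"))
    return sorted(written)


def run_demo() -> dict:
    """Extract a benign and a hostile archive into fresh directories under a
    temporary base and report what happened."""
    report = {}
    with tempfile.TemporaryDirectory() as base:
        benign_dest = os.path.join(base, "benign")
        os.mkdir(benign_dest)
        report["benign_files"] = safe_extract(build_tar(hostile=False), benign_dest)

        hostile_dest = os.path.join(base, "hostile")
        os.mkdir(hostile_dest)
        try:
            safe_extract(build_tar(hostile=True), hostile_dest)
            report["hostile_refused"] = False
        except tarfile.TarError as exc:
            report["hostile_refused"] = True
            report["reason"] = str(exc)
        # "../escaped.txt" relative to hostile_dest would be base/escaped.txt.
        report["escaped"] = os.path.exists(os.path.join(base, "escaped.txt"))
    return report


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The feature check is hasattr(tarfile, "data_filter") rather than a version comparison, because the filter landed in point releases of four different minor versions (and in pypy3 on its own schedule), so a version tuple is not a reliable signal.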
Comment 1 Michał Górny 2023-06-23 06:18:48 UTC
cleanup done for dev-lang/python.  For dev-python/pypy3, I'd like to wait a while more before stabilizing it.
Comment 2 John Helmert III 2023-06-27 04:03:29 UTC
(In reply to Michał Górny from comment #1)
> cleanup done for dev-lang/python.  For dev-python/pypy3, I'd like to wait a
> while more before stabilizing it.

The fixed pypy3 is pypy3-7.3.12, then?