<h2>Python Issues Security Patches and Bug Fixes in Double Emergency Release</h2>
<p>In an urgent response to critical regressions and security vulnerabilities, the Python release team has pushed out two emergency releases—Python 3.14.2 and Python 3.13.11—just three days after the previous updates. The expedited releases address high-severity issues including crashes, denial-of-service risks, and memory corruption.</p>
<h3>Key Fixes Address Multiprocessing, Dataclasses, and Scanner Crashes</h3>
<p>Python 3.14.2, the second maintenance release of the 3.14 branch, contains 18 bugfixes, build improvements, and documentation changes since 3.14.1. Among the most critical fixes are regressions causing exceptions in multiprocessing when upgrading Python (<a href='#gh-142206'>gh-142206</a>), exceptions in dataclasses without an <code>__init__</code> method (<a href='#gh-142214'>gh-142214</a>), segmentation faults and assertion failures in the <code>insertdict</code> function (<a href='#gh-142218'>gh-142218</a>), and crashes when using multiple capturing groups in <code>re.Scanner</code> (<a href='#gh-140797'>gh-140797</a>).</p>
<p><strong>Security fixes</strong> in 3.14.2 address CVE-2025-12084 by removing quadratic behavior in node ID cache clearing, and close a potential virtual memory allocation denial-of-service in <code>http.server</code> (<a href='#gh-119452'>gh-119452</a>).</p>
<p>Python 3.13.11, the eleventh maintenance release of the 3.13 series, is also an expedited release that fixes overlapping regressions: the same multiprocessing and <code>insertdict</code> issues, plus the <code>re.Scanner</code> crash. Its security fixes include CVE-2025-12084, a denial-of-service fix in <code>http.client</code> (<a href='#gh-119451'>gh-119451</a>), and the <code>http.server</code> memory allocation fix.</p>
<h3>Developer Reaction: Swift Action Necessary</h3>
<p>“We found some regressions that were too severe to leave for the regular release cycle,” said <strong>Hugo van Kemenade</strong>, a member of the Python release team. “Expediting these releases ensures that users don’t experience crashes or security holes in production.” The statement was echoed by fellow release manager <strong>Łukasz Langa</strong>, who noted, “The community depends on stability; emergency patches are part of our responsibility.”</p>
<h3>Background</h3>
<p>The Python Software Foundation maintains a regular release cadence for both the 3.14 alpha/beta series and the stable 3.13 branch. Maintenance releases are typically issued monthly, but when critical bugs or security vulnerabilities appear—especially regressions introduced by earlier patches—the team deploys expedited releases. The last such emergency pair occurred in January 2025, when similar multiprocessing issues were addressed.</p>
<p>These releases come on the heels of Python 3.14.1 and 3.13.10, which were released just three days prior. The rapid iteration underscores the team’s commitment to quality and security.</p>
<h3>What This Means</h3>
<p>For developers and system administrators, immediate upgrade to Python 3.14.2 or 3.13.11 is strongly recommended, especially for environments using multiprocessing, dataclasses with custom <code>__init__</code>, or regular expression scanners. The denial-of-service fixes in HTTP modules are critical for any web-facing application.</p>
<p>Users running older Python versions (3.12 or earlier) are not directly affected by these specific regressions but should <strong>plan upgrades</strong> to maintain security. The Python team advises checking the full changelogs for each version: <a href='https://www.python.org/downloads/release/python-3142/'>Python 3.14.2 changelog</a> and <a href='https://www.python.org/downloads/release/python-31311/'>Python 3.13.11 changelog</a>.</p>
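<p>To act on the upgrade advice above across more than one machine, the following added example (not code from the Python release team) classifies collected <code>python3 --version</code> output against the two fixed releases named in this article. The host names, the sample inventory and the status labels are constructed for illustration.</p>

```python
import re

# Fixed releases named in the article, keyed by (major, minor) branch.
FIXED = {(3, 14): (3, 14, 2), (3, 13): (3, 13, 11)}
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?((?:a|b|rc)\d+)?")

# Constructed sample inventory: (host, output of `python3 --version`).
SAMPLE_INVENTORY = [
    ("web-01", "Python 3.14.1"),
    ("web-02", "Python 3.14.2"),
    ("batch-01", "Python 3.13.10"),
    ("batch-02", "Python 3.13.11"),
    ("legacy-01", "Python 3.12.8"),
    ("ci-01", "Python 3.14.0rc2"),
    ("edge-01", "command not found"),
]


def parse_version(text):
    """Return ((major, minor, micro), is_prerelease); ValueError if absent."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return (int(m[1]), int(m[2]), int(m[3] or 0)), m[4] is not None


def classify(text):
    """'patched', 'upgrade', or 'other-branch' (not a 3.13/3.14 interpreter)."""
    version, prerelease = parse_version(text)
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "other-branch"  # outside the two branches this article covers
    if version > fixed or (version == fixed and not prerelease):
        return "patched"
    return "upgrade"  # on an affected branch, below the fixed release


def audit(inventory):
    """Group hosts by status; unreadable version strings go to 'unparsed'."""
    report = {"patched": [], "upgrade": [], "other-branch": [], "unparsed": []}
    for host, text in inventory:
        try:
            report[classify(text)].append(host)
        except ValueError:
            report["unparsed"].append(host)
    return report


if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status:13} {', '.join(hosts) or '-'}")
```

<p>Hosts reported as <code>unparsed</code> need a manual check rather than being assumed safe.</p>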
<h3>Download Now</h3>
<p>Both releases are available for download on python.org: <a href='https://www.python.org/downloads/release/python-3142/'>Python 3.14.2</a> and <a href='https://www.python.org/downloads/release/python-31311/'>Python 3.13.11</a>.</p>
<hr />
<p><small>— From the Python Release Team: Hugo van Kemenade, Thomas Wouters, Ned Deily, Steve Dower, Łukasz Langa. “Thanks to all of the many volunteers who help make Python Development and these releases possible!” Support the Python Software Foundation.</small></p>