Opened 3 weeks ago

Closed 10 days ago

Last modified 24 hours ago

#5831 closed enhancement (fixed)

python-3.14.2

Reported by: Bruce Dubbs Owned by: lfs-book
Priority: high Milestone: 12.5
Component: Book Version: git
Severity: normal Keywords:
Cc:

Description

New point version.

Change History (10)

comment:1 by Douglas R. Reno, 3 weeks ago

Priority: normal → high
Security

  • gh-139700: Check consistency of the zip64 end of central directory record. Support records with "zip64 extensible data" if there are no bytes prepended to the ZIP file.
  • gh-139283: sqlite3: correctly handle maximum number of rows to fetch in Cursor.fetchmany and reject negative values for Cursor.arraysize. Patch by Bénédikt Tran.
  • gh-137836: Add support of the "plaintext" element, RAWTEXT elements "xmp", "iframe", "noembed" and "noframes", and optionally RAWTEXT element "noscript" in html.parser.HTMLParser.
  • gh-136063: email.message: ensure linear complexity for legacy HTTP parameters parsing. Patch by Bénédikt Tran.
  • gh-136065: Fix quadratic complexity in os.path.expandvars().
  • gh-119451: Fix a potential memory denial of service in the http.client module. When connecting to a malicious server, it could cause an arbitrary amount of memory to be allocated. This could have led to symptoms including a MemoryError, swapping, out of memory (OOM) killed processes or containers, or even system crashes.
  • gh-119342: Fix a potential memory denial of service in the plistlib module. When reading a Plist file received from untrusted source, it could cause an arbitrary amount of memory to be allocated. This could have led to symptoms including a MemoryError, swapping, out of memory (OOM) killed processes or containers, or even system crashes.

comment:2 by Douglas R. Reno, 3 weeks ago

{{{
-------- Forwarded Message --------
Subject: [Security-announce][CVE-2025-13836] Excessive read buffering DoS in http.client
Date:     Mon, 1 Dec 2025 18:57:32 +0000
From:     Seth Larson <seth@python.org>
Reply-To:     security-sig@python.org
To:     security-announce@python.org



There is a MEDIUM severity vulnerability affecting CPython.

When reading an HTTP response from a server, if no read amount is specified, the
default behavior will be to use Content-Length. This allows a malicious server
to cause the client to read large amounts of data into memory, potentially
causing OOM or other DoS.

Please see the linked CVE ID for the latest information on
affected versions:

* https://www.cve.org/CVERecord?id=CVE-2025-13836
* https://github.com/python/cpython/pull/119454


-------- Forwarded Message --------
Subject: [Security-announce][CVE-2025-13837] Out-of-memory when loading Plist
Date:     Mon, 1 Dec 2025 18:58:33 +0000
From:     Seth Larson <seth@python.org>
Reply-To:     security-sig@python.org
To:     security-announce@python.org



There is a LOW severity vulnerability affecting CPython.

When loading a plist file, the plistlib module reads data in size specified by
the file itself, meaning a malicious file can cause OOM and DoS issues

Please see the linked CVE ID for the latest information on affected versions:

* https://www.cve.org/CVERecord?id=CVE-2025-13837
* https://github.com/python/cpython/pull/119343


-------- Forwarded Message --------
Subject: [Security-announce][CVE-2025-12084] Quadratic complexity in node ID cache clearing
Date:     Wed, 3 Dec 2025 18:59:03 +0000
From:     Seth Larson <seth@python.org>
Reply-To:     security-sig@python.org
To:     security-announce@python.org



There is a MEDIUM severity vulnerability affecting CPython.

When building nested elements using xml.dom.minidom methods such as
appendChild() that have a dependency on _clear_id_cache() the algorithm is
quadratic. Availability can be impacted when building excessively nested
documents.

Please see the linked CVE ID for the latest information on affected versions:

* https://www.cve.org/CVERecord?id=CVE-2025-12084
* https://github.com/python/cpython/pull/142146
}}}
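The first forwarded advisory describes http.client letting the server's Content-Length decide how much the client buffers. The following is an added example, not code from the ticket or from CPython, showing the defensive pattern on the client side: a bounded reader that rejects a body larger than the caller's budget, whether the server announces an oversized Content-Length or simply keeps streaming without one. The _MemorySocket, read_bounded and try_read names are mine, and the responses are constructed in memory rather than fetched from a server.

```python
import http.client
import io


class BodyTooLarge(Exception):
    """Raised when a response body exceeds the caller's memory budget."""


class _MemorySocket:
    """Constructed stand-in for a socket; HTTPResponse only needs makefile()."""
    def __init__(self, raw: bytes):
        self._buf = io.BytesIO(raw)

    def makefile(self, mode, *args, **kwargs):
        return self._buf

    def close(self):
        pass


def read_bounded(resp: http.client.HTTPResponse, max_bytes: int,
                 chunk_size: int = 16 * 1024) -> bytes:
    """Read at most max_bytes from resp, trusting neither Content-Length nor EOF."""
    declared = resp.getheader("Content-Length")
    if declared is not None and int(declared) > max_bytes:
        # Fail fast: the server announced more than we are willing to hold.
        raise BodyTooLarge(f"declared Content-Length {declared} > {max_bytes}")
    parts, total = [], 0
    while True:
        # Ask for at most the remaining budget plus one byte; the extra byte
        # detects a body longer than the cap without buffering all of it.
        data = resp.read(min(chunk_size, max_bytes - total + 1))
        if not data:
            break
        total += len(data)
        if total > max_bytes:
            raise BodyTooLarge(f"body exceeds {max_bytes} bytes")
        parts.append(data)
    return b"".join(parts)


def try_read(raw: bytes, max_bytes: int):
    """Parse a raw HTTP response and return its body, or None if rejected."""
    resp = http.client.HTTPResponse(_MemorySocket(raw))
    resp.begin()
    try:
        return read_bounded(resp, max_bytes)
    except BodyTooLarge:
        return None
```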

comment:3 by Bruce Dubbs, 2 weeks ago

Summary: python3-3.14.1 → python3-3.14.2

Now version 3.14.2.

comment:4 by Bruce Dubbs, 12 days ago

Summary: python3-3.14.2 → python-3.14.2

comment:5 by Bruce Dubbs, 10 days ago

What's New in Python 3.14.2 final?

*Release date: 2025-12-05*

Security

  • gh-142145: Remove quadratic behavior in xml.minidom node ID cache clearing.
  • gh-119452: Fix a potential memory denial of service in the http.server module. When a malicious user is connected to the CGI server on Windows, it could cause an arbitrary amount of memory to be allocated. This could have led to symptoms including a MemoryError, swapping, out of memory (OOM) killed processes or containers, or even system crashes.

Library

  • gh-140797: Revert changes to the undocumented re.Scanner class. Capturing groups are still allowed for backward compatibility, although using them can lead to incorrect results. They will be forbidden in future Python versions.
  • gh-142206: The resource tracker in the multiprocessing module now uses the original communication protocol, as in Python 3.14.0 and below, by default. This avoids issues with upgrading Python while it is running. (Note that such 'in-place' upgrades are not tested.) The tracker remains compatible with subprocesses that use the new protocol (that is, subprocesses using Python 3.13.10, 3.14.1 and 3.15).
  • gh-142214: Fix two regressions in dataclasses in Python 3.14.1 related to annotations.
      ◦ An exception is no longer raised if slots=True is used and the __init__ method does not have an __annotate__ attribute (likely because init=False was used).
      ◦ An exception is no longer raised if annotations are requested on the __init__ method and one of the fields is not present in the class annotations. This can occur in certain dynamic scenarios.

Core and Builtins

  • gh-142218: Fix crash when inserting into a split table dictionary with a non-str key that matches an existing key.
  • gh-116738: Fix cmath data race when initializing trigonometric tables with subinterpreters.

comment:6 by Bruce Dubbs, 10 days ago

Resolution: fixed
Status: new → closed

Fixed at commit ffc4af1d6c.

comment:7 by Douglas R. Reno, 10 days ago

Note that LFS/BLFS 12.4 users will want to use Python 3.13.11 instead.

comment:8 by zeckma, 9 days ago

One of the security fixes causes a regression in pyatspi2 and multiple tests. This has been observed by Debian. The regression has been labeled a release blocker but made it in both 3.14.2 and 3.13.11. We shall hold off on the SA filing until this regression is fixed.

comment:10 by zeckma, 24 hours ago

SA-12.4-063 issued.
