Python 3.9.23

Author: ambv

Include/patchlevel.h

@@ -18,12 +18,12 @@
 /*--start constants--*/
 #define PY_MAJOR_VERSION        3
 #define PY_MINOR_VERSION        9
-#define PY_MICRO_VERSION        22
+#define PY_MICRO_VERSION        23
 #define PY_RELEASE_LEVEL        PY_RELEASE_LEVEL_FINAL
 #define PY_RELEASE_SERIAL       0
 
 /* Version as a string */
-#define PY_VERSION              "3.9.22+"
+#define PY_VERSION              "3.9.23"
 /*--end constants--*/
 
 /* Version as a single 4-byte hex number, e.g. 0x010502B2 == 1.5.2b2.

Misc/NEWS.d/3.9.23.rst

@@ -0,0 +1,97 @@
+.. date: 2025-06-02-11-32-23
+.. gh-issue: 135034
+.. nonce: RLGjbp
+.. release date: 2025-06-03
+.. section: Security
+
+Fixes multiple issues that allowed ``tarfile`` extraction filters
+(``filter="data"`` and ``filter="tar"``) to be bypassed using crafted
+symlinks and hard links.
+
+Addresses CVE 2024-12718, CVE 2025-4138, CVE 2025-4330, and CVE 2025-4517.
+
+..
+
+.. date: 2025-05-09-20-22-54
+.. gh-issue: 133767
+.. nonce: kN2i3Q
+.. section: Security
+
+Fix use-after-free in the "unicode-escape" decoder with a non-"strict" error
+handler.
+
+..
+
+.. date: 2025-01-14-11-19-07
+.. gh-issue: 128840
+.. nonce: M1doZW
+.. section: Security
+
+Short-circuit the processing of long IPv6 addresses early in
+:mod:`ipaddress` to prevent excessive memory consumption and a minor
+denial-of-service.
+
+..
+
+.. date: 2024-08-06-11-43-08
+.. gh-issue: 80222
+.. nonce: wfR4BU
+.. section: Security
+
+Fix bug in the folding of quoted strings when flattening an email message
+using a modern email policy. Previously when a quoted string was folded so
+that it spanned more than one line, the surrounding quotes and internal
+escapes would be omitted. This could theoretically be used to spoof header
+lines using a carefully constructed quoted string if the resulting rendered
+email was transmitted or re-parsed.
+
+..
+
+.. date: 2025-05-28-15-53-27
+.. gh-issue: 128840
+.. nonce: Nur2pB
+.. section: Library
+
+Fix parsing long IPv6 addresses with embedded IPv4 address.
+
+..
+
+.. date: 2025-05-15-14-27-01
+.. gh-issue: 134062
+.. nonce: fRbJet
+.. section: Library
+
+:mod:`ipaddress`: fix collisions in :meth:`~object.__hash__` for
+:class:`~ipaddress.IPv4Network` and :class:`~ipaddress.IPv6Network` objects.
+
+..
+
+.. date: 2024-08-28-13-03-36
+.. gh-issue: 123409
+.. nonce: lW0YF-
+.. section: Library
+
+Fix :attr:`ipaddress.IPv6Address.reverse_pointer` output according to
+:rfc:`RFC 3596, §2.5 <3596#section-2.5>`.  Patch by Bénédikt Tran.
+
+..
+
+.. bpo: 43633
+.. date: 2021-10-31-16-06-28
+.. nonce: vflwXv
+.. section: Library
+
+Improve the textual representation of IPv4-mapped IPv6 addresses
+(:rfc:`4291` Sections 2.2, 2.5.5.2) in :mod:`ipaddress`. Patch by Oleksandr
+Pavliuk.
+
+..
+
+.. bpo: 25264
+.. date: 2021-04-08-22-11-27
+.. nonce: b33fa0
+.. section: Library
+
+:func:`os.path.realpath` now accepts a *strict* keyword-only argument. When
+set to ``True``, :exc:`OSError` is raised if a path doesn't exist or a
+symlink loop is encountered.

Misc/NEWS.d/next/Library/2021-04-08-22-11-27.bpo-25264.b33fa0.rst

@@ -1,4 +1,4 @@
-This is Python version 3.9.22
+This is Python version 3.9.23
 =============================
 
 .. image:: https://travis-ci.org/python/cpython.svg?branch=3.9