Python: Security Patches and Site Module Fix
CPython received critical security updates including an FTP library vulnerability fix and expat library upgrade, plus a major site module re-entrancy bug resolution. Twenty pull requests were merged addressing security, performance, and platform compatibility issues.
Duration: PT1M57S
Episode overview
This episode is a short developer briefing from Python.
It explains recent repository work in plain language.
- Show: Python
- Published: 2026-05-14T10:01:40Z
- Audio duration: PT1M57S
Transcript excerpt
Good morning. This is your Python developer briefing for May 14th, 2026.
Gregory Smith merged a critical security fix for the ftplib module, addressing CVE-2021-4189 where the ftpcp function bypassed existing PASV protections, potentially allowing malicious FTP servers to redirect data connections. Stan Ulbrych updated the bundled expat library to version 2.8.1, addressing security…
Barry Warsaw resolved a significant re-entrancy bug in the site module where .pth files calling site.addsitedir could crash with RuntimeError during startup, breaking tools like uv run. The fix implements a state class to manage site processing and prevent structural re-entrancy issues.
Kumar Aditya improved descriptor performance scaling in free-threading builds, while Petr Viktorin standardized private C macro naming with the _Py prefix and updated the xxlimited module for Python 3.15's limited API.
Multiple email parser fixes were backported across Python versions 3.13 through 3.15, correcting RFC 2047 whitespace handling in address headers that could cause extraneous spaces in display names.
Carlo Bramini contributed several Cygwin-specific improvements: enabling arc4random_buf usage, fixing dynamic…