Python 3.9.21

Release Date: Dec. 3, 2024

This is a security release of Python 3.9

Note: The release you're looking at is Python 3.9.21, a security bugfix release for the legacy 3.9 series. Python 3.13 is now the latest feature release series of Python 3. Get the latest release of 3.13.x here.

Security content in this release

  • gh-126623: Upgraded libexpat to 2.6.4 to fix CVE-2024-50602.
  • gh-122792: Changed IPv4-mapped ipaddress.IPv6Address to consistently use the mapped IPv4 address value for deciding properties. Properties which have their behavior fixed are is_multicast, is_reserved, is_link_local, is_global, and is_unspecified.
  • gh-124651: Properly quote template strings in venv activation scripts.
  • gh-103848: Added checks to ensure that [ bracketed ] hosts found by urllib.parse.urlsplit() are of IPv6 or IPvFuture format.
  • gh-95588: Clarified the conflicting advice given in the ast documentation about ast.literal_eval() being “safe” for use on untrusted input while at the same time warning that it can crash the process. The latter statement is true and is deemed unfixable without a large amount of work unsuitable for a bugfix. So we keep the warning and no longer claim that literal_eval is safe.
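
The gh-122792 change matters to any code that makes allow/deny decisions from ipaddress properties. The following is an added example, not code from CPython or from this release: it unwraps IPv4-mapped addresses before reading the five properties named above, so the answer is the same on patched and unpatched interpreters. The function names and the sample addresses are constructed for illustration.

```python
import ipaddress

# The five properties whose behavior gh-122792 fixed for IPv4-mapped addresses.
PROPS = ("is_multicast", "is_reserved", "is_link_local", "is_global", "is_unspecified")

def unwrap_mapped(addr):
    """Return the embedded IPv4Address for ::ffff:a.b.c.d, else the parsed address."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def classify(addr):
    """Property values taken from the mapped IPv4 address when there is one."""
    ip = unwrap_mapped(addr)
    return {name: getattr(ip, name) for name in PROPS}

def drift(addr):
    """Properties where this interpreter's own answer for addr differs from the
    answer for the mapped IPv4 address. Empty when the two already agree."""
    raw = ipaddress.ip_address(addr)
    norm = classify(addr)
    return sorted(n for n in PROPS if getattr(raw, n) != norm[n])

def is_public_destination(addr):
    """Deny-by-default check for an outbound destination address."""
    try:
        c = classify(addr)
    except ValueError:
        return False  # unparseable input is never treated as public
    blocked = (c["is_multicast"] or c["is_reserved"]
               or c["is_link_local"] or c["is_unspecified"])
    return c["is_global"] and not blocked

if __name__ == "__main__":
    # Constructed sample inputs, not taken from the release notes.
    samples = ["8.8.8.8", "::ffff:8.8.8.8", "::ffff:169.254.169.254",
               "::ffff:224.0.0.1", "::ffff:0.0.0.0", "not-an-ip"]
    for s in samples:
        print(f"{s:26} public={is_public_destination(s)}")
    print("drift:", drift("::ffff:169.254.169.254"))
```

A non-empty drift() result means the running interpreter still evaluates at least one of those properties on the IPv6 form rather than on the mapped IPv4 address.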

No installers

According to the release calendar specified in PEP 596, Python 3.9 is now in the "security fixes only" stage of its life cycle: the 3.9 branch only accepts security fixes and releases of those are made irregularly in source-only form until October 2025. Python 3.9 isn't receiving regular bug fixes anymore, and binary installers are no longer provided for it. Python 3.9.13 was the last full bugfix release of Python 3.9 with binary installers.

Full Changelog

Files

| Version | Operating System | Description | MD5 Sum | File Size | GPG | Sigstore |
|---|---|---|---|---|---|---|
| Gzipped source tarball | Source release | | e61b3568082b57d55fd74cfc7ca020b4 | 24.9 MB | SIG | .sigstore |
| XZ compressed source tarball | Source release | | e8ab0f9a295f12428310f409abd79e9c | 18.7 MB | SIG | .sigstore |