In a rapid follow-up to the previous updates, the Python release team has issued version 3.14.2 and 3.13.11 to fix critical regressions and security vulnerabilities. This Q&A covers the key changes, why these releases were expedited, and how they maintain Python's stability and safety.
Why were Python 3.14.2 and 3.13.11 released so quickly after the previous updates?
Just three days after the last maintenance releases, the team found regressions that needed immediate attention. These issues could disrupt running programs and cause crashes or security risks. To minimize impact, the releases were expedited, bundling both bug fixes and security patches. This rapid response demonstrates the project's commitment to reliability, ensuring developers can upgrade without breaking existing code or exposing systems to vulnerabilities.
What regressions were fixed in Python 3.14.2?
Python 3.14.2 resolves four specific regressions from 3.14.1:
- Multiprocessing exceptions (gh-142206): Exceptions occurring in
multiprocessingwhile Python is being upgraded could cause failures in running programs. - Dataclasses without __init__ (gh-142214): Exceptions were raised when using dataclasses that lacked an
__init__method. - Insertdict crashes (gh-142218): Segmentation faults and assertion failures in the dictionary insertion code (
insertdict). - Regex Scanner crash (gh-140797): A crash occurred when using multiple capturing groups in
re.Scanner.
These fixes ensure core functionality remains stable.
What regressions were fixed in Python 3.13.11?
Python 3.13.11 addresses three regressions identical to those in 3.14.2 (except the dataclasses issue):
- Multiprocessing exceptions (gh-142206) – same as above.
- Insertdict crashes (gh-142218) – same as above.
- Regex Scanner crash (gh-140797) – same as above.
By synchronizing critical fixes across branches, the team ensures both the latest and the previous stable series remain robust.
What security vulnerabilities were addressed in these releases?
Both releases include two shared security fixes, plus an extra one for 3.13.11:
- CVE-2025-12084 (gh-142145): Removes quadratic behavior in node ID cache clearing, preventing a potential denial-of-service attack.
- http.server DoS (gh-119452): Fixes a potential virtual memory allocation denial of service in the HTTP server module.
- http.client DoS (gh-119451, 3.13.11 only): Addresses a denial-of-service vulnerability in the HTTP client.
Upgrading is strongly recommended to protect against these threats.
Where can users download the new versions and find full changelogs?
Both releases are available on the official Python downloads page:
Changelogs are linked on those pages, providing a complete list of every bugfix, build improvement, and documentation change. For a quick overview, see the summaries in each release announcement.
Who contributed to these releases and how can the community support Python development?
The releases were prepared by the volunteer release team—Hugo van Kemenade, Thomas Wouters, Ned Deily, Steve Dower, and Łukasz Langa—with contributions from many other volunteers across the Python community. To support future development, you can volunteer your time or make organizational contributions to the Python Software Foundation. Every bit helps keep Python secure and innovative.