Python: Security Fix and OpenSSL Updates
Python developers merged a critical pickle module security fix preventing segfaults during concurrent operations, while OpenSSL was upgraded to version 3.5.6 across all platforms.
Duration: PT1M58S
https://podlog.io/listen/python-f98f669e/episode/python-security-fix-and-openssl-updates-cee1baf6
Transcript
This is Python developer news for May 17th, 2026.
Farhan Saif merged a critical security fix for the pickle module that prevents segmentation faults when dictionaries are modified concurrently during pickling operations. The fix adds critical sections around borrowed reference handling in the `_pickle.c` module's `batch_dict_exact()` function. This change has been backported to Python 3.14.
OpenSSL has been upgraded to version 3.5.6 across all Python platforms. Zachary Ware updated Windows builds, Ned Deily handled macOS installer updates, and Russell Keith-Magee updated mobile platforms including iOS and Android. The CI pipeline has also been updated to use OpenSSL 3.5 for testing.
Mani Salahmand clarified documentation for multiprocessing Process arguments, replacing confusing wording about "unpickleable from within the child process" with clearer guidance that arguments usually need to be pickleable for transmission to child processes.
Savage Mechanic documented the flags argument for the `IMAP4.append()` method, specifying that it accepts either `None` or a string of IMAP flag tokens, with examples showing proper formatting.
Serhiy Storchaka restored commented-out test code in the email module's `test_body_encode` function, with the fix backported to Python versions 3.13, 3.14, and 3.15.
Looking ahead: The OpenSSL 3.5.6 upgrade represents a significant infrastructure update that affects security and compatibility across all Python distributions. The pickle security fix addresses potential crashes in multi-threaded applications using the pickle module.
That's your Python development update for today.