Python: Security Patches and Site Module Fix
CPython received security updates, including an ftplib fix for CVE-2021-4189 and an upgrade of the bundled expat library, plus a fix for a site module re-entrancy bug that broke interpreter startup with some .pth files. Twenty merged pull requests address security, performance, and platform compatibility.
Duration: PT1M57S
Transcript
Good morning. This is your Python developer briefing for May 14th, 2026.
Gregory Smith merged a critical security fix for the ftplib module, addressing CVE-2021-4189 where the ftpcp function bypassed existing PASV protections, potentially allowing malicious FTP servers to redirect data connections. Stan Ulbrych updated the bundled expat library to version 2.8.1, addressing security vulnerabilities in XML parsing.
Barry Warsaw resolved a significant re-entrancy bug in the site module where .pth files calling site.addsitedir could crash with RuntimeError during startup, breaking tools like uv run. The fix implements a state class to manage site processing and prevent structural re-entrancy issues.
Kumar Aditya improved descriptor performance scaling in free-threading builds, while Petr Viktorin standardized private C macro naming with the _Py prefix and updated the xxlimited module for Python 3.15's limited API.
Multiple email parser fixes were backported across Python versions 3.13 through 3.15, correcting RFC 2047 whitespace handling in address headers that could cause extraneous spaces in display names.
Carlo Bramini contributed several Cygwin-specific improvements: enabling arc4random_buf usage, fixing dynamic loading file extensions, and correcting file descriptor handling in subprocess operations.
Additional updates include gzip header corruption checks, stricter XML encoding tests, and UDP Lite test compatibility fixes for newer Linux kernels.
What's next: Security patches are being backported across supported Python versions, and platform-specific improvements continue for Windows and Cygwin compatibility.
That's your Python update for today.
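An added example for the ftplib item above; it is not part of the briefing and not CPython's own patch. It uses CPython's `ftplib.parse227` to show the two behaviours side by side: the naive path, which connects to whatever host the server puts in its "227 Entering Passive Mode" reply (what the briefing says `ftpcp` did), and the `FTP.makepasv()` policy, which keeps only the port and reuses the control connection's peer address unless `trust_server_pasv_ipv4_address` is set. The addresses and replies are constructed; the function names are this example's own.

```python
"""Why a server-supplied PASV address must not be trusted, and the policy
FTP.makepasv() applies (the protection the briefing says ftpcp bypassed).

Constructed example: the 227 replies and IP addresses below are made up."""
import ipaddress
from ftplib import parse227  # CPython's parser for "227 ... (h1,h2,h3,h4,p1,p2)"


def naive_pasv_target(pasv_response: str) -> tuple[str, int]:
    """Pre-fix ftpcp() behaviour: open the data connection wherever the
    server's 227 reply says, with no check against the control peer."""
    return parse227(pasv_response)


def hardened_pasv_target(pasv_response: str, control_peer_ip: str,
                         trust_server_pasv_ipv4_address: bool = False) -> tuple[str, int]:
    """Mirror FTP.makepasv(): take the port from the 227 reply, but unless the
    caller opted in, talk to the same host the control connection is already
    connected to. parse227() raises ftplib.error_reply for non-227 responses,
    and that propagates unchanged."""
    untrusted_host, port = parse227(pasv_response)
    host = untrusted_host if trust_server_pasv_ipv4_address else control_peer_ip
    return host, port


def classify_redirect(pasv_response: str, control_peer_ip: str) -> str:
    """Describe what a naive client would have done with this reply:
    'same-host' when the advertised address is the control peer, otherwise
    'internal-redirect' (private, loopback or link-local target, i.e. the
    server steering the client at hosts behind the client's firewall) or
    'external-redirect'."""
    advertised, _ = parse227(pasv_response)
    if advertised == control_peer_ip:
        return "same-host"
    addr = ipaddress.ip_address(advertised)
    if addr.is_private or addr.is_loopback or addr.is_link_local:
        return "internal-redirect"
    return "external-redirect"


if __name__ == "__main__":
    control_peer = "203.0.113.7"  # constructed: where the control socket is connected
    honest = "227 Entering Passive Mode (203,0,113,7,195,80)."  # port 195*256+80 = 50000
    hostile = "227 Entering Passive Mode (10,0,0,5,0,22)."      # tries to aim the client at 10.0.0.5:22
    for reply in (honest, hostile):
        print(classify_redirect(reply, control_peer),
              "naive:", naive_pasv_target(reply),
              "hardened:", hardened_pasv_target(reply, control_peer))
```

The practical check for your own code is the same one the fix makes in ftplib: any place that calls `parse227` (or hand-parses a 227 line) instead of going through `makepasv()` is a place where the server, not you, chooses the data-connection target.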
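An added regression check for the site module item above; it is not part of the briefing and not CPython's fix. It builds the situation the briefing describes, a .pth file whose `import` line calls `site.addsitedir()` while the outer directory is still being processed, and reports whether both directories land on `sys.path` without a RuntimeError. The layout, file names and module name are constructed, and the re-entrant call is exercised at runtime through a direct `site.addsitedir()` call rather than during interpreter startup, which is where the briefing says tools like `uv run` hit the crash.

```python
"""Regression check for a re-entrant site.addsitedir() call made from a .pth file.

Constructed example: directory layout and module name are made up; the
re-entrant path is driven at runtime, not from interpreter startup."""
import os
import shutil
import site
import sys
import tempfile
import textwrap

HOOK_MODULE = "_demo_reentrant_pth_hook"  # constructed module name


def build_reentrant_layout(workdir: str) -> tuple[str, str]:
    """Create <workdir>/site-packages holding a .pth that imports a module
    which, while that .pth is still being processed, adds <workdir>/nested
    via site.addsitedir(). Returns (sitedir, nested)."""
    sitedir = os.path.join(workdir, "site-packages")
    nested = os.path.join(workdir, "nested")
    os.makedirs(sitedir)
    os.makedirs(nested)
    with open(os.path.join(sitedir, HOOK_MODULE + ".py"), "w", encoding="utf-8") as f:
        f.write(textwrap.dedent(f"""\
            import site
            site.addsitedir({nested!r})   # the re-entrant call
        """))
    # 'import ...' lines in a .pth are exec'd by site.addpackage(); the module is
    # importable because addsitedir() appends sitedir to sys.path before it reads .pth files
    with open(os.path.join(sitedir, "zz_reentrant.pth"), "w", encoding="utf-8") as f:
        f.write(f"import {HOOK_MODULE}\n")
    return sitedir, nested


def exercise_reentrant_pth() -> dict:
    """Run the re-entrant path in a throwaway directory and report the outcome.
    Note that addpackage() swallows exceptions raised while exec'ing a .pth
    line (it prints them to stderr), so a failure inside the nested call shows
    up as nested_added == False rather than as a propagated error."""
    workdir = tempfile.mkdtemp(prefix="pth-reentrancy-")
    sitedir, nested = build_reentrant_layout(workdir)
    result = {"ok": False, "error": None, "sitedir_added": False, "nested_added": False}
    try:
        site.addsitedir(sitedir)
    except RuntimeError as exc:  # the failure mode the briefing describes
        result["error"] = repr(exc)
    result["sitedir_added"] = sitedir in sys.path
    result["nested_added"] = nested in sys.path
    result["ok"] = result["error"] is None and result["sitedir_added"] and result["nested_added"]
    # undo the side effects so the check is safe to run inside a larger process
    sys.path[:] = [p for p in sys.path if p not in (sitedir, nested)]
    sys.modules.pop(HOOK_MODULE, None)
    sys.path_importer_cache.pop(sitedir, None)
    sys.path_importer_cache.pop(nested, None)
    shutil.rmtree(workdir, ignore_errors=True)
    return result


if __name__ == "__main__":
    print(exercise_reentrant_pth())
```

Run it under each interpreter you ship: an interpreter affected by the bug reports `ok: False`, either with the RuntimeError captured or with `nested_added` false after addpackage printed the swallowed traceback to stderr.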