Notice: While JavaScript is not essential for this website, your interaction with the content will be limited. Please turn JavaScript on for the full experience.

Python 3.9.24

Release Date: Oct. 9, 2025

This is a security release of Python 3.9

Note: The release you're looking at is Python 3.9.24, a security bugfix release for the legacy 3.9 series. Python 3.14 is now the latest feature release series of Python 3. Get the latest release of 3.14.x here.

Security content in this release

XML-related

Archive-related

  • gh-130577: tarfile now validates archives to ensure member offsets are non-negative.
  • gh-139700: Now checking consistency of the zip64 end of central directory record. Added support for records with “zip64 extensible data” if there are no bytes prepended to the ZIP file.

HTML parsing-related

  • gh-135661: Fixed parsing start and end tags in html.parser.HTMLParser according to the HTML5 standard.
  • Whitespaces no longer accepted between </ and the tag name. E.g. </ script> does not end the script section.
  • Vertical tabulation (\v) and non-ASCII whitespaces no longer recognized as whitespaces. The only whitespaces are \t\n\r\f and space.
  • Null character (U+0000) no longer ends the tag name.
  • Attributes and slashes after the tag name in end tags are now ignored, instead of terminating after the first > in quoted attribute value. E.g. </script/foo=">"/>.
  • Multiple slashes and whitespaces between the last attribute and closing > are now ignored in both start and end tags. E.g. <a foo=bar/ //>.
  • Multiple = between attribute name and value are no longer collapsed. E.g. <a foo==bar> produces attribute “foo” with value “=bar”.
  • gh-135661: Fixed CDATA section parsing in html.parser.HTMLParser according to the HTML5 standard: ] ]> and ]] > no longer end the CDATA section. Add private method _set_support_cdata() which can be used to specify how to parse <[CDATA[ — as a CDATA section in foreign content (SVG or MathML) or as a bogus comment in the HTML namespace.
  • gh-102555: Fixed comment parsing in html.parser.HTMLParser according to the HTML5 standard. --!> now ends the comment. -- > no longer ends the comment. Support abnormally ended empty comments <--> and <--->.
  • gh-135462: Fixed quadratic complexity in processing specially crafted input in html.parser.HTMLParser. End-of-file errors are now handled according to the HTML5 specs – comments and declarations are automatically closed, tags are ignored.
  • gh-118350: Fixed support of escapable raw text mode (elements “textarea” and “title”) in html.parser.HTMLParser.
  • gh-86155: html.parser.HTMLParser.close() no longer loses data when the <script> tag is not closed.

Other

No installers

According to the release calendar specified in PEP 596, Python 3.9 is now in the "security fixes only" stage of its life cycle: the 3.9 branch only accepts security fixes and releases of those are made irregularly in source-only form until October 2025. Python 3.9 isn't receiving regular bug fixes anymore, and binary installers are no longer provided for it. Python 3.9.13 was the last full bugfix release of Python 3.9 with binary installers.

Full Changelog

Files

Version Operating System Description MD5 Sum File Size Sigstore GPG
Gzipped source tarball Source release 86920338d557f26b01c9c4ebe1a1db09 25.3 MB .sigstore SIG
XZ compressed source tarball Source release d778f94c0f141ef1d9945f7452fa914d 19.2 MB .sigstore SIG