Release Date: April 4, 2021

This is the fourth maintenance release of Python 3.9

Note: The release you're looking at is Python 3.9.4, a bugfix release for the legacy 3.9 series. Python 3.11 is now the latest feature release series of Python 3. Get the latest release of 3.11.x here.

Python 3.9.4 is a hotfix release addressing an unintentional ABI incompatibility introduced in Python 3.9.3. Upgrading is highly recommended to all users. Details in bpo-43710.

To reiterate, Python 3.9.3 was itself an expedited release due to its security content:

• bpo-43631: high-severity CVE-2021-3449 and CVE-2021-3450 were published for OpenSSL, it's been upgraded to 1.1.1k in CI, and macOS and Windows installers.
• bpo-42988: CVE-2021-3426: Remove the getfile feature of the pydoc module which could be abused to read arbitrary files on the disk (directory traversal vulnerability). Moreover, even source code of Python modules can contain sensitive data like passwords. Vulnerability reported by David Schwörer.
• bpo-43285: ftplib no longer trusts the IP address value returned from the server in response to the PASV command by default. This prevents a malicious FTP server from using the response to probe IPv4 address and port combinations on the client network. Code that requires the former vulnerable behavior may set a trust_server_pasv_ipv4_address attribute on their ftplib.FTP instances to True to re-enable it.
• bpo-43439: Add audit hooks for gc.get_objects(), gc.get_referrers() and gc.get_referents(). Patch by Pablo Galindo.

Major new features of the 3.9 series, compared to 3.8

Some of the new major new features and changes in Python 3.9 are:

• PEP 573, Module State Access from C Extension Methods
• PEP 584, Union Operators in dict
• PEP 585, Type Hinting Generics In Standard Collections
• PEP 593, Flexible function and variable annotations
• PEP 602, Python adopts a stable annual release cadence
• PEP 614, Relaxing Grammar Restrictions On Decorators
• PEP 615, Support for the IANA Time Zone Database in the Standard Library
• PEP 616, String methods to remove prefixes and suffixes
• PEP 617, New PEG parser for CPython
• BPO 38379, garbage collection does not block on resurrected objects;
• BPO 38692, os.pidfd_open added that allows process management without races and signals;
• BPO 39926, Unicode support updated to version 13.0.0;
• BPO 1635741, when Python is initialized multiple times in the same process, it does not leak memory anymore;
• A number of Python builtins (range, tuple, set, frozenset, list, dict) are now sped up using PEP 590 vectorcall;
• A number of Python modules (_abc, audioop, _bz2, _codecs, _contextvars, _crypt, _functools, _json, _locale, operator, resource, time, _weakref) now use multiphase initialization as defined by PEP 489;
• A number of standard library modules (audioop, ast, grp, _hashlib, pwd, _posixsubprocess, random, select, struct, termios, zlib) are now using the stable ABI defined by PEP 384.

You can find a more comprehensive list in this release's "What's New" document.

More resources

• Online Documentation
• PEP 596, 3.9 Release Schedule
• Report bugs at https://bugs.python.org.
• Help fund Python and its community.

Full Changelog