Update: 8th December 2015:
The Python Foundation have released Python 3.5.1. Please see this more recent blog post for details.
Last weekend, the Python Foundation made available version 3.5.0 of Python. This 3.5.0 update is significant since it incorporates the following noteworthy changes:
- 7 buffer overreads resolved (out-of-bounds reads, essentially a form of buffer overflow)
- 10 integer overflows resolved (11 other general overflows resolved)
- 1 use after free and 1 double free issue resolved
- 1 CVE (defined) resolved (it fixed a function returning too much data, a possible buffer overflow)
- Improved parsing of HTTP cookies to resolve a possible security issue
- Improved URL handling by CGIHTTPServer to prevent a security issue
- Resolved an arbitrary code execution vulnerability in the dbm.dumb module
- Disables SSL v3 (it can still be re-enabled manually; see the heading “Security improvements” for details) while prioritizing the use of perfect forward secrecy (defined).
The full changelog is available here.
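The SSL v3 and forward-secrecy changes above can be checked from Python itself. The following is an added example, not code from the post or from the Python project: it builds a client context the way 3.5 and later do by default, compares it with a context whose cipher list permits static RSA key exchange, and reports both properties. The cipher strings are constructed for the example, and `get_ciphers()` is assumed to be available (it was added in 3.6).

```python
import ssl

# Constructed cipher strings for this example (not from the post).
# Only ephemeral (EC)DHE key exchange provides perfect forward secrecy.
PFS_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4"
# Static RSA key exchange: recorded sessions can be decrypted later if the key leaks.
STATIC_RSA_CIPHERS = "AES128-GCM-SHA256"


def hardened_context() -> ssl.SSLContext:
    """Client context as 3.5+ builds it, tightened to PFS-only suites."""
    ctx = ssl.create_default_context()  # SSLv2/SSLv3 off, PFS preferred since 3.5
    ctx.set_ciphers(PFS_CIPHERS)        # go further: refuse non-ephemeral exchange
    return ctx


def weak_context() -> ssl.SSLContext:
    """Same defaults, but the cipher list permits static RSA key exchange."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers(STATIC_RSA_CIPHERS)
    return ctx


def sslv3_disabled(ctx: ssl.SSLContext) -> bool:
    """True when the OP_NO_SSLv3 bit is set in the context's options."""
    return bool(ctx.options & ssl.OP_NO_SSLv3)


def _forward_secret(cipher: dict) -> bool:
    # TLS 1.3 suites always use ephemeral (EC)DHE; TLS 1.2 suites show it in the name.
    return cipher["protocol"] == "TLSv1.3" or "DHE" in cipher["name"]


def pfs_only(ctx: ssl.SSLContext) -> bool:
    """True when every enabled suite provides forward secrecy (needs 3.6+ get_ciphers)."""
    return all(_forward_secret(c) for c in ctx.get_ciphers())


def audit(ctx: ssl.SSLContext) -> dict:
    """Summarise the two properties the 3.5.0 release notes call out."""
    return {"sslv3_disabled": sslv3_disabled(ctx), "pfs_only": pfs_only(ctx)}


if __name__ == "__main__":
    print("hardened:", audit(hardened_context()))  # both True
    print("weak:    ", audit(weak_context()))      # pfs_only is False
```

Run against your own application's context (for example the one `urllib` or `http.client` uses) to confirm that a library or framework has not quietly re-enabled SSL v3 or a non-PFS cipher list.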
While none of the above overflows or the use after free/double free bugs have been assigned CVE numbers or are explicitly reported as security vulnerabilities, it is still best practice to patch them if you are using an affected version of Python.
If you have an older release of Python installed e.g. 3.4.3 or older, please consider upgrading to the most recent 3.5.0 update to benefit from the above mentioned fixes.
As a routine precaution, I would recommend backing up the data on any device on which you are installing updates, so that data is not lost in the rare event that an update causes unexpected issues.