Due to awkward CDN caching, some users who downloaded the source code tarballs of Python 3.5.8 got a preliminary version instead of the final version. As best as we can tell, this only affects the .xz release; there are no known instances of users downloading an incorrect version of the .tgz file.

If you downloaded "Python-3.5.8.tar.xz" during the first twelve hours of its release, you might be affected. It's easy to determine this for yourself. The file size (15,382,140 bytes) and MD5 checksum (4464517ed6044bca4fc78ea9ed086c36) published on the release page have always matched the correct version. Also, the GPG signature file will only report a "Good signature" for the correct .xz file (using "gpg --verify").

What's the difference between the two? The only difference is that the final version also merges a fix for Python issue tracker #38243:

https://bugs.python.org/issue38243

The fix adds a call to "html.escape" at a judicious spot, line 896 in Lib/xmlrpc/server.py. The only other changes are one new test, to ensure this new code is working, and an entry in the NEWS file. You can see the complete list of changes here:

https://github.com/python/cpython/pull/16516/files

What should you do? It's up to you.

If you and your users aren't using the XMLRPC library built in to Python, you don't need to worry about which version of 3.5.8 you downloaded.

If you downloaded the .tgz tarball or the Git repo, you already have the correct version.

If you downloaded the xz file and want to make sure you have the fix, check the MD5 sum, and if it's wrong download a fresh copy (and make sure that one matches the known good MD5 sum!).

To smooth over this whole sordid mess, I plan to make a 3.5.9 release in the next day or so. It'll be identical to the 3.5.8 release; its only purpose is to ensure that all users have the same updated source code, including the fix for #38243.

Sorry for the mess, everybody,

//arry/