An incorrect build was mistakenly distributed in place of Python 3.5.8

Due to a caching error in the content delivery system, attempts to download one of the builds of the corrective release Python 3.5.8, published the day before yesterday, were served a preliminary build that does not contain all the fixes. The problem affected only the Python-3.5.8.tar.xz archive; the Python-3.5.8.tgz build was distributed correctly.

All users who downloaded the Python-3.5.8.tar.xz file in the first 12 hours after release are advised to verify the downloaded data against the checksum (MD5 4464517ed6044bca4fc78ea9ed086c36). Unlike the final release, the preliminary build did not include the fix for vulnerability CVE-2019-16935 in the XML-RPC server code. The vulnerability allowed JavaScript code injection (XSS) through the server_title field due to the lack of angle bracket escaping. An attacker could inject JavaScript if the application sets the server name based on user input (for example, "server.set_server_name('test ')").
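To confirm that an interpreter built from a downloaded archive escapes angle brackets in the XML-RPC documentation page, the generated HTML can be checked directly. The script below is an added example, not part of the original article or of CPython; it uses the standard-library `xmlrpc.server.DocCGIXMLRPCRequestHandler` (which needs no socket), and the probe strings are constructed, inert markers.

```python
import html
import sys
from xmlrpc.server import DocCGIXMLRPCRequestHandler

# Constructed, inert markers: harmless markup that is easy to spot in the page.
TITLE_PROBE = "<i>title-probe</i>"
NAME_PROBE = "<i>name-probe</i>"


def render_docs(title, name):
    """Render the self-documentation page without opening a socket."""
    handler = DocCGIXMLRPCRequestHandler()
    handler.set_server_title(title)
    handler.set_server_name(name)
    return handler.generate_html_documentation()


def is_escaped(page, probe):
    """True if the probe appears only in escaped form in the page."""
    return probe not in page and html.escape(probe) in page


def check_escaping():
    """Report, per field, whether this interpreter escapes angle brackets."""
    page = render_docs(TITLE_PROBE, NAME_PROBE)
    return {
        "server_title": is_escaped(page, TITLE_PROBE),
        "server_name": is_escaped(page, NAME_PROBE),
    }


if __name__ == "__main__":
    result = check_escaping()
    print("Python", sys.version.split()[0], result)
    # Exit non-zero so the check can gate a build or deployment step.
    sys.exit(0 if all(result.values()) else 1)
```

A non-zero exit status means at least one of the two fields reached the page unescaped.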

Source: opennet.ru
