Due to awkward CDN caching, some users who downloaded the source code tarballs of Python 3.5.8 got a preliminary version instead of the final version. As best as we can tell, this only affects the .xz release; there are no known instances of users downloading an incorrect version of the .tgz file.
If you downloaded "Python-3.5.8.tar.xz" during the first twelve hours of its release, you might be affected. It's easy to determine this for yourself. The file size (15,382,140 bytes) and MD5 checksum (4464517ed6044bca4fc78ea9ed086c36) published on the release page have always matched the correct version. Also, the GPG signature file will only report a "Good signature" for the correct .xz file (using "gpg --verify").
What's the difference between the two? The only difference is that the final version also merges a fix for Python issue tracker #38243:
The fix adds a call to "html.escape" at a judicious spot, line 896 in Lib/xmlrpc/server.py. The only other changes are one new test, to ensure this new code is working, and an entry in the NEWS file. You can see the complete list of changes here:
What should you do? It's up to you.
To smooth over this whole sordid mess, I plan to make a 3.5.9 release in the next day or so. It'll be identical to the 3.5.8 release; its only purpose is to ensure that all users have the same updated source code, including the fix for #38243.
Sorry for the mess, everybody,