import CS python-pip-21.2.3-8.el9

SPECS/python-pip.spec

@@ -21,7 +21,7 @@
 
 Name:           python-%{srcname}
 Version:        %{base_version}%{?prerel:~%{prerel}}
-Release:        7%{?dist}
+Release:        8%{?dist}
 Summary:        A tool for installing and managing Python packages
 
 # We bundle a lot of libraries with pip, which itself is under MIT license.
@@ -196,6 +196,10 @@ BuildRequires:  python%{python3_pkgversion}-wheel
 BuildRequires:  ca-certificates
 Requires:       ca-certificates
 
+# pip has to require explicit version of python3 that provides
+# filters in tarfile module (fix for CVE-2007-4559).
+Requires:       python3 >= 3.9.17-2
+
 # This was previously required and we keep it recommended because a lot of
 # sdists installed via pip will try to import setuptools.
 # But pip doesn't actually require setuptools.
@@ -241,10 +245,11 @@ Requires:       ca-certificates
 Provides:       %{name}-wheel = %{version}-%{release}
 Obsoletes:      %{name}-wheel < %{version}-%{release}
 
-# Older versions of python3-libs expect Python wheels at the old unversioned
+# Older versions of python3-libs (< 3.9.9-2) expect Python wheels at the old unversioned
 # location, so we conflict with the old Python versions that wouldn't work with
 # the new wheel location.
-Conflicts:      python3-libs < 3.9.9-2
+# Moreover, Python older than (3.9.16-2) does not provide tarfile filters (fix for CVE-2007-4559).
+Conflicts:      python3-libs < 3.9.17-2
 
 # Virtual provides for the packages bundled by pip:
 %{bundled 3}
@@ -411,6 +416,10 @@ pytest_k='not completion and
 %{python_wheel_dir}/%{python_wheel_name}
 
 %changelog
+* Wed Feb 14 2024 Lumír Balhar <lbalhar@redhat.com> - 21.2.3-8
+- Require Python with tarfile filters
+Resolves: RHEL-25451
+
 * Tue Aug 08 2023 Petr Viktorin <pviktori@redhat.com> - 21.2.3-7
 - Use tarfile.data_filter for extracting (CVE-2007-4559, PEP-721, PEP-706)
 Resolves: RHBZ#2207997