From 1b6ca3feb0d2972c49c3833e4da91bf378721f68 Mon Sep 17 00:00:00 2001
From: eabdullin <eabdullin@almalinux.org>
Date: Thu, 21 Sep 2023 20:02:28 +0000
Subject: [PATCH] import CS python3.11-3.11.4-3.el9

---
 .gitignore                         |   3 +-
 .python3.11.metadata               |   3 +-
 SOURCES/00397-tarfile-filter.patch | 361 +++++++++++++++++++++++++++++
 SOURCES/Python-3.11.2.tar.xz.asc   |  16 --
 SOURCES/Python-3.11.4.tar.xz.asc   |  16 ++
 SOURCES/pgp_keys.asc               | 109 +++++++++
 SPECS/python3.11.spec              |  29 ++-
 7 files changed, 514 insertions(+), 23 deletions(-)
 create mode 100644 SOURCES/00397-tarfile-filter.patch
 delete mode 100644 SOURCES/Python-3.11.2.tar.xz.asc
 create mode 100644 SOURCES/Python-3.11.4.tar.xz.asc
 create mode 100644 SOURCES/pgp_keys.asc

diff --git a/.gitignore b/.gitignore
index 724e5cb..245fd29 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1 @@
-SOURCES/Python-3.11.2.tar.xz
-SOURCES/pgp_keys.asc
+SOURCES/Python-3.11.4.tar.xz
diff --git a/.python3.11.metadata b/.python3.11.metadata
index 0e4f954..6c4d744 100644
--- a/.python3.11.metadata
+++ b/.python3.11.metadata
@@ -1,2 +1 @@
-ae1c199ecb7a969588b15354e19e7b60cb65d1b9 SOURCES/Python-3.11.2.tar.xz
-befe131eceffa73877ba3adceca3b7b1da1d2319 SOURCES/pgp_keys.asc
+413b3715d919a7b473281529ab91eeea5c82e632 SOURCES/Python-3.11.4.tar.xz
diff --git a/SOURCES/00397-tarfile-filter.patch b/SOURCES/00397-tarfile-filter.patch
new file mode 100644
index 0000000..bd8f98f
--- /dev/null
+++ b/SOURCES/00397-tarfile-filter.patch
@@ -0,0 +1,361 @@
+From f36519078bde3cce4328c03fffccb846121fb5bc Mon Sep 17 00:00:00 2001
+From: Petr Viktorin <encukou@gmail.com>
+Date: Wed, 9 Aug 2023 20:23:03 +0200
+Subject: [PATCH] Fix symlink handling for tarfile.data_filter
+
+---
+ Doc/library/tarfile.rst  |  5 +++++
+ Lib/tarfile.py           |  9 ++++++++-
+ Lib/test/test_tarfile.py | 26 ++++++++++++++++++++++++--
+ 3 files changed, 37 insertions(+), 3 deletions(-)
+
+diff --git a/Doc/library/tarfile.rst b/Doc/library/tarfile.rst
+index 00f3070324e..e0511bfeb64 100644
+--- a/Doc/library/tarfile.rst
++++ b/Doc/library/tarfile.rst
+@@ -740,6 +740,11 @@ A ``TarInfo`` object has the following public data attributes:
+    Name of the target file name, which is only present in :class:`TarInfo` objects
+    of type :const:`LNKTYPE` and :const:`SYMTYPE`.
+ 
++   For symbolic links (``SYMTYPE``), the linkname is relative to the directory
++   that contains the link.
++   For hard links (``LNKTYPE``), the linkname is relative to the root of
++   the archive.
++
+ 
+ .. attribute:: TarInfo.uid
+    :type: int
+diff --git a/Lib/tarfile.py b/Lib/tarfile.py
+index df4e41f7a0d..d62323715b4 100755
+--- a/Lib/tarfile.py
++++ b/Lib/tarfile.py
+@@ -802,7 +802,14 @@ def _get_filtered_attrs(member, dest_path, for_data=True):
+         if member.islnk() or member.issym():
+             if os.path.isabs(member.linkname):
+                 raise AbsoluteLinkError(member)
+-            target_path = os.path.realpath(os.path.join(dest_path, member.linkname))
++            if member.issym():
++                target_path = os.path.join(dest_path,
++                                           os.path.dirname(name),
++                                           member.linkname)
++            else:
++                target_path = os.path.join(dest_path,
++                                           member.linkname)
++            target_path = os.path.realpath(target_path)
+             if os.path.commonpath([target_path, dest_path]) != dest_path:
+                 raise LinkOutsideDestinationError(member, target_path)
+     return new_attrs
+diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
+index 2eda7fc4cea..79fc35c2895 100644
+--- a/Lib/test/test_tarfile.py
++++ b/Lib/test/test_tarfile.py
+@@ -3337,10 +3337,12 @@ def __exit__(self, *exc):
+         self.bio = None
+ 
+     def add(self, name, *, type=None, symlink_to=None, hardlink_to=None,
+-            mode=None, **kwargs):
++            mode=None, size=None, **kwargs):
+         """Add a member to the test archive. Call within `with`."""
+         name = str(name)
+         tarinfo = tarfile.TarInfo(name).replace(**kwargs)
++        if size is not None:
++            tarinfo.size = size
+         if mode:
+             tarinfo.mode = _filemode_to_int(mode)
+         if symlink_to is not None:
+@@ -3416,7 +3418,8 @@ def check_context(self, tar, filter):
+                 raise self.raised_exception
+             self.assertEqual(self.expected_paths, set())
+ 
+-    def expect_file(self, name, type=None, symlink_to=None, mode=None):
++    def expect_file(self, name, type=None, symlink_to=None, mode=None,
++                    size=None):
+         """Check a single file. See check_context."""
+         if self.raised_exception:
+             raise self.raised_exception
+@@ -3445,6 +3448,8 @@ def expect_file(self, name, type=None, symlink_to=None, mode=None):
+             self.assertTrue(path.is_fifo())
+         else:
+             raise NotImplementedError(type)
++        if size is not None:
++            self.assertEqual(path.stat().st_size, size)
+         for parent in path.parents:
+             self.expected_paths.discard(parent)
+ 
+@@ -3649,6 +3654,22 @@ def test_sly_relative2(self):
+                     + """['"].*moo['"], which is outside the """
+                     + "destination")
+ 
++    def test_deep_symlink(self):
++        with ArchiveMaker() as arc:
++            arc.add('targetdir/target', size=3)
++            arc.add('linkdir/hardlink', hardlink_to='targetdir/target')
++            arc.add('linkdir/symlink', symlink_to='../targetdir/target')
++
++        for filter in 'tar', 'data', 'fully_trusted':
++            with self.check_context(arc.open(), filter):
++                self.expect_file('targetdir/target', size=3)
++                self.expect_file('linkdir/hardlink', size=3)
++                if os_helper.can_symlink():
++                    self.expect_file('linkdir/symlink', size=3,
++                                     symlink_to='../targetdir/target')
++                else:
++                    self.expect_file('linkdir/symlink', size=3)
++
+     def test_modes(self):
+         # Test how file modes are extracted
+         # (Note that the modes are ignored on platforms without working chmod)
+-- 
+2.41.0
+
+From 8b70605b594b3831331a9340ba764ff751871612 Mon Sep 17 00:00:00 2001
+From: Petr Viktorin <encukou@gmail.com>
+Date: Mon, 6 Mar 2023 17:24:24 +0100
+Subject: [PATCH] CVE-2007-4559, PEP-706: Add filters for tarfile extraction
+ (downstream)
+
+Add and test RHEL-specific ways of configuring the default behavior: environment
+variable and config file.
+---
+ Lib/tarfile.py           |  42 +++++++++++++
+ Lib/test/test_shutil.py  |   3 +-
+ Lib/test/test_tarfile.py | 128 ++++++++++++++++++++++++++++++++++++++-
+ 3 files changed, 169 insertions(+), 4 deletions(-)
+
+diff --git a/Lib/tarfile.py b/Lib/tarfile.py
+index 130b5e0..3b7d8d5 100755
+--- a/Lib/tarfile.py
++++ b/Lib/tarfile.py
+@@ -72,6 +72,13 @@ __all__ = ["TarFile", "TarInfo", "is_tarfile", "TarError", "ReadError",
+            "ENCODING", "USTAR_FORMAT", "GNU_FORMAT", "PAX_FORMAT",
+            "DEFAULT_FORMAT", "open"]
+ 
++# If true, use the safer (but backwards-incompatible) 'tar' extraction filter,
++# rather than 'fully_trusted', by default.
++# The emitted warning is changed to match.
++_RH_SAFER_DEFAULT = True
++
++# System-wide configuration file
++_CONFIG_FILENAME = '/etc/python/tarfile.cfg'
+ 
+ #---------------------------------------------------------
+ # tar constants
+@@ -2211,6 +2218,41 @@ class TarFile(object):
+         if filter is None:
+             filter = self.extraction_filter
+             if filter is None:
++                name = os.environ.get('PYTHON_TARFILE_EXTRACTION_FILTER')
++                if name is None:
++                    try:
++                        file = bltn_open(_CONFIG_FILENAME)
++                    except FileNotFoundError:
++                        pass
++                    else:
++                        import configparser
++                        conf = configparser.ConfigParser(
++                            interpolation=None,
++                            comment_prefixes=('#', ),
++                        )
++                        with file:
++                            conf.read_file(file)
++                        name = conf.get('tarfile',
++                                        'PYTHON_TARFILE_EXTRACTION_FILTER',
++                                        fallback='')
++                if name:
++                    try:
++                        filter = _NAMED_FILTERS[name]
++                    except KeyError:
++                        raise ValueError(f"filter {filter!r} not found") from None
++                    self.extraction_filter = filter
++                    return filter
++                if _RH_SAFER_DEFAULT:
++                    warnings.warn(
++                        'The default behavior of tarfile extraction has been '
++                        + 'changed to disallow common exploits '
++                        + '(including CVE-2007-4559). '
++                        + 'By default, absolute/parent paths are disallowed '
++                        + 'and some mode bits are cleared. '
++                        + 'See https://access.redhat.com/articles/7004769 '
++                        + 'for more details.',
++                        RuntimeWarning)
++                    return tar_filter
+                 return fully_trusted_filter
+             if isinstance(filter, str):
+                 raise TypeError(
+diff --git a/Lib/test/test_shutil.py b/Lib/test/test_shutil.py
+index 9bf4145..f247b82 100644
+--- a/Lib/test/test_shutil.py
++++ b/Lib/test/test_shutil.py
+@@ -1665,7 +1665,8 @@ class TestArchives(BaseTest, unittest.TestCase):
+     def check_unpack_tarball(self, format):
+         self.check_unpack_archive(format, filter='fully_trusted')
+         self.check_unpack_archive(format, filter='data')
+-        with warnings_helper.check_no_warnings(self):
++        with warnings_helper.check_warnings(
++                ('.*CVE-2007-4559', RuntimeWarning)):
+             self.check_unpack_archive(format)
+ 
+     def test_unpack_archive_tar(self):
+diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
+index cdea033..4724285 100644
+--- a/Lib/test/test_tarfile.py
++++ b/Lib/test/test_tarfile.py
+@@ -2,7 +2,7 @@ import sys
+ import os
+ import io
+ from hashlib import sha256
+-from contextlib import contextmanager
++from contextlib import contextmanager, ExitStack
+ from random import Random
+ import pathlib
+ import shutil
+@@ -2999,7 +2999,11 @@ class NoneInfoExtractTests(ReadTest):
+         tar = tarfile.open(tarname, mode='r', encoding="iso8859-1")
+         cls.control_dir = pathlib.Path(TEMPDIR) / "extractall_ctrl"
+         tar.errorlevel = 0
+-        tar.extractall(cls.control_dir, filter=cls.extraction_filter)
++        with ExitStack() as cm:
++            if cls.extraction_filter is None:
++                cm.enter_context(warnings.catch_warnings())
++                warnings.simplefilter(action="ignore", category=RuntimeWarning)
++            tar.extractall(cls.control_dir, filter=cls.extraction_filter)
+         tar.close()
+         cls.control_paths = set(
+             p.relative_to(cls.control_dir)
+@@ -3674,7 +3678,8 @@ class TestExtractionFilters(unittest.TestCase):
+         """Ensure the default filter does not warn (like in 3.12)"""
+         with ArchiveMaker() as arc:
+             arc.add('foo')
+-        with warnings_helper.check_no_warnings(self):
++        with warnings_helper.check_warnings(
++                ('.*CVE-2007-4559', RuntimeWarning)):
+             with self.check_context(arc.open(), None):
+                 self.expect_file('foo')
+ 
+@@ -3844,6 +3849,123 @@ class TestExtractionFilters(unittest.TestCase):
+             self.expect_exception(TypeError)  # errorlevel is not int
+ 
+ 
++    @contextmanager
++    def rh_config_context(self, config_lines=None):
++        """Set up for testing various ways of overriding the default filter
++
++        return a triple with:
++        - temporary directory
++        - EnvironmentVarGuard()
++        - a test archive for use with check_* methods below
++
++        If config_lines is given, write them to the config file. Otherwise
++        the config file is missing.
++        """
++        tempdir = pathlib.Path(TEMPDIR) / 'tmp'
++        configfile = tempdir / 'tarfile.cfg'
++        with ArchiveMaker() as arc:
++            arc.add('good')
++            arc.add('ugly', symlink_to='/etc/passwd')
++            arc.add('../bad')
++        with (
++                os_helper.temp_dir(tempdir),
++                support.swap_attr(tarfile, '_CONFIG_FILENAME', str(configfile)),
++                os_helper.EnvironmentVarGuard() as env,
++                arc.open() as tar,
++        ):
++            if config_lines is not None:
++                with configfile.open('w') as f:
++                    for line in config_lines:
++                        print(line, file=f)
++            yield tempdir, env, tar
++
++    def check_rh_default_behavior(self, tar, tempdir):
++        """Check RH default: warn and refuse to extract dangerous files."""
++        with (
++                warnings_helper.check_warnings(
++                    ('.*CVE-2007-4559', RuntimeWarning)),
++                self.assertRaises(tarfile.OutsideDestinationError),
++        ):
++            tar.extractall(tempdir / 'outdir')
++
++    def check_trusted_default(self, tar, tempdir):
++        """Check 'fully_trusted' is configured as the default filter."""
++        with (
++                warnings_helper.check_no_warnings(self),
++        ):
++            tar.extractall(tempdir / 'outdir')
++            self.assertTrue((tempdir / 'outdir/good').exists())
++            self.assertEqual((tempdir / 'outdir/ugly').readlink(),
++                             pathlib.Path('/etc/passwd'))
++            self.assertTrue((tempdir / 'bad').exists())
++
++    def test_rh_default_no_conf(self):
++        with self.rh_config_context() as (tempdir, env, tar):
++            self.check_rh_default_behavior(tar, tempdir)
++
++    def test_rh_default_from_file(self):
++        lines = ['[tarfile]', 'PYTHON_TARFILE_EXTRACTION_FILTER=fully_trusted']
++        with self.rh_config_context(lines) as (tempdir, env, tar):
++            self.check_trusted_default(tar, tempdir)
++
++    def test_rh_empty_config_file(self):
++        """Empty config file -> default behavior"""
++        lines = []
++        with self.rh_config_context(lines) as (tempdir, env, tar):
++            self.check_rh_default_behavior(tar, tempdir)
++
++    def test_empty_config_section(self):
++        """Empty section in config file -> default behavior"""
++        lines = ['[tarfile]']
++        with self.rh_config_context(lines) as (tempdir, env, tar):
++            self.check_rh_default_behavior(tar, tempdir)
++
++    def test_rh_default_empty_config_option(self):
++        """Empty option value in config file -> default behavior"""
++        lines = ['[tarfile]', 'PYTHON_TARFILE_EXTRACTION_FILTER=']
++        with self.rh_config_context(lines) as (tempdir, env, tar):
++            self.check_rh_default_behavior(tar, tempdir)
++
++    def test_bad_config_option(self):
++        """Bad option value in config file -> ValueError"""
++        lines = ['[tarfile]', 'PYTHON_TARFILE_EXTRACTION_FILTER=unknown!']
++        with self.rh_config_context(lines) as (tempdir, env, tar):
++            with self.assertRaises(ValueError):
++                tar.extractall(tempdir / 'outdir')
++
++    def test_default_from_envvar(self):
++        with self.rh_config_context() as (tempdir, env, tar):
++            env['PYTHON_TARFILE_EXTRACTION_FILTER'] = 'fully_trusted'
++            self.check_trusted_default(tar, tempdir)
++
++    def test_empty_envvar(self):
++        """Empty env variable -> default behavior"""
++        with self.rh_config_context() as (tempdir, env, tar):
++            env['PYTHON_TARFILE_EXTRACTION_FILTER'] = ''
++            self.check_rh_default_behavior(tar, tempdir)
++
++    def test_bad_envvar(self):
++        with self.rh_config_context() as (tempdir, env, tar):
++            env['PYTHON_TARFILE_EXTRACTION_FILTER'] = 'unknown!'
++            with self.assertRaises(ValueError):
++                tar.extractall(tempdir / 'outdir')
++
++    def test_envvar_overrides_file(self):
++        lines = ['[tarfile]', 'PYTHON_TARFILE_EXTRACTION_FILTER=data']
++        with self.rh_config_context(lines) as (tempdir, env, tar):
++            env['PYTHON_TARFILE_EXTRACTION_FILTER'] = 'fully_trusted'
++            self.check_trusted_default(tar, tempdir)
++
++    def test_monkeypatch_overrides_envvar(self):
++        with self.rh_config_context(None) as (tempdir, env, tar):
++            env['PYTHON_TARFILE_EXTRACTION_FILTER'] = 'data'
++            with support.swap_attr(
++                    tarfile.TarFile, 'extraction_filter',
++                    staticmethod(tarfile.fully_trusted_filter)
++            ):
++                self.check_trusted_default(tar, tempdir)
++
++
+ def setUpModule():
+     os_helper.unlink(TEMPDIR)
+     os.makedirs(TEMPDIR)
+-- 
+2.41.0
+
diff --git a/SOURCES/Python-3.11.2.tar.xz.asc b/SOURCES/Python-3.11.2.tar.xz.asc
deleted file mode 100644
index 1cd2b66..0000000
--- a/SOURCES/Python-3.11.2.tar.xz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmPiV84ACgkQ/+h0BBaL
-2EeZ1xAAwBi0AEjUlZ9oeC54VuqC/XLuVwc3xWf+Irw/5mJA2/weJHoQqG9aEDkB
-ph1pDJ6G/vDyKdjh8NZKkKftIL9pggRpAcA4mQ3XcDMKI/J+EQe5P/BwsTGClLhK
-cZg6IcQKZvo9djfyRz48w9wfKs34NasBgoFQP+hOzmU10UMrcR7gUSB2ZgMVMDID
-0rK1w2aPmZmDLUltBhf6Xb2voUYo+3jINLHWmQC6tdDOBxtxv222dhxS1mvpV7Zu
-Xw8do9OsQxonc+owkpciMKDLcFoVmkdQPz9bmvHJKovMXT2RY7FEam9H7ukr35fC
-xA6BKnyMgvWIWQVTwjBhcz3C85adzAz/ypHNTbJOuPxp1ZP8qO3D6vPlhZIFyTeJ
-7LhagUBUkIKKtbz7u3ERJgvA6tn3UVyLOXM1DnaKkXQ1FgSymgWPRU7BsxanQ8FD
-QkfTjC8fatZLCewNfGInkeAdLue+rMwZc8Q6vw2CAmcVdOKsQ98Db/FLF5sC+Kjz
-D3brUESEX1ELcVk7vumUI0/z+MECF11dpv5hPOZ4cZDoInsNu846TfU0rzOeVe7H
-gGO6Ae/Lu5gG09TNqepbFGA/dWR8V3zdLs5ZShTT4FsNFrHh7GDAEAMZSwT3AsVZ
-TjOdU3+xEGsEfrYWRXOkhVIQdJtuovwv9+me5YWeyC4Puzp0Zwk=
-=8/cW
------END PGP SIGNATURE-----
diff --git a/SOURCES/Python-3.11.4.tar.xz.asc b/SOURCES/Python-3.11.4.tar.xz.asc
new file mode 100644
index 0000000..bf39d4a
--- /dev/null
+++ b/SOURCES/Python-3.11.4.tar.xz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmR/sHIACgkQ/+h0BBaL
+2EfQDQ//eFWvcQ5ijhVd3r5lp7NTNUPK6xKR2iqzpNWlN2Z4QkGJ2+IworBaZoGA
+tzmbT0j0LB9ZQ+ba3xnqXGXD8Ky+fHLg8GV5yshPlH/bD7tPuHtfDRxNcWplEVSS
+MbMuLjAYavTIHhYEz/Rpx4jvZTI5lwplVqj9WxNI/8tNrL5M2bsCtv+IB6brohiw
+rUOUlT/KDkZbrGfB1Fe033Ep8hay5MkKjhgr7O1dU7zMuDRG+HRsCYGs7a5x6KhH
+3QNTEp+GEIAKEsip5nR7vl5KqL02lHa5sf36SV2wjRTwO+IhgV7lvtJEwOD12oE5
+c+TCQMFbmBXg2vVmNBN/Lwftw1SwT/+orFX6V4U93jq6QNUo4GvPqum6YzuayGYc
+/JM4MNziqmfdNW2YjEHPPfzti3f40eTapys97YufOrmYjM2NY0Fs+kAErvyxiWqi
+guVQtaZIYeLl/9KWqQ0F/Apy1N+fVDuWBkZlizwHrUsGips4Rp7Bh/iCrDdOj+1D
+gRCio7+KvdtzHavZPZnU5dcpUiXZgsDzOTI138IyYaEtVUS59ELkA2qxI1yCb5mk
+eLVG1L7r/J2tIaTcguQppp5Z+62UDTArlUbnRxda0buzA2r1aFiQCTMwp+kTRegw
+T9Ht/CT/D4vpMdmSQTun9MkKifcK+2uGfSsS7Lz4fSWjQLqg36k=
+=zSfJ
+-----END PGP SIGNATURE-----
diff --git a/SOURCES/pgp_keys.asc b/SOURCES/pgp_keys.asc
new file mode 100644
index 0000000..11dccb8
--- /dev/null
+++ b/SOURCES/pgp_keys.asc
@@ -0,0 +1,109 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBFq+ToQBEADRYvIVtbK6owynD3j3nxwpW2KEk/p+aDvtXmc2SR2dBcZ8sFW2
+R5vEsG8d3/D3wgv5pcL3KfNNXQYUnXVbobrFUUWQYc79qIsE3MgiPf5NVOtwKPUR
+i5g9YJgKvpBxkQfqp3LYGm9ZBtwo3DVLA3yn7KsazCmAgTNFJYw7ku1XxgmIzY6K
+5J30DfbJiqDqj4f9GslCCCCH3qiPnuLG/HUyVLHMpbWlaiy9NI0GcaLxjJewHj9w
+W2D2lydkxe5JGo7egUkV3ILcuLVSVKA35SKY27dYqfuyqp9tAzaRbjDYjsYdHA6G
+BqrNrKBn/GwlFDPrVdcvN3ZSY2wMLTxWE3Axc/FweuHxFnou/80FwX7F3JD+oEQ6
+rofmcxOBCC7J98I7HZAhP9jBn88XIS2hztbLq8d6rZJZRtcz0k61VR0ddO+TrFmf
+9rMYCPgCckRtVxeFIVIabrN1IzKynLFeo040h8hSGswd6YKDOVwjJY6Oa6EmVefZ
+a8QSt4+M65RSzH6SEPY008F3nJUAK6MEkzTak+tFltZNrVWu8p2xd1j9nmxAwEhZ
+/lgbxLqzYgaUWmfyHeZ8yVA0MhHzdiAL8nVUEdG3KecIq0RWCJLGLWWIjd6KAJl1
+yAmhRYKK/sjPDsL3elHsFACfZbyx3o5GGQNlas1FYoPLWbaNGaJtgFTF2QARAQAB
+tCtQYWJsbyBHYWxpbmRvIFNhbGdhZG8gPHBhYmxvZ3NhbEBnbWFpbC5jb20+iQJO
+BBMBCgA4FiEEoDXIwZIZuoIezqhrZOYo+NaEaW0FAlq+ToQCGwMFCwkIBwMFFQoJ
+CAsFFgIDAQACHgECF4AACgkQZOYo+NaEaW2bmA/+PXIap2udLoUVOHxnsIBdqYwp
+sv1Aj5lfIJmNhmxPbHShwp1Jg+w4urxe+2Dj5ofKVlIo1i83bQkvnKJMDXDVuc/K
+P6zqhBJ3rT4Q3qx2mzX8bIfQoJ2JHuH4lkP+I7doDcHHRyeNASyk72VdQmU4twNw
+Ibn8nSNV6ThKHdoPYzVnO2rZUFcGIqH5HNsvR+B7cc1MBCHsgURYwSVhSePIFGlZ
+iasdBD6QQkDSe4QWi7AcJFWFElw4kbOKJWxAWsrEk+tMXJVGRjnmL289EmPCx/vx
+BqKy7Mse0yWCSRR3vB+O6TB1S5SgEyEgqlYsfGNv1qf/rfRD4KkyCbNU3LhY1Aim
+vJP4pDW+KFxTk2Ks8vrx8gOSd2aFqPeO/pFDrpsF7PD62XwsfoXu4xc5V0Giw7r1
+Nai0nax7kOrldNF8TbbtRjW0jmoC7wLIDujAkwDIOroZ0CXA3N4HVHdSbrHm/urX
+nyxJXupXAQNwGx64JCBcbF2fp3Kvu1VAXBEFnd01KaopthHcbG5pA50Kl2Vhe+98
+OdezUX42fHkQpQkB7HgtXfm6W1bw6YRBamrNvs1OoHBYmUjlECpe566IIu25Hc8s
+x3qA+6eca7iqizyLG+WyMT8ZIYTWGAS59jxwR4esqGczbbZPSAPHFwLbGv7Wr0Rd
+TPu5B0FcKpDkTd4IxQW5Ag0EWr5O2gEQAMjLe4CtbSfofmJrz5wfNkMVsZ81Gbqe
+MoYd3dtkJnQYERUj8flzBj3ucaxGJ+Cuf7ybh3naPopKvEI1q0vkcgCDqrEgXK//
+jKJbP28uPSMGhOG28q4PbamG55gy5FtM3ezzAxPWWKe9qBpV65GMmFy7eBQx2iJs
+yiDIOOQQ4kraS+cTqNFimEXAGLCOQRNLcwIZzwAAHoW7HEpNUfVwaBD9kMlbo1ND
+I60IKcNrNcmcmRxhJqfxjj8YBMwcKHO6GBE3AVpaE/+UO9zyr4TH+0YuQUgxKlPW
+Dkg5XlkDo0S1GyLY5e9ckIDIlkTdDa2pOkoE2yB5MQCEga3YiHrKUVTTWaxn9XVJ
+6x5ZjUF6bgSWGkrG5dUqSYoO1iDMuNVjtiujNyf/rvfj5cNxS7/lgxchhQKZHZXL
+WVqxlneeVJ6s0P4+ROVG9ga2Sve7aUJ6wXIewZwulBcV2sE/W/DgxHgLBi53CUQt
+vEzFzKvo48GnDqL5VYjA7l0HMYHd4GksCLi8E8U6Cgj+imXiM8voL7pHRZfs8mY8
+udR+UT4e1Scl2MYP2qBJ9/17B/X52B3s1EZdqI/r+hfOyqrhPs+dbAN0mtMPn68+
+nrvY1+nscvrSYEP6ZBlc9Hp2mgJdb6IcTvINXBEeLRjgc3pjViva443pkiFp9Axm
+ecOckMKP3uSlABEBAAGJBGwEGAEKACAWIQSgNcjBkhm6gh7OqGtk5ij41oRpbQUC
+Wr5O2gIbAgJACRBk5ij41oRpbcF0IAQZAQoAHRYhBM/cokWxBDzypfl4Zf/odAQW
+i9hHBQJavk7aAAoJEP/odAQWi9hHr7YP/RCLre1CmOoWYpAtoa1yVCeYMDV6eQgL
+B488/BEZHQE1zbrYy16XkhORob3JF/kUMjmJW7XaFF8FrWvRcdj/xaUGbOOEulKg
+v+8zWfswYQRiZ4/JlwER4vRLi6fTE89MVER6Fkj2ASD4D2cifY+EztD4flV3sq3s
+vIogGFaN9IvdrdeptOVGXs1RmAyoTsiS2mKQ6xsGh8B9ZAm55W8fBOGiSzLX21Xk
+Ofdw53BrFQxn3cu/JgIKpdeZxgukcvEAI62B6X+YL6Na4j0eqEGLzsNtU1+xeJlo
+WtVvmRwnRHGSxF6fzIZ3mk/p/aFiXAEq/xITCTY6tDv7x7pFE/RpdlJZyNJ+R5Y4
+SQiuDsylxNCa/4G5EB6q+7iVYtbEQ9MnZg2phowEE42tlj0rz8/rvDK3LH3xibot
+KHIodCWKlWByxH99u2PuHUQ0c1oCVBUE1KkruMpvI236DpU/dvdq4JLSg/fWrys/
+VIjqLZgsIE5g/KO9XqngWHkLcBLh4CNAmHJ8Iia+s+/rfgsejQWB5uJb6eYg2JjB
+4WP1EI0rULM6fdrCNB+MJ36wE2Lnb4bfT0phOMgjjH5/Ki7ZCbkxkOsBs4SRjiS+
+weCsmpAtMqodWY/Cnw9pWSA/qLSRD5/mKeb9SO6OZ/OPfAatwnGHsvZ2sAueC6rR
+04W5BfXZWrnJUXQP/id/EKE1Ksp5fKoxSCbkKTCig+Sf5Afwe36yFN+niZBqzn5b
+BgL/HIKaZM97oDHersPPANeEgS+JVlBf95iKIYnQbZP43FLVbvOuaINhBIVtFO54
+2Y7EYwl41kP7ILDElVy36KAmdQyBAfrjnZiRA70xShOxApLug1L0lxhR3YfmLwNi
+RJ0V6KnYDKf0pfdhO9VFyFFWUojX1usn2SmSsXNizsNtvRqHXzPnX0rbJzZ9+N4O
+9k1nxygYFG/2R/jGonVmTjRzcAHrAkNJETMWXMA7/8wRMDwluz8j+cCldey9x8Vk
+JwgLGnZSbQtVpcFAnm5r/36Gt+9wc1VWMyrUrVr6Z679aqAbG7PMaeR5h5ygMj1k
+VqRTYAUPSk1f8bZKRssQkQwEbp9dVIjm9SsR8VT7/tB+UuB85dABxgHfv3psJRT+
+tL8g9V7kSZqQfcLNGmvEVvr2Zl9NtxwXtsFM2OBprxCenwb+e9Ppm1LjfJG/NE72
+mAnOERfDaiLt4bqNo36Ei5sGCJ4Fx61phzNBXzkdRNM47i8J5UZRKFkE91c99BVM
+HKUaY61NRK24fR0zP98ftDU82YFw0VRFJpTeBrO5ivN1MlQxUPzUWxKxMxO+20wa
+UOXroEw11Tb4SRLGOla1pCl6lCUPJRy9IzadPDgTr/OTMkob/snt/XLdnV5/uQIN
+BFq+TvoBEAC8Oy1g6pPWBbrCMhIq7VWY2fjylJ1fwg5BPXkOKVK1dsGYO4QD7oW9
+L0aSqcFSNFGF9Cl0Ri4TFXZC3hnG4HeSXUWApuKdBLn21H3jba36Ay1oGcGfdm0v
+Zght4c6BlMVBpGCw2wIkJbUNEy6InMM+O8CCbbaH3iJkJ4141P7pODHignx5AmZI
+conMui4YOhC+IXQXynVEv1Juk7erB1Nh1RcRvsA4lb44HWx49lIwe85ejOmoZ0O3
+6f9NJRer6bV0+rHWmg4IV5Q9h/Gn4IhEDZxA0DZl1RQI7dMgaMbIFbXGq7Kgzstz
+EUnOoy29hXodxVmwIsMrAiQUYtwJ9hW+ESsw47+W2iPHVgviGWl7r/SgcgMYmf6m
+5kiTBtwU7BQPS9G3zwwP2Rm3AA/6g39Q+tQKjOwi1I8+GZsY2On44Zly7BreBNg5
+4gJgdAGcMOYU9etr050clH3UpTYcAEtX++ahtOKhJgLIPNcIAQNlnifqvU0VYpgw
+R4YpZ7hgg+AVDzC73PIM0lFI0XiDuqChbxE+K1jmLXWe5iJF0dzgVTwP+PmsifNZ
+Wg3+YxSsS+hDMPQ2xPiQN49gT4JJDHcDuyhHyCGYgyMiVJCsku9KrkubbfVRivyN
+ZF2Zfo3f+nbrRxsftz0yjAq8byCvb0V0XOpt4pJ/ddlug9ytRxALNwARAQABiQI2
+BBgBCgAgFiEEoDXIwZIZuoIezqhrZOYo+NaEaW0FAlq+TvoCGwwACgkQZOYo+NaE
+aW3urA//UQ/cKQ7HvWjcLphzQOZc+6m5YL0wxvZkSjemU7mqjZdpacteIvRAoers
+EqXHc208liIBtNfRzoreXdcXNzie65xXkrRnWoHVH/fTWy4lOnHr2CMXLeHjUgg/
+M6PYi8+sARm05YFB8nsYhlhx3IdLhcfeVVbJedQKO0yL3CK1okT30DUVq5Lq6X/K
+DC6AxuJR3D6UMSoT0WLaoX8qbhAp88qLynInfBVL18d97h916WPLTPeP0eHwhwND
+bYtKDCMDuKQ9XX5+QsNH0RmbxlX274LHrUMMvkLKxcfCBvP+iuqrBeIuoeVzXYJZ
+j7ZJtEH79bW44eecl/CY/STFYgSQ2XGTp2BI2q60wAmtKlNhwxY5ena0FgyFl6Tm
+5OBHW/Pwo+ndQJGfbrCyWkTgRay9c8er3gl3GQYIBH6X0kCiG7h/Epj0b5CHOPU5
+hCw0kEB8MB4poTIjeiY+Q01472/lQ68CL3DX158hR5d3XaPSIxAN+qFsfB1o316p
+yjxhfK1MD/IfrOgjlggPPnc/KmLkCzpgdwKcZwLCdZq9hYBvF1Zs34HbaVMYbWTK
+uxLowtXGU43vatCXXqmPOvl4/g4tZD6rysJDgOrHQnEHzT+Napn07s0BRC0IbbNn
+FynUrkr5KMSuRz7Hg7xMApENOrb0nqdHSUJ914ZpuMIS6RhJgGu5Ag0EWr5PIAEQ
+ALfh9vPD2B+miHDTMADI8aRZ7g9tnzynZYkk3+2sCiiusetsQQ+HIPJ/ASEJB7On
+ane9dyT/LTRhrK9qaxgVMimk2COXB/xyh7Mnw7nJgFU0aRSbtX0vbvQz2suSzrQ6
+9mPKzan28JGoClqB0bw1vwf3VjjxHV2dgD57CmqFPv7kAC/2a56dE+etzXattZAL
++2JWTpmfQ0ePRRadtBm0VahQhnU8x0+jvAVrEawqpVW83ozYFyW/0WInM2J7jHgQ
+16OosY4lj5L/DxpVxaArhRFoRfWPXfC37iE8Mou/I95isvPQIhp1wTo4jG0KM02B
+oIVbp/QRNBQ6WtpOzvJs1gqQiJJTfqbKJXQ3NDEY9crpVS83HJ+Zv99PNsyNkFjG
+QpU84U3ZhsI4ygjdY45mpZueqI1RVcRQdu8Hgvoo/78Q/Sir6gMGop3mVdVo2guI
+kFcJrXh0Xk3ech4aVqrmKx/mPXGwOAQU0DAul4RW3fKg1QxQE7Tlw3+95Ee/+q5j
+HARL0uDbCJpRO8Sl8NDEuL32n/2Ot6kQeCSHrU7KJRYAkTxkKvr8zNow7hFhHFPE
+SnHvTnskI6noh0VY6NwMhmLvhm0wKkRxZPzUNc3sgLvbK1NymIZ9aKCZamzhZrmG
+vnblEz/OSLwGUua465H3hM1vvBQiartj7+6ZqWIkSmBPABEBAAGJAjYEGAEKACAW
+IQSgNcjBkhm6gh7OqGtk5ij41oRpbQUCWr5PIAIbIAAKCRBk5ij41oRpbWmeEACG
++axtDC8UoNp9ORiYwEWLzZWDuugE+ah7DYYGD4Vs633FXVZW3SgM/bFtJ/0Lg8CF
+74jI4LMHyIjDzEjcoItwnhBLix+kUoJTvrY58GPydwekLuw1p4KXLqtRs4fsZbNQ
+YTknl4jYtRWoxO98x7tun7Gq2gqmJkIB2uj630fKz5cBk6p6oDFKjzyrHe+V7BiK
+3okQPaD4x7hq8OnTy7lOy92ZZAqztS4tNEb4DkYW1MpuwsJ7hbBZitc1siI+FVVb
+GjVVGZz6ssXoW67Tz8+VxdWJxNLXlv27eMcj4sme5S0th/YYNA5fRRv6zuzqZAru
+YNGLpYYU7JLvZJ+3lCwa5j5ycOGBF0GvsGs6gj6h+CHkjR/BgzAgWC+GgUgslt6q
+aH04rWtV6rVz+Y91LcrX5P6OM4anmXD3Gp3kl35AypXb4KyASF19+11RUziD4Z7q
+wQEWfbwOltNyZv2lD8s2jPr7P02axWRQUbZAEhxRmvOQev/FZPyCF6gqUo/HxRbQ
+y3bzmnipyHSv1DlXNfCFCHvN8kGyZnRWARqIKRg+j9ediJgOUqlLhg6KmrTVxd5v
+3Dfv52PW2UODDTM20s3cQGuX/UswzMRwPI/+P44iCMwEKdm7duM/5oisZT9Vhy7g
+P15MreFZLcZvUVgjqgy0u57cstyGK1Bo9e2sFcK2fA==
+=6Zb4
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/SPECS/python3.11.spec b/SPECS/python3.11.spec
index 0cbd1ba..e838321 100644
--- a/SPECS/python3.11.spec
+++ b/SPECS/python3.11.spec
@@ -16,11 +16,11 @@ URL: https://www.python.org/
 
 #  WARNING  When rebasing to a new Python version,
 #           remember to update the python3-docs package as well
-%global general_version %{pybasever}.2
+%global general_version %{pybasever}.4
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: Python
 
 
@@ -63,7 +63,7 @@ License: Python
 # If the rpmwheels condition is disabled, we use the bundled wheel packages
 # from Python with the versions below.
 # This needs to be manually updated when we update Python.
-%global pip_version 22.3.1
+%global pip_version 23.1.2
 %global setuptools_version 65.5.0
 
 # Expensive optimizations (mainly, profile-guided optimizations)
@@ -332,6 +332,16 @@ Patch329: 00329-fips.patch
 # https://github.com/GrahamDumpleton/mod_wsgi/issues/730
 Patch371: 00371-revert-bpo-1596321-fix-threading-_shutdown-for-the-main-thread-gh-28549-gh-28589.patch
 
+# 00397 #
+# Filters for tarfile extraction (CVE-2007-4559, PEP-706)
+# First patch fixes determination of symlink targets, which were treated
+# as relative to the root of the archive,
+# rather than the directory containing the symlink.
+# Not yet upstream as of this writing.
+# The second patch is Red Hat configuration, see KB for documentation:
+# - https://access.redhat.com/articles/7004769
+Patch397: 00397-tarfile-filter.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@@ -1599,6 +1609,19 @@ CheckPython optimized
 # ======================================================
 
 %changelog
+* Wed Aug 09 2023 Petr Viktorin <pviktori@redhat.com> - 3.11.4-3
+- Fix symlink handling in the fix for CVE-2023-24329
+Resolves: rhbz#263261
+
+* Fri Jun 30 2023 Charalampos Stratakis <cstratak@redhat.com> - 3.11.4-2
+- Security fix for CVE-2007-4559
+Resolves: rhbz#263261
+
+* Mon Jun 26 2023 Charalampos Stratakis <cstratak@redhat.com> - 3.11.4-1
+- Update to 3.11.4
+- Security fix for CVE-2023-24329
+Resolves: rhbz#2173917
+
 * Thu Feb 16 2023 Charalampos Stratakis <cstratak@redhat.com> - 3.11.2-2
 - Support OpenSSL FIPS mode