import UBI python3.12-3.12.12-1.el10_1

import UBI python3.12-3.12.11-3.el10
import UBI python3.12-3.12.9-2.el10_0.3
2025-12-22 18:24:34 +00:00 · 2025-11-11 21:47:56 +00:00 · 2025-09-02 06:06:26 +00:00 · 2025-07-01 23:10:56 +00:00 · 2025-06-24 09:45:00 +00:00 · 2025-05-14 18:53:00 +00:00
20 changed files with 836 additions and 1637 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/Python-3.12.1.tar.xz
+Python-3.12.12.tar.xz
--- a/.python3.12.metadata
+++ b/.python3.12.metadata
@ -1 +0,0 @@
-5b11c58ea58cd6b8e1943c7e9b5f6e0997ca3632 SOURCES/Python-3.12.1.tar.xz
--- a/SOURCES/00251-change-user-install-location.patch
+++ b/SOURCES/00251-change-user-install-location.patch
@ -30,10 +30,10 @@ Co-authored-by: Lumír Balhar <frenzy.madness@gmail.com>
 3 files changed, 71 insertions(+), 4 deletions(-)

 diff --git a/Lib/site.py b/Lib/site.py
-index 672fa7b000..0a9c5be53e 100644
+index aed254ad50..568dbdb945 100644
 --- a/Lib/site.py
 +++ b/Lib/site.py
-@@ -377,8 +377,15 @@ def getsitepackages(prefixes=None):
+@@ -398,8 +398,15 @@ def getsitepackages(prefixes=None):
     return sitepackages
 
 def addsitepackages(known_paths, prefixes=None):
@ -51,7 +51,7 @@ index 672fa7b000..0a9c5be53e 100644
         if os.path.isdir(sitedir):
             addsitedir(sitedir, known_paths)
 diff --git a/Lib/sysconfig.py b/Lib/sysconfig.py
-index 122d441bd1..2d354a11da 100644
+index acc8d4d182..6355669f62 100644
 --- a/Lib/sysconfig.py
 +++ b/Lib/sysconfig.py
@@ -104,6 +104,11 @@
@ -86,7 +86,7 @@ index 122d441bd1..2d354a11da 100644
 _SCHEME_KEYS = ('stdlib', 'platstdlib', 'purelib', 'platlib', 'include',
                 'scripts', 'data')
 
-@@ -263,11 +281,40 @@ def _extend_dict(target_dict, other_dict):
+@@ -268,11 +286,40 @@ def _extend_dict(target_dict, other_dict):
         target_dict[key] = value
 
 
@ -119,7 +119,7 @@ index 122d441bd1..2d354a11da 100644
 +    # we only change the defaults here, so explicit --prefix will take precedence
 +    # https://fedoraproject.org/wiki/Changes/Making_sudo_pip_safe
 +    if (scheme == 'posix_prefix' and
-+        _PREFIX == '/usr' and
+        sys.prefix == '/usr' and
 +        'RPM_BUILD_ROOT' not in os.environ):
 +            _extend_dict(vars, _config_vars_local())
 +    else:
@ -129,10 +129,10 @@ index 122d441bd1..2d354a11da 100644
         # On Windows we want to substitute 'lib' for schemes rather
         # than the native value (without modifying vars, in case it
 diff --git a/Lib/test/test_sysconfig.py b/Lib/test/test_sysconfig.py
-index b6dbf3d52c..4f06a7673c 100644
+index 67647e1b78..7baddaa9d6 100644
 --- a/Lib/test/test_sysconfig.py
 +++ b/Lib/test/test_sysconfig.py
-@@ -110,8 +110,19 @@ def test_get_path(self):
+@@ -119,8 +119,19 @@ def test_get_path(self):
         for scheme in _INSTALL_SCHEMES:
             for name in _INSTALL_SCHEMES[scheme]:
                 expected = _INSTALL_SCHEMES[scheme][name].format(**config_vars)
@ -153,7 +153,7 @@ index b6dbf3d52c..4f06a7673c 100644
                     os.path.normpath(expected),
                 )
 
-@@ -335,7 +346,7 @@ def test_get_config_h_filename(self):
+@@ -353,7 +364,7 @@ def test_get_config_h_filename(self):
         self.assertTrue(os.path.isfile(config_h), config_h)
 
     def test_get_scheme_names(self):
@ -162,7 +162,7 @@ index b6dbf3d52c..4f06a7673c 100644
         if HAS_USER_BASE:
             wanted.extend(['nt_user', 'osx_framework_user', 'posix_user'])
         self.assertEqual(get_scheme_names(), tuple(sorted(wanted)))
-@@ -347,6 +358,8 @@ def test_symlink(self): # Issue 7880
+@@ -365,6 +376,8 @@ def test_symlink(self): # Issue 7880
             cmd = "-c", "import sysconfig; print(sysconfig.get_platform())"
             self.assertEqual(py.call_real(*cmd), py.call_link(*cmd))
 
--- a/SOURCES/00329-fips.patch
+++ b/SOURCES/00329-fips.patch
@ -1,7 +1,7 @@
-From 5cedde59cde3f05af798a7cb5bc722cb0deb4835 Mon Sep 17 00:00:00 2001
+From 11deb3112bd90bc2dce2fcd4a1f5975c08b91360 Mon Sep 17 00:00:00 2001
 From: Charalampos Stratakis <cstratak@redhat.com>
 Date: Thu, 12 Dec 2019 16:58:31 +0100
-Subject: [PATCH 1/6] Expose blake2b and blake2s hashes from OpenSSL
+Subject: [PATCH 1/5] Expose blake2b and blake2s hashes from OpenSSL

 These aren't as powerful as Python's own implementation, but they can be
 used under FIPS.
@ -29,10 +29,10 @@ index 73d758a..5921360 100644
             computed = m.hexdigest() if not shake else m.hexdigest(length)
             self.assertEqual(
 diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c
-index af6d1b2..980712f 100644
+index 2998820..b96001e 100644
 --- a/Modules/_hashopenssl.c
 +++ b/Modules/_hashopenssl.c
-@@ -1079,6 +1079,41 @@ _hashlib_openssl_sha512_impl(PyObject *module, PyObject *data_obj,
+@@ -1128,6 +1128,41 @@ _hashlib_openssl_sha512_impl(PyObject *module, PyObject *data_obj,
 }
 
 
@ -74,7 +74,7 @@ index af6d1b2..980712f 100644
 #ifdef PY_OPENSSL_HAS_SHA3
 
 /*[clinic input]
-@@ -2067,6 +2102,8 @@ static struct PyMethodDef EVP_functions[] = {
+@@ -2116,6 +2151,8 @@ static struct PyMethodDef EVP_functions[] = {
     _HASHLIB_OPENSSL_SHA256_METHODDEF
     _HASHLIB_OPENSSL_SHA384_METHODDEF
     _HASHLIB_OPENSSL_SHA512_METHODDEF
@ -84,7 +84,7 @@ index af6d1b2..980712f 100644
     _HASHLIB_OPENSSL_SHA3_256_METHODDEF
     _HASHLIB_OPENSSL_SHA3_384_METHODDEF
 diff --git a/Modules/clinic/_hashopenssl.c.h b/Modules/clinic/_hashopenssl.c.h
-index fb61a44..1e42b87 100644
+index 84e2346..7fe03a3 100644
 --- a/Modules/clinic/_hashopenssl.c.h
 +++ b/Modules/clinic/_hashopenssl.c.h
@@ -743,6 +743,156 @@ exit:
@ -248,16 +248,16 @@ index fb61a44..1e42b87 100644
 #ifndef _HASHLIB_SCRYPT_METHODDEF
     #define _HASHLIB_SCRYPT_METHODDEF
 #endif /* !defined(_HASHLIB_SCRYPT_METHODDEF) */
-/*[clinic end generated code: output=b339e255db698147 input=a9049054013a1b77]*/
-+/*[clinic end generated code: output=1d988d457a8beebe input=a9049054013a1b77]*/
+-/*[clinic end generated code: output=4734184f6555dc95 input=a9049054013a1b77]*/
+/*[clinic end generated code: output=f0bfddb963a21208 input=a9049054013a1b77]*/
 -- 
-2.43.0
+2.47.1


-From 2a12baa9e201f54560ec99ad5ee1fa5b0006aa39 Mon Sep 17 00:00:00 2001
+From ea9d5c84e25b5c04c2823e1edee4354dd6b2b7a5 Mon Sep 17 00:00:00 2001
 From: Petr Viktorin <pviktori@redhat.com>
 Date: Thu, 25 Jul 2019 17:19:06 +0200
-Subject: [PATCH 2/6] Disable Python's hash implementations in FIPS mode,
+Subject: [PATCH 2/5] Disable Python's hash implementations in FIPS mode,
 forcing OpenSSL

 ---
@ -445,10 +445,10 @@ index a8bad9d..1b1d937 100644
 +    if (_Py_hashlib_fips_error(exc, name)) return NULL; \
 +} while (0)
 diff --git a/configure.ac b/configure.ac
-index 1876f77..1875d1e 100644
+index 9270b5f..a9eb2c9 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -7439,7 +7439,8 @@ PY_STDLIB_MOD([_sha2],
+@@ -7482,7 +7482,8 @@ PY_STDLIB_MOD([_sha2],
 PY_STDLIB_MOD([_sha3], [test "$with_builtin_sha3" = yes])
 PY_STDLIB_MOD([_blake2],
   [test "$with_builtin_blake2" = yes], [],
@ -459,13 +459,13 @@ index 1876f77..1875d1e 100644
 PY_STDLIB_MOD([_crypt],
   [], [test "$ac_cv_crypt_crypt" = yes],
 -- 
-2.43.0
+2.47.1


-From bca05b7fdb8dcab21ef80db1d59dd5daa835d84b Mon Sep 17 00:00:00 2001
+From 29a7b7ac9e18a501ed78bde7a449b90c57d44e24 Mon Sep 17 00:00:00 2001
 From: Charalampos Stratakis <cstratak@redhat.com>
 Date: Fri, 29 Jan 2021 14:16:21 +0100
-Subject: [PATCH 3/6] Use python's fall back crypto implementations only if we
+Subject: [PATCH 3/5] Use python's fall back crypto implementations only if we
 are not in FIPS mode

 ---
@ -552,13 +552,13 @@ index dd61a9a..6031b02 100644
         get_builtin_constructor = getattr(hashlib,
                                           '__get_builtin_constructor')
 -- 
-2.43.0
+2.47.1


-From c9a79f0aafd28677e3e0b8a1f6410105a71ff071 Mon Sep 17 00:00:00 2001
+From 59accf544492400c9fd32a8e682fb6f2206e932e Mon Sep 17 00:00:00 2001
 From: Charalampos Stratakis <cstratak@redhat.com>
 Date: Wed, 31 Jul 2019 15:43:43 +0200
-Subject: [PATCH 4/6] Test equivalence of hashes for the various digests with
+Subject: [PATCH 4/5] Test equivalence of hashes for the various digests with
 usedforsecurity=True/False

 ---
@ -712,21 +712,21 @@ index 6031b02..5bd5297 100644
 class KDFTests(unittest.TestCase):
 
 -- 
-2.43.0
+2.47.1


-From e972a838729ea84a0f2e0ca8e88ae1bfc129e7d8 Mon Sep 17 00:00:00 2001
+From 21efadd8b488956482bdc6ccd91c37dcef705129 Mon Sep 17 00:00:00 2001
 From: Petr Viktorin <pviktori@redhat.com>
 Date: Mon, 26 Aug 2019 19:39:48 +0200
-Subject: [PATCH 5/6] Guard against Python HMAC in FIPS mode
+Subject: [PATCH 5/5] Guard against Python HMAC in FIPS mode

 ---
- Lib/hmac.py           | 13 +++++++++----
+ Lib/hmac.py           | 12 +++++++++---
 Lib/test/test_hmac.py | 10 ++++++++++
- 2 files changed, 19 insertions(+), 4 deletions(-)
+ 2 files changed, 19 insertions(+), 3 deletions(-)

 diff --git a/Lib/hmac.py b/Lib/hmac.py
-index 8b4f920..20ef96c 100644
+index 8b4eb2f..8930bda 100644
 --- a/Lib/hmac.py
 +++ b/Lib/hmac.py
@@ -16,8 +16,9 @@ else:
@ -741,16 +741,9 @@ index 8b4f920..20ef96c 100644
 
 # The size of the digests returned by HMAC depends on the underlying
 # hashing module used.  Use digest_size from the instance of HMAC instead.
-@@ -48,17 +49,18 @@ class HMAC:
-                    msg argument.  Passing it as a keyword argument is
-                    recommended, though not required for legacy API reasons.
-         """
-
-         if not isinstance(key, (bytes, bytearray)):
-             raise TypeError("key: expected bytes or bytearray, but got %r" % type(key).__name__)
- 
+@@ -55,10 +56,12 @@ class HMAC:
         if not digestmod:
-             raise TypeError("Missing required parameter 'digestmod'.")
+             raise TypeError("Missing required argument 'digestmod'.")
 
 -        if _hashopenssl and isinstance(digestmod, (str, _functype)):
 +        if _hashopenssl.get_fips_mode() or (_hashopenssl and isinstance(digestmod, (str, _functype))):
@ -762,7 +755,7 @@ index 8b4f920..20ef96c 100644
                 self._init_old(key, msg, digestmod)
         else:
             self._init_old(key, msg, digestmod)
-@@ -69,6 +71,9 @@ class HMAC:
+@@ -69,6 +72,9 @@ class HMAC:
         self.block_size = self._hmac.block_size
 
     def _init_old(self, key, msg, digestmod):
@ -773,7 +766,7 @@ index 8b4f920..20ef96c 100644
             digest_cons = digestmod
         elif isinstance(digestmod, str):
 diff --git a/Lib/test/test_hmac.py b/Lib/test/test_hmac.py
-index a39a2c4..b7b24ab 100644
+index 1502fba..7997073 100644
 --- a/Lib/test/test_hmac.py
 +++ b/Lib/test/test_hmac.py
@@ -5,6 +5,7 @@ import hashlib
@ -812,7 +805,7 @@ index a39a2c4..b7b24ab 100644
     @unittest.skipUnless(sha256_module is not None, 'need _sha256')
     def test_with_sha256_module(self):
         h = hmac.HMAC(b"key", b"hash this!", digestmod=sha256_module.sha256)
-@@ -481,6 +489,7 @@ class SanityTestCase(unittest.TestCase):
+@@ -489,6 +497,7 @@ class UpdateTestCase(unittest.TestCase):
 
 class CopyTestCase(unittest.TestCase):
 
@ -820,7 +813,7 @@ index a39a2c4..b7b24ab 100644
     @hashlib_helper.requires_hashdigest('sha256')
     def test_attributes_old(self):
         # Testing if attributes are of same type.
-@@ -492,6 +501,7 @@ class CopyTestCase(unittest.TestCase):
+@@ -500,6 +509,7 @@ class CopyTestCase(unittest.TestCase):
         self.assertEqual(type(h1._outer), type(h2._outer),
             "Types of outer don't match.")
 
@ -829,270 +822,5 @@ index a39a2c4..b7b24ab 100644
     def test_realcopy_old(self):
         # Testing if the copy method created a real copy.
 -- 
-2.43.0
-
-
-From b12202196a78b877dcd32cfea273051b60038a41 Mon Sep 17 00:00:00 2001
-From: Petr Viktorin <encukou@gmail.com>
-Date: Wed, 25 Aug 2021 16:44:43 +0200
-Subject: [PATCH 6/6] Disable hash-based PYCs in FIPS mode
-
-If FIPS mode is on, we can't use siphash-based HMAC
-(_Py_KeyedHash), so:
-
- Unchecked hash PYCs can be imported, but not created
- Checked hash PYCs can not be imported nor created
- The default mode is timestamp-based PYCs, even if
-  SOURCE_DATE_EPOCH is set.
-
-If FIPS mode is off, there are no changes in behavior.
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1835169
---
- Lib/py_compile.py                             |  4 +++-
- Lib/test/support/__init__.py                  | 14 +++++++++++++
- Lib/test/test_cmd_line_script.py              |  2 ++
- Lib/test/test_compileall.py                   | 11 +++++++++-
- .../test_importlib/source/test_file_loader.py |  6 ++++++
- Lib/test/test_py_compile.py                   | 11 ++++++++--
- Lib/test/test_zipimport.py                    |  2 ++
- Python/import.c                               | 20 +++++++++++++++++++
- 8 files changed, 66 insertions(+), 4 deletions(-)
-
-diff --git a/Lib/py_compile.py b/Lib/py_compile.py
-index 388614e..fd9a139 100644
--- a/Lib/py_compile.py
-+++ b/Lib/py_compile.py
-@@ -70,7 +70,9 @@ class PycInvalidationMode(enum.Enum):
- 
- 
- def _get_default_invalidation_mode():
-    if os.environ.get('SOURCE_DATE_EPOCH'):
-+    import _hashlib
-+    if (os.environ.get('SOURCE_DATE_EPOCH') and not
-+          _hashlib.get_fips_mode()):
-         return PycInvalidationMode.CHECKED_HASH
-     else:
-         return PycInvalidationMode.TIMESTAMP
-diff --git a/Lib/test/support/__init__.py b/Lib/test/support/__init__.py
-index fd9265c..fcd1ea7 100644
--- a/Lib/test/support/__init__.py
-+++ b/Lib/test/support/__init__.py
-@@ -2346,6 +2346,20 @@ def sleeping_retry(timeout, err_msg=None, /,
-         delay = min(delay * 2, max_delay)
- 
- 
-+def fails_in_fips_mode(expected_error):
-+    import _hashlib
-+    if _hashlib.get_fips_mode():
-+        def _decorator(func):
-+            def _wrapper(self, *args, **kwargs):
-+                with self.assertRaises(expected_error):
-+                    func(self, *args, **kwargs)
-+            return _wrapper
-+    else:
-+        def _decorator(func):
-+            return func
-+    return _decorator
-+
-+
- @contextlib.contextmanager
- def adjust_int_max_str_digits(max_digits):
-     """Temporarily change the integer string conversion length limit."""
-diff --git a/Lib/test/test_cmd_line_script.py b/Lib/test/test_cmd_line_script.py
-index 1b58882..d6caff1 100644
--- a/Lib/test/test_cmd_line_script.py
-+++ b/Lib/test/test_cmd_line_script.py
-@@ -286,6 +286,7 @@ class CmdLineTest(unittest.TestCase):
-             self._check_script(zip_name, run_name, zip_name, zip_name, '',
-                                zipimport.zipimporter)
- 
-+    @support.fails_in_fips_mode(ImportError)
-     def test_zipfile_compiled_checked_hash(self):
-         with os_helper.temp_dir() as script_dir:
-             script_name = _make_test_script(script_dir, '__main__')
-@@ -296,6 +297,7 @@ class CmdLineTest(unittest.TestCase):
-             self._check_script(zip_name, run_name, zip_name, zip_name, '',
-                                zipimport.zipimporter)
- 
-+    @support.fails_in_fips_mode(ImportError)
-     def test_zipfile_compiled_unchecked_hash(self):
-         with os_helper.temp_dir() as script_dir:
-             script_name = _make_test_script(script_dir, '__main__')
-diff --git a/Lib/test/test_compileall.py b/Lib/test/test_compileall.py
-index 9cd92ad..4ec29a1 100644
--- a/Lib/test/test_compileall.py
-+++ b/Lib/test/test_compileall.py
-@@ -806,14 +806,23 @@ class CommandLineTestsBase:
-         out = self.assertRunOK('badfilename')
-         self.assertRegex(out, b"Can't list 'badfilename'")
- 
-    def test_pyc_invalidation_mode(self):
-+    @support.fails_in_fips_mode(AssertionError)
-+    def test_pyc_invalidation_mode_checked(self):
-         script_helper.make_script(self.pkgdir, 'f1', '')
-         pyc = importlib.util.cache_from_source(
-             os.path.join(self.pkgdir, 'f1.py'))
-+
-         self.assertRunOK('--invalidation-mode=checked-hash', self.pkgdir)
-         with open(pyc, 'rb') as fp:
-             data = fp.read()
-         self.assertEqual(int.from_bytes(data[4:8], 'little'), 0b11)
-+
-+    @support.fails_in_fips_mode(AssertionError)
-+    def test_pyc_invalidation_mode_unchecked(self):
-+        script_helper.make_script(self.pkgdir, 'f1', '')
-+        pyc = importlib.util.cache_from_source(
-+            os.path.join(self.pkgdir, 'f1.py'))
-+
-         self.assertRunOK('--invalidation-mode=unchecked-hash', self.pkgdir)
-         with open(pyc, 'rb') as fp:
-             data = fp.read()
-diff --git a/Lib/test/test_importlib/source/test_file_loader.py b/Lib/test/test_importlib/source/test_file_loader.py
-index f35adec..62087c6 100644
--- a/Lib/test/test_importlib/source/test_file_loader.py
-+++ b/Lib/test/test_importlib/source/test_file_loader.py
-@@ -16,6 +16,7 @@ import types
- import unittest
- import warnings
- 
-+from test import support
- from test.support.import_helper import make_legacy_pyc, unload
- 
- from test.test_py_compile import without_source_date_epoch
-@@ -237,6 +238,7 @@ class SimpleTest(abc.LoaderTests):
-                 loader.load_module('bad name')
- 
-     @util.writes_bytecode_files
-+    @support.fails_in_fips_mode(ImportError)
-     def test_checked_hash_based_pyc(self):
-         with util.create_modules('_temp') as mapping:
-             source = mapping['_temp']
-@@ -268,6 +270,7 @@ class SimpleTest(abc.LoaderTests):
-             )
- 
-     @util.writes_bytecode_files
-+    @support.fails_in_fips_mode(ImportError)
-     def test_overridden_checked_hash_based_pyc(self):
-         with util.create_modules('_temp') as mapping, \
-              unittest.mock.patch('_imp.check_hash_based_pycs', 'never'):
-@@ -293,6 +296,7 @@ class SimpleTest(abc.LoaderTests):
-             self.assertEqual(mod.state, 'old')
- 
-     @util.writes_bytecode_files
-+    @support.fails_in_fips_mode(ImportError)
-     def test_unchecked_hash_based_pyc(self):
-         with util.create_modules('_temp') as mapping:
-             source = mapping['_temp']
-@@ -323,6 +327,7 @@ class SimpleTest(abc.LoaderTests):
-             )
- 
-     @util.writes_bytecode_files
-+    @support.fails_in_fips_mode(ImportError)
-     def test_overridden_unchecked_hash_based_pyc(self):
-         with util.create_modules('_temp') as mapping, \
-              unittest.mock.patch('_imp.check_hash_based_pycs', 'always'):
-@@ -432,6 +437,7 @@ class BadBytecodeTest:
-                                                del_source=del_source)
-             test('_temp', mapping, bc_path)
- 
-+    @support.fails_in_fips_mode(ImportError)
-     def _test_partial_hash(self, test, *, del_source=False):
-         with util.create_modules('_temp') as mapping:
-             bc_path = self.manipulate_bytecode(
-diff --git a/Lib/test/test_py_compile.py b/Lib/test/test_py_compile.py
-index c4e6551..81fd962 100644
--- a/Lib/test/test_py_compile.py
-+++ b/Lib/test/test_py_compile.py
-@@ -141,13 +141,16 @@ class PyCompileTestsBase:
-             importlib.util.cache_from_source(bad_coding)))
- 
-     def test_source_date_epoch(self):
-+        import _hashlib
-         py_compile.compile(self.source_path, self.pyc_path)
-         self.assertTrue(os.path.exists(self.pyc_path))
-         self.assertFalse(os.path.exists(self.cache_path))
-         with open(self.pyc_path, 'rb') as fp:
-             flags = importlib._bootstrap_external._classify_pyc(
-                 fp.read(), 'test', {})
-        if os.environ.get('SOURCE_DATE_EPOCH'):
-+        if _hashlib.get_fips_mode():
-+            expected_flags = 0b00
-+        elif os.environ.get('SOURCE_DATE_EPOCH'):
-             expected_flags = 0b11
-         else:
-             expected_flags = 0b00
-@@ -178,7 +181,8 @@ class PyCompileTestsBase:
-         # Specifying optimized bytecode should lead to a path reflecting that.
-         self.assertIn('opt-2', py_compile.compile(self.source_path, optimize=2))
- 
-    def test_invalidation_mode(self):
-+    @support.fails_in_fips_mode(ImportError)
-+    def test_invalidation_mode_checked(self):
-         py_compile.compile(
-             self.source_path,
-             invalidation_mode=py_compile.PycInvalidationMode.CHECKED_HASH,
-@@ -187,6 +191,9 @@ class PyCompileTestsBase:
-             flags = importlib._bootstrap_external._classify_pyc(
-                 fp.read(), 'test', {})
-         self.assertEqual(flags, 0b11)
-+
-+    @support.fails_in_fips_mode(ImportError)
-+    def test_invalidation_mode_unchecked(self):
-         py_compile.compile(
-             self.source_path,
-             invalidation_mode=py_compile.PycInvalidationMode.UNCHECKED_HASH,
-diff --git a/Lib/test/test_zipimport.py b/Lib/test/test_zipimport.py
-index 14c1971..bcd1466 100644
--- a/Lib/test/test_zipimport.py
-+++ b/Lib/test/test_zipimport.py
-@@ -190,6 +190,7 @@ class UncompressedZipImportTestCase(ImportHooksBaseTestCase):
-                  TESTMOD + pyc_ext: (NOW, test_pyc)}
-         self.doTest(pyc_ext, files, TESTMOD)
- 
-+    @support.fails_in_fips_mode(ImportError)
-     def testUncheckedHashBasedPyc(self):
-         source = b"state = 'old'"
-         source_hash = importlib.util.source_hash(source)
-@@ -204,6 +205,7 @@ class UncompressedZipImportTestCase(ImportHooksBaseTestCase):
-             self.assertEqual(mod.state, 'old')
-         self.doTest(None, files, TESTMOD, call=check)
- 
-+    @support.fails_in_fips_mode(ImportError)
-     @unittest.mock.patch('_imp.check_hash_based_pycs', 'always')
-     def test_checked_hash_based_change_pyc(self):
-         source = b"state = 'old'"
-diff --git a/Python/import.c b/Python/import.c
-index 54232a1..236786b 100644
--- a/Python/import.c
-+++ b/Python/import.c
-@@ -3829,6 +3829,26 @@ static PyObject *
- _imp_source_hash_impl(PyObject *module, long key, Py_buffer *source)
- /*[clinic end generated code: output=edb292448cf399ea input=9aaad1e590089789]*/
- {
-+    PyObject *_hashlib = PyImport_ImportModule("_hashlib");
-+    if (_hashlib == NULL) {
-+        return NULL;
-+    }
-+    PyObject *fips_mode_obj = PyObject_CallMethod(_hashlib, "get_fips_mode", NULL);
-+    Py_DECREF(_hashlib);
-+    if (fips_mode_obj == NULL) {
-+        return NULL;
-+    }
-+    int fips_mode = PyObject_IsTrue(fips_mode_obj);
-+    Py_DECREF(fips_mode_obj);
-+    if (fips_mode < 0) {
-+        return NULL;
-+    }
-+    if (fips_mode) {
-+        PyErr_SetString(
-+            PyExc_ImportError,
-+            "hash-based PYC validation (siphash24) not available in FIPS mode");
-+        return NULL;
-+    };
-     union {
-         uint64_t x;
-         char data[sizeof(uint64_t)];
-- 
-2.43.0
+2.47.1

--- a/SOURCES/00371-revert-bpo-1596321-fix-threading-_shutdown-for-the-main-thread-gh-28549-gh-28589.patch
+++ b/SOURCES/00371-revert-bpo-1596321-fix-threading-_shutdown-for-the-main-thread-gh-28549-gh-28589.patch
@ -16,10 +16,10 @@ https://github.com/GrahamDumpleton/mod_wsgi/issues/730
 2 files changed, 8 insertions(+), 50 deletions(-)

 diff --git a/Lib/test/test_threading.py b/Lib/test/test_threading.py
-index 756d5e329f..5d09775efc 100644
+index 75a56f7830..c2509fced1 100644
 --- a/Lib/test/test_threading.py
 +++ b/Lib/test/test_threading.py
-@@ -1007,39 +1007,6 @@ def noop(): pass
+@@ -1100,39 +1100,6 @@ def noop(): pass
             threading.Thread(target=noop).start()
             # Thread.join() is not called
 
@ -56,14 +56,14 @@ index 756d5e329f..5d09775efc 100644
 -        self.assertEqual(out, b'')
 -        self.assertEqual(err, b'')
 -
-     def test_start_new_thread_at_exit(self):
+     def test_start_new_thread_at_finalization(self):
         code = """if 1:
-             import atexit
+             import _thread
 diff --git a/Lib/threading.py b/Lib/threading.py
-index 8dcaf8ca6a..ed0b0f4632 100644
+index 064c74d40f..9e3abacd42 100644
 --- a/Lib/threading.py
 +++ b/Lib/threading.py
-@@ -1586,29 +1586,20 @@ def _shutdown():
+@@ -1587,29 +1587,20 @@ def _shutdown():
 
     global _SHUTTING_DOWN
     _SHUTTING_DOWN = True
--- a/SOURCES/00397-tarfile-filter.patch
+++ b/SOURCES/00397-tarfile-filter.patch
@ -1,19 +1,24 @@
-From 73d2995223c725638d53b9cb8e1d26b82daf0874 Mon Sep 17 00:00:00 2001
+From ddd8064257a1916726b784d43f18e889ea1634f7 Mon Sep 17 00:00:00 2001
 From: Petr Viktorin <encukou@gmail.com>
-Date: Mon, 6 Mar 2023 17:24:24 +0100
+Date: Tue, 2 Jul 2024 11:40:37 +0200
 Subject: [PATCH] CVE-2007-4559, PEP-706: Add filters for tarfile extraction
 (downstream)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit

 Add and test RHEL-specific ways of configuring the default behavior: environment
 variable and config file.
+
+Co-Authored-By: Tomáš Hrnčiar <thrnciar@redhat.com>
 ---
- Lib/tarfile.py           |  47 +++++++++++++--
+ Lib/tarfile.py           |  47 +++++++++++--
 Lib/test/test_shutil.py  |   2 +-
- Lib/test/test_tarfile.py | 123 ++++++++++++++++++++++++++++++++++++++-
- 3 files changed, 163 insertions(+), 9 deletions(-)
+ Lib/test/test_tarfile.py | 147 +++++++++++++++++++++++++++++++++++++--
+ 3 files changed, 185 insertions(+), 11 deletions(-)

 diff --git a/Lib/tarfile.py b/Lib/tarfile.py
-index 02f5e3b..f7109f3 100755
+index e1487e3..89b6843 100755
 --- a/Lib/tarfile.py
 +++ b/Lib/tarfile.py
@@ -71,6 +71,13 @@ __all__ = ["TarFile", "TarInfo", "is_tarfile", "TarError", "ReadError",
@ -30,7 +35,7 @@ index 02f5e3b..f7109f3 100755
 
 #---------------------------------------------------------
 # tar constants
-@@ -2217,11 +2224,41 @@ class TarFile(object):
+@@ -2218,11 +2225,41 @@ class TarFile(object):
         if filter is None:
             filter = self.extraction_filter
             if filter is None:
@ -38,7 +43,7 @@ index 02f5e3b..f7109f3 100755
 -                    'Python 3.14 will, by default, filter extracted tar '
 -                    + 'archives and reject files or modify their metadata. '
 -                    + 'Use the filter argument to control this behavior.',
-                    DeprecationWarning)
+-                    DeprecationWarning, stacklevel=3)
 +                name = os.environ.get('PYTHON_TARFILE_EXTRACTION_FILTER')
 +                if name is None:
 +                    try:
@ -72,16 +77,16 @@ index 02f5e3b..f7109f3 100755
 +                        + 'and some mode bits are cleared. '
 +                        + 'See https://access.redhat.com/articles/7004769 '
 +                        + 'for more details.',
-+                        RuntimeWarning)
+                        RuntimeWarning, stacklevel=3)
 +                    return tar_filter
                 return fully_trusted_filter
             if isinstance(filter, str):
                 raise TypeError(
 diff --git a/Lib/test/test_shutil.py b/Lib/test/test_shutil.py
-index 5fd8fb4..501da8f 100644
+index 7bc5d12..88b4bdb 100644
 --- a/Lib/test/test_shutil.py
 +++ b/Lib/test/test_shutil.py
-@@ -1950,7 +1950,7 @@ class TestArchives(BaseTest, unittest.TestCase):
+@@ -2096,7 +2096,7 @@ class TestArchives(BaseTest, unittest.TestCase):
         self.check_unpack_archive(format, filter='fully_trusted')
         self.check_unpack_archive(format, filter='data')
         with warnings_helper.check_warnings(
@ -91,10 +96,48 @@ index 5fd8fb4..501da8f 100644
 
     def test_unpack_archive_tar(self):
 diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
-index c5fc76d..397e334 100644
+index 3fbd25e..9aa727e 100644
 --- a/Lib/test/test_tarfile.py
 +++ b/Lib/test/test_tarfile.py
-@@ -3097,8 +3097,8 @@ class NoneInfoExtractTests(ReadTest):
+@@ -727,7 +727,17 @@ class MiscReadTestBase(CommonReadTest):
+             tarfile.open(tarname, encoding="iso8859-1") as tar
+         ):
+             directories = [t for t in tar if t.isdir()]
+-            with self.assertWarnsRegex(DeprecationWarning, "Use the filter argument") as cm:
+            with self.assertWarnsRegex(
+                RuntimeWarning,
+                re.escape(
+                    'The default behavior of tarfile extraction has been '
+                    'changed to disallow common exploits '
+                    '(including CVE-2007-4559). '
+                    'By default, absolute/parent paths are disallowed '
+                    'and some mode bits are cleared. '
+                    'See https://access.redhat.com/articles/7004769 '
+                    'for more details.'
+                )) as cm:
+                 tar.extractall(DIR, directories)
+             # check that the stacklevel of the deprecation warning is correct:
+             self.assertEqual(cm.filename, __file__)
+@@ -740,7 +750,17 @@ class MiscReadTestBase(CommonReadTest):
+             tarfile.open(tarname, encoding="iso8859-1") as tar
+         ):
+             tarinfo = tar.getmember(dirtype)
+-            with self.assertWarnsRegex(DeprecationWarning, "Use the filter argument") as cm:
+            with self.assertWarnsRegex(
+                RuntimeWarning,
+                re.escape(
+                    'The default behavior of tarfile extraction has been '
+                    'changed to disallow common exploits '
+                    '(including CVE-2007-4559). '
+                    'By default, absolute/parent paths are disallowed '
+                    'and some mode bits are cleared. '
+                    'See https://access.redhat.com/articles/7004769 '
+                    'for more details.'
+                )) as cm:
+                 tar.extract(tarinfo, path=DIR)
+             # check that the stacklevel of the deprecation warning is correct:
+             self.assertEqual(cm.filename, __file__)
+@@ -3144,8 +3164,8 @@ class NoneInfoExtractTests(ReadTest):
         tar.errorlevel = 0
         with ExitStack() as cm:
             if cls.extraction_filter is None:
@ -105,7 +148,7 @@ index c5fc76d..397e334 100644
             tar.extractall(cls.control_dir, filter=cls.extraction_filter)
         tar.close()
         cls.control_paths = set(
-@@ -3919,7 +3919,7 @@ class TestExtractionFilters(unittest.TestCase):
+@@ -3966,7 +3986,7 @@ class TestExtractionFilters(unittest.TestCase):
         with ArchiveMaker() as arc:
             arc.add('foo')
         with warnings_helper.check_warnings(
@ -114,7 +157,7 @@ index c5fc76d..397e334 100644
             with self.check_context(arc.open(), None):
                 self.expect_file('foo')
 
-@@ -4089,6 +4089,123 @@ class TestExtractionFilters(unittest.TestCase):
+@@ -4136,6 +4156,123 @@ class TestExtractionFilters(unittest.TestCase):
             self.expect_exception(TypeError)  # errorlevel is not int
 
 
@ -235,9 +278,9 @@ index c5fc76d..397e334 100644
 +                self.check_trusted_default(tar, tempdir)
 +
 +
- def setUpModule():
-     os_helper.unlink(TEMPDIR)
-     os.makedirs(TEMPDIR)
+ class OverwriteTests(archiver_tests.OverwriteTests, unittest.TestCase):
+     testdir = os.path.join(TEMPDIR, "testoverwrite")
+ 
 -- 
-2.43.0
+2.44.0

--- a/00462-fix-pyssl_seterror-handling-ssl_error_syscall.patch
+++ b/00462-fix-pyssl_seterror-handling-ssl_error_syscall.patch
@ -0,0 +1,196 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: yevgeny hong <hongyevgeny@gmail.com>
+Date: Tue, 26 Mar 2024 16:45:43 +0900
+Subject: 00462: Fix PySSL_SetError handling SSL_ERROR_SYSCALL
+
+Python 3.10 changed from using SSL_write() and SSL_read() to SSL_write_ex() and
+SSL_read_ex(), but did not update handling of the return value.
+
+Change error handling so that the return value is not examined.
+OSError (not EOF) is now returned when retval is 0.
+
+This resolves the issue of failing tests when a system is
+stressed on OpenSSL 3.5.
+
+Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
+Co-authored-by: Petr Viktorin <encukou@gmail.com>
+---
+ Lib/test/test_ssl.py                          | 28 ++++++-----
+ ...-02-18-09-50-31.gh-issue-115627.HGchj0.rst |  2 +
+ Modules/_ssl.c                                | 48 +++++++------------
+ 3 files changed, 35 insertions(+), 43 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Library/2024-02-18-09-50-31.gh-issue-115627.HGchj0.rst
+
+diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
+index b13e37d0cd..daeb8cba74 100644
+--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
+@@ -2427,16 +2427,18 @@ def run(self):
+                         self.write(msg.lower())
+                 except OSError as e:
+                     # handles SSLError and socket errors
+                    if isinstance(e, ConnectionError):
+                        # OpenSSL 1.1.1 sometimes raises
+                        # ConnectionResetError when connection is not
+                        # shut down gracefully.
+                        if self.server.chatty and support.verbose:
+                            print(f" Connection reset by peer: {self.addr}")
+
+                        self.close()
+                        self.running = False
+                        return
+                     if self.server.chatty and support.verbose:
+-                        if isinstance(e, ConnectionError):
+-                            # OpenSSL 1.1.1 sometimes raises
+-                            # ConnectionResetError when connection is not
+-                            # shut down gracefully.
+-                            print(
+-                                f" Connection reset by peer: {self.addr}"
+-                            )
+-                        else:
+-                            handle_error("Test server failure:\n")
+                        handle_error("Test server failure:\n")
+                     try:
+                         self.write(b"ERROR\n")
+                     except OSError:
+@@ -3148,8 +3150,8 @@ def test_wrong_cert_tls13(self):
+                                         suppress_ragged_eofs=False) as s:
+             s.connect((HOST, server.port))
+             with self.assertRaisesRegex(
+-                ssl.SSLError,
+-                'alert unknown ca|EOF occurred|TLSV1_ALERT_UNKNOWN_CA'
+                OSError,
+                'alert unknown ca|EOF occurred|TLSV1_ALERT_UNKNOWN_CA|closed by the remote host|Connection reset by peer'
+             ):
+                 # TLS 1.3 perform client cert exchange after handshake
+                 s.write(b'data')
+@@ -4422,8 +4424,8 @@ def msg_cb(conn, direction, version, content_type, msg_type, data):
+                 # test sometimes fails with EOF error. Test passes as long as
+                 # server aborts connection with an error.
+                 with self.assertRaisesRegex(
+-                    ssl.SSLError,
+-                    '(certificate required|EOF occurred)'
+                    OSError,
+                    'certificate required|EOF occurred|closed by the remote host|Connection reset by peer'
+                 ):
+                     # receive CertificateRequest
+                     data = s.recv(1024)
+diff --git a/Misc/NEWS.d/next/Library/2024-02-18-09-50-31.gh-issue-115627.HGchj0.rst b/Misc/NEWS.d/next/Library/2024-02-18-09-50-31.gh-issue-115627.HGchj0.rst
+new file mode 100644
+index 0000000000..75d926ab59
+--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2024-02-18-09-50-31.gh-issue-115627.HGchj0.rst
+@@ -0,0 +1,2 @@
+Fix the :mod:`ssl` module error handling of connection terminate by peer.
+It now throws an OSError with the appropriate error code instead of an EOFError.
+diff --git a/Modules/_ssl.c b/Modules/_ssl.c
+index 0b8cf0b6df..42a4c95890 100644
+--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
+@@ -573,7 +573,7 @@ PySSL_ChainExceptions(PySSLSocket *sslsock) {
+ }
+ 
+ static PyObject *
+-PySSL_SetError(PySSLSocket *sslsock, int ret, const char *filename, int lineno)
+PySSL_SetError(PySSLSocket *sslsock, const char *filename, int lineno)
+ {
+     PyObject *type;
+     char *errstr = NULL;
+@@ -586,7 +586,6 @@ PySSL_SetError(PySSLSocket *sslsock, int ret, const char *filename, int lineno)
+     _sslmodulestate *state = get_state_sock(sslsock);
+     type = state->PySSLErrorObject;
+ 
+-    assert(ret <= 0);
+     e = ERR_peek_last_error();
+ 
+     if (sslsock->ssl != NULL) {
+@@ -619,32 +618,21 @@ PySSL_SetError(PySSLSocket *sslsock, int ret, const char *filename, int lineno)
+         case SSL_ERROR_SYSCALL:
+         {
+             if (e == 0) {
+-                PySocketSockObject *s = GET_SOCKET(sslsock);
+-                if (ret == 0 || (((PyObject *)s) == Py_None)) {
+                /* underlying BIO reported an I/O error */
+                ERR_clear_error();
+#ifdef MS_WINDOWS
+                if (err.ws) {
+                    return PyErr_SetFromWindowsErr(err.ws);
+                }
+#endif
+                if (err.c) {
+                    errno = err.c;
+                    return PyErr_SetFromErrno(PyExc_OSError);
+                }
+                else {
+                     p = PY_SSL_ERROR_EOF;
+                     type = state->PySSLEOFErrorObject;
+                     errstr = "EOF occurred in violation of protocol";
+-                } else if (s && ret == -1) {
+-                    /* underlying BIO reported an I/O error */
+-                    ERR_clear_error();
+-#ifdef MS_WINDOWS
+-                    if (err.ws) {
+-                        return PyErr_SetFromWindowsErr(err.ws);
+-                    }
+-#endif
+-                    if (err.c) {
+-                        errno = err.c;
+-                        return PyErr_SetFromErrno(PyExc_OSError);
+-                    }
+-                    else {
+-                        p = PY_SSL_ERROR_EOF;
+-                        type = state->PySSLEOFErrorObject;
+-                        errstr = "EOF occurred in violation of protocol";
+-                    }
+-                } else { /* possible? */
+-                    p = PY_SSL_ERROR_SYSCALL;
+-                    type = state->PySSLSyscallErrorObject;
+-                    errstr = "Some I/O error occurred";
+                 }
+             } else {
+                 if (ERR_GET_LIB(e) == ERR_LIB_SSL &&
+@@ -1007,7 +995,7 @@ _ssl__SSLSocket_do_handshake_impl(PySSLSocket *self)
+              err.ssl == SSL_ERROR_WANT_WRITE);
+     Py_XDECREF(sock);
+     if (ret < 1)
+-        return PySSL_SetError(self, ret, __FILE__, __LINE__);
+        return PySSL_SetError(self, __FILE__, __LINE__);
+     if (PySSL_ChainExceptions(self) < 0)
+         return NULL;
+     Py_RETURN_NONE;
+@@ -2424,7 +2412,7 @@ _ssl__SSLSocket_write_impl(PySSLSocket *self, Py_buffer *b)
+ 
+     Py_XDECREF(sock);
+     if (retval == 0)
+-        return PySSL_SetError(self, retval, __FILE__, __LINE__);
+        return PySSL_SetError(self, __FILE__, __LINE__);
+     if (PySSL_ChainExceptions(self) < 0)
+         return NULL;
+     return PyLong_FromSize_t(count);
+@@ -2454,7 +2442,7 @@ _ssl__SSLSocket_pending_impl(PySSLSocket *self)
+     self->err = err;
+ 
+     if (count < 0)
+-        return PySSL_SetError(self, count, __FILE__, __LINE__);
+        return PySSL_SetError(self, __FILE__, __LINE__);
+     else
+         return PyLong_FromLong(count);
+ }
+@@ -2577,7 +2565,7 @@ _ssl__SSLSocket_read_impl(PySSLSocket *self, Py_ssize_t len,
+              err.ssl == SSL_ERROR_WANT_WRITE);
+ 
+     if (retval == 0) {
+-        PySSL_SetError(self, retval, __FILE__, __LINE__);
+        PySSL_SetError(self, __FILE__, __LINE__);
+         goto error;
+     }
+     if (self->exc != NULL)
+@@ -2703,7 +2691,7 @@ _ssl__SSLSocket_shutdown_impl(PySSLSocket *self)
+     }
+     if (ret < 0) {
+         Py_XDECREF(sock);
+-        PySSL_SetError(self, ret, __FILE__, __LINE__);
+        PySSL_SetError(self, __FILE__, __LINE__);
+         return NULL;
+     }
+     if (self->exc != NULL)
--- a/00464-enable-pac-and-bti-protections-for-aarch64.patch
+++ b/00464-enable-pac-and-bti-protections-for-aarch64.patch
@ -0,0 +1,102 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Charalampos Stratakis <cstratak@redhat.com>
+Date: Tue, 3 Jun 2025 03:02:15 +0200
+Subject: 00464: Enable PAC and BTI protections for aarch64
+
+Apply protection against ROP/JOP attacks for aarch64 on asm_trampoline.S
+
+The BTI flag must be applied in the assembler sources for this class
+of attacks to be mitigated on newer aarch64 processors.
+
+Upstream PR: https://github.com/python/cpython/pull/130864/files
+
+The upstream patch is incomplete but only for the case where
+frame pointers are not used on 3.13+.
+
+Since on Fedora we always compile with frame pointers the BTI/PAC
+hardware protections can be enabled without losing Perf unwinding.
+---
+ Python/asm_trampoline.S         |  4 +++
+ Python/asm_trampoline_aarch64.h | 50 +++++++++++++++++++++++++++++++++
+ 2 files changed, 54 insertions(+)
+ create mode 100644 Python/asm_trampoline_aarch64.h
+
+diff --git a/Python/asm_trampoline.S b/Python/asm_trampoline.S
+index 341d0bbe51..ae882660b5 100644
+--- a/Python/asm_trampoline.S
+++ b/Python/asm_trampoline.S
+@@ -1,3 +1,5 @@
+#include "asm_trampoline_aarch64.h"
+
+     .text
+     .globl	_Py_trampoline_func_start
+ # The following assembly is equivalent to:
+@@ -20,10 +22,12 @@ _Py_trampoline_func_start:
+ #if defined(__aarch64__) && defined(__AARCH64EL__) && !defined(__ILP32__)
+     // ARM64 little endian, 64bit ABI
+     // generate with aarch64-linux-gnu-gcc 12.1
+    SIGN_LR
+     stp     x29, x30, [sp, -16]!
+     mov     x29, sp
+     blr     x3
+     ldp     x29, x30, [sp], 16
+    VERIFY_LR
+     ret
+ #endif
+     .globl	_Py_trampoline_func_end
+diff --git a/Python/asm_trampoline_aarch64.h b/Python/asm_trampoline_aarch64.h
+new file mode 100644
+index 0000000000..4b0ec4a7dc
+--- /dev/null
+++ b/Python/asm_trampoline_aarch64.h
+@@ -0,0 +1,50 @@
+#ifndef ASM_TRAMPOLINE_AARCH_64_H_
+#define ASM_TRAMPOLINE_AARCH_64_H_
+
+/*
+ * References:
+ *  - https://developer.arm.com/documentation/101028/0012/5--Feature-test-macros
+ *  - https://github.com/ARM-software/abi-aa/blob/main/aaelf64/aaelf64.rst
+ */
+
+#if defined(__ARM_FEATURE_BTI_DEFAULT) && __ARM_FEATURE_BTI_DEFAULT == 1
+  #define BTI_J hint 36 /* bti j: for jumps, IE br instructions */
+  #define BTI_C hint 34  /* bti c: for calls, IE bl instructions */
+  #define GNU_PROPERTY_AARCH64_BTI 1 /* bit 0 GNU Notes is for BTI support */
+#else
+  #define BTI_J
+  #define BTI_C
+  #define GNU_PROPERTY_AARCH64_BTI 0
+#endif
+
+#if defined(__ARM_FEATURE_PAC_DEFAULT)
+  #if __ARM_FEATURE_PAC_DEFAULT & 1
+    #define SIGN_LR hint 25 /* paciasp: sign with the A key */
+    #define VERIFY_LR hint 29 /* autiasp: verify with the A key */
+  #elif __ARM_FEATURE_PAC_DEFAULT & 2
+    #define SIGN_LR hint 27 /* pacibsp: sign with the b key */
+    #define VERIFY_LR hint 31 /* autibsp: verify with the b key */
+  #endif
+  #define GNU_PROPERTY_AARCH64_POINTER_AUTH 2 /* bit 1 GNU Notes is for PAC support */
+#else
+  #define SIGN_LR BTI_C
+  #define VERIFY_LR
+  #define GNU_PROPERTY_AARCH64_POINTER_AUTH 0
+#endif
+
+/* Add the BTI and PAC support to GNU Notes section */
+#if GNU_PROPERTY_AARCH64_BTI != 0 || GNU_PROPERTY_AARCH64_POINTER_AUTH != 0
+    .pushsection .note.gnu.property, "a"; /* Start a new allocatable section */
+    .balign 8; /* align it on a byte boundry */
+    .long 4; /* size of "GNU\0" */
+    .long 0x10; /* size of descriptor */
+    .long 0x5; /* NT_GNU_PROPERTY_TYPE_0 */
+    .asciz "GNU";
+    .long 0xc0000000; /* GNU_PROPERTY_AARCH64_FEATURE_1_AND */
+    .long 4; /* Four bytes of data */
+    .long (GNU_PROPERTY_AARCH64_BTI|GNU_PROPERTY_AARCH64_POINTER_AUTH); /* BTI or PAC is enabled */
+    .long 0; /* padding for 8 byte alignment */
+    .popsection; /* end the section */
+#endif
+
+#endif
--- a/Python-3.12.12.tar.xz.asc
+++ b/Python-3.12.12.tar.xz.asc
@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEEcWlgX2LHUTVtBUomqCHmgOX6YwUFAmjnnr1fFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDcx
+Njk2MDVGNjJDNzUxMzU2RDA1NEEyNkE4MjFFNjgwRTVGQTYzMDUACgkQqCHmgOX6
+YwXF3Q//VrreGa+P8lvp9UMjoj/YquKPwLqjzzAWf5vzHipkebdiESsB1HfGu04k
+Jw+ctTnXHf/12u0W7ijv+56JtcJFqEzh8yGokWqOzc99rpCeCY9qtuwaVYtZrTNx
+wepRaDAHdhP4Z2kLPDiE6pCXu2NIR5wHqHjQ8JGmprhASc07uxEhNN/gucVR2Sbr
+cCfC9rHfHkdhoPpZRRbcraAaxPGL3VyBXf7HuYbHhf4GuF9EVDlFg5I0BzHCKJDd
+ebPXYHvsoDgrMMqPXiX/YkGNByf3Ze6KZTNSGICy8SDzIzZgpmtOe5rzvlOXJBZZ
+SVfX8SqP4Ufml+MfJrGEx30S9reYYvnyTSmttpbDznonROKPEZOuDt08+CG3yR+T
+o5RdIneWmGXRf1mBrFKH9Br5tfOd+YeldfxdoQgla2fFHFVRnab1lsZFOC/HZ5z2
+Q3rPfVMDYKO8yoIKqv0BUzlkn9wYphCWoPHq0Y+SGjcP+Zh5qRTMqZYIaGekhWmx
+86egHHVqedMI0Q9hvgIEirupVJ1q34FZn2+3sEka9hdOie9aNHXWTmgWCGDm46qj
+qC9tT/jkMzWIY2Y4RdVDMdSCb7HkBEl1eAANq511gJ+eSWAXbP1sVrQoiAQY+EkC
+Yu2ceZYsl9i6zm7i/QaU/mOGB7xMZhMQLZBnZTHSzAZo/pBN7y8=
+=RuLK
+-----END PGP SIGNATURE-----
--- a/SOURCES/00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch
+++ b/SOURCES/00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch
@ -1,483 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Victor Stinner <vstinner@python.org>
-Date: Fri, 15 Dec 2023 16:10:40 +0100
-Subject: [PATCH] 00415: [CVE-2023-27043] gh-102988: Reject malformed addresses
- in email.parseaddr() (#111116)
-
-Detect email address parsing errors and return empty tuple to
-indicate the parsing error (old API). Add an optional 'strict'
-parameter to getaddresses() and parseaddr() functions. Patch by
-Thomas Dwyer.
-
-Co-Authored-By: Thomas Dwyer <github@tomd.tel>
---
- Doc/library/email.utils.rst                   |  19 +-
- Lib/email/utils.py                            | 151 +++++++++++++-
- Lib/test/test_email/test_email.py             | 187 +++++++++++++++++-
- ...-10-20-15-28-08.gh-issue-102988.dStNO7.rst |   8 +
- 4 files changed, 344 insertions(+), 21 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst
-
-diff --git a/Doc/library/email.utils.rst b/Doc/library/email.utils.rst
-index 345b64001c..d693a9bc39 100644
--- a/Doc/library/email.utils.rst
-+++ b/Doc/library/email.utils.rst
-@@ -58,13 +58,18 @@ of the new API.
-    begins with angle brackets, they are stripped off.
- 
- 
-.. function:: parseaddr(address)
-+.. function:: parseaddr(address, *, strict=True)
- 
-    Parse address -- which should be the value of some address-containing field such
-    as :mailheader:`To` or :mailheader:`Cc` -- into its constituent *realname* and
-    *email address* parts.  Returns a tuple of that information, unless the parse
-    fails, in which case a 2-tuple of ``('', '')`` is returned.
- 
-+   If *strict* is true, use a strict parser which rejects malformed inputs.
-+
-+   .. versionchanged:: 3.13
-+      Add *strict* optional parameter and reject malformed inputs by default.
-+
- 
- .. function:: formataddr(pair, charset='utf-8')
- 
-@@ -82,12 +87,15 @@ of the new API.
-       Added the *charset* option.
- 
- 
-.. function:: getaddresses(fieldvalues)
-+.. function:: getaddresses(fieldvalues, *, strict=True)
- 
-    This method returns a list of 2-tuples of the form returned by ``parseaddr()``.
-    *fieldvalues* is a sequence of header field values as might be returned by
-   :meth:`Message.get_all <email.message.Message.get_all>`.  Here's a simple
-   example that gets all the recipients of a message::
-+   :meth:`Message.get_all <email.message.Message.get_all>`.
-+
-+   If *strict* is true, use a strict parser which rejects malformed inputs.
-+
-+   Here's a simple example that gets all the recipients of a message::
- 
-       from email.utils import getaddresses
- 
-@@ -97,6 +105,9 @@ of the new API.
-       resent_ccs = msg.get_all('resent-cc', [])
-       all_recipients = getaddresses(tos + ccs + resent_tos + resent_ccs)
- 
-+   .. versionchanged:: 3.13
-+      Add *strict* optional parameter and reject malformed inputs by default.
-+
- 
- .. function:: parsedate(date)
- 
-diff --git a/Lib/email/utils.py b/Lib/email/utils.py
-index 81da5394ea..43c3627fca 100644
--- a/Lib/email/utils.py
-+++ b/Lib/email/utils.py
-@@ -48,6 +48,7 @@
- specialsre = re.compile(r'[][\\()<>@,:;".]')
- escapesre = re.compile(r'[\\"]')
- 
-+
- def _has_surrogates(s):
-     """Return True if s contains surrogate-escaped binary data."""
-     # This check is based on the fact that unless there are surrogates, utf8
-@@ -106,12 +107,127 @@ def formataddr(pair, charset='utf-8'):
-     return address
- 
- 
-+def _iter_escaped_chars(addr):
-+    pos = 0
-+    escape = False
-+    for pos, ch in enumerate(addr):
-+        if escape:
-+            yield (pos, '\\' + ch)
-+            escape = False
-+        elif ch == '\\':
-+            escape = True
-+        else:
-+            yield (pos, ch)
-+    if escape:
-+        yield (pos, '\\')
- 
-def getaddresses(fieldvalues):
-    """Return a list of (REALNAME, EMAIL) for each fieldvalue."""
-    all = COMMASPACE.join(str(v) for v in fieldvalues)
-    a = _AddressList(all)
-    return a.addresslist
-+
-+def _strip_quoted_realnames(addr):
-+    """Strip real names between quotes."""
-+    if '"' not in addr:
-+        # Fast path
-+        return addr
-+
-+    start = 0
-+    open_pos = None
-+    result = []
-+    for pos, ch in _iter_escaped_chars(addr):
-+        if ch == '"':
-+            if open_pos is None:
-+                open_pos = pos
-+            else:
-+                if start != open_pos:
-+                    result.append(addr[start:open_pos])
-+                start = pos + 1
-+                open_pos = None
-+
-+    if start < len(addr):
-+        result.append(addr[start:])
-+
-+    return ''.join(result)
-+
-+
-+supports_strict_parsing = True
-+
-+def getaddresses(fieldvalues, *, strict=True):
-+    """Return a list of (REALNAME, EMAIL) or ('','') for each fieldvalue.
-+
-+    When parsing fails for a fieldvalue, a 2-tuple of ('', '') is returned in
-+    its place.
-+
-+    If strict is true, use a strict parser which rejects malformed inputs.
-+    """
-+
-+    # If strict is true, if the resulting list of parsed addresses is greater
-+    # than the number of fieldvalues in the input list, a parsing error has
-+    # occurred and consequently a list containing a single empty 2-tuple [('',
-+    # '')] is returned in its place. This is done to avoid invalid output.
-+    #
-+    # Malformed input: getaddresses(['alice@example.com <bob@example.com>'])
-+    # Invalid output: [('', 'alice@example.com'), ('', 'bob@example.com')]
-+    # Safe output: [('', '')]
-+
-+    if not strict:
-+        all = COMMASPACE.join(str(v) for v in fieldvalues)
-+        a = _AddressList(all)
-+        return a.addresslist
-+
-+    fieldvalues = [str(v) for v in fieldvalues]
-+    fieldvalues = _pre_parse_validation(fieldvalues)
-+    addr = COMMASPACE.join(fieldvalues)
-+    a = _AddressList(addr)
-+    result = _post_parse_validation(a.addresslist)
-+
-+    # Treat output as invalid if the number of addresses is not equal to the
-+    # expected number of addresses.
-+    n = 0
-+    for v in fieldvalues:
-+        # When a comma is used in the Real Name part it is not a deliminator.
-+        # So strip those out before counting the commas.
-+        v = _strip_quoted_realnames(v)
-+        # Expected number of addresses: 1 + number of commas
-+        n += 1 + v.count(',')
-+    if len(result) != n:
-+        return [('', '')]
-+
-+    return result
-+
-+
-+def _check_parenthesis(addr):
-+    # Ignore parenthesis in quoted real names.
-+    addr = _strip_quoted_realnames(addr)
-+
-+    opens = 0
-+    for pos, ch in _iter_escaped_chars(addr):
-+        if ch == '(':
-+            opens += 1
-+        elif ch == ')':
-+            opens -= 1
-+            if opens < 0:
-+                return False
-+    return (opens == 0)
-+
-+
-+def _pre_parse_validation(email_header_fields):
-+    accepted_values = []
-+    for v in email_header_fields:
-+        if not _check_parenthesis(v):
-+            v = "('', '')"
-+        accepted_values.append(v)
-+
-+    return accepted_values
-+
-+
-+def _post_parse_validation(parsed_email_header_tuples):
-+    accepted_values = []
-+    # The parser would have parsed a correctly formatted domain-literal
-+    # The existence of an [ after parsing indicates a parsing failure
-+    for v in parsed_email_header_tuples:
-+        if '[' in v[1]:
-+            v = ('', '')
-+        accepted_values.append(v)
-+
-+    return accepted_values
- 
- 
- def _format_timetuple_and_zone(timetuple, zone):
-@@ -205,16 +321,33 @@ def parsedate_to_datetime(data):
-             tzinfo=datetime.timezone(datetime.timedelta(seconds=tz)))
- 
- 
-def parseaddr(addr):
-+def parseaddr(addr, *, strict=True):
-     """
-     Parse addr into its constituent realname and email address parts.
- 
-     Return a tuple of realname and email address, unless the parse fails, in
-     which case return a 2-tuple of ('', '').
-+
-+    If strict is True, use a strict parser which rejects malformed inputs.
-     """
-    addrs = _AddressList(addr).addresslist
-    if not addrs:
-        return '', ''
-+    if not strict:
-+        addrs = _AddressList(addr).addresslist
-+        if not addrs:
-+            return ('', '')
-+        return addrs[0]
-+
-+    if isinstance(addr, list):
-+        addr = addr[0]
-+
-+    if not isinstance(addr, str):
-+        return ('', '')
-+
-+    addr = _pre_parse_validation([addr])[0]
-+    addrs = _post_parse_validation(_AddressList(addr).addresslist)
-+
-+    if not addrs or len(addrs) > 1:
-+        return ('', '')
-+
-     return addrs[0]
- 
- 
-diff --git a/Lib/test/test_email/test_email.py b/Lib/test/test_email/test_email.py
-index 2a237095b9..4672b790d8 100644
--- a/Lib/test/test_email/test_email.py
-+++ b/Lib/test/test_email/test_email.py
-@@ -16,6 +16,7 @@
- 
- import email
- import email.policy
-+import email.utils
- 
- from email.charset import Charset
- from email.generator import Generator, DecodedGenerator, BytesGenerator
-@@ -3337,15 +3338,137 @@ def test_getaddresses_comma_in_name(self):
-             ],
-         )
- 
-+    def test_parsing_errors(self):
-+        """Test for parsing errors from CVE-2023-27043 and CVE-2019-16056"""
-+        alice = 'alice@example.org'
-+        bob = 'bob@example.com'
-+        empty = ('', '')
-+
-+        # Test utils.getaddresses() and utils.parseaddr() on malformed email
-+        # addresses: default behavior (strict=True) rejects malformed address,
-+        # and strict=False which tolerates malformed address.
-+        for invalid_separator, expected_non_strict in (
-+            ('(', [(f'<{bob}>', alice)]),
-+            (')', [('', alice), empty, ('', bob)]),
-+            ('<', [('', alice), empty, ('', bob), empty]),
-+            ('>', [('', alice), empty, ('', bob)]),
-+            ('[', [('', f'{alice}[<{bob}>]')]),
-+            (']', [('', alice), empty, ('', bob)]),
-+            ('@', [empty, empty, ('', bob)]),
-+            (';', [('', alice), empty, ('', bob)]),
-+            (':', [('', alice), ('', bob)]),
-+            ('.', [('', alice + '.'), ('', bob)]),
-+            ('"', [('', alice), ('', f'<{bob}>')]),
-+        ):
-+            address = f'{alice}{invalid_separator}<{bob}>'
-+            with self.subTest(address=address):
-+                self.assertEqual(utils.getaddresses([address]),
-+                                 [empty])
-+                self.assertEqual(utils.getaddresses([address], strict=False),
-+                                 expected_non_strict)
-+
-+                self.assertEqual(utils.parseaddr([address]),
-+                                 empty)
-+                self.assertEqual(utils.parseaddr([address], strict=False),
-+                                 ('', address))
-+
-+        # Comma (',') is treated differently depending on strict parameter.
-+        # Comma without quotes.
-+        address = f'{alice},<{bob}>'
-+        self.assertEqual(utils.getaddresses([address]),
-+                         [('', alice), ('', bob)])
-+        self.assertEqual(utils.getaddresses([address], strict=False),
-+                         [('', alice), ('', bob)])
-+        self.assertEqual(utils.parseaddr([address]),
-+                         empty)
-+        self.assertEqual(utils.parseaddr([address], strict=False),
-+                         ('', address))
-+
-+        # Real name between quotes containing comma.
-+        address = '"Alice, alice@example.org" <bob@example.com>'
-+        expected_strict = ('Alice, alice@example.org', 'bob@example.com')
-+        self.assertEqual(utils.getaddresses([address]), [expected_strict])
-+        self.assertEqual(utils.getaddresses([address], strict=False), [expected_strict])
-+        self.assertEqual(utils.parseaddr([address]), expected_strict)
-+        self.assertEqual(utils.parseaddr([address], strict=False),
-+                         ('', address))
-+
-+        # Valid parenthesis in comments.
-+        address = 'alice@example.org (Alice)'
-+        expected_strict = ('Alice', 'alice@example.org')
-+        self.assertEqual(utils.getaddresses([address]), [expected_strict])
-+        self.assertEqual(utils.getaddresses([address], strict=False), [expected_strict])
-+        self.assertEqual(utils.parseaddr([address]), expected_strict)
-+        self.assertEqual(utils.parseaddr([address], strict=False),
-+                         ('', address))
-+
-+        # Invalid parenthesis in comments.
-+        address = 'alice@example.org )Alice('
-+        self.assertEqual(utils.getaddresses([address]), [empty])
-+        self.assertEqual(utils.getaddresses([address], strict=False),
-+                         [('', 'alice@example.org'), ('', ''), ('', 'Alice')])
-+        self.assertEqual(utils.parseaddr([address]), empty)
-+        self.assertEqual(utils.parseaddr([address], strict=False),
-+                         ('', address))
-+
-+        # Two addresses with quotes separated by comma.
-+        address = '"Jane Doe" <jane@example.net>, "John Doe" <john@example.net>'
-+        self.assertEqual(utils.getaddresses([address]),
-+                         [('Jane Doe', 'jane@example.net'),
-+                          ('John Doe', 'john@example.net')])
-+        self.assertEqual(utils.getaddresses([address], strict=False),
-+                         [('Jane Doe', 'jane@example.net'),
-+                          ('John Doe', 'john@example.net')])
-+        self.assertEqual(utils.parseaddr([address]), empty)
-+        self.assertEqual(utils.parseaddr([address], strict=False),
-+                         ('', address))
-+
-+        # Test email.utils.supports_strict_parsing attribute
-+        self.assertEqual(email.utils.supports_strict_parsing, True)
-+
-     def test_getaddresses_nasty(self):
-        eq = self.assertEqual
-        eq(utils.getaddresses(['foo: ;']), [('', '')])
-        eq(utils.getaddresses(
-           ['[]*-- =~$']),
-           [('', ''), ('', ''), ('', '*--')])
-        eq(utils.getaddresses(
-           ['foo: ;', '"Jason R. Mastaler" <jason@dom.ain>']),
-           [('', ''), ('Jason R. Mastaler', 'jason@dom.ain')])
-+        for addresses, expected in (
-+            (['"Sürname, Firstname" <to@example.com>'],
-+             [('Sürname, Firstname', 'to@example.com')]),
-+
-+            (['foo: ;'],
-+             [('', '')]),
-+
-+            (['foo: ;', '"Jason R. Mastaler" <jason@dom.ain>'],
-+             [('', ''), ('Jason R. Mastaler', 'jason@dom.ain')]),
-+
-+            ([r'Pete(A nice \) chap) <pete(his account)@silly.test(his host)>'],
-+             [('Pete (A nice ) chap his account his host)', 'pete@silly.test')]),
-+
-+            (['(Empty list)(start)Undisclosed recipients  :(nobody(I know))'],
-+             [('', '')]),
-+
-+            (['Mary <@machine.tld:mary@example.net>, , jdoe@test   . example'],
-+             [('Mary', 'mary@example.net'), ('', ''), ('', 'jdoe@test.example')]),
-+
-+            (['John Doe <jdoe@machine(comment).  example>'],
-+             [('John Doe (comment)', 'jdoe@machine.example')]),
-+
-+            (['"Mary Smith: Personal Account" <smith@home.example>'],
-+             [('Mary Smith: Personal Account', 'smith@home.example')]),
-+
-+            (['Undisclosed recipients:;'],
-+             [('', '')]),
-+
-+            ([r'<boss@nil.test>, "Giant; \"Big\" Box" <bob@example.net>'],
-+             [('', 'boss@nil.test'), ('Giant; "Big" Box', 'bob@example.net')]),
-+        ):
-+            with self.subTest(addresses=addresses):
-+                self.assertEqual(utils.getaddresses(addresses),
-+                                 expected)
-+                self.assertEqual(utils.getaddresses(addresses, strict=False),
-+                                 expected)
-+
-+        addresses = ['[]*-- =~$']
-+        self.assertEqual(utils.getaddresses(addresses),
-+                         [('', '')])
-+        self.assertEqual(utils.getaddresses(addresses, strict=False),
-+                         [('', ''), ('', ''), ('', '*--')])
- 
-     def test_getaddresses_embedded_comment(self):
-         """Test proper handling of a nested comment"""
-@@ -3536,6 +3659,54 @@ def test_mime_classes_policy_argument(self):
-                 m = cls(*constructor, policy=email.policy.default)
-                 self.assertIs(m.policy, email.policy.default)
- 
-+    def test_iter_escaped_chars(self):
-+        self.assertEqual(list(utils._iter_escaped_chars(r'a\\b\"c\\"d')),
-+                         [(0, 'a'),
-+                          (2, '\\\\'),
-+                          (3, 'b'),
-+                          (5, '\\"'),
-+                          (6, 'c'),
-+                          (8, '\\\\'),
-+                          (9, '"'),
-+                          (10, 'd')])
-+        self.assertEqual(list(utils._iter_escaped_chars('a\\')),
-+                         [(0, 'a'), (1, '\\')])
-+
-+    def test_strip_quoted_realnames(self):
-+        def check(addr, expected):
-+            self.assertEqual(utils._strip_quoted_realnames(addr), expected)
-+
-+        check('"Jane Doe" <jane@example.net>, "John Doe" <john@example.net>',
-+              ' <jane@example.net>,  <john@example.net>')
-+        check(r'"Jane \"Doe\"." <jane@example.net>',
-+              ' <jane@example.net>')
-+
-+        # special cases
-+        check(r'before"name"after', 'beforeafter')
-+        check(r'before"name"', 'before')
-+        check(r'b"name"', 'b')  # single char
-+        check(r'"name"after', 'after')
-+        check(r'"name"a', 'a')  # single char
-+        check(r'"name"', '')
-+
-+        # no change
-+        for addr in (
-+            'Jane Doe <jane@example.net>, John Doe <john@example.net>',
-+            'lone " quote',
-+        ):
-+            self.assertEqual(utils._strip_quoted_realnames(addr), addr)
-+
-+
-+    def test_check_parenthesis(self):
-+        addr = 'alice@example.net'
-+        self.assertTrue(utils._check_parenthesis(f'{addr} (Alice)'))
-+        self.assertFalse(utils._check_parenthesis(f'{addr} )Alice('))
-+        self.assertFalse(utils._check_parenthesis(f'{addr} (Alice))'))
-+        self.assertFalse(utils._check_parenthesis(f'{addr} ((Alice)'))
-+
-+        # Ignore real name between quotes
-+        self.assertTrue(utils._check_parenthesis(f'")Alice((" {addr}'))
-+
- 
- # Test the iterator/generators
- class TestIterators(TestEmailBase):
-diff --git a/Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst b/Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst
-new file mode 100644
-index 0000000000..3d0e9e4078
--- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst
-@@ -0,0 +1,8 @@
-+:func:`email.utils.getaddresses` and :func:`email.utils.parseaddr` now
-+return ``('', '')`` 2-tuples in more situations where invalid email
-+addresses are encountered instead of potentially inaccurate values. Add
-+optional *strict* parameter to these two functions: use ``strict=False`` to
-+get the old behavior, accept malformed inputs.
-+``getattr(email.utils, 'supports_strict_parsing', False)`` can be use to check
-+if the *strict* paramater is available. Patch by Thomas Dwyer and Victor
-+Stinner to improve the CVE-2023-27043 fix.
--- a/SOURCES/Python-3.12.1.tar.xz.asc
+++ b/SOURCES/Python-3.12.1.tar.xz.asc
@ -1,18 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQKTBAABCgB9FiEEcWlgX2LHUTVtBUomqCHmgOX6YwUFAmVyMspfFIAAAAAALgAo
-aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDcx
-Njk2MDVGNjJDNzUxMzU2RDA1NEEyNkE4MjFFNjgwRTVGQTYzMDUACgkQqCHmgOX6
-YwWv5w/+JlGtfy+x+6mtauH1uOkt7n9PMQou1LcthDs5s41wuwjO7RbwnmJD6aDk
-DqwLHheoq6Kjbl6PF1kG2T8ZbHkMudhnc5yH4eQG52IGNQ6evilxoC6AyhVg8ANi
-+u6Juh9r2Hjz/LDWFB4hzwcOBKy0jYw98+A0uMvpPd2bmdFMBLQE0GTZCdrRsGYs
-q0oysUX7uCJBfINp7XwiVGAK/6ma0nrr0A1ho6LCau+VGkDnJZdKZgIMyyxp6qL1
-7tMjb3LUpV3FWp57L2za59TaayApNf5BlanC+de6oKEhEJ8oEFyWxOx2GmXHZwch
-ucj7Z1dxuI7fjNVkEvZ+JuheLGtB9mAmUZslXgUJf5wo49bCo9E4/ZlIFQk7VJR3
-Bm9VlQb5mMydB8QJbMy/BpgNjgKmEvBTnir37prJpUV/TL1YZT0eZ5JxCnlUIL/F
-6cOzAE3zHPnvHcyHhKV3q5CoONdBtB3RWgS66m4eMneuWoNKaoEbO5IDxtKvCd1J
-AKLmzCB0/KCWVUIYBTfJ8ytBVQA0Z2w8CZ7SC8asX4DocDCvxim1sQg5s8c4mzh+
-1JVbyqqEmf9m74Mqby0vICC6UVvgaPyiOxTphtRXLIYHUscLVn5+586RMYnM9nP4
-nEK+H/fq6Rcp1XEtIPzCG4IPUAYnuDLjbGQegltpKV/SAYn+DGg=
-=dCpy
-----END PGP SIGNATURE-----
--- a/SOURCES/import_all_modules_py3_12.py
+++ b/SOURCES/import_all_modules_py3_12.py
@ -1,171 +0,0 @@
-'''Script to perform import of each module given to %%py_check_import
-'''
-import argparse
-import importlib
-import fnmatch
-import os
-import re
-import site
-import sys
-
-from contextlib import contextmanager
-from pathlib import Path
-
-
-def read_modules_files(file_paths):
-    '''Read module names from the files (modules must be newline separated).
-
-    Return the module names list or, if no files were provided, an empty list.
-    '''
-
-    if not file_paths:
-        return []
-
-    modules = []
-    for file in file_paths:
-        file_contents = file.read_text()
-        modules.extend(file_contents.split())
-    return modules
-
-
-def read_modules_from_cli(argv):
-    '''Read module names from command-line arguments (space or comma separated).
-
-    Return the module names list.
-    '''
-
-    if not argv:
-        return []
-
-    # %%py3_check_import allows to separate module list with comma or whitespace,
-    # we need to unify the output to a list of particular elements
-    modules_as_str = ' '.join(argv)
-    modules = re.split(r'[\s,]+', modules_as_str)
-    # Because of shell expansion in some less typical cases it may happen
-    # that a trailing space will occur at the end of the list.
-    # Remove the empty items from the list before passing it further
-    modules = [m for m in modules if m]
-    return modules
-
-
-def filter_top_level_modules_only(modules):
-    '''Filter out entries with nested modules (containing dot) ie. 'foo.bar'.
-
-    Return the list of top-level modules.
-    '''
-
-    return [module for module in modules if '.' not in module]
-
-
-def any_match(text, globs):
-    '''Return True if any of given globs fnmatchcase's the given text.'''
-
-    return any(fnmatch.fnmatchcase(text, g) for g in globs)
-
-
-def exclude_unwanted_module_globs(globs, modules):
-    '''Filter out entries which match the either of the globs given as argv.
-
-    Return the list of filtered modules.
-    '''
-
-    return [m for m in modules if not any_match(m, globs)]
-
-
-def read_modules_from_all_args(args):
-    '''Return a joined list of modules from all given command-line arguments.
-    '''
-
-    modules = read_modules_files(args.filename)
-    modules.extend(read_modules_from_cli(args.modules))
-    if args.exclude:
-        modules = exclude_unwanted_module_globs(args.exclude, modules)
-
-    if args.top_level:
-        modules = filter_top_level_modules_only(modules)
-
-    # Error when someone accidentally managed to filter out everything
-    if len(modules) == 0:
-        raise ValueError('No modules to check were left')
-
-    return modules
-
-
-def import_modules(modules):
-    '''Procedure to perform import check for each module name from the given list of modules.
-    '''
-
-    for module in modules:
-        print('Check import:', module, file=sys.stderr)
-        importlib.import_module(module)
-
-
-def argparser():
-    parser = argparse.ArgumentParser(
-        description='Generate list of all importable modules for import check.'
-    )
-    parser.add_argument(
-        'modules', nargs='*',
-        help=('Add modules to check the import (space or comma separated).'),
-    )
-    parser.add_argument(
-        '-f', '--filename', action='append', type=Path,
-        help='Add importable module names list from file.',
-    )
-    parser.add_argument(
-        '-t', '--top-level', action='store_true',
-        help='Check only top-level modules.',
-    )
-    parser.add_argument(
-        '-e', '--exclude', action='append',
-        help='Provide modules globs to be excluded from the check.',
-    )
-    return parser
-
-
-@contextmanager
-def remove_unwanteds_from_sys_path():
-    '''Remove cwd and this script's parent from sys.path for the import test.
-    Bring the original contents back after import is done (or failed)
-    '''
-
-    cwd_absolute = Path.cwd().absolute()
-    this_file_parent = Path(__file__).parent.absolute()
-    old_sys_path = list(sys.path)
-    for path in old_sys_path:
-        if Path(path).absolute() in (cwd_absolute, this_file_parent):
-            sys.path.remove(path)
-    try:
-        yield
-    finally:
-        sys.path = old_sys_path
-
-
-def addsitedirs_from_environ():
-    '''Load directories from the _PYTHONSITE environment variable (separated by :)
-    and load the ones already present in sys.path via site.addsitedir()
-    to handle .pth files in them.
-
-    This is needed to properly import old-style namespace packages with nspkg.pth files.
-    See https://bugzilla.redhat.com/2018551 for a more detailed rationale.'''
-    for path in os.getenv('_PYTHONSITE', '').split(':'):
-        if path in sys.path:
-            site.addsitedir(path)
-
-
-def main(argv=None):
-
-    cli_args = argparser().parse_args(argv)
-
-    if not cli_args.modules and not cli_args.filename:
-        raise ValueError('No modules to check were provided')
-
-    modules = read_modules_from_all_args(cli_args)
-
-    with remove_unwanteds_from_sys_path():
-        addsitedirs_from_environ()
-        import_modules(modules)
-
-
-if __name__ == '__main__':
-    main()
--- a/SOURCES/macros.python3.12
+++ b/SOURCES/macros.python3.12
@ -1,91 +0,0 @@
-%__python3 /usr/bin/python3.12
-%python3_pkgversion 3.12
-
-# The following are macros from macros.python3 in Fedora that are newer/different than those in the python3-rpm-macros package in RHEL 8.
-# These macros overwrite/supercede some of the macros in the python3-rpm-macros package in RHEL.
-
-# nb: $RPM_BUILD_ROOT is not set when the macros are expanded (at spec parse time)
-#     so we set it manually (to empty string), making our Python prefer the correct install scheme location
-# platbase/base is explicitly set to %%{_prefix} to support custom values, such as /app for flatpaks
-%python3_sitelib %(RPM_BUILD_ROOT= %{__python3} -Ic "import sysconfig; print(sysconfig.get_path('purelib', vars={'platbase': '%{_prefix}', 'base': '%{_prefix}'}))")
-%python3_sitearch %(RPM_BUILD_ROOT= %{__python3} -Ic "import sysconfig; print(sysconfig.get_path('platlib', vars={'platbase': '%{_prefix}', 'base': '%{_prefix}'}))")
-%python3_version %(RPM_BUILD_ROOT= %{__python3} -Ic "import sys; sys.stdout.write('{0.major}.{0.minor}'.format(sys.version_info))")
-%python3_version_nodots %(RPM_BUILD_ROOT= %{__python3} -Ic "import sys; sys.stdout.write('{0.major}{0.minor}'.format(sys.version_info))")
-%python3_platform %(RPM_BUILD_ROOT= %{__python3} -Ic "import sysconfig; print(sysconfig.get_platform())")
-%python3_platform_triplet %(RPM_BUILD_ROOT= %{__python3} -Ic "import sysconfig; print(sysconfig.get_config_var('MULTIARCH'))")
-%python3_ext_suffix %(RPM_BUILD_ROOT= %{__python3} -Ic "import sysconfig; print(sysconfig.get_config_var('EXT_SUFFIX'))")
-%python3_cache_tag %(RPM_BUILD_ROOT= %{__python3} -Ic "import sys; print(sys.implementation.cache_tag)")
-
-%_py3_shebang_s s
-%_py3_shebang_P %(RPM_BUILD_ROOT= %{__python3} -Ic "import sys; print('P' if hasattr(sys.flags, 'safe_path') else '')")
-%py3_shbang_opts -%{?_py3_shebang_s}%{?_py3_shebang_P}
-
-%py3_shebang_fix %{expand:\\\
-  if [ -z "%{?py3_shebang_flags}" ]; then
-    shebang_flags="-k"
-  else
-    shebang_flags="-ka%{py3_shebang_flags}"
-  fi
-  %{__python3} -B %{_rpmconfigdir}/redhat/pathfix_py3_12.py -pni %{__python3} $shebang_flags}
-
-%py3_install() %{expand:\\\
-  CFLAGS="${CFLAGS:-${RPM_OPT_FLAGS}}" LDFLAGS="${LDFLAGS:-${RPM_LD_FLAGS}}"\\\
-  %{__python3} %{py_setup} %{?py_setup_args} install -O1 --skip-build --root %{buildroot} --prefix %{_prefix} %{?*}
-  rm -rfv %{buildroot}%{_bindir}/__pycache__
-}
-
-%py3_install_egg() %{expand:\\\
-  mkdir -p %{buildroot}%{python3_sitelib}
-  %{__python3} -m easy_install -m --prefix %{buildroot}%{_prefix} -Z dist/*-py%{python3_version}.egg %{?*}
-  rm -rfv %{buildroot}%{_bindir}/__pycache__
-}
-
-%py3_install_wheel() %{expand:\\\
-  %{__python3} -m pip install -I dist/%{1} --root %{buildroot} --prefix %{_prefix} --no-deps --no-index --no-warn-script-location
-  rm -rfv %{buildroot}%{_bindir}/__pycache__
-  for distinfo in %{buildroot}%{python3_sitelib}/*.dist-info %{buildroot}%{python3_sitearch}/*.dist-info; do
-    if [ -f ${distinfo}/direct_url.json ]; then
-      rm -fv ${distinfo}/direct_url.json
-      sed -i '/direct_url.json/d' ${distinfo}/RECORD
-    fi
-  done
-}
-
-# With $PATH and $PYTHONPATH set to the %%buildroot,
-# try to import the Python 3 module(s) given as command-line args or read from file (-f).
-# Respect the custom values of %%py3_shebang_flags or set nothing if it's undefined.
-# Filter and check import on only top-level modules using -t flag.
-# Exclude unwanted modules by passing their globs to -e option.
-# Useful as a smoke test in %%check when running tests is not feasible.
-# Use spaces or commas as separators if providing list directly.
-# Use newlines as separators if providing list in a file.
-%py3_check_import(e:tf:) %{expand:\\\
-  PATH="%{buildroot}%{_bindir}:$PATH"\\\
-  PYTHONPATH="${PYTHONPATH:-%{buildroot}%{python3_sitearch}:%{buildroot}%{python3_sitelib}}"\\\
-  _PYTHONSITE="%{buildroot}%{python3_sitearch}:%{buildroot}%{python3_sitelib}"\\\
-  PYTHONDONTWRITEBYTECODE=1\\\
-  %{lua:
-  local command = "%{__python3} "
-  if rpm.expand("%{?py3_shebang_flags}") ~= "" then
-    command = command .. "-%{py3_shebang_flags}"
-  end
-  command = command .. " %{_rpmconfigdir}/redhat/import_all_modules_py3_12.py "
-  -- handle multiline arguments correctly, see https://bugzilla.redhat.com/2018809
-  local args=rpm.expand('%{?**}'):gsub("[%s\\\\]*%s+", " ")
-  print(command .. args)
-  }
-}
-
-# Environment variables used by %%pytest, %%tox or standalone, e.g.:
-#  %%{py3_test_envvars} %%{python3} -m unittest
-%py3_test_envvars %{expand:\\\
-  CFLAGS="${CFLAGS:-${RPM_OPT_FLAGS}}" LDFLAGS="${LDFLAGS:-${RPM_LD_FLAGS}}"\\\
-  PATH="%{buildroot}%{_bindir}:$PATH"\\\
-  PYTHONPATH="${PYTHONPATH:-%{buildroot}%{python3_sitearch}:%{buildroot}%{python3_sitelib}}"\\\
-  PYTHONDONTWRITEBYTECODE=1\\\
-  %{?__pytest_addopts:PYTEST_ADDOPTS="${PYTEST_ADDOPTS:-} %{__pytest_addopts}"}\\\
-  PYTEST_XDIST_AUTO_NUM_WORKERS=%{_smp_build_ncpus}}
-
-# This is intended for Python 3 only, hence also no Python version in the name.
-%__pytest /usr/bin/pytest-%{python3_version}
-%pytest %py3_test_envvars %__pytest
--- a/SOURCES/pathfix_py3_12.py
+++ b/SOURCES/pathfix_py3_12.py
@ -1,199 +0,0 @@
-#!/usr/bin/env python3
-
-import sys
-import os
-from stat import *
-import getopt
-
-err = sys.stderr.write
-dbg = err
-rep = sys.stdout.write
-
-new_interpreter = None
-preserve_timestamps = False
-create_backup = True
-keep_flags = False
-add_flags = b''
-
-
-def main():
-    global new_interpreter
-    global preserve_timestamps
-    global create_backup
-    global keep_flags
-    global add_flags
-
-    usage = ('usage: %s -i /interpreter -p -n -k -a file-or-directory ...\n' %
-             sys.argv[0])
-    try:
-        opts, args = getopt.getopt(sys.argv[1:], 'i:a:kpn')
-    except getopt.error as msg:
-        err(str(msg) + '\n')
-        err(usage)
-        sys.exit(2)
-    for o, a in opts:
-        if o == '-i':
-            new_interpreter = a.encode()
-        if o == '-p':
-            preserve_timestamps = True
-        if o == '-n':
-            create_backup = False
-        if o == '-k':
-            keep_flags = True
-        if o == '-a':
-            add_flags = a.encode()
-            if b' ' in add_flags:
-                err("-a option doesn't support whitespaces")
-                sys.exit(2)
-    if not new_interpreter or not new_interpreter.startswith(b'/') or \
-           not args:
-        err('-i option or file-or-directory missing\n')
-        err(usage)
-        sys.exit(2)
-    bad = 0
-    for arg in args:
-        if os.path.isdir(arg):
-            if recursedown(arg): bad = 1
-        elif os.path.islink(arg):
-            err(arg + ': will not process symbolic links\n')
-            bad = 1
-        else:
-            if fix(arg): bad = 1
-    sys.exit(bad)
-
-
-def ispython(name):
-    return name.endswith('.py')
-
-
-def recursedown(dirname):
-    dbg('recursedown(%r)\n' % (dirname,))
-    bad = 0
-    try:
-        names = os.listdir(dirname)
-    except OSError as msg:
-        err('%s: cannot list directory: %r\n' % (dirname, msg))
-        return 1
-    names.sort()
-    subdirs = []
-    for name in names:
-        if name in (os.curdir, os.pardir): continue
-        fullname = os.path.join(dirname, name)
-        if os.path.islink(fullname): pass
-        elif os.path.isdir(fullname):
-            subdirs.append(fullname)
-        elif ispython(name):
-            if fix(fullname): bad = 1
-    for fullname in subdirs:
-        if recursedown(fullname): bad = 1
-    return bad
-
-
-def fix(filename):
-##  dbg('fix(%r)\n' % (filename,))
-    try:
-        f = open(filename, 'rb')
-    except IOError as msg:
-        err('%s: cannot open: %r\n' % (filename, msg))
-        return 1
-    with f:
-        line = f.readline()
-        fixed = fixline(line)
-        if line == fixed:
-            rep(filename+': no change\n')
-            return
-        head, tail = os.path.split(filename)
-        tempname = os.path.join(head, '@' + tail)
-        try:
-            g = open(tempname, 'wb')
-        except IOError as msg:
-            err('%s: cannot create: %r\n' % (tempname, msg))
-            return 1
-        with g:
-            rep(filename + ': updating\n')
-            g.write(fixed)
-            BUFSIZE = 8*1024
-            while 1:
-                buf = f.read(BUFSIZE)
-                if not buf: break
-                g.write(buf)
-
-    # Finishing touch -- move files
-
-    mtime = None
-    atime = None
-    # First copy the file's mode to the temp file
-    try:
-        statbuf = os.stat(filename)
-        mtime = statbuf.st_mtime
-        atime = statbuf.st_atime
-        os.chmod(tempname, statbuf[ST_MODE] & 0o7777)
-    except OSError as msg:
-        err('%s: warning: chmod failed (%r)\n' % (tempname, msg))
-    # Then make a backup of the original file as filename~
-    if create_backup:
-        try:
-            os.rename(filename, filename + '~')
-        except OSError as msg:
-            err('%s: warning: backup failed (%r)\n' % (filename, msg))
-    else:
-        try:
-            os.remove(filename)
-        except OSError as msg:
-            err('%s: warning: removing failed (%r)\n' % (filename, msg))
-    # Now move the temp file to the original file
-    try:
-        os.rename(tempname, filename)
-    except OSError as msg:
-        err('%s: rename failed (%r)\n' % (filename, msg))
-        return 1
-    if preserve_timestamps:
-        if atime and mtime:
-            try:
-                os.utime(filename, (atime, mtime))
-            except OSError as msg:
-                err('%s: reset of timestamp failed (%r)\n' % (filename, msg))
-                return 1
-    # Return success
-    return 0
-
-
-def parse_shebang(shebangline):
-    shebangline = shebangline.rstrip(b'\n')
-    start = shebangline.find(b' -')
-    if start == -1:
-        return b''
-    return shebangline[start:]
-
-
-def populate_flags(shebangline):
-    old_flags = b''
-    if keep_flags:
-        old_flags = parse_shebang(shebangline)
-        if old_flags:
-            old_flags = old_flags[2:]
-    if not (old_flags or add_flags):
-        return b''
-    # On Linux, the entire string following the interpreter name
-    # is passed as a single argument to the interpreter.
-    # e.g. "#! /usr/bin/python3 -W Error -s" runs "/usr/bin/python3 "-W Error -s"
-    # so shebang should have single '-' where flags are given and
-    # flag might need argument for that reasons adding new flags is
-    # between '-' and original flags
-    # e.g. #! /usr/bin/python3 -sW Error
-    return b' -' + add_flags + old_flags
-
-
-def fixline(line):
-    if not line.startswith(b'#!'):
-        return line
-
-    if b"python" not in line:
-        return line
-
-    flags = populate_flags(line)
-    return b'#! ' + new_interpreter + flags + b'\n'
-
-
-if __name__ == '__main__':
-    main()
--- a/SOURCES/Yhg1s.gpg
+++ b/SOURCES/Yhg1s.gpg
--- a/SOURCES/check-pyc-timestamps.py
+++ b/SOURCES/check-pyc-timestamps.py
@ -16,7 +16,6 @@ LEVELS = (None, 1, 2)
 # list of globs of test and other files that we expect not to have bytecode
 not_compiled = [
    '/usr/bin/*',
-    '/usr/lib/rpm/redhat/*',
    '*/test/badsyntax_*.py',
    '*/tokenizedata/bad_coding.py',
    '*/tokenizedata/bad_coding2.py',
--- a/SOURCES/idle3.appdata.xml
+++ b/SOURCES/idle3.appdata.xml
--- a/SOURCES/idle3.desktop
+++ b/SOURCES/idle3.desktop
--- a/SPECS/python3.12.spec
+++ b/SPECS/python3.12.spec
--- a/1
+++ b/1
@ -0,0 +1 @@
+SHA512 (Python-3.12.12.tar.xz) = 4b99d240dd96a6e154909dcffe87f8bb38193d634cd80a1c3d9e819b7a63af2afa46d5e6423e81f00dd388840dc29a4a71580f6aa1ce9a12e559c1d63f65a205
Author	SHA1	Message	Date
eabdullin	5e7f5070b7	import UBI python3.12-3.12.12-1.el10_1	2025-12-22 18:24:34 +00:00
eabdullin	fd35a315c8	import UBI python3.12-3.12.11-3.el10	2025-11-11 21:47:56 +00:00
eabdullin	04b8262432	import UBI python3.12-3.12.9-2.el10_0.3	2025-09-02 06:06:26 +00:00
eabdullin	0c1cda5140	import UBI python3.12-3.12.9-2.el10_0.2	2025-07-01 23:10:56 +00:00
eabdullin	d8400d1743	import UBI python3.12-3.12.9-2.el10_0.1	2025-06-24 09:45:00 +00:00
eabdullin	1dec303d15	import UBI python3.12-3.12.9-2.el10_0	2025-05-14 18:53:00 +00:00
				`@ -1 +0,0 @@`
				`5b11c58ea58cd6b8e1943c7e9b5f6e0997ca3632 SOURCES/Python-3.12.1.tar.xz`
				`@ -0,0 +1 @@`
				`SHA512 (Python-3.12.12.tar.xz) = 4b99d240dd96a6e154909dcffe87f8bb38193d634cd80a1c3d9e819b7a63af2afa46d5e6423e81f00dd388840dc29a4a71580f6aa1ce9a12e559c1d63f65a205`