Update to 3.12.3

- __phello__
  - _xxsubinterpreters
  - xxlimited
  - xxlimited_35
  - xxsubtype

Source: https://github.com/python/cpython/blob/v3.12.2/Tools/build/generate_stdlib_module_names.py#L23

.python3.12.metadata

@@ -0,0 +1,2 @@
+3df73004a9b224d021fd397724e8bd4f9b6cc824 Python-3.12.3.tar.xz
+a02c000e85f7a1acd7eaa4db66654833ea68c047 Python-3.12.3.tar.xz.asc

00251-change-user-install-location.patch

@@ -30,10 +30,10 @@ Co-authored-by: Lumír Balhar <frenzy.madness@gmail.com>
  3 files changed, 71 insertions(+), 4 deletions(-)
 
 diff --git a/Lib/site.py b/Lib/site.py
-index 672fa7b000..0a9c5be53e 100644
+index 924b2460d9..51b5baca93 100644
 --- a/Lib/site.py
 +++ b/Lib/site.py
-@@ -377,8 +377,15 @@ def getsitepackages(prefixes=None):
+@@ -387,8 +387,15 @@ def getsitepackages(prefixes=None):
      return sitepackages
  
  def addsitepackages(known_paths, prefixes=None):
@@ -129,7 +129,7 @@ index 122d441bd1..2d354a11da 100644
          # On Windows we want to substitute 'lib' for schemes rather
          # than the native value (without modifying vars, in case it
 diff --git a/Lib/test/test_sysconfig.py b/Lib/test/test_sysconfig.py
-index b6dbf3d52c..4f06a7673c 100644
+index 1137c2032b..8fc2b84f52 100644
 --- a/Lib/test/test_sysconfig.py
 +++ b/Lib/test/test_sysconfig.py
 @@ -110,8 +110,19 @@ def test_get_path(self):
@@ -153,7 +153,7 @@ index b6dbf3d52c..4f06a7673c 100644
                      os.path.normpath(expected),
                  )
  
-@@ -335,7 +346,7 @@ def test_get_config_h_filename(self):
+@@ -344,7 +355,7 @@ def test_get_config_h_filename(self):
          self.assertTrue(os.path.isfile(config_h), config_h)
  
      def test_get_scheme_names(self):
@@ -162,7 +162,7 @@ index b6dbf3d52c..4f06a7673c 100644
          if HAS_USER_BASE:
              wanted.extend(['nt_user', 'osx_framework_user', 'posix_user'])
          self.assertEqual(get_scheme_names(), tuple(sorted(wanted)))
-@@ -347,6 +358,8 @@ def test_symlink(self): # Issue 7880
+@@ -356,6 +367,8 @@ def test_symlink(self): # Issue 7880
              cmd = "-c", "import sysconfig; print(sysconfig.get_platform())"
              self.assertEqual(py.call_real(*cmd), py.call_link(*cmd))
  

00329-fips.patch

@@ -750,7 +750,7 @@ index 8b4f920..20ef96c 100644
              raise TypeError("key: expected bytes or bytearray, but got %r" % type(key).__name__)
  
          if not digestmod:
-             raise TypeError("Missing required parameter 'digestmod'.")
+             raise TypeError("Missing required argument 'digestmod'.")
  
 -        if _hashopenssl and isinstance(digestmod, (str, _functype)):
 +        if _hashopenssl.get_fips_mode() or (_hashopenssl and isinstance(digestmod, (str, _functype))):

00371-revert-bpo-1596321-fix-threading-_shutdown-for-the-main-thread-gh-28549-gh-28589.patch

@@ -16,10 +16,10 @@ https://github.com/GrahamDumpleton/mod_wsgi/issues/730
  2 files changed, 8 insertions(+), 50 deletions(-)
 
 diff --git a/Lib/test/test_threading.py b/Lib/test/test_threading.py
-index 756d5e329f..5d09775efc 100644
+index 2e4b860b97..3066b23ee1 100644
 --- a/Lib/test/test_threading.py
 +++ b/Lib/test/test_threading.py
-@@ -1007,39 +1007,6 @@ def noop(): pass
+@@ -1100,39 +1100,6 @@ def noop(): pass
              threading.Thread(target=noop).start()
              # Thread.join() is not called
  
@@ -56,14 +56,14 @@ index 756d5e329f..5d09775efc 100644
 -        self.assertEqual(out, b'')
 -        self.assertEqual(err, b'')
 -
-     def test_start_new_thread_at_exit(self):
+     def test_start_new_thread_at_finalization(self):
          code = """if 1:
-             import atexit
+             import _thread
 diff --git a/Lib/threading.py b/Lib/threading.py
-index 8dcaf8ca6a..ed0b0f4632 100644
+index 98cb43c697..ee647f8549 100644
 --- a/Lib/threading.py
 +++ b/Lib/threading.py
-@@ -1586,29 +1586,20 @@ def _shutdown():
+@@ -1585,29 +1585,20 @@ def _shutdown():
  
      global _SHUTTING_DOWN
      _SHUTTING_DOWN = True

00397-tarfile-filter.patch

@@ -0,0 +1,243 @@
+From 73d2995223c725638d53b9cb8e1d26b82daf0874 Mon Sep 17 00:00:00 2001
+From: Petr Viktorin <encukou@gmail.com>
+Date: Mon, 6 Mar 2023 17:24:24 +0100
+Subject: [PATCH] CVE-2007-4559, PEP-706: Add filters for tarfile extraction
+ (downstream)
+
+Add and test RHEL-specific ways of configuring the default behavior: environment
+variable and config file.
+---
+ Lib/tarfile.py           |  47 +++++++++++++--
+ Lib/test/test_shutil.py  |   2 +-
+ Lib/test/test_tarfile.py | 123 ++++++++++++++++++++++++++++++++++++++-
+ 3 files changed, 163 insertions(+), 9 deletions(-)
+
+diff --git a/Lib/tarfile.py b/Lib/tarfile.py
+index 02f5e3b..f7109f3 100755
+--- a/Lib/tarfile.py
++++ b/Lib/tarfile.py
+@@ -71,6 +71,13 @@ __all__ = ["TarFile", "TarInfo", "is_tarfile", "TarError", "ReadError",
+            "OutsideDestinationError", "SpecialFileError", "AbsolutePathError",
+            "LinkOutsideDestinationError"]
+ 
++# If true, use the safer (but backwards-incompatible) 'tar' extraction filter,
++# rather than 'fully_trusted', by default.
++# The emitted warning is changed to match.
++_RH_SAFER_DEFAULT = True
++
++# System-wide configuration file
++_CONFIG_FILENAME = '/etc/python/tarfile.cfg'
+ 
+ #---------------------------------------------------------
+ # tar constants
+@@ -2217,11 +2224,41 @@ class TarFile(object):
+         if filter is None:
+             filter = self.extraction_filter
+             if filter is None:
+-                warnings.warn(
+-                    'Python 3.14 will, by default, filter extracted tar '
+-                    + 'archives and reject files or modify their metadata. '
+-                    + 'Use the filter argument to control this behavior.',
+-                    DeprecationWarning)
++                name = os.environ.get('PYTHON_TARFILE_EXTRACTION_FILTER')
++                if name is None:
++                    try:
++                        file = bltn_open(_CONFIG_FILENAME)
++                    except FileNotFoundError:
++                        pass
++                    else:
++                        import configparser
++                        conf = configparser.ConfigParser(
++                            interpolation=None,
++                            comment_prefixes=('#', ),
++                        )
++                        with file:
++                            conf.read_file(file)
++                        name = conf.get('tarfile',
++                                        'PYTHON_TARFILE_EXTRACTION_FILTER',
++                                        fallback='')
++                if name:
++                    try:
++                        filter = _NAMED_FILTERS[name]
++                    except KeyError:
++                        raise ValueError(f"filter {filter!r} not found") from None
++                    self.extraction_filter = filter
++                    return filter
++                if _RH_SAFER_DEFAULT:
++                    warnings.warn(
++                        'The default behavior of tarfile extraction has been '
++                        + 'changed to disallow common exploits '
++                        + '(including CVE-2007-4559). '
++                        + 'By default, absolute/parent paths are disallowed '
++                        + 'and some mode bits are cleared. '
++                        + 'See https://access.redhat.com/articles/7004769 '
++                        + 'for more details.',
++                        RuntimeWarning)
++                    return tar_filter
+                 return fully_trusted_filter
+             if isinstance(filter, str):
+                 raise TypeError(
+diff --git a/Lib/test/test_shutil.py b/Lib/test/test_shutil.py
+index 5fd8fb4..501da8f 100644
+--- a/Lib/test/test_shutil.py
++++ b/Lib/test/test_shutil.py
+@@ -1950,7 +1950,7 @@ class TestArchives(BaseTest, unittest.TestCase):
+         self.check_unpack_archive(format, filter='fully_trusted')
+         self.check_unpack_archive(format, filter='data')
+         with warnings_helper.check_warnings(
+-                ('Python 3.14', DeprecationWarning)):
++                ('.*CVE-2007-4559', RuntimeWarning)):
+             self.check_unpack_archive(format)
+ 
+     def test_unpack_archive_tar(self):
+diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
+index c5fc76d..397e334 100644
+--- a/Lib/test/test_tarfile.py
++++ b/Lib/test/test_tarfile.py
+@@ -3097,8 +3097,8 @@ class NoneInfoExtractTests(ReadTest):
+         tar.errorlevel = 0
+         with ExitStack() as cm:
+             if cls.extraction_filter is None:
+-                cm.enter_context(warnings.catch_warnings(
+-                    action="ignore", category=DeprecationWarning))
++                cm.enter_context(warnings.catch_warnings())
++                warnings.simplefilter(action="ignore", category=RuntimeWarning)
+             tar.extractall(cls.control_dir, filter=cls.extraction_filter)
+         tar.close()
+         cls.control_paths = set(
+@@ -3919,7 +3919,7 @@ class TestExtractionFilters(unittest.TestCase):
+         with ArchiveMaker() as arc:
+             arc.add('foo')
+         with warnings_helper.check_warnings(
+-                ('Python 3.14', DeprecationWarning)):
++                ('.*CVE-2007-4559', RuntimeWarning)):
+             with self.check_context(arc.open(), None):
+                 self.expect_file('foo')
+ 
+@@ -4089,6 +4089,123 @@ class TestExtractionFilters(unittest.TestCase):
+             self.expect_exception(TypeError)  # errorlevel is not int
+ 
+ 
++    @contextmanager
++    def rh_config_context(self, config_lines=None):
++        """Set up for testing various ways of overriding the default filter
++
++        return a triple with:
++        - temporary directory
++        - EnvironmentVarGuard()
++        - a test archive for use with check_* methods below
++
++        If config_lines is given, write them to the config file. Otherwise
++        the config file is missing.
++        """
++        tempdir = pathlib.Path(TEMPDIR) / 'tmp'
++        configfile = tempdir / 'tarfile.cfg'
++        with ArchiveMaker() as arc:
++            arc.add('good')
++            arc.add('ugly', symlink_to='/etc/passwd')
++            arc.add('../bad')
++        with (
++                os_helper.temp_dir(tempdir),
++                support.swap_attr(tarfile, '_CONFIG_FILENAME', str(configfile)),
++                os_helper.EnvironmentVarGuard() as env,
++                arc.open() as tar,
++        ):
++            if config_lines is not None:
++                with configfile.open('w') as f:
++                    for line in config_lines:
++                        print(line, file=f)
++            yield tempdir, env, tar
++
++    def check_rh_default_behavior(self, tar, tempdir):
++        """Check RH default: warn and refuse to extract dangerous files."""
++        with (
++                warnings_helper.check_warnings(
++                    ('.*CVE-2007-4559', RuntimeWarning)),
++                self.assertRaises(tarfile.OutsideDestinationError),
++        ):
++            tar.extractall(tempdir / 'outdir')
++
++    def check_trusted_default(self, tar, tempdir):
++        """Check 'fully_trusted' is configured as the default filter."""
++        with (
++                warnings_helper.check_no_warnings(self),
++        ):
++            tar.extractall(tempdir / 'outdir')
++            self.assertTrue((tempdir / 'outdir/good').exists())
++            self.assertEqual((tempdir / 'outdir/ugly').readlink(),
++                             pathlib.Path('/etc/passwd'))
++            self.assertTrue((tempdir / 'bad').exists())
++
++    def test_rh_default_no_conf(self):
++        with self.rh_config_context() as (tempdir, env, tar):
++            self.check_rh_default_behavior(tar, tempdir)
++
++    def test_rh_default_from_file(self):
++        lines = ['[tarfile]', 'PYTHON_TARFILE_EXTRACTION_FILTER=fully_trusted']
++        with self.rh_config_context(lines) as (tempdir, env, tar):
++            self.check_trusted_default(tar, tempdir)
++
++    def test_rh_empty_config_file(self):
++        """Empty config file -> default behavior"""
++        lines = []
++        with self.rh_config_context(lines) as (tempdir, env, tar):
++            self.check_rh_default_behavior(tar, tempdir)
++
++    def test_empty_config_section(self):
++        """Empty section in config file -> default behavior"""
++        lines = ['[tarfile]']
++        with self.rh_config_context(lines) as (tempdir, env, tar):
++            self.check_rh_default_behavior(tar, tempdir)
++
++    def test_rh_default_empty_config_option(self):
++        """Empty option value in config file -> default behavior"""
++        lines = ['[tarfile]', 'PYTHON_TARFILE_EXTRACTION_FILTER=']
++        with self.rh_config_context(lines) as (tempdir, env, tar):
++            self.check_rh_default_behavior(tar, tempdir)
++
++    def test_bad_config_option(self):
++        """Bad option value in config file -> ValueError"""
++        lines = ['[tarfile]', 'PYTHON_TARFILE_EXTRACTION_FILTER=unknown!']
++        with self.rh_config_context(lines) as (tempdir, env, tar):
++            with self.assertRaises(ValueError):
++                tar.extractall(tempdir / 'outdir')
++
++    def test_default_from_envvar(self):
++        with self.rh_config_context() as (tempdir, env, tar):
++            env['PYTHON_TARFILE_EXTRACTION_FILTER'] = 'fully_trusted'
++            self.check_trusted_default(tar, tempdir)
++
++    def test_empty_envvar(self):
++        """Empty env variable -> default behavior"""
++        with self.rh_config_context() as (tempdir, env, tar):
++            env['PYTHON_TARFILE_EXTRACTION_FILTER'] = ''
++            self.check_rh_default_behavior(tar, tempdir)
++
++    def test_bad_envvar(self):
++        with self.rh_config_context() as (tempdir, env, tar):
++            env['PYTHON_TARFILE_EXTRACTION_FILTER'] = 'unknown!'
++            with self.assertRaises(ValueError):
++                tar.extractall(tempdir / 'outdir')
++
++    def test_envvar_overrides_file(self):
++        lines = ['[tarfile]', 'PYTHON_TARFILE_EXTRACTION_FILTER=data']
++        with self.rh_config_context(lines) as (tempdir, env, tar):
++            env['PYTHON_TARFILE_EXTRACTION_FILTER'] = 'fully_trusted'
++            self.check_trusted_default(tar, tempdir)
++
++    def test_monkeypatch_overrides_envvar(self):
++        with self.rh_config_context(None) as (tempdir, env, tar):
++            env['PYTHON_TARFILE_EXTRACTION_FILTER'] = 'data'
++            with support.swap_attr(
++                    tarfile.TarFile, 'extraction_filter',
++                    staticmethod(tarfile.fully_trusted_filter)
++            ):
++                self.check_trusted_default(tar, tempdir)
++
++
+ class OverwriteTests(archiver_tests.OverwriteTests, unittest.TestCase):
+     testdir = os.path.join(TEMPDIR, "testoverwrite")
+ 
+-- 
+2.43.0
+

00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch

@@ -72,7 +72,7 @@ index 345b64001c..d693a9bc39 100644
  .. function:: parsedate(date)
  
 diff --git a/Lib/email/utils.py b/Lib/email/utils.py
-index 81da5394ea..43c3627fca 100644
+index aa949aa933..af2fb14754 100644
 --- a/Lib/email/utils.py
 +++ b/Lib/email/utils.py
 @@ -48,6 +48,7 @@
@@ -81,7 +81,7 @@ index 81da5394ea..43c3627fca 100644
  
 +
  def _has_surrogates(s):
-     """Return True if s contains surrogate-escaped binary data."""
+     """Return True if s may contain surrogate-escaped binary data."""
      # This check is based on the fact that unless there are surrogates, utf8
 @@ -106,12 +107,127 @@ def formataddr(pair, charset='utf-8'):
      return address
@@ -255,7 +255,7 @@ index 81da5394ea..43c3627fca 100644
  
  
 diff --git a/Lib/test/test_email/test_email.py b/Lib/test/test_email/test_email.py
-index 2a237095b9..4672b790d8 100644
+index a373c53c7c..c616398eb1 100644
 --- a/Lib/test/test_email/test_email.py
 +++ b/Lib/test/test_email/test_email.py
 @@ -16,6 +16,7 @@
@@ -266,7 +266,7 @@ index 2a237095b9..4672b790d8 100644
  
  from email.charset import Charset
  from email.generator import Generator, DecodedGenerator, BytesGenerator
-@@ -3337,15 +3338,137 @@ def test_getaddresses_comma_in_name(self):
+@@ -3352,15 +3353,137 @@ def test_getaddresses_comma_in_name(self):
              ],
          )
  
@@ -412,7 +412,7 @@ index 2a237095b9..4672b790d8 100644
  
      def test_getaddresses_embedded_comment(self):
          """Test proper handling of a nested comment"""
-@@ -3536,6 +3659,54 @@ def test_mime_classes_policy_argument(self):
+@@ -3551,6 +3674,54 @@ def test_mime_classes_policy_argument(self):
                  m = cls(*constructor, policy=email.policy.default)
                  self.assertIs(m.policy, email.policy.default)
  

00422-fix-tests-for-xmlpullparser-with-expat-2-6-0.patch

@@ -0,0 +1,63 @@
+From 60d40d7095983e0bc23a103b2050adc519dc7fe3 Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Fri, 3 May 2024 14:17:48 +0200
+Subject: [PATCH] Expect failures in tests not working properly with expat with
+ a fixed CVE in RHEL
+
+---
+ Lib/test/test_pyexpat.py   | 1 +
+ Lib/test/test_sax.py       | 1 +
+ Lib/test/test_xml_etree.py | 3 +++
+ 3 files changed, 5 insertions(+)
+
+diff --git a/Lib/test/test_pyexpat.py b/Lib/test/test_pyexpat.py
+index 43cbd27..27b1502 100644
+--- a/Lib/test/test_pyexpat.py
++++ b/Lib/test/test_pyexpat.py
+@@ -793,6 +793,7 @@ class ReparseDeferralTest(unittest.TestCase):
+ 
+         self.assertEqual(started, ['doc'])
+ 
++    @unittest.expectedFailure
+     def test_reparse_deferral_disabled(self):
+         started = []
+ 
+diff --git a/Lib/test/test_sax.py b/Lib/test/test_sax.py
+index 9b3014a..646c92d 100644
+--- a/Lib/test/test_sax.py
++++ b/Lib/test/test_sax.py
+@@ -1240,6 +1240,7 @@ class ExpatReaderTest(XmlTestBase):
+ 
+         self.assertEqual(result.getvalue(), start + b"<doc></doc>")
+ 
++    @unittest.expectedFailure
+     def test_flush_reparse_deferral_disabled(self):
+         result = BytesIO()
+         xmlgen = XMLGenerator(result)
+diff --git a/Lib/test/test_xml_etree.py b/Lib/test/test_xml_etree.py
+index 9c382d1..62f2871 100644
+--- a/Lib/test/test_xml_etree.py
++++ b/Lib/test/test_xml_etree.py
+@@ -1424,9 +1424,11 @@ class XMLPullParserTest(unittest.TestCase):
+         self.assert_event_tags(parser, [('end', 'root')])
+         self.assertIsNone(parser.close())
+ 
++    @unittest.expectedFailure
+     def test_simple_xml_chunk_1(self):
+         self.test_simple_xml(chunk_size=1, flush=True)
+ 
++    @unittest.expectedFailure
+     def test_simple_xml_chunk_5(self):
+         self.test_simple_xml(chunk_size=5, flush=True)
+ 
+@@ -1651,6 +1653,7 @@ class XMLPullParserTest(unittest.TestCase):
+ 
+         self.assert_event_tags(parser, [('end', 'doc')])
+ 
++    @unittest.expectedFailure
+     def test_flush_reparse_deferral_disabled(self):
+         parser = ET.XMLPullParser(events=('start', 'end'))
+ 
+-- 
+2.44.0
+

00425-only-check-for-test-wheeldata-when-it-s-actually-used.patch

@@ -0,0 +1,28 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Karolina Surma <ksurma@redhat.com>
+Date: Wed, 10 Apr 2024 15:35:04 +0200
+Subject: [PATCH] 00425: Only check for 'test/wheeldata' when it's actually
+ used
+
+We build Python in Fedora 39+ with option `--with-wheel-pkg-dir`
+pointing to a custom wheel directory and delete the contents of
+upstream's `test/wheeldata`. Don't include the directory in the test set
+if the wheels are used from a different location.
+---
+ Lib/test/test_tools/test_makefile.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/Lib/test/test_tools/test_makefile.py b/Lib/test/test_tools/test_makefile.py
+index 17a1a6d0d3..9ce874033d 100644
+--- a/Lib/test/test_tools/test_makefile.py
++++ b/Lib/test/test_tools/test_makefile.py
+@@ -66,6 +66,9 @@ def test_makefile_test_folders(self):
+                 )
+                 used.append(relpath)
+ 
++        if sysconfig.get_config_var('WHEEL_PKG_DIR'):
++            test_dirs.remove('test/wheeldata')
++
+         # Check that there are no extra entries:
+         unique_test_dirs = set(test_dirs)
+         self.assertSetEqual(unique_test_dirs, set(used))

python3.12.spec

@@ -16,12 +16,12 @@ URL: https://www.python.org/
 
 #  WARNING  When rebasing to a new Python version,
 #           remember to update the python3-docs package as well
-%global general_version %{pybasever}.1
+%global general_version %{pybasever}.3
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 3%{?dist}
-License: Python
+Release: 1%{?dist}
+License: Python-2.0.1
 
 
 # ==================================
@@ -66,18 +66,18 @@ License: Python
 # If the rpmwheels condition is disabled, we use the bundled wheel packages
 # from Python with the versions below.
 # This needs to be manually updated when we update Python.
-%global pip_version 23.2.1
+%global pip_version 24.0
 %global setuptools_version 67.6.1
 %global wheel_version 0.40.0
 # All of those also include a list of indirect bundled libs:
 # pip
 #  $ %%{_rpmconfigdir}/pythonbundles.py <(unzip -p Lib/ensurepip/_bundled/pip-*.whl pip/_vendor/vendor.txt)
 %global pip_bundled_provides %{expand:
-Provides: bundled(python3dist(cachecontrol)) = 0.12.11
-Provides: bundled(python3dist(certifi)) = 2023.5.7
+Provides: bundled(python3dist(cachecontrol)) = 0.13.1
+Provides: bundled(python3dist(certifi)) = 2023.7.22
 Provides: bundled(python3dist(chardet)) = 5.1
 Provides: bundled(python3dist(colorama)) = 0.4.6
-Provides: bundled(python3dist(distlib)) = 0.3.6
+Provides: bundled(python3dist(distlib)) = 0.3.8
 Provides: bundled(python3dist(distro)) = 1.8
 Provides: bundled(python3dist(idna)) = 3.4
 Provides: bundled(python3dist(msgpack)) = 1.0.5
@@ -93,8 +93,9 @@ Provides: bundled(python3dist(setuptools)) = 68
 Provides: bundled(python3dist(six)) = 1.16
 Provides: bundled(python3dist(tenacity)) = 8.2.2
 Provides: bundled(python3dist(tomli)) = 2.0.1
+Provides: bundled(python3dist(truststore)) = 0.8
 Provides: bundled(python3dist(typing-extensions)) = 4.7.1
-Provides: bundled(python3dist(urllib3)) = 1.26.16
+Provides: bundled(python3dist(urllib3)) = 1.26.17
 Provides: bundled(python3dist(webencodings)) = 0.5.1
 }
 # setuptools
@@ -116,7 +117,7 @@ Provides: bundled(python3dist(typing-extensions)) = 4.4
 Provides: bundled(python3dist(zipp)) = 3.7
 }
 # wheel
-#  $ %%{_rpmconfigdir}/pythonbundles.py <(unzip -p Lib/test/wheel-*.whl wheel/vendored/vendor.txt)
+#  $ %%{_rpmconfigdir}/pythonbundles.py <(unzip -p Lib/test/wheeldata/wheel-*.whl wheel/vendored/vendor.txt)
 %global wheel_bundled_provides %{expand:
 Provides: bundled(python3dist(packaging)) = 23
 }
@@ -370,6 +371,12 @@ Patch329: 00329-fips.patch
 # https://github.com/GrahamDumpleton/mod_wsgi/issues/730
 Patch371: 00371-revert-bpo-1596321-fix-threading-_shutdown-for-the-main-thread-gh-28549-gh-28589.patch
 
+# 00397 #
+# Red Hat configuration for tarfile extraction (CVE-2007-4559, PEP-706)
+# see KB for documentation:
+# - https://access.redhat.com/articles/7004769
+Patch397: 00397-tarfile-filter.patch
+
 # 00415 # 83e0fc3ec7bc38055c536f482578a10f6efcc08c
 # [CVE-2023-27043] gh-102988: Reject malformed addresses in email.parseaddr() (#111116)
 #
@@ -379,6 +386,22 @@ Patch371: 00371-revert-bpo-1596321-fix-threading-_shutdown-for-the-main-thread-g
 # Thomas Dwyer.
 Patch415: 00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch
 
+# 00422 # a353cebef737c41420dc7ae2469dd657371b8881
+# Fix tests for XMLPullParser with Expat 2.6.0
+#
+# Feeding the parser by too small chunks defers parsing to prevent
+# CVE-2023-52425. Future versions of Expat may be more reactive.
+Patch422: 00422-fix-tests-for-xmlpullparser-with-expat-2-6-0.patch
+
+# 00425 # a563ac3076a00f0f48b3f94ff63d91d37cb4f1e9
+# Only check for 'test/wheeldata' when it's actually used
+#
+# We build Python in Fedora 39+ with option `--with-wheel-pkg-dir`
+# pointing to a custom wheel directory and delete the contents of
+# upstream's `test/wheeldata`. Don't include the directory in the test set
+# if the wheels are used from a different location.
+Patch425: 00425-only-check-for-test-wheeldata-when-it-s-actually-used.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@@ -704,13 +727,13 @@ The debug runtime additionally supports debug builds of C-API extensions
 # setuptools.whl does not contain the vendored.txt files
 if [ -f %{_rpmconfigdir}/pythonbundles.py ]; then
   %{_rpmconfigdir}/pythonbundles.py <(unzip -p Lib/ensurepip/_bundled/pip-*.whl pip/_vendor/vendor.txt) --compare-with '%pip_bundled_provides'
-  %{_rpmconfigdir}/pythonbundles.py <(unzip -p Lib/test/wheel-*.whl wheel/vendored/vendor.txt) --compare-with '%wheel_bundled_provides'
+  %{_rpmconfigdir}/pythonbundles.py <(unzip -p Lib/test/wheeldata/wheel-*.whl wheel/vendored/vendor.txt) --compare-with '%wheel_bundled_provides'
 fi
 
 %if %{with rpmwheels}
 rm Lib/ensurepip/_bundled/pip-%{pip_version}-py3-none-any.whl
-rm Lib/test/setuptools-%{setuptools_version}-py3-none-any.whl
-rm Lib/test/wheel-%{wheel_version}-py3-none-any.whl
+rm Lib/test/wheeldata/setuptools-%{setuptools_version}-py3-none-any.whl
+rm Lib/test/wheeldata/wheel-%{wheel_version}-py3-none-any.whl
 %endif
 
 # Remove all exe files to ensure we are not shipping prebuilt binaries
@@ -1336,10 +1359,6 @@ CheckPython optimized
 %{dynload_dir}/termios.%{SOABI_optimized}.so
 %{dynload_dir}/unicodedata.%{SOABI_optimized}.so
 %{dynload_dir}/_uuid.%{SOABI_optimized}.so
-%{dynload_dir}/xxlimited.%{SOABI_optimized}.so
-%{dynload_dir}/xxlimited_35.%{SOABI_optimized}.so
-%{dynload_dir}/_xxsubinterpreters.%{SOABI_optimized}.so
-%{dynload_dir}/xxsubtype.%{SOABI_optimized}.so
 %{dynload_dir}/zlib.%{SOABI_optimized}.so
 %{dynload_dir}/_zoneinfo.%{SOABI_optimized}.so
 
@@ -1440,12 +1459,6 @@ CheckPython optimized
 
 %{pylibdir}/zoneinfo
 
-%dir %{pylibdir}/__phello__/
-%dir %{pylibdir}/__phello__/__pycache__/
-%{pylibdir}/__phello__/__init__.py
-%{pylibdir}/__phello__/spam.py
-%{pylibdir}/__phello__/__pycache__/*%{bytecode_suffixes}
-
 %if "%{_lib}" == "lib64"
 %attr(0755,root,root) %dir %{_prefix}/lib/python%{pybasever}
 %attr(0755,root,root) %dir %{_prefix}/lib/python%{pybasever}/site-packages
@@ -1540,7 +1553,17 @@ CheckPython optimized
 %{dynload_dir}/_testmultiphase.%{SOABI_optimized}.so
 %{dynload_dir}/_testsinglephase.%{SOABI_optimized}.so
 %{dynload_dir}/_xxinterpchannels.%{SOABI_optimized}.so
+%{dynload_dir}/_xxsubinterpreters.%{SOABI_optimized}.so
 %{dynload_dir}/_xxtestfuzz.%{SOABI_optimized}.so
+%{dynload_dir}/xxlimited.%{SOABI_optimized}.so
+%{dynload_dir}/xxlimited_35.%{SOABI_optimized}.so
+%{dynload_dir}/xxsubtype.%{SOABI_optimized}.so
+
+%dir %{pylibdir}/__phello__/
+%dir %{pylibdir}/__phello__/__pycache__/
+%{pylibdir}/__phello__/__init__.py
+%{pylibdir}/__phello__/spam.py
+%{pylibdir}/__phello__/__pycache__/*%{bytecode_suffixes}
 
 # We don't bother splitting the debug build out into further subpackages:
 # if you need it, you're probably a developer.
@@ -1622,10 +1645,6 @@ CheckPython optimized
 %{dynload_dir}/termios.%{SOABI_debug}.so
 %{dynload_dir}/unicodedata.%{SOABI_debug}.so
 %{dynload_dir}/_uuid.%{SOABI_debug}.so
-%{dynload_dir}/xxlimited.%{SOABI_debug}.so
-%{dynload_dir}/xxlimited_35.%{SOABI_debug}.so
-%{dynload_dir}/_xxsubinterpreters.%{SOABI_debug}.so
-%{dynload_dir}/xxsubtype.%{SOABI_debug}.so
 %{dynload_dir}/zlib.%{SOABI_debug}.so
 %{dynload_dir}/_zoneinfo.%{SOABI_debug}.so
 
@@ -1662,7 +1681,11 @@ CheckPython optimized
 %{dynload_dir}/_testmultiphase.%{SOABI_debug}.so
 %{dynload_dir}/_testsinglephase.%{SOABI_debug}.so
 %{dynload_dir}/_xxinterpchannels.%{SOABI_debug}.so
+%{dynload_dir}/_xxsubinterpreters.%{SOABI_debug}.so
 %{dynload_dir}/_xxtestfuzz.%{SOABI_debug}.so
+%{dynload_dir}/xxlimited.%{SOABI_debug}.so
+%{dynload_dir}/xxlimited_35.%{SOABI_debug}.so
+%{dynload_dir}/xxsubtype.%{SOABI_debug}.so
 
 %{pylibdir}/_sysconfigdata_%{ABIFLAGS_debug}_linux_%{platform_triplet}.py
 %{pylibdir}/__pycache__/_sysconfigdata_%{ABIFLAGS_debug}_linux_%{platform_triplet}%{bytecode_suffixes}
@@ -1690,6 +1713,28 @@ CheckPython optimized
 # ======================================================
 
 %changelog
+* Fri May 03 2024 Lumír Balhar <lbalhar@redhat.com> - 3.12.3-1
+- Update to 3.12.3
+Related: RHEL-33690
+
+* Fri May 03 2024 Lumír Balhar <lbalhar@redhat.com> - 3.12.2-3
+- Move all test modules to the python3-test package, namely:
+   - __phello__
+   - _xxsubinterpreters
+   - xxlimited
+   - xxlimited_35
+   - xxsubtype
+
+* Fri May 03 2024 Lumír Balhar <lbalhar@redhat.com> - 3.12.2-2
+- Fix tests for XMLPullParser with Expat with fixed CVE
+
+* Fri May 03 2024 Lumír Balhar <lbalhar@redhat.com> - 3.12.2-1
+- Update to 3.12.2
+Resolves: RHEL-33690
+
+* Mon Feb 19 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.12.1-4
+- Add Red Hat configuration for CVE-2007-4559
+
 * Thu Jan 18 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.12.1-3
 - Support OpenSSL FIPS mode
 - Disable the builtin hashlib hashes except blake2

sources

@@ -1,2 +1,2 @@
-SHA512 (Python-3.12.1.tar.xz) = 44cf06b89ade692d87ca3105d8e3de5c7ce3f5fb318690fff513cf56f909ff5e0d0f6a0b22ae270b12e1fe3051b1bde3ec786506ec87c810b1d02e92e45dff07
-SHA512 (Python-3.12.1.tar.xz.asc) = 1c85237b5921fbf940ded4e038d99c8d02682fcb357b5de761eb5bebf94142b308a11654fc6312129663727e2ce1f546fbb5a5a3747d7dc02fc7dced9cb968fd
+SHA512 (Python-3.12.3.tar.xz) = 4a2213b108e7f1f1525baa8348e68b2a2336d925e60d0a59f0225fc470768a2c8031edafc0b8243f94dbae18afda335ee5adf2785328c2218fd64cbb439f13a4
+SHA512 (Python-3.12.3.tar.xz.asc) = c291ec5b5e4f8deba867cc517624dd9a174745f04061ef737e58f3d52b9b30318264aec350e339fe88ccb493809ca1a90a378e86d86b8ec4a4f578b1a5843624