.gitignore

@@ -1 +1,3 @@
-SOURCES/Python-3.9.25.tar.xz
+/*.tar.*
+/*.src.rpm
+/results_python3*

.python3.9.metadata

@@ -1 +0,0 @@
-36c7257ec30dca042679626d0dff79715acd4efb SOURCES/Python-3.9.25.tar.xz

00478-cve-2026-4519.patch

@@ -0,0 +1,123 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: tomcruiseqi <tom33qi@gmail.com>
+Date: Wed, 25 Mar 2026 02:23:45 +0800
+Subject: 00478: CVE-2026-4519
+
+Reject leading dashes in webbrowser URLs (GH-143931) (GH-146359)
+
+Cherry-picked from Python 3.10: ad4d5ba32af4d80b0dfa2ba9d8203bfb219e60a5
+
+(cherry picked from commit 82a24a4442312bdcfc4c799885e8b3e00990f02b)
+
+Co-authored-by: Seth Michael Larson <seth@python.org>
+---
+ Lib/test/test_webbrowser.py                        |  5 +++++
+ Lib/webbrowser.py                                  | 14 ++++++++++++++
+ .../2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst |  1 +
+ 3 files changed, 20 insertions(+)
+ create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
+
+diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py
+index 519a9432ab..f8e9234db8 100644
+--- a/Lib/test/test_webbrowser.py
++++ b/Lib/test/test_webbrowser.py
+@@ -55,6 +55,11 @@ class GenericBrowserCommandTest(CommandTestMixin, unittest.TestCase):
+                    options=[],
+                    arguments=[URL])
+ 
++    def test_reject_dash_prefixes(self):
++        browser = self.browser_class(name=CMD_NAME)
++        with self.assertRaises(ValueError):
++            browser.open(f"--key=val {URL}")
++
+ 
+ class BackgroundBrowserCommandTest(CommandTestMixin, unittest.TestCase):
+ 
+diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py
+index 6023c1e138..f5349dbce5 100755
+--- a/Lib/webbrowser.py
++++ b/Lib/webbrowser.py
+@@ -154,6 +154,12 @@ class BaseBrowser(object):
+     def open_new_tab(self, url):
+         return self.open(url, 2)
+ 
++    @staticmethod
++    def _check_url(url):
++        """Ensures that the URL is safe to pass to subprocesses as a parameter"""
++        if url and url.lstrip().startswith("-"):
++            raise ValueError(f"Invalid URL: {url}")
++
+ 
+ class GenericBrowser(BaseBrowser):
+     """Class for all browsers started with a command
+@@ -171,6 +177,7 @@ class GenericBrowser(BaseBrowser):
+ 
+     def open(self, url, new=0, autoraise=True):
+         sys.audit("webbrowser.open", url)
++        self._check_url(url)
+         cmdline = [self.name] + [arg.replace("%s", url)
+                                  for arg in self.args]
+         try:
+@@ -191,6 +198,7 @@ class BackgroundBrowser(GenericBrowser):
+         cmdline = [self.name] + [arg.replace("%s", url)
+                                  for arg in self.args]
+         sys.audit("webbrowser.open", url)
++        self._check_url(url)
+         try:
+             if sys.platform[:3] == 'win':
+                 p = subprocess.Popen(cmdline)
+@@ -256,6 +264,7 @@ class UnixBrowser(BaseBrowser):
+ 
+     def open(self, url, new=0, autoraise=True):
+         sys.audit("webbrowser.open", url)
++        self._check_url(url)
+         if new == 0:
+             action = self.remote_action
+         elif new == 1:
+@@ -357,6 +366,7 @@ class Konqueror(BaseBrowser):
+ 
+     def open(self, url, new=0, autoraise=True):
+         sys.audit("webbrowser.open", url)
++        self._check_url(url)
+         # XXX Currently I know no way to prevent KFM from opening a new win.
+         if new == 2:
+             action = "newTab"
+@@ -441,6 +451,7 @@ class Grail(BaseBrowser):
+ 
+     def open(self, url, new=0, autoraise=True):
+         sys.audit("webbrowser.open", url)
++        self._check_url(url)
+         if new:
+             ok = self._remote("LOADNEW " + url)
+         else:
+@@ -599,6 +610,7 @@ if sys.platform[:3] == "win":
+     class WindowsDefault(BaseBrowser):
+         def open(self, url, new=0, autoraise=True):
+             sys.audit("webbrowser.open", url)
++            self._check_url(url)
+             try:
+                 os.startfile(url)
+             except OSError:
+@@ -629,6 +641,7 @@ if sys.platform == 'darwin':
+ 
+         def open(self, url, new=0, autoraise=True):
+             sys.audit("webbrowser.open", url)
++            self._check_url(url)
+             assert "'" not in url
+             # hack for local urls
+             if not ':' in url:
+@@ -666,6 +679,7 @@ if sys.platform == 'darwin':
+             self._name = name
+ 
+         def open(self, url, new=0, autoraise=True):
++            self._check_url(url)
+             if self._name == 'default':
+                 script = 'open location "%s"' % url.replace('"', '%22') # opens in default browser
+             else:
+diff --git a/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
+new file mode 100644
+index 0000000000..0f27eae99a
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
+@@ -0,0 +1 @@
++Reject leading dashes in URLs passed to :func:`webbrowser.open`

00480-cve-2026-4786.patch

@@ -0,0 +1,63 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Stan Ulbrych <stan@python.org>
+Date: Mon, 13 Apr 2026 22:41:53 +0100
+Subject: 00480: CVE-2026-4786
+
+Fix webbrowser `%action` substitution bypass of dash-prefix check
+---
+ Lib/test/test_webbrowser.py                               | 8 ++++++++
+ Lib/webbrowser.py                                         | 5 +++--
+ .../2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst        | 2 ++
+ 3 files changed, 13 insertions(+), 2 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst
+
+diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py
+index f8e9234db8..9156ceec60 100644
+--- a/Lib/test/test_webbrowser.py
++++ b/Lib/test/test_webbrowser.py
+@@ -95,6 +95,14 @@ class ChromeCommandTest(CommandTestMixin, unittest.TestCase):
+                    options=[],
+                    arguments=[URL])
+ 
++    def test_reject_action_dash_prefixes(self):
++        browser = self.browser_class(name=CMD_NAME)
++        with self.assertRaises(ValueError):
++            browser.open('%action--incognito')
++        # new=1: action is "--new-window", so "%action" itself expands to
++        # a dash-prefixed flag even with no dash in the original URL.
++        with self.assertRaises(ValueError):
++            browser.open('%action', new=1)
+ 
+ class MozillaCommandTest(CommandTestMixin, unittest.TestCase):
+ 
+diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py
+index f5349dbce5..43ccddf330 100755
+--- a/Lib/webbrowser.py
++++ b/Lib/webbrowser.py
+@@ -264,7 +264,6 @@ class UnixBrowser(BaseBrowser):
+ 
+     def open(self, url, new=0, autoraise=True):
+         sys.audit("webbrowser.open", url)
+-        self._check_url(url)
+         if new == 0:
+             action = self.remote_action
+         elif new == 1:
+@@ -278,7 +277,9 @@ class UnixBrowser(BaseBrowser):
+             raise Error("Bad 'new' parameter to open(); " +
+                         "expected 0, 1, or 2, got %s" % new)
+ 
+-        args = [arg.replace("%s", url).replace("%action", action)
++        self._check_url(url.replace("%action", action))
++
++        args = [arg.replace("%action", action).replace("%s", url)
+                 for arg in self.remote_args]
+         args = [arg for arg in args if arg]
+         success = self._invoke(args, True, autoraise, url)
+diff --git a/Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst b/Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst
+new file mode 100644
+index 0000000000..45cdeebe1b
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst
+@@ -0,0 +1,2 @@
++A bypass in :mod:`webbrowser` allowed URLs prefixed with ``%action`` to pass
++the dash-prefix safety check.

00482-cve-2026-6100.patch

@@ -0,0 +1,48 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Stan Ulbrych <stan@python.org>
+Date: Mon, 13 Apr 2026 22:42:24 +0100
+Subject: 00482: CVE-2026-6100
+
+Fix a possible UAF in {LZMA,BZ2,_Zlib}Decompressor
+---
+ .../Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst  | 5 +++++
+ Modules/_bz2module.c                                         | 1 +
+ Modules/_lzmamodule.c                                        | 1 +
+ 3 files changed, 7 insertions(+)
+ create mode 100644 Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst
+
+diff --git a/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst b/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst
+new file mode 100644
+index 0000000000..b095329bd9
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst
+@@ -0,0 +1,5 @@
++Fix a dangling input pointer in :class:`lzma.LZMADecompressor`,
++:class:`bz2.BZ2Decompressor`
++when memory allocation fails with :exc:`MemoryError`, which could let a
++subsequent :meth:`!decompress` call read or write through a stale pointer to
++the already-released caller buffer.
+diff --git a/Modules/_bz2module.c b/Modules/_bz2module.c
+index 880632c623..9b17341e49 100644
+--- a/Modules/_bz2module.c
++++ b/Modules/_bz2module.c
+@@ -559,6 +559,7 @@ decompress(BZ2Decompressor *d, char *data, size_t len, Py_ssize_t max_length)
+     return result;
+ 
+ error:
++    bzs->next_in = NULL;
+     Py_XDECREF(result);
+     return NULL;
+ }
+diff --git a/Modules/_lzmamodule.c b/Modules/_lzmamodule.c
+index 2a62a68356..dde81238ef 100644
+--- a/Modules/_lzmamodule.c
++++ b/Modules/_lzmamodule.c
+@@ -1039,6 +1039,7 @@ decompress(Decompressor *d, uint8_t *data, size_t len, Py_ssize_t max_length)
+     return result;
+ 
+ error:
++    lzs->next_in = NULL;
+     Py_XDECREF(result);
+     return NULL;
+ }

SOURCES/Python-3.9.25.tar.xz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmkFBpsACgkQsmmV4xAl
-BWgwbw//Tx78tZg3/tJ47YDzDCf68XurBPbdgSfmmGTRrveMt6nQbV+c7XKS5MKK
-6hP0jt4W8tP6zC/zRPTexqYwetTaM7+ZKuxzwXABXzi+rfmL/L6BtQQpzwK+vesE
-hSSkjl4R2FF3YBrTBNqG0ewf5j4Y41yc4V9UHJWXbmQt6sg/nF+lDvG3K3wzP6zV
-rs6LsayeO3AXhi7+c0q7d2oYTFhv/RPOGl6/fLy5j1bxNNE1i2yeIfcR9BqjqB9y
-Ue1Tea8RGjh3dSq06/8ubpcqf+tlE4cCDkLERqDWSafZnNA5X4eymAQP9urUoH2n
-78X8DXkGbKqyJ+3w97S6zqVnZvL2jSOog8R+yvT5snqzJDp+UK0lcbowPILsOGm4
-BE54dQTG5bT+1bUicvQZIbP4vOswZufl8LGmodkW06edSEcylwO8bHWNcY/gC5HO
-WcTbqTFyV+FtwAJxsfgkqKcI6xUyYHqeMhqCUvkpHFFMjsinVOBFVbow8fgiJGUV
-GIo3kMNPZPirqgl9bhc3F7qvdgVDQsCqnKJ8B1WegdIlKWxXBj3qQB0U4Qbecpdt
-2AhVQAmcOu4LzJYtatDp/0tw6KMr8nWGdofrLVJgzQuu6MmhGW+2cJ0e+wUAxw6v
-OBjQ0o42ylQKeS8VGP4yFbYv1umeeWHje26z9az3uOVUFaAoptk=
-=5qMt
------END PGP SIGNATURE-----

gating.yaml

@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}

python3.9.rpmlintrc

@@ -0,0 +1,90 @@
+# KNOWN BUGS:
+# https://bugzilla.redhat.com/show_bug.cgi?id=1489816
+addFilter(r'crypto-policy-non-compliance-openssl')
+
+
+# TESTS:
+addFilter(r'(zero-length|pem-certificate|uncompressed-zip) /usr/lib(64)?/python3\.\d+/test')
+
+
+# OTHER DELIBERATES:
+# chroot function
+addFilter(r'missing-call-to-chdir-with-chroot')
+
+# intentionally unversioned and selfobsoleted
+addFilter(r'unversioned-explicit-obsoletes python')
+addFilter(r'self-obsoletion python3\.\d+ obsoletes python3\.\d+')
+
+# intentionally hardcoded
+addFilter(r'hardcoded-library-path in %{_prefix}/lib/(debug/%{_libdir}|python%{pybasever})')
+
+# intentional for our pythonXY package
+addFilter(r'python3\.\d+\.[^:]+: (E|W): devel-file-in-non-devel-package')
+
+# we have non binary stuff, python files
+addFilter(r'only-non-binary-in-usr-lib')
+
+# some devel files that are deliberately needed
+addFilter(r'devel-file-in-non-devel-package /usr/include/python3\.\d+m?/pyconfig-(32|64)\.h')
+addFilter(r'devel-file-in-non-devel-package /usr/lib(64)?/python3\.\d+/distutils/tests/xxmodule\.c')
+
+# some bytecode is shipped without sources on purpose, as a space optimization
+# if this regex needs to be relaxed in the future, make sure it **does not** match pyc files in __pycache__
+addFilter(r'python-bytecode-without-source /usr/lib(64)?/python3\.\d+/(encodings|pydoc_data)/[^/]+.pyc')
+
+# SORRY, NOT SORRY:
+# manual pages
+addFilter(r'no-manual-page-for-binary (idle|pydoc|pyvenv|2to3|python3?-debug|pathfix|msgfmt|pygettext)')
+addFilter(r'no-manual-page-for-binary python3?.*-config$')
+addFilter(r'no-manual-page-for-binary python3\.\d+dm?$')
+
+# missing documentation from subpackages
+addFilter(r'^python3(\.\d+)?-(debug|tkinter|test|idle)\.[^:]+: (E|W): no-documentation')
+
+# platform python is obsoleted, but not provided
+addFilter(r'obsolete-not-provided platform-python')
+
+
+# RPMLINT IMPERFECTIONS
+# https://github.com/rpm-software-management/rpmlint/issues/123
+addFilter(r'python-bytecode-wrong-magic-value .* expected 33\d\d \(3\.7\), found 3393')
+# https://github.com/rpm-software-management/rpmlint/pull/133
+addFilter(r'python-bytecode-wrong-magic-value .* expected 33\d\d \(3\.7\), found 3394')
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=1550562
+# https://github.com/rpm-software-management/rpmlint/issues/128
+addFilter(r'python-bytecode-inconsistent-mtime .* 1970')
+
+# we provide python(abi) manually to be sure. createrepo will merge this with the automatic
+addFilter(r'python3(\.\d+)?\.[^:-]+: (E|W): useless-provides python\(abi\)')
+
+# debugsource
+addFilter(r'^python3(\.\d+)?-debugsource\.[^:]+: (E|W): no-documentation')
+
+# debuginfo
+addFilter(r'^python3(\.\d+)?-debuginfo\.[^:]+: (E|W): useless-provides debuginfo\(build-id\)')
+
+# this is OK for F28+
+addFilter(r'library-without-ldconfig-post')
+
+# debug package contains devel and non-devel files
+addFilter(r'python3(\.\d+)?-debug\.[^:]+: (E|W): (non-)?devel-file-in-(non-)?devel-package')
+
+# this goes to other subpackage, hence not actually dangling, the read error is bogus
+addFilter(r'dangling-relative-symlink /usr/lib(64)?/pkgconfig/python-3\.\d+dm?(-embed)?\.pc python-3\.\d+(-embed)?\.pc')
+addFilter(r'read-error /usr/lib(64)?/pkgconfig/python-3\.\d+dm?(-embed)?\.pc \[Errno 2\]')
+
+# the python-unversioned-command package contains dangling symlinks by design
+addFilter(r'^python-unversioned-command\.[^:]+: (E|W): dangling-relative-symlink '
+          r'(/usr/bin/python \./python3|/usr/share/man/man1/python\.1\S* ./python3\.1\S*)$')
+
+# we need this macro to evaluate, even if the line starts with #
+addFilter(r'macro-in-comment %\{_pyconfig(32|64)_h\}')
+
+# Python modules don't need to be linked against libc
+# Since 3.8 they are no longer linked against libpython3.8.so.1.0
+addFilter(r'E: library-not-linked-against-libc /usr/lib(64)?/python3\.\d+/lib-dynload/')
+addFilter(r'E: shared-lib-without-dependency-information /usr/lib(64)?/python3\.\d+/lib-dynload/')
+
+# SPELLING ERRORS
+addFilter(r'spelling-error .* en_US (bytecode|pyc|filename|tkinter|namespaces|pytest) ')

python3.9.spec

@@ -17,7 +17,7 @@ URL: https://www.python.org/
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 5%{?dist}
+Release: 7%{?dist}
 License: Python
 
 
@@ -476,6 +476,26 @@ Patch475: 00475-cve-2025-15367.patch
 # gh-144125: email: verify headers are sound in BytesGenerator
 Patch476: 00476-cve-2026-1299.patch
 
+# 00478 # 88bb1e37c971fd1d6bda82a68b5ad873ed099f08
+# CVE-2026-4519
+#
+# Reject leading dashes in webbrowser URLs (GH-143931) (GH-146359)
+#
+# Cherry-picked from Python 3.10: ad4d5ba32af4d80b0dfa2ba9d8203bfb219e60a5
+Patch478: 00478-cve-2026-4519.patch
+
+# 00480 # 9f4b1483ecfbc8c08117133c239fba544fcb42e7
+# CVE-2026-4786
+#
+# Fix webbrowser `%%action` substitution bypass of dash-prefix check
+Patch480: 00480-cve-2026-4786.patch
+
+# 00482 # 51e25e8a804257b707e2021655037d07dcfa9cd6
+# CVE-2026-6100
+#
+# Fix a possible UAF in {LZMA,BZ2,_Zlib}Decompressor
+Patch482: 00482-cve-2026-6100.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@@ -1887,6 +1907,14 @@ CheckPython optimized
 # ======================================================
 
 %changelog
+* Fri Apr 17 2026 Charalampos Stratakis <cstratak@redhat.com> - 3.9.25-7
+- Security fixes for CVE-2026-4786 and CVE-2026-6100
+Resolves: RHEL-167919, RHEL-168161
+
+* Thu Mar 26 2026 Lumír Balhar <lbalhar@redhat.com> - 3.9.25-6
+- Security fix for CVE-2026-4519
+Resolves: RHEL-158117
+
 * Mon Mar 09 2026 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.9.25-5
 - Rebuilding previous fixes for different build target
 Related: RHEL-143117, RHEL-143174, RHEL-144897

rpminspect.yaml

@@ -0,0 +1,32 @@
+# exclude test XML data (not always valid) from XML validity check:
+xml:
+    ignore:
+        - /usr/lib*/python*/test/xmltestdata/*
+        - /usr/lib*/python*/test/xmltestdata/*/*
+
+# exclude _socket from ipv4 only functions check, it has both ipv4 and ipv6 only
+badfuncs:
+    ignore:
+        - /usr/lib*/python*/lib-dynload/_socket.*
+
+# don't report changed content of compiled files
+# that is expected with every toolchain update and not reproducible yet
+changedfiles:
+    # note that this is a posix regex, so no \d
+    exclude_path: (\.so(\.[0-9]+(\.[0-9]+)?)?$|^/usr/bin/python[0-9]+\.[0-9]+d?m?$)
+
+# files change size all the time, we don't need to VERIFY it
+# however, the INFO is useful, so we don't disable the check entirely
+filesize:
+    # artificially large number, TODO a better way
+    size_threshold: 100000
+
+debuginfo:
+    ignore:
+        # libpython3.so doesn't contain compiled code
+        - /usr/lib/debug/usr/lib*/libpython3.so*debug
+
+# completely disabled inspections:
+inspections:
+    # we know about our patches, no need to report anything
+    patches: off

sources

@@ -0,0 +1,2 @@
+SHA512 (Python-3.9.25.tar.xz) = 33fd65952cc3ce5df83825aa32a103935815bdd5a016e5fd9896cafb068a3f89b3a6134458a2694e4f0f4f8a9fbe84739b53116264728b32cde0f03ab210cb19
+SHA512 (Python-3.9.25.tar.xz.asc) = 83f0a0e558aa89a106bdffeeb9b0fa2685fbd7be5c5954f9176c59c6c7023716207b07239f202b3508cbb98ca34572161955f0bfd3732fdb9265721cd6723dbe

tests/.fmf/version

@@ -0,0 +1 @@
+1

tests/provision.fmf

@@ -0,0 +1,4 @@
+---
+standard-inventory-qcow2:
+  qemu:
+    m: 3G  # Amount of VM memory

tests/tests.yml

@@ -0,0 +1,59 @@
+---
+- hosts: localhost
+  tags:
+    - classic
+  tasks:
+    - dnf:
+        name: "*"
+        state: latest
+    - dnf:
+        name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm"
+        state: installed
+    - dnf:
+        name: "https://dl.fedoraproject.org/pub/epel/epel-next-release-latest-9.noarch.rpm"
+        state: installed
+
+- hosts: localhost
+  roles:
+  - role: standard-test-basic
+    tags:
+    - classic
+    repositories:
+    - repo: "https://gitlab.com/redhat/centos-stream/tests/python.git"
+      dest: "python"
+    tests:
+    - smoke:
+        dir: python/smoke
+        run: VERSION=3.9 ./venv.sh
+    - debugsmoke:
+        dir: python/smoke
+        run: PYTHON=python3-debug TOX=false VERSION=3.9 ./venv.sh
+    - selftest:
+        dir: python/selftest
+        run: VERSION=3.9 X="-x test_wsgiref" ./parallel.sh
+    - debugtest:
+        dir: python/selftest
+        run: VERSION=3.9 PYTHON=python3-debug X="-x test_wsgiref" ./parallel.sh
+    - optimizedflags_self:
+        dir: python/flags
+        run: python3 ./assertflags.py -O3 PY_BUILTIN_MODULE_CFLAGS PY_CFLAGS_NODIST PY_CORE_CFLAGS PY_STDMODULE_CFLAGS
+    - optimizedflags_3rd:
+        dir: python/flags
+        run: python3 ./assertflags.py -O2 CFLAGS PY_CFLAGS
+    - debugflags:
+        dir: python/flags
+        run: python3-debug ./assertflags.py -O0
+    - marshalparser:
+        dir: python/marshalparser
+        run: VERSION=3.9 SAMPLE=10 test_marshalparser_compatibility.sh
+    required_packages:
+    - gcc  # for extension building in venv and selftest
+    - gdb  # for test_gdb
+    - python3.9  # the test subject
+    - python3-debug  # for leak testing
+    - python3-devel  # for extension building in venv and selftest
+    - python3-tkinter  # for selftest
+    - python3-test  # for selftest
+    - python3-tox  # for venv tests
+    - glibc-all-langpacks # for locale tests
+    - marshalparser  # for testing compatibility (magic numbers) with marshalparser