import CS python3.9-3.9.25-5.el9

import CS python3.9-3.9.23-2.el9
2026-03-30 10:03:03 -04:00 · 2025-09-15 12:36:59 +00:00
13 changed files with 579 additions and 160 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/Python-3.9.21.tar.xz
+SOURCES/Python-3.9.25.tar.xz
--- a/.python3.9.metadata
+++ b/.python3.9.metadata
@ -1 +1 @@
-d968a953f19c6fc3bf54b5ded5c06852197ebddc SOURCES/Python-3.9.21.tar.xz
+36c7257ec30dca042679626d0dff79715acd4efb SOURCES/Python-3.9.25.tar.xz
--- a/SOURCES/00189-use-rpm-wheels.patch
+++ b/SOURCES/00189-use-rpm-wheels.patch
@ -12,7 +12,7 @@ We might eventually pursuit upstream support, but it's low prio
 1 file changed, 26 insertions(+), 11 deletions(-)

 diff --git a/Lib/ensurepip/__init__.py b/Lib/ensurepip/__init__.py
-index e510cc7..5bd16a6 100644
+index d61bb089e3..77d7ec5a65 100644
 --- a/Lib/ensurepip/__init__.py
 +++ b/Lib/ensurepip/__init__.py
@@ -1,3 +1,5 @@
@ -30,7 +30,7 @@ index e510cc7..5bd16a6 100644
 
 
 __all__ = ["version", "bootstrap"]
-_SETUPTOOLS_VERSION = "58.1.0"
+-_SETUPTOOLS_VERSION = "79.0.1"
 -_PIP_VERSION = "23.0.1"
 +
 +_WHEEL_DIR = "/usr/share/python-wheels/"
--- a/SOURCES/00397-tarfile-filter.patch
+++ b/SOURCES/00397-tarfile-filter.patch
@ -1,8 +1,8 @@
-From 8b70605b594b3831331a9340ba764ff751871612 Mon Sep 17 00:00:00 2001
+From fc3e5ff91495aaf9905bd38ac61db0c3279d17e0 Mon Sep 17 00:00:00 2001
 From: Petr Viktorin <encukou@gmail.com>
-Date: Mon, 6 Mar 2023 17:24:24 +0100
-Subject: [PATCH 2/2] CVE-2007-4559, PEP-706: Add filters for tarfile
- extraction (downstream)
+Date: Fri, 21 Nov 2025 14:30:02 +0100
+Subject: [PATCH] CVE-2007-4559, PEP-706: Add filters for tarfile extraction
+ (downstream)

 Add and test RHEL-specific ways of configuring the default behavior: environment
 variable and config file.
@ -13,7 +13,7 @@ variable and config file.
 3 files changed, 169 insertions(+), 4 deletions(-)

 diff --git a/Lib/tarfile.py b/Lib/tarfile.py
-index b6ad7dbe2a4..dc7050b2c63 100755
+index 209c206..fa3f922 100755
 --- a/Lib/tarfile.py
 +++ b/Lib/tarfile.py
@@ -72,6 +72,13 @@ __all__ = ["TarFile", "TarInfo", "is_tarfile", "TarError", "ReadError",
@ -30,7 +30,7 @@ index b6ad7dbe2a4..dc7050b2c63 100755
 
 #---------------------------------------------------------
 # tar constants
-@@ -2197,6 +2204,41 @@ class TarFile(object):
+@@ -2253,6 +2260,41 @@ class TarFile(object):
         if filter is None:
             filter = self.extraction_filter
             if filter is None:
@ -73,7 +73,7 @@ index b6ad7dbe2a4..dc7050b2c63 100755
             if isinstance(filter, str):
                 raise TypeError(
 diff --git a/Lib/test/test_shutil.py b/Lib/test/test_shutil.py
-index 9041e7aa368..1eb1116cc10 100644
+index 9041e7a..1eb1116 100644
 --- a/Lib/test/test_shutil.py
 +++ b/Lib/test/test_shutil.py
@@ -1613,7 +1613,8 @@ class TestArchives(BaseTest, unittest.TestCase):
@ -87,10 +87,10 @@ index 9041e7aa368..1eb1116cc10 100644
 
     def test_unpack_archive_tar(self):
 diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
-index a66f7efd2d6..6fd3c384b5c 100644
+index 17d2239..8b9aea2 100644
 --- a/Lib/test/test_tarfile.py
 +++ b/Lib/test/test_tarfile.py
-@@ -2,7 +2,7 @@ import sys
+@@ -3,7 +3,7 @@ import sys
 import os
 import io
 from hashlib import sha256
@ -99,7 +99,7 @@ index a66f7efd2d6..6fd3c384b5c 100644
 from random import Random
 import pathlib
 import shutil
-@@ -2929,7 +2929,11 @@ class NoneInfoExtractTests(ReadTest):
+@@ -2999,7 +2999,11 @@ class NoneInfoExtractTests(ReadTest):
         tar = tarfile.open(tarname, mode='r', encoding="iso8859-1")
         cls.control_dir = pathlib.Path(TEMPDIR) / "extractall_ctrl"
         tar.errorlevel = 0
@ -112,7 +112,7 @@ index a66f7efd2d6..6fd3c384b5c 100644
         tar.close()
         cls.control_paths = set(
             p.relative_to(cls.control_dir)
-@@ -3592,7 +3596,8 @@ class TestExtractionFilters(unittest.TestCase):
+@@ -4065,7 +4069,8 @@ class TestExtractionFilters(unittest.TestCase):
         """Ensure the default filter does not warn (like in 3.12)"""
         with ArchiveMaker() as arc:
             arc.add('foo')
@ -122,8 +122,8 @@ index a66f7efd2d6..6fd3c384b5c 100644
             with self.check_context(arc.open(), None):
                 self.expect_file('foo')
 
-@@ -3762,6 +3767,123 @@ class TestExtractionFilters(unittest.TestCase):
-             self.expect_exception(TypeError)  # errorlevel is not int
+@@ -4390,6 +4395,123 @@ class OffsetValidationTests(unittest.TestCase):
+             self.assertEqual(members[0].offset, expected_offset)
 
 
 +    @contextmanager
@ -247,5 +247,5 @@ index a66f7efd2d6..6fd3c384b5c 100644
     support.unlink(TEMPDIR)
     os.makedirs(TEMPDIR)
 -- 
-2.40.1
+2.51.1

--- a/SOURCES/00450-cve-2025-0938-disallow-square-brackets-and-in-domain-names-for-parsed-urls.patch
+++ b/SOURCES/00450-cve-2025-0938-disallow-square-brackets-and-in-domain-names-for-parsed-urls.patch
@ -1,119 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Seth Michael Larson <seth@python.org>
-Date: Fri, 31 Jan 2025 11:41:34 -0600
-Subject: [PATCH] 00450: CVE-2025-0938: Disallow square brackets ([ and ]) in
- domain names for parsed URLs
-
-Co-authored-by: Peter Bierma <zintensitydev@gmail.com>
---
- Lib/test/test_urlparse.py                     | 37 ++++++++++++++++++-
- Lib/urllib/parse.py                           | 20 +++++++++-
- ...-01-28-14-08-03.gh-issue-105704.EnhHxu.rst |  4 ++
- 3 files changed, 58 insertions(+), 3 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst
-
-diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
-index 6f7d40c212..083d08b22e 100644
--- a/Lib/test/test_urlparse.py
-+++ b/Lib/test/test_urlparse.py
-@@ -1146,16 +1146,51 @@ class UrlParseTestCase(unittest.TestCase):
-         self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[0439:23af::2309::fae7:1234]/Path?Query')
-         self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[0439:23af:2309::fae7:1234:2342:438e:192.0.2.146]/Path?Query')
-         self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@]v6a.ip[/Path')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip]')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip].suffix')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip]/')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip].suffix/')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip]?')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip].suffix?')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]/')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix/')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]?')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix?')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:a')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:a')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:a1')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:a1')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:1a')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:1a')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:/')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:?')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://user@prefix.[v6a.ip]')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://user@[v6a.ip].suffix')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip]')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://]v6a.ip[')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://]v6a.ip')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip[')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip].suffix')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix]v6a.ip[suffix')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix]v6a.ip')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip[suffix')
- 
-     def test_splitting_bracketed_hosts(self):
-        p1 = urllib.parse.urlsplit('scheme://user@[v6a.ip]/path?query')
-+        p1 = urllib.parse.urlsplit('scheme://user@[v6a.ip]:1234/path?query')
-         self.assertEqual(p1.hostname, 'v6a.ip')
-         self.assertEqual(p1.username, 'user')
-         self.assertEqual(p1.path, '/path')
-+        self.assertEqual(p1.port, 1234)
-         p2 = urllib.parse.urlsplit('scheme://user@[0439:23af:2309::fae7%test]/path?query')
-         self.assertEqual(p2.hostname, '0439:23af:2309::fae7%test')
-         self.assertEqual(p2.username, 'user')
-         self.assertEqual(p2.path, '/path')
-+        self.assertIs(p2.port, None)
-         p3 = urllib.parse.urlsplit('scheme://user@[0439:23af:2309::fae7:1234:192.0.2.146%test]/path?query')
-         self.assertEqual(p3.hostname, '0439:23af:2309::fae7:1234:192.0.2.146%test')
-         self.assertEqual(p3.username, 'user')
-diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
-index 9d37dcaa90..fb8f7f1ea8 100644
--- a/Lib/urllib/parse.py
-+++ b/Lib/urllib/parse.py
-@@ -443,6 +443,23 @@ def _checknetloc(netloc):
-             raise ValueError("netloc '" + netloc + "' contains invalid " +
-                              "characters under NFKC normalization")
- 
-+def _check_bracketed_netloc(netloc):
-+    # Note that this function must mirror the splitting
-+    # done in NetlocResultMixins._hostinfo().
-+    hostname_and_port = netloc.rpartition('@')[2]
-+    before_bracket, have_open_br, bracketed = hostname_and_port.partition('[')
-+    if have_open_br:
-+        # No data is allowed before a bracket.
-+        if before_bracket:
-+            raise ValueError("Invalid IPv6 URL")
-+        hostname, _, port = bracketed.partition(']')
-+        # No data is allowed after the bracket but before the port delimiter.
-+        if port and not port.startswith(":"):
-+            raise ValueError("Invalid IPv6 URL")
-+    else:
-+        hostname, _, port = hostname_and_port.partition(':')
-+    _check_bracketed_host(hostname)
-+
- # Valid bracketed hosts are defined in
- # https://www.rfc-editor.org/rfc/rfc3986#page-49 and https://url.spec.whatwg.org/
- def _check_bracketed_host(hostname):
-@@ -506,8 +523,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
-                 (']' in netloc and '[' not in netloc)):
-             raise ValueError("Invalid IPv6 URL")
-         if '[' in netloc and ']' in netloc:
-            bracketed_host = netloc.partition('[')[2].partition(']')[0]
-            _check_bracketed_host(bracketed_host)
-+            _check_bracketed_netloc(netloc)
-     if allow_fragments and '#' in url:
-         url, fragment = url.split('#', 1)
-     if '?' in url:
-diff --git a/Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst b/Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst
-new file mode 100644
-index 0000000000..bff1bc6b0d
--- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst
-@@ -0,0 +1,4 @@
-+When using :func:`urllib.parse.urlsplit` and :func:`urllib.parse.urlparse` host
-+parsing would not reject domain names containing square brackets (``[`` and
-+``]``). Square brackets are only valid for IPv6 and IPvFuture hosts according to
-+`RFC 3986 Section 3.2.2 <https://www.rfc-editor.org/rfc/rfc3986#section-3.2.2>`__.
--- a/SOURCES/00471-cve-2025-12084.patch
+++ b/SOURCES/00471-cve-2025-12084.patch
@ -0,0 +1,140 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Mon, 22 Dec 2025 14:48:49 +0100
+Subject: 00471: CVE-2025-12084
+
+* gh-142145: Remove quadratic behavior in node ID cache clearing (GH-142146)
+* gh-142754: Ensure that Element & Attr instances have the ownerDocument attribute (GH-142794)
+(cherry picked from commit 1cc7551b3f9f71efbc88d96dce90f82de98b2454)
+(cherry picked from commit 08d8e18ad81cd45bc4a27d6da478b51ea49486e4)
+(cherry picked from commit 8d2d7bb2e754f8649a68ce4116271a4932f76907)
+
+Co-authored-by: Jacob Walls <38668450+jacobtylerwalls@users.noreply.github.com>
+Co-authored-by: Seth Michael Larson <seth@python.org>
+Co-authored-by: Petr Viktorin <encukou@gmail.com>
+Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
+Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
+Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
+Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
+Co-authored-by: Gregory P. Smith <greg@krypto.org>
+---
+ Lib/test/test_minidom.py                      | 33 ++++++++++++++++++-
+ Lib/xml/dom/minidom.py                        | 11 ++-----
+ ...-12-01-09-36-45.gh-issue-142145.tcAUhg.rst |  6 ++++
+ 3 files changed, 41 insertions(+), 9 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst
+
+diff --git a/Lib/test/test_minidom.py b/Lib/test/test_minidom.py
+index 97620258d8..9f7f5b240e 100644
+--- a/Lib/test/test_minidom.py
+++ b/Lib/test/test_minidom.py
+@@ -2,6 +2,7 @@
+ 
+ import copy
+ import pickle
+import time
+ import io
+ from test import support
+ import unittest
+@@ -9,7 +10,7 @@ import unittest
+ import pyexpat
+ import xml.dom.minidom
+ 
+-from xml.dom.minidom import parse, Node, Document, parseString
+from xml.dom.minidom import parse, Attr, Node, Document, Element, parseString
+ from xml.dom.minidom import getDOMImplementation
+ from xml.parsers.expat import ExpatError
+ 
+@@ -163,6 +164,36 @@ class MinidomTest(unittest.TestCase):
+         self.confirm(dom.documentElement.childNodes[-1].data == "Hello")
+         dom.unlink()
+ 
+    @support.requires_resource('cpu')
+    def testAppendChildNoQuadraticComplexity(self):
+        impl = getDOMImplementation()
+
+        newdoc = impl.createDocument(None, "some_tag", None)
+        top_element = newdoc.documentElement
+        children = [newdoc.createElement(f"child-{i}") for i in range(1, 2 ** 15 + 1)]
+        element = top_element
+
+        start = time.monotonic()
+        for child in children:
+            element.appendChild(child)
+            element = child
+        end = time.monotonic()
+
+        # This example used to take at least 30 seconds.
+        # Conservative assertion due to the wide variety of systems and
+        # build configs timing based tests wind up run under.
+        # A --with-address-sanitizer --with-pydebug build on a rpi5 still
+        # completes this loop in <0.5 seconds.
+        self.assertLess(end - start, 4)
+
+    def testSetAttributeNodeWithoutOwnerDocument(self):
+        # regression test for gh-142754
+        elem = Element("test")
+        attr = Attr("id")
+        attr.value = "test-id"
+        elem.setAttributeNode(attr)
+        self.assertEqual(elem.getAttribute("id"), "test-id")
+
+     def testAppendChildFragment(self):
+         dom, orig, c1, c2, c3, frag = self._create_fragment_test_nodes()
+         dom.documentElement.appendChild(frag)
+diff --git a/Lib/xml/dom/minidom.py b/Lib/xml/dom/minidom.py
+index d09ef5e7d0..e4e8b42996 100644
+--- a/Lib/xml/dom/minidom.py
+++ b/Lib/xml/dom/minidom.py
+@@ -292,13 +292,6 @@ def _append_child(self, node):
+     childNodes.append(node)
+     node.parentNode = self
+ 
+-def _in_document(node):
+-    # return True iff node is part of a document tree
+-    while node is not None:
+-        if node.nodeType == Node.DOCUMENT_NODE:
+-            return True
+-        node = node.parentNode
+-    return False
+ 
+ def _write_data(writer, data):
+     "Writes datachars to writer."
+@@ -355,6 +348,7 @@ class Attr(Node):
+     def __init__(self, qName, namespaceURI=EMPTY_NAMESPACE, localName=None,
+                  prefix=None):
+         self.ownerElement = None
+        self.ownerDocument = None
+         self._name = qName
+         self.namespaceURI = namespaceURI
+         self._prefix = prefix
+@@ -678,6 +672,7 @@ class Element(Node):
+ 
+     def __init__(self, tagName, namespaceURI=EMPTY_NAMESPACE, prefix=None,
+                  localName=None):
+        self.ownerDocument = None
+         self.parentNode = None
+         self.tagName = self.nodeName = tagName
+         self.prefix = prefix
+@@ -1537,7 +1532,7 @@ def _clear_id_cache(node):
+     if node.nodeType == Node.DOCUMENT_NODE:
+         node._id_cache.clear()
+         node._id_search_stack = None
+-    elif _in_document(node):
+    elif node.ownerDocument:
+         node.ownerDocument._id_cache.clear()
+         node.ownerDocument._id_search_stack= None
+ 
+diff --git a/Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst b/Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst
+new file mode 100644
+index 0000000000..05c7df35d1
+--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst
+@@ -0,0 +1,6 @@
+Remove quadratic behavior in ``xml.minidom`` node ID cache clearing.  In order
+to do this without breaking existing users, we also add the *ownerDocument*
+attribute to :mod:`xml.dom.minidom` elements and attributes created by directly
+instantiating the ``Element`` or ``Attr`` class. Note that this way of creating
+nodes is not supported; creator functions like
+:py:meth:`xml.dom.Document.documentElement` should be used instead.
--- a/SOURCES/00473-cve-2026-0865.patch
+++ b/SOURCES/00473-cve-2026-0865.patch
@ -0,0 +1,90 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Seth Michael Larson <seth@python.org>
+Date: Sat, 17 Jan 2026 11:46:21 -0600
+Subject: 00473: CVE-2026-0865
+
+ gh-143916: Reject control characters in wsgiref.headers.Headers  (GH-143917)
+
+* Add 'test.support' fixture for C0 control characters
+* gh-143916: Reject control characters in wsgiref.headers.Headers
+---
+ Lib/test/support/__init__.py                         |  7 +++++++
+ Lib/test/test_wsgiref.py                             | 12 +++++++++++-
+ Lib/wsgiref/headers.py                               |  3 +++
+ .../2026-01-16-11-07-36.gh-issue-143916.dpWeOD.rst   |  2 ++
+ 4 files changed, 23 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-11-07-36.gh-issue-143916.dpWeOD.rst
+
+diff --git a/Lib/test/support/__init__.py b/Lib/test/support/__init__.py
+index e991426bd3..94446da6c9 100644
+--- a/Lib/test/support/__init__.py
+++ b/Lib/test/support/__init__.py
+@@ -3340,3 +3340,10 @@ def adjust_int_max_str_digits(max_digits):
+         yield
+     finally:
+         sys.set_int_max_str_digits(current)
+
+
+def control_characters_c0() -> list[str]:
+    """Returns a list of C0 control characters as strings.
+    C0 control characters defined as the byte range 0x00-0x1F, and 0x7F.
+    """
+    return [chr(c) for c in range(0x00, 0x20)] + ["\x7F"]
+diff --git a/Lib/test/test_wsgiref.py b/Lib/test/test_wsgiref.py
+index 3e76e01c65..d5d3f650a1 100644
+--- a/Lib/test/test_wsgiref.py
+++ b/Lib/test/test_wsgiref.py
+@@ -1,6 +1,6 @@
+ from unittest import mock
+ from test import support
+-from test.support import socket_helper
+from test.support import socket_helper, control_characters_c0
+ from test.test_httpservers import NoLogRequestHandler
+ from unittest import TestCase
+ from wsgiref.util import setup_testing_defaults
+@@ -526,6 +526,16 @@ class HeaderTests(TestCase):
+             '\r\n'
+         )
+ 
+    def testRaisesControlCharacters(self):
+        headers = Headers()
+        for c0 in control_characters_c0():
+            self.assertRaises(ValueError, headers.__setitem__, f"key{c0}", "val")
+            self.assertRaises(ValueError, headers.__setitem__, "key", f"val{c0}")
+            self.assertRaises(ValueError, headers.add_header, f"key{c0}", "val", param="param")
+            self.assertRaises(ValueError, headers.add_header, "key", f"val{c0}", param="param")
+            self.assertRaises(ValueError, headers.add_header, "key", "val", param=f"param{c0}")
+
+
+ class ErrorHandler(BaseCGIHandler):
+     """Simple handler subclass for testing BaseHandler"""
+ 
+diff --git a/Lib/wsgiref/headers.py b/Lib/wsgiref/headers.py
+index fab851c5a4..fd98e85d75 100644
+--- a/Lib/wsgiref/headers.py
+++ b/Lib/wsgiref/headers.py
+@@ -9,6 +9,7 @@ written by Barry Warsaw.
+ # existence of which force quoting of the parameter value.
+ import re
+ tspecials = re.compile(r'[ \(\)<>@,;:\\"/\[\]\?=]')
+_control_chars_re = re.compile(r'[\x00-\x1F\x7F]')
+ 
+ def _formatparam(param, value=None, quote=1):
+     """Convenience function to format and return a key=value pair.
+@@ -41,6 +42,8 @@ class Headers:
+     def _convert_string_type(self, value):
+         """Convert/check value type."""
+         if type(value) is str:
+            if _control_chars_re.search(value):
+                raise ValueError("Control characters not allowed in headers")
+             return value
+         raise AssertionError("Header names/values must be"
+             " of type str (got {0})".format(repr(value)))
+diff --git a/Misc/NEWS.d/next/Security/2026-01-16-11-07-36.gh-issue-143916.dpWeOD.rst b/Misc/NEWS.d/next/Security/2026-01-16-11-07-36.gh-issue-143916.dpWeOD.rst
+new file mode 100644
+index 0000000000..44bd0b2705
+--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2026-01-16-11-07-36.gh-issue-143916.dpWeOD.rst
+@@ -0,0 +1,2 @@
+Reject C0 control characters within wsgiref.headers.Headers fields, values,
+and parameters.
--- a/SOURCES/00474-cve-2025-15366.patch
+++ b/SOURCES/00474-cve-2025-15366.patch
@ -0,0 +1,61 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Seth Michael Larson <seth@python.org>
+Date: Tue, 20 Jan 2026 14:45:42 -0600
+Subject: 00474: CVE-2025-15366
+
+gh-143921: Reject control characters in IMAP commands
+
+(cherry-picked from commit 6262704b134db2a4ba12e85ecfbd968534f28b45)
+---
+ Lib/imaplib.py                                              | 4 +++-
+ Lib/test/test_imaplib.py                                    | 6 ++++++
+ .../Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst | 1 +
+ 3 files changed, 10 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst
+
+diff --git a/Lib/imaplib.py b/Lib/imaplib.py
+index ced7203e0c..be2fcb3c05 100644
+--- a/Lib/imaplib.py
+++ b/Lib/imaplib.py
+@@ -132,7 +132,7 @@ Untagged_status = re.compile(
+ # We compile these in _mode_xxx.
+ _Literal = br'.*{(?P<size>\d+)}$'
+ _Untagged_status = br'\* (?P<data>\d+) (?P<type>[A-Z-]+)( (?P<data2>.*))?'
+-
+_control_chars = re.compile(b'[\x00-\x1F\x7F]')
+ 
+ 
+ class IMAP4:
+@@ -994,6 +994,8 @@ class IMAP4:
+             if arg is None: continue
+             if isinstance(arg, str):
+                 arg = bytes(arg, self._encoding)
+            if _control_chars.search(arg):
+                raise ValueError("Control characters not allowed in commands")
+             data = data + b' ' + arg
+ 
+         literal = self.literal
+diff --git a/Lib/test/test_imaplib.py b/Lib/test/test_imaplib.py
+index 057e4e65f0..471325de1d 100644
+--- a/Lib/test/test_imaplib.py
+++ b/Lib/test/test_imaplib.py
+@@ -503,6 +503,12 @@ class NewIMAPTestsMixin():
+         self.assertEqual(data[0], b'LOGIN completed')
+         self.assertEqual(client.state, 'AUTH')
+ 
+    def test_control_characters(self):
+        client, _ = self._setup(SimpleIMAPHandler)
+        for c0 in support.control_characters_c0():
+            with self.assertRaises(ValueError):
+                client.login(f'user{c0}', 'pass')
+
+     def test_logout(self):
+         client, _ = self._setup(SimpleIMAPHandler)
+         typ, data = client.login('user', 'pass')
+diff --git a/Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst b/Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst
+new file mode 100644
+index 0000000000..4e13fe92bc
+--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst
+@@ -0,0 +1 @@
+Reject control characters in IMAP commands.
--- a/SOURCES/00475-cve-2025-15367.patch
+++ b/SOURCES/00475-cve-2025-15367.patch
@ -0,0 +1,61 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Seth Michael Larson <seth@python.org>
+Date: Tue, 20 Jan 2026 14:46:32 -0600
+Subject: 00475: CVE-2025-15367
+
+gh-143923: Reject control characters in POP3 commands
+
+(cherry-picked from commit b234a2b67539f787e191d2ef19a7cbdce32874e7)
+---
+ Lib/poplib.py                                             | 2 ++
+ Lib/test/test_poplib.py                                   | 8 ++++++++
+ .../2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst        | 1 +
+ 3 files changed, 11 insertions(+)
+ create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst
+
+diff --git a/Lib/poplib.py b/Lib/poplib.py
+index 0f8587317c..f563030f7f 100644
+--- a/Lib/poplib.py
+++ b/Lib/poplib.py
+@@ -122,6 +122,8 @@ class POP3:
+     def _putcmd(self, line):
+         if self._debugging: print('*cmd*', repr(line))
+         line = bytes(line, self.encoding)
+        if re.search(b'[\x00-\x1F\x7F]', line):
+            raise ValueError('Control characters not allowed in commands')
+         self._putline(line)
+ 
+ 
+diff --git a/Lib/test/test_poplib.py b/Lib/test/test_poplib.py
+index 5d9f557eef..7a0313f35a 100644
+--- a/Lib/test/test_poplib.py
+++ b/Lib/test/test_poplib.py
+@@ -14,6 +14,7 @@ import threading
+ import unittest
+ from unittest import TestCase, skipUnless
+ from test import support as test_support
+from test.support import control_characters_c0
+ from test.support import hashlib_helper
+ from test.support import socket_helper
+ 
+@@ -360,6 +361,13 @@ class TestPOP3Class(TestCase):
+         self.assertIsNone(self.client.sock)
+         self.assertIsNone(self.client.file)
+ 
+    def test_control_characters(self):
+        for c0 in control_characters_c0():
+            with self.assertRaises(ValueError):
+                self.client.user(f'user{c0}')
+            with self.assertRaises(ValueError):
+                self.client.pass_(f'{c0}pass')
+
+     @requires_ssl
+     def test_stls_capa(self):
+         capa = self.client.capa()
+diff --git a/Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst b/Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst
+new file mode 100644
+index 0000000000..3cde4df3e0
+--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst
+@@ -0,0 +1 @@
+Reject control characters in POP3 commands.
--- a/SOURCES/00476-cve-2026-1299.patch
+++ b/SOURCES/00476-cve-2026-1299.patch
@ -0,0 +1,108 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Sun, 25 Jan 2026 18:10:00 +0100
+Subject: 00476: CVE-2026-1299
+
+gh-144125: email: verify headers are sound in BytesGenerator
+(cherry picked from commit 052e55e7d44718fe46cbba0ca995cb8fcc359413)
+
+Co-authored-by: Seth Michael Larson <seth@python.org>
+Co-authored-by: Denis Ledoux <dle@odoo.com>
+Co-authored-by: Denis Ledoux <5822488+beledouxdenis@users.noreply.github.com>
+Co-authored-by: Petr Viktorin <302922+encukou@users.noreply.github.com>
+Co-authored-by: Bas Bloemsaat <1586868+basbloemsaat@users.noreply.github.com>
+---
+ Lib/email/generator.py                               | 12 +++++++++++-
+ Lib/test/test_email/test_generator.py                |  4 +++-
+ Lib/test/test_email/test_policy.py                   |  6 +++++-
+ .../2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst   |  4 ++++
+ 4 files changed, 23 insertions(+), 3 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst
+
+diff --git a/Lib/email/generator.py b/Lib/email/generator.py
+index 89224ae41c..98cc4a09c9 100644
+--- a/Lib/email/generator.py
+++ b/Lib/email/generator.py
+@@ -22,6 +22,7 @@ NL = '\n'  # XXX: no longer used by the code below.
+ NLCRE = re.compile(r'\r\n|\r|\n')
+ fcre = re.compile(r'^From ', re.MULTILINE)
+ NEWLINE_WITHOUT_FWSP = re.compile(r'\r\n[^ \t]|\r[^ \n\t]|\n[^ \t]')
+NEWLINE_WITHOUT_FWSP_BYTES = re.compile(br'\r\n[^ \t]|\r[^ \n\t]|\n[^ \t]')
+ 
+ 
+ 
+@@ -430,7 +431,16 @@ class BytesGenerator(Generator):
+         # This is almost the same as the string version, except for handling
+         # strings with 8bit bytes.
+         for h, v in msg.raw_items():
+-            self._fp.write(self.policy.fold_binary(h, v))
+            folded = self.policy.fold_binary(h, v)
+            if self.policy.verify_generated_headers:
+                linesep = self.policy.linesep.encode()
+                if not folded.endswith(linesep):
+                    raise HeaderWriteError(
+                        f'folded header does not end with {linesep!r}: {folded!r}')
+                if NEWLINE_WITHOUT_FWSP_BYTES.search(folded.removesuffix(linesep)):
+                    raise HeaderWriteError(
+                        f'folded header contains newline: {folded!r}')
+            self._fp.write(folded)
+         # A blank line always separates headers from body
+         self.write(self._NL)
+ 
+diff --git a/Lib/test/test_email/test_generator.py b/Lib/test/test_email/test_generator.py
+index d29400f0ed..a641f871dd 100644
+--- a/Lib/test/test_email/test_generator.py
+++ b/Lib/test/test_email/test_generator.py
+@@ -264,7 +264,7 @@ class TestGenerator(TestGeneratorBase, TestEmailBase):
+     typ = str
+ 
+     def test_verify_generated_headers(self):
+-        """gh-121650: by default the generator prevents header injection"""
+        # gh-121650: by default the generator prevents header injection
+         class LiteralHeader(str):
+             name = 'Header'
+             def fold(self, **kwargs):
+@@ -285,6 +285,8 @@ class TestGenerator(TestGeneratorBase, TestEmailBase):
+ 
+                 with self.assertRaises(email.errors.HeaderWriteError):
+                     message.as_string()
+                with self.assertRaises(email.errors.HeaderWriteError):
+                    message.as_bytes()
+ 
+ 
+ class TestBytesGenerator(TestGeneratorBase, TestEmailBase):
+diff --git a/Lib/test/test_email/test_policy.py b/Lib/test/test_email/test_policy.py
+index ff1ddf7d7a..d4a5eb3b59 100644
+--- a/Lib/test/test_email/test_policy.py
+++ b/Lib/test/test_email/test_policy.py
+@@ -279,7 +279,7 @@ class PolicyAPITests(unittest.TestCase):
+                     policy.fold("Subject", subject)
+ 
+     def test_verify_generated_headers(self):
+-        """Turning protection off allows header injection"""
+        # Turning protection off allows header injection
+         policy = email.policy.default.clone(verify_generated_headers=False)
+         for text in (
+             'Header: Value\r\nBad: Injection\r\n',
+@@ -302,6 +302,10 @@ class PolicyAPITests(unittest.TestCase):
+                     message.as_string(),
+                     f"{text}\nBody",
+                 )
+                self.assertEqual(
+                    message.as_bytes(),
+                    f"{text}\nBody".encode(),
+                )
+ 
+     # XXX: Need subclassing tests.
+     # For adding subclassed objects, make sure the usual rules apply (subclass
+diff --git a/Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst b/Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst
+new file mode 100644
+index 0000000000..e6333e7249
+--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst
+@@ -0,0 +1,4 @@
+:mod:`~email.generator.BytesGenerator` will now refuse to serialize (write) headers
+that are unsafely folded or delimited; see
+:attr:`~email.policy.Policy.verify_generated_headers`. (Contributed by Bas
+Bloemsaat and Petr Viktorin in :gh:`121650`).
--- a/SOURCES/Python-3.9.21.tar.xz.asc
+++ b/SOURCES/Python-3.9.21.tar.xz.asc
@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmdPScsACgkQsmmV4xAl
-BWgZtRAAiPehPRc94kRpNn4CuLw9hDFJmucXfG/Pjf9DdQkrmWAMvFS2kpigd9A0
-3QoDbgZPb8k9XtTrbpT4A0j/SYaqnLXOktXE7CEwM1vRTHbUDm62qxRSIa+RXO1d
-h/EqhF1Rpgl37I1GL3mAHew6KjIq3K/aNvJVTtKA+1xy8XpF5Dbk3feDeTucqYaM
-evtCu2SlwQXRvIbqFciMtRC2bmkNHgRVFpuxInjmp82ED0E6yZ/ecHXjb5Da7lDV
-8uRh9aEjMWY4LHTdl2tWaaerLqYZfvHSlz2xY8W5itSgOAzzJNn3dX8P6EKK5ab7
-IV85vqPX1oMcX0seZd3QlVdOxUPf1tKB7Eo7yHz3gV/KgWzFSAHSZFCwiqyfNfj8
-PibYYwtGG0+S7GJ7bZ2iCCgkqrFBoMQ8yOEDxE7Pt36JSXtZ2grtsFB8WAZqhCMa
-luIjiibGkOzzBRX/neW5RYT1HLNzi140G7XEZeRv3CXzuud66+ynLdOK7uFEr8jq
-W0t/fHbrqcSjyEo9L9VDP4Wd9VU/nwf6tb3Py6nPZKM93ZYqtlJNmzxmOyQOmn30
-bRGEQyzcYmEKMWg6zzO57In/WRytB4BgE7Dj7L876TbnJ8YoR8TVpuQ3sDKoSxwo
-gIdNR/6lcqP0HwDFtqBrcwSQ9Dew6wMz0Pp2EwX90EZLwnBvpeI=
-=taeu
-----END PGP SIGNATURE-----
--- a/SOURCES/Python-3.9.25.tar.xz.asc
+++ b/SOURCES/Python-3.9.25.tar.xz.asc
@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmkFBpsACgkQsmmV4xAl
+BWgwbw//Tx78tZg3/tJ47YDzDCf68XurBPbdgSfmmGTRrveMt6nQbV+c7XKS5MKK
+6hP0jt4W8tP6zC/zRPTexqYwetTaM7+ZKuxzwXABXzi+rfmL/L6BtQQpzwK+vesE
+hSSkjl4R2FF3YBrTBNqG0ewf5j4Y41yc4V9UHJWXbmQt6sg/nF+lDvG3K3wzP6zV
+rs6LsayeO3AXhi7+c0q7d2oYTFhv/RPOGl6/fLy5j1bxNNE1i2yeIfcR9BqjqB9y
+Ue1Tea8RGjh3dSq06/8ubpcqf+tlE4cCDkLERqDWSafZnNA5X4eymAQP9urUoH2n
+78X8DXkGbKqyJ+3w97S6zqVnZvL2jSOog8R+yvT5snqzJDp+UK0lcbowPILsOGm4
+BE54dQTG5bT+1bUicvQZIbP4vOswZufl8LGmodkW06edSEcylwO8bHWNcY/gC5HO
+WcTbqTFyV+FtwAJxsfgkqKcI6xUyYHqeMhqCUvkpHFFMjsinVOBFVbow8fgiJGUV
+GIo3kMNPZPirqgl9bhc3F7qvdgVDQsCqnKJ8B1WegdIlKWxXBj3qQB0U4Qbecpdt
+2AhVQAmcOu4LzJYtatDp/0tw6KMr8nWGdofrLVJgzQuu6MmhGW+2cJ0e+wUAxw6v
+OBjQ0o42ylQKeS8VGP4yFbYv1umeeWHje26z9az3uOVUFaAoptk=
+=5qMt
+-----END PGP SIGNATURE-----
--- a/SPECS/python3.9.spec
+++ b/SPECS/python3.9.spec
@ -13,11 +13,11 @@ URL: https://www.python.org/

 #  WARNING  When rebasing to a new Python version,
 #           remember to update the python3-docs package as well
-%global general_version %{pybasever}.21
+%global general_version %{pybasever}.25
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 2%{?dist}
+Release: 5%{?dist}
 License: Python


@ -269,6 +269,7 @@ BuildRequires: valgrind-devel
 BuildRequires: xz-devel
 BuildRequires: zlib-devel

+BuildRequires: systemtap-sdt-devel
 BuildRequires: /usr/bin/dtrace

 # workaround http://bugs.python.org/issue19804 (test_uuid requires ifconfig)
@ -320,7 +321,7 @@ Patch1: 00001-rpath.patch
 # See https://bugzilla.redhat.com/show_bug.cgi?id=556092
 Patch111: 00111-no-static-lib.patch

-# 00189 # d06cf137c00fd3907b436fdb92a8f007a7f2fb50
+# 00189 # 0c6dd5d318a22bbe89e09e1cd5513eaaca549aa5
 # Instead of bundled wheels, use our RPM packaged wheels
 #
 # We keep them in /usr/share/python-wheels
@ -333,7 +334,7 @@ Patch189: 00189-use-rpm-wheels.patch
 # When the bundled setuptools/pip wheel is updated, the patch no longer applies cleanly.
 # In such cases, the patch needs to be amended and the versions updated here:
 %global pip_version 23.0.1
-%global setuptools_version 58.1.0
+%global setuptools_version 79.0.1

 # 00251 # 1b1047c14ff98eae6d355b4aac4df3e388813f62
 # Change user install location
@ -437,9 +438,43 @@ Patch415: 00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-par
 # CVE-2023-52425. Future versions of Expat may be more reactive.
 Patch422: 00422-fix-tests-for-xmlpullparser-with-expat-2-6-0.patch

-# 00450 # 4ab8663661748eb994c09e4ae89f59eb84c5d3ea
-# CVE-2025-0938: Disallow square brackets ([ and ]) in domain names for parsed URLs
-Patch450: 00450-cve-2025-0938-disallow-square-brackets-and-in-domain-names-for-parsed-urls.patch
+# 00471 # fc5f344f7e15c13dbf41824a1b7a82d92205f79d
+# CVE-2025-12084
+#
+# * gh-142145: Remove quadratic behavior in node ID cache clearing (GH-142146)
+# * gh-142754: Ensure that Element & Attr instances have the ownerDocument attribute (GH-142794)
+Patch471: 00471-cve-2025-12084.patch
+
+# 00473 # 7e68b796abe391a467dba42b6641053aac726d67
+# CVE-2026-0865
+#
+#  gh-143916: Reject control characters in wsgiref.headers.Headers  (GH-143917)
+#
+# * Add 'test.support' fixture for C0 control characters
+# * gh-143916: Reject control characters in wsgiref.headers.Headers
+Patch473: 00473-cve-2026-0865.patch
+
+# 00474 # 837ddca0372fa87ff9cee47142200caa21e77def
+# CVE-2025-15366
+#
+# gh-143921: Reject control characters in IMAP commands
+#
+# (cherry-picked from commit 6262704b134db2a4ba12e85ecfbd968534f28b45)
+Patch474: 00474-cve-2025-15366.patch
+
+# 00475 # 00384c03f44af74c955a44637eee0b66f717a487
+# CVE-2025-15367
+#
+# gh-143923: Reject control characters in POP3 commands
+#
+# (cherry-picked from commit b234a2b67539f787e191d2ef19a7cbdce32874e7)
+Patch475: 00475-cve-2025-15367.patch
+
+# 00476 # efbfd1798bf8c1a9845546a0ed9193f94661dd1b
+# CVE-2026-1299
+#
+# gh-144125: email: verify headers are sound in BytesGenerator
+Patch476: 00476-cve-2026-1299.patch

 # (New patches go here ^^^)
 #
@ -1497,6 +1532,10 @@ CheckPython optimized
 %dir %{pylibdir}/site-packages/
 %dir %{pylibdir}/site-packages/__pycache__/
 %{pylibdir}/site-packages/README.txt
+
+%exclude %{pylibdir}/_sysconfigdata_d_linux_%{platform_triplet}.py
+%exclude %{pylibdir}/__pycache__/_sysconfigdata_d_linux_%{platform_triplet}%{bytecode_suffixes}
+
 %{pylibdir}/*.py
 %dir %{pylibdir}/__pycache__/
 %{pylibdir}/__pycache__/*%{bytecode_suffixes}
@ -1822,6 +1861,9 @@ CheckPython optimized
 %{dynload_dir}/_testinternalcapi.%{SOABI_debug}.so
 %{dynload_dir}/_testmultiphase.%{SOABI_debug}.so

+%{pylibdir}/_sysconfigdata_d_linux_%{platform_triplet}.py
+%{pylibdir}/__pycache__/_sysconfigdata_d_linux_%{platform_triplet}%{bytecode_suffixes}
+
 %endif # with debug_build

 # We put the debug-gdb.py file inside /usr/lib/debug to avoid noise from ldconfig
@ -1845,6 +1887,42 @@ CheckPython optimized
 # ======================================================

 %changelog
+* Mon Mar 09 2026 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.9.25-5
+- Rebuilding previous fixes for different build target
+Related: RHEL-143117, RHEL-143174, RHEL-144897
+
+* Wed Feb 25 2026 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.9.25-4
+- Security fixes for CVE-2026-0865, CVE-2025-15366, CVE-2025-15367 and CVE-2026-1299
+Resolves: RHEL-143117
+Resolves: RHEL-143174
+Resolves: RHEL-144897
+
+* Wed Jan 14 2026 Lumír Balhar <lbalhar@redhat.com> - 3.9.25-3
+- Security fix for CVE-2025-12084
+Resolves: RHEL-135897
+
+* Mon Nov 10 2025 Tomas Orsava <torsava@redhat.com> - 3.9.25-2
+- Move _sysconfigdata_d_linux*.py to the debug subpackage
+
+* Mon Nov 03 2025 Karolina Surma <ksurma@redhat.com> - 3.9.25-1
+- Update to Python 3.9.25
+
+* Fri Oct 10 2025 Karolina Surma <ksurma@redhat.com> - 3.9.24-1
+- Update to Python 3.9.24
+
+* Tue Aug 19 2025 Lumír Balhar <lbalhar@redhat.com> - 3.9.23-2
+- Security fix for CVE-2025-8194
+Resolves: RHEL-106374
+
+* Fri Jun 27 2025 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.9.23-1
+- Update to 3.9.23
+- Security fixes for CVE-2025-4517, CVE-2025-4330, CVE-2025-4138, CVE-2024-12718, CVE-2025-4435
+Resolves: RHEL-98051, RHEL-98024, RHEL-98242, RHEL-98193, RHEL-98218
+
+* Mon Jun 23 2025 Tobias Urdin <tobias.urdin@binero.com> - 3.9.21-3
+- Add systemtap-sdt-devel build dependency
+Resolves: RHEL-99500
+
 * Mon Feb 10 2025 Charalampos Stratakis <cstratak@redhat.com> - 3.9.21-2
 - Security fix for CVE-2025-0938
 Resolves: RHEL-77263
Author	SHA1	Message	Date
AlmaLinux RelEng Bot	ed5f99f713	import CS python3.9-3.9.25-5.el9	2026-03-30 10:03:03 -04:00
eabdullin	aac3bb2d7d	import CS python3.9-3.9.23-2.el9	2025-09-15 12:36:59 +00:00