import CS python3.9-3.9.21-2.el9

.gitignore

@@ -1 +1 @@
-SOURCES/Python-3.9.9.tar.xz
+SOURCES/Python-3.9.21.tar.xz

.python3.9.metadata

@@ -1 +1 @@
-6274e5631c520d75bf1f0a046640fd3996fe99f0 SOURCES/Python-3.9.9.tar.xz
+d968a953f19c6fc3bf54b5ded5c06852197ebddc SOURCES/Python-3.9.21.tar.xz

SOURCES/00189-use-rpm-wheels.patch

@@ -1,4 +1,4 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From 12b919396f3fd24521b5ded51e18beb55973f0ff Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz>
 Date: Wed, 15 Aug 2018 15:36:29 +0200
 Subject: [PATCH] 00189: Instead of bundled wheels, use our RPM packaged wheels
@@ -12,7 +12,7 @@ We might eventually pursuit upstream support, but it's low prio
  1 file changed, 26 insertions(+), 11 deletions(-)
 
 diff --git a/Lib/ensurepip/__init__.py b/Lib/ensurepip/__init__.py
-index 2a140a2624..5bd16a6c59 100644
+index e510cc7..5bd16a6 100644
 --- a/Lib/ensurepip/__init__.py
 +++ b/Lib/ensurepip/__init__.py
 @@ -1,3 +1,5 @@
@@ -31,7 +31,7 @@ index 2a140a2624..5bd16a6c59 100644
  
  __all__ = ["version", "bootstrap"]
 -_SETUPTOOLS_VERSION = "58.1.0"
--_PIP_VERSION = "21.2.4"
+-_PIP_VERSION = "23.0.1"
 +
 +_WHEEL_DIR = "/usr/share/python-wheels/"
 +
@@ -73,3 +73,6 @@ index 2a140a2624..5bd16a6c59 100644
  
              additional_paths.append(os.path.join(tmpdir, wheel_name))
  
+-- 
+2.35.3
+

SOURCES/00251-change-user-install-location.patch

@@ -2,41 +2,61 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Michal Cyprian <m.cyprian@gmail.com>
 Date: Mon, 26 Jun 2017 16:32:56 +0200
 Subject: [PATCH] 00251: Change user install location
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
 
 Set values of prefix and exec_prefix in distutils install command
 to /usr/local if executable is /usr/bin/python* and RPM build
 is not detected to make pip and distutils install into separate location.
 
 Fedora Change: https://fedoraproject.org/wiki/Changes/Making_sudo_pip_safe
-Downstream only: Awaiting resources to work on upstream PEP
+Downstream only: Reworked in Fedora 36+/Python 3.10+ to follow https://bugs.python.org/issue43976
+
+pypa/distutils integration: https://github.com/pypa/distutils/pull/70
+
+Also set sysconfig._PIP_USE_SYSCONFIG = False, to force pip-upgraded-pip
+to respect this patched distutils install command.
+See https://bugzilla.redhat.com/show_bug.cgi?id=2014513
+
+Co-authored-by: Miro Hrončok <miro@hroncok.cz>
 ---
- Lib/distutils/command/install.py | 15 +++++++++++++--
+ Lib/distutils/command/install.py |  9 +++++++--
  Lib/site.py                      |  9 ++++++++-
- 2 files changed, 21 insertions(+), 3 deletions(-)
+ Lib/sysconfig.py                 | 17 +++++++++++++++++
+ 3 files changed, 32 insertions(+), 3 deletions(-)
 
 diff --git a/Lib/distutils/command/install.py b/Lib/distutils/command/install.py
-index aaa300efa9..f8d453912a 100644
+index aaa300efa9..18f01f10d4 100644
 --- a/Lib/distutils/command/install.py
 +++ b/Lib/distutils/command/install.py
-@@ -419,8 +419,19 @@ class install(Command):
+@@ -3,6 +3,7 @@
+ Implements the Distutils 'install' command."""
+ 
+ import sys
++import sysconfig
+ import os
+ 
+ from distutils import log
+@@ -142,6 +143,8 @@ class install(Command):
+ 
+     negative_opt = {'no-compile' : 'compile'}
+ 
++    # Allow Fedora to add components to the prefix
++    _prefix_addition = getattr(sysconfig, '_prefix_addition', '')
+ 
+     def initialize_options(self):
+         """Initializes options."""
+@@ -419,8 +422,10 @@ class install(Command):
                      raise DistutilsOptionError(
                            "must not supply exec-prefix without prefix")
  
 -                self.prefix = os.path.normpath(sys.prefix)
 -                self.exec_prefix = os.path.normpath(sys.exec_prefix)
-+                # self.prefix is set to sys.prefix + /local/
++                self.prefix = (
-+                # if neither RPM build nor virtual environment is
++                    os.path.normpath(sys.prefix) + self._prefix_addition)
-+                # detected to make pip and distutils install packages
++                self.exec_prefix = (
-+                # into the separate location.
++                    os.path.normpath(sys.exec_prefix) + self._prefix_addition)
-+                if (not (hasattr(sys, 'real_prefix') or
-+                    sys.prefix != sys.base_prefix) and
-+                    'RPM_BUILD_ROOT' not in os.environ):
-+                    addition = "/local"
-+                else:
-+                    addition = ""
-+
-+                self.prefix = os.path.normpath(sys.prefix) + addition
-+                self.exec_prefix = os.path.normpath(sys.exec_prefix) + addition
  
              else:
                  if self.exec_prefix is None:
@@ -60,3 +80,31 @@ index 9e617afb00..db14f715f9 100644
      for sitedir in getsitepackages(prefixes):
          if os.path.isdir(sitedir):
              addsitedir(sitedir, known_paths)
+diff --git a/Lib/sysconfig.py b/Lib/sysconfig.py
+index e3f79bfde5..e124104876 100644
+--- a/Lib/sysconfig.py
++++ b/Lib/sysconfig.py
+@@ -86,6 +86,23 @@ _INSTALL_SCHEMES = {
+         },
+     }
+ 
++# Force pip to use distutils paths instead of sysconfig
++# https://github.com/pypa/pip/issues/10647
++_PIP_USE_SYSCONFIG = False
++
++# This is used by distutils.command.install in the stdlib
++# as well as pypa/distutils (e.g. bundled in setuptools).
++# The self.prefix value is set to sys.prefix + /local/
++# if neither RPM build nor virtual environment is
++# detected to make distutils install packages
++# into the separate location.
++# https://fedoraproject.org/wiki/Changes/Making_sudo_pip_safe
++if (not (hasattr(sys, 'real_prefix') or
++    sys.prefix != sys.base_prefix) and
++    'RPM_BUILD_ROOT' not in os.environ):
++    _prefix_addition = "/local"
++
++
+ _SCHEME_KEYS = ('stdlib', 'platstdlib', 'purelib', 'platlib', 'include',
+                 'scripts', 'data')
+ 

SOURCES/00397-tarfile-filter.patch

@@ -0,0 +1,251 @@
+From 8b70605b594b3831331a9340ba764ff751871612 Mon Sep 17 00:00:00 2001
+From: Petr Viktorin <encukou@gmail.com>
+Date: Mon, 6 Mar 2023 17:24:24 +0100
+Subject: [PATCH 2/2] CVE-2007-4559, PEP-706: Add filters for tarfile
+ extraction (downstream)
+
+Add and test RHEL-specific ways of configuring the default behavior: environment
+variable and config file.
+---
+ Lib/tarfile.py           |  42 +++++++++++++
+ Lib/test/test_shutil.py  |   3 +-
+ Lib/test/test_tarfile.py | 128 ++++++++++++++++++++++++++++++++++++++-
+ 3 files changed, 169 insertions(+), 4 deletions(-)
+
+diff --git a/Lib/tarfile.py b/Lib/tarfile.py
+index b6ad7dbe2a4..dc7050b2c63 100755
+--- a/Lib/tarfile.py
++++ b/Lib/tarfile.py
+@@ -72,6 +72,13 @@ __all__ = ["TarFile", "TarInfo", "is_tarfile", "TarError", "ReadError",
+            "ENCODING", "USTAR_FORMAT", "GNU_FORMAT", "PAX_FORMAT",
+            "DEFAULT_FORMAT", "open"]
+ 
++# If true, use the safer (but backwards-incompatible) 'tar' extraction filter,
++# rather than 'fully_trusted', by default.
++# The emitted warning is changed to match.
++_RH_SAFER_DEFAULT = True
++
++# System-wide configuration file
++_CONFIG_FILENAME = '/etc/python/tarfile.cfg'
+ 
+ #---------------------------------------------------------
+ # tar constants
+@@ -2197,6 +2204,41 @@ class TarFile(object):
+         if filter is None:
+             filter = self.extraction_filter
+             if filter is None:
++                name = os.environ.get('PYTHON_TARFILE_EXTRACTION_FILTER')
++                if name is None:
++                    try:
++                        file = bltn_open(_CONFIG_FILENAME)
++                    except FileNotFoundError:
++                        pass
++                    else:
++                        import configparser
++                        conf = configparser.ConfigParser(
++                            interpolation=None,
++                            comment_prefixes=('#', ),
++                        )
++                        with file:
++                            conf.read_file(file)
++                        name = conf.get('tarfile',
++                                        'PYTHON_TARFILE_EXTRACTION_FILTER',
++                                        fallback='')
++                if name:
++                    try:
++                        filter = _NAMED_FILTERS[name]
++                    except KeyError:
++                        raise ValueError(f"filter {filter!r} not found") from None
++                    self.extraction_filter = filter
++                    return filter
++                if _RH_SAFER_DEFAULT:
++                    warnings.warn(
++                        'The default behavior of tarfile extraction has been '
++                        + 'changed to disallow common exploits '
++                        + '(including CVE-2007-4559). '
++                        + 'By default, absolute/parent paths are disallowed '
++                        + 'and some mode bits are cleared. '
++                        + 'See https://access.redhat.com/articles/7004769 '
++                        + 'for more details.',
++                        RuntimeWarning)
++                    return tar_filter
+                 return fully_trusted_filter
+             if isinstance(filter, str):
+                 raise TypeError(
+diff --git a/Lib/test/test_shutil.py b/Lib/test/test_shutil.py
+index 9041e7aa368..1eb1116cc10 100644
+--- a/Lib/test/test_shutil.py
++++ b/Lib/test/test_shutil.py
+@@ -1613,7 +1613,8 @@ class TestArchives(BaseTest, unittest.TestCase):
+     def check_unpack_tarball(self, format):
+         self.check_unpack_archive(format, filter='fully_trusted')
+         self.check_unpack_archive(format, filter='data')
+-        with warnings_helper.check_no_warnings(self):
++        with warnings_helper.check_warnings(
++                ('.*CVE-2007-4559', RuntimeWarning)):
+             self.check_unpack_archive(format)
+ 
+     def test_unpack_archive_tar(self):
+diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
+index a66f7efd2d6..6fd3c384b5c 100644
+--- a/Lib/test/test_tarfile.py
++++ b/Lib/test/test_tarfile.py
+@@ -2,7 +2,7 @@ import sys
+ import os
+ import io
+ from hashlib import sha256
+-from contextlib import contextmanager
++from contextlib import contextmanager, ExitStack
+ from random import Random
+ import pathlib
+ import shutil
+@@ -2929,7 +2929,11 @@ class NoneInfoExtractTests(ReadTest):
+         tar = tarfile.open(tarname, mode='r', encoding="iso8859-1")
+         cls.control_dir = pathlib.Path(TEMPDIR) / "extractall_ctrl"
+         tar.errorlevel = 0
+-        tar.extractall(cls.control_dir, filter=cls.extraction_filter)
++        with ExitStack() as cm:
++            if cls.extraction_filter is None:
++                cm.enter_context(warnings.catch_warnings())
++                warnings.simplefilter(action="ignore", category=RuntimeWarning)
++            tar.extractall(cls.control_dir, filter=cls.extraction_filter)
+         tar.close()
+         cls.control_paths = set(
+             p.relative_to(cls.control_dir)
+@@ -3592,7 +3596,8 @@ class TestExtractionFilters(unittest.TestCase):
+         """Ensure the default filter does not warn (like in 3.12)"""
+         with ArchiveMaker() as arc:
+             arc.add('foo')
+-        with warnings_helper.check_no_warnings(self):
++        with warnings_helper.check_warnings(
++                ('.*CVE-2007-4559', RuntimeWarning)):
+             with self.check_context(arc.open(), None):
+                 self.expect_file('foo')
+ 
+@@ -3762,6 +3767,123 @@ class TestExtractionFilters(unittest.TestCase):
+             self.expect_exception(TypeError)  # errorlevel is not int
+ 
+ 
++    @contextmanager
++    def rh_config_context(self, config_lines=None):
++        """Set up for testing various ways of overriding the default filter
++
++        return a triple with:
++        - temporary directory
++        - EnvironmentVarGuard()
++        - a test archive for use with check_* methods below
++
++        If config_lines is given, write them to the config file. Otherwise
++        the config file is missing.
++        """
++        tempdir = pathlib.Path(TEMPDIR) / 'tmp'
++        configfile = tempdir / 'tarfile.cfg'
++        with ArchiveMaker() as arc:
++            arc.add('good')
++            arc.add('ugly', symlink_to='/etc/passwd')
++            arc.add('../bad')
++        with (
++                support.temp_dir(tempdir),
++                support.swap_attr(tarfile, '_CONFIG_FILENAME', str(configfile)),
++                support.EnvironmentVarGuard() as env,
++                arc.open() as tar,
++        ):
++            if config_lines is not None:
++                with configfile.open('w') as f:
++                    for line in config_lines:
++                        print(line, file=f)
++            yield tempdir, env, tar
++
++    def check_rh_default_behavior(self, tar, tempdir):
++        """Check RH default: warn and refuse to extract dangerous files."""
++        with (
++                warnings_helper.check_warnings(
++                    ('.*CVE-2007-4559', RuntimeWarning)),
++                self.assertRaises(tarfile.OutsideDestinationError),
++        ):
++            tar.extractall(tempdir / 'outdir')
++
++    def check_trusted_default(self, tar, tempdir):
++        """Check 'fully_trusted' is configured as the default filter."""
++        with (
++                warnings_helper.check_no_warnings(self),
++        ):
++            tar.extractall(tempdir / 'outdir')
++            self.assertTrue((tempdir / 'outdir/good').exists())
++            self.assertEqual((tempdir / 'outdir/ugly').readlink(),
++                             pathlib.Path('/etc/passwd'))
++            self.assertTrue((tempdir / 'bad').exists())
++
++    def test_rh_default_no_conf(self):
++        with self.rh_config_context() as (tempdir, env, tar):
++            self.check_rh_default_behavior(tar, tempdir)
++
++    def test_rh_default_from_file(self):
++        lines = ['[tarfile]', 'PYTHON_TARFILE_EXTRACTION_FILTER=fully_trusted']
++        with self.rh_config_context(lines) as (tempdir, env, tar):
++            self.check_trusted_default(tar, tempdir)
++
++    def test_rh_empty_config_file(self):
++        """Empty config file -> default behavior"""
++        lines = []
++        with self.rh_config_context(lines) as (tempdir, env, tar):
++            self.check_rh_default_behavior(tar, tempdir)
++
++    def test_empty_config_section(self):
++        """Empty section in config file -> default behavior"""
++        lines = ['[tarfile]']
++        with self.rh_config_context(lines) as (tempdir, env, tar):
++            self.check_rh_default_behavior(tar, tempdir)
++
++    def test_rh_default_empty_config_option(self):
++        """Empty option value in config file -> default behavior"""
++        lines = ['[tarfile]', 'PYTHON_TARFILE_EXTRACTION_FILTER=']
++        with self.rh_config_context(lines) as (tempdir, env, tar):
++            self.check_rh_default_behavior(tar, tempdir)
++
++    def test_bad_config_option(self):
++        """Bad option value in config file -> ValueError"""
++        lines = ['[tarfile]', 'PYTHON_TARFILE_EXTRACTION_FILTER=unknown!']
++        with self.rh_config_context(lines) as (tempdir, env, tar):
++            with self.assertRaises(ValueError):
++                tar.extractall(tempdir / 'outdir')
++
++    def test_default_from_envvar(self):
++        with self.rh_config_context() as (tempdir, env, tar):
++            env['PYTHON_TARFILE_EXTRACTION_FILTER'] = 'fully_trusted'
++            self.check_trusted_default(tar, tempdir)
++
++    def test_empty_envvar(self):
++        """Empty env variable -> default behavior"""
++        with self.rh_config_context() as (tempdir, env, tar):
++            env['PYTHON_TARFILE_EXTRACTION_FILTER'] = ''
++            self.check_rh_default_behavior(tar, tempdir)
++
++    def test_bad_envvar(self):
++        with self.rh_config_context() as (tempdir, env, tar):
++            env['PYTHON_TARFILE_EXTRACTION_FILTER'] = 'unknown!'
++            with self.assertRaises(ValueError):
++                tar.extractall(tempdir / 'outdir')
++
++    def test_envvar_overrides_file(self):
++        lines = ['[tarfile]', 'PYTHON_TARFILE_EXTRACTION_FILTER=data']
++        with self.rh_config_context(lines) as (tempdir, env, tar):
++            env['PYTHON_TARFILE_EXTRACTION_FILTER'] = 'fully_trusted'
++            self.check_trusted_default(tar, tempdir)
++
++    def test_monkeypatch_overrides_envvar(self):
++        with self.rh_config_context(None) as (tempdir, env, tar):
++            env['PYTHON_TARFILE_EXTRACTION_FILTER'] = 'data'
++            with support.swap_attr(
++                    tarfile.TarFile, 'extraction_filter',
++                    staticmethod(tarfile.fully_trusted_filter)
++            ):
++                self.check_trusted_default(tar, tempdir)
++
++
+ def setUpModule():
+     support.unlink(TEMPDIR)
+     os.makedirs(TEMPDIR)
+-- 
+2.40.1
+

SOURCES/00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch

@@ -0,0 +1,248 @@
+From 4df4fad359c280f2328b98ea9b4414f244624a58 Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Mon, 18 Dec 2023 20:15:33 +0100
+Subject: [PATCH] Make it possible to disable strict parsing in email module
+
+---
+ Doc/library/email.utils.rst       | 26 +++++++++++
+ Lib/email/utils.py                | 54 ++++++++++++++++++++++-
+ Lib/test/test_email/test_email.py | 72 ++++++++++++++++++++++++++++++-
+ 3 files changed, 149 insertions(+), 3 deletions(-)
+
+diff --git a/Doc/library/email.utils.rst b/Doc/library/email.utils.rst
+index d1e1898591..7aef773b5f 100644
+--- a/Doc/library/email.utils.rst
++++ b/Doc/library/email.utils.rst
+@@ -69,6 +69,19 @@ of the new API.
+ 
+    If *strict* is true, use a strict parser which rejects malformed inputs.
+ 
++   The default setting for *strict* is set to ``True``, but you can override
++   it by setting the environment variable ``PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING``
++   to non-empty string.
++
++   Additionally, you can permanently set the default value for *strict* to
++   ``False`` by creating the configuration file ``/etc/python/email.cfg``
++   with the following content:
++
++   .. code-block:: ini
++
++      [email_addr_parsing]
++      PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING = true
++
+    .. versionchanged:: 3.9.20
+       Add *strict* optional parameter and reject malformed inputs by default.
+ 
+@@ -97,6 +110,19 @@ of the new API.
+ 
+    If *strict* is true, use a strict parser which rejects malformed inputs.
+ 
++   The default setting for *strict* is set to ``True``, but you can override
++   it by setting the environment variable ``PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING``
++   to non-empty string.
++
++   Additionally, you can permanently set the default value for *strict* to
++   ``False`` by creating the configuration file ``/etc/python/email.cfg``
++   with the following content:
++
++   .. code-block:: ini
++
++      [email_addr_parsing]
++      PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING = true
++
+    Here's a simple example that gets all the recipients of a message::
+ 
+       from email.utils import getaddresses
+diff --git a/Lib/email/utils.py b/Lib/email/utils.py
+index f83b7e5d7e..b8e90ceb8e 100644
+--- a/Lib/email/utils.py
++++ b/Lib/email/utils.py
+@@ -48,6 +48,46 @@ TICK = "'"
+ specialsre = re.compile(r'[][\\()<>@,:;".]')
+ escapesre = re.compile(r'[\\"]')
+ 
++_EMAIL_CONFIG_FILE = "/etc/python/email.cfg"
++_cached_strict_addr_parsing = None
++
++
++def _use_strict_email_parsing():
++    """"Cache implementation for _cached_strict_addr_parsing"""
++    global _cached_strict_addr_parsing
++    if _cached_strict_addr_parsing is None:
++        _cached_strict_addr_parsing = _use_strict_email_parsing_impl()
++    return _cached_strict_addr_parsing
++
++
++def _use_strict_email_parsing_impl():
++    """Returns True if strict email parsing is not disabled by
++    config file or env variable.
++    """
++    disabled = bool(os.environ.get("PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING"))
++    if disabled:
++        return False
++
++    try:
++        file = open(_EMAIL_CONFIG_FILE)
++    except FileNotFoundError:
++        pass
++    else:
++        with file:
++            import configparser
++            config = configparser.ConfigParser(
++                interpolation=None,
++                comment_prefixes=('#', ),
++
++            )
++            config.read_file(file)
++            disabled = config.getboolean('email_addr_parsing', "PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING", fallback=None)
++
++    if disabled:
++        return False
++
++    return True
++
+ 
+ def _has_surrogates(s):
+     """Return True if s contains surrogate-escaped binary data."""
+@@ -149,7 +189,7 @@ def _strip_quoted_realnames(addr):
+ 
+ supports_strict_parsing = True
+ 
+-def getaddresses(fieldvalues, *, strict=True):
++def getaddresses(fieldvalues, *, strict=None):
+     """Return a list of (REALNAME, EMAIL) or ('','') for each fieldvalue.
+ 
+     When parsing fails for a fieldvalue, a 2-tuple of ('', '') is returned in
+@@ -158,6 +198,11 @@ def getaddresses(fieldvalues, *, strict=True):
+     If strict is true, use a strict parser which rejects malformed inputs.
+     """
+ 
++    # If default is used, it's True unless disabled
++    # by env variable or config file.
++    if strict == None:
++        strict = _use_strict_email_parsing()
++
+     # If strict is true, if the resulting list of parsed addresses is greater
+     # than the number of fieldvalues in the input list, a parsing error has
+     # occurred and consequently a list containing a single empty 2-tuple [('',
+@@ -330,7 +375,7 @@ def parsedate_to_datetime(data):
+             tzinfo=datetime.timezone(datetime.timedelta(seconds=tz)))
+ 
+ 
+-def parseaddr(addr, *, strict=True):
++def parseaddr(addr, *, strict=None):
+     """
+     Parse addr into its constituent realname and email address parts.
+ 
+@@ -339,6 +384,11 @@ def parseaddr(addr, *, strict=True):
+ 
+     If strict is True, use a strict parser which rejects malformed inputs.
+     """
++    # If default is used, it's True unless disabled
++    # by env variable or config file.
++    if strict == None:
++        strict = _use_strict_email_parsing()
++
+     if not strict:
+         addrs = _AddressList(addr).addresslist
+         if not addrs:
+diff --git a/Lib/test/test_email/test_email.py b/Lib/test/test_email/test_email.py
+index ce36efc1b1..05ea201b68 100644
+--- a/Lib/test/test_email/test_email.py
++++ b/Lib/test/test_email/test_email.py
+@@ -7,6 +7,9 @@ import time
+ import base64
+ import unittest
+ import textwrap
++import contextlib
++import tempfile
++import os
+ 
+ from io import StringIO, BytesIO
+ from itertools import chain
+@@ -41,7 +44,7 @@ from email import iterators
+ from email import base64mime
+ from email import quoprimime
+ 
+-from test.support import unlink, start_threads
++from test.support import unlink, start_threads, EnvironmentVarGuard, swap_attr
+ from test.test_email import openfile, TestEmailBase
+ 
+ # These imports are documented to work, but we are testing them using a
+@@ -3313,6 +3316,73 @@ Foo
+         # Test email.utils.supports_strict_parsing attribute
+         self.assertEqual(email.utils.supports_strict_parsing, True)
+ 
++    def test_parsing_errors_strict_set_via_env_var(self):
++        address = 'alice@example.org )Alice('
++        empty = ('', '')
++
++        # Reset cached default value to make the function
++        # reload the config file provided below.
++        utils._cached_strict_addr_parsing = None
++
++        # Strict disabled via env variable, old behavior expected
++        with EnvironmentVarGuard() as environ:
++            environ["PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING"] = "1"
++
++            self.assertEqual(utils.getaddresses([address]),
++                             [('', 'alice@example.org'), ('', ''), ('', 'Alice')])
++            self.assertEqual(utils.parseaddr([address]), ('', address))
++
++        # Clear cache again
++        utils._cached_strict_addr_parsing = None
++
++        # Default strict=True, empty result expected
++        self.assertEqual(utils.getaddresses([address]), [empty])
++        self.assertEqual(utils.parseaddr([address]), empty)
++
++        # Clear cache again
++        utils._cached_strict_addr_parsing = None
++
++        # Empty string in env variable = strict parsing enabled (default)
++        with EnvironmentVarGuard() as environ:
++            environ["PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING"] = ""
++
++            # Default strict=True, empty result expected
++            self.assertEqual(utils.getaddresses([address]), [empty])
++            self.assertEqual(utils.parseaddr([address]), empty)
++
++    @contextlib.contextmanager
++    def _email_strict_parsing_conf(self):
++        """Context for the given email strict parsing configured in config file"""
++        with tempfile.TemporaryDirectory() as tmpdirname:
++            filename = os.path.join(tmpdirname, 'conf.cfg')
++            with swap_attr(utils, "_EMAIL_CONFIG_FILE", filename):
++                with open(filename, 'w') as file:
++                    file.write('[email_addr_parsing]\n')
++                    file.write('PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING = true')
++                utils._EMAIL_CONFIG_FILE = filename
++                yield
++
++    def test_parsing_errors_strict_disabled_via_config_file(self):
++        address = 'alice@example.org )Alice('
++        empty = ('', '')
++
++        # Reset cached default value to make the function
++        # reload the config file provided below.
++        utils._cached_strict_addr_parsing = None
++
++        # Strict disabled via config file, old results expected
++        with self._email_strict_parsing_conf():
++            self.assertEqual(utils.getaddresses([address]),
++                             [('', 'alice@example.org'), ('', ''), ('', 'Alice')])
++            self.assertEqual(utils.parseaddr([address]), ('', address))
++
++        # Clear cache again
++        utils._cached_strict_addr_parsing = None
++
++        # Default strict=True, empty result expected
++        self.assertEqual(utils.getaddresses([address]), [empty])
++        self.assertEqual(utils.parseaddr([address]), empty)
++
+     def test_getaddresses_nasty(self):
+         for addresses, expected in (
+             (['"Sürname, Firstname" <to@example.com>'],
+-- 
+2.43.0
+

SOURCES/00422-fix-tests-for-xmlpullparser-with-expat-2-6-0.patch

@@ -0,0 +1,63 @@
+From 60d40d7095983e0bc23a103b2050adc519dc7fe3 Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Fri, 3 May 2024 14:17:48 +0200
+Subject: [PATCH] Expect failures in tests not working properly with expat with
+ a fixed CVE in RHEL
+
+---
+ Lib/test/test_pyexpat.py   | 1 +
+ Lib/test/test_sax.py       | 1 +
+ Lib/test/test_xml_etree.py | 3 +++
+ 3 files changed, 5 insertions(+)
+
+diff --git a/Lib/test/test_pyexpat.py b/Lib/test/test_pyexpat.py
+index 43cbd27..27b1502 100644
+--- a/Lib/test/test_pyexpat.py
++++ b/Lib/test/test_pyexpat.py
+@@ -793,6 +793,7 @@ class ReparseDeferralTest(unittest.TestCase):
+ 
+         self.assertEqual(started, ['doc'])
+ 
++    @unittest.expectedFailure
+     def test_reparse_deferral_disabled(self):
+         started = []
+ 
+diff --git a/Lib/test/test_sax.py b/Lib/test/test_sax.py
+index 9b3014a..646c92d 100644
+--- a/Lib/test/test_sax.py
++++ b/Lib/test/test_sax.py
+@@ -1240,6 +1240,7 @@ class ExpatReaderTest(XmlTestBase):
+ 
+         self.assertEqual(result.getvalue(), start + b"<doc></doc>")
+ 
++    @unittest.expectedFailure
+     def test_flush_reparse_deferral_disabled(self):
+         result = BytesIO()
+         xmlgen = XMLGenerator(result)
+diff --git a/Lib/test/test_xml_etree.py b/Lib/test/test_xml_etree.py
+index 9c382d1..62f2871 100644
+--- a/Lib/test/test_xml_etree.py
++++ b/Lib/test/test_xml_etree.py
+@@ -1424,9 +1424,11 @@ class XMLPullParserTest(unittest.TestCase):
+         self.assert_event_tags(parser, [('end', 'root')])
+         self.assertIsNone(parser.close())
+ 
++    @unittest.expectedFailure
+     def test_simple_xml_chunk_1(self):
+         self.test_simple_xml(chunk_size=1, flush=True)
+ 
++    @unittest.expectedFailure
+     def test_simple_xml_chunk_5(self):
+         self.test_simple_xml(chunk_size=5, flush=True)
+ 
+@@ -1651,6 +1653,7 @@ class XMLPullParserTest(unittest.TestCase):
+ 
+         self.assert_event_tags(parser, [('end', 'doc')])
+ 
++    @unittest.expectedFailure
+     def test_flush_reparse_deferral_disabled(self):
+         parser = ET.XMLPullParser(events=('start', 'end'))
+ 
+-- 
+2.44.0
+

SOURCES/00450-cve-2025-0938-disallow-square-brackets-and-in-domain-names-for-parsed-urls.patch

@@ -0,0 +1,119 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Seth Michael Larson <seth@python.org>
+Date: Fri, 31 Jan 2025 11:41:34 -0600
+Subject: [PATCH] 00450: CVE-2025-0938: Disallow square brackets ([ and ]) in
+ domain names for parsed URLs
+
+Co-authored-by: Peter Bierma <zintensitydev@gmail.com>
+---
+ Lib/test/test_urlparse.py                     | 37 ++++++++++++++++++-
+ Lib/urllib/parse.py                           | 20 +++++++++-
+ ...-01-28-14-08-03.gh-issue-105704.EnhHxu.rst |  4 ++
+ 3 files changed, 58 insertions(+), 3 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst
+
+diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
+index 6f7d40c212..083d08b22e 100644
+--- a/Lib/test/test_urlparse.py
++++ b/Lib/test/test_urlparse.py
+@@ -1146,16 +1146,51 @@ class UrlParseTestCase(unittest.TestCase):
+         self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[0439:23af::2309::fae7:1234]/Path?Query')
+         self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[0439:23af:2309::fae7:1234:2342:438e:192.0.2.146]/Path?Query')
+         self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@]v6a.ip[/Path')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip]')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip].suffix')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip]/')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip].suffix/')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip]?')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip].suffix?')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]/')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix/')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]?')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix?')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:a')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:a')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:a1')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:a1')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:1a')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:1a')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:/')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:?')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://user@prefix.[v6a.ip]')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://user@[v6a.ip].suffix')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip]')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://]v6a.ip[')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://]v6a.ip')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip[')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip].suffix')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix]v6a.ip[suffix')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix]v6a.ip')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip[suffix')
+ 
+     def test_splitting_bracketed_hosts(self):
+-        p1 = urllib.parse.urlsplit('scheme://user@[v6a.ip]/path?query')
++        p1 = urllib.parse.urlsplit('scheme://user@[v6a.ip]:1234/path?query')
+         self.assertEqual(p1.hostname, 'v6a.ip')
+         self.assertEqual(p1.username, 'user')
+         self.assertEqual(p1.path, '/path')
++        self.assertEqual(p1.port, 1234)
+         p2 = urllib.parse.urlsplit('scheme://user@[0439:23af:2309::fae7%test]/path?query')
+         self.assertEqual(p2.hostname, '0439:23af:2309::fae7%test')
+         self.assertEqual(p2.username, 'user')
+         self.assertEqual(p2.path, '/path')
++        self.assertIs(p2.port, None)
+         p3 = urllib.parse.urlsplit('scheme://user@[0439:23af:2309::fae7:1234:192.0.2.146%test]/path?query')
+         self.assertEqual(p3.hostname, '0439:23af:2309::fae7:1234:192.0.2.146%test')
+         self.assertEqual(p3.username, 'user')
+diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
+index 9d37dcaa90..fb8f7f1ea8 100644
+--- a/Lib/urllib/parse.py
++++ b/Lib/urllib/parse.py
+@@ -443,6 +443,23 @@ def _checknetloc(netloc):
+             raise ValueError("netloc '" + netloc + "' contains invalid " +
+                              "characters under NFKC normalization")
+ 
++def _check_bracketed_netloc(netloc):
++    # Note that this function must mirror the splitting
++    # done in NetlocResultMixins._hostinfo().
++    hostname_and_port = netloc.rpartition('@')[2]
++    before_bracket, have_open_br, bracketed = hostname_and_port.partition('[')
++    if have_open_br:
++        # No data is allowed before a bracket.
++        if before_bracket:
++            raise ValueError("Invalid IPv6 URL")
++        hostname, _, port = bracketed.partition(']')
++        # No data is allowed after the bracket but before the port delimiter.
++        if port and not port.startswith(":"):
++            raise ValueError("Invalid IPv6 URL")
++    else:
++        hostname, _, port = hostname_and_port.partition(':')
++    _check_bracketed_host(hostname)
++
+ # Valid bracketed hosts are defined in
+ # https://www.rfc-editor.org/rfc/rfc3986#page-49 and https://url.spec.whatwg.org/
+ def _check_bracketed_host(hostname):
+@@ -506,8 +523,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
+                 (']' in netloc and '[' not in netloc)):
+             raise ValueError("Invalid IPv6 URL")
+         if '[' in netloc and ']' in netloc:
+-            bracketed_host = netloc.partition('[')[2].partition(']')[0]
+-            _check_bracketed_host(bracketed_host)
++            _check_bracketed_netloc(netloc)
+     if allow_fragments and '#' in url:
+         url, fragment = url.split('#', 1)
+     if '?' in url:
+diff --git a/Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst b/Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst
+new file mode 100644
+index 0000000000..bff1bc6b0d
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst
+@@ -0,0 +1,4 @@
++When using :func:`urllib.parse.urlsplit` and :func:`urllib.parse.urlparse` host
++parsing would not reject domain names containing square brackets (``[`` and
++``]``). Square brackets are only valid for IPv6 and IPvFuture hosts according to
++`RFC 3986 Section 3.2.2 <https://www.rfc-editor.org/rfc/rfc3986#section-3.2.2>`__.

SOURCES/Python-3.9.21.tar.xz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmdPScsACgkQsmmV4xAl
+BWgZtRAAiPehPRc94kRpNn4CuLw9hDFJmucXfG/Pjf9DdQkrmWAMvFS2kpigd9A0
+3QoDbgZPb8k9XtTrbpT4A0j/SYaqnLXOktXE7CEwM1vRTHbUDm62qxRSIa+RXO1d
+h/EqhF1Rpgl37I1GL3mAHew6KjIq3K/aNvJVTtKA+1xy8XpF5Dbk3feDeTucqYaM
+evtCu2SlwQXRvIbqFciMtRC2bmkNHgRVFpuxInjmp82ED0E6yZ/ecHXjb5Da7lDV
+8uRh9aEjMWY4LHTdl2tWaaerLqYZfvHSlz2xY8W5itSgOAzzJNn3dX8P6EKK5ab7
+IV85vqPX1oMcX0seZd3QlVdOxUPf1tKB7Eo7yHz3gV/KgWzFSAHSZFCwiqyfNfj8
+PibYYwtGG0+S7GJ7bZ2iCCgkqrFBoMQ8yOEDxE7Pt36JSXtZ2grtsFB8WAZqhCMa
+luIjiibGkOzzBRX/neW5RYT1HLNzi140G7XEZeRv3CXzuud66+ynLdOK7uFEr8jq
+W0t/fHbrqcSjyEo9L9VDP4Wd9VU/nwf6tb3Py6nPZKM93ZYqtlJNmzxmOyQOmn30
+bRGEQyzcYmEKMWg6zzO57In/WRytB4BgE7Dj7L876TbnJ8YoR8TVpuQ3sDKoSxwo
+gIdNR/6lcqP0HwDFtqBrcwSQ9Dew6wMz0Pp2EwX90EZLwnBvpeI=
+=taeu
+-----END PGP SIGNATURE-----

SOURCES/Python-3.9.9.tar.xz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmGSq04ACgkQsmmV4xAl
-BWjtXQ/8CggiE692fd0jq3sVMNdAarUwWPWTVblm3H0zkwrpkrLAOTZfb+6UMini
-XbXgFBIAERLffO5XHumJgXKR9pkJmYxQ5gjz+9YA5hBswQzj6x6nFqANYj3Jes7N
-GUTohgVgmhfTW8EsJwE+bfRuJfpQaWDS1YHErjvfH+iywpJdagNGoHlxjoFFY4LQ
-pOxO9fe6WqCCqGcGoniyRrGOpoyo59eMezVc9bCOeuvsEhOxcxAJq8bEMrphL0AJ
-EOAsb5AZYsQFZhxbdN//f5CPMJ1eskqYN0ho1LGhL/z0JcRUDpAb4h5YQHcCgQN+
-rNM6keTfFtNEa19ByW74f1fJJw/VgqBHNm6AVnvw9WOJvhlwSei0xeZHZtSL5VtH
-WsJtZuhYqRWCrokjt2HOVD4b8vvAegaEqEPR+SFPBqJJbiHJ/LQTOv+fweQnyo+F
-EXKof0ZXbax7Q/ADIVhd2y3C0hYrpzRKVEk1u643ns0V+wZ2VuilL/k5aB/LaOoy
-Z9O2WoxSw0SMm0etegVyefT5+gj5l/8euXwKWqxKFPhue7pWngwzMPzjkMDcvfYb
-4o21d9vbTFvGAHJ5SCqHPLy5iIf40pfLLZreEXtSMLM1mGMlfGnt270UasUIIxWE
-TxHYHthQX0M2hMW77dc5hcVcRrUNKmf8P7XbnDjc61eSlRgTJaE=
-=2zA6
------END PGP SIGNATURE-----

SPECS/python3.9.spec

@@ -13,7 +13,7 @@ URL: https://www.python.org/
 
 #  WARNING  When rebasing to a new Python version,
 #           remember to update the python3-docs package as well
-%global general_version %{pybasever}.9
+%global general_version %{pybasever}.21
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
@@ -195,6 +195,13 @@ License: Python
 %global py_INSTSONAME_optimized libpython%{LDVERSION_optimized}.so.%{py_SOVERSION}
 %global py_INSTSONAME_debug     libpython%{LDVERSION_debug}.so.%{py_SOVERSION}
 
+# The -O flag for the compiler, optimized builds
+# https://fedoraproject.org/wiki/Changes/Python_built_with_gcc_O3
+%global optflags_optimized -O3
+# The -O flag for the compiler, debug builds
+# -Wno-cpp avoids some warnings with -O0
+%global optflags_debug -O0 -Wno-cpp
+
 # Disable automatic bytecompilation. The python3 binary is not yet be
 # available in /usr/bin when Python is built. Also, the bytecompilation fails
 # on files that test invalid syntax.
@@ -325,10 +332,10 @@ Patch189: 00189-use-rpm-wheels.patch
 # The versions are written in Lib/ensurepip/__init__.py, this patch removes them.
 # When the bundled setuptools/pip wheel is updated, the patch no longer applies cleanly.
 # In such cases, the patch needs to be amended and the versions updated here:
-%global pip_version 21.2.4
+%global pip_version 23.0.1
 %global setuptools_version 58.1.0
 
-# 00251 # 2eabd04356402d488060bc8fe316ad13fc8a3356
+# 00251 # 1b1047c14ff98eae6d355b4aac4df3e388813f62
 # Change user install location
 #
 # Set values of prefix and exec_prefix in distutils install command
@@ -336,7 +343,13 @@ Patch189: 00189-use-rpm-wheels.patch
 # is not detected to make pip and distutils install into separate location.
 #
 # Fedora Change: https://fedoraproject.org/wiki/Changes/Making_sudo_pip_safe
-# Downstream only: Awaiting resources to work on upstream PEP
+# Downstream only: Reworked in Fedora 36+/Python 3.10+ to follow https://bugs.python.org/issue43976
+#
+# pypa/distutils integration: https://github.com/pypa/distutils/pull/70
+#
+# Also set sysconfig._PIP_USE_SYSCONFIG = False, to force pip-upgraded-pip
+# to respect this patched distutils install command.
+# See https://bugzilla.redhat.com/show_bug.cgi?id=2014513
 Patch251: 00251-change-user-install-location.patch
 
 # 00328 # 367fdcb5a075f083aea83ac174999272a8faf75c
@@ -363,8 +376,9 @@ Patch328: 00328-pyc-timestamp-invalidation-mode.patch
 # - In FIPS mode, the blake2 hashes use OpenSSL wrappers
 #   and do not offer extended functionality (keys, tree hashing, custom digest size)
 #
-# - The patch, in its current state, is in a preliminary form to set the groundwork
+# - In FIPS mode, hmac.HMAC can only be instantiated with an OpenSSL wrapper
-#   for refining Python's FIPS compatibility until OpenSSL is FIPS ready.
+#   or a string with OpenSSL hash name as the "digestmod" argument.
+#   The argument must be specified (instead of defaulting to ‘md5’).
 Patch329: 00329-fips.patch
 
 # 00353 # ab4cc97b643cfe99f567e3a03e5617b507183771
@@ -392,6 +406,41 @@ Patch329: 00329-fips.patch
 # a nightmare because it's basically a binary file.
 Patch353: 00353-architecture-names-upstream-downstream.patch
 
+# 00397 #
+# Add filters for tarfile extraction (CVE-2007-4559, PEP-706)
+# First patch fixes determination of symlink targets, which were treated
+# as relative to the root of the archive,
+# rather than the directory containing the symlink.
+# Not yet upstream as of this writing.
+# The second patch is Red Hat configuration, see KB for documentation:
+# - https://access.redhat.com/articles/7004769
+Patch397: 00397-tarfile-filter.patch
+
+# 00415 #
+# [CVE-2023-27043] gh-102988: Reject malformed addresses in email.parseaddr() (#111116)
+#
+# Detect email address parsing errors and return empty tuple to
+# indicate the parsing error (old API). Add an optional 'strict'
+# parameter to getaddresses() and parseaddr() functions. Patch by
+# Thomas Dwyer.
+#
+# Upstream PR: https://github.com/python/cpython/pull/111116
+#
+# This patch implements the possibility to restore the old behavior via
+# config file or environment variable.
+Patch415: 00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch
+
+# 00422 # a353cebef737c41420dc7ae2469dd657371b8881
+# Fix tests for XMLPullParser with Expat 2.6.0
+#
+# Feeding the parser by too small chunks defers parsing to prevent
+# CVE-2023-52425. Future versions of Expat may be more reactive.
+Patch422: 00422-fix-tests-for-xmlpullparser-with-expat-2-6-0.patch
+
+# 00450 # 4ab8663661748eb994c09e4ae89f59eb84c5d3ea
+# CVE-2025-0938: Disallow square brackets ([ and ]) in domain names for parsed URLs
+Patch450: 00450-cve-2025-0938-disallow-square-brackets-and-in-domain-names-for-parsed-urls.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@@ -768,6 +817,9 @@ version once Python %{pybasever} is stable.
 %autopatch -M 188
 
 %if %{with rpmwheels}
+# Temporary workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1954999
+%{?!apply_patch:%define apply_patch(qp:m:) {%__apply_patch %**}}
+
 %apply_patch -q %{PATCH189}
 rm Lib/ensurepip/_bundled/*.whl
 %endif
@@ -854,6 +906,7 @@ BuildPython() {
   ConfName=$1
   ExtraConfigArgs=$2
   MoreCFlags=$3
+  MoreCFlagsNodist=$4
 
   # Each build is done in its own directory
   ConfDir=build/$ConfName
@@ -888,7 +941,7 @@ BuildPython() {
   $ExtraConfigArgs \
   %{nil}
 
-%global flags_override EXTRA_CFLAGS="$MoreCFlags" CFLAGS_NODIST="$CFLAGS_NODIST $MoreCFlags"
+%global flags_override EXTRA_CFLAGS="$MoreCFlags" CFLAGS_NODIST="$CFLAGS_NODIST $MoreCFlags $MoreCFlagsNodist"
 
 %if %{without bootstrap}
   # Regenerate generated files (needs python3)
@@ -911,12 +964,14 @@ BuildPython() {
 # See also: https://bugzilla.redhat.com/show_bug.cgi?id=1818857
 BuildPython debug \
   "--without-ensurepip --with-pydebug" \
-  "-O0 -Wno-cpp"
+  "%{optflags_debug}" \
+  ""
 %endif # with debug_build
 
 BuildPython optimized \
   "--without-ensurepip %{optimizations_flag}" \
-  ""
+  "" \
+  "%{optflags_optimized}"
 
 # ======================================================
 # Installing the built code:
@@ -1015,7 +1070,7 @@ EOF
 %if %{with debug_build}
 InstallPython debug \
   %{py_INSTSONAME_debug} \
-  -O0 \
+  "%{optflags_debug}" \
   %{LDVERSION_debug}
 %endif # with debug_build
 
@@ -1790,6 +1845,113 @@ CheckPython optimized
 # ======================================================
 
 %changelog
+* Mon Feb 10 2025 Charalampos Stratakis <cstratak@redhat.com> - 3.9.21-2
+- Security fix for CVE-2025-0938
+Resolves: RHEL-77263
+
+* Wed Dec 04 2024 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.9.21-1
+- Update to 3.9.21
+- Security fix for CVE-2024-11168 and CVE-2024-9287
+Resolves: RHEL-64889
+Resolves: RHEL-69942
+
+* Mon Sep 09 2024 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.9.20-1
+- Update to 3.9.20
+Resolves: RHEL-57422
+
+* Fri Aug 23 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.9.19-8
+- Security fix for CVE-2024-8088
+Resolves: RHEL-55967
+
+* Tue Aug 13 2024 Lumír Balhar <lbalhar@redhat.com> - 3.9.19-7
+- Security fix for CVE-2024-6923
+Resolves: RHEL-53045
+
+* Thu Aug 01 2024 Miro Hrončok <mhroncok@redhat.com> - 3.9.19-6
+- Ensure 3rd party extension modules for the debug build use the -O0 flag
+
+* Thu Jul 25 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.9.19-5
+- Properly propagate the optimization flags to C extensions
+
+* Thu Jul 18 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.9.19-4
+- Build Python with -O3
+- https://fedoraproject.org/wiki/Changes/Python_built_with_gcc_O3
+
+* Thu Jul 18 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.9.19-3
+- Security fix for CVE-2024-4032
+Resolves: RHEL-44107
+
+* Tue Jun 11 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.9.19-2
+- Enable importing of hash-based .pyc files under FIPS mode
+Resolves: RHEL-40750
+
+* Mon Apr 22 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.9.19-1
+- Update to 3.9.19
+- Security fixes for CVE-2023-6597 and CVE-2024-0450
+- Fix tests for XMLPullParser with Expat with fixed CVE
+Resolves: RHEL-33679, RHEL-33691
+
+* Wed Jan 24 2024 Lumír Balhar <lbalhar@redhat.com> - 3.9.18-3
+- Fix tests on s390x with hw acceleration
+Resolves: RHEL-13043
+
+* Thu Jan 04 2024 Lumír Balhar <lbalhar@redhat.com> - 3.9.18-2
+- Security fix for CVE-2023-27043
+Resolves: RHEL-20613
+
+* Thu Sep 07 2023 Charalampos Stratakis <cstratak@redhat.com> - 3.9.18-1
+- Update to 3.9.18
+- Security fix for CVE-2023-40217
+Resolves: RHEL-3043
+
+* Wed Aug 09 2023 Petr Viktorin <pviktori@redhat.com> - 3.9.17-2
+- Fix symlink handling in the fix for CVE-2023-24329
+Resolves: rhbz#263261
+
+* Mon Jun 26 2023 Charalampos Stratakis <cstratak@redhat.com> - 3.9.17-1
+- Update to 3.9.17
+- Security fix for CVE-2023-24329
+Resolves: rhbz#2173917
+
+* Tue Mar 07 2023 Petr Viktorin <pviktori@redhat.com> - 3.9.16-2
+- Add filters for tarfile extraction (CVE-2007-4559, PEP-706)
+Resolves: rhbz#263261
+
+* Thu Dec 08 2022 Charalampos Stratakis <cstratak@redhat.com> - 3.9.16-1
+- Update to 3.9.16
+- Security fixes for CVE-2022-42919 and CVE-2022-45061
+Resolves: rhbz#2138705, rhbz#2144072
+
+* Wed Sep 21 2022 Charalampos Stratakis <cstratak@redhat.com> - 3.9.14-1
+- Update to 3.9.14
+- Security fixes for CVE-2020-10735 and CVE-2021-28861
+Resolves: rhbz#2120642, rhbz#1834423, rhbz#2128249
+
+* Mon Jul 25 2022 Lumír Balhar <lbalhar@redhat.com> - 3.9.13-3
+- Fix test_get_ciphers in test_ssl.py for FIPS mode
+Resolves: rhbz#2058233
+
+* Thu Jun 09 2022 Charalampos Stratakis <cstratak@redhat.com> - 3.9.13-2
+- Security fix for CVE-2015-20107
+Resolves: rhbz#2075390
+
+* Wed Jun 01 2022 Charalampos Stratakis <cstratak@redhat.com> - 3.9.13-1
+- Update to 3.9.13
+Resolves: rhbz#2054702, rhbz#2059951
+
+* Wed Feb 09 2022 Charalampos Stratakis <cstratak@redhat.com> - 3.9.10-2
+- Fix undefined behavior in Modules/_hashopenssl.c
+Resolves: rhbz#1942527
+
+* Mon Jan 17 2022 Charalampos Stratakis <cstratak@redhat.com> - 3.9.10-1
+- Update to 3.9.10
+- Support OpenSSL FIPS mode
+Resolves: rhbz#1942527, rhbz#1835169
+
+* Sat Jan 08 2022 Miro Hrončok <mhroncok@redhat.com> - 3.9.9-4
+- Instruct pip to use distutils
+- Instruct pypa/distutils to add /local/ addition to prefix
+
 * Mon Nov 22 2021 Tomas Orsava <torsava@redhat.com> - 3.9.9-2
 - Read pre-packaged Python wheels from a newly versioned directory
   /usr/share/python3-wheels