.gitignore

@@ -1 +1 @@
-SOURCES/Python-3.9.25.tar.xz
+SOURCES/Python-3.9.13.tar.xz

.python39.metadata

@@ -1 +0,0 @@
-36c7257ec30dca042679626d0dff79715acd4efb SOURCES/Python-3.9.25.tar.xz

00001-rpath.patch

@@ -1,10 +1,9 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: David Malcolm <dmalcolm@redhat.com>
 Date: Wed, 13 Jan 2010 21:25:18 +0000
-Subject: 00001: Fixup distutils/unixccompiler.py to remove standard library
+Subject: [PATCH] 00001: Fixup distutils/unixccompiler.py to remove standard
- path from rpath
+ library path from rpath Was Patch0 in ivazquez' python3000 specfile
 
-Was Patch0 in ivazquez' python3000 specfile
 ---
  Lib/distutils/unixccompiler.py | 9 +++++++++
  1 file changed, 9 insertions(+)

00111-no-static-lib.patch

@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: David Malcolm <dmalcolm@redhat.com>
 Date: Mon, 18 Jan 2010 17:59:07 +0000
-Subject: 00111: Don't try to build a libpythonMAJOR.MINOR.a
+Subject: [PATCH] 00111: Don't try to build a libpythonMAJOR.MINOR.a
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

00189-use-rpm-wheels.patch

@@ -1,7 +1,7 @@
 From 2c91575950d4de95d308e30cc4ab20d032b1aceb Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz>
 Date: Wed, 15 Aug 2018 15:36:29 +0200
-Subject: 00189: Instead of bundled wheels, use our RPM packaged wheels
+Subject: [PATCH] 00189: Instead of bundled wheels, use our RPM packaged wheels
 
 We keep them in /usr/share/python-wheels
 
@@ -12,7 +12,7 @@ We might eventually pursuit upstream support, but it's low prio
  1 file changed, 26 insertions(+), 11 deletions(-)
 
 diff --git a/Lib/ensurepip/__init__.py b/Lib/ensurepip/__init__.py
-index d61bb089e3..77d7ec5a65 100644
+index e510cc7..8de2e55 100644
 --- a/Lib/ensurepip/__init__.py
 +++ b/Lib/ensurepip/__init__.py
 @@ -1,3 +1,5 @@
@@ -30,8 +30,8 @@ index d61bb089e3..77d7ec5a65 100644
  
  
  __all__ = ["version", "bootstrap"]
--_SETUPTOOLS_VERSION = "79.0.1"
+-_SETUPTOOLS_VERSION = "58.1.0"
--_PIP_VERSION = "23.0.1"
+-_PIP_VERSION = "22.0.4"
 +
 +_WHEEL_DIR = "/usr/share/python39-wheels/"
 +

00251-change-user-install-location.patch

@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Michal Cyprian <m.cyprian@gmail.com>
 Date: Mon, 26 Jun 2017 16:32:56 +0200
-Subject: 00251: Change user install location
+Subject: [PATCH] 00251: Change user install location
 
 Set values of prefix and exec_prefix in distutils install command
 to /usr/local if executable is /usr/bin/python* and RPM build

00329-fips.patch

@@ -1,4 +1,4 @@
-From 4cef6c756055a15dc33a475c1f405676fa69410c Mon Sep 17 00:00:00 2001
+From 37aa11f4c57e08bd3859c0de1c22f1d5296b6fdc Mon Sep 17 00:00:00 2001
 From: Petr Viktorin <encukou@gmail.com>
 Date: Wed, 11 Aug 2021 16:51:03 +0200
 Subject: [PATCH 01/10] Backport PyModule_AddObjectRef as
@@ -71,10 +71,10 @@ index 13482c6..fca1083 100644
  PyModule_AddIntConstant(PyObject *m, const char *name, long value)
  {
 -- 
-2.45.0
+2.35.3
 
 
-From a115773e979f968edaed8a3419f3ccc34eef8320 Mon Sep 17 00:00:00 2001
+From 3fc28233b7244bb891499a974c3f3cda42454760 Mon Sep 17 00:00:00 2001
 From: Petr Viktorin <encukou@gmail.com>
 Date: Fri, 13 Aug 2021 13:16:43 +0200
 Subject: [PATCH 02/10] _hashopenssl: Uncomment and use initialization function
@@ -144,10 +144,10 @@ index 4db058c..56dfff9 100644
  
      return m;
 -- 
-2.45.0
+2.35.3
 
 
-From 28506af69b2b005bb7a8931624f97273269458a1 Mon Sep 17 00:00:00 2001
+From 309e06621a9a8b8220c8f83d588cc76e1fa2380d Mon Sep 17 00:00:00 2001
 From: Christian Heimes <christian@python.org>
 Date: Sat, 27 Mar 2021 14:55:03 +0100
 Subject: [PATCH 03/10] bpo-40645: use C implementation of HMAC (GH-24920,
@@ -927,10 +927,10 @@ index 68aa765..4466ec4 100644
 -/*[clinic end generated code: output=b6b280e46bf0b139 input=a9049054013a1b77]*/
 +/*[clinic end generated code: output=7ff9aad0bd53e7ce input=a9049054013a1b77]*/
 -- 
-2.45.0
+2.35.3
 
 
-From 1f5f7d3892febb68cf96ef151beab06eae1792ce Mon Sep 17 00:00:00 2001
+From 2656f4998c17d8a63b5b45462a2dae5b1b3d520f Mon Sep 17 00:00:00 2001
 From: Charalampos Stratakis <cstratak@redhat.com>
 Date: Thu, 12 Dec 2019 16:58:31 +0100
 Subject: [PATCH 04/10] Expose blake2b and blake2s hashes from OpenSSL
@@ -944,7 +944,7 @@ used under FIPS.
  3 files changed, 148 insertions(+), 1 deletion(-)
 
 diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py
-index bc11a8d..9a07499 100644
+index f845c7a..7aaeb76 100644
 --- a/Lib/test/test_hashlib.py
 +++ b/Lib/test/test_hashlib.py
 @@ -363,6 +363,12 @@ class HashLibTestCase(unittest.TestCase):
@@ -1137,10 +1137,10 @@ index 4466ec4..54c22b2 100644
 -/*[clinic end generated code: output=7ff9aad0bd53e7ce input=a9049054013a1b77]*/
 +/*[clinic end generated code: output=fab05055e982f112 input=a9049054013a1b77]*/
 -- 
-2.45.0
+2.35.3
 
 
-From 842bd1c8c8a62c342fed848e5a5f0f1d97daeaba Mon Sep 17 00:00:00 2001
+From 652264a57ab6564bfe775d88502776df95cd897d Mon Sep 17 00:00:00 2001
 From: Petr Viktorin <pviktori@redhat.com>
 Date: Thu, 1 Aug 2019 17:57:05 +0200
 Subject: [PATCH 05/10] Use a stronger hash in multiprocessing handshake
@@ -1152,7 +1152,7 @@ https://bugs.python.org/issue17258
  1 file changed, 6 insertions(+), 2 deletions(-)
 
 diff --git a/Lib/multiprocessing/connection.py b/Lib/multiprocessing/connection.py
-index 8e2facf..bb4acb6 100644
+index 510e4b5..b68f2fb 100644
 --- a/Lib/multiprocessing/connection.py
 +++ b/Lib/multiprocessing/connection.py
 @@ -42,6 +42,10 @@ BUFSIZE = 8192
@@ -1166,7 +1166,7 @@ index 8e2facf..bb4acb6 100644
  _mmap_counter = itertools.count()
  
  default_family = 'AF_INET'
-@@ -736,7 +740,7 @@ def deliver_challenge(connection, authkey):
+@@ -741,7 +745,7 @@ def deliver_challenge(connection, authkey):
              "Authkey must be bytes, not {0!s}".format(type(authkey)))
      message = os.urandom(MESSAGE_LENGTH)
      connection.send_bytes(CHALLENGE + message)
@@ -1175,7 +1175,7 @@ index 8e2facf..bb4acb6 100644
      response = connection.recv_bytes(256)        # reject large message
      if response == digest:
          connection.send_bytes(WELCOME)
-@@ -752,7 +756,7 @@ def answer_challenge(connection, authkey):
+@@ -757,7 +761,7 @@ def answer_challenge(connection, authkey):
      message = connection.recv_bytes(256)         # reject large message
      assert message[:len(CHALLENGE)] == CHALLENGE, 'message = %r' % message
      message = message[len(CHALLENGE):]
@@ -1185,10 +1185,10 @@ index 8e2facf..bb4acb6 100644
      response = connection.recv_bytes(256)        # reject large message
      if response != WELCOME:
 -- 
-2.45.0
+2.35.3
 
 
-From 0390f1ea33f8a604467829733541791a29cee4da Mon Sep 17 00:00:00 2001
+From 4a8637f114196b1ab19435ea64c19c7acf77776c Mon Sep 17 00:00:00 2001
 From: Petr Viktorin <pviktori@redhat.com>
 Date: Thu, 25 Jul 2019 17:19:06 +0200
 Subject: [PATCH 06/10] Disable Python's hash implementations in FIPS mode,
@@ -1231,7 +1231,7 @@ index ffa3be0..3e3f4dd 100644
  def __get_builtin_constructor(name):
      cache = __builtin_constructor_cache
 diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py
-index 9a07499..56dfbaa 100644
+index 7aaeb76..fa4a8d7 100644
 --- a/Lib/test/test_hashlib.py
 +++ b/Lib/test/test_hashlib.py
 @@ -35,14 +35,15 @@ else:
@@ -1446,10 +1446,10 @@ index 0bec170..479f4b5 100644
              ))
  
 -- 
-2.45.0
+2.35.3
 
 
-From 667781e01425308ae95f062f8596866a5af76f77 Mon Sep 17 00:00:00 2001
+From 165bcd0377075dbac9fa3f988ed5189668597ab6 Mon Sep 17 00:00:00 2001
 From: Charalampos Stratakis <cstratak@redhat.com>
 Date: Fri, 29 Jan 2021 14:16:21 +0100
 Subject: [PATCH 07/10] Use python's fall back crypto implementations only if
@@ -1565,7 +1565,7 @@ index 3e3f4dd..b842f5f 100644
  
  for __func_name in __always_supported:
 diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py
-index 56dfbaa..05f4a54 100644
+index fa4a8d7..ec6c883 100644
 --- a/Lib/test/test_hashlib.py
 +++ b/Lib/test/test_hashlib.py
 @@ -171,7 +171,13 @@ class HashLibTestCase(unittest.TestCase):
@@ -1604,7 +1604,7 @@ index 56dfbaa..05f4a54 100644
      def test_get_builtin_constructor(self):
          get_builtin_constructor = getattr(hashlib,
                                            '__get_builtin_constructor')
-@@ -1070,6 +1090,7 @@ class KDFTests(unittest.TestCase):
+@@ -1061,6 +1081,7 @@ class KDFTests(unittest.TestCase):
                  iterations=1, dklen=None)
              self.assertEqual(out, self.pbkdf2_results['sha1'][0][0])
  
@@ -1613,10 +1613,10 @@ index 56dfbaa..05f4a54 100644
      def test_pbkdf2_hmac_py(self):
          self._test_pbkdf2_hmac(builtin_hashlib.pbkdf2_hmac, builtin_hashes)
 -- 
-2.45.0
+2.35.3
 
 
-From e36df0297eca09ca1826163f39a812b45558f690 Mon Sep 17 00:00:00 2001
+From f4383a6e0be8b75db2380fdcf0174b09709b613f Mon Sep 17 00:00:00 2001
 From: Charalampos Stratakis <cstratak@redhat.com>
 Date: Wed, 31 Jul 2019 15:43:43 +0200
 Subject: [PATCH 08/10] Test equivalence of hashes for the various digests with
@@ -1659,7 +1659,7 @@ index 0000000..1f99dd7
 +if __name__ == "__main__":
 +    unittest.main()
 diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py
-index 05f4a54..980c773 100644
+index ec6c883..0fd036f 100644
 --- a/Lib/test/test_hashlib.py
 +++ b/Lib/test/test_hashlib.py
 @@ -20,6 +20,7 @@ import warnings
@@ -1755,7 +1755,7 @@ index 05f4a54..980c773 100644
                  return
  
              m = hash_object_constructor(data, **kwargs)
-@@ -983,6 +998,15 @@ class HashLibTestCase(unittest.TestCase):
+@@ -974,6 +989,15 @@ class HashLibTestCase(unittest.TestCase):
          ):
              HASHXOF()
  
@@ -1772,10 +1772,10 @@ index 05f4a54..980c773 100644
  class KDFTests(unittest.TestCase):
  
 -- 
-2.45.0
+2.35.3
 
 
-From 8fc0216da1d6e148bf086c8c137ddc19a33ab642 Mon Sep 17 00:00:00 2001
+From 5ecf11d53225bbe04e35970a834bcc90cd944391 Mon Sep 17 00:00:00 2001
 From: Petr Viktorin <pviktori@redhat.com>
 Date: Mon, 26 Aug 2019 19:39:48 +0200
 Subject: [PATCH 09/10] Guard against Python HMAC in FIPS mode
@@ -1889,43 +1889,287 @@ index adf52ad..41e6a14 100644
      def test_realcopy_old(self):
          # Testing if the copy method created a real copy.
 -- 
-2.45.0
+2.35.3
 
 
-From 4271e404c9aa918368d397654d60e4e845dfc844 Mon Sep 17 00:00:00 2001
+From 532ce8649bf743c029aa5ddb25d74604d9798da9 Mon Sep 17 00:00:00 2001
-From: Nikita Sobolev <mail@sobolevn.me>
+From: Petr Viktorin <encukou@gmail.com>
-Date: Thu, 24 Nov 2022 01:47:31 +0300
+Date: Wed, 25 Aug 2021 16:44:43 +0200
-Subject: [PATCH 10/10] closes gh-99508: fix `TypeError` in
+Subject: [PATCH 10/10] Disable hash-based PYCs in FIPS mode
- `Lib/importlib/_bootstrap_external.py` (GH-99635)
 
+If FIPS mode is on, we can't use siphash-based HMAC
+(_Py_KeyedHash), so:
+
+- Unchecked hash PYCs can be imported, but not created
+- Checked hash PYCs can not be imported nor created
+- The default mode is timestamp-based PYCs, even if
+  SOURCE_DATE_EPOCH is set.
+
+If FIPS mode is off, there are no changes in behavior.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1835169
 ---
- Lib/importlib/_bootstrap_external.py                           | 3 ++-
+ Lib/py_compile.py                             |  2 ++
- .../next/Library/2022-11-21-10-45-54.gh-issue-99508.QqVbby.rst | 2 ++
+ Lib/test/support/__init__.py                  | 14 +++++++++++++
- 2 files changed, 4 insertions(+), 1 deletion(-)
+ Lib/test/test_cmd_line_script.py              |  2 ++
- create mode 100644 Misc/NEWS.d/next/Library/2022-11-21-10-45-54.gh-issue-99508.QqVbby.rst
+ Lib/test/test_compileall.py                   | 11 +++++++++-
+ Lib/test/test_imp.py                          |  2 ++
+ .../test_importlib/source/test_file_loader.py |  6 ++++++
+ Lib/test/test_py_compile.py                   | 11 ++++++++--
+ Lib/test/test_zipimport.py                    |  2 ++
+ Python/import.c                               | 20 +++++++++++++++++++
+ 9 files changed, 67 insertions(+), 3 deletions(-)
 
-diff --git a/Lib/importlib/_bootstrap_external.py b/Lib/importlib/_bootstrap_external.py
+diff --git a/Lib/py_compile.py b/Lib/py_compile.py
-index f0c9f8e..cccf6b2 100644
+index bba3642..02db901 100644
---- a/Lib/importlib/_bootstrap_external.py
+--- a/Lib/py_compile.py
-+++ b/Lib/importlib/_bootstrap_external.py
++++ b/Lib/py_compile.py
-@@ -986,7 +986,8 @@ class SourceLoader(_LoaderBasics):
+@@ -70,7 +70,9 @@ class PycInvalidationMode(enum.Enum):
-                 source_mtime is not None):
+ 
-             if hash_based:
+ 
-                 if source_hash is None:
+ def _get_default_invalidation_mode():
--                    source_hash = _imp.source_hash(source_bytes)
++    import _hashlib
-+                    source_hash = _imp.source_hash(_RAW_MAGIC_NUMBER,
+     if (os.environ.get('SOURCE_DATE_EPOCH') and not
-+                                                   source_bytes)
++            _hashlib.get_fips_mode() and not
-                 data = _code_to_hash_pyc(code_object, source_hash, check_source)
+             os.environ.get('RPM_BUILD_ROOT')):
-             else:
+         return PycInvalidationMode.CHECKED_HASH
-                 data = _code_to_timestamp_pyc(code_object, source_mtime,
+     else:
-diff --git a/Misc/NEWS.d/next/Library/2022-11-21-10-45-54.gh-issue-99508.QqVbby.rst b/Misc/NEWS.d/next/Library/2022-11-21-10-45-54.gh-issue-99508.QqVbby.rst
+diff --git a/Lib/test/support/__init__.py b/Lib/test/support/__init__.py
-new file mode 100644
+index 86ac8f0..dc042f7 100644
-index 0000000..82720d1
+--- a/Lib/test/support/__init__.py
---- /dev/null
++++ b/Lib/test/support/__init__.py
-+++ b/Misc/NEWS.d/next/Library/2022-11-21-10-45-54.gh-issue-99508.QqVbby.rst
+@@ -3294,3 +3294,17 @@ def clear_ignored_deprecations(*tokens: object) -> None:
-@@ -0,0 +1,2 @@
+     if warnings.filters != new_filters:
-+Fix ``TypeError`` in ``Lib/importlib/_bootstrap_external.py`` while calling
+         warnings.filters[:] = new_filters
-+``_imp.source_hash()``.
+         warnings._filters_mutated()
++
++
++def fails_in_fips_mode(expected_error):
++    import _hashlib
++    if _hashlib.get_fips_mode():
++        def _decorator(func):
++            def _wrapper(self, *args, **kwargs):
++                with self.assertRaises(expected_error):
++                    func(self, *args, **kwargs)
++            return _wrapper
++    else:
++        def _decorator(func):
++            return func
++    return _decorator
+diff --git a/Lib/test/test_cmd_line_script.py b/Lib/test/test_cmd_line_script.py
+index 7cb1370..61df232 100644
+--- a/Lib/test/test_cmd_line_script.py
++++ b/Lib/test/test_cmd_line_script.py
+@@ -282,6 +282,7 @@ class CmdLineTest(unittest.TestCase):
+             self._check_script(zip_name, run_name, zip_name, zip_name, '',
+                                zipimport.zipimporter)
+ 
++    @support.fails_in_fips_mode(ImportError)
+     def test_zipfile_compiled_checked_hash(self):
+         with support.temp_dir() as script_dir:
+             script_name = _make_test_script(script_dir, '__main__')
+@@ -292,6 +293,7 @@ class CmdLineTest(unittest.TestCase):
+             self._check_script(zip_name, run_name, zip_name, zip_name, '',
+                                zipimport.zipimporter)
+ 
++    @support.fails_in_fips_mode(ImportError)
+     def test_zipfile_compiled_unchecked_hash(self):
+         with support.temp_dir() as script_dir:
+             script_name = _make_test_script(script_dir, '__main__')
+diff --git a/Lib/test/test_compileall.py b/Lib/test/test_compileall.py
+index ab647d6..7d50f07 100644
+--- a/Lib/test/test_compileall.py
++++ b/Lib/test/test_compileall.py
+@@ -758,14 +758,23 @@ class CommandLineTestsBase:
+         out = self.assertRunOK('badfilename')
+         self.assertRegex(out, b"Can't list 'badfilename'")
+ 
+-    def test_pyc_invalidation_mode(self):
++    @support.fails_in_fips_mode(AssertionError)
++    def test_pyc_invalidation_mode_checked(self):
+         script_helper.make_script(self.pkgdir, 'f1', '')
+         pyc = importlib.util.cache_from_source(
+             os.path.join(self.pkgdir, 'f1.py'))
++
+         self.assertRunOK('--invalidation-mode=checked-hash', self.pkgdir)
+         with open(pyc, 'rb') as fp:
+             data = fp.read()
+         self.assertEqual(int.from_bytes(data[4:8], 'little'), 0b11)
++
++    @support.fails_in_fips_mode(AssertionError)
++    def test_pyc_invalidation_mode_unchecked(self):
++        script_helper.make_script(self.pkgdir, 'f1', '')
++        pyc = importlib.util.cache_from_source(
++            os.path.join(self.pkgdir, 'f1.py'))
++
+         self.assertRunOK('--invalidation-mode=unchecked-hash', self.pkgdir)
+         with open(pyc, 'rb') as fp:
+             data = fp.read()
+diff --git a/Lib/test/test_imp.py b/Lib/test/test_imp.py
+index fe394dc..802f0e8 100644
+--- a/Lib/test/test_imp.py
++++ b/Lib/test/test_imp.py
+@@ -343,6 +343,7 @@ class ImportTests(unittest.TestCase):
+         import _frozen_importlib
+         self.assertEqual(_frozen_importlib.__spec__.origin, "frozen")
+ 
++    @support.fails_in_fips_mode(ImportError)
+     def test_source_hash(self):
+         self.assertEqual(_imp.source_hash(42, b'hi'), b'\xc6\xe7Z\r\x03:}\xab')
+         self.assertEqual(_imp.source_hash(43, b'hi'), b'\x85\x9765\xf8\x9a\x8b9')
+@@ -362,6 +363,7 @@ class ImportTests(unittest.TestCase):
+             res = script_helper.assert_python_ok(*args)
+             self.assertEqual(res.out.strip().decode('utf-8'), expected)
+ 
++    @support.fails_in_fips_mode(ImportError)
+     def test_find_and_load_checked_pyc(self):
+         # issue 34056
+         with support.temp_cwd():
+diff --git a/Lib/test/test_importlib/source/test_file_loader.py b/Lib/test/test_importlib/source/test_file_loader.py
+index ab44722..480cc81 100644
+--- a/Lib/test/test_importlib/source/test_file_loader.py
++++ b/Lib/test/test_importlib/source/test_file_loader.py
+@@ -17,6 +17,7 @@ import types
+ import unittest
+ import warnings
+ 
++from test import support
+ from test.support import make_legacy_pyc, unload
+ 
+ from test.test_py_compile import without_source_date_epoch
+@@ -239,6 +240,7 @@ class SimpleTest(abc.LoaderTests):
+                 loader.load_module('bad name')
+ 
+     @util.writes_bytecode_files
++    @support.fails_in_fips_mode(ImportError)
+     def test_checked_hash_based_pyc(self):
+         with util.create_modules('_temp') as mapping:
+             source = mapping['_temp']
+@@ -270,6 +272,7 @@ class SimpleTest(abc.LoaderTests):
+             )
+ 
+     @util.writes_bytecode_files
++    @support.fails_in_fips_mode(ImportError)
+     def test_overridden_checked_hash_based_pyc(self):
+         with util.create_modules('_temp') as mapping, \
+              unittest.mock.patch('_imp.check_hash_based_pycs', 'never'):
+@@ -295,6 +298,7 @@ class SimpleTest(abc.LoaderTests):
+             self.assertEqual(mod.state, 'old')
+ 
+     @util.writes_bytecode_files
++    @support.fails_in_fips_mode(ImportError)
+     def test_unchecked_hash_based_pyc(self):
+         with util.create_modules('_temp') as mapping:
+             source = mapping['_temp']
+@@ -325,6 +329,7 @@ class SimpleTest(abc.LoaderTests):
+             )
+ 
+     @util.writes_bytecode_files
++    @support.fails_in_fips_mode(ImportError)
+     def test_overridden_unchecked_hash_based_pyc(self):
+         with util.create_modules('_temp') as mapping, \
+              unittest.mock.patch('_imp.check_hash_based_pycs', 'always'):
+@@ -434,6 +439,7 @@ class BadBytecodeTest:
+                                                del_source=del_source)
+             test('_temp', mapping, bc_path)
+ 
++    @support.fails_in_fips_mode(ImportError)
+     def _test_partial_hash(self, test, *, del_source=False):
+         with util.create_modules('_temp') as mapping:
+             bc_path = self.manipulate_bytecode(
+diff --git a/Lib/test/test_py_compile.py b/Lib/test/test_py_compile.py
+index b2d3dcf..7e4b0c5 100644
+--- a/Lib/test/test_py_compile.py
++++ b/Lib/test/test_py_compile.py
+@@ -141,13 +141,16 @@ class PyCompileTestsBase:
+             importlib.util.cache_from_source(bad_coding)))
+ 
+     def test_source_date_epoch(self):
++        import _hashlib
+         py_compile.compile(self.source_path, self.pyc_path)
+         self.assertTrue(os.path.exists(self.pyc_path))
+         self.assertFalse(os.path.exists(self.cache_path))
+         with open(self.pyc_path, 'rb') as fp:
+             flags = importlib._bootstrap_external._classify_pyc(
+                 fp.read(), 'test', {})
+-        if os.environ.get('SOURCE_DATE_EPOCH'):
++        if _hashlib.get_fips_mode():
++            expected_flags = 0b00
++        elif os.environ.get('SOURCE_DATE_EPOCH'):
+             expected_flags = 0b11
+         else:
+             expected_flags = 0b00
+@@ -178,7 +181,8 @@ class PyCompileTestsBase:
+         # Specifying optimized bytecode should lead to a path reflecting that.
+         self.assertIn('opt-2', py_compile.compile(self.source_path, optimize=2))
+ 
+-    def test_invalidation_mode(self):
++    @support.fails_in_fips_mode(ImportError)
++    def test_invalidation_mode_checked(self):
+         py_compile.compile(
+             self.source_path,
+             invalidation_mode=py_compile.PycInvalidationMode.CHECKED_HASH,
+@@ -187,6 +191,9 @@ class PyCompileTestsBase:
+             flags = importlib._bootstrap_external._classify_pyc(
+                 fp.read(), 'test', {})
+         self.assertEqual(flags, 0b11)
++
++    @support.fails_in_fips_mode(ImportError)
++    def test_invalidation_mode_unchecked(self):
+         py_compile.compile(
+             self.source_path,
+             invalidation_mode=py_compile.PycInvalidationMode.UNCHECKED_HASH,
+diff --git a/Lib/test/test_zipimport.py b/Lib/test/test_zipimport.py
+index b7347a3..09ea990 100644
+--- a/Lib/test/test_zipimport.py
++++ b/Lib/test/test_zipimport.py
+@@ -186,6 +186,7 @@ class UncompressedZipImportTestCase(ImportHooksBaseTestCase):
+                  TESTMOD + pyc_ext: (NOW, test_pyc)}
+         self.doTest(pyc_ext, files, TESTMOD)
+ 
++    @support.fails_in_fips_mode(ImportError)
+     def testUncheckedHashBasedPyc(self):
+         source = b"state = 'old'"
+         source_hash = importlib.util.source_hash(source)
+@@ -200,6 +201,7 @@ class UncompressedZipImportTestCase(ImportHooksBaseTestCase):
+             self.assertEqual(mod.state, 'old')
+         self.doTest(None, files, TESTMOD, call=check)
+ 
++    @support.fails_in_fips_mode(ImportError)
+     @unittest.mock.patch('_imp.check_hash_based_pycs', 'always')
+     def test_checked_hash_based_change_pyc(self):
+         source = b"state = 'old'"
+diff --git a/Python/import.c b/Python/import.c
+index 8358d70..1b7fb85 100644
+--- a/Python/import.c
++++ b/Python/import.c
+@@ -2354,6 +2354,26 @@ static PyObject *
+ _imp_source_hash_impl(PyObject *module, long key, Py_buffer *source)
+ /*[clinic end generated code: output=edb292448cf399ea input=9aaad1e590089789]*/
+ {
++    PyObject *_hashlib = PyImport_ImportModule("_hashlib");
++    if (_hashlib == NULL) {
++        return NULL;
++    }
++    PyObject *fips_mode_obj = PyObject_CallMethod(_hashlib, "get_fips_mode", NULL);
++    Py_DECREF(_hashlib);
++    if (fips_mode_obj == NULL) {
++        return NULL;
++    }
++    int fips_mode = PyObject_IsTrue(fips_mode_obj);
++    Py_DECREF(fips_mode_obj);
++    if (fips_mode < 0) {
++        return NULL;
++    }
++    if (fips_mode) {
++        PyErr_SetString(
++            PyExc_ImportError,
++            "hash-based PYC validation (siphash24) not available in FIPS mode");
++        return NULL;
++    };
+     union {
+         uint64_t x;
+         char data[sizeof(uint64_t)];
 -- 
-2.45.0
+2.35.3
 

00353-architecture-names-upstream-downstream.patch

@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Lumir Balhar <lbalhar@redhat.com>
 Date: Tue, 4 Aug 2020 12:04:03 +0200
-Subject: 00353: Original names for architectures with different names
+Subject: [PATCH] 00353: Original names for architectures with different names
  downstream
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8

00382-cve-2015-20107.patch

@@ -0,0 +1,150 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Petr Viktorin <encukou@gmail.com>
+Date: Fri, 3 Jun 2022 11:43:35 +0200
+Subject: [PATCH] 00382: CVE-2015-20107
+
+Make mailcap refuse to match unsafe filenames/types/params (GH-91993)
+
+Upstream: https://github.com/python/cpython/issues/68966
+
+Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390
+---
+ Doc/library/mailcap.rst                       | 12 +++++++++
+ Lib/mailcap.py                                | 26 +++++++++++++++++--
+ Lib/test/test_mailcap.py                      |  8 ++++--
+ ...2-04-27-18-25-30.gh-issue-68966.gjS8zs.rst |  4 +++
+ 4 files changed, 46 insertions(+), 4 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
+
+diff --git a/Doc/library/mailcap.rst b/Doc/library/mailcap.rst
+index a22b5b9c9e..7aa3380fec 100644
+--- a/Doc/library/mailcap.rst
++++ b/Doc/library/mailcap.rst
+@@ -60,6 +60,18 @@ standard.  However, mailcap files are supported on most Unix systems.
+    use) to determine whether or not the mailcap line applies.  :func:`findmatch`
+    will automatically check such conditions and skip the entry if the check fails.
+ 
++   .. versionchanged:: 3.11
++
++      To prevent security issues with shell metacharacters (symbols that have
++      special effects in a shell command line), ``findmatch`` will refuse
++      to inject ASCII characters other than alphanumerics and ``@+=:,./-_``
++      into the returned command line.
++
++      If a disallowed character appears in *filename*, ``findmatch`` will always
++      return ``(None, None)`` as if no entry was found.
++      If such a character appears elsewhere (a value in *plist* or in *MIMEtype*),
++      ``findmatch`` will ignore all mailcap entries which use that value.
++      A :mod:`warning <warnings>` will be raised in either case.
+ 
+ .. function:: getcaps()
+ 
+diff --git a/Lib/mailcap.py b/Lib/mailcap.py
+index ae416a8e9f..444c6408b5 100644
+--- a/Lib/mailcap.py
++++ b/Lib/mailcap.py
+@@ -2,6 +2,7 @@
+ 
+ import os
+ import warnings
++import re
+ 
+ __all__ = ["getcaps","findmatch"]
+ 
+@@ -13,6 +14,11 @@ def lineno_sort_key(entry):
+     else:
+         return 1, 0
+ 
++_find_unsafe = re.compile(r'[^\xa1-\U0010FFFF\w@+=:,./-]').search
++
++class UnsafeMailcapInput(Warning):
++    """Warning raised when refusing unsafe input"""
++
+ 
+ # Part 1: top-level interface.
+ 
+@@ -165,15 +171,22 @@ def findmatch(caps, MIMEtype, key='view', filename="/dev/null", plist=[]):
+     entry to use.
+ 
+     """
++    if _find_unsafe(filename):
++        msg = "Refusing to use mailcap with filename %r. Use a safe temporary filename." % (filename,)
++        warnings.warn(msg, UnsafeMailcapInput)
++        return None, None
+     entries = lookup(caps, MIMEtype, key)
+     # XXX This code should somehow check for the needsterminal flag.
+     for e in entries:
+         if 'test' in e:
+             test = subst(e['test'], filename, plist)
++            if test is None:
++                continue
+             if test and os.system(test) != 0:
+                 continue
+         command = subst(e[key], MIMEtype, filename, plist)
+-        return command, e
++        if command is not None:
++            return command, e
+     return None, None
+ 
+ def lookup(caps, MIMEtype, key=None):
+@@ -206,6 +219,10 @@ def subst(field, MIMEtype, filename, plist=[]):
+             elif c == 's':
+                 res = res + filename
+             elif c == 't':
++                if _find_unsafe(MIMEtype):
++                    msg = "Refusing to substitute MIME type %r into a shell command." % (MIMEtype,)
++                    warnings.warn(msg, UnsafeMailcapInput)
++                    return None
+                 res = res + MIMEtype
+             elif c == '{':
+                 start = i
+@@ -213,7 +230,12 @@ def subst(field, MIMEtype, filename, plist=[]):
+                     i = i+1
+                 name = field[start:i]
+                 i = i+1
+-                res = res + findparam(name, plist)
++                param = findparam(name, plist)
++                if _find_unsafe(param):
++                    msg = "Refusing to substitute parameter %r (%s) into a shell command" % (param, name)
++                    warnings.warn(msg, UnsafeMailcapInput)
++                    return None
++                res = res + param
+             # XXX To do:
+             # %n == number of parts if type is multipart/*
+             # %F == list of alternating type and filename for parts
+diff --git a/Lib/test/test_mailcap.py b/Lib/test/test_mailcap.py
+index c08423c670..920283d9a2 100644
+--- a/Lib/test/test_mailcap.py
++++ b/Lib/test/test_mailcap.py
+@@ -121,7 +121,8 @@ class HelperFunctionTest(unittest.TestCase):
+             (["", "audio/*", "foo.txt"], ""),
+             (["echo foo", "audio/*", "foo.txt"], "echo foo"),
+             (["echo %s", "audio/*", "foo.txt"], "echo foo.txt"),
+-            (["echo %t", "audio/*", "foo.txt"], "echo audio/*"),
++            (["echo %t", "audio/*", "foo.txt"], None),
++            (["echo %t", "audio/wav", "foo.txt"], "echo audio/wav"),
+             (["echo \\%t", "audio/*", "foo.txt"], "echo %t"),
+             (["echo foo", "audio/*", "foo.txt", plist], "echo foo"),
+             (["echo %{total}", "audio/*", "foo.txt", plist], "echo 3")
+@@ -205,7 +206,10 @@ class FindmatchTest(unittest.TestCase):
+              ('"An audio fragment"', audio_basic_entry)),
+             ([c, "audio/*"],
+              {"filename": fname},
+-             ("/usr/local/bin/showaudio audio/*", audio_entry)),
++             (None, None)),
++            ([c, "audio/wav"],
++             {"filename": fname},
++             ("/usr/local/bin/showaudio audio/wav", audio_entry)),
+             ([c, "message/external-body"],
+              {"plist": plist},
+              ("showexternal /dev/null default john python.org     /tmp foo bar", message_entry))
+diff --git a/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
+new file mode 100644
+index 0000000000..da81a1f699
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
+@@ -0,0 +1,4 @@
++The deprecated mailcap module now refuses to inject unsafe text (filenames,
++MIME types, parameters) into shell commands. Instead of using such text, it
++will warn and act as if a match was not found (or for test commands, as if
++the test failed).

Python-3.9.13.tar.xz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmKDr+sACgkQsmmV4xAl
+BWib8A/+I+Gm2Gjf1lTFasrDIQb68gus7q9MjgjWG7HRY64gGqDBq6VcNrhVg+3g
+lGL0Xr6QHkFCIJVlobDAL4UgmNkO0+I2fNhUybKPGT6BOVa4IXHkuWlJX0OBRjY+
+uOw7nCEyLzEA/FbwZXb+0PKJm74s3opjUbu9/9uY7QIqWIiD77UfQ61SDsnRLaQW
+oEULPWFNLbdpMhTn7M/WVUwcxbyrCzjeFJ8rDiEbux3C1AhagTW49NTxOVW722yS
+3mzjuYeyfXBIfaaU9ZHW6Z7B1hbuNVF0AvOcI3nKFUjHYs5hhchM7QnZhdFG6mMN
+7REmBhssGkzWBtsWVbyChHhgVIqv81qUv6tywYMWaZtKfmrgzx2UNg9rx609c5gs
+1dzXWBrh2PFWLUf8U1noSOEz/Q6/fbgdHFj4AUsr+c3zr74FNABbH5VOHS6QP79X
+ic0a9+zBirrSVnLlsHkEO+aXju9ITcU/DUxPIUZxgmOImL4Vx1lsjYaw00csMzA3
+YItkoMwp4Hi7+Tvr/jGaTpKpmW+r00LyQfTfQmst7STDVY9EjlC3Mk2hzqgtFx5Z
+hzb4EtMQNSjwPCvSXVWFFZWsLRu70n81uWfnXRBX7tRAWZoxC44jiOGjEhTJwzs4
+sZAhimk17t3agM0Jf0fTFMPly0mVLQMjbE7OK8GIgv/q4O5R5lc=
+=RYbS
+-----END PGP SIGNATURE-----

SOURCES/00397-tarfile-filter.patch

@@ -1,251 +0,0 @@
-From fc3e5ff91495aaf9905bd38ac61db0c3279d17e0 Mon Sep 17 00:00:00 2001
-From: Petr Viktorin <encukou@gmail.com>
-Date: Fri, 21 Nov 2025 14:30:02 +0100
-Subject: [PATCH] CVE-2007-4559, PEP-706: Add filters for tarfile extraction
- (downstream)
-
-Add and test RHEL-specific ways of configuring the default behavior: environment
-variable and config file.
----
- Lib/tarfile.py           |  42 +++++++++++++
- Lib/test/test_shutil.py  |   3 +-
- Lib/test/test_tarfile.py | 128 ++++++++++++++++++++++++++++++++++++++-
- 3 files changed, 169 insertions(+), 4 deletions(-)
-
-diff --git a/Lib/tarfile.py b/Lib/tarfile.py
-index 209c206..fa3f922 100755
---- a/Lib/tarfile.py
-+++ b/Lib/tarfile.py
-@@ -72,6 +72,13 @@ __all__ = ["TarFile", "TarInfo", "is_tarfile", "TarError", "ReadError",
-            "ENCODING", "USTAR_FORMAT", "GNU_FORMAT", "PAX_FORMAT",
-            "DEFAULT_FORMAT", "open"]
- 
-+# If true, use the safer (but backwards-incompatible) 'tar' extraction filter,
-+# rather than 'fully_trusted', by default.
-+# The emitted warning is changed to match.
-+_RH_SAFER_DEFAULT = True
-+
-+# System-wide configuration file
-+_CONFIG_FILENAME = '/etc/python/tarfile.cfg'
- 
- #---------------------------------------------------------
- # tar constants
-@@ -2253,6 +2260,41 @@ class TarFile(object):
-         if filter is None:
-             filter = self.extraction_filter
-             if filter is None:
-+                name = os.environ.get('PYTHON_TARFILE_EXTRACTION_FILTER')
-+                if name is None:
-+                    try:
-+                        file = bltn_open(_CONFIG_FILENAME)
-+                    except FileNotFoundError:
-+                        pass
-+                    else:
-+                        import configparser
-+                        conf = configparser.ConfigParser(
-+                            interpolation=None,
-+                            comment_prefixes=('#', ),
-+                        )
-+                        with file:
-+                            conf.read_file(file)
-+                        name = conf.get('tarfile',
-+                                        'PYTHON_TARFILE_EXTRACTION_FILTER',
-+                                        fallback='')
-+                if name:
-+                    try:
-+                        filter = _NAMED_FILTERS[name]
-+                    except KeyError:
-+                        raise ValueError(f"filter {filter!r} not found") from None
-+                    self.extraction_filter = filter
-+                    return filter
-+                if _RH_SAFER_DEFAULT:
-+                    warnings.warn(
-+                        'The default behavior of tarfile extraction has been '
-+                        + 'changed to disallow common exploits '
-+                        + '(including CVE-2007-4559). '
-+                        + 'By default, absolute/parent paths are disallowed '
-+                        + 'and some mode bits are cleared. '
-+                        + 'See https://access.redhat.com/articles/7004769 '
-+                        + 'for more details.',
-+                        RuntimeWarning)
-+                    return tar_filter
-                 return fully_trusted_filter
-             if isinstance(filter, str):
-                 raise TypeError(
-diff --git a/Lib/test/test_shutil.py b/Lib/test/test_shutil.py
-index 9041e7a..1eb1116 100644
---- a/Lib/test/test_shutil.py
-+++ b/Lib/test/test_shutil.py
-@@ -1613,7 +1613,8 @@ class TestArchives(BaseTest, unittest.TestCase):
-     def check_unpack_tarball(self, format):
-         self.check_unpack_archive(format, filter='fully_trusted')
-         self.check_unpack_archive(format, filter='data')
--        with warnings_helper.check_no_warnings(self):
-+        with warnings_helper.check_warnings(
-+                ('.*CVE-2007-4559', RuntimeWarning)):
-             self.check_unpack_archive(format)
- 
-     def test_unpack_archive_tar(self):
-diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
-index 17d2239..8b9aea2 100644
---- a/Lib/test/test_tarfile.py
-+++ b/Lib/test/test_tarfile.py
-@@ -3,7 +3,7 @@ import sys
- import os
- import io
- from hashlib import sha256
--from contextlib import contextmanager
-+from contextlib import contextmanager, ExitStack
- from random import Random
- import pathlib
- import shutil
-@@ -2999,7 +2999,11 @@ class NoneInfoExtractTests(ReadTest):
-         tar = tarfile.open(tarname, mode='r', encoding="iso8859-1")
-         cls.control_dir = pathlib.Path(TEMPDIR) / "extractall_ctrl"
-         tar.errorlevel = 0
--        tar.extractall(cls.control_dir, filter=cls.extraction_filter)
-+        with ExitStack() as cm:
-+            if cls.extraction_filter is None:
-+                cm.enter_context(warnings.catch_warnings())
-+                warnings.simplefilter(action="ignore", category=RuntimeWarning)
-+            tar.extractall(cls.control_dir, filter=cls.extraction_filter)
-         tar.close()
-         cls.control_paths = set(
-             p.relative_to(cls.control_dir)
-@@ -4065,7 +4069,8 @@ class TestExtractionFilters(unittest.TestCase):
-         """Ensure the default filter does not warn (like in 3.12)"""
-         with ArchiveMaker() as arc:
-             arc.add('foo')
--        with warnings_helper.check_no_warnings(self):
-+        with warnings_helper.check_warnings(
-+                ('.*CVE-2007-4559', RuntimeWarning)):
-             with self.check_context(arc.open(), None):
-                 self.expect_file('foo')
- 
-@@ -4390,6 +4395,123 @@ class OffsetValidationTests(unittest.TestCase):
-             self.assertEqual(members[0].offset, expected_offset)
- 
- 
-+    @contextmanager
-+    def rh_config_context(self, config_lines=None):
-+        """Set up for testing various ways of overriding the default filter
-+
-+        return a triple with:
-+        - temporary directory
-+        - EnvironmentVarGuard()
-+        - a test archive for use with check_* methods below
-+
-+        If config_lines is given, write them to the config file. Otherwise
-+        the config file is missing.
-+        """
-+        tempdir = pathlib.Path(TEMPDIR) / 'tmp'
-+        configfile = tempdir / 'tarfile.cfg'
-+        with ArchiveMaker() as arc:
-+            arc.add('good')
-+            arc.add('ugly', symlink_to='/etc/passwd')
-+            arc.add('../bad')
-+        with (
-+                support.temp_dir(tempdir),
-+                support.swap_attr(tarfile, '_CONFIG_FILENAME', str(configfile)),
-+                support.EnvironmentVarGuard() as env,
-+                arc.open() as tar,
-+        ):
-+            if config_lines is not None:
-+                with configfile.open('w') as f:
-+                    for line in config_lines:
-+                        print(line, file=f)
-+            yield tempdir, env, tar
-+
-+    def check_rh_default_behavior(self, tar, tempdir):
-+        """Check RH default: warn and refuse to extract dangerous files."""
-+        with (
-+                warnings_helper.check_warnings(
-+                    ('.*CVE-2007-4559', RuntimeWarning)),
-+                self.assertRaises(tarfile.OutsideDestinationError),
-+        ):
-+            tar.extractall(tempdir / 'outdir')
-+
-+    def check_trusted_default(self, tar, tempdir):
-+        """Check 'fully_trusted' is configured as the default filter."""
-+        with (
-+                warnings_helper.check_no_warnings(self),
-+        ):
-+            tar.extractall(tempdir / 'outdir')
-+            self.assertTrue((tempdir / 'outdir/good').exists())
-+            self.assertEqual((tempdir / 'outdir/ugly').readlink(),
-+                             pathlib.Path('/etc/passwd'))
-+            self.assertTrue((tempdir / 'bad').exists())
-+
-+    def test_rh_default_no_conf(self):
-+        with self.rh_config_context() as (tempdir, env, tar):
-+            self.check_rh_default_behavior(tar, tempdir)
-+
-+    def test_rh_default_from_file(self):
-+        lines = ['[tarfile]', 'PYTHON_TARFILE_EXTRACTION_FILTER=fully_trusted']
-+        with self.rh_config_context(lines) as (tempdir, env, tar):
-+            self.check_trusted_default(tar, tempdir)
-+
-+    def test_rh_empty_config_file(self):
-+        """Empty config file -> default behavior"""
-+        lines = []
-+        with self.rh_config_context(lines) as (tempdir, env, tar):
-+            self.check_rh_default_behavior(tar, tempdir)
-+
-+    def test_empty_config_section(self):
-+        """Empty section in config file -> default behavior"""
-+        lines = ['[tarfile]']
-+        with self.rh_config_context(lines) as (tempdir, env, tar):
-+            self.check_rh_default_behavior(tar, tempdir)
-+
-+    def test_rh_default_empty_config_option(self):
-+        """Empty option value in config file -> default behavior"""
-+        lines = ['[tarfile]', 'PYTHON_TARFILE_EXTRACTION_FILTER=']
-+        with self.rh_config_context(lines) as (tempdir, env, tar):
-+            self.check_rh_default_behavior(tar, tempdir)
-+
-+    def test_bad_config_option(self):
-+        """Bad option value in config file -> ValueError"""
-+        lines = ['[tarfile]', 'PYTHON_TARFILE_EXTRACTION_FILTER=unknown!']
-+        with self.rh_config_context(lines) as (tempdir, env, tar):
-+            with self.assertRaises(ValueError):
-+                tar.extractall(tempdir / 'outdir')
-+
-+    def test_default_from_envvar(self):
-+        with self.rh_config_context() as (tempdir, env, tar):
-+            env['PYTHON_TARFILE_EXTRACTION_FILTER'] = 'fully_trusted'
-+            self.check_trusted_default(tar, tempdir)
-+
-+    def test_empty_envvar(self):
-+        """Empty env variable -> default behavior"""
-+        with self.rh_config_context() as (tempdir, env, tar):
-+            env['PYTHON_TARFILE_EXTRACTION_FILTER'] = ''
-+            self.check_rh_default_behavior(tar, tempdir)
-+
-+    def test_bad_envvar(self):
-+        with self.rh_config_context() as (tempdir, env, tar):
-+            env['PYTHON_TARFILE_EXTRACTION_FILTER'] = 'unknown!'
-+            with self.assertRaises(ValueError):
-+                tar.extractall(tempdir / 'outdir')
-+
-+    def test_envvar_overrides_file(self):
-+        lines = ['[tarfile]', 'PYTHON_TARFILE_EXTRACTION_FILTER=data']
-+        with self.rh_config_context(lines) as (tempdir, env, tar):
-+            env['PYTHON_TARFILE_EXTRACTION_FILTER'] = 'fully_trusted'
-+            self.check_trusted_default(tar, tempdir)
-+
-+    def test_monkeypatch_overrides_envvar(self):
-+        with self.rh_config_context(None) as (tempdir, env, tar):
-+            env['PYTHON_TARFILE_EXTRACTION_FILTER'] = 'data'
-+            with support.swap_attr(
-+                    tarfile.TarFile, 'extraction_filter',
-+                    staticmethod(tarfile.fully_trusted_filter)
-+            ):
-+                self.check_trusted_default(tar, tempdir)
-+
-+
- def setUpModule():
-     support.unlink(TEMPDIR)
-     os.makedirs(TEMPDIR)
--- 
-2.51.1
-

SOURCES/00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch

@@ -1,248 +0,0 @@
-From 4df4fad359c280f2328b98ea9b4414f244624a58 Mon Sep 17 00:00:00 2001
-From: Lumir Balhar <lbalhar@redhat.com>
-Date: Mon, 18 Dec 2023 20:15:33 +0100
-Subject: [PATCH] Make it possible to disable strict parsing in email module
-
----
- Doc/library/email.utils.rst       | 26 +++++++++++
- Lib/email/utils.py                | 54 ++++++++++++++++++++++-
- Lib/test/test_email/test_email.py | 72 ++++++++++++++++++++++++++++++-
- 3 files changed, 149 insertions(+), 3 deletions(-)
-
-diff --git a/Doc/library/email.utils.rst b/Doc/library/email.utils.rst
-index d1e1898591..7aef773b5f 100644
---- a/Doc/library/email.utils.rst
-+++ b/Doc/library/email.utils.rst
-@@ -69,6 +69,19 @@ of the new API.
- 
-    If *strict* is true, use a strict parser which rejects malformed inputs.
- 
-+   The default setting for *strict* is set to ``True``, but you can override
-+   it by setting the environment variable ``PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING``
-+   to non-empty string.
-+
-+   Additionally, you can permanently set the default value for *strict* to
-+   ``False`` by creating the configuration file ``/etc/python/email.cfg``
-+   with the following content:
-+
-+   .. code-block:: ini
-+
-+      [email_addr_parsing]
-+      PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING = true
-+
-    .. versionchanged:: 3.9.20
-       Add *strict* optional parameter and reject malformed inputs by default.
- 
-@@ -97,6 +110,19 @@ of the new API.
- 
-    If *strict* is true, use a strict parser which rejects malformed inputs.
- 
-+   The default setting for *strict* is set to ``True``, but you can override
-+   it by setting the environment variable ``PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING``
-+   to non-empty string.
-+
-+   Additionally, you can permanently set the default value for *strict* to
-+   ``False`` by creating the configuration file ``/etc/python/email.cfg``
-+   with the following content:
-+
-+   .. code-block:: ini
-+
-+      [email_addr_parsing]
-+      PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING = true
-+
-    Here's a simple example that gets all the recipients of a message::
- 
-       from email.utils import getaddresses
-diff --git a/Lib/email/utils.py b/Lib/email/utils.py
-index f83b7e5d7e..b8e90ceb8e 100644
---- a/Lib/email/utils.py
-+++ b/Lib/email/utils.py
-@@ -48,6 +48,46 @@ TICK = "'"
- specialsre = re.compile(r'[][\\()<>@,:;".]')
- escapesre = re.compile(r'[\\"]')
- 
-+_EMAIL_CONFIG_FILE = "/etc/python/email.cfg"
-+_cached_strict_addr_parsing = None
-+
-+
-+def _use_strict_email_parsing():
-+    """"Cache implementation for _cached_strict_addr_parsing"""
-+    global _cached_strict_addr_parsing
-+    if _cached_strict_addr_parsing is None:
-+        _cached_strict_addr_parsing = _use_strict_email_parsing_impl()
-+    return _cached_strict_addr_parsing
-+
-+
-+def _use_strict_email_parsing_impl():
-+    """Returns True if strict email parsing is not disabled by
-+    config file or env variable.
-+    """
-+    disabled = bool(os.environ.get("PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING"))
-+    if disabled:
-+        return False
-+
-+    try:
-+        file = open(_EMAIL_CONFIG_FILE)
-+    except FileNotFoundError:
-+        pass
-+    else:
-+        with file:
-+            import configparser
-+            config = configparser.ConfigParser(
-+                interpolation=None,
-+                comment_prefixes=('#', ),
-+
-+            )
-+            config.read_file(file)
-+            disabled = config.getboolean('email_addr_parsing', "PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING", fallback=None)
-+
-+    if disabled:
-+        return False
-+
-+    return True
-+
- 
- def _has_surrogates(s):
-     """Return True if s contains surrogate-escaped binary data."""
-@@ -149,7 +189,7 @@ def _strip_quoted_realnames(addr):
- 
- supports_strict_parsing = True
- 
--def getaddresses(fieldvalues, *, strict=True):
-+def getaddresses(fieldvalues, *, strict=None):
-     """Return a list of (REALNAME, EMAIL) or ('','') for each fieldvalue.
- 
-     When parsing fails for a fieldvalue, a 2-tuple of ('', '') is returned in
-@@ -158,6 +198,11 @@ def getaddresses(fieldvalues, *, strict=True):
-     If strict is true, use a strict parser which rejects malformed inputs.
-     """
- 
-+    # If default is used, it's True unless disabled
-+    # by env variable or config file.
-+    if strict == None:
-+        strict = _use_strict_email_parsing()
-+
-     # If strict is true, if the resulting list of parsed addresses is greater
-     # than the number of fieldvalues in the input list, a parsing error has
-     # occurred and consequently a list containing a single empty 2-tuple [('',
-@@ -330,7 +375,7 @@ def parsedate_to_datetime(data):
-             tzinfo=datetime.timezone(datetime.timedelta(seconds=tz)))
- 
- 
--def parseaddr(addr, *, strict=True):
-+def parseaddr(addr, *, strict=None):
-     """
-     Parse addr into its constituent realname and email address parts.
- 
-@@ -339,6 +384,11 @@ def parseaddr(addr, *, strict=True):
- 
-     If strict is True, use a strict parser which rejects malformed inputs.
-     """
-+    # If default is used, it's True unless disabled
-+    # by env variable or config file.
-+    if strict == None:
-+        strict = _use_strict_email_parsing()
-+
-     if not strict:
-         addrs = _AddressList(addr).addresslist
-         if not addrs:
-diff --git a/Lib/test/test_email/test_email.py b/Lib/test/test_email/test_email.py
-index ce36efc1b1..05ea201b68 100644
---- a/Lib/test/test_email/test_email.py
-+++ b/Lib/test/test_email/test_email.py
-@@ -7,6 +7,9 @@ import time
- import base64
- import unittest
- import textwrap
-+import contextlib
-+import tempfile
-+import os
- 
- from io import StringIO, BytesIO
- from itertools import chain
-@@ -41,7 +44,7 @@ from email import iterators
- from email import base64mime
- from email import quoprimime
- 
--from test.support import unlink, start_threads
-+from test.support import unlink, start_threads, EnvironmentVarGuard, swap_attr
- from test.test_email import openfile, TestEmailBase
- 
- # These imports are documented to work, but we are testing them using a
-@@ -3313,6 +3316,73 @@ Foo
-         # Test email.utils.supports_strict_parsing attribute
-         self.assertEqual(email.utils.supports_strict_parsing, True)
- 
-+    def test_parsing_errors_strict_set_via_env_var(self):
-+        address = 'alice@example.org )Alice('
-+        empty = ('', '')
-+
-+        # Reset cached default value to make the function
-+        # reload the config file provided below.
-+        utils._cached_strict_addr_parsing = None
-+
-+        # Strict disabled via env variable, old behavior expected
-+        with EnvironmentVarGuard() as environ:
-+            environ["PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING"] = "1"
-+
-+            self.assertEqual(utils.getaddresses([address]),
-+                             [('', 'alice@example.org'), ('', ''), ('', 'Alice')])
-+            self.assertEqual(utils.parseaddr([address]), ('', address))
-+
-+        # Clear cache again
-+        utils._cached_strict_addr_parsing = None
-+
-+        # Default strict=True, empty result expected
-+        self.assertEqual(utils.getaddresses([address]), [empty])
-+        self.assertEqual(utils.parseaddr([address]), empty)
-+
-+        # Clear cache again
-+        utils._cached_strict_addr_parsing = None
-+
-+        # Empty string in env variable = strict parsing enabled (default)
-+        with EnvironmentVarGuard() as environ:
-+            environ["PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING"] = ""
-+
-+            # Default strict=True, empty result expected
-+            self.assertEqual(utils.getaddresses([address]), [empty])
-+            self.assertEqual(utils.parseaddr([address]), empty)
-+
-+    @contextlib.contextmanager
-+    def _email_strict_parsing_conf(self):
-+        """Context for the given email strict parsing configured in config file"""
-+        with tempfile.TemporaryDirectory() as tmpdirname:
-+            filename = os.path.join(tmpdirname, 'conf.cfg')
-+            with swap_attr(utils, "_EMAIL_CONFIG_FILE", filename):
-+                with open(filename, 'w') as file:
-+                    file.write('[email_addr_parsing]\n')
-+                    file.write('PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING = true')
-+                utils._EMAIL_CONFIG_FILE = filename
-+                yield
-+
-+    def test_parsing_errors_strict_disabled_via_config_file(self):
-+        address = 'alice@example.org )Alice('
-+        empty = ('', '')
-+
-+        # Reset cached default value to make the function
-+        # reload the config file provided below.
-+        utils._cached_strict_addr_parsing = None
-+
-+        # Strict disabled via config file, old results expected
-+        with self._email_strict_parsing_conf():
-+            self.assertEqual(utils.getaddresses([address]),
-+                             [('', 'alice@example.org'), ('', ''), ('', 'Alice')])
-+            self.assertEqual(utils.parseaddr([address]), ('', address))
-+
-+        # Clear cache again
-+        utils._cached_strict_addr_parsing = None
-+
-+        # Default strict=True, empty result expected
-+        self.assertEqual(utils.getaddresses([address]), [empty])
-+        self.assertEqual(utils.parseaddr([address]), empty)
-+
-     def test_getaddresses_nasty(self):
-         for addresses, expected in (
-             (['"Sürname, Firstname" <to@example.com>'],
--- 
-2.43.0
-

SOURCES/00422-fix-tests-for-xmlpullparser-with-expat-2-6-0.patch

@@ -1,63 +0,0 @@
-From 60d40d7095983e0bc23a103b2050adc519dc7fe3 Mon Sep 17 00:00:00 2001
-From: Lumir Balhar <lbalhar@redhat.com>
-Date: Fri, 3 May 2024 14:17:48 +0200
-Subject: [PATCH] Expect failures in tests not working properly with expat with
- a fixed CVE in RHEL
-
----
- Lib/test/test_pyexpat.py   | 1 +
- Lib/test/test_sax.py       | 1 +
- Lib/test/test_xml_etree.py | 3 +++
- 3 files changed, 5 insertions(+)
-
-diff --git a/Lib/test/test_pyexpat.py b/Lib/test/test_pyexpat.py
-index 43cbd27..27b1502 100644
---- a/Lib/test/test_pyexpat.py
-+++ b/Lib/test/test_pyexpat.py
-@@ -793,6 +793,7 @@ class ReparseDeferralTest(unittest.TestCase):
- 
-         self.assertEqual(started, ['doc'])
- 
-+    @unittest.expectedFailure
-     def test_reparse_deferral_disabled(self):
-         started = []
- 
-diff --git a/Lib/test/test_sax.py b/Lib/test/test_sax.py
-index 9b3014a..646c92d 100644
---- a/Lib/test/test_sax.py
-+++ b/Lib/test/test_sax.py
-@@ -1240,6 +1240,7 @@ class ExpatReaderTest(XmlTestBase):
- 
-         self.assertEqual(result.getvalue(), start + b"<doc></doc>")
- 
-+    @unittest.expectedFailure
-     def test_flush_reparse_deferral_disabled(self):
-         result = BytesIO()
-         xmlgen = XMLGenerator(result)
-diff --git a/Lib/test/test_xml_etree.py b/Lib/test/test_xml_etree.py
-index 9c382d1..62f2871 100644
---- a/Lib/test/test_xml_etree.py
-+++ b/Lib/test/test_xml_etree.py
-@@ -1424,9 +1424,11 @@ class XMLPullParserTest(unittest.TestCase):
-         self.assert_event_tags(parser, [('end', 'root')])
-         self.assertIsNone(parser.close())
- 
-+    @unittest.expectedFailure
-     def test_simple_xml_chunk_1(self):
-         self.test_simple_xml(chunk_size=1, flush=True)
- 
-+    @unittest.expectedFailure
-     def test_simple_xml_chunk_5(self):
-         self.test_simple_xml(chunk_size=5, flush=True)
- 
-@@ -1651,6 +1653,7 @@ class XMLPullParserTest(unittest.TestCase):
- 
-         self.assert_event_tags(parser, [('end', 'doc')])
- 
-+    @unittest.expectedFailure
-     def test_flush_reparse_deferral_disabled(self):
-         parser = ET.XMLPullParser(events=('start', 'end'))
- 
--- 
-2.44.0
-

SOURCES/00452-properly-apply-exported-cflags-for-dtrace-systemtap-builds.patch

@@ -1,51 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: "Miss Islington (bot)"
- <31488909+miss-islington@users.noreply.github.com>
-Date: Mon, 31 Mar 2025 20:29:04 +0200
-Subject: 00452: Properly apply exported CFLAGS for dtrace/systemtap builds
-
-When using --with-dtrace the resulting object file could be missing
-specific CFLAGS exported by the build system due to the systemtap
-script using specific defaults.
-
-Exporting the CC and CFLAGS variables before the dtrace invocation
-allows us to properly apply CFLAGS exported by the build system
-even when cross-compiling.
-
-Co-authored-by: stratakis <cstratak@redhat.com>
----
- Makefile.pre.in                                               | 4 ++--
- .../next/Build/2025-03-31-19-22-41.gh-issue-131865.PIJy7X.rst | 2 ++
- 2 files changed, 4 insertions(+), 2 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Build/2025-03-31-19-22-41.gh-issue-131865.PIJy7X.rst
-
-diff --git a/Makefile.pre.in b/Makefile.pre.in
-index 568018827b..b401724d92 100644
---- a/Makefile.pre.in
-+++ b/Makefile.pre.in
-@@ -989,7 +989,7 @@ Python/frozen.o: $(srcdir)/Python/importlib.h $(srcdir)/Python/importlib_externa
- # an include guard, so we can't use a pipeline to transform its output.
- Include/pydtrace_probes.h: $(srcdir)/Include/pydtrace.d
- 	$(MKDIR_P) Include
--	$(DTRACE) $(DFLAGS) -o $@ -h -s $<
-+	CC="$(CC)" CFLAGS="$(CFLAGS)" $(DTRACE) $(DFLAGS) -o $@ -h -s $<
- 	: sed in-place edit with POSIX-only tools
- 	sed 's/PYTHON_/PyDTrace_/' $@ > $@.tmp
- 	mv $@.tmp $@
-@@ -999,7 +999,7 @@ Python/import.o: $(srcdir)/Include/pydtrace.h
- Modules/gcmodule.o: $(srcdir)/Include/pydtrace.h
- 
- Python/pydtrace.o: $(srcdir)/Include/pydtrace.d $(DTRACE_DEPS)
--	$(DTRACE) $(DFLAGS) -o $@ -G -s $< $(DTRACE_DEPS)
-+	CC="$(CC)" CFLAGS="$(CFLAGS)" $(DTRACE) $(DFLAGS) -o $@ -G -s $< $(DTRACE_DEPS)
- 
- Objects/typeobject.o: Objects/typeslots.inc
- 
-diff --git a/Misc/NEWS.d/next/Build/2025-03-31-19-22-41.gh-issue-131865.PIJy7X.rst b/Misc/NEWS.d/next/Build/2025-03-31-19-22-41.gh-issue-131865.PIJy7X.rst
-new file mode 100644
-index 0000000000..a287e0b228
---- /dev/null
-+++ b/Misc/NEWS.d/next/Build/2025-03-31-19-22-41.gh-issue-131865.PIJy7X.rst
-@@ -0,0 +1,2 @@
-+The DTrace build now properly passes the ``CC`` and ``CFLAGS`` variables
-+to the ``dtrace`` command when utilizing SystemTap on Linux.

SOURCES/Python-3.9.25.tar.xz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmkFBpsACgkQsmmV4xAl
-BWgwbw//Tx78tZg3/tJ47YDzDCf68XurBPbdgSfmmGTRrveMt6nQbV+c7XKS5MKK
-6hP0jt4W8tP6zC/zRPTexqYwetTaM7+ZKuxzwXABXzi+rfmL/L6BtQQpzwK+vesE
-hSSkjl4R2FF3YBrTBNqG0ewf5j4Y41yc4V9UHJWXbmQt6sg/nF+lDvG3K3wzP6zV
-rs6LsayeO3AXhi7+c0q7d2oYTFhv/RPOGl6/fLy5j1bxNNE1i2yeIfcR9BqjqB9y
-Ue1Tea8RGjh3dSq06/8ubpcqf+tlE4cCDkLERqDWSafZnNA5X4eymAQP9urUoH2n
-78X8DXkGbKqyJ+3w97S6zqVnZvL2jSOog8R+yvT5snqzJDp+UK0lcbowPILsOGm4
-BE54dQTG5bT+1bUicvQZIbP4vOswZufl8LGmodkW06edSEcylwO8bHWNcY/gC5HO
-WcTbqTFyV+FtwAJxsfgkqKcI6xUyYHqeMhqCUvkpHFFMjsinVOBFVbow8fgiJGUV
-GIo3kMNPZPirqgl9bhc3F7qvdgVDQsCqnKJ8B1WegdIlKWxXBj3qQB0U4Qbecpdt
-2AhVQAmcOu4LzJYtatDp/0tw6KMr8nWGdofrLVJgzQuu6MmhGW+2cJ0e+wUAxw6v
-OBjQ0o42ylQKeS8VGP4yFbYv1umeeWHje26z9az3uOVUFaAoptk=
-=5qMt
------END PGP SIGNATURE-----

python39.spec

@@ -13,11 +13,11 @@ URL: https://www.python.org/
 
 #  WARNING  When rebasing to a new Python version,
 #           remember to update the python3-docs package as well
-%global general_version %{pybasever}.25
+%global general_version %{pybasever}.13
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 2%{?dist}
+Release: 1%{?dist}
 License: Python
 
 # Exclude i686 arch. Due to a modularity issue it's being added to the
@@ -182,13 +182,6 @@ ExcludeArch: i686
 %global py_INSTSONAME_optimized libpython%{LDVERSION_optimized}.so.%{py_SOVERSION}
 %global py_INSTSONAME_debug     libpython%{LDVERSION_debug}.so.%{py_SOVERSION}
 
-# The -O flag for the compiler, optimized builds
-# https://fedoraproject.org/wiki/Changes/Python_built_with_gcc_O3
-%global optflags_optimized -O3
-# The -O flag for the compiler, debug builds
-# -Wno-cpp avoids some warnings with -O0
-%global optflags_debug -O0 -Wno-cpp
-
 # Disable automatic bytecompilation. The python3 binary is not yet be
 # available in /usr/bin when Python is built. Also, the bytecompilation fails
 # on files that test invalid syntax.
@@ -237,7 +230,6 @@ BuildRequires: libnsl2-devel
 BuildRequires: libtirpc-devel
 BuildRequires: libGL-devel
 BuildRequires: libuuid-devel
-BuildRequires: libxcrypt-devel
 BuildRequires: libX11-devel
 BuildRequires: make
 BuildRequires: ncurses-devel
@@ -250,9 +242,9 @@ BuildRequires: sqlite-devel
 BuildRequires: gdb
 
 BuildRequires: tar
-BuildRequires: tcl-devel < 1:9
+BuildRequires: tcl-devel
 BuildRequires: tix-devel
-BuildRequires: tk-devel < 1:9
+BuildRequires: tk-devel
 BuildRequires: tzdata
 
 %if %{with valgrind}
@@ -304,7 +296,6 @@ Source11: idle3.appdata.xml
 
 # 00001 # d06a8853cf4bae9e115f45e1d531d2dc152c5cc8
 # Fixup distutils/unixccompiler.py to remove standard library path from rpath
-#
 # Was Patch0 in ivazquez' python3000 specfile
 Patch1: 00001-rpath.patch
 
@@ -316,7 +307,7 @@ Patch1: 00001-rpath.patch
 # See https://bugzilla.redhat.com/show_bug.cgi?id=556092
 Patch111: 00111-no-static-lib.patch
 
-# 00189 # 0c6dd5d318a22bbe89e09e1cd5513eaaca549aa5
+# 00189 # 4242864a6a12f1f4cf9fd63a6699a73f35261aa3
 # Instead of bundled wheels, use our RPM packaged wheels
 #
 # We keep them in /usr/share/python-wheels
@@ -328,8 +319,8 @@ Patch189: 00189-use-rpm-wheels.patch
 # The versions are written in Lib/ensurepip/__init__.py, this patch removes them.
 # When the bundled setuptools/pip wheel is updated, the patch no longer applies cleanly.
 # In such cases, the patch needs to be amended and the versions updated here:
-%global pip_version 23.0.1
+%global pip_version 21.2.3
-%global setuptools_version 79.0.1
+%global setuptools_version 57.4.0
 
 # 00251 # 2eabd04356402d488060bc8fe316ad13fc8a3356
 # Change user install location
@@ -424,48 +415,15 @@ Patch353: 00353-architecture-names-upstream-downstream.patch
 # Upstream: https://bugs.python.org/issue46811
 Patch378: 00378-support-expat-2-4-5.patch
 
-# 00397 #
+# 00382 # 9e275dcdf3934b827994ecc3247d583d5bab7985
-# Add filters for tarfile extraction (CVE-2007-4559, PEP-706)
+# CVE-2015-20107
-# First patch fixes determination of symlink targets, which were treated
-# as relative to the root of the archive,
-# rather than the directory containing the symlink.
-# Not yet upstream as of this writing.
-# The second patch is Red Hat configuration, see KB for documentation:
-# - https://access.redhat.com/articles/7004769
-Patch397: 00397-tarfile-filter.patch
-
-# 00415 #
-# [CVE-2023-27043] gh-102988: Reject malformed addresses in email.parseaddr() (#111116)
 #
-# Detect email address parsing errors and return empty tuple to
+# Make mailcap refuse to match unsafe filenames/types/params (GH-91993)
-# indicate the parsing error (old API). Add an optional 'strict'
-# parameter to getaddresses() and parseaddr() functions. Patch by
-# Thomas Dwyer.
 #
-# Upstream PR: https://github.com/python/cpython/pull/111116
+# Upstream: https://github.com/python/cpython/issues/68966
 #
-# This patch implements the possibility to restore the old behavior via
+# Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390
-# config file or environment variable.
+Patch382: 00382-cve-2015-20107.patch
-Patch415: 00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch
-
-# 00422 # a353cebef737c41420dc7ae2469dd657371b8881
-# Fix tests for XMLPullParser with Expat 2.6.0
-#
-# Feeding the parser by too small chunks defers parsing to prevent
-# CVE-2023-52425. Future versions of Expat may be more reactive.
-Patch422: 00422-fix-tests-for-xmlpullparser-with-expat-2-6-0.patch
-
-# 00452 # eb11d070c5af7d1b5e47f4e02186152d08eaf793
-# Properly apply exported CFLAGS for dtrace/systemtap builds
-#
-# When using --with-dtrace the resulting object file could be missing
-# specific CFLAGS exported by the build system due to the systemtap
-# script using specific defaults.
-#
-# Exporting the CC and CFLAGS variables before the dtrace invocation
-# allows us to properly apply CFLAGS exported by the build system
-# even when cross-compiling.
-Patch452: 00452-properly-apply-exported-cflags-for-dtrace-systemtap-builds.patch
 
 # (New patches go here ^^^)
 #
@@ -878,10 +836,7 @@ rm Lib/ensurepip/_bundled/*.whl
 %apply_patch -q %{PATCH329}
 %apply_patch -q %{PATCH353}
 %apply_patch -q %{PATCH378}
-%apply_patch -q %{PATCH397}
+%apply_patch -q %{PATCH382}
-%apply_patch -q %{PATCH415}
-%apply_patch -q %{PATCH422}
-%apply_patch -q %{PATCH452}
 
 # Remove all exe files to ensure we are not shipping prebuilt binaries
 # note that those are only used to create Microsoft Windows installers
@@ -958,7 +913,6 @@ BuildPython() {
   ConfName=$1
   ExtraConfigArgs=$2
   MoreCFlags=$3
-  MoreCFlagsNodist=$4
 
   # Each build is done in its own directory
   ConfDir=build/$ConfName
@@ -993,7 +947,7 @@ BuildPython() {
   $ExtraConfigArgs \
   %{nil}
 
-%global flags_override EXTRA_CFLAGS="$MoreCFlags" CFLAGS_NODIST="$CFLAGS_NODIST $MoreCFlags $MoreCFlagsNodist"
+%global flags_override EXTRA_CFLAGS="$MoreCFlags" CFLAGS_NODIST="$CFLAGS_NODIST $MoreCFlags"
 
 %if %{without bootstrap}
   # Regenerate generated files (needs python3)
@@ -1016,14 +970,12 @@ BuildPython() {
 # See also: https://bugzilla.redhat.com/show_bug.cgi?id=1818857
 BuildPython debug \
   "--without-ensurepip --with-pydebug" \
-  "%{optflags_debug}" \
+  "-O0 -Wno-cpp"
-  ""
 %endif # with debug_build
 
 BuildPython optimized \
   "--without-ensurepip %{optimizations_flag}" \
-  "" \
+  ""
-  "%{optflags_optimized}"
 
 # ======================================================
 # Installing the built code:
@@ -1122,7 +1074,7 @@ EOF
 %if %{with debug_build}
 InstallPython debug \
   %{py_INSTSONAME_debug} \
-  "%{optflags_debug}" \
+  -O0 \
   %{LDVERSION_debug}
 %endif # with debug_build
 
@@ -1322,11 +1274,6 @@ touch %{buildroot}%{_bindir}/python3-config
 touch %{buildroot}%{_bindir}/python3-debug
 touch %{buildroot}%{_bindir}/python3-debug-config
 
-# Strip the LTO bytecode from python.o
-# Based on the fedora brp-strip-lto scriptlet
-# https://src.fedoraproject.org/rpms/redhat-rpm-config/blob/9dd5528cf9805ebfe31cff04fe7828ad06a6023f/f/brp-strip-lto
-find %{buildroot} -type f -name 'python.o' -print0 | xargs -0 \
-bash -c "strip -p -R .gnu.lto_* -R .gnu.debuglto_* -N __gnu_lto_v1 \"\$@\"" ARG0
 
 # ======================================================
 # Checks for packaging issues
@@ -1703,10 +1650,6 @@ fi
 %dir %{pylibdir}/site-packages/
 %dir %{pylibdir}/site-packages/__pycache__/
 %{pylibdir}/site-packages/README.txt
-
-%exclude %{pylibdir}/_sysconfigdata_d_linux_%{platform_triplet}.py
-%exclude %{pylibdir}/__pycache__/_sysconfigdata_d_linux_%{platform_triplet}%{bytecode_suffixes}
-
 %{pylibdir}/*.py
 %dir %{pylibdir}/__pycache__/
 %{pylibdir}/__pycache__/*%{bytecode_suffixes}
@@ -2037,9 +1980,6 @@ fi
 %{dynload_dir}/_testinternalcapi.%{SOABI_debug}.so
 %{dynload_dir}/_testmultiphase.%{SOABI_debug}.so
 
-%{pylibdir}/_sysconfigdata_d_linux_%{platform_triplet}.py
-%{pylibdir}/__pycache__/_sysconfigdata_d_linux_%{platform_triplet}%{bytecode_suffixes}
-
 %endif # with debug_build
 
 # We put the debug-gdb.py file inside /usr/lib/debug to avoid noise from ldconfig
@@ -2063,100 +2003,6 @@ fi
 # ======================================================
 
 %changelog
-* Mon Nov 24 2025 Lumír Balhar <lbalhar@redhat.com> - 3.9.25-2
-- Add explicit BR: libxcrypt-devel
-- Properly apply exported CFLAGS for dtrace/systemtap builds
-- Update to Python 3.9.25
-- Move _sysconfigdata_d_linux*.py to the debug subpackage
-- Fedora contributions by:
-      Björn Esser <besser82@fedoraproject.org>
-      Charalampos Stratakis <cstratak@redhat.com>
-      Karolina Surma <ksurma@redhat.com>
-      Tomas Orsava <torsava@redhat.com>
-      Tomáš Hrnčiar <thrnciar@redhat.com>
-Resolves: RHEL-128539
-
-* Tue Aug 19 2025 Lumír Balhar <lbalhar@redhat.com> - 3.9.20-2
-- Security fix for CVE-2025-8194
-Resolves: RHEL-106359
-
-* Mon Sep 09 2024 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.9.20-1
-- Update to 3.9.20
-Resolves: RHEL-60007
-
-* Fri Aug 23 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.9.19-7
-- Security fix for CVE-2024-8088
-Resolves: RHEL-55954
-
-* Tue Aug 13 2024 Lumír Balhar <lbalhar@redhat.com> - 3.9.19-6
-- Security fix for CVE-2024-6923
-Resolves: RHEL-53102
-
-* Thu Jul 25 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.9.19-5
-- Properly propagate the optimization flags to C extensions
-
-* Thu Jul 18 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.9.19-4
-- Build Python with -O3
-- https://fedoraproject.org/wiki/Changes/Python_built_with_gcc_O3
-
-* Thu Jul 18 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.9.19-3
-- Security fix for CVE-2024-4032
-Resolves: RHEL-44094
-
-* Tue Jun 11 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.9.19-2
-- Enable importing of hash-based .pyc files under FIPS mode
-Resolves: RHEL-40786
-
-* Mon Apr 22 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.9.19-1
-- Update to 3.9.19
-- Security fixes for CVE-2023-6597 and CVE-2024-0450
-- Fix tests for XMLPullParser with Expat with fixed CVE
-Resolves: RHEL-33676, RHEL-33688
-
-* Wed Jan 17 2024 Lumír Balhar <lbalhar@redhat.com> - 3.9.18-3
-- Skip tests failing on s390x
-Resolves: RHEL-21905
-
-* Tue Jan 16 2024 Lumír Balhar <lbalhar@redhat.com> - 3.9.18-2
-- Security fix for CVE-2023-27043
-Resolves: RHEL-5561
-
-* Thu Sep 07 2023 Charalampos Stratakis <cstratak@redhat.com> - 3.9.18-1
-- Update to 3.9.18
-- Security fix for CVE-2023-40217
-Resolves: RHEL-3238
-
-* Wed Aug 09 2023 Petr Viktorin <pviktori@redhat.com> - 3.9.17-2
-- Fix symlink handling in the fix for CVE-2023-24329
-Resolves: rhbz#263261
-
-* Mon Jul 17 2023 Charalampos Stratakis <cstratak@redhat.com> - 3.9.17-1
-- Rebase to 3.9.17
-- Security fix for CVE-2023-24329
-Resolves: rhbz#2173917
-
-* Wed Jul 12 2023 Charalampos Stratakis <cstratak@redhat.com> - 3.9.16-3
-- Strip the LTO bytecode from python.o
-Resolves: rhbz#2213527
-
-* Mon Jun 19 2023 Petr Viktorin <pviktori@redhat.com> - 3.9.16-2
-- Add filters for tarfile extraction (CVE-2007-4559, PEP-706)
-Resolves: rhbz#263261
-
-* Tue Dec 13 2022 Charalampos Stratakis <cstratak@redhat.com> - 3.9.16-1
-- Update to 3.9.16
-- Security fix for CVE-2022-45061
-Resolves: rhbz#2144072
-
-* Mon Nov 07 2022 Lumír Balhar <lbalhar@redhat.com> - 3.9.14-2
-- Fix for CVE-2022-42919
-Resolves: rhbz#2138705
-
-* Mon Sep 12 2022 Charalampos Stratakis <cstratak@redhat.com> - 3.9.14-1
-- Update to 3.9.14
-- Security fixes for CVE-2020-10735 and CVE-2021-28861
-Resolves: rhbz#1834423, rhbz#2120642
-
 * Tue Jun 14 2022 Charalampos Stratakis <cstratak@redhat.com> - 3.9.13-1
 - Update to 3.9.13
 - Security fix for CVE-2015-20107

sources

@@ -0,0 +1 @@
+SHA512 (Python-3.9.13.tar.xz) = e9664e7f908092df11236b22465d217531d6f0378e88d889108d19fe77f28f46ffb629b8733f84b41409e255367321893a2b1bd64518930d9d8cae5d1b774d23