diff --git a/python3x-pip.spec b/python3x-pip.spec
index 7de5463..a7061d4 100644
--- a/python3x-pip.spec
+++ b/python3x-pip.spec
@@ -19,7 +19,7 @@
 Name: python3x-%{srcname}
 Version: %{base_version}%{?prerel:~%{prerel}}
-Release: 8%{?dist}
+Release: 9%{?dist}
 Summary: A tool for installing and managing Python packages
 # We bundle a lot of libraries with pip, which itself is under MIT license.
@@ -231,7 +231,9 @@ Recommends: python%{python3_pkgversion}-setuptools
 # Require alternatives version that implements the --keep-foreign flag
 Requires(postun): alternatives >= 1.19.1-1
 # python39 installs the alternatives master symlink to which we attach a slave
-Requires: python%{python3_pkgversion}
+# pip has to require explicit version of python that provides
+# filters in tarfile module (fix for CVE-2007-4559).
+Requires: python%{python3_pkgversion} >= 3.9.17-2
 Requires(post): python%{python3_pkgversion}
 Requires(postun): python%{python3_pkgversion}
@@ -260,6 +262,7 @@ A documentation for a tool for installing and managing Python packages
 %package -n python%{python3_pkgversion}-%{srcname}-wheel
 Summary: The pip wheel
 Requires: ca-certificates
+Conflicts: python%{python3_pkgversion} < 3.9.17-2
 # Virtual provides for the packages bundled by pip:
 %{bundled %{python3_version}}
@@ -467,6 +470,10 @@ fi
 %{python_wheeldir}/%{python_wheelname}
 %changelog
+* Wed Feb 14 2024 Tomáš Hrnčiar - 20.2.4-9
+- Require Python with tarfile filters
+Resolves: RHEL-25457
+
 * Tue Aug 08 2023 Petr Viktorin - 20.2.4-8
 - Use tarfile.data_filter for extracting (CVE-2007-4559, PEP-721, PEP-706)
 Resolves: RHBZ#2218275
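Review bot: The minimum Python build `3.9.17-2` is hard-coded on the new `Requires:` line and again on the `Conflicts:` line added to the -wheel subpackage, so a later bump can change one and miss the other, leaving the wheel installable next to an interpreter without tarfile filters. Define the floor once near the top of the spec, for example `%global python_tarfile_filter_evr 3.9.17-2` (the macro name is only a suggestion), and use it in both tags, or at least add `# Keep in sync with the Conflicts: in the -wheel subpackage` above this line. The dependency constrains only the RPM-installed interpreter; whether the bundled pip fails closed when `tarfile.data_filter` is missing is not visible in this diff and is worth confirming against the patch from release 8.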
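Review bot: The new `Conflicts:` line in the -wheel subpackage has no comment, unlike the commented `Requires:` in the main package, so a reader cannot tell what the version floor protects or why a conflict is used instead of a dependency. Add a line above it such as `# The bundled pip extracts with tarfile filters (CVE-2007-4559); refuse Pythons that lack them.` Presumably `Conflicts:` was chosen so that the wheel does not pull in the interpreter itself; if that is the reason, state it in the comment so that the tag is not later "simplified" into a `Requires:`.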