diff --git a/python311.changes b/python311.changes
index aa6f5b9..9934ec1 100644
--- a/python311.changes
+++ b/python311.changes
@@ -5,6 +5,9 @@ Sun Apr 30 18:13:16 UTC 2023 - Matej Cepl <mcepl@suse.com>
 - Add 103213-fetch-CONFIG_ARGS.patch (gh#python/cpython#103053).
 - Add skip_if_buildbot-extend.patch to avoid the bug altogether
   (extending what skip_if_buildbot covers).
+- Add CVE-2007-4559-filter-tarfile_extractall.patch to fix
+  bsc#1203750 (CVE-2007-4559) and implementing "PEP 706 – Filter
+  for tarfile.extractall".
 
 -------------------------------------------------------------------
 Thu Apr 27 21:57:15 UTC 2023 - Matej Cepl <mcepl@suse.com>
@@ -15,9 +18,6 @@ Thu Apr 27 21:57:15 UTC 2023 - Matej Cepl <mcepl@suse.com>
       and macOS binary release builds to 1.1.1t to address
       CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303 per the
       OpenSSL 2023-02-07 security advisory.
-    - gh-101283: subprocess.Popen now uses a safer approach to
-      find cmd.exe when launching with shell=True. Patch by Eryk
-      Sun, based on a patch by Oleg Iarygin.
   - Core and Builtins
     - gh-101975: Fixed stacktop value on tracing entries to avoid
       corruption on garbage collection.