diff --git a/CVE-2019-9674-zip-bomb.patch b/CVE-2019-9674-zip-bomb.patch
new file mode 100644
index 0000000..1ea9d99
--- /dev/null
+++ b/CVE-2019-9674-zip-bomb.patch
@@ -0,0 +1,69 @@
+From b73fe12d4d85fc92e4b9658e417046b68fb68ecc Mon Sep 17 00:00:00 2001
+From: nick sung <sungboss2004@gmail.com>
+Date: Fri, 17 May 2019 15:45:31 +0800
+Subject: [PATCH 1/4] bpo-36260: Add pitfalls to zipfile module documentation
+
+We saw vulnerability warning description (including zip bomb) in Doc/library/xml.rst file.
+This gave us the idea of documentation improvement.
+
+So, we moved a little bit forward :P
+And the doc patch can be found (pr).
+---
+ Doc/library/zipfile.rst | 29 +++++++++++++++++++++++++++++
+ 1 file changed, 29 insertions(+)
+
+--- a/Doc/library/zipfile.rst
++++ b/Doc/library/zipfile.rst
+@@ -553,5 +553,47 @@ Command-line options
+ 
+    Test whether the zipfile is valid or not.
+ 
++Decompression pitfalls
++----------------------
+ 
++The extraction in zipfile module might fail due to some pitfalls
++listed below.
++
++From file itself
++~~~~~~~~~~~~~~~~
++
++Decompression may fail due to incorrect password / CRC checksum
++/ ZIP format or unsupported compression method / decryption.
++
++File System limitations
++~~~~~~~~~~~~~~~~~~~~~~~
++
++Exceeding limitations on different file systems can cause
++decompression failed. Such as allowable characters in the
++directory entries, length of the file name, length of the
++pathname, size of a single file, and number of files, etc.
++
++Resources limitations
++~~~~~~~~~~~~~~~~~~~~~
++
++The lack of memory or disk volume would lead to decompression
++failed. For example, decompression bombs (aka `ZIP bomb`_) apply
++to zipfile library that can cause disk volume exhaustion.
++
++Interruption
++~~~~~~~~~~~~
++
++Interruption during the decompression, such as pressing control-C
++or killing the decompression process may result in incomplete
++decompression of the archive.
++
++Default behaviors of extraction
++~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
++
++Not knowing the default extraction behaviors can cause unexpected
++decompression results. For example, when extracting the same
++archive twice, it overwrites files without asking.
++
++
++.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb
+ .. _PKZIP Application Note: https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT
+--- /dev/null
++++ b/Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst
+@@ -0,0 +1 @@
++Add decompression pitfalls to zipfile module documentation.
+\ No newline at end of file
diff --git a/python-base.spec b/python-base.spec
index 3c763ee..39396d2 100644
--- a/python-base.spec
+++ b/python-base.spec
@@ -91,6 +91,9 @@ Patch57:        python-2.7.17-switch-off-failing-SSL-tests.patch
 # Fixes Python urrlib allowed an HTTP server to conduct Regular
 # Expression Denial of Service (ReDoS)
 Patch58:        CVE-2020-8492-urllib-ReDoS.patch
+# PATCH-FIX-UPSTREAM CVE-2019-9674-zip-bomb.patch bsc#1162825 mcepl@suse.com
+# Improve documentation warning against the possible zip bombs
+Patch59:        CVE-2019-9674-zip-bomb.patch
 # COMMON-PATCH-END
 %define         python_version    %(echo %{tarversion} | head -c 3)
 BuildRequires:  automake
@@ -215,6 +218,7 @@ other applications.
 %patch55 -p1
 %patch56 -p1
 %patch58 -p1
+%patch59 -p1
 
 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac
diff --git a/python-doc.changes b/python-doc.changes
index 48fd0c3..b935f47 100644
--- a/python-doc.changes
+++ b/python-doc.changes
@@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Sat Feb  8 22:30:51 CET 2020 - Matej Cepl <mcepl@suse.com>
+
+- Change to Requires: libpython%{so_version} == %{version}-%{release}
+  to python-base to keep both packages always synchronized (add
+  %{so_version}) (bsc#1162224).
+
+-------------------------------------------------------------------
+Thu Feb  6 23:14:47 CET 2020 - Matej Cepl <mcepl@suse.com>
+
+- Add CVE-2020-8492-urllib-ReDoS.patch fixing the security bug
+  "Python urrlib allowed an HTTP server to conduct Regular
+  Expression Denial of Service (ReDoS)" (bsc#1162367)
+
 -------------------------------------------------------------------
 Mon Feb  3 19:30:31 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com>
 
diff --git a/python-doc.spec b/python-doc.spec
index 2a9d992..12bd25a 100644
--- a/python-doc.spec
+++ b/python-doc.spec
@@ -85,6 +85,13 @@ Patch55:        bpo36302-sort-module-sources.patch
 Patch56:        adapted-from-F00251-change-user-install-location.patch
 # Switch couple of tests failing on acient SLE-12
 Patch57:        python-2.7.17-switch-off-failing-SSL-tests.patch
+# PATCH-FIX-UPSTREAM CVE-2020-8492-urllib-ReDoS.patch bsc#1162367 mcepl@suse.com
+# Fixes Python urrlib allowed an HTTP server to conduct Regular
+# Expression Denial of Service (ReDoS)
+Patch58:        CVE-2020-8492-urllib-ReDoS.patch
+# PATCH-FIX-UPSTREAM CVE-2019-9674-zip-bomb.patch bsc#1162825 mcepl@suse.com
+# Improve documentation warning against the possible zip bombs
+Patch59:        CVE-2019-9674-zip-bomb.patch
 # COMMON-PATCH-END
 Provides:       pyth_doc
 Provides:       pyth_ps
@@ -149,6 +156,8 @@ Python, and Macintosh Module Reference in PDF format.
 %patch51 -p1
 %patch55 -p1
 %patch56 -p1
+%patch58 -p1
+%patch59 -p1
 
 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac
diff --git a/python.changes b/python.changes
index 48fd0c3..b935f47 100644
--- a/python.changes
+++ b/python.changes
@@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Sat Feb  8 22:30:51 CET 2020 - Matej Cepl <mcepl@suse.com>
+
+- Change to Requires: libpython%{so_version} == %{version}-%{release}
+  to python-base to keep both packages always synchronized (add
+  %{so_version}) (bsc#1162224).
+
+-------------------------------------------------------------------
+Thu Feb  6 23:14:47 CET 2020 - Matej Cepl <mcepl@suse.com>
+
+- Add CVE-2020-8492-urllib-ReDoS.patch fixing the security bug
+  "Python urrlib allowed an HTTP server to conduct Regular
+  Expression Denial of Service (ReDoS)" (bsc#1162367)
+
 -------------------------------------------------------------------
 Mon Feb  3 19:30:31 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com>
 
diff --git a/python.spec b/python.spec
index 9ab49f0..1fb2188 100644
--- a/python.spec
+++ b/python.spec
@@ -89,6 +89,13 @@ Patch55:        bpo36302-sort-module-sources.patch
 Patch56:        adapted-from-F00251-change-user-install-location.patch
 # Switch couple of tests failing on acient SLE-12
 Patch57:        python-2.7.17-switch-off-failing-SSL-tests.patch
+# PATCH-FIX-UPSTREAM CVE-2020-8492-urllib-ReDoS.patch bsc#1162367 mcepl@suse.com
+# Fixes Python urrlib allowed an HTTP server to conduct Regular
+# Expression Denial of Service (ReDoS)
+Patch58:        CVE-2020-8492-urllib-ReDoS.patch
+# PATCH-FIX-UPSTREAM CVE-2019-9674-zip-bomb.patch bsc#1162825 mcepl@suse.com
+# Improve documentation warning against the possible zip bombs
+Patch59:        CVE-2019-9674-zip-bomb.patch
 # COMMON-PATCH-END
 BuildRequires:  automake
 BuildRequires:  db-devel
@@ -267,6 +274,8 @@ that rely on earlier non-verification behavior.
 %patch51 -p1
 %patch55 -p1
 %patch56 -p1
+%patch58 -p1
+%patch59 -p1
 
 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac