diff --git a/python-doc.changes b/python-doc.changes
index d46c8e7..144c344 100644
--- a/python-doc.changes
+++ b/python-doc.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Feb 9 16:49:52 UTC 2022 - Matej Cepl
+
+- Add CVE-2022-0391-urllib_parse-newline-parsing.patch
+ (bsc#1195396, CVE-2022-0391, bpo#43882) sanitizing URLs
+ containing ASCII newline and tabs in urlparse.
+
 -------------------------------------------------------------------
 Sun Feb 6 07:43:11 UTC 2022 - Matej Cepl
diff --git a/python-doc.spec b/python-doc.spec
index 032beca..de8e30a 100644
--- a/python-doc.spec
+++ b/python-doc.spec
@@ -124,6 +124,10 @@ Patch67: CVE-2020-26116-httplib-header-injection.patch
 # PATCH-FIX-UPSTREAM CVE-2021-4189-ftplib-trust-PASV-resp.patch bsc#1194146 mcepl@suse.com
 # Make ftplib not trust the PASV response. (gh#python/cpython#24838)
 Patch68: CVE-2021-4189-ftplib-trust-PASV-resp.patch
+# PATCH-FIX-UPSTREAM CVE-2022-0391-urllib_parse-newline-parsing.patch bsc#1195396 mcepl@suse.com
+# whole long discussion is on bpo#43882
+# fix for santization URLs containing ASCII newline and tabs in urllib.parse
+Patch69: CVE-2022-0391-urllib_parse-newline-parsing.patch
 # COMMON-PATCH-END
 Provides: pyth_doc = %{version}
 Provides: pyth_ps = %{version}
@@ -199,6 +203,7 @@ Python, and Macintosh Module Reference in PDF format.
 %patch66 -p1
 %patch67 -p1
 %patch68 -p1
+%patch69 -p1
 # For patch 66
 cp -v %{SOURCE66} Lib/test/recursion.tar
diff --git a/python.changes b/python.changes
index d46c8e7..144c344 100644
--- a/python.changes
+++ b/python.changes
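Review bot: The three-line comment above `Patch69:` in the python-doc.spec hunk at `@@ -124,6 +124,10 @@` (repeated verbatim in the matching python.spec hunk) misspells "sanitization" and does not say what the patch does to a URL. Upstream's bpo#43882 change strips ASCII newline and tab characters inside the parser rather than rejecting the URL, which matters to anyone auditing callers that validate the raw string before parsing it; I would word the line as `# Strip ASCII newline and tab characters from URLs before parsing (CVE-2022-0391)`. The comment also names `urllib.parse` while the changelog entry says `urlparse`; if this spec builds Python 2 (inferred, not shown here), the module is `urlparse` and the two should agree. The patch file itself is not part of the visible diff, so it cannot be checked from here whether the backport carries upstream's tests.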
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Feb 9 16:49:52 UTC 2022 - Matej Cepl
+
+- Add CVE-2022-0391-urllib_parse-newline-parsing.patch
+ (bsc#1195396, CVE-2022-0391, bpo#43882) sanitizing URLs
+ containing ASCII newline and tabs in urlparse.
+
 -------------------------------------------------------------------
 Sun Feb 6 07:43:11 UTC 2022 - Matej Cepl
diff --git a/python.spec b/python.spec
index 384e6f1..d6fe97a 100644
--- a/python.spec
+++ b/python.spec
@@ -124,6 +124,10 @@ Patch67: CVE-2020-26116-httplib-header-injection.patch
 # PATCH-FIX-UPSTREAM CVE-2021-4189-ftplib-trust-PASV-resp.patch bsc#1194146 mcepl@suse.com
 # Make ftplib not trust the PASV response. (gh#python/cpython#24838)
 Patch68: CVE-2021-4189-ftplib-trust-PASV-resp.patch
+# PATCH-FIX-UPSTREAM CVE-2022-0391-urllib_parse-newline-parsing.patch bsc#1195396 mcepl@suse.com
+# whole long discussion is on bpo#43882
+# fix for santization URLs containing ASCII newline and tabs in urllib.parse
+Patch69: CVE-2022-0391-urllib_parse-newline-parsing.patch
 # COMMON-PATCH-END
 BuildRequires: automake
 BuildRequires: db-devel
@@ -313,6 +317,7 @@ that rely on earlier non-verification behavior.
 %patch66 -p1
 %patch67 -p1
 %patch68 -p1
+%patch69 -p1
 # For patch 66
 cp -v %{SOURCE66} Lib/test/recursion.tar