Update to 3.13.11

CVE-2025-6075-expandvars-perf-degrad.patch

@@ -1,373 +0,0 @@
-From 4fc21099da844f85b799d3c4c8b1b5936faa4cdc Mon Sep 17 00:00:00 2001
-From: Serhiy Storchaka <storchaka@gmail.com>
-Date: Fri, 31 Oct 2025 15:49:51 +0200
-Subject: [PATCH 1/2] [3.13] gh-136065: Fix quadratic complexity in
- os.path.expandvars() (GH-134952) (cherry picked from commit
- f029e8db626ddc6e3a3beea4eff511a71aaceb5c)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
-Co-authored-by: Łukasz Langa <lukasz@langa.pl>
----
- Lib/ntpath.py                                                            |  126 +++-------
- Lib/posixpath.py                                                         |   43 +--
- Lib/test/test_genericpath.py                                             |   21 +
- Lib/test/test_ntpath.py                                                  |   22 +
- Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst |    1 
- 5 files changed, 96 insertions(+), 117 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst
-
-Index: Python-3.13.9/Lib/ntpath.py
-===================================================================
---- Python-3.13.9.orig/Lib/ntpath.py	2025-10-14 15:52:31.000000000 +0200
-+++ Python-3.13.9/Lib/ntpath.py	2025-11-14 01:47:08.155405483 +0100
-@@ -400,17 +400,23 @@
- # XXX With COMMAND.COM you can use any characters in a variable name,
- # XXX except '^|<>='.
- 
-+_varpattern = r"'[^']*'?|%(%|[^%]*%?)|\$(\$|[-\w]+|\{[^}]*\}?)"
-+_varsub = None
-+_varsubb = None
-+
- def expandvars(path):
-     """Expand shell variables of the forms $var, ${var} and %var%.
- 
-     Unknown variables are left unchanged."""
-     path = os.fspath(path)
-+    global _varsub, _varsubb
-     if isinstance(path, bytes):
-         if b'$' not in path and b'%' not in path:
-             return path
--        import string
--        varchars = bytes(string.ascii_letters + string.digits + '_-', 'ascii')
--        quote = b'\''
-+        if not _varsubb:
-+            import re
-+            _varsubb = re.compile(_varpattern.encode(), re.ASCII).sub
-+        sub = _varsubb
-         percent = b'%'
-         brace = b'{'
-         rbrace = b'}'
-@@ -419,94 +425,44 @@
-     else:
-         if '$' not in path and '%' not in path:
-             return path
--        import string
--        varchars = string.ascii_letters + string.digits + '_-'
--        quote = '\''
-+        if not _varsub:
-+            import re
-+            _varsub = re.compile(_varpattern, re.ASCII).sub
-+        sub = _varsub
-         percent = '%'
-         brace = '{'
-         rbrace = '}'
-         dollar = '$'
-         environ = os.environ
--    res = path[:0]
--    index = 0
--    pathlen = len(path)
--    while index < pathlen:
--        c = path[index:index+1]
--        if c == quote:   # no expansion within single quotes
--            path = path[index + 1:]
--            pathlen = len(path)
--            try:
--                index = path.index(c)
--                res += c + path[:index + 1]
--            except ValueError:
--                res += c + path
--                index = pathlen - 1
--        elif c == percent:  # variable or '%'
--            if path[index + 1:index + 2] == percent:
--                res += c
--                index += 1
--            else:
--                path = path[index+1:]
--                pathlen = len(path)
--                try:
--                    index = path.index(percent)
--                except ValueError:
--                    res += percent + path
--                    index = pathlen - 1
--                else:
--                    var = path[:index]
--                    try:
--                        if environ is None:
--                            value = os.fsencode(os.environ[os.fsdecode(var)])
--                        else:
--                            value = environ[var]
--                    except KeyError:
--                        value = percent + var + percent
--                    res += value
--        elif c == dollar:  # variable or '$$'
--            if path[index + 1:index + 2] == dollar:
--                res += c
--                index += 1
--            elif path[index + 1:index + 2] == brace:
--                path = path[index+2:]
--                pathlen = len(path)
--                try:
--                    index = path.index(rbrace)
--                except ValueError:
--                    res += dollar + brace + path
--                    index = pathlen - 1
--                else:
--                    var = path[:index]
--                    try:
--                        if environ is None:
--                            value = os.fsencode(os.environ[os.fsdecode(var)])
--                        else:
--                            value = environ[var]
--                    except KeyError:
--                        value = dollar + brace + var + rbrace
--                    res += value
--            else:
--                var = path[:0]
--                index += 1
--                c = path[index:index + 1]
--                while c and c in varchars:
--                    var += c
--                    index += 1
--                    c = path[index:index + 1]
--                try:
--                    if environ is None:
--                        value = os.fsencode(os.environ[os.fsdecode(var)])
--                    else:
--                        value = environ[var]
--                except KeyError:
--                    value = dollar + var
--                res += value
--                if c:
--                    index -= 1
-+
-+    def repl(m):
-+        lastindex = m.lastindex
-+        if lastindex is None:
-+            return m[0]
-+        name = m[lastindex]
-+        if lastindex == 1:
-+            if name == percent:
-+                return name
-+            if not name.endswith(percent):
-+                return m[0]
-+            name = name[:-1]
-         else:
--            res += c
--        index += 1
--    return res
-+            if name == dollar:
-+                return name
-+            if name.startswith(brace):
-+                if not name.endswith(rbrace):
-+                    return m[0]
-+                name = name[1:-1]
-+
-+        try:
-+            if environ is None:
-+                return os.fsencode(os.environ[os.fsdecode(name)])
-+            else:
-+                return environ[name]
-+        except KeyError:
-+            return m[0]
-+
-+    return sub(repl, path)
- 
- 
- # Normalize a path, e.g. A//B, A/./B and A/foo/../B all become A\B.
-Index: Python-3.13.9/Lib/posixpath.py
-===================================================================
---- Python-3.13.9.orig/Lib/posixpath.py	2025-10-14 15:52:31.000000000 +0200
-+++ Python-3.13.9/Lib/posixpath.py	2025-11-14 01:47:08.155728503 +0100
-@@ -284,42 +284,41 @@
- # This expands the forms $variable and ${variable} only.
- # Non-existent variables are left unchanged.
- 
--_varprog = None
--_varprogb = None
-+_varpattern = r'\$(\w+|\{[^}]*\}?)'
-+_varsub = None
-+_varsubb = None
- 
- def expandvars(path):
-     """Expand shell variables of form $var and ${var}.  Unknown variables
-     are left unchanged."""
-     path = os.fspath(path)
--    global _varprog, _varprogb
-+    global _varsub, _varsubb
-     if isinstance(path, bytes):
-         if b'$' not in path:
-             return path
--        if not _varprogb:
-+        if not _varsubb:
-             import re
--            _varprogb = re.compile(br'\$(\w+|\{[^}]*\})', re.ASCII)
--        search = _varprogb.search
-+            _varsubb = re.compile(_varpattern.encode(), re.ASCII).sub
-+        sub = _varsubb
-         start = b'{'
-         end = b'}'
-         environ = getattr(os, 'environb', None)
-     else:
-         if '$' not in path:
-             return path
--        if not _varprog:
-+        if not _varsub:
-             import re
--            _varprog = re.compile(r'\$(\w+|\{[^}]*\})', re.ASCII)
--        search = _varprog.search
-+            _varsub = re.compile(_varpattern, re.ASCII).sub
-+        sub = _varsub
-         start = '{'
-         end = '}'
-         environ = os.environ
--    i = 0
--    while True:
--        m = search(path, i)
--        if not m:
--            break
--        i, j = m.span(0)
--        name = m.group(1)
--        if name.startswith(start) and name.endswith(end):
-+
-+    def repl(m):
-+        name = m[1]
-+        if name.startswith(start):
-+            if not name.endswith(end):
-+                return m[0]
-             name = name[1:-1]
-         try:
-             if environ is None:
-@@ -327,13 +326,11 @@
-             else:
-                 value = environ[name]
-         except KeyError:
--            i = j
-+            return m[0]
-         else:
--            tail = path[j:]
--            path = path[:i] + value
--            i = len(path)
--            path += tail
--    return path
-+            return value
-+
-+    return sub(repl, path)
- 
- 
- # Normalize a path, e.g. A//B, A/./B and A/foo/../B all become A/B.
-Index: Python-3.13.9/Lib/test/test_genericpath.py
-===================================================================
---- Python-3.13.9.orig/Lib/test/test_genericpath.py	2025-10-14 15:52:31.000000000 +0200
-+++ Python-3.13.9/Lib/test/test_genericpath.py	2025-11-14 01:47:08.157575687 +0100
-@@ -7,9 +7,9 @@
- import sys
- import unittest
- import warnings
--from test.support import (
--    is_apple, is_emscripten, os_helper, warnings_helper
--)
-+from test import support
-+from test.support import os_helper, is_emscripten
-+from test.support import warnings_helper
- from test.support.script_helper import assert_python_ok
- from test.support.os_helper import FakePath
- 
-@@ -446,6 +446,19 @@
-                   os.fsencode('$bar%s bar' % nonascii))
-             check(b'$spam}bar', os.fsencode('%s}bar' % nonascii))
- 
-+    @support.requires_resource('cpu')
-+    def test_expandvars_large(self):
-+        expandvars = self.pathmodule.expandvars
-+        with os_helper.EnvironmentVarGuard() as env:
-+            env.clear()
-+            env["A"] = "B"
-+            n = 100_000
-+            self.assertEqual(expandvars('$A'*n), 'B'*n)
-+            self.assertEqual(expandvars('${A}'*n), 'B'*n)
-+            self.assertEqual(expandvars('$A!'*n), 'B!'*n)
-+            self.assertEqual(expandvars('${A}A'*n), 'BA'*n)
-+            self.assertEqual(expandvars('${'*10*n), '${'*10*n)
-+
-     def test_abspath(self):
-         self.assertIn("foo", self.pathmodule.abspath("foo"))
-         with warnings.catch_warnings():
-@@ -503,7 +516,7 @@
-             # directory (when the bytes name is used).
-             and sys.platform not in {
-                 "win32", "emscripten", "wasi"
--            } and not is_apple
-+            } and not support.is_apple
-         ):
-             name = os_helper.TESTFN_UNDECODABLE
-         elif os_helper.TESTFN_NONASCII:
-Index: Python-3.13.9/Lib/test/test_ntpath.py
-===================================================================
---- Python-3.13.9.orig/Lib/test/test_ntpath.py	2025-10-14 15:52:31.000000000 +0200
-+++ Python-3.13.9/Lib/test/test_ntpath.py	2025-11-14 01:47:08.156225429 +0100
-@@ -8,8 +8,7 @@
- import warnings
- from ntpath import ALLOW_MISSING
- from test import support
--from test.support import cpython_only, os_helper
--from test.support import TestFailed, is_emscripten
-+from test.support import os_helper, is_emscripten
- from test.support.os_helper import FakePath
- from test import test_genericpath
- from tempfile import TemporaryFile
-@@ -59,7 +58,7 @@
-     fn = fn.replace("\\", "\\\\")
-     gotResult = eval(fn)
-     if wantResult != gotResult and _norm(wantResult) != _norm(gotResult):
--        raise TestFailed("%s should return: %s but returned: %s" \
-+        raise support.TestFailed("%s should return: %s but returned: %s" \
-               %(str(fn), str(wantResult), str(gotResult)))
- 
-     # then with bytes
-@@ -75,7 +74,7 @@
-         warnings.simplefilter("ignore", DeprecationWarning)
-         gotResult = eval(fn)
-     if _norm(wantResult) != _norm(gotResult):
--        raise TestFailed("%s should return: %s but returned: %s" \
-+        raise support.TestFailed("%s should return: %s but returned: %s" \
-               %(str(fn), str(wantResult), repr(gotResult)))
- 
- 
-@@ -1022,6 +1021,19 @@
-             check('%spam%bar', '%sbar' % nonascii)
-             check('%{}%bar'.format(nonascii), 'ham%sbar' % nonascii)
- 
-+    @support.requires_resource('cpu')
-+    def test_expandvars_large(self):
-+        expandvars = ntpath.expandvars
-+        with os_helper.EnvironmentVarGuard() as env:
-+            env.clear()
-+            env["A"] = "B"
-+            n = 100_000
-+            self.assertEqual(expandvars('%A%'*n), 'B'*n)
-+            self.assertEqual(expandvars('%A%A'*n), 'BA'*n)
-+            self.assertEqual(expandvars("''"*n + '%%'), "''"*n + '%')
-+            self.assertEqual(expandvars("%%"*n), "%"*n)
-+            self.assertEqual(expandvars("$$"*n), "$"*n)
-+
-     def test_expanduser(self):
-         tester('ntpath.expanduser("test")', 'test')
- 
-@@ -1440,7 +1452,7 @@
-         self.assertTrue(os.path.exists(r"\\.\CON"))
- 
-     @unittest.skipIf(sys.platform != 'win32', "Fast paths are only for win32")
--    @cpython_only
-+    @support.cpython_only
-     def test_fast_paths_in_use(self):
-         # There are fast paths of these functions implemented in posixmodule.c.
-         # Confirm that they are being used, and not the Python fallbacks in
-Index: Python-3.13.9/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst
-===================================================================
---- /dev/null	1970-01-01 00:00:00.000000000 +0000
-+++ Python-3.13.9/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst	2025-11-14 01:47:08.156533642 +0100
-@@ -0,0 +1 @@
-+Fix quadratic complexity in :func:`os.path.expandvars`.

CVE-2025-8291-consistency-zip64.patch

@@ -1,307 +0,0 @@
-From 1f2e4ec73cf7ece0a8c0a7a85cb73ec9ec0ef85a Mon Sep 17 00:00:00 2001
-From: Serhiy Storchaka <storchaka@gmail.com>
-Date: Tue, 7 Oct 2025 20:15:26 +0300
-Subject: [PATCH] [3.13] gh-139700: Check consistency of the zip64 end of
- central directory record (GH-139702)
-
-Support records with "zip64 extensible data" if there are no bytes
-prepended to the ZIP file.
-(cherry picked from commit 162997bb70e067668c039700141770687bc8f267)
-
-Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
----
- Lib/test/test_zipfile/test_core.py            | 82 ++++++++++++++++++-
- Lib/zipfile/__init__.py                       | 51 +++++++-----
- ...-10-07-19-31-34.gh-issue-139700.vNHU1O.rst |  3 +
- 3 files changed, 113 insertions(+), 23 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst
-
-diff --git a/Lib/test/test_zipfile/test_core.py b/Lib/test/test_zipfile/test_core.py
-index 41ec6a437ba917..2212d9c91dc899 100644
---- a/Lib/test/test_zipfile/test_core.py
-+++ b/Lib/test/test_zipfile/test_core.py
-@@ -884,6 +884,8 @@ def make_zip64_file(
-         self, file_size_64_set=False, file_size_extra=False,
-         compress_size_64_set=False, compress_size_extra=False,
-         header_offset_64_set=False, header_offset_extra=False,
-+        extensible_data=b'',
-+        end_of_central_dir_size=None, offset_to_end_of_central_dir=None,
-     ):
-         """Generate bytes sequence for a zip with (incomplete) zip64 data.
- 
-@@ -937,6 +939,12 @@ def make_zip64_file(
- 
-         central_dir_size = struct.pack('<Q', 58 + 8 * len(central_zip64_fields))
-         offset_to_central_dir = struct.pack('<Q', 50 + 8 * len(local_zip64_fields))
-+        if end_of_central_dir_size is None:
-+            end_of_central_dir_size = 44 + len(extensible_data)
-+        if offset_to_end_of_central_dir is None:
-+            offset_to_end_of_central_dir = (108
-+                                            + 8 * len(local_zip64_fields)
-+                                            + 8 * len(central_zip64_fields))
- 
-         local_extra_length = struct.pack("<H", 4 + 8 * len(local_zip64_fields))
-         central_extra_length = struct.pack("<H", 4 + 8 * len(central_zip64_fields))
-@@ -965,14 +973,17 @@ def make_zip64_file(
-             + filename
-             + central_extra
-             # Zip64 end of central directory
--            + b"PK\x06\x06,\x00\x00\x00\x00\x00\x00\x00-\x00-"
--            + b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00"
-+            + b"PK\x06\x06"
-+            + struct.pack('<Q', end_of_central_dir_size)
-+            + b"-\x00-\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00"
-             + b"\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"
-             + central_dir_size
-             + offset_to_central_dir
-+            + extensible_data
-             # Zip64 end of central directory locator
--            + b"PK\x06\x07\x00\x00\x00\x00l\x00\x00\x00\x00\x00\x00\x00\x01"
--            + b"\x00\x00\x00"
-+            + b"PK\x06\x07\x00\x00\x00\x00"
-+            + struct.pack('<Q', offset_to_end_of_central_dir)
-+            + b"\x01\x00\x00\x00"
-             # end of central directory
-             + b"PK\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00:\x00\x00\x002\x00"
-             + b"\x00\x00\x00\x00"
-@@ -1003,6 +1014,7 @@ def test_bad_zip64_extra(self):
-         with self.assertRaises(zipfile.BadZipFile) as e:
-             zipfile.ZipFile(io.BytesIO(missing_file_size_extra))
-         self.assertIn('file size', str(e.exception).lower())
-+        self.assertTrue(zipfile.is_zipfile(io.BytesIO(missing_file_size_extra)))
- 
-         # zip64 file size present, zip64 compress size present, one field in
-         # extra, expecting two, equals missing compress size.
-@@ -1014,6 +1026,7 @@ def test_bad_zip64_extra(self):
-         with self.assertRaises(zipfile.BadZipFile) as e:
-             zipfile.ZipFile(io.BytesIO(missing_compress_size_extra))
-         self.assertIn('compress size', str(e.exception).lower())
-+        self.assertTrue(zipfile.is_zipfile(io.BytesIO(missing_compress_size_extra)))
- 
-         # zip64 compress size present, no fields in extra, expecting one,
-         # equals missing compress size.
-@@ -1023,6 +1036,7 @@ def test_bad_zip64_extra(self):
-         with self.assertRaises(zipfile.BadZipFile) as e:
-             zipfile.ZipFile(io.BytesIO(missing_compress_size_extra))
-         self.assertIn('compress size', str(e.exception).lower())
-+        self.assertTrue(zipfile.is_zipfile(io.BytesIO(missing_compress_size_extra)))
- 
-         # zip64 file size present, zip64 compress size present, zip64 header
-         # offset present, two fields in extra, expecting three, equals missing
-@@ -1037,6 +1051,7 @@ def test_bad_zip64_extra(self):
-         with self.assertRaises(zipfile.BadZipFile) as e:
-             zipfile.ZipFile(io.BytesIO(missing_header_offset_extra))
-         self.assertIn('header offset', str(e.exception).lower())
-+        self.assertTrue(zipfile.is_zipfile(io.BytesIO(missing_header_offset_extra)))
- 
-         # zip64 compress size present, zip64 header offset present, one field
-         # in extra, expecting two, equals missing header offset
-@@ -1049,6 +1064,7 @@ def test_bad_zip64_extra(self):
-         with self.assertRaises(zipfile.BadZipFile) as e:
-             zipfile.ZipFile(io.BytesIO(missing_header_offset_extra))
-         self.assertIn('header offset', str(e.exception).lower())
-+        self.assertTrue(zipfile.is_zipfile(io.BytesIO(missing_header_offset_extra)))
- 
-         # zip64 file size present, zip64 header offset present, one field in
-         # extra, expecting two, equals missing header offset
-@@ -1061,6 +1077,7 @@ def test_bad_zip64_extra(self):
-         with self.assertRaises(zipfile.BadZipFile) as e:
-             zipfile.ZipFile(io.BytesIO(missing_header_offset_extra))
-         self.assertIn('header offset', str(e.exception).lower())
-+        self.assertTrue(zipfile.is_zipfile(io.BytesIO(missing_header_offset_extra)))
- 
-         # zip64 header offset present, no fields in extra, expecting one,
-         # equals missing header offset
-@@ -1072,6 +1089,63 @@ def test_bad_zip64_extra(self):
-         with self.assertRaises(zipfile.BadZipFile) as e:
-             zipfile.ZipFile(io.BytesIO(missing_header_offset_extra))
-         self.assertIn('header offset', str(e.exception).lower())
-+        self.assertTrue(zipfile.is_zipfile(io.BytesIO(missing_header_offset_extra)))
-+
-+    def test_bad_zip64_end_of_central_dir(self):
-+        zipdata = self.make_zip64_file(end_of_central_dir_size=0)
-+        with self.assertRaisesRegex(zipfile.BadZipFile, 'Corrupt.*record'):
-+            zipfile.ZipFile(io.BytesIO(zipdata))
-+        self.assertFalse(zipfile.is_zipfile(io.BytesIO(zipdata)))
-+
-+        zipdata = self.make_zip64_file(end_of_central_dir_size=100)
-+        with self.assertRaisesRegex(zipfile.BadZipFile, 'Corrupt.*record'):
-+            zipfile.ZipFile(io.BytesIO(zipdata))
-+        self.assertFalse(zipfile.is_zipfile(io.BytesIO(zipdata)))
-+
-+        zipdata = self.make_zip64_file(offset_to_end_of_central_dir=0)
-+        with self.assertRaisesRegex(zipfile.BadZipFile, 'Corrupt.*record'):
-+            zipfile.ZipFile(io.BytesIO(zipdata))
-+        self.assertFalse(zipfile.is_zipfile(io.BytesIO(zipdata)))
-+
-+        zipdata = self.make_zip64_file(offset_to_end_of_central_dir=1000)
-+        with self.assertRaisesRegex(zipfile.BadZipFile, 'Corrupt.*locator'):
-+            zipfile.ZipFile(io.BytesIO(zipdata))
-+        self.assertFalse(zipfile.is_zipfile(io.BytesIO(zipdata)))
-+
-+    def test_zip64_end_of_central_dir_record_not_found(self):
-+        zipdata = self.make_zip64_file()
-+        zipdata = zipdata.replace(b"PK\x06\x06", b'\x00'*4)
-+        with self.assertRaisesRegex(zipfile.BadZipFile, 'record not found'):
-+            zipfile.ZipFile(io.BytesIO(zipdata))
-+        self.assertFalse(zipfile.is_zipfile(io.BytesIO(zipdata)))
-+
-+        zipdata = self.make_zip64_file(
-+            extensible_data=b'\xca\xfe\x04\x00\x00\x00data')
-+        zipdata = zipdata.replace(b"PK\x06\x06", b'\x00'*4)
-+        with self.assertRaisesRegex(zipfile.BadZipFile, 'record not found'):
-+            zipfile.ZipFile(io.BytesIO(zipdata))
-+        self.assertFalse(zipfile.is_zipfile(io.BytesIO(zipdata)))
-+
-+    def test_zip64_extensible_data(self):
-+        # These values are what is set in the make_zip64_file method.
-+        expected_file_size = 8
-+        expected_compress_size = 8
-+        expected_header_offset = 0
-+        expected_content = b"test1234"
-+
-+        zipdata = self.make_zip64_file(
-+            extensible_data=b'\xca\xfe\x04\x00\x00\x00data')
-+        with zipfile.ZipFile(io.BytesIO(zipdata)) as zf:
-+            zinfo = zf.infolist()[0]
-+            self.assertEqual(zinfo.file_size, expected_file_size)
-+            self.assertEqual(zinfo.compress_size, expected_compress_size)
-+            self.assertEqual(zinfo.header_offset, expected_header_offset)
-+            self.assertEqual(zf.read(zinfo), expected_content)
-+        self.assertTrue(zipfile.is_zipfile(io.BytesIO(zipdata)))
-+
-+        with self.assertRaisesRegex(zipfile.BadZipFile, 'record not found'):
-+            zipfile.ZipFile(io.BytesIO(b'prepended' + zipdata))
-+        self.assertFalse(zipfile.is_zipfile(io.BytesIO(b'prepended' + zipdata)))
- 
-     def test_generated_valid_zip64_extra(self):
-         # These values are what is set in the make_zip64_file method.
-diff --git a/Lib/zipfile/__init__.py b/Lib/zipfile/__init__.py
-index 05f387a950ba0a..c01f13729e1c99 100644
---- a/Lib/zipfile/__init__.py
-+++ b/Lib/zipfile/__init__.py
-@@ -245,7 +245,7 @@ def is_zipfile(filename):
-         else:
-             with open(filename, "rb") as fp:
-                 result = _check_zipfile(fp)
--    except OSError:
-+    except (OSError, BadZipFile):
-         pass
-     return result
- 
-@@ -253,16 +253,15 @@ def _EndRecData64(fpin, offset, endrec):
-     """
-     Read the ZIP64 end-of-archive records and use that to update endrec
-     """
--    try:
--        fpin.seek(offset - sizeEndCentDir64Locator, 2)
--    except OSError:
--        # If the seek fails, the file is not large enough to contain a ZIP64
-+    offset -= sizeEndCentDir64Locator
-+    if offset < 0:
-+        # The file is not large enough to contain a ZIP64
-         # end-of-archive record, so just return the end record we were given.
-         return endrec
--
-+    fpin.seek(offset)
-     data = fpin.read(sizeEndCentDir64Locator)
-     if len(data) != sizeEndCentDir64Locator:
--        return endrec
-+        raise OSError("Unknown I/O error")
-     sig, diskno, reloff, disks = struct.unpack(structEndArchive64Locator, data)
-     if sig != stringEndArchive64Locator:
-         return endrec
-@@ -270,16 +269,33 @@ def _EndRecData64(fpin, offset, endrec):
-     if diskno != 0 or disks > 1:
-         raise BadZipFile("zipfiles that span multiple disks are not supported")
- 
--    # Assume no 'zip64 extensible data'
--    fpin.seek(offset - sizeEndCentDir64Locator - sizeEndCentDir64, 2)
-+    offset -= sizeEndCentDir64
-+    if reloff > offset:
-+        raise BadZipFile("Corrupt zip64 end of central directory locator")
-+    # First, check the assumption that there is no prepended data.
-+    fpin.seek(reloff)
-+    extrasz = offset - reloff
-     data = fpin.read(sizeEndCentDir64)
-     if len(data) != sizeEndCentDir64:
--        return endrec
-+        raise OSError("Unknown I/O error")
-+    if not data.startswith(stringEndArchive64) and reloff != offset:
-+        # Since we already have seen the Zip64 EOCD Locator, it's
-+        # possible we got here because there is prepended data.
-+        # Assume no 'zip64 extensible data'
-+        fpin.seek(offset)
-+        extrasz = 0
-+        data = fpin.read(sizeEndCentDir64)
-+        if len(data) != sizeEndCentDir64:
-+            raise OSError("Unknown I/O error")
-+    if not data.startswith(stringEndArchive64):
-+        raise BadZipFile("Zip64 end of central directory record not found")
-+
-     sig, sz, create_version, read_version, disk_num, disk_dir, \
-         dircount, dircount2, dirsize, diroffset = \
-         struct.unpack(structEndArchive64, data)
--    if sig != stringEndArchive64:
--        return endrec
-+    if (diroffset + dirsize != reloff or
-+        sz + 12 != sizeEndCentDir64 + extrasz):
-+        raise BadZipFile("Corrupt zip64 end of central directory record")
- 
-     # Update the original endrec using data from the ZIP64 record
-     endrec[_ECD_SIGNATURE] = sig
-@@ -289,6 +305,7 @@ def _EndRecData64(fpin, offset, endrec):
-     endrec[_ECD_ENTRIES_TOTAL] = dircount2
-     endrec[_ECD_SIZE] = dirsize
-     endrec[_ECD_OFFSET] = diroffset
-+    endrec[_ECD_LOCATION] = offset - extrasz
-     return endrec
- 
- 
-@@ -322,7 +339,7 @@ def _EndRecData(fpin):
-         endrec.append(filesize - sizeEndCentDir)
- 
-         # Try to read the "Zip64 end of central directory" structure
--        return _EndRecData64(fpin, -sizeEndCentDir, endrec)
-+        return _EndRecData64(fpin, filesize - sizeEndCentDir, endrec)
- 
-     # Either this is not a ZIP file, or it is a ZIP file with an archive
-     # comment.  Search the end of the file for the "end of central directory"
-@@ -346,8 +363,7 @@ def _EndRecData(fpin):
-         endrec.append(maxCommentStart + start)
- 
-         # Try to read the "Zip64 end of central directory" structure
--        return _EndRecData64(fpin, maxCommentStart + start - filesize,
--                             endrec)
-+        return _EndRecData64(fpin, maxCommentStart + start, endrec)
- 
-     # Unable to find a valid end of central directory structure
-     return None
-@@ -1458,9 +1474,6 @@ def _RealGetContents(self):
- 
-         # "concat" is zero, unless zip was concatenated to another file
-         concat = endrec[_ECD_LOCATION] - size_cd - offset_cd
--        if endrec[_ECD_SIGNATURE] == stringEndArchive64:
--            # If Zip64 extension structures are present, account for them
--            concat -= (sizeEndCentDir64 + sizeEndCentDir64Locator)
- 
-         if self.debug > 2:
-             inferred = concat + offset_cd
-@@ -2082,7 +2095,7 @@ def _write_end_record(self):
-                                    " would require ZIP64 extensions")
-             zip64endrec = struct.pack(
-                 structEndArchive64, stringEndArchive64,
--                44, 45, 45, 0, 0, centDirCount, centDirCount,
-+                sizeEndCentDir64 - 12, 45, 45, 0, 0, centDirCount, centDirCount,
-                 centDirSize, centDirOffset)
-             self.fp.write(zip64endrec)
- 
-diff --git a/Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst b/Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst
-new file mode 100644
-index 00000000000000..a8e7a1f1878c6b
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst
-@@ -0,0 +1,3 @@
-+Check consistency of the zip64 end of central directory record. Support
-+records with "zip64 extensible data" if there are no bytes prepended to the
-+ZIP file.

Python-3.13.11.tar.xz.sigstore

@@ -0,0 +1 @@
+{"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json", "verificationMaterial": {"certificate": {"rawBytes": "MIICyTCCAk+gAwIBAgIUMZ9OrU89PmgWXWiYxq/s1e8xVkkwCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjUxMjA1MTY1NjU1WhcNMjUxMjA1MTcwNjU1WjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQ3Wq/mhAIwL1ZNOiCgOmVYXqwl8rWBi+hwTYY+NJLvmuRW7wblbWyTJ1RSZrS9dVGhVdWZP7tT2hvkt56ibycaOCAW4wggFqMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUCukYhSJA3LGmELdmyGSLM/sNqPowHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wHwYDVR0RAQH/BBUwE4ERdGhvbWFzQHB5dGhvbi5vcmcwKQYKKwYBBAGDvzABAQQbaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tMCsGCisGAQQBg78wAQgEHQwbaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tMIGJBgorBgEEAdZ5AgQCBHsEeQB3AHUA3T0wasbHETJjGR4cmWc3AqJKXrjePK3/h4pygC8p7o4AAAGa73H4UAAABAMARjBEAiAoqadI7BCu3G3jmK140KSkRC+uTKIS7K/yAUtT8zfdiwIgV51hPZZYKSjHglktFhqcxzHLdRyb96/caoR4m+DHvT8wCgYIKoZIzj0EAwMDaAAwZQIwSuCW4+VibjHM96ArSncpYew+tvp7bMlc21AHsgr12ZO6p//IiSdjJlqOTpYwCWtFAjEA0BxY6Y7zl4+baG4+BZ+EEiwDwoCOVTR7ORMuDYeZ/Dy6g47hohxRqtssCYdRKRZq"}, "tlogEntries": [{"logIndex": "743450012", "logId": {"keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="}, "kindVersion": {"kind": "hashedrekord", "version": "0.0.1"}, "integratedTime": "1764953815", "inclusionPromise": {"signedEntryTimestamp": "MEQCIFAmMfakwQScJ3jGB7ufmmWcvXbT/sQYyb/iIbRyJXYmAiB25k62mSSsvteAacdB4SjQJ100UGRI02mHOZykKqirrQ=="}, "inclusionProof": {"logIndex": "621545750", "rootHash": "lTjgILAqSIIoraXAj/bseL/7BMbChIzmHVo5P84pPO8=", "treeSize": "621545755", "hashes": ["FqRC4Ydg7KClKWZIe5BLdSoxPOl3L+wXnnctnBbxa5E=", "hyHMJXZjRrPr7N8JDpms6tqWbIuqgBLKkoDomNSzO8g=", "XV5KmKAmcumiCPrjB89usazCvsWagxoKoI5P3Rn5mDQ=", "FKJNSf/yPWGSGCwEZ4ybeMVy+zECYaK/u2yKEboKDQs=", "4wbyhSYvHHiszMmrsBtjXwOt9um81zByZQLFAXJAu0g=", "q0tC4xtUswgodVV8T7OYpkNlp/XC4qAM541kvTHkq4o=", "se5pDnKcF+idDdO0PdbWjF+rFNUWlCzxj+pSmkASRQU=", "YYvp7Leoq6lF3zEs+Bux7BQt/UrxFbOOJAwVroBevek=", "pQtmpjszxrel2u+2I5HrLBwlwvhc19nfAUsa5EHZAe4=", "0jEq6eagxqoSOor9OR//fY6uOsPzLaE1q1n9tZRzfSc=", "ZmUkYkHBy1B723JrEgiKvepTdHYrP6y2a4oODYvi5VY=", "T4DqWD42hAtN+vX8jKCWqoC4meE4JekI9LxYGCcPy1M="], "checkpoint": {"envelope": "rekor.sigstore.dev - 1193050959916656506\n621545755\nlTjgILAqSIIoraXAj/bseL/7BMbChIzmHVo5P84pPO8=\n\n\u2014 rekor.sigstore.dev wNI9ajBEAiAS9t8HEV2fPKq2rB20KvscWBUzqlzyZr6asuXxp8whiAIgUxc+PuVjTYduOZ2zKNeaSos22BXxAn7hKgxBroQmIkE=\n"}}, "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiIxNmVkZTdiYjdjZGJmYTg5NWQxMWIwNjQyZmEwZTUyM2YyOTFlNjQ4NzE5NGQ1M2NmNmQzYjMzOGMzYTE3ZWEyIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FVUNJUURENENYVTNMNGlMSkVCb0xFSVlnVU5kTXhjN3VENWdMcUgyeXRFNFQxTnd3SWdKbHBhMHJFbDV0MGdtbTlTYzRoQnpFOG9QK2JLSlVZeExUTmd4dEdnSmo0PSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVTjVWRU5EUVdzclowRjNTVUpCWjBsVlRWbzVUM0pWT0RsUWJXZFhXRmRwV1hoeEwzTXhaVGg0Vm10cmQwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RucEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWpSM1NFRlpSRlpSVVVSRmVGWjZZVmRrZW1SSE9YbGFVekZ3WW01U2JBcGpiVEZzV2tkc2FHUkhWWGRJYUdOT1RXcFZlRTFxUVRGTlZGa3hUbXBWTVZkb1kwNU5hbFY0VFdwQk1VMVVZM2RPYWxVeFYycEJRVTFHYTNkRmQxbElDa3R2V2tsNmFqQkRRVkZaU1V0dldrbDZhakJFUVZGalJGRm5RVVZSTTFkeEwyMW9RVWwzVERGYVRrOXBRMmRQYlZaWldIRjNiRGh5VjBKcEsyaDNWRmtLV1N0T1NreDJiWFZTVnpkM1lteGlWM2xVU2pGU1UxcHlVemxrVmtkb1ZtUlhXbEEzZEZReWFIWnJkRFUyYVdKNVkyRlBRMEZYTkhkblowWnhUVUUwUndwQk1WVmtSSGRGUWk5M1VVVkJkMGxJWjBSQlZFSm5UbFpJVTFWRlJFUkJTMEpuWjNKQ1owVkdRbEZqUkVGNlFXUkNaMDVXU0ZFMFJVWm5VVlZEZFd0WkNtaFRTa0V6VEVkdFJVeGtiWGxIVTB4TkwzTk9jVkJ2ZDBoM1dVUldVakJxUWtKbmQwWnZRVlV6T1ZCd2VqRlphMFZhWWpWeFRtcHdTMFpYYVhocE5Ga0tXa1E0ZDBoM1dVUldVakJTUVZGSUwwSkNWWGRGTkVWU1pFZG9kbUpYUm5wUlNFSTFaRWRvZG1KcE5YWmpiV04zUzFGWlMwdDNXVUpDUVVkRWRucEJRZ3BCVVZGaVlVaFNNR05JVFRaTWVUbG9XVEpPZG1SWE5UQmplVFZ1WWpJNWJtSkhWWFZaTWpsMFRVTnpSME5wYzBkQlVWRkNaemM0ZDBGUlowVklVWGRpQ21GSVVqQmpTRTAyVEhrNWFGa3lUblprVnpVd1kzazFibUl5T1c1aVIxVjFXVEk1ZEUxSlIwcENaMjl5UW1kRlJVRmtXalZCWjFGRFFraHpSV1ZSUWpNS1FVaFZRVE5VTUhkaGMySklSVlJLYWtkU05HTnRWMk16UVhGS1MxaHlhbVZRU3pNdmFEUndlV2RET0hBM2J6UkJRVUZIWVRjelNEUlZRVUZCUWtGTlFRcFNha0pGUVdsQmIzRmhaRWszUWtOMU0wY3phbTFMTVRRd1MxTnJVa01yZFZSTFNWTTNTeTk1UVZWMFZEaDZabVJwZDBsblZqVXhhRkJhV2xsTFUycElDbWRzYTNSR2FIRmplSHBJVEdSU2VXSTVOaTlqWVc5U05HMHJSRWgyVkRoM1EyZFpTVXR2V2tsNmFqQkZRWGROUkdGQlFYZGFVVWwzVTNWRFZ6UXJWbWtLWW1wSVRUazJRWEpUYm1Od1dXVjNLM1IyY0RkaVRXeGpNakZCU0hObmNqRXlXazgyY0M4dlNXbFRaR3BLYkhGUFZIQlpkME5YZEVaQmFrVkJNRUo0V1FvMldUZDZiRFFyWW1GSE5DdENXaXRGUldsM1JIZHZRMDlXVkZJM1QxSk5kVVJaWlZvdlJIazJaelEzYUc5b2VGSnhkSE56UTFsa1VrdFNXbkVLTFMwdExTMUZUa1FnUTBWU1ZFbEdTVU5CVkVVdExTMHRMUW89In19fX0="}], "timestampVerificationData": {}}, "messageSignature": {"messageDigest": {"algorithm": "SHA2_256", "digest": "Fu3nu3zb+oldEbBkL6DlI/KR5khxlNU89tOzOMOhfqI="}, "signature": "MEUCIQDD4CXU3L4iLJEBoLEIYgUNdMxc7uD5gLqH2ytE4T1NwwIgJlpa0rEl5t0gmm9Sc4hBzE8oP+bKJUYxLTNgxtGgJj4="}}

doc-py38-to-py36.patch

@@ -27,10 +27,10 @@
  Doc/tools/extensions/pydoc_topics.py          |   22 +++++-----
  18 files changed, 159 insertions(+), 130 deletions(-)
 
-Index: Python-3.13.9/Doc/Makefile
+Index: Python-3.13.11/Doc/Makefile
 ===================================================================
---- Python-3.13.9.orig/Doc/Makefile	2025-10-14 15:52:31.000000000 +0200
-+++ Python-3.13.9/Doc/Makefile	2025-11-20 01:09:35.814292408 +0100
+--- Python-3.13.11.orig/Doc/Makefile	2025-12-05 17:06:33.000000000 +0100
++++ Python-3.13.11/Doc/Makefile	2025-12-18 23:36:11.845184450 +0100
 @@ -14,15 +14,15 @@
  SOURCES      =
  DISTVERSION  = $(shell $(PYTHON) tools/extensions/patchlevel.py)
@@ -51,10 +51,10 @@ Index: Python-3.13.9/Doc/Makefile
                  $(PAPEROPT_$(PAPER)) \
                  $(SPHINXOPTS) $(SPHINXERRORHANDLING) \
                  . build/$(BUILDER) $(SOURCES)
-Index: Python-3.13.9/Doc/c-api/arg.rst
+Index: Python-3.13.11/Doc/c-api/arg.rst
 ===================================================================
---- Python-3.13.9.orig/Doc/c-api/arg.rst	2025-10-14 15:52:31.000000000 +0200
-+++ Python-3.13.9/Doc/c-api/arg.rst	2025-11-20 01:07:59.902914275 +0100
+--- Python-3.13.11.orig/Doc/c-api/arg.rst	2025-12-05 17:06:33.000000000 +0100
++++ Python-3.13.11/Doc/c-api/arg.rst	2025-12-18 23:36:11.845570257 +0100
 @@ -334,7 +334,6 @@
     should raise an exception and leave the content of *address* unmodified.
  
@@ -63,10 +63,10 @@ Index: Python-3.13.9/Doc/c-api/arg.rst
  
     If the *converter* returns :c:macro:`!Py_CLEANUP_SUPPORTED`, it may get called a
     second time if the argument parsing eventually fails, giving the converter a
-Index: Python-3.13.9/Doc/c-api/typeobj.rst
+Index: Python-3.13.11/Doc/c-api/typeobj.rst
 ===================================================================
---- Python-3.13.9.orig/Doc/c-api/typeobj.rst	2025-10-14 15:52:31.000000000 +0200
-+++ Python-3.13.9/Doc/c-api/typeobj.rst	2025-11-20 01:07:59.903382829 +0100
+--- Python-3.13.11.orig/Doc/c-api/typeobj.rst	2025-12-05 17:06:33.000000000 +0100
++++ Python-3.13.11/Doc/c-api/typeobj.rst	2025-12-18 23:36:11.846211337 +0100
 @@ -610,7 +610,7 @@
     Functions like :c:func:`PyObject_NewVar` will take the value of N as an
     argument, and store in the instance's :c:member:`~PyVarObject.ob_size` field.
@@ -97,10 +97,10 @@ Index: Python-3.13.9/Doc/c-api/typeobj.rst
     include :c:type:`PyObject` or :c:type:`PyVarObject` (depending on
     whether :c:member:`~PyVarObject.ob_size` should be included). These are
     usually defined by the macro :c:macro:`PyObject_HEAD` or
-Index: Python-3.13.9/Doc/conf.py
+Index: Python-3.13.11/Doc/conf.py
 ===================================================================
---- Python-3.13.9.orig/Doc/conf.py	2025-11-20 01:07:14.944126757 +0100
-+++ Python-3.13.9/Doc/conf.py	2025-11-20 01:07:59.903974303 +0100
+--- Python-3.13.11.orig/Doc/conf.py	2025-12-05 17:06:33.000000000 +0100
++++ Python-3.13.11/Doc/conf.py	2025-12-18 23:36:11.846742416 +0100
 @@ -11,6 +11,8 @@
  from importlib import import_module
  from importlib.util import find_spec
@@ -127,7 +127,7 @@ Index: Python-3.13.9/Doc/conf.py
  '''
  
  manpages_url = 'https://manpages.debian.org/{path}'
-@@ -92,7 +94,7 @@
+@@ -96,7 +98,7 @@
  
  # Minimum version of sphinx required
  # Keep this version in sync with ``Doc/requirements.txt``.
@@ -136,7 +136,7 @@ Index: Python-3.13.9/Doc/conf.py
  
  # Create table of contents entries for domain objects (e.g. functions, classes,
  # attributes, etc.). Default is True.
-@@ -257,6 +259,9 @@
+@@ -246,6 +248,9 @@
  # Avoid a warning with Sphinx >= 4.0
  root_doc = 'contents'
  
@@ -146,7 +146,7 @@ Index: Python-3.13.9/Doc/conf.py
  # Allow translation of index directives
  gettext_additional_targets = [
      'index',
-@@ -296,7 +301,7 @@
+@@ -285,7 +290,7 @@
  # (See .readthedocs.yml and https://docs.readthedocs.io/en/stable/reference/environment-variables.html)
  is_deployment_preview = os.getenv("READTHEDOCS_VERSION_TYPE") == "external"
  repository_url = os.getenv("READTHEDOCS_GIT_CLONE_URL", "")
@@ -155,7 +155,7 @@ Index: Python-3.13.9/Doc/conf.py
  html_context = {
      "is_deployment_preview": is_deployment_preview,
      "repository_url": repository_url or None,
-@@ -607,6 +612,16 @@
+@@ -551,6 +556,16 @@
  }
  extlinks_detect_hardcoded_links = True
  
@@ -172,10 +172,10 @@ Index: Python-3.13.9/Doc/conf.py
  # Options for c_annotations extension
  # -----------------------------------
  
-Index: Python-3.13.9/Doc/library/doctest.rst
+Index: Python-3.13.11/Doc/library/doctest.rst
 ===================================================================
---- Python-3.13.9.orig/Doc/library/doctest.rst	2025-10-14 15:52:31.000000000 +0200
-+++ Python-3.13.9/Doc/library/doctest.rst	2025-11-20 01:07:59.904511686 +0100
+--- Python-3.13.11.orig/Doc/library/doctest.rst	2025-12-05 17:06:33.000000000 +0100
++++ Python-3.13.11/Doc/library/doctest.rst	2025-12-18 23:36:11.847131855 +0100
 @@ -310,7 +310,6 @@
  .. currentmodule:: None
  
@@ -184,10 +184,10 @@ Index: Python-3.13.9/Doc/library/doctest.rst
  
  .. currentmodule:: doctest
  
-Index: Python-3.13.9/Doc/library/email.compat32-message.rst
+Index: Python-3.13.11/Doc/library/email.compat32-message.rst
 ===================================================================
---- Python-3.13.9.orig/Doc/library/email.compat32-message.rst	2025-10-14 15:52:31.000000000 +0200
-+++ Python-3.13.9/Doc/library/email.compat32-message.rst	2025-11-20 01:07:59.905009154 +0100
+--- Python-3.13.11.orig/Doc/library/email.compat32-message.rst	2025-12-05 17:06:33.000000000 +0100
++++ Python-3.13.11/Doc/library/email.compat32-message.rst	2025-12-18 23:36:11.847579332 +0100
 @@ -7,7 +7,6 @@
     :synopsis: The base class representing email messages in a fashion
                backward compatible with Python 3.2
@@ -196,10 +196,10 @@ Index: Python-3.13.9/Doc/library/email.compat32-message.rst
  
  
  The :class:`Message` class is very similar to the
-Index: Python-3.13.9/Doc/library/xml.etree.elementtree.rst
+Index: Python-3.13.11/Doc/library/xml.etree.elementtree.rst
 ===================================================================
---- Python-3.13.9.orig/Doc/library/xml.etree.elementtree.rst	2025-10-14 15:52:31.000000000 +0200
-+++ Python-3.13.9/Doc/library/xml.etree.elementtree.rst	2025-11-20 01:07:59.905273001 +0100
+--- Python-3.13.11.orig/Doc/library/xml.etree.elementtree.rst	2025-12-05 17:06:33.000000000 +0100
++++ Python-3.13.11/Doc/library/xml.etree.elementtree.rst	2025-12-18 23:36:11.847865126 +0100
 @@ -873,7 +873,6 @@
  
  .. module:: xml.etree.ElementTree
@@ -208,10 +208,10 @@ Index: Python-3.13.9/Doc/library/xml.etree.elementtree.rst
  
  .. class:: Element(tag, attrib={}, **extra)
  
-Index: Python-3.13.9/Doc/tools/check-warnings.py
+Index: Python-3.13.11/Doc/tools/check-warnings.py
 ===================================================================
---- Python-3.13.9.orig/Doc/tools/check-warnings.py	2025-10-14 15:52:31.000000000 +0200
-+++ Python-3.13.9/Doc/tools/check-warnings.py	2025-11-20 01:07:59.905613002 +0100
+--- Python-3.13.11.orig/Doc/tools/check-warnings.py	2025-12-05 17:06:33.000000000 +0100
++++ Python-3.13.11/Doc/tools/check-warnings.py	2025-12-18 23:36:11.848175434 +0100
 @@ -228,7 +228,8 @@
              print(filename)
              for warning in warnings:
@@ -231,10 +231,10 @@ Index: Python-3.13.9/Doc/tools/check-warnings.py
          for warning in warnings
          if "Doc/" in warning
      }
-Index: Python-3.13.9/Doc/tools/extensions/audit_events.py
+Index: Python-3.13.11/Doc/tools/extensions/audit_events.py
 ===================================================================
---- Python-3.13.9.orig/Doc/tools/extensions/audit_events.py	2025-10-14 15:52:31.000000000 +0200
-+++ Python-3.13.9/Doc/tools/extensions/audit_events.py	2025-11-20 01:08:35.819222654 +0100
+--- Python-3.13.11.orig/Doc/tools/extensions/audit_events.py	2025-12-05 17:06:33.000000000 +0100
++++ Python-3.13.11/Doc/tools/extensions/audit_events.py	2025-12-18 23:36:11.848442160 +0100
 @@ -1,9 +1,6 @@
  """Support for documenting audit events."""
  
@@ -370,10 +370,10 @@ Index: Python-3.13.9/Doc/tools/extensions/audit_events.py
      ) -> nodes.row:
          row = nodes.row()
          name_node = nodes.paragraph("", nodes.Text(name))
-Index: Python-3.13.9/Doc/tools/extensions/availability.py
+Index: Python-3.13.11/Doc/tools/extensions/availability.py
 ===================================================================
---- Python-3.13.9.orig/Doc/tools/extensions/availability.py	2025-10-14 15:52:31.000000000 +0200
-+++ Python-3.13.9/Doc/tools/extensions/availability.py	2025-11-20 01:07:59.906156697 +0100
+--- Python-3.13.11.orig/Doc/tools/extensions/availability.py	2025-12-05 17:06:33.000000000 +0100
++++ Python-3.13.11/Doc/tools/extensions/availability.py	2025-12-18 23:36:11.848697922 +0100
 @@ -1,8 +1,6 @@
  """Support for documenting platform availability"""
  
@@ -427,10 +427,10 @@ Index: Python-3.13.9/Doc/tools/extensions/availability.py
      app.add_directive("availability", Availability)
  
      return {
-Index: Python-3.13.9/Doc/tools/extensions/c_annotations.py
+Index: Python-3.13.11/Doc/tools/extensions/c_annotations.py
 ===================================================================
---- Python-3.13.9.orig/Doc/tools/extensions/c_annotations.py	2025-10-14 15:52:31.000000000 +0200
-+++ Python-3.13.9/Doc/tools/extensions/c_annotations.py	2025-11-20 01:07:59.906354780 +0100
+--- Python-3.13.11.orig/Doc/tools/extensions/c_annotations.py	2025-12-05 17:06:33.000000000 +0100
++++ Python-3.13.11/Doc/tools/extensions/c_annotations.py	2025-12-18 23:37:01.590377119 +0100
 @@ -9,22 +9,26 @@
  * Set ``stable_abi_file`` to the path to stable ABI list.
  """
@@ -525,7 +525,7 @@ Index: Python-3.13.9/Doc/tools/extensions/c_annotations.py
              if ROLE_TO_OBJECT_TYPE[record.role] != objtype:
                  msg = (
                      f"Object type mismatch in limited API annotation for {name}: "
-@@ -234,7 +241,7 @@
+@@ -256,7 +263,7 @@
      )
  
  
@@ -534,7 +534,7 @@ Index: Python-3.13.9/Doc/tools/extensions/c_annotations.py
      classes = ["refcount"]
      if result_refs is None:
          rc = sphinx_gettext("Return value: Always NULL.")
-@@ -254,7 +261,7 @@
+@@ -276,7 +283,7 @@
      optional_arguments = 0
      final_argument_whitespace = True
  
@@ -543,7 +543,7 @@ Index: Python-3.13.9/Doc/tools/extensions/c_annotations.py
          state = self.env.domaindata["c_annotations"]
          content = [
              f"* :c:{record.role}:`{record.name}`"
-@@ -277,13 +284,23 @@
+@@ -344,7 +351,7 @@
      )
  
  
@@ -552,6 +552,7 @@ Index: Python-3.13.9/Doc/tools/extensions/c_annotations.py
      app.add_config_value("refcount_file", "", "env", types={str})
      app.add_config_value("stable_abi_file", "", "env", types={str})
      app.add_directive("limited-api-list", LimitedAPIList)
+@@ -352,6 +359,16 @@
      app.connect("builder-inited", init_annotations)
      app.connect("doctree-read", add_annotations)
  
@@ -568,10 +569,10 @@ Index: Python-3.13.9/Doc/tools/extensions/c_annotations.py
      return {
          "version": "1.0",
          "parallel_read_safe": True,
-Index: Python-3.13.9/Doc/tools/extensions/changes.py
+Index: Python-3.13.11/Doc/tools/extensions/changes.py
 ===================================================================
---- Python-3.13.9.orig/Doc/tools/extensions/changes.py	2025-10-14 15:52:31.000000000 +0200
-+++ Python-3.13.9/Doc/tools/extensions/changes.py	2025-11-20 01:07:59.906539198 +0100
+--- Python-3.13.11.orig/Doc/tools/extensions/changes.py	2025-12-05 17:06:33.000000000 +0100
++++ Python-3.13.11/Doc/tools/extensions/changes.py	2025-12-18 23:36:11.849240594 +0100
 @@ -1,7 +1,5 @@
  """Support for documenting version of changes, additions, deprecations."""
  
@@ -607,10 +608,10 @@ Index: Python-3.13.9/Doc/tools/extensions/changes.py
      # Override Sphinx's directives with support for 'next'
      app.add_directive("versionadded", PyVersionChange, override=True)
      app.add_directive("versionchanged", PyVersionChange, override=True)
-Index: Python-3.13.9/Doc/tools/extensions/glossary_search.py
+Index: Python-3.13.11/Doc/tools/extensions/glossary_search.py
 ===================================================================
---- Python-3.13.9.orig/Doc/tools/extensions/glossary_search.py	2025-10-14 15:52:31.000000000 +0200
-+++ Python-3.13.9/Doc/tools/extensions/glossary_search.py	2025-11-20 01:07:59.906696224 +0100
+--- Python-3.13.11.orig/Doc/tools/extensions/glossary_search.py	2025-12-05 17:06:33.000000000 +0100
++++ Python-3.13.11/Doc/tools/extensions/glossary_search.py	2025-12-18 23:36:11.849448932 +0100
 @@ -1,21 +1,27 @@
  """Feature search results for glossary items prominently."""
  
@@ -654,10 +655,10 @@ Index: Python-3.13.9/Doc/tools/extensions/glossary_search.py
      app.connect('doctree-resolved', process_glossary_nodes)
      app.connect('build-finished', write_glossary_json)
  
-Index: Python-3.13.9/Doc/tools/extensions/implementation_detail.py
+Index: Python-3.13.11/Doc/tools/extensions/implementation_detail.py
 ===================================================================
---- Python-3.13.9.orig/Doc/tools/extensions/implementation_detail.py	2025-10-14 15:52:31.000000000 +0200
-+++ Python-3.13.9/Doc/tools/extensions/implementation_detail.py	2025-11-20 01:07:59.906853200 +0100
+--- Python-3.13.11.orig/Doc/tools/extensions/implementation_detail.py	2025-12-05 17:06:33.000000000 +0100
++++ Python-3.13.11/Doc/tools/extensions/implementation_detail.py	2025-12-18 23:36:11.849650427 +0100
 @@ -1,17 +1,10 @@
  """Support for marking up implementation details."""
  
@@ -708,10 +709,10 @@ Index: Python-3.13.9/Doc/tools/extensions/implementation_detail.py
      app.add_directive("impl-detail", ImplementationDetail)
  
      return {
-Index: Python-3.13.9/Doc/tools/extensions/issue_role.py
+Index: Python-3.13.11/Doc/tools/extensions/issue_role.py
 ===================================================================
---- Python-3.13.9.orig/Doc/tools/extensions/issue_role.py	2025-10-14 15:52:31.000000000 +0200
-+++ Python-3.13.9/Doc/tools/extensions/issue_role.py	2025-11-20 01:07:59.907010386 +0100
+--- Python-3.13.11.orig/Doc/tools/extensions/issue_role.py	2025-12-05 17:06:33.000000000 +0100
++++ Python-3.13.11/Doc/tools/extensions/issue_role.py	2025-12-18 23:36:11.849838302 +0100
 @@ -1,22 +1,18 @@
  """Support for referencing issues in the tracker."""
  
@@ -757,10 +758,10 @@ Index: Python-3.13.9/Doc/tools/extensions/issue_role.py
      app.add_role("issue", BPOIssue())
      app.add_role("gh", GitHubIssue())
  
-Index: Python-3.13.9/Doc/tools/extensions/misc_news.py
+Index: Python-3.13.11/Doc/tools/extensions/misc_news.py
 ===================================================================
---- Python-3.13.9.orig/Doc/tools/extensions/misc_news.py	2025-10-14 15:52:31.000000000 +0200
-+++ Python-3.13.9/Doc/tools/extensions/misc_news.py	2025-11-20 01:07:59.907170899 +0100
+--- Python-3.13.11.orig/Doc/tools/extensions/misc_news.py	2025-12-05 17:06:33.000000000 +0100
++++ Python-3.13.11/Doc/tools/extensions/misc_news.py	2025-12-18 23:36:11.850033510 +0100
 @@ -1,7 +1,5 @@
  """Support for including Misc/NEWS."""
  
@@ -813,10 +814,10 @@ Index: Python-3.13.9/Doc/tools/extensions/misc_news.py
      app.add_directive("miscnews", MiscNews)
  
      return {
-Index: Python-3.13.9/Doc/tools/extensions/patchlevel.py
+Index: Python-3.13.11/Doc/tools/extensions/patchlevel.py
 ===================================================================
---- Python-3.13.9.orig/Doc/tools/extensions/patchlevel.py	2025-10-14 15:52:31.000000000 +0200
-+++ Python-3.13.9/Doc/tools/extensions/patchlevel.py	2025-11-20 01:07:59.907494228 +0100
+--- Python-3.13.11.orig/Doc/tools/extensions/patchlevel.py	2025-12-05 17:06:33.000000000 +0100
++++ Python-3.13.11/Doc/tools/extensions/patchlevel.py	2025-12-18 23:36:11.850217264 +0100
 @@ -3,7 +3,7 @@
  import re
  import sys
@@ -854,10 +855,10 @@ Index: Python-3.13.9/Doc/tools/extensions/patchlevel.py
      version = f"{info.major}.{info.minor}"
      release = f"{info.major}.{info.minor}.{info.micro}"
      if info.releaselevel != "final":
-Index: Python-3.13.9/Doc/tools/extensions/pydoc_topics.py
+Index: Python-3.13.11/Doc/tools/extensions/pydoc_topics.py
 ===================================================================
---- Python-3.13.9.orig/Doc/tools/extensions/pydoc_topics.py	2025-10-14 15:52:31.000000000 +0200
-+++ Python-3.13.9/Doc/tools/extensions/pydoc_topics.py	2025-11-20 01:07:59.907684617 +0100
+--- Python-3.13.11.orig/Doc/tools/extensions/pydoc_topics.py	2025-12-05 17:06:33.000000000 +0100
++++ Python-3.13.11/Doc/tools/extensions/pydoc_topics.py	2025-12-18 23:36:11.850437755 +0100
 @@ -1,21 +1,23 @@
  """Support for building "topic help" for pydoc."""
  

gh139257-Support-docutils-0.22.patch

@@ -4,33 +4,145 @@ Date: Tue, 23 Sep 2025 10:20:16 +0200
 Subject: [PATCH 1/2] gh-139257: Support docutils >= 0.22
 
 ---
- Doc/tools/extensions/pyspecific.py | 12 +++++++++++-
- 1 file changed, 11 insertions(+), 1 deletion(-)
+ Doc/tools/extensions/pyspecific.py |   69 +++++++++++++++++++++++++------------
+ 1 file changed, 47 insertions(+), 22 deletions(-)
 
-Index: Python-3.13.7/Doc/tools/extensions/pyspecific.py
+Index: Python-3.13.11/Doc/tools/extensions/pyspecific.py
 ===================================================================
---- Python-3.13.7.orig/Doc/tools/extensions/pyspecific.py
-+++ Python-3.13.7/Doc/tools/extensions/pyspecific.py
-@@ -25,11 +25,21 @@ from sphinx.util.docutils import SphinxD
- SOURCE_URI = 'https://github.com/python/cpython/tree/3.13/%s'
+--- Python-3.13.11.orig/Doc/tools/extensions/pyspecific.py	2025-12-05 17:06:33.000000000 +0100
++++ Python-3.13.11/Doc/tools/extensions/pyspecific.py	2025-12-18 23:38:44.804668556 +0100
+@@ -1,12 +1,12 @@
+ # -*- coding: utf-8 -*-
+ """
+-    pyspecific.py
+-    ~~~~~~~~~~~~~
++pyspecific.py
++~~~~~~~~~~~~~
  
- # monkey-patch reST parser to disable alphabetic and roman enumerated lists
+-    Sphinx extension with Python doc-specific markup.
++Sphinx extension with Python doc-specific markup.
+ 
+-    :copyright: 2008-2014 by Georg Brandl.
+-    :license: Python license.
++:copyright: 2008-2014 by Georg Brandl.
++:license: Python license.
+ """
+ 
+ import re
+@@ -22,30 +22,50 @@
+ from sphinx.util.docutils import SphinxDirective
+ 
+ # Used in conf.py and updated here by python/release-tools/run_release.py
+-SOURCE_URI = 'https://github.com/python/cpython/tree/3.13/%s'
++SOURCE_URI = "https://github.com/python/cpython/tree/3.13/%s"
++
++
++# monkey-patch reST parser to disable alphabetic and roman enumerated lists
 +def _disable_alphabetic_and_roman(text):
 +    try:
 +        # docutils >= 0.22
 +        from docutils.parsers.rst.states import InvalidRomanNumeralError
++
 +        raise InvalidRomanNumeralError(text)
 +    except ImportError:
 +        # docutils < 0.22
 +        return None
 +
 +
- from docutils.parsers.rst.states import Body
- Body.enum.converters['loweralpha'] = \
-     Body.enum.converters['upperalpha'] = \
-     Body.enum.converters['lowerroman'] = \
--    Body.enum.converters['upperroman'] = lambda x: None
-+    Body.enum.converters['upperroman'] = _disable_alphabetic_and_roman
- 
++from docutils.parsers.rst.states import Body
++
++Body.enum.converters["loweralpha"] = Body.enum.converters["upperalpha"] = (
++    Body.enum.converters["lowerroman"]
++) = Body.enum.converters["upperroman"] = _disable_alphabetic_and_roman
++
  
  class PyAwaitableMixin(object):
+     def handle_signature(self, sig, signode):
+         ret = super(PyAwaitableMixin, self).handle_signature(sig, signode)
+-        signode.insert(0, addnodes.desc_annotation('awaitable ', 'awaitable '))
++        signode.insert(0, addnodes.desc_annotation("awaitable ", "awaitable "))
+         return ret
+ 
+ 
+ class PyAwaitableFunction(PyAwaitableMixin, PyFunction):
+     def run(self):
+-        self.name = 'py:function'
++        self.name = "py:function"
+         return PyFunction.run(self)
+ 
+ 
+ class PyAwaitableMethod(PyAwaitableMixin, PyMethod):
+     def run(self):
+-        self.name = 'py:method'
++        self.name = "py:method"
+         return PyMethod.run(self)
+ 
+ 
+ # Support for documenting Opcodes
+ 
+-opcode_sig_re = re.compile(r'(\w+(?:\+\d)?)(?:\s*\((.*)\))?')
++opcode_sig_re = re.compile(r"(\w+(?:\+\d)?)(?:\s*\((.*)\))?")
+ 
+ 
+ def parse_opcode_signature(env, sig, signode):
+@@ -64,7 +84,7 @@
+ 
+ # Support for documenting pdb commands
+ 
+-pdbcmd_sig_re = re.compile(r'([a-z()!]+)\s*(.*)')
++pdbcmd_sig_re = re.compile(r"([a-z()!]+)\s*(.*)")
+ 
+ # later...
+ # pdbargs_tokens_re = re.compile(r'''[a-zA-Z]+  |  # identifiers
+@@ -80,16 +100,16 @@
+     if m is None:
+         raise ValueError
+     name, args = m.groups()
+-    fullname = name.replace('(', '').replace(')', '')
++    fullname = name.replace("(", "").replace(")", "")
+     signode += addnodes.desc_name(name, name)
+     if args:
+-        signode += addnodes.desc_addname(' '+args, ' '+args)
++        signode += addnodes.desc_addname(" " + args, " " + args)
+     return fullname
+ 
+ 
+ def parse_monitoring_event(env, sig, signode):
+     """Transform a monitoring event signature into RST nodes."""
+-    signode += addnodes.desc_addname('sys.monitoring.events.', 'sys.monitoring.events.')
++    signode += addnodes.desc_addname("sys.monitoring.events.", "sys.monitoring.events.")
+     signode += addnodes.desc_name(sig, sig)
+     return sig
+ 
+@@ -102,7 +122,7 @@
+     As such, we link this to ``env-check-consistency``, even though it has
+     nothing to do with the environment consistency check.
+     """
+-    if app.builder.name != 'gettext':
++    if app.builder.name != "gettext":
+         return
+ 
+     # allow translating deprecated index entries
+@@ -119,10 +139,15 @@
+ 
+ 
+ def setup(app):
+-    app.add_object_type('opcode', 'opcode', '%s (opcode)', parse_opcode_signature)
+-    app.add_object_type('pdbcommand', 'pdbcmd', '%s (pdb command)', parse_pdb_command)
+-    app.add_object_type('monitoring-event', 'monitoring-event', '%s (monitoring event)', parse_monitoring_event)
+-    app.add_directive_to_domain('py', 'awaitablefunction', PyAwaitableFunction)
+-    app.add_directive_to_domain('py', 'awaitablemethod', PyAwaitableMethod)
+-    app.connect('env-check-consistency', patch_pairindextypes)
+-    return {'version': '1.0', 'parallel_read_safe': True}
++    app.add_object_type("opcode", "opcode", "%s (opcode)", parse_opcode_signature)
++    app.add_object_type("pdbcommand", "pdbcmd", "%s (pdb command)", parse_pdb_command)
++    app.add_object_type(
++        "monitoring-event",
++        "monitoring-event",
++        "%s (monitoring event)",
++        parse_monitoring_event,
++    )
++    app.add_directive_to_domain("py", "awaitablefunction", PyAwaitableFunction)
++    app.add_directive_to_domain("py", "awaitablemethod", PyAwaitableMethod)
++    app.connect("env-check-consistency", patch_pairindextypes)
++    return {"version": "1.0", "parallel_read_safe": True}

python313.changes

@@ -1,3 +1,299 @@
+-------------------------------------------------------------------
+Thu Dec 11 21:36:09 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Update to 3.13.11:
+    - gh-142145: Remove quadratic behavior in xml.minidom node ID
+      cache clearing (CVE-2025-12084, bsc#1254997).
+    - gh-119451: Fix a potential memory denial of service in the
+      http.client module. When connecting to a malicious server,
+      it could cause an arbitrary amount of memory to be
+      allocated. This could have led to symptoms including
+      a MemoryError, swapping, out of memory (OOM) killed
+      processes or containers, or even system crashes
+      (bsc#1254400, CVE-2025-13836).
+    - gh-119452: Fix a potential memory denial of service in the
+      http.server module. When a malicious user is connected to
+      the CGI server on Windows, it could cause an arbitrary
+      amount of memory to be allocated. This could have led to
+      symptoms including a MemoryError, swapping, out of memory
+      (OOM) killed processes or containers, or even system
+      crashes.
+- Library
+    - gh-140797: Revert changes to the undocumented re.Scanner
+      class. Capturing groups are still allowed for backward
+      compatibility, although using them can lead to incorrect
+      result. They will be forbidden in future Python versions.
+    - gh-142206: The resource tracker in the multiprocessing
+      module now uses the original communication protocol, as in
+      Python 3.14.0 and below, by default. This avoids issues
+      with upgrading Python while it is running. (Note that such
+      ‘in-place’ upgrades are not tested.) The tracker remains
+      compatible with subprocesses that use new protocol (that
+      is, subprocesses using Python 3.13.10, 3.14.1 and 3.15).
+- Core and Builtins
+    - gh-142218: Fix crash when inserting into a split table
+      dictionary with a non str key that matches an existing key.
+- Update to 3.13.10:
+- Tools/Demos
+    - gh-141442: The iOS testbed now correctly handles test
+      arguments that contain spaces.
+- Tests
+    - gh-140482: Preserve and restore the state of stty echo as
+      part of the test environment.
+    - gh-140082: Update python -m test to set FORCE_COLOR=1 when
+      being run with color enabled so that unittest which is run
+      by it with redirected output will output in color.
+    - gh-136442: Use exitcode 1 instead of 5 if
+      unittest.TestCase.setUpClass() raises an exception
+- Security
+    - gh-139700: Check consistency of the zip64 end of central
+      directory record. Support records with “zip64 extensible
+      data” if there are no bytes prepended to the ZIP file.
+      (CVE-2025-8291, bsc#1251305)
+    - gh-137836: Add support of the “plaintext” element, RAWTEXT
+      elements “xmp”, “iframe”, “noembed” and “noframes”, and
+      optionally RAWTEXT element “noscript” in
+      html.parser.HTMLParser.
+    - gh-136063: email.message: ensure linear complexity for
+      legacy HTTP parameters parsing. Patch by Bénédikt Tran.
+    - gh-136065: Fix quadratic complexity in
+      os.path.expandvars() (CVE-2025-6075, bsc#1252974).
+    - gh-119342: Fix a potential memory denial of service in the
+      plistlib module. When reading a Plist file received from
+      untrusted source, it could cause an arbitrary amount of
+      memory to be allocated. This could have led to symptoms
+      including a MemoryError, swapping, out of memory (OOM)
+      killed processes or containers, or even system crashes
+      (CVE-2025-13837, bsc#1254401).
+- Library
+    - gh-74389: When the stdin being used by a subprocess.Popen
+      instance is closed, this is now ignored in
+      subprocess.Popen.communicate() instead of leaving the class
+      in an inconsistent state.
+    - gh-87512: Fix subprocess.Popen.communicate() timeout
+      handling on Windows when writing large input. Previously,
+      the timeout was ignored during stdin writing, causing the
+      method to block indefinitely if the child process did not
+      consume input quickly. The stdin write is now performed in
+      a background thread, allowing the timeout to be properly
+      enforced.
+    - gh-141473: When subprocess.Popen.communicate() was called
+      with input and a timeout and is called for a second time
+      after a TimeoutExpired exception before the process has
+      died, it should no longer hang.
+    - gh-59000: Fix pdb breakpoint resolution for class methods
+      when the module defining the class is not imported.
+    - gh-141570: Support file-like object raising OSError from
+      fileno() in color detection (_colorize.can_colorize()).
+      This can occur when sys.stdout is redirected.
+    - gh-141659: Fix bad file descriptor errors from
+      _posixsubprocess on AIX.
+    - gh-141497: ipaddress: ensure that the methods
+      IPv4Network.hosts() and IPv6Network.hosts() always return
+      an iterator.
+    - gh-140938: The statistics.stdev() and statistics.pstdev()
+      functions now raise a ValueError when the input contains an
+      infinity or a NaN.
+    - gh-124111: Updated Tcl threading configuration in _tkinter
+      to assume that threads are always available in Tcl 9 and
+      later.
+    - gh-137109: The os.fork and related forking APIs will no
+      longer warn in the common case where Linux or macOS
+      platform APIs return the number of threads in a process and
+      find the answer to be 1 even when a os.register_at_fork()
+      after_in_parent= callback (re)starts a thread.
+    - gh-141314: Fix assertion failure in io.TextIOWrapper.tell()
+      when reading files with standalone carriage return (\r)
+      line endings.
+    - gh-141311: Fix assertion failure in io.BytesIO.readinto()
+      and undefined behavior arising when read position is above
+      capcity in io.BytesIO.
+    - gh-141141: Fix a thread safety issue with
+      base64.b85decode(). Contributed by Benel Tayar.
+    - gh-140911: collections: Ensure that the methods
+      UserString.rindex() and UserString.index() accept
+      collections.UserString instances as the sub argument.
+    - gh-140797: The undocumented re.Scanner class now forbids
+      regular expressions containing capturing groups in its
+      lexicon patterns. Patterns using capturing groups could
+      previously lead to crashes with segmentation fault. Use
+      non-capturing groups (?:…) instead.
+    - gh-140815: faulthandler now detects if a frame or a code
+      object is invalid or freed. Patch by Victor Stinner.
+    - gh-100218: Correctly set errno when socket.if_nametoindex()
+      or socket.if_indextoname() raise an OSError. Patch by
+      Bénédikt Tran.
+    - gh-140875: Fix handling of unclosed character references
+      (named and numerical) followed by the end of file in
+      html.parser.HTMLParser with convert_charrefs=False.
+    - gh-140734: multiprocessing: fix off-by-one error when
+      checking the length of a temporary socket file path. Patch
+      by Bénédikt Tran.
+    - gh-140874: Bump the version of pip bundled in ensurepip to
+      version 25.3
+    - gh-140691: In urllib.request, when opening a FTP URL fails
+      because a data connection cannot be made, the control
+      connection’s socket is now closed to avoid
+      a ResourceWarning.
+    - gh-103847: Fix hang when cancelling process created by
+      asyncio.create_subprocess_exec() or
+      asyncio.create_subprocess_shell(). Patch by Kumar Aditya.
+    - gh-140590: Fix arguments checking for the
+      functools.partial.__setstate__() that may lead to internal
+      state corruption and crash. Patch by Sergey Miryanov.
+    - gh-140634: Fix a reference counting bug in
+      os.sched_param.__reduce__().
+    - gh-140633: Ignore AttributeError when setting a module’s
+      __file__ attribute when loading an extension module
+      packaged as Apple Framework.
+    - gh-140593: xml.parsers.expat: Fix a memory leak that could
+      affect users with ElementDeclHandler() set to a custom
+      element declaration handler. Patch by Sebastian Pipping.
+    - gh-140607: Inside io.RawIOBase.read(), validate that the
+      count of bytes returned by io.RawIOBase.readinto() is valid
+      (inside the provided buffer).
+    - gh-138162: Fix logging.LoggerAdapter with merge_extra=True
+      and without the extra argument.
+    - gh-140474: Fix memory leak in array.array when creating
+      arrays from an empty str and the u type code.
+    - gh-140272: Fix memory leak in the clear() method of the
+      dbm.gnu database.
+    - gh-140041: Fix import of ctypes on Android and Cygwin when
+      ABI flags are present.
+    - gh-139905: Add suggestion to error message for
+      typing.Generic subclasses when cls.__parameters__ is
+      missing due to a parent class failing to call
+      super().__init_subclass__() in its __init_subclass__.
+    - gh-139845: Fix to not print KeyboardInterrupt twice in
+      default asyncio REPL.
+    - gh-139783: Fix inspect.getsourcelines() for the case when
+      a decorator is followed by a comment or an empty line.
+    - gh-70765: http.server: fix default handling of HTTP/0.9
+      requests in BaseHTTPRequestHandler. Previously,
+      BaseHTTPRequestHandler.parse_request() incorrectly waited
+      for headers in the request although those are not supported
+      in HTTP/0.9. Patch by Bénédikt Tran.
+    - gh-139391: Fix an issue when, on non-Windows platforms, it
+      was not possible to gracefully exit a python -m asyncio
+      process suspended by Ctrl+Z and later resumed by fg other
+      than with kill.
+    - gh-101828: Fix 'shift_jisx0213', 'shift_jis_2004',
+      'euc_jisx0213' and 'euc_jis_2004' codecs truncating null
+      chars as they were treated as part of multi-character
+      sequences.
+    - gh-139246: fix: paste zero-width in default repl width is
+      wrong.
+    - gh-90949: Add SetAllocTrackerActivationThreshold() and
+      SetAllocTrackerMaximumAmplification() to xmlparser objects
+      to prevent use of disproportional amounts of dynamic memory
+      from within an Expat parser. Patch by Bénédikt Tran.
+    - gh-139065: Fix trailing space before a wrapped long word if
+      the line length is exactly width in textwrap.
+    - gh-138993: Dedent credits text.
+    - gh-138859: Fix generic type parameterization raising
+      a TypeError when omitting a ParamSpec that has a default
+      which is not a list of types.
+    - gh-138775: Use of python -m with base64 has been fixed to
+      detect input from a terminal so that it properly notices
+      EOF.
+    - gh-98896: Fix a failure in multiprocessing resource_tracker
+      when SharedMemory names contain colons. Patch by Rani
+      Pinchuk.
+    - gh-75989: tarfile.TarFile.extractall() and
+      tarfile.TarFile.extract() now overwrite symlinks when
+      extracting hardlinks. (Contributed by Alexander Enrique
+      Urieles Nieto in gh-75989.)
+    - gh-83424: Allows creating a ctypes.CDLL without name when
+      passing a handle as an argument.
+    - gh-136234: Fix asyncio.WriteTransport.writelines() to be
+      robust to connection failure, by using the same behavior as
+      write().
+    - gh-136057: Fixed the bug in pdb and bdb where next and step
+      can’t go over the line if a loop exists in the line.
+    - gh-135307: email: Fix exception in set_content() when
+      encoding text and max_line_length is set to 0 or None
+      (unlimited).
+    - gh-134453: Fixed subprocess.Popen.communicate() input=
+      handling of memoryview instances that were non-byte shaped
+      on POSIX platforms. Those are now properly cast to a byte
+      shaped view instead of truncating the input. Windows
+      platforms did not have this bug.
+    - gh-102431: Clarify constraints for “logical” arguments in
+      methods of decimal.Context.
+- IDLE
+    - gh-96491: Deduplicate version number in IDLE shell title
+      bar after saving to a file.
+- Documentation
+    - gh-141994: xml.sax.handler: Make Documentation of
+      xml.sax.handler.feature_external_ges warn of opening up to
+      external entity attacks. Patch by Sebastian Pipping.
+    - gh-140578: Remove outdated sencence in the documentation
+      for multiprocessing, that implied that
+      concurrent.futures.ThreadPoolExecutor did not exist.
+- Core and Builtins
+    - gh-142048: Fix quadratically increasing garbage collection
+      delays in free-threaded build.
+    - gh-141930: When importing a module, use Python’s regular
+      file object to ensure that writes to .pyc files are
+      complete or an appropriate error is raised.
+    - gh-120158: Fix inconsistent state when enabling or
+      disabling monitoring events too many times.
+    - gh-141579: Fix sys.activate_stack_trampoline() to properly
+      support the perf_jit backend. Patch by Pablo Galindo.
+    - gh-141312: Fix the assertion failure in the __setstate__
+      method of the range iterator when a non-integer argument is
+      passed. Patch by Sergey Miryanov.
+    - gh-140939: Fix memory leak when bytearray or bytes is
+      formated with the
+      %*b format with a large width that results in
+      %a MemoryError.
+    - gh-140530: Fix a reference leak when raise exc from cause
+      fails. Patch by Bénédikt Tran.
+    - gh-140576: Fixed crash in tokenize.generate_tokens() in
+      case of specific incorrect input. Patch by Mikhail Efimov.
+    - gh-140551: Fixed crash in dict if dict.clear() is called at
+      the lookup stage. Patch by Mikhail Efimov and Inada Naoki.
+    - gh-140471: Fix potential buffer overflow in ast.AST node
+      initialization when encountering malformed _fields
+      containing non-str.
+    - gh-140406: Fix memory leak when an object’s __hash__()
+      method returns an object that isn’t an int.
+    - gh-140306: Fix memory leaks in cross-interpreter channel
+      operations and shared namespace handling.
+    - gh-140301: Fix memory leak of PyConfig in subinterpreters.
+    - gh-140000: Fix potential memory leak when a reference cycle
+      exists between an instance of typing.TypeAliasType,
+      typing.TypeVar, typing.ParamSpec, or typing.TypeVarTuple
+      and its __name__ attribute. Patch by Mikhail Efimov.
+    - gh-139748: Fix reference leaks in error branches of
+      functions accepting path strings or bytes such as compile()
+      and os.system(). Patch by Bénédikt Tran.
+    - gh-139516: Fix lambda colon erroneously start format spec
+      in f-string in tokenizer.
+    - gh-139640: Fix swallowing some syntax warnings in different
+      modules if they accidentally have the same message and are
+      emitted from the same line. Fix duplicated warnings in the
+      finally block.
+    - gh-137400: Fix a crash in the free threading build when
+      disabling profiling or tracing across all threads with
+      PyEval_SetProfileAllThreads() or
+      PyEval_SetTraceAllThreads() or their Python equivalents
+      threading.settrace_all_threads() and
+      threading.setprofile_all_threads().
+    - gh-133400: Fixed Ctrl+D (^D) behavior in _pyrepl module to
+      match old pre-3.13 REPL behavior.
+- C API
+    - gh-140042: Removed the sqlite3_shutdown call that could
+      cause closing connections for sqlite when used with
+      multiple sub interpreters.
+    - gh-140487: Fix Py_RETURN_NOTIMPLEMENTED in limited C API
+      3.11 and older: don’t treat Py_NotImplemented as immortal.
+      Patch by Victor Stinner.
+- Remove upstreamed patches:
+  - CVE-2025-13836-http-resp-cont-len.patch
+  - CVE-2025-8291-consistency-zip64.patch
+  - CVE-2025-6075-expandvars-perf-degrad.patch
+
 -------------------------------------------------------------------
 Wed Nov 19 19:21:41 UTC 2025 - Matej Cepl <mcepl@suse.com>
 

python313.spec

@@ -167,7 +167,7 @@
 # _md5.cpython-38m-x86_64-linux-gnu.so
 %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
 Name:           %{python_pkg_name}%{psuffix}
-Version:        3.13.9
+Version:        3.13.11
 %define         tarversion %{version}
 %define         tarname    Python-%{tarversion}
 Release:        0
@@ -235,12 +235,6 @@ Patch43:        bsc1243155-sphinx-non-determinism.patch
 Patch44:        gh138131-exclude-pycache-from-digest.patch
 # PATCH-FIX-OPENSUSE gh139257-Support-docutils-0.22.patch gh#python/cpython#139257 daniel.garcia@suse.com
 Patch45:        gh139257-Support-docutils-0.22.patch
-# PATCH-FIX-UPSTREAM CVE-2025-8291-consistency-zip64.patch bsc#1251305 mcepl@suse.com
-# Check consistency of the zip64 end of central directory record
-Patch46:        CVE-2025-8291-consistency-zip64.patch
-# PATCH-FIX-UPSTREAM CVE-2025-6075-expandvars-perf-degrad.patch bsc#1252974 mcepl@suse.com
-# Avoid potential quadratic complexity vulnerabilities in path modules
-Patch47:        CVE-2025-6075-expandvars-perf-degrad.patch
 # PATCH-FIX-UPSTREAM pass-test_write_read_limited_history.patch bsc#[0-9]+ mcepl@suse.com
 # Fix readline history truncation when length is reduced
 Patch48:        pass-test_write_read_limited_history.patch