diff --git a/CVE-2023-52425-libexpat-2.6.0-backport.patch b/CVE-2023-52425-libexpat-2.6.0-backport.patch
index 1acc25a..f5724e9 100644
--- a/CVE-2023-52425-libexpat-2.6.0-backport.patch
+++ b/CVE-2023-52425-libexpat-2.6.0-backport.patch
@@ -6,10 +6,10 @@
Lib/test/test_xml_etree.py | 12 ------------
5 files changed, 37 insertions(+), 44 deletions(-)
-Index: Python-3.11.12/Lib/test/support/__init__.py
+Index: Python-3.11.14/Lib/test/support/__init__.py
===================================================================
---- Python-3.11.12.orig/Lib/test/support/__init__.py 2025-04-11 10:52:43.191010503 +0200
-+++ Python-3.11.12/Lib/test/support/__init__.py 2025-04-11 10:52:44.802161741 +0200
+--- Python-3.11.14.orig/Lib/test/support/__init__.py 2025-11-11 22:19:39.694606976 +0100
++++ Python-3.11.14/Lib/test/support/__init__.py 2025-11-11 22:19:43.416608482 +0100
@@ -8,6 +8,7 @@
import functools
import os
@@ -27,7 +27,7 @@ Index: Python-3.11.12/Lib/test/support/__init__.py
]
-@@ -2244,6 +2245,17 @@
+@@ -2279,6 +2280,17 @@
}
return ignored
@@ -46,10 +46,10 @@ Index: Python-3.11.12/Lib/test/support/__init__.py
+fails_with_expat_2_6_0 = (unittest.expectedFailure
+ if is_expat_2_6_0
+ else lambda test: test)
-Index: Python-3.11.12/Lib/test/test_minidom.py
+Index: Python-3.11.14/Lib/test/test_minidom.py
===================================================================
---- Python-3.11.12.orig/Lib/test/test_minidom.py 2025-04-11 10:52:21.907086938 +0200
-+++ Python-3.11.12/Lib/test/test_minidom.py 2025-04-11 10:52:44.802522893 +0200
+--- Python-3.11.14.orig/Lib/test/test_minidom.py 2025-11-11 22:19:20.357789592 +0100
++++ Python-3.11.14/Lib/test/test_minidom.py 2025-11-11 22:19:43.417174481 +0100
@@ -6,7 +6,6 @@
from test import support
import unittest
@@ -94,10 +94,10 @@ Index: Python-3.11.12/Lib/test/test_minidom.py
parseString('')
def testDocRemoveChild(self):
-Index: Python-3.11.12/Lib/test/test_pyexpat.py
+Index: Python-3.11.14/Lib/test/test_pyexpat.py
===================================================================
---- Python-3.11.12.orig/Lib/test/test_pyexpat.py 2025-04-11 10:52:22.076696906 +0200
-+++ Python-3.11.12/Lib/test/test_pyexpat.py 2025-04-11 10:52:44.803228085 +0200
+--- Python-3.11.14.orig/Lib/test/test_pyexpat.py 2025-11-11 22:19:20.528295478 +0100
++++ Python-3.11.14/Lib/test/test_pyexpat.py 2025-11-11 22:19:43.417558052 +0100
@@ -14,8 +14,7 @@
from xml.parsers import expat
from xml.parsers.expat import errors
@@ -108,7 +108,7 @@ Index: Python-3.11.12/Lib/test/test_pyexpat.py
class SetAttributeTest(unittest.TestCase):
def setUp(self):
-@@ -770,9 +769,8 @@
+@@ -806,9 +805,8 @@
self.assertIs(parser.GetReparseDeferralEnabled(), enabled)
def test_reparse_deferral_enabled(self):
@@ -120,7 +120,7 @@ Index: Python-3.11.12/Lib/test/test_pyexpat.py
started = []
-@@ -801,9 +799,9 @@
+@@ -837,9 +835,9 @@
parser = expat.ParserCreate()
parser.StartElementHandler = start_element
@@ -132,10 +132,10 @@ Index: Python-3.11.12/Lib/test/test_pyexpat.py
for chunk in (b''):
parser.Parse(chunk, False)
-Index: Python-3.11.12/Lib/test/test_sax.py
+Index: Python-3.11.14/Lib/test/test_sax.py
===================================================================
---- Python-3.11.12.orig/Lib/test/test_sax.py 2025-04-11 10:52:22.111440337 +0200
-+++ Python-3.11.12/Lib/test/test_sax.py 2025-04-11 10:52:44.803567098 +0200
+--- Python-3.11.14.orig/Lib/test/test_sax.py 2025-11-11 22:19:20.561791922 +0100
++++ Python-3.11.14/Lib/test/test_sax.py 2025-11-11 22:19:43.417906074 +0100
@@ -19,13 +19,11 @@
from io import BytesIO, StringIO
import codecs
@@ -187,10 +187,10 @@ Index: Python-3.11.12/Lib/test/test_sax.py
self.assertFalse(parser._parser.GetReparseDeferralEnabled())
-Index: Python-3.11.12/Lib/test/test_xml_etree.py
+Index: Python-3.11.14/Lib/test/test_xml_etree.py
===================================================================
---- Python-3.11.12.orig/Lib/test/test_xml_etree.py 2025-04-11 10:52:22.425637912 +0200
-+++ Python-3.11.12/Lib/test/test_xml_etree.py 2025-04-11 10:52:44.804234785 +0200
+--- Python-3.11.14.orig/Lib/test/test_xml_etree.py 2025-11-11 22:19:20.877591822 +0100
++++ Python-3.11.14/Lib/test/test_xml_etree.py 2025-11-11 22:19:43.418467184 +0100
@@ -13,7 +13,6 @@
import operator
import os
diff --git a/CVE-2023-52425-remove-reparse_deferral-tests.patch b/CVE-2023-52425-remove-reparse_deferral-tests.patch
index 553bdf8..4bd433e 100644
--- a/CVE-2023-52425-remove-reparse_deferral-tests.patch
+++ b/CVE-2023-52425-remove-reparse_deferral-tests.patch
@@ -4,9 +4,11 @@
Lib/test/test_xml_etree.py | 2 ++
3 files changed, 6 insertions(+)
---- a/Lib/test/test_pyexpat.py
-+++ b/Lib/test/test_pyexpat.py
-@@ -768,6 +768,7 @@ class ReparseDeferralTest(unittest.TestC
+Index: Python-3.11.14/Lib/test/test_pyexpat.py
+===================================================================
+--- Python-3.11.14.orig/Lib/test/test_pyexpat.py 2025-11-11 22:19:43.417558052 +0100
++++ Python-3.11.14/Lib/test/test_pyexpat.py 2025-11-11 22:19:46.300106206 +0100
+@@ -804,6 +804,7 @@
parser.SetReparseDeferralEnabled(True)
self.assertIs(parser.GetReparseDeferralEnabled(), enabled)
@@ -14,7 +16,7 @@
def test_reparse_deferral_enabled(self):
if not is_expat_2_6_0:
self.skipTest("Linked libexpat doesn't support reparse deferral")
-@@ -791,6 +792,7 @@ class ReparseDeferralTest(unittest.TestC
+@@ -827,6 +828,7 @@
self.assertEqual(started, ['doc'])
@@ -22,9 +24,11 @@
def test_reparse_deferral_disabled(self):
started = []
---- a/Lib/test/test_sax.py
-+++ b/Lib/test/test_sax.py
-@@ -1213,6 +1213,7 @@ class ExpatReaderTest(XmlTestBase):
+Index: Python-3.11.14/Lib/test/test_sax.py
+===================================================================
+--- Python-3.11.14.orig/Lib/test/test_sax.py 2025-11-11 22:19:43.417906074 +0100
++++ Python-3.11.14/Lib/test/test_sax.py 2025-11-11 22:19:46.300752803 +0100
+@@ -1213,6 +1213,7 @@
self.assertEqual(result.getvalue(), start + b"text")
@@ -32,7 +36,7 @@
def test_flush_reparse_deferral_enabled(self):
if not is_expat_2_6_0:
self.skipTest("Linked libexpat doesn't support reparse deferral")
-@@ -1238,6 +1239,7 @@ class ExpatReaderTest(XmlTestBase):
+@@ -1238,6 +1239,7 @@
self.assertEqual(result.getvalue(), start + b"")
@@ -40,9 +44,11 @@
def test_flush_reparse_deferral_disabled(self):
if not is_expat_2_6_0:
self.skipTest("Linked libexpat doesn't support reparse deferral")
---- a/Lib/test/test_xml_etree.py
-+++ b/Lib/test/test_xml_etree.py
-@@ -1620,6 +1620,7 @@ class XMLPullParserTest(unittest.TestCas
+Index: Python-3.11.14/Lib/test/test_xml_etree.py
+===================================================================
+--- Python-3.11.14.orig/Lib/test/test_xml_etree.py 2025-11-11 22:19:43.418467184 +0100
++++ Python-3.11.14/Lib/test/test_xml_etree.py 2025-11-11 22:19:46.301413227 +0100
+@@ -1620,6 +1620,7 @@
with self.assertRaises(ValueError):
ET.XMLPullParser(events=('start', 'end', 'bogus'))
@@ -50,7 +56,7 @@
def test_flush_reparse_deferral_enabled(self):
parser = ET.XMLPullParser(events=('start', 'end'))
-@@ -1641,6 +1642,7 @@ class XMLPullParserTest(unittest.TestCas
+@@ -1641,6 +1642,7 @@
self.assert_event_tags(parser, [('end', 'doc')])
diff --git a/CVE-2025-8291-consistency-zip64.patch b/CVE-2025-8291-consistency-zip64.patch
new file mode 100644
index 0000000..d8cb664
--- /dev/null
+++ b/CVE-2025-8291-consistency-zip64.patch
@@ -0,0 +1,24 @@
+From d8a71bec60ca197650bd93196a804083ba529b53 Mon Sep 17 00:00:00 2001
+From: Serhiy Storchaka
+Date: Tue, 7 Oct 2025 20:55:44 +0300
+Subject: [PATCH] [3.13] gh-139700: Check consistency of the zip64 end of
+ central directory record (GH-139702) (GH-139708) (cherry picked from commit
+ 333d4a6f4967d3ace91492a39ededbcf3faa76a6)
+
+Co-authored-by: Serhiy Storchaka
+Support records with "zip64 extensible data" if there are no bytes
+prepended to the ZIP file.
+(cherry picked from commit 162997bb70e067668c039700141770687bc8f267)
+---
+ Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst | 3 +++
+ 1 file changed, 3 insertions(+)
+ create mode 100644 Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst
+
+Index: Python-3.9.24/Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst
+===================================================================
+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
++++ Python-3.9.24/Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst 2025-11-10 01:01:51.449057588 +0100
+@@ -0,0 +1,3 @@
++Check consistency of the zip64 end of central directory record. Support
++records with "zip64 extensible data" if there are no bytes prepended to the
++ZIP file.
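Review bot: As added here, CVE-2025-8291-consistency-zip64.patch creates only the NEWS fragment `Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst`: its diffstat reads `1 file changed, 3 insertions(+)`, and no hunk touches the zip64 end-of-central-directory parsing or its tests. The spec comment on `Patch26` and the python311.changes entry both describe the patch as performing the consistency check, so a reader auditing CVE coverage would conclude that the fix comes from this file. If the 3.11.14 sources already contain the check, the spec comment should say so, for example `# NEWS entry only; the zip64 consistency check is already in the 3.11.14 sources`. If they do not, the upstream code and test hunks are missing and the CVE is not addressed by this patch. The `Index:` and `+++` paths also name `Python-3.9.24`, whereas every other refreshed patch in this commit uses `Python-3.11.14`, which suggests the file was copied from another branch and should be refreshed against this tree.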
diff --git a/fix_configure_rst.patch b/fix_configure_rst.patch
index a5fe82c..0a3dc4a 100644
--- a/fix_configure_rst.patch
+++ b/fix_configure_rst.patch
@@ -3,9 +3,11 @@
Misc/NEWS | 2 +-
2 files changed, 1 insertion(+), 4 deletions(-)
---- a/Doc/using/configure.rst
-+++ b/Doc/using/configure.rst
-@@ -43,7 +43,6 @@ General Options
+Index: Python-3.11.14/Doc/using/configure.rst
+===================================================================
+--- Python-3.11.14.orig/Doc/using/configure.rst 2025-10-09 18:16:55.000000000 +0200
++++ Python-3.11.14/Doc/using/configure.rst 2025-11-11 22:19:35.846411673 +0100
+@@ -43,7 +43,6 @@
See :data:`sys.int_info.bits_per_digit `.
@@ -13,7 +15,7 @@
.. option:: --with-cxx-main=COMPILER
Compile the Python ``main()`` function and link Python executable with C++
-@@ -529,13 +528,11 @@ macOS Options
+@@ -529,13 +528,11 @@
See ``Mac/README.rst``.
@@ -27,9 +29,11 @@
.. option:: --enable-framework=INSTALLDIR
Create a Python.framework rather than a traditional Unix install. Optional
---- a/Misc/NEWS
-+++ b/Misc/NEWS
-@@ -9911,7 +9911,7 @@ C API
+Index: Python-3.11.14/Misc/NEWS
+===================================================================
+--- Python-3.11.14.orig/Misc/NEWS 2025-10-09 18:16:55.000000000 +0200
++++ Python-3.11.14/Misc/NEWS 2025-11-11 22:19:35.850828264 +0100
+@@ -9987,7 +9987,7 @@
- bpo-40939: Removed documentation for the removed ``PyParser_*`` C API.
- bpo-43795: The list in :ref:`limited-api-list` now shows the public name
diff --git a/python311.changes b/python311.changes
index 5c5eef1..02ff519 100644
--- a/python311.changes
+++ b/python311.changes
@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Tue Nov 4 16:44:05 UTC 2025 - Matej Cepl
+
+- Add CVE-2025-8291-consistency-zip64.patch which checks
+ consistency of the zip64 end of central directory record, and
+ preventing obfuscation of the payload, i.e., you scanning for
+ malicious content in a ZIP file with one ZIP parser (let's say
+ a Rust one) then unpack it in production with another (e.g.,
+ the Python one) and get malicious content that the other parser
+ did not see (CVE-2025-8291, bsc#1251305)
+- Readjust patches while synchronizing between openSUSE and SLE trees:
+ - CVE-2023-52425-libexpat-2.6.0-backport.patch
+ - CVE-2023-52425-remove-reparse_deferral-tests.patch
+ - fix_configure_rst.patch
+ - skip_if_buildbot-extend.patch
+
-------------------------------------------------------------------
Wed Oct 15 08:52:35 UTC 2025 - Daniel Garcia
diff --git a/python311.spec b/python311.spec
index c558683..26f7e8d 100644
--- a/python311.spec
+++ b/python311.spec
@@ -188,6 +188,9 @@ Patch22: gh120226-fix-sendfile-test-kernel-610.patch
Patch24: add-loongarch64-support.patch
# PATCH-FIX-OPENSUSE gh139257-Support-docutils-0.22.patch gh#python/cpython#139257 daniel.garcia@suse.com
Patch25: gh139257-Support-docutils-0.22.patch
+# PATCH-FIX-UPSTREAM CVE-2025-8291-consistency-zip64.patch bsc#1251305 mcepl@suse.com
+# Check consistency of the zip64 end of central directory record
+Patch26: CVE-2025-8291-consistency-zip64.patch
BuildRequires: autoconf-archive
BuildRequires: automake
BuildRequires: crypto-policies-scripts
diff --git a/skip_if_buildbot-extend.patch b/skip_if_buildbot-extend.patch
index fd9a584..0cfcdd3 100644
--- a/skip_if_buildbot-extend.patch
+++ b/skip_if_buildbot-extend.patch
@@ -2,9 +2,11 @@
Lib/test/support/__init__.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
---- a/Lib/test/support/__init__.py
-+++ b/Lib/test/support/__init__.py
-@@ -384,7 +384,7 @@ def skip_if_buildbot(reason=None):
+Index: Python-3.11.14/Lib/test/support/__init__.py
+===================================================================
+--- Python-3.11.14.orig/Lib/test/support/__init__.py 2025-11-11 22:19:19.440964849 +0100
++++ Python-3.11.14/Lib/test/support/__init__.py 2025-11-11 22:19:39.694606976 +0100
+@@ -394,7 +394,7 @@
if not reason:
reason = 'not suitable for buildbots'
try: