Update to 3.11.15:

- Security
    - gh-144125: BytesGenerator will now refuse to serialize
      (write) headers that are unsafely folded or delimited; see
      verify_generated_headers. (Contributed by Bas Bloemsaat and
      Petr Viktorin in gh-121650).
    - gh-143935: Fixed a bug in the folding of comments when
      flattening an email message using a modern email policy.
      Comments consisting of a very long sequence of non-foldable
      characters could trigger a forced line wrap that omitted
      the required leading space on the continuation line,
      causing the remainder of the comment to be interpreted as
      a new header field. This enabled header injection with
      carefully crafted inputs (bsc#1257029 CVE-2025-11468).
    - gh-143925: Reject control characters in data: URL media
      types (bsc#1257046, CVE-2025-15282).
    - gh-143919: Reject control characters in http.cookies.Morsel
      fields and values (bsc#1257031, CVE-2026-0672).
    - gh-143916: Reject C0 control characters within
      wsgiref.headers.Headers fields, values, and parameters
      (bsc#1257042, CVE-2026-0865).
    - gh-142145: Remove quadratic behavior in xml.minidom node ID
      cache clearing. In order to do this without breaking
      existing users, we also add the ownerDocument attribute to
      xml.dom.minidom elements and attributes created by directly
      instantiating the Element or Attr class. Note that this way
      of creating nodes is not supported; creator functions like
      xml.dom.Document.documentElement() should be used instead
      (bsc#1254997, CVE-2025-12084).
    - gh-137836: Add support of the “plaintext” element, RAWTEXT
      elements “xmp”, “iframe”, “noembed” and “noframes”, and
      optionally RAWTEXT element “noscript” in
      html.parser.HTMLParser.
    - gh-136063: email.message: ensure linear complexity for
      legacy HTTP parameters parsing. Patch by Bénédikt Tran.
    - gh-136065: Fix quadratic complexity in
      os.path.expandvars() (bsc#1252974, CVE-2025-6075).
    - gh-119451: Fix a potential memory denial of service in the
      http.client module. When connecting to a malicious server,
      it could cause an arbitrary amount of memory to be
      allocated. This could have led to symptoms including
      a MemoryError, swapping, out of memory (OOM) killed
      processes or containers, or even system crashes
      (CVE-2025-13836, bsc#1254400).
    - gh-119452: Fix a potential memory denial of service in the
      http.server module. When a malicious user is connected to
      the CGI server on Windows, it could cause an arbitrary
      amount of memory to be allocated. This could have led to
      symptoms including a MemoryError, swapping, out of memory
      (OOM) killed processes or containers, or even system
      crashes.
    - gh-119342: Fix a potential memory denial of service in the
      plistlib module. When reading a Plist file received from
      untrusted source, it could cause an arbitrary amount of
      memory to be allocated. This could have led to symptoms
      including a MemoryError, swapping, out of memory (OOM)
      killed processes or containers, or even system crashes
      (bsc#1254401, CVE-2025-13837).
  - Library
    - gh-144833: Fixed a use-after-free in ssl when SSL_new()
      returns NULL in newPySSLSocket(). The error was reported
      via a dangling pointer after the object had already been
      freed.
    - gh-144363: Update bundled libexpat to 2.7.4
    - gh-90949: Add SetAllocTrackerActivationThreshold() and
      SetAllocTrackerMaximumAmplification() to xmlparser objects
      to prevent use of disproportional amounts of dynamic memory
      from within an Expat parser. Patch by Bénédikt Tran.
  - Core and Builtins
    - gh-120384: Fix an array out of bounds crash in
      list_ass_subscript, which could be invoked via some
      specificly tailored input: including concurrent
      modification of a list object, where one thread assigns
      a slice and another clears it.
    - gh-120298: Fix use-after free in list_richcompare_impl
      which can be invoked via some specificly tailored evil
      input.
Remove upstreamed patches:
  - CVE-2025-11468-email-hdr-fold-comment.patch
  - CVE-2025-12084-minidom-quad-search.patch
  - CVE-2025-13836-http-resp-cont-len.patch
  - CVE-2025-13837-plistlib-mailicious-length.patch
  - CVE-2025-6075-expandvars-perf-degrad.patch
  - CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch
  - CVE-2026-0865-wsgiref-ctrl-chars.patch
  - CVE-2025-15282-urllib-ctrl-chars.patch

CVE-2023-52425-libexpat-2.6.0-backport.patch

@@ -1,15 +1,15 @@
 ---
- Lib/test/support/__init__.py |   16 ++++++++++++++--
+ Lib/test/support/__init__.py |   22 ++++++++++++++++------
  Lib/test/test_minidom.py     |   23 +++++++++--------------
  Lib/test/test_pyexpat.py     |   12 +++++-------
  Lib/test/test_sax.py         |   18 +++++++++---------
  Lib/test/test_xml_etree.py   |   12 ------------
- 5 files changed, 37 insertions(+), 44 deletions(-)
+ 5 files changed, 39 insertions(+), 48 deletions(-)
 
-Index: Python-3.11.12/Lib/test/support/__init__.py
+Index: Python-3.11.15/Lib/test/support/__init__.py
 ===================================================================
---- Python-3.11.12.orig/Lib/test/support/__init__.py	2025-04-11 10:52:43.191010503 +0200
+--- Python-3.11.15.orig/Lib/test/support/__init__.py	2026-03-09 00:22:05.833623479 +0100
-+++ Python-3.11.12/Lib/test/support/__init__.py	2025-04-11 10:52:44.802161741 +0200
++++ Python-3.11.15/Lib/test/support/__init__.py	2026-03-09 00:25:45.751482485 +0100
 @@ -8,6 +8,7 @@
  import functools
  import os
@@ -18,7 +18,7 @@ Index: Python-3.11.12/Lib/test/support/__init__.py
  import stat
  import sys
  import sysconfig
-@@ -56,7 +57,7 @@
+@@ -56,10 +57,9 @@
      "run_with_tz", "PGO", "missing_compiler_executable",
      "ALWAYS_EQ", "NEVER_EQ", "LARGEST", "SMALLEST",
      "LOOPBACK_TIMEOUT", "INTERNET_TIMEOUT", "SHORT_TIMEOUT", "LONG_TIMEOUT",
@@ -26,39 +26,48 @@ Index: Python-3.11.12/Lib/test/support/__init__.py
 +    "skip_on_s390x", "fails_with_expat_2_6_0", "is_expat_2_6_0"
      ]
  
- 
+-
-@@ -2244,6 +2245,17 @@
+ # Timeout in seconds for tests using a network server listening on the network
+ # local loopback interface like 127.0.0.1.
+ #
+@@ -2279,10 +2279,20 @@
          }
      return ignored
  
 -#Windows doesn't have os.uname() but it doesn't support s390x.
-+
+-skip_on_s390x = unittest.skipIf(hasattr(os, 'uname') and os.uname().machine == 's390x',
+-                                'skipped on s390x')
+-
 +# Windows doesn't have os.uname() but it doesn't support s390x.
- skip_on_s390x = unittest.skipIf(hasattr(os, 'uname') and os.uname().machine == 's390x',
++skip_on_s390x = unittest.skipIf(
-                                 'skipped on s390x')
++        hasattr(os, 'uname') and os.uname().machine == 's390x',
-+
++        'skipped on s390x')
 +
 +@functools.lru_cache
 +def _is_expat_2_6_0():
 +    return hasattr(pyexpat.ParserCreate(), 'SetReparseDeferralEnabled')
++
 +is_expat_2_6_0 = _is_expat_2_6_0()
 +
 +fails_with_expat_2_6_0 = (unittest.expectedFailure
 +                          if is_expat_2_6_0
 +                          else lambda test: test)
-Index: Python-3.11.12/Lib/test/test_minidom.py
+ 
+ def control_characters_c0() -> list[str]:
+     """Returns a list of C0 control characters as strings.
+Index: Python-3.11.15/Lib/test/test_minidom.py
 ===================================================================
---- Python-3.11.12.orig/Lib/test/test_minidom.py	2025-04-11 10:52:21.907086938 +0200
+--- Python-3.11.15.orig/Lib/test/test_minidom.py	2026-03-09 00:22:01.870138109 +0100
-+++ Python-3.11.12/Lib/test/test_minidom.py	2025-04-11 10:52:44.802522893 +0200
++++ Python-3.11.15/Lib/test/test_minidom.py	2026-03-09 00:22:05.864561664 +0100
-@@ -6,7 +6,6 @@
+@@ -7,7 +7,6 @@
  from test import support
  import unittest
  
 -import pyexpat
  import xml.dom.minidom
  
- from xml.dom.minidom import parse, Attr, Node, Document, parseString
+ from xml.dom.minidom import parse, Attr, Node, Document, Element, parseString
-@@ -1163,13 +1162,11 @@
+@@ -1194,13 +1193,11 @@
  
          # Verify that character decoding errors raise exceptions instead
          # of crashing
@@ -77,7 +86,7 @@ Index: Python-3.11.12/Lib/test/test_minidom.py
                  b'<fran\xe7ais>Comment \xe7a va ? Tr\xe8s bien ?</fran\xe7ais>')
  
          doc.unlink()
-@@ -1631,12 +1628,10 @@
+@@ -1662,12 +1659,10 @@
          self.confirm(doc2.namespaceURI == xml.dom.EMPTY_NAMESPACE)
  
      def testExceptionOnSpacesInXMLNSValue(self):
@@ -94,11 +103,11 @@ Index: Python-3.11.12/Lib/test/test_minidom.py
              parseString('<element xmlns:abc="http:abc.com/de f g/hi/j k"><abc:foo /></element>')
  
      def testDocRemoveChild(self):
-Index: Python-3.11.12/Lib/test/test_pyexpat.py
+Index: Python-3.11.15/Lib/test/test_pyexpat.py
 ===================================================================
---- Python-3.11.12.orig/Lib/test/test_pyexpat.py	2025-04-11 10:52:22.076696906 +0200
+--- Python-3.11.15.orig/Lib/test/test_pyexpat.py	2026-03-09 00:22:02.085337730 +0100
-+++ Python-3.11.12/Lib/test/test_pyexpat.py	2025-04-11 10:52:44.803228085 +0200
++++ Python-3.11.15/Lib/test/test_pyexpat.py	2026-03-09 00:22:21.434819111 +0100
-@@ -14,8 +14,7 @@
+@@ -18,8 +18,7 @@
  from xml.parsers import expat
  from xml.parsers.expat import errors
  
@@ -108,7 +117,7 @@ Index: Python-3.11.12/Lib/test/test_pyexpat.py
  
  class SetAttributeTest(unittest.TestCase):
      def setUp(self):
-@@ -770,9 +769,8 @@
+@@ -810,9 +809,8 @@
          self.assertIs(parser.GetReparseDeferralEnabled(), enabled)
  
      def test_reparse_deferral_enabled(self):
@@ -120,7 +129,7 @@ Index: Python-3.11.12/Lib/test/test_pyexpat.py
  
          started = []
  
-@@ -801,9 +799,9 @@
+@@ -841,9 +839,9 @@
  
          parser = expat.ParserCreate()
          parser.StartElementHandler = start_element
@@ -132,10 +141,10 @@ Index: Python-3.11.12/Lib/test/test_pyexpat.py
  
          for chunk in (b'<doc', b'/>'):
              parser.Parse(chunk, False)
-Index: Python-3.11.12/Lib/test/test_sax.py
+Index: Python-3.11.15/Lib/test/test_sax.py
 ===================================================================
---- Python-3.11.12.orig/Lib/test/test_sax.py	2025-04-11 10:52:22.111440337 +0200
+--- Python-3.11.15.orig/Lib/test/test_sax.py	2026-03-09 00:22:02.128712585 +0100
-+++ Python-3.11.12/Lib/test/test_sax.py	2025-04-11 10:52:44.803567098 +0200
++++ Python-3.11.15/Lib/test/test_sax.py	2026-03-09 00:22:21.434819111 +0100
 @@ -19,13 +19,11 @@
  from io import BytesIO, StringIO
  import codecs
@@ -187,10 +196,10 @@ Index: Python-3.11.12/Lib/test/test_sax.py
  
          self.assertFalse(parser._parser.GetReparseDeferralEnabled())
  
-Index: Python-3.11.12/Lib/test/test_xml_etree.py
+Index: Python-3.11.15/Lib/test/test_xml_etree.py
 ===================================================================
---- Python-3.11.12.orig/Lib/test/test_xml_etree.py	2025-04-11 10:52:22.425637912 +0200
+--- Python-3.11.15.orig/Lib/test/test_xml_etree.py	2026-03-09 00:22:02.529714798 +0100
-+++ Python-3.11.12/Lib/test/test_xml_etree.py	2025-04-11 10:52:44.804234785 +0200
++++ Python-3.11.15/Lib/test/test_xml_etree.py	2026-03-09 00:22:21.434819111 +0100
 @@ -13,7 +13,6 @@
  import operator
  import os

CVE-2023-52425-remove-reparse_deferral-tests.patch

@@ -4,9 +4,11 @@
  Lib/test/test_xml_etree.py |    2 ++
  3 files changed, 6 insertions(+)
 
---- a/Lib/test/test_pyexpat.py
+Index: Python-3.11.15/Lib/test/test_pyexpat.py
-+++ b/Lib/test/test_pyexpat.py
+===================================================================
-@@ -768,6 +768,7 @@ class ReparseDeferralTest(unittest.TestC
+--- Python-3.11.15.orig/Lib/test/test_pyexpat.py	2026-03-06 16:07:07.713428031 +0100
++++ Python-3.11.15/Lib/test/test_pyexpat.py	2026-03-06 18:23:34.307976750 +0100
+@@ -808,6 +808,7 @@
          parser.SetReparseDeferralEnabled(True)
          self.assertIs(parser.GetReparseDeferralEnabled(), enabled)
  
@@ -14,7 +16,7 @@
      def test_reparse_deferral_enabled(self):
          if not is_expat_2_6_0:
              self.skipTest("Linked libexpat doesn't support reparse deferral")
-@@ -791,6 +792,7 @@ class ReparseDeferralTest(unittest.TestC
+@@ -831,6 +832,7 @@
  
          self.assertEqual(started, ['doc'])
  
@@ -22,9 +24,11 @@
      def test_reparse_deferral_disabled(self):
          started = []
  
---- a/Lib/test/test_sax.py
+Index: Python-3.11.15/Lib/test/test_sax.py
-+++ b/Lib/test/test_sax.py
+===================================================================
-@@ -1213,6 +1213,7 @@ class ExpatReaderTest(XmlTestBase):
+--- Python-3.11.15.orig/Lib/test/test_sax.py	2026-03-06 16:07:07.713855947 +0100
++++ Python-3.11.15/Lib/test/test_sax.py	2026-03-06 18:23:34.309155833 +0100
+@@ -1213,6 +1213,7 @@
  
          self.assertEqual(result.getvalue(), start + b"<doc>text</doc>")
  
@@ -32,7 +36,7 @@
      def test_flush_reparse_deferral_enabled(self):
          if not is_expat_2_6_0:
              self.skipTest("Linked libexpat doesn't support reparse deferral")
-@@ -1238,6 +1239,7 @@ class ExpatReaderTest(XmlTestBase):
+@@ -1238,6 +1239,7 @@
  
          self.assertEqual(result.getvalue(), start + b"<doc></doc>")
  
@@ -40,9 +44,11 @@
      def test_flush_reparse_deferral_disabled(self):
          if not is_expat_2_6_0:
              self.skipTest("Linked libexpat doesn't support reparse deferral")
---- a/Lib/test/test_xml_etree.py
+Index: Python-3.11.15/Lib/test/test_xml_etree.py
-+++ b/Lib/test/test_xml_etree.py
+===================================================================
-@@ -1620,6 +1620,7 @@ class XMLPullParserTest(unittest.TestCas
+--- Python-3.11.15.orig/Lib/test/test_xml_etree.py	2026-03-06 16:07:07.714503769 +0100
++++ Python-3.11.15/Lib/test/test_xml_etree.py	2026-03-06 18:23:34.309977052 +0100
+@@ -1620,6 +1620,7 @@
          with self.assertRaises(ValueError):
              ET.XMLPullParser(events=('start', 'end', 'bogus'))
  
@@ -50,7 +56,7 @@
      def test_flush_reparse_deferral_enabled(self):
          parser = ET.XMLPullParser(events=('start', 'end'))
  
-@@ -1641,6 +1642,7 @@ class XMLPullParserTest(unittest.TestCas
+@@ -1641,6 +1642,7 @@
  
          self.assert_event_tags(parser, [('end', 'doc')])
  

CVE-2025-12781-b64decode-alt-chars.patch

@@ -0,0 +1,193 @@
+From f922c02c529d25d61aa9c28a8192639c1fce8d4d Mon Sep 17 00:00:00 2001
+From: Serhiy Storchaka <storchaka@gmail.com>
+Date: Wed, 5 Nov 2025 20:12:31 +0200
+Subject: [PATCH] gh-125346: Add more base64 tests
+
+Add more tests for the altchars argument of b64decode() and for the map01
+argument of b32decode().
+---
+ Doc/library/base64.rst                                                  |   18 +++-
+ Lib/base64.py                                                           |   40 ++++++++-
+ Lib/test/test_base64.py                                                 |   42 +++++++++-
+ Misc/NEWS.d/next/Library/2025-11-06-12-03-29.gh-issue-125346.7Gfpgw.rst |    5 +
+ 4 files changed, 91 insertions(+), 14 deletions(-)
+
+Index: Python-3.11.15/Doc/library/base64.rst
+===================================================================
+--- Python-3.11.15.orig/Doc/library/base64.rst	2026-03-03 01:52:57.000000000 +0100
++++ Python-3.11.15/Doc/library/base64.rst	2026-03-06 19:52:36.492967768 +0100
+@@ -74,15 +74,20 @@
+    A :exc:`binascii.Error` exception is raised
+    if *s* is incorrectly padded.
+ 
+-   If *validate* is ``False`` (the default), characters that are neither
++   If *validate* is false (the default), characters that are neither
+    in the normal base-64 alphabet nor the alternative alphabet are
+-   discarded prior to the padding check.  If *validate* is ``True``,
+-   these non-alphabet characters in the input result in a
+-   :exc:`binascii.Error`.
++   discarded prior to the padding check, but the ``+`` and ``/`` characters
++   keep their meaning if they are not in *altchars* (they will be discarded
++   in future Python versions).
++   If *validate* is true, these non-alphabet characters in the input
++   result in a :exc:`binascii.Error`.
+ 
+    For more information about the strict base64 check, see :func:`binascii.a2b_base64`
+ 
+-   May assert or raise a :exc:`ValueError` if the length of *altchars* is not 2.
++   .. deprecated:: next
++      Accepting the ``+`` and ``/`` characters with an alternative alphabet
++      is now deprecated.
++
+ 
+ .. function:: standard_b64encode(s)
+ 
+@@ -113,6 +118,9 @@
+    ``/`` in the standard Base64 alphabet, and return the decoded
+    :class:`bytes`.
+ 
++   .. deprecated:: next
++      Accepting the ``+`` and ``/`` characters is now deprecated.
++
+ 
+ .. function:: b32encode(s)
+ 
+Index: Python-3.11.15/Lib/base64.py
+===================================================================
+--- Python-3.11.15.orig/Lib/base64.py	2026-03-06 16:06:30.195774827 +0100
++++ Python-3.11.15/Lib/base64.py	2026-03-06 19:52:36.493488040 +0100
+@@ -71,20 +71,39 @@
+     The result is returned as a bytes object.  A binascii.Error is raised if
+     s is incorrectly padded.
+ 
+-    If validate is False (the default), characters that are neither in the
++    If validate is false (the default), characters that are neither in the
+     normal base-64 alphabet nor the alternative alphabet are discarded prior
+-    to the padding check.  If validate is True, these non-alphabet characters
++    to the padding check.  If validate is true, these non-alphabet characters
+     in the input result in a binascii.Error.
+     For more information about the strict base64 check, see:
+ 
+     https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
+     """
+     s = _bytes_from_decode_data(s)
++    badchar = None
+     if altchars is not None:
+         altchars = _bytes_from_decode_data(altchars)
+-        assert len(altchars) == 2, repr(altchars)
++        if len(altchars) != 2:
++            raise ValueError(f'invalid altchars: {altchars!r}')
++        for b in b'+/':
++            if b not in altchars and b in s:
++                badchar = b
++                break
+         s = s.translate(bytes.maketrans(altchars, b'+/'))
+-    return binascii.a2b_base64(s, strict_mode=validate)
++    result = binascii.a2b_base64(s, strict_mode=validate)
++    if badchar is not None:
++        import warnings
++        if validate:
++            warnings.warn(f'invalid character {chr(badchar)!a} in Base64 data '
++                          f'with altchars={altchars!r} and validate=True '
++                          f'will be an error in future Python versions',
++                          DeprecationWarning, stacklevel=2)
++        else:
++            warnings.warn(f'invalid character {chr(badchar)!a} in Base64 data '
++                          f'with altchars={altchars!r} and validate=False '
++                          f'will be discarded in future Python versions',
++                          FutureWarning, stacklevel=2)
++    return result
+ 
+ 
+ def standard_b64encode(s):
+@@ -129,8 +148,19 @@
+     The alphabet uses '-' instead of '+' and '_' instead of '/'.
+     """
+     s = _bytes_from_decode_data(s)
++    badchar = None
++    for b in b'+/':
++        if b in s:
++            badchar = b
++            break
+     s = s.translate(_urlsafe_decode_translation)
+-    return b64decode(s)
++    result = binascii.a2b_base64(s, strict_mode=False)
++    if badchar is not None:
++        import warnings
++        warnings.warn(f'invalid character {chr(badchar)!a} in URL-safe Base64 data '
++                      f'will be discarded in future Python versions',
++                      FutureWarning, stacklevel=2)
++    return result
+ 
+ 
+ 
+Index: Python-3.11.15/Lib/test/test_base64.py
+===================================================================
+--- Python-3.11.15.orig/Lib/test/test_base64.py	2026-03-06 16:06:32.552854037 +0100
++++ Python-3.11.15/Lib/test/test_base64.py	2026-03-06 19:52:36.494050069 +0100
+@@ -228,6 +228,25 @@
+                                b'\xd3V\xbeo\xf7\x1d')
+         self.check_decode_type_errors(base64.urlsafe_b64decode)
+ 
++    def test_b64decode_altchars(self):
++        # Test with arbitrary alternative characters
++        eq = self.assertEqual
++        res = b'\xd3V\xbeo\xf7\x1d'
++        for altchars in b'*$', b'+/', b'/+', b'+_', b'-+', b'-/', b'/_':
++            data = b'01a%cb%ccd' % tuple(altchars)
++            data_str = data.decode('ascii')
++            altchars_str = altchars.decode('ascii')
++
++            eq(base64.b64decode(data, altchars=altchars), res)
++            eq(base64.b64decode(data_str, altchars=altchars), res)
++            eq(base64.b64decode(data, altchars=altchars_str), res)
++            eq(base64.b64decode(data_str, altchars=altchars_str), res)
++
++        self.assertRaises(ValueError, base64.b64decode, b'', altchars=b'+')
++        self.assertRaises(ValueError, base64.b64decode, b'', altchars=b'+/-')
++        self.assertRaises(ValueError, base64.b64decode, '', altchars='+')
++        self.assertRaises(ValueError, base64.b64decode, '', altchars='+/-')
++
+     def test_b64decode_padding_error(self):
+         self.assertRaises(binascii.Error, base64.b64decode, b'abc')
+         self.assertRaises(binascii.Error, base64.b64decode, 'abc')
+@@ -259,10 +278,25 @@
+             with self.assertRaises(binascii.Error):
+                 base64.b64decode(bstr.decode('ascii'), validate=True)
+ 
+-        # Normal alphabet characters not discarded when alternative given
+-        res = b'\xFB\xEF\xBE\xFF\xFF\xFF'
+-        self.assertEqual(base64.b64decode(b'++[[//]]', b'[]'), res)
+-        self.assertEqual(base64.urlsafe_b64decode(b'++--//__'), res)
++        # Normal alphabet characters will be discarded when alternative given
++        with self.assertWarns(FutureWarning):
++            self.assertEqual(base64.b64decode(b'++++', altchars=b'-_'),
++                             b'\xfb\xef\xbe')
++        with self.assertWarns(FutureWarning):
++            self.assertEqual(base64.b64decode(b'////', altchars=b'-_'),
++                             b'\xff\xff\xff')
++        with self.assertWarns(DeprecationWarning):
++            self.assertEqual(base64.b64decode(b'++++', altchars=b'-_', validate=True),
++                             b'\xfb\xef\xbe')
++        with self.assertWarns(DeprecationWarning):
++            self.assertEqual(base64.b64decode(b'////', altchars=b'-_', validate=True),
++                             b'\xff\xff\xff')
++        with self.assertWarns(FutureWarning):
++            self.assertEqual(base64.urlsafe_b64decode(b'++++'), b'\xfb\xef\xbe')
++        with self.assertWarns(FutureWarning):
++            self.assertEqual(base64.urlsafe_b64decode(b'////'), b'\xff\xff\xff')
++        with self.assertRaises(binascii.Error):
++            base64.b64decode(b'+/!', altchars=b'-_')
+ 
+     def test_b32encode(self):
+         eq = self.assertEqual
+Index: Python-3.11.15/Misc/NEWS.d/next/Library/2025-11-06-12-03-29.gh-issue-125346.7Gfpgw.rst
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ Python-3.11.15/Misc/NEWS.d/next/Library/2025-11-06-12-03-29.gh-issue-125346.7Gfpgw.rst	2026-03-06 19:52:36.494404708 +0100
+@@ -0,0 +1,5 @@
++Accepting ``+`` and ``/`` characters with an alternative alphabet in
++:func:`base64.b64decode` and :func:`base64.urlsafe_b64decode` is now
++deprecated.
++In future Python versions they will be errors in the strict mode and
++discarded in the non-strict mode.

CVE-2025-15366-imap-ctrl-chars.patch

@@ -0,0 +1,38 @@
+From 7485ee5e2cf81d3e5ad0d9c3be73cecd2ab4eec7 Mon Sep 17 00:00:00 2001
+From: Seth Michael Larson <seth@python.org>
+Date: Fri, 16 Jan 2026 10:54:09 -0600
+Subject: [PATCH 1/2] Add 'test.support' fixture for C0 control characters
+
+---
+ Lib/imaplib.py                                                           |    4 +++-
+ Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst |    1 +
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+Index: Python-3.11.15/Lib/imaplib.py
+===================================================================
+--- Python-3.11.15.orig/Lib/imaplib.py	2026-03-06 16:06:31.545110864 +0100
++++ Python-3.11.15/Lib/imaplib.py	2026-03-06 19:51:51.838695961 +0100
+@@ -132,7 +132,7 @@
+ # We compile these in _mode_xxx.
+ _Literal = br'.*{(?P<size>\d+)}$'
+ _Untagged_status = br'\* (?P<data>\d+) (?P<type>[A-Z-]+)( (?P<data2>.*))?'
+-
++_control_chars = re.compile(b'[\x00-\x1F\x7F]')
+ 
+ 
+ class IMAP4:
+@@ -994,6 +994,8 @@
+             if arg is None: continue
+             if isinstance(arg, str):
+                 arg = bytes(arg, self._encoding)
++            if _control_chars.search(arg):
++                raise ValueError("Control characters not allowed in commands")
+             data = data + b' ' + arg
+ 
+         literal = self.literal
+Index: Python-3.11.15/Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ Python-3.11.15/Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst	2026-03-06 19:51:51.839096617 +0100
+@@ -0,0 +1 @@
++Reject control characters in IMAP commands.

CVE-2025-15367-poplib-ctrl-chars.patch

@@ -0,0 +1,56 @@
+From b6f733b285b1c4f27dacb5c2e1f292c914e8b933 Mon Sep 17 00:00:00 2001
+From: Seth Michael Larson <seth@python.org>
+Date: Fri, 16 Jan 2026 10:54:09 -0600
+Subject: [PATCH 1/2] Add 'test.support' fixture for C0 control characters
+
+---
+ Lib/poplib.py                                                            |    2 ++
+ Lib/test/test_poplib.py                                                  |    8 ++++++++
+ Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst |    1 +
+ 3 files changed, 11 insertions(+)
+
+Index: Python-3.11.15/Lib/poplib.py
+===================================================================
+--- Python-3.11.15.orig/Lib/poplib.py	2026-03-06 16:06:32.025693538 +0100
++++ Python-3.11.15/Lib/poplib.py	2026-03-06 19:52:31.051258464 +0100
+@@ -122,6 +122,8 @@
+     def _putcmd(self, line):
+         if self._debugging: print('*cmd*', repr(line))
+         line = bytes(line, self.encoding)
++        if re.search(b'[\x00-\x1F\x7F]', line):
++            raise ValueError('Control characters not allowed in commands')
+         self._putline(line)
+ 
+ 
+Index: Python-3.11.15/Lib/test/test_poplib.py
+===================================================================
+--- Python-3.11.15.orig/Lib/test/test_poplib.py	2026-03-06 16:06:33.708669394 +0100
++++ Python-3.11.15/Lib/test/test_poplib.py	2026-03-06 19:52:31.052258474 +0100
+@@ -16,6 +16,7 @@
+ from test.support import socket_helper
+ from test.support import threading_helper
+ from test.support import warnings_helper
++from test.support import control_characters_c0
+ 
+ 
+ asynchat = warnings_helper.import_deprecated('asynchat')
+@@ -367,6 +368,13 @@
+         self.assertIsNone(self.client.sock)
+         self.assertIsNone(self.client.file)
+ 
++    def test_control_characters(self):
++        for c0 in control_characters_c0():
++            with self.assertRaises(ValueError):
++                self.client.user(f'user{c0}')
++            with self.assertRaises(ValueError):
++                self.client.pass_(f'{c0}pass')
++
+     @requires_ssl
+     def test_stls_capa(self):
+         capa = self.client.capa()
+Index: Python-3.11.15/Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ Python-3.11.15/Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst	2026-03-06 19:52:31.053950556 +0100
+@@ -0,0 +1 @@
++Reject control characters in POP3 commands.

bso1227999-reproducible-builds.patch

@@ -12,9 +12,11 @@ for the definition of this variable.
  Doc/library/functions.rst |    2 +-
  2 files changed, 3 insertions(+), 2 deletions(-)
 
---- a/Doc/conf.py
+Index: Python-3.11.15/Doc/conf.py
-+++ b/Doc/conf.py
+===================================================================
-@@ -316,7 +316,8 @@ html_context = {
+--- Python-3.11.15.orig/Doc/conf.py	2026-03-03 01:52:57.000000000 +0100
++++ Python-3.11.15/Doc/conf.py	2026-03-06 18:23:39.828089970 +0100
+@@ -316,7 +316,8 @@
  }
  
  # This 'Last updated on:' timestamp is inserted at the bottom of every page.
@@ -24,9 +26,11 @@ for the definition of this variable.
  
  # Path to find HTML templates.
  templates_path = ['tools/templates']
---- a/Doc/library/functions.rst
+Index: Python-3.11.15/Doc/library/functions.rst
-+++ b/Doc/library/functions.rst
+===================================================================
-@@ -1356,7 +1356,7 @@ are always available.  They are listed h
+--- Python-3.11.15.orig/Doc/library/functions.rst	2026-03-03 01:52:57.000000000 +0100
++++ Python-3.11.15/Doc/library/functions.rst	2026-03-06 18:23:39.829089979 +0100
+@@ -1356,7 +1356,7 @@
     (where :func:`open` is declared), :mod:`os`, :mod:`os.path`, :mod:`tempfile`,
     and :mod:`shutil`.
  

fix_configure_rst.patch

@@ -3,9 +3,11 @@
  Misc/NEWS               |    2 +-
  2 files changed, 1 insertion(+), 4 deletions(-)
 
---- a/Doc/using/configure.rst
+Index: Python-3.11.15/Doc/using/configure.rst
-+++ b/Doc/using/configure.rst
+===================================================================
-@@ -43,7 +43,6 @@ General Options
+--- Python-3.11.15.orig/Doc/using/configure.rst	2026-03-06 16:06:43.304945441 +0100
++++ Python-3.11.15/Doc/using/configure.rst	2026-03-06 16:06:55.576758292 +0100
+@@ -43,7 +43,6 @@
  
     See :data:`sys.int_info.bits_per_digit <sys.int_info>`.
  
@@ -13,7 +15,7 @@
  .. option:: --with-cxx-main=COMPILER
  
     Compile the Python ``main()`` function and link Python executable with C++
-@@ -529,13 +528,11 @@ macOS Options
+@@ -529,13 +528,11 @@
  
  See ``Mac/README.rst``.
  
@@ -27,9 +29,11 @@
  .. option:: --enable-framework=INSTALLDIR
  
     Create a Python.framework rather than a traditional Unix install. Optional
---- a/Misc/NEWS
+Index: Python-3.11.15/Misc/NEWS
-+++ b/Misc/NEWS
+===================================================================
-@@ -9911,7 +9911,7 @@ C API
+--- Python-3.11.15.orig/Misc/NEWS	2026-03-06 16:06:43.304945441 +0100
++++ Python-3.11.15/Misc/NEWS	2026-03-06 16:06:55.580059032 +0100
+@@ -10081,7 +10081,7 @@
  - bpo-40939: Removed documentation for the removed ``PyParser_*`` C API.
  
  - bpo-43795: The list in :ref:`limited-api-list` now shows the public name

python311.changes

@@ -1,3 +1,145 @@
+-------------------------------------------------------------------
+Fri Mar  6 18:54:51 UTC 2026 - Matej Cepl <mcepl@cepl.eu>
+
+- Update to 3.11.15:
+  - Security
+    - gh-144125: BytesGenerator will now refuse to serialize
+      (write) headers that are unsafely folded or delimited; see
+      verify_generated_headers. (Contributed by Bas Bloemsaat and
+      Petr Viktorin in gh-121650).
+    - gh-143935: Fixed a bug in the folding of comments when
+      flattening an email message using a modern email policy.
+      Comments consisting of a very long sequence of non-foldable
+      characters could trigger a forced line wrap that omitted
+      the required leading space on the continuation line,
+      causing the remainder of the comment to be interpreted as
+      a new header field. This enabled header injection with
+      carefully crafted inputs (bsc#1257029 CVE-2025-11468).
+    - gh-143925: Reject control characters in data: URL media
+      types (bsc#1257046, CVE-2025-15282).
+    - gh-143919: Reject control characters in http.cookies.Morsel
+      fields and values (bsc#1257031, CVE-2026-0672).
+    - gh-143916: Reject C0 control characters within
+      wsgiref.headers.Headers fields, values, and parameters
+      (bsc#1257042, CVE-2026-0865).
+    - gh-142145: Remove quadratic behavior in xml.minidom node ID
+      cache clearing. In order to do this without breaking
+      existing users, we also add the ownerDocument attribute to
+      xml.dom.minidom elements and attributes created by directly
+      instantiating the Element or Attr class. Note that this way
+      of creating nodes is not supported; creator functions like
+      xml.dom.Document.documentElement() should be used instead
+      (bsc#1254997, CVE-2025-12084).
+    - gh-137836: Add support of the “plaintext” element, RAWTEXT
+      elements “xmp”, “iframe”, “noembed” and “noframes”, and
+      optionally RAWTEXT element “noscript” in
+      html.parser.HTMLParser.
+    - gh-136063: email.message: ensure linear complexity for
+      legacy HTTP parameters parsing. Patch by Bénédikt Tran.
+    - gh-136065: Fix quadratic complexity in
+      os.path.expandvars() (bsc#1252974, CVE-2025-6075).
+    - gh-119451: Fix a potential memory denial of service in the
+      http.client module. When connecting to a malicious server,
+      it could cause an arbitrary amount of memory to be
+      allocated. This could have led to symptoms including
+      a MemoryError, swapping, out of memory (OOM) killed
+      processes or containers, or even system crashes
+      (CVE-2025-13836, bsc#1254400).
+    - gh-119452: Fix a potential memory denial of service in the
+      http.server module. When a malicious user is connected to
+      the CGI server on Windows, it could cause an arbitrary
+      amount of memory to be allocated. This could have led to
+      symptoms including a MemoryError, swapping, out of memory
+      (OOM) killed processes or containers, or even system
+      crashes.
+    - gh-119342: Fix a potential memory denial of service in the
+      plistlib module. When reading a Plist file received from
+      untrusted source, it could cause an arbitrary amount of
+      memory to be allocated. This could have led to symptoms
+      including a MemoryError, swapping, out of memory (OOM)
+      killed processes or containers, or even system crashes
+      (bsc#1254401, CVE-2025-13837).
+  - Library
+    - gh-144833: Fixed a use-after-free in ssl when SSL_new()
+      returns NULL in newPySSLSocket(). The error was reported
+      via a dangling pointer after the object had already been
+      freed.
+    - gh-144363: Update bundled libexpat to 2.7.4
+    - gh-90949: Add SetAllocTrackerActivationThreshold() and
+      SetAllocTrackerMaximumAmplification() to xmlparser objects
+      to prevent use of disproportional amounts of dynamic memory
+      from within an Expat parser. Patch by Bénédikt Tran.
+  - Core and Builtins
+    - gh-120384: Fix an array out of bounds crash in
+      list_ass_subscript, which could be invoked via some
+      specificly tailored input: including concurrent
+      modification of a list object, where one thread assigns
+      a slice and another clears it.
+    - gh-120298: Fix use-after free in list_richcompare_impl
+      which can be invoked via some specificly tailored evil
+      input.
+Remove upstreamed patches:
+  - CVE-2025-11468-email-hdr-fold-comment.patch
+  - CVE-2025-12084-minidom-quad-search.patch
+  - CVE-2025-13836-http-resp-cont-len.patch
+  - CVE-2025-13837-plistlib-mailicious-length.patch
+  - CVE-2025-6075-expandvars-perf-degrad.patch
+  - CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch
+  - CVE-2026-0865-wsgiref-ctrl-chars.patch
+  - CVE-2025-15282-urllib-ctrl-chars.patch
+
+-------------------------------------------------------------------
+Wed Feb 11 19:09:06 CET 2026 - Matej Cepl <mcepl@suse.com>
+
+- CVE-2025-11468: preserving parens when folding comments in
+  email headers (bsc#1257029, gh#python/cpython#143935).
+  CVE-2025-11468-email-hdr-fold-comment.patch
+- CVE-2026-0672: rejects control characters in http cookies.
+  (bsc#1257031, gh#python/cpython#143919)
+  CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch
+- CVE-2026-0865: rejecting control characters in
+  wsgiref.headers.Headers, which could be abused for injecting
+  false HTTP headers. (bsc#1257042, gh#python/cpython#143916)
+  CVE-2026-0865-wsgiref-ctrl-chars.patch
+- CVE-2025-15366: basically the same as the previous patch for
+  IMAP protocol. (bsc#1257044, gh#python/cpython#143921)
+  CVE-2025-15366-imap-ctrl-chars.patch
+- CVE-2025-15282: basically the same as the previous patch for
+  urllib library. (bsc#1257046, gh#python/cpython#143925)
+  CVE-2025-15282-urllib-ctrl-chars.patch
+- CVE-2025-15367: basically the same as the previous patch for
+  poplib library. (bsc#1257041, gh#python/cpython#143923)
+  CVE-2025-15367-poplib-ctrl-chars.patch
+- CVE-2025-12781: fix decoding with non-standard Base64 alphabet
+  (bsc#1257108, gh#python/cpython#125346)
+  CVE-2025-12781-b64decode-alt-chars.patch
+
+-------------------------------------------------------------------
+Thu Dec 18 10:33:44 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Add CVE-2025-13836-http-resp-cont-len.patch (bsc#1254400,
+  CVE-2025-13836) to prevent reading an HTTP response from
+  a server, if no read amount is specified, with using
+  Content-Length per default as the length.
+- Add CVE-2025-12084-minidom-quad-search.patch prevent quadratic
+  behavior in node ID cache clearing (CVE-2025-12084,
+  bsc#1254997).
+- Add CVE-2025-13837-plistlib-mailicious-length.patch protect
+  against OOM when loading malicious content (CVE-2025-13837,
+  bsc#1254401).
+
+-------------------------------------------------------------------
+Thu Nov 13 17:13:03 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Add CVE-2025-6075-expandvars-perf-degrad.patch avoid simple
+  quadratic complexity vulnerabilities of os.path.expandvars()
+  (CVE-2025-6075, bsc#1252974).
+- Readjusted patches:
+  - CVE-2023-52425-libexpat-2.6.0-backport.patch
+  - CVE-2023-52425-remove-reparse_deferral-tests.patch
+  - fix_configure_rst.patch
+  - skip_if_buildbot-extend.patch
+
 -------------------------------------------------------------------
 Wed Oct 15 08:52:35 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
 

python311.spec

@@ -107,7 +107,7 @@
 # _md5.cpython-38m-x86_64-linux-gnu.so
 %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
 Name:           %{python_pkg_name}%{psuffix}
-Version:        3.11.14
+Version:        3.11.15
 Release:        0
 Summary:        Python 3 Interpreter
 License:        Python-2.0
@@ -188,6 +188,16 @@ Patch22:        gh120226-fix-sendfile-test-kernel-610.patch
 Patch24:        add-loongarch64-support.patch
 # PATCH-FIX-OPENSUSE gh139257-Support-docutils-0.22.patch gh#python/cpython#139257 daniel.garcia@suse.com
 Patch25:        gh139257-Support-docutils-0.22.patch
+# PATCH-FIX-UPSTREAM CVE-2025-15366-imap-ctrl-chars.patch bsc#1257044 mcepl@suse.com
+# Reject control characters in wsgiref.headers.Headers
+Patch33:        CVE-2025-15366-imap-ctrl-chars.patch
+# PATCH-FIX-UPSTREAM CVE-2025-15367-poplib-ctrl-chars.patch bsc#1257041 mcepl@suse.com
+# Reject control characters in poplib
+Patch35:        CVE-2025-15367-poplib-ctrl-chars.patch
+# PATCH-FIX-UPSTREAM CVE-2025-12781-b64decode-alt-chars.patch bsc#1257108 mcepl@suse.com
+# Fix decoding with non-standard Base64 alphabet gh#python/cpython#125346
+Patch36:        CVE-2025-12781-b64decode-alt-chars.patch
+### END OF PATCHES
 BuildRequires:  autoconf-archive
 BuildRequires:  automake
 BuildRequires:  crypto-policies-scripts
@@ -543,6 +553,9 @@ LD_LIBRARY_PATH=.:$LD_LIBRARY_PATH \
 %check
 export SUSE_VERSION="0%{?suse_version}"
 export SLE_VERSION="0%{?sle_version}"
+echo "Show the openssl version"
+openssl version -a
+echo ""
 %if %{with general}
 # exclude test_gdb -- it doesn't run in buildservice anyway, and fails on missing debuginfos
 # when you install gdb into your test env

skip_if_buildbot-extend.patch

@@ -2,9 +2,11 @@
  Lib/test/support/__init__.py |    2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
---- a/Lib/test/support/__init__.py
+Index: Python-3.11.14/Lib/test/support/__init__.py
-+++ b/Lib/test/support/__init__.py
+===================================================================
-@@ -384,7 +384,7 @@ def skip_if_buildbot(reason=None):
+--- Python-3.11.14.orig/Lib/test/support/__init__.py	2025-11-15 19:14:54.049952478 +0100
++++ Python-3.11.14/Lib/test/support/__init__.py	2025-11-15 19:15:08.449938538 +0100
+@@ -394,7 +394,7 @@
      if not reason:
          reason = 'not suitable for buildbots'
      try: