diff --git a/CVE-2025-6069-quad-complex-HTMLParser.patch b/CVE-2025-6069-quad-complex-HTMLParser.patch
deleted file mode 100644
index 3336e74..0000000
--- a/CVE-2025-6069-quad-complex-HTMLParser.patch
+++ /dev/null
@@ -1,247 +0,0 @@
-From 9043edabc7e2f0dd655146e0a4571e2a0b2906af Mon Sep 17 00:00:00 2001
-From: Serhiy Storchaka
-Date: Fri, 13 Jun 2025 19:57:48 +0300
-Subject: [PATCH] gh-135462: Fix quadratic complexity in processing special
- input in HTMLParser (GH-135464)
-
-End-of-file errors are now handled according to the HTML5 specs --
-comments and declarations are automatically closed, tags are ignored.
-(cherry picked from commit 6eb6c5dbfb528bd07d77b60fd71fd05d81d45c41)
-
-Co-authored-by: Serhiy Storchaka
----
- Lib/html/parser.py | 41 +++-
- Lib/test/test_htmlparser.py | 97 +++++++---
- Misc/NEWS.d/next/Security/2025-06-13-15-55-22.gh-issue-135462.KBeJpc.rst | 4
- 3 files changed, 111 insertions(+), 31 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Security/2025-06-13-15-55-22.gh-issue-135462.KBeJpc.rst
-
-Index: Python-3.13.5/Lib/html/parser.py
-===================================================================
---- Python-3.13.5.orig/Lib/html/parser.py 2025-06-11 17:36:57.000000000 +0200
-+++ Python-3.13.5/Lib/html/parser.py 2025-07-02 16:49:52.020175099 +0200
-@@ -27,6 +27,7 @@
- attr_charref = re.compile(r'&(#[0-9]+|#[xX][0-9a-fA-F]+|[a-zA-Z][a-zA-Z0-9]*)[;=]?')
-
- starttagopen = re.compile('<[a-zA-Z]')
-+endtagopen = re.compile('')
- commentclose = re.compile(r'--\s*>')
- # Note:
-@@ -195,7 +196,7 @@
- k = self.parse_pi(i)
- elif startswith("', i + 1)
-- if k < 0:
-- k = rawdata.find('<', i + 1)
-- if k < 0:
-- k = i + 1
-+ if starttagopen.match(rawdata, i): # < + letter
-+ pass
-+ elif startswith("'),
-- ('comment', '/img'),
-- ('endtag', 'html<')])
-+ ('data', '\n')])
-
- def test_starttag_junk_chars(self):
-+ self._run_check("<", [('data', '<')])
-+ self._run_check("<>", [('data', '<>')])
-+ self._run_check("< >", [('data', '< >')])
-+ self._run_check("< ", [('data', '< ')])
- self._run_check("", [])
-+ self._run_check("<$>", [('data', '<$>')])
- self._run_check("", [('comment', '$')])
- self._run_check("", [('endtag', 'a')])
-+ self._run_check("", [('starttag', 'a", [('endtag', 'a'", [('data', "'", [])
-+ self._run_check("", [('starttag', 'a$b', [])])
- self._run_check("", [('startendtag', 'a$b', [])])
- self._run_check("", [('starttag', 'a$b', [])])
- self._run_check("", [('startendtag', 'a$b', [])])
-+ self._run_check("", [('endtag', 'a$b')])
-
- def test_slashes_in_starttag(self):
- self._run_check('', [('startendtag', 'a', [('foo', 'var')])])
-@@ -576,21 +583,50 @@
- for html, expected in data:
- self._run_check(html, expected)
-
-- def test_EOF_in_comments_or_decls(self):
-+ def test_eof_in_comments(self):
- data = [
-- ('', [('comment', '-!>')]),
-+ (''
- ''
- ''
-@@ -604,6 +640,7 @@
- '' # required '[' after CDATA
- )
- expected = [
-+ ('comment', 'ELEMENT br EMPTY'),
- ('comment', ' not really a comment '),
- ('comment', ' not a comment either --'),
- ('comment', ' -- close enough --'),
-@@ -684,6 +721,26 @@
- ('endtag', 'a'), ('data', ' bar & baz')]
- )
-
-+ @support.requires_resource('cpu')
-+ def test_eof_no_quadratic_complexity(self):
-+ # Each of these examples used to take about an hour.
-+ # Now they take a fraction of a second.
-+ def check(source):
-+ parser = html.parser.HTMLParser()
-+ parser.feed(source)
-+ parser.close()
-+ n = 120_000
-+ check("
+Date: Tue, 7 Oct 2025 20:15:26 +0300
+Subject: [PATCH] [3.13] gh-139700: Check consistency of the zip64 end of
+ central directory record (GH-139702)
+
+Support records with "zip64 extensible data" if there are no bytes
+prepended to the ZIP file.
+(cherry picked from commit 162997bb70e067668c039700141770687bc8f267)
+
+Co-authored-by: Serhiy Storchaka
+---
+ Lib/test/test_zipfile/test_core.py | 82 ++++++++++++++++++-
+ Lib/zipfile/__init__.py | 51 +++++++-----
+ ...-10-07-19-31-34.gh-issue-139700.vNHU1O.rst | 3 +
+ 3 files changed, 113 insertions(+), 23 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst
+
+diff --git a/Lib/test/test_zipfile/test_core.py b/Lib/test/test_zipfile/test_core.py
+index 41ec6a437ba917..2212d9c91dc899 100644
+--- a/Lib/test/test_zipfile/test_core.py
++++ b/Lib/test/test_zipfile/test_core.py
+@@ -884,6 +884,8 @@ def make_zip64_file(
+ self, file_size_64_set=False, file_size_extra=False,
+ compress_size_64_set=False, compress_size_extra=False,
+ header_offset_64_set=False, header_offset_extra=False,
++ extensible_data=b'',
++ end_of_central_dir_size=None, offset_to_end_of_central_dir=None,
+ ):
+ """Generate bytes sequence for a zip with (incomplete) zip64 data.
+
+@@ -937,6 +939,12 @@ def make_zip64_file(
+
+ central_dir_size = struct.pack(' 1:
+ raise BadZipFile("zipfiles that span multiple disks are not supported")
+
+- # Assume no 'zip64 extensible data'
+- fpin.seek(offset - sizeEndCentDir64Locator - sizeEndCentDir64, 2)
++ offset -= sizeEndCentDir64
++ if reloff > offset:
++ raise BadZipFile("Corrupt zip64 end of central directory locator")
++ # First, check the assumption that there is no prepended data.
++ fpin.seek(reloff)
++ extrasz = offset - reloff
+ data = fpin.read(sizeEndCentDir64)
+ if len(data) != sizeEndCentDir64:
+- return endrec
++ raise OSError("Unknown I/O error")
++ if not data.startswith(stringEndArchive64) and reloff != offset:
++ # Since we already have seen the Zip64 EOCD Locator, it's
++ # possible we got here because there is prepended data.
++ # Assume no 'zip64 extensible data'
++ fpin.seek(offset)
++ extrasz = 0
++ data = fpin.read(sizeEndCentDir64)
++ if len(data) != sizeEndCentDir64:
++ raise OSError("Unknown I/O error")
++ if not data.startswith(stringEndArchive64):
++ raise BadZipFile("Zip64 end of central directory record not found")
++
+ sig, sz, create_version, read_version, disk_num, disk_dir, \
+ dircount, dircount2, dirsize, diroffset = \
+ struct.unpack(structEndArchive64, data)
+- if sig != stringEndArchive64:
+- return endrec
++ if (diroffset + dirsize != reloff or
++ sz + 12 != sizeEndCentDir64 + extrasz):
++ raise BadZipFile("Corrupt zip64 end of central directory record")
+
+ # Update the original endrec using data from the ZIP64 record
+ endrec[_ECD_SIGNATURE] = sig
+@@ -289,6 +305,7 @@ def _EndRecData64(fpin, offset, endrec):
+ endrec[_ECD_ENTRIES_TOTAL] = dircount2
+ endrec[_ECD_SIZE] = dirsize
+ endrec[_ECD_OFFSET] = diroffset
++ endrec[_ECD_LOCATION] = offset - extrasz
+ return endrec
+
+
+@@ -322,7 +339,7 @@ def _EndRecData(fpin):
+ endrec.append(filesize - sizeEndCentDir)
+
+ # Try to read the "Zip64 end of central directory" structure
+- return _EndRecData64(fpin, -sizeEndCentDir, endrec)
++ return _EndRecData64(fpin, filesize - sizeEndCentDir, endrec)
+
+ # Either this is not a ZIP file, or it is a ZIP file with an archive
+ # comment. Search the end of the file for the "end of central directory"
+@@ -346,8 +363,7 @@ def _EndRecData(fpin):
+ endrec.append(maxCommentStart + start)
+
+ # Try to read the "Zip64 end of central directory" structure
+- return _EndRecData64(fpin, maxCommentStart + start - filesize,
+- endrec)
++ return _EndRecData64(fpin, maxCommentStart + start, endrec)
+
+ # Unable to find a valid end of central directory structure
+ return None
+@@ -1458,9 +1474,6 @@ def _RealGetContents(self):
+
+ # "concat" is zero, unless zip was concatenated to another file
+ concat = endrec[_ECD_LOCATION] - size_cd - offset_cd
+- if endrec[_ECD_SIGNATURE] == stringEndArchive64:
+- # If Zip64 extension structures are present, account for them
+- concat -= (sizeEndCentDir64 + sizeEndCentDir64Locator)
+
+ if self.debug > 2:
+ inferred = concat + offset_cd
+@@ -2082,7 +2095,7 @@ def _write_end_record(self):
+ " would require ZIP64 extensions")
+ zip64endrec = struct.pack(
+ structEndArchive64, stringEndArchive64,
+- 44, 45, 45, 0, 0, centDirCount, centDirCount,
++ sizeEndCentDir64 - 12, 45, 45, 0, 0, centDirCount, centDirCount,
+ centDirSize, centDirOffset)
+ self.fp.write(zip64endrec)
+
+diff --git a/Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst b/Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst
+new file mode 100644
+index 00000000000000..a8e7a1f1878c6b
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst
+@@ -0,0 +1,3 @@
++Check consistency of the zip64 end of central directory record. Support
++records with "zip64 extensible data" if there are no bytes prepended to the
++ZIP file.
diff --git a/F00251-change-user-install-location.patch b/F00251-change-user-install-location.patch
index 0e67e07..a1aa69d 100644
--- a/F00251-change-user-install-location.patch
+++ b/F00251-change-user-install-location.patch
@@ -28,10 +28,10 @@ Co-authored-by: LumÃr Balhar
Lib/test/test_sysconfig.py | 17 +++++++++++--
2 files changed, 67 insertions(+), 7 deletions(-)
-Index: Python-3.13.3/Lib/sysconfig/__init__.py
+Index: Python-3.13.9/Lib/sysconfig/__init__.py
===================================================================
---- Python-3.13.3.orig/Lib/sysconfig/__init__.py 2025-04-08 15:54:08.000000000 +0200
-+++ Python-3.13.3/Lib/sysconfig/__init__.py 2025-04-11 21:52:31.769387873 +0200
+--- Python-3.13.9.orig/Lib/sysconfig/__init__.py 2025-10-14 15:52:31.000000000 +0200
++++ Python-3.13.9/Lib/sysconfig/__init__.py 2025-11-04 17:41:28.521141323 +0100
@@ -106,6 +106,11 @@
else:
_INSTALL_SCHEMES['venv'] = _INSTALL_SCHEMES['posix_venv']
@@ -128,10 +128,10 @@ Index: Python-3.13.3/Lib/sysconfig/__init__.py
_CONFIG_VARS['py_version'] = _PY_VERSION
_CONFIG_VARS['py_version_short'] = _PY_VERSION_SHORT
_CONFIG_VARS['py_version_nodot'] = _PY_VERSION_SHORT_NO_DOT
-Index: Python-3.13.3/Lib/test/test_sysconfig.py
+Index: Python-3.13.9/Lib/test/test_sysconfig.py
===================================================================
---- Python-3.13.3.orig/Lib/test/test_sysconfig.py 2025-04-08 15:54:08.000000000 +0200
-+++ Python-3.13.3/Lib/test/test_sysconfig.py 2025-04-11 21:52:31.769841915 +0200
+--- Python-3.13.9.orig/Lib/test/test_sysconfig.py 2025-10-14 15:52:31.000000000 +0200
++++ Python-3.13.9/Lib/test/test_sysconfig.py 2025-11-04 17:41:28.521386489 +0100
@@ -130,8 +130,19 @@
for scheme in _INSTALL_SCHEMES:
for name in _INSTALL_SCHEMES[scheme]:
@@ -153,7 +153,7 @@ Index: Python-3.13.3/Lib/test/test_sysconfig.py
os.path.normpath(expected),
)
-@@ -386,7 +397,7 @@
+@@ -393,7 +404,7 @@
self.assertTrue(os.path.isfile(config_h), config_h)
def test_get_scheme_names(self):
@@ -162,7 +162,7 @@ Index: Python-3.13.3/Lib/test/test_sysconfig.py
if HAS_USER_BASE:
wanted.extend(['nt_user', 'osx_framework_user', 'posix_user'])
self.assertEqual(get_scheme_names(), tuple(sorted(wanted)))
-@@ -398,6 +409,8 @@
+@@ -405,6 +416,8 @@
cmd = "-c", "import sysconfig; print(sysconfig.get_platform())"
self.assertEqual(py.call_real(*cmd), py.call_link(*cmd))
diff --git a/doc-py38-to-py36.patch b/doc-py38-to-py36.patch
index 8b10ad3..5389a41 100644
--- a/doc-py38-to-py36.patch
+++ b/doc-py38-to-py36.patch
@@ -27,10 +27,10 @@
Doc/tools/extensions/pydoc_topics.py | 22 +++++-----
18 files changed, 159 insertions(+), 130 deletions(-)
-Index: Python-3.13.5/Doc/Makefile
+Index: Python-3.13.9/Doc/Makefile
===================================================================
---- Python-3.13.5.orig/Doc/Makefile 2025-06-12 21:37:37.257659788 +0200
-+++ Python-3.13.5/Doc/Makefile 2025-06-12 21:38:04.908380762 +0200
+--- Python-3.13.9.orig/Doc/Makefile 2025-10-14 15:52:31.000000000 +0200
++++ Python-3.13.9/Doc/Makefile 2025-11-20 01:09:35.814292408 +0100
@@ -14,15 +14,15 @@
SOURCES =
DISTVERSION = $(shell $(PYTHON) tools/extensions/patchlevel.py)
@@ -51,10 +51,10 @@ Index: Python-3.13.5/Doc/Makefile
$(PAPEROPT_$(PAPER)) \
$(SPHINXOPTS) $(SPHINXERRORHANDLING) \
. build/$(BUILDER) $(SOURCES)
-Index: Python-3.13.5/Doc/c-api/arg.rst
+Index: Python-3.13.9/Doc/c-api/arg.rst
===================================================================
---- Python-3.13.5.orig/Doc/c-api/arg.rst 2025-06-12 21:37:37.257659788 +0200
-+++ Python-3.13.5/Doc/c-api/arg.rst 2025-06-12 21:38:04.908705133 +0200
+--- Python-3.13.9.orig/Doc/c-api/arg.rst 2025-10-14 15:52:31.000000000 +0200
++++ Python-3.13.9/Doc/c-api/arg.rst 2025-11-20 01:07:59.902914275 +0100
@@ -334,7 +334,6 @@
should raise an exception and leave the content of *address* unmodified.
@@ -63,10 +63,10 @@ Index: Python-3.13.5/Doc/c-api/arg.rst
If the *converter* returns :c:macro:`!Py_CLEANUP_SUPPORTED`, it may get called a
second time if the argument parsing eventually fails, giving the converter a
-Index: Python-3.13.5/Doc/c-api/typeobj.rst
+Index: Python-3.13.9/Doc/c-api/typeobj.rst
===================================================================
---- Python-3.13.5.orig/Doc/c-api/typeobj.rst 2025-06-12 21:37:37.257659788 +0200
-+++ Python-3.13.5/Doc/c-api/typeobj.rst 2025-06-12 21:38:04.908874058 +0200
+--- Python-3.13.9.orig/Doc/c-api/typeobj.rst 2025-10-14 15:52:31.000000000 +0200
++++ Python-3.13.9/Doc/c-api/typeobj.rst 2025-11-20 01:07:59.903382829 +0100
@@ -610,7 +610,7 @@
Functions like :c:func:`PyObject_NewVar` will take the value of N as an
argument, and store in the instance's :c:member:`~PyVarObject.ob_size` field.
@@ -97,10 +97,10 @@ Index: Python-3.13.5/Doc/c-api/typeobj.rst
include :c:type:`PyObject` or :c:type:`PyVarObject` (depending on
whether :c:member:`~PyVarObject.ob_size` should be included). These are
usually defined by the macro :c:macro:`PyObject_HEAD` or
-Index: Python-3.13.5/Doc/conf.py
+Index: Python-3.13.9/Doc/conf.py
===================================================================
---- Python-3.13.5.orig/Doc/conf.py 2025-06-12 21:37:37.257659788 +0200
-+++ Python-3.13.5/Doc/conf.py 2025-06-12 21:38:04.909609597 +0200
+--- Python-3.13.9.orig/Doc/conf.py 2025-11-20 01:07:14.944126757 +0100
++++ Python-3.13.9/Doc/conf.py 2025-11-20 01:07:59.903974303 +0100
@@ -11,6 +11,8 @@
from importlib import import_module
from importlib.util import find_spec
@@ -136,7 +136,7 @@ Index: Python-3.13.5/Doc/conf.py
# Create table of contents entries for domain objects (e.g. functions, classes,
# attributes, etc.). Default is True.
-@@ -323,6 +325,9 @@
+@@ -257,6 +259,9 @@
# Avoid a warning with Sphinx >= 4.0
root_doc = 'contents'
@@ -146,7 +146,7 @@ Index: Python-3.13.5/Doc/conf.py
# Allow translation of index directives
gettext_additional_targets = [
'index',
-@@ -362,7 +367,7 @@
+@@ -296,7 +301,7 @@
# (See .readthedocs.yml and https://docs.readthedocs.io/en/stable/reference/environment-variables.html)
is_deployment_preview = os.getenv("READTHEDOCS_VERSION_TYPE") == "external"
repository_url = os.getenv("READTHEDOCS_GIT_CLONE_URL", "")
@@ -172,22 +172,22 @@ Index: Python-3.13.5/Doc/conf.py
# Options for c_annotations extension
# -----------------------------------
-Index: Python-3.13.5/Doc/library/doctest.rst
+Index: Python-3.13.9/Doc/library/doctest.rst
===================================================================
---- Python-3.13.5.orig/Doc/library/doctest.rst 2025-06-12 21:37:37.257659788 +0200
-+++ Python-3.13.5/Doc/library/doctest.rst 2025-06-12 21:38:04.909944989 +0200
-@@ -308,7 +308,6 @@
- searched. Objects imported into the module are not searched.
+--- Python-3.13.9.orig/Doc/library/doctest.rst 2025-10-14 15:52:31.000000000 +0200
++++ Python-3.13.9/Doc/library/doctest.rst 2025-11-20 01:07:59.904511686 +0100
+@@ -310,7 +310,6 @@
+ .. currentmodule:: None
.. attribute:: module.__test__
- :no-typesetting:
- In addition, there are cases when you want tests to be part of a module but not part
- of the help text, which requires that the tests not be included in the docstring.
-Index: Python-3.13.5/Doc/library/email.compat32-message.rst
+ .. currentmodule:: doctest
+
+Index: Python-3.13.9/Doc/library/email.compat32-message.rst
===================================================================
---- Python-3.13.5.orig/Doc/library/email.compat32-message.rst 2025-06-12 21:37:37.257659788 +0200
-+++ Python-3.13.5/Doc/library/email.compat32-message.rst 2025-06-12 21:38:04.910320877 +0200
+--- Python-3.13.9.orig/Doc/library/email.compat32-message.rst 2025-10-14 15:52:31.000000000 +0200
++++ Python-3.13.9/Doc/library/email.compat32-message.rst 2025-11-20 01:07:59.905009154 +0100
@@ -7,7 +7,6 @@
:synopsis: The base class representing email messages in a fashion
backward compatible with Python 3.2
@@ -196,11 +196,11 @@ Index: Python-3.13.5/Doc/library/email.compat32-message.rst
The :class:`Message` class is very similar to the
-Index: Python-3.13.5/Doc/library/xml.etree.elementtree.rst
+Index: Python-3.13.9/Doc/library/xml.etree.elementtree.rst
===================================================================
---- Python-3.13.5.orig/Doc/library/xml.etree.elementtree.rst 2025-06-12 21:37:37.257659788 +0200
-+++ Python-3.13.5/Doc/library/xml.etree.elementtree.rst 2025-06-12 21:38:04.910594893 +0200
-@@ -874,7 +874,6 @@
+--- Python-3.13.9.orig/Doc/library/xml.etree.elementtree.rst 2025-10-14 15:52:31.000000000 +0200
++++ Python-3.13.9/Doc/library/xml.etree.elementtree.rst 2025-11-20 01:07:59.905273001 +0100
+@@ -873,7 +873,6 @@
.. module:: xml.etree.ElementTree
:noindex:
@@ -208,10 +208,10 @@ Index: Python-3.13.5/Doc/library/xml.etree.elementtree.rst
.. class:: Element(tag, attrib={}, **extra)
-Index: Python-3.13.5/Doc/tools/check-warnings.py
+Index: Python-3.13.9/Doc/tools/check-warnings.py
===================================================================
---- Python-3.13.5.orig/Doc/tools/check-warnings.py 2025-06-12 21:37:37.257659788 +0200
-+++ Python-3.13.5/Doc/tools/check-warnings.py 2025-06-12 21:38:04.910896050 +0200
+--- Python-3.13.9.orig/Doc/tools/check-warnings.py 2025-10-14 15:52:31.000000000 +0200
++++ Python-3.13.9/Doc/tools/check-warnings.py 2025-11-20 01:07:59.905613002 +0100
@@ -228,7 +228,8 @@
print(filename)
for warning in warnings:
@@ -231,10 +231,10 @@ Index: Python-3.13.5/Doc/tools/check-warnings.py
for warning in warnings
if "Doc/" in warning
}
-Index: Python-3.13.5/Doc/tools/extensions/audit_events.py
+Index: Python-3.13.9/Doc/tools/extensions/audit_events.py
===================================================================
---- Python-3.13.5.orig/Doc/tools/extensions/audit_events.py 2025-06-12 21:37:37.257659788 +0200
-+++ Python-3.13.5/Doc/tools/extensions/audit_events.py 2025-06-12 21:38:04.911151491 +0200
+--- Python-3.13.9.orig/Doc/tools/extensions/audit_events.py 2025-10-14 15:52:31.000000000 +0200
++++ Python-3.13.9/Doc/tools/extensions/audit_events.py 2025-11-20 01:08:35.819222654 +0100
@@ -1,9 +1,6 @@
"""Support for documenting audit events."""
@@ -370,10 +370,10 @@ Index: Python-3.13.5/Doc/tools/extensions/audit_events.py
) -> nodes.row:
row = nodes.row()
name_node = nodes.paragraph("", nodes.Text(name))
-Index: Python-3.13.5/Doc/tools/extensions/availability.py
+Index: Python-3.13.9/Doc/tools/extensions/availability.py
===================================================================
---- Python-3.13.5.orig/Doc/tools/extensions/availability.py 2025-06-12 21:37:37.257659788 +0200
-+++ Python-3.13.5/Doc/tools/extensions/availability.py 2025-06-12 21:38:04.911376735 +0200
+--- Python-3.13.9.orig/Doc/tools/extensions/availability.py 2025-10-14 15:52:31.000000000 +0200
++++ Python-3.13.9/Doc/tools/extensions/availability.py 2025-11-20 01:07:59.906156697 +0100
@@ -1,8 +1,6 @@
"""Support for documenting platform availability"""
@@ -427,10 +427,10 @@ Index: Python-3.13.5/Doc/tools/extensions/availability.py
app.add_directive("availability", Availability)
return {
-Index: Python-3.13.5/Doc/tools/extensions/c_annotations.py
+Index: Python-3.13.9/Doc/tools/extensions/c_annotations.py
===================================================================
---- Python-3.13.5.orig/Doc/tools/extensions/c_annotations.py 2025-06-12 21:37:37.257659788 +0200
-+++ Python-3.13.5/Doc/tools/extensions/c_annotations.py 2025-06-12 21:38:04.911575881 +0200
+--- Python-3.13.9.orig/Doc/tools/extensions/c_annotations.py 2025-10-14 15:52:31.000000000 +0200
++++ Python-3.13.9/Doc/tools/extensions/c_annotations.py 2025-11-20 01:07:59.906354780 +0100
@@ -9,22 +9,26 @@
* Set ``stable_abi_file`` to the path to stable ABI list.
"""
@@ -568,10 +568,10 @@ Index: Python-3.13.5/Doc/tools/extensions/c_annotations.py
return {
"version": "1.0",
"parallel_read_safe": True,
-Index: Python-3.13.5/Doc/tools/extensions/changes.py
+Index: Python-3.13.9/Doc/tools/extensions/changes.py
===================================================================
---- Python-3.13.5.orig/Doc/tools/extensions/changes.py 2025-06-12 21:37:37.257659788 +0200
-+++ Python-3.13.5/Doc/tools/extensions/changes.py 2025-06-12 21:38:04.911758715 +0200
+--- Python-3.13.9.orig/Doc/tools/extensions/changes.py 2025-10-14 15:52:31.000000000 +0200
++++ Python-3.13.9/Doc/tools/extensions/changes.py 2025-11-20 01:07:59.906539198 +0100
@@ -1,7 +1,5 @@
"""Support for documenting version of changes, additions, deprecations."""
@@ -607,10 +607,10 @@ Index: Python-3.13.5/Doc/tools/extensions/changes.py
# Override Sphinx's directives with support for 'next'
app.add_directive("versionadded", PyVersionChange, override=True)
app.add_directive("versionchanged", PyVersionChange, override=True)
-Index: Python-3.13.5/Doc/tools/extensions/glossary_search.py
+Index: Python-3.13.9/Doc/tools/extensions/glossary_search.py
===================================================================
---- Python-3.13.5.orig/Doc/tools/extensions/glossary_search.py 2025-06-12 21:37:37.257659788 +0200
-+++ Python-3.13.5/Doc/tools/extensions/glossary_search.py 2025-06-12 21:38:04.911907976 +0200
+--- Python-3.13.9.orig/Doc/tools/extensions/glossary_search.py 2025-10-14 15:52:31.000000000 +0200
++++ Python-3.13.9/Doc/tools/extensions/glossary_search.py 2025-11-20 01:07:59.906696224 +0100
@@ -1,21 +1,27 @@
"""Feature search results for glossary items prominently."""
@@ -654,10 +654,10 @@ Index: Python-3.13.5/Doc/tools/extensions/glossary_search.py
app.connect('doctree-resolved', process_glossary_nodes)
app.connect('build-finished', write_glossary_json)
-Index: Python-3.13.5/Doc/tools/extensions/implementation_detail.py
+Index: Python-3.13.9/Doc/tools/extensions/implementation_detail.py
===================================================================
---- Python-3.13.5.orig/Doc/tools/extensions/implementation_detail.py 2025-06-12 21:37:37.257659788 +0200
-+++ Python-3.13.5/Doc/tools/extensions/implementation_detail.py 2025-06-12 21:38:04.912061736 +0200
+--- Python-3.13.9.orig/Doc/tools/extensions/implementation_detail.py 2025-10-14 15:52:31.000000000 +0200
++++ Python-3.13.9/Doc/tools/extensions/implementation_detail.py 2025-11-20 01:07:59.906853200 +0100
@@ -1,17 +1,10 @@
"""Support for marking up implementation details."""
@@ -708,10 +708,10 @@ Index: Python-3.13.5/Doc/tools/extensions/implementation_detail.py
app.add_directive("impl-detail", ImplementationDetail)
return {
-Index: Python-3.13.5/Doc/tools/extensions/issue_role.py
+Index: Python-3.13.9/Doc/tools/extensions/issue_role.py
===================================================================
---- Python-3.13.5.orig/Doc/tools/extensions/issue_role.py 2025-06-12 21:37:37.257659788 +0200
-+++ Python-3.13.5/Doc/tools/extensions/issue_role.py 2025-06-12 21:38:04.912236134 +0200
+--- Python-3.13.9.orig/Doc/tools/extensions/issue_role.py 2025-10-14 15:52:31.000000000 +0200
++++ Python-3.13.9/Doc/tools/extensions/issue_role.py 2025-11-20 01:07:59.907010386 +0100
@@ -1,22 +1,18 @@
"""Support for referencing issues in the tracker."""
@@ -757,10 +757,10 @@ Index: Python-3.13.5/Doc/tools/extensions/issue_role.py
app.add_role("issue", BPOIssue())
app.add_role("gh", GitHubIssue())
-Index: Python-3.13.5/Doc/tools/extensions/misc_news.py
+Index: Python-3.13.9/Doc/tools/extensions/misc_news.py
===================================================================
---- Python-3.13.5.orig/Doc/tools/extensions/misc_news.py 2025-06-12 21:37:37.257659788 +0200
-+++ Python-3.13.5/Doc/tools/extensions/misc_news.py 2025-06-12 21:38:04.912390144 +0200
+--- Python-3.13.9.orig/Doc/tools/extensions/misc_news.py 2025-10-14 15:52:31.000000000 +0200
++++ Python-3.13.9/Doc/tools/extensions/misc_news.py 2025-11-20 01:07:59.907170899 +0100
@@ -1,7 +1,5 @@
"""Support for including Misc/NEWS."""
@@ -813,10 +813,10 @@ Index: Python-3.13.5/Doc/tools/extensions/misc_news.py
app.add_directive("miscnews", MiscNews)
return {
-Index: Python-3.13.5/Doc/tools/extensions/patchlevel.py
+Index: Python-3.13.9/Doc/tools/extensions/patchlevel.py
===================================================================
---- Python-3.13.5.orig/Doc/tools/extensions/patchlevel.py 2025-06-12 21:37:37.257659788 +0200
-+++ Python-3.13.5/Doc/tools/extensions/patchlevel.py 2025-06-12 21:38:04.912563631 +0200
+--- Python-3.13.9.orig/Doc/tools/extensions/patchlevel.py 2025-10-14 15:52:31.000000000 +0200
++++ Python-3.13.9/Doc/tools/extensions/patchlevel.py 2025-11-20 01:07:59.907494228 +0100
@@ -3,7 +3,7 @@
import re
import sys
@@ -854,10 +854,10 @@ Index: Python-3.13.5/Doc/tools/extensions/patchlevel.py
version = f"{info.major}.{info.minor}"
release = f"{info.major}.{info.minor}.{info.micro}"
if info.releaselevel != "final":
-Index: Python-3.13.5/Doc/tools/extensions/pydoc_topics.py
+Index: Python-3.13.9/Doc/tools/extensions/pydoc_topics.py
===================================================================
---- Python-3.13.5.orig/Doc/tools/extensions/pydoc_topics.py 2025-06-12 21:37:37.257659788 +0200
-+++ Python-3.13.5/Doc/tools/extensions/pydoc_topics.py 2025-06-12 21:38:04.912726688 +0200
+--- Python-3.13.9.orig/Doc/tools/extensions/pydoc_topics.py 2025-10-14 15:52:31.000000000 +0200
++++ Python-3.13.9/Doc/tools/extensions/pydoc_topics.py 2025-11-20 01:07:59.907684617 +0100
@@ -1,21 +1,23 @@
"""Support for building "topic help" for pydoc."""
diff --git a/gh126985-mv-pyvenv.cfg2getpath.patch b/gh126985-mv-pyvenv.cfg2getpath.patch
index d4dace5..810464f 100644
--- a/gh126985-mv-pyvenv.cfg2getpath.patch
+++ b/gh126985-mv-pyvenv.cfg2getpath.patch
@@ -8,10 +8,10 @@ Date: Tue Nov 26 13:46:33 2024 +0000
Lib/test/test_sysconfig.py | 67 ---------------------------------------------
1 file changed, 1 insertion(+), 66 deletions(-)
-Index: Python-3.13.5/Lib/test/test_sysconfig.py
+Index: Python-3.13.9/Lib/test/test_sysconfig.py
===================================================================
---- Python-3.13.5.orig/Lib/test/test_sysconfig.py 2025-06-12 19:55:42.184491497 +0200
-+++ Python-3.13.5/Lib/test/test_sysconfig.py 2025-06-12 19:56:05.737665419 +0200
+--- Python-3.13.9.orig/Lib/test/test_sysconfig.py 2025-11-04 17:41:28.521386489 +0100
++++ Python-3.13.9/Lib/test/test_sysconfig.py 2025-11-04 17:42:36.888243505 +0100
@@ -110,6 +110,7 @@
**venv_create_args,
)
@@ -20,7 +20,7 @@ Index: Python-3.13.5/Lib/test/test_sysconfig.py
def test_get_path_names(self):
self.assertEqual(get_path_names(), sysconfig._SCHEME_KEYS)
-@@ -604,72 +605,6 @@
+@@ -611,72 +612,6 @@
suffix = sysconfig.get_config_var('EXT_SUFFIX')
self.assertTrue(suffix.endswith('-darwin.so'), suffix)
diff --git a/python313.changes b/python313.changes
index 0793f2d..ed8b40c 100644
--- a/python313.changes
+++ b/python313.changes
@@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Tue Nov 4 16:44:05 UTC 2025 - Matej Cepl
+
+- Add CVE-2025-8291-consistency-zip64.patch which checks
+ consistency of the zip64 end of central directory record, and
+ preventing obfuscation of the payload, i.e., you scanning for
+ malicious content in a ZIP file with one ZIP parser (let's say
+ a Rust one) then unpack it in production with another (e.g.,
+ the Python one) and get malicious content that the other parser
+ did not see (CVE-2025-8291, bsc#1251305)
+- Readjust patches while synchronizing between openSUSE and SLE trees:
+ - F00251-change-user-install-location.patch
+ - doc-py38-to-py36.patch
+ - gh126985-mv-pyvenv.cfg2getpath.patch
+
-------------------------------------------------------------------
Wed Oct 15 09:15:38 UTC 2025 - Daniel Garcia
diff --git a/python313.spec b/python313.spec
index 81167a9..f6a745e 100644
--- a/python313.spec
+++ b/python313.spec
@@ -235,6 +235,9 @@ Patch43: bsc1243155-sphinx-non-determinism.patch
Patch44: gh138131-exclude-pycache-from-digest.patch
# PATCH-FIX-OPENSUSE gh139257-Support-docutils-0.22.patch gh#python/cpython#139257 daniel.garcia@suse.com
Patch45: gh139257-Support-docutils-0.22.patch
+# PATCH-FIX-UPSTREAM CVE-2025-8291-consistency-zip64.patch bsc#1251305 mcepl@suse.com
+# Check consistency of the zip64 end of central directory record
+Patch46: CVE-2025-8291-consistency-zip64.patch
BuildRequires: autoconf-archive
BuildRequires: automake
BuildRequires: fdupes