diff --git a/CVE-2023-52425-libexpat-2.6.0-backport-15.6.patch b/CVE-2023-52425-libexpat-2.6.0-backport-15.6.patch
index e0e1ece..c66d943 100644
--- a/CVE-2023-52425-libexpat-2.6.0-backport-15.6.patch
+++ b/CVE-2023-52425-libexpat-2.6.0-backport-15.6.patch
@@ -4,11 +4,11 @@
Lib/test/test_xml_etree.py | 10 ++++++++++
3 files changed, 17 insertions(+)
-Index: Python-3.15.0a1/Lib/test/test_pyexpat.py
+Index: Python-3.15.0a3/Lib/test/test_pyexpat.py
===================================================================
---- Python-3.15.0a1.orig/Lib/test/test_pyexpat.py 2025-10-24 23:53:24.356893960 +0200
-+++ Python-3.15.0a1/Lib/test/test_pyexpat.py 2025-10-24 23:53:50.136311340 +0200
-@@ -843,6 +843,10 @@
+--- Python-3.15.0a3.orig/Lib/test/test_pyexpat.py 2025-12-16 13:26:12.000000000 +0100
++++ Python-3.15.0a3/Lib/test/test_pyexpat.py 2025-12-19 02:26:33.964969539 +0100
+@@ -860,6 +860,10 @@
self.assertEqual(started, ['doc'])
def test_reparse_deferral_disabled(self):
@@ -19,10 +19,10 @@ Index: Python-3.15.0a1/Lib/test/test_pyexpat.py
started = []
def start_element(name, _):
-Index: Python-3.15.0a1/Lib/test/test_sax.py
+Index: Python-3.15.0a3/Lib/test/test_sax.py
===================================================================
---- Python-3.15.0a1.orig/Lib/test/test_sax.py 2025-10-24 23:53:24.425039914 +0200
-+++ Python-3.15.0a1/Lib/test/test_sax.py 2025-10-24 23:53:50.136951370 +0200
+--- Python-3.15.0a3.orig/Lib/test/test_sax.py 2025-12-16 13:26:12.000000000 +0100
++++ Python-3.15.0a3/Lib/test/test_sax.py 2025-12-19 02:26:33.966048947 +0100
@@ -1241,6 +1241,9 @@
self.assertEqual(result.getvalue(), start + b"")
@@ -33,10 +33,10 @@ Index: Python-3.15.0a1/Lib/test/test_sax.py
def test_flush_reparse_deferral_disabled(self):
result = BytesIO()
xmlgen = XMLGenerator(result)
-Index: Python-3.15.0a1/Lib/test/test_xml_etree.py
+Index: Python-3.15.0a3/Lib/test/test_xml_etree.py
===================================================================
---- Python-3.15.0a1.orig/Lib/test/test_xml_etree.py 2025-10-24 23:53:24.855327755 +0200
-+++ Python-3.15.0a1/Lib/test/test_xml_etree.py 2025-10-24 23:53:50.137646227 +0200
+--- Python-3.15.0a3.orig/Lib/test/test_xml_etree.py 2025-12-16 13:26:12.000000000 +0100
++++ Python-3.15.0a3/Lib/test/test_xml_etree.py 2025-12-19 02:26:33.966681016 +0100
@@ -138,6 +138,11 @@
return mock.patch.object(cls, "__eq__", autospec=True, wraps=eq)
@@ -49,7 +49,7 @@ Index: Python-3.15.0a1/Lib/test/test_xml_etree.py
def checkwarnings(*filters, quiet=False):
def decorator(test):
def newtest(*args, **kwargs):
-@@ -1547,9 +1552,11 @@
+@@ -1620,9 +1625,11 @@
self.assert_event_tags(parser, [('end', 'root')])
self.assertIsNone(parser.close())
@@ -61,7 +61,7 @@ Index: Python-3.15.0a1/Lib/test/test_xml_etree.py
def test_simple_xml_chunk_5(self):
self.test_simple_xml(chunk_size=5, flush=True)
-@@ -1776,6 +1783,9 @@
+@@ -1849,6 +1856,9 @@
self.assert_event_tags(parser, [('end', 'doc')])
diff --git a/CVE-2025-13836-http-resp-cont-len.patch b/CVE-2025-13836-http-resp-cont-len.patch
deleted file mode 100644
index a390918..0000000
--- a/CVE-2025-13836-http-resp-cont-len.patch
+++ /dev/null
@@ -1,154 +0,0 @@
-From b3a7998115e195c40e00cfa662bcaa899d937c05 Mon Sep 17 00:00:00 2001
-From: Serhiy Storchaka
-Date: Mon, 1 Dec 2025 17:26:07 +0200
-Subject: [PATCH] gh-119451: Fix a potential denial of service in http.client
- (GH-119454)
-
-Reading the whole body of the HTTP response could cause OOM if
-the Content-Length value is too large even if the server does not send
-a large amount of data. Now the HTTP client reads large data by chunks,
-therefore the amount of consumed memory is proportional to the amount
-of sent data.
-(cherry picked from commit 5a4c4a033a4a54481be6870aa1896fad732555b5)
-
-Co-authored-by: Serhiy Storchaka
----
- Lib/http/client.py | 28 +++-
- Lib/test/test_httplib.py | 66 ++++++++++
- Misc/NEWS.d/next/Security/2024-05-23-11-47-48.gh-issue-119451.qkJe9-.rst | 5
- 3 files changed, 95 insertions(+), 4 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Security/2024-05-23-11-47-48.gh-issue-119451.qkJe9-.rst
-
-Index: Python-3.15.0a2/Lib/http/client.py
-===================================================================
---- Python-3.15.0a2.orig/Lib/http/client.py 2025-12-18 22:39:49.435421792 +0100
-+++ Python-3.15.0a2/Lib/http/client.py 2025-12-18 22:40:02.599038188 +0100
-@@ -111,6 +111,11 @@
- _MAXLINE = 65536
- _MAXHEADERS = 100
-
-+# Data larger than this will be read in chunks, to prevent extreme
-+# overallocation.
-+_MIN_READ_BUF_SIZE = 1 << 20
-+
-+
- # Header name/value ABNF (http://tools.ietf.org/html/rfc7230#section-3.2)
- #
- # VCHAR = %x21-7E
-@@ -642,10 +647,25 @@
- reading. If the bytes are truly not available (due to EOF), then the
- IncompleteRead exception can be used to detect the problem.
- """
-- data = self.fp.read(amt)
-- if len(data) < amt:
-- raise IncompleteRead(data, amt-len(data))
-- return data
-+ cursize = min(amt, _MIN_READ_BUF_SIZE)
-+ data = self.fp.read(cursize)
-+ if len(data) >= amt:
-+ return data
-+ if len(data) < cursize:
-+ raise IncompleteRead(data, amt - len(data))
-+
-+ data = io.BytesIO(data)
-+ data.seek(0, 2)
-+ while True:
-+ # This is a geometric increase in read size (never more than
-+ # doubling out the current length of data per loop iteration).
-+ delta = min(cursize, amt - cursize)
-+ data.write(self.fp.read(delta))
-+ if data.tell() >= amt:
-+ return data.getvalue()
-+ cursize += delta
-+ if data.tell() < cursize:
-+ raise IncompleteRead(data.getvalue(), amt - data.tell())
-
- def _safe_readinto(self, b):
- """Same as _safe_read, but for reading into a buffer."""
-Index: Python-3.15.0a2/Lib/test/test_httplib.py
-===================================================================
---- Python-3.15.0a2.orig/Lib/test/test_httplib.py 2025-12-18 22:39:51.081332214 +0100
-+++ Python-3.15.0a2/Lib/test/test_httplib.py 2025-12-18 22:40:02.599675565 +0100
-@@ -1511,6 +1511,72 @@
- thread.join()
- self.assertEqual(result, b"proxied data\n")
-
-+ def test_large_content_length(self):
-+ serv = socket.create_server((HOST, 0))
-+ self.addCleanup(serv.close)
-+
-+ def run_server():
-+ [conn, address] = serv.accept()
-+ with conn:
-+ while conn.recv(1024):
-+ conn.sendall(
-+ b"HTTP/1.1 200 Ok\r\n"
-+ b"Content-Length: %d\r\n"
-+ b"\r\n" % size)
-+ conn.sendall(b'A' * (size//3))
-+ conn.sendall(b'B' * (size - size//3))
-+
-+ thread = threading.Thread(target=run_server)
-+ thread.start()
-+ self.addCleanup(thread.join, 1.0)
-+
-+ conn = client.HTTPConnection(*serv.getsockname())
-+ try:
-+ for w in range(15, 27):
-+ size = 1 << w
-+ conn.request("GET", "/")
-+ with conn.getresponse() as response:
-+ self.assertEqual(len(response.read()), size)
-+ finally:
-+ conn.close()
-+ thread.join(1.0)
-+
-+ def test_large_content_length_truncated(self):
-+ serv = socket.create_server((HOST, 0))
-+ self.addCleanup(serv.close)
-+
-+ def run_server():
-+ while True:
-+ [conn, address] = serv.accept()
-+ with conn:
-+ conn.recv(1024)
-+ if not size:
-+ break
-+ conn.sendall(
-+ b"HTTP/1.1 200 Ok\r\n"
-+ b"Content-Length: %d\r\n"
-+ b"\r\n"
-+ b"Text" % size)
-+
-+ thread = threading.Thread(target=run_server)
-+ thread.start()
-+ self.addCleanup(thread.join, 1.0)
-+
-+ conn = client.HTTPConnection(*serv.getsockname())
-+ try:
-+ for w in range(18, 65):
-+ size = 1 << w
-+ conn.request("GET", "/")
-+ with conn.getresponse() as response:
-+ self.assertRaises(client.IncompleteRead, response.read)
-+ conn.close()
-+ finally:
-+ conn.close()
-+ size = 0
-+ conn.request("GET", "/")
-+ conn.close()
-+ thread.join(1.0)
-+
- def test_putrequest_override_domain_validation(self):
- """
- It should be possible to override the default validation
-Index: Python-3.15.0a2/Misc/NEWS.d/next/Security/2024-05-23-11-47-48.gh-issue-119451.qkJe9-.rst
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ Python-3.15.0a2/Misc/NEWS.d/next/Security/2024-05-23-11-47-48.gh-issue-119451.qkJe9-.rst 2025-12-18 22:40:02.600168090 +0100
-@@ -0,0 +1,5 @@
-+Fix a potential memory denial of service in the :mod:`http.client` module.
-+When connecting to a malicious server, it could cause
-+an arbitrary amount of memory to be allocated.
-+This could have led to symptoms including a :exc:`MemoryError`, swapping, out
-+of memory (OOM) killed processes or containers, or even system crashes.
diff --git a/Python-3.15.0a2.tar.xz b/Python-3.15.0a2.tar.xz
deleted file mode 100644
index b693351..0000000
--- a/Python-3.15.0a2.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d8a0a2f4a7f3d7090cf195e81814efe95f70554955557f40e149d8694a662751
-size 23728836
diff --git a/Python-3.15.0a2.tar.xz.sigstore b/Python-3.15.0a2.tar.xz.sigstore
deleted file mode 100644
index d3439e7..0000000
--- a/Python-3.15.0a2.tar.xz.sigstore
+++ /dev/null
@@ -1 +0,0 @@
-{"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json", "verificationMaterial": {"certificate": {"rawBytes": "MIICzjCCAlSgAwIBAgIUBmylNbQW8lgH3BD7NaD4dsMNkSYwCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjUxMTE5MDk0NDU1WhcNMjUxMTE5MDk1NDU1WjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEi0wghUz8k/UNn7MEg6TwxPsewzYFutTbDMxXxKevJePP7XqFB1UQnLH1GokPltZPyB+l1m4VF5Sy8ZvaF1ClcKOCAXMwggFvMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUFUET7divejslt9ZiyIL0u9SFfBYwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wHQYDVR0RAQH/BBMwEYEPaHVnb0BweXRob24ub3JnMCwGCisGAQQBg78wAQEEHmh0dHBzOi8vZ2l0aHViLmNvbS9sb2dpbi9vYXV0aDAuBgorBgEEAYO/MAEIBCAMHmh0dHBzOi8vZ2l0aHViLmNvbS9sb2dpbi9vYXV0aDCBigYKKwYBBAHWeQIEAgR8BHoAeAB2AN09MGrGxxEyYxkeHJlnNwKiSl643jyt/4eKcoAvKe6OAAABmpuAt6EAAAQDAEcwRQIgE3w20s7OrtGL+zODecqs7H0Smv8KcfaAKYvEdR5XT5oCIQD7Eq3ulu9eBvww92bR9tnW4ghFqkpnDXVU7J7i/yM4vzAKBggqhkjOPQQDAwNoADBlAjBiUgZCSW+Mjhx7RJ+zYdrpTtg8EDMOZHbnXq/RTYvRrh3iKv6E5oH11IgPFn9MmEECMQCZUuUixsdRNihrf8ZrSyuQ9RCMvLg7Y+Gg5eJ8eJjIm+9vtZfkRNtD2SGMOWTKDXY="}, "tlogEntries": [{"logIndex": "708501076", "logId": {"keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="}, "kindVersion": {"kind": "hashedrekord", "version": "0.0.1"}, "integratedTime": "1763545495", "inclusionPromise": {"signedEntryTimestamp": "MEQCIBBFm5zZqaDhf/2WNPlvBVa+hgbqGFDW9pSVGDwT+aMjAiBJWrthkghtaPFH+TYaCwiOpBYvXNql3HltsZ/DsXcV2A=="}, "inclusionProof": {"logIndex": "586596814", "rootHash": "eYRHPRBPrv7VPt0RJ5/Wfp8sctnBIszg6NIaf3GQrfw=", "treeSize": "586596815", "hashes": ["WQXHunKvibcfvQ9ZT6N2rUAkABNdnLQRwa92wR4gX58=", "287rj+EV908dOcox9MDXVe+gnfm6BAolfDJm46eY1Xw=", "cl+YdAs75DrN9x0oB+vn3kgtMfroClWhykZO839ri1Q=", "TAcghz4eEeOn8NMKSy1KOeg9H09f30R8FC+PGof84Oc=", "Ne2M91/psRGlS51Q1/TlubrsVcsm9OnJ3/5dqeXizZc=", "VA3Ony+IuiKE6GaSIUOVU8jfXsw54CyctvI+If9sXdI=", "k17qYjw0FJ9hhgBebiwJG1JJwGYkXslaEFslKgI2FTs=", "7GMOmqHGPgIUD2AGgoZScCiJ5IbZSh18ZlHgKKxnaRo=", 
"/Lh1BYN2nonyxa0Ny6DeXbNUcSJIp2Of2JLKKCxDbUo=", "1Hte46ZYqMjMJtFdJJyTJoXer0VRtOnSa+JEILdAMI8=", "XPOd8yApSEIRvyCps+FG/vNe/n08jAfXlL68srajUQU=", "3TB24c2iSQ7Z4Xrp+12hwHyAJq+0z5oGCREpV9ajoe0=", "E/c5y8qGcENHbLJDyW+YH8tGXlQ+8+Qcg/TJ3j4d/mg=", "bzTJsC7KPkC5dVD2uXRC5gpiYT1DSYoxvShGPXwjLBI=", "f2j1ljMRjwO8o3f9nSp1S8xu26ILehAfUf3wltrZCKU=", "T4DqWD42hAtN+vX8jKCWqoC4meE4JekI9LxYGCcPy1M="], "checkpoint": {"envelope": "rekor.sigstore.dev - 1193050959916656506\n586596815\neYRHPRBPrv7VPt0RJ5/Wfp8sctnBIszg6NIaf3GQrfw=\n\n\u2014 rekor.sigstore.dev wNI9ajBGAiEAt/UvfI7Nr/RIGZXc7idhtGQKiA0lrHTQAk5pKZTsVZ4CIQD9hNwwvtAocNIkXCLnGJ9gtMSWWNpacpxX2c8TKyJ9yQ==\n"}}, "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiJkOGEwYTJmNGE3ZjNkNzA5MGNmMTk1ZTgxODE0ZWZlOTVmNzA1NTQ5NTU1NTdmNDBlMTQ5ZDg2OTRhNjYyNzUxIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FWUNJUURzUXEwMTJUa3FkV3VkTXk2cXBLeURsdUxOVGk1Ry9xS3NVOEtYaU9RMlpBSWhBSnVXSlgxN0FwL0kyU3hIWHFremMrNlZoKzBwUmRySXI0WGhXdHlENXFQcCIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVTjZha05EUVd4VFowRjNTVUpCWjBsVlFtMTViRTVpVVZjNGJHZElNMEpFTjA1aFJEUmtjMDFPYTFOWmQwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RucEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWpSM1NFRlpSRlpSVVVSRmVGWjZZVmRrZW1SSE9YbGFVekZ3WW01U2JBcGpiVEZzV2tkc2FHUkhWWGRJYUdOT1RXcFZlRTFVUlRWTlJHc3dUa1JWTVZkb1kwNU5hbFY0VFZSRk5VMUVhekZPUkZVeFYycEJRVTFHYTNkRmQxbElDa3R2V2tsNmFqQkRRVkZaU1V0dldrbDZhakJFUVZGalJGRm5RVVZwTUhkbmFGVjZPR3N2VlU1dU4wMUZaelpVZDNoUWMyVjNlbGxHZFhSVVlrUk5lRmdLZUV0bGRrcGxVRkEzV0hGR1FqRlZVVzVNU0RGSGIydFFiSFJhVUhsQ0syd3hiVFJXUmpWVGVUaGFkbUZHTVVOc1kwdFBRMEZZVFhkblowWjJUVUUwUndwQk1WVmtSSGRGUWk5M1VVVkJkMGxJWjBSQlZFSm5UbFpJVTFWRlJFUkJTMEpuWjNKQ1owVkdRbEZqUkVGNlFXUkNaMDVXU0ZFMFJVWm5VVlZHVlVWVUNqZGthWFpsYW5Oc2REbGFhWGxKVERCMU9WTkdaa0paZDBoM1dVUldVakJxUWtKbmQwWnZRVlV6T1ZCd2VqRlphMFZhWWpWeFRtcHdTMFpYYVhocE5Ga0tXa1E0ZDBoUldVUldVakJTUVZGSUwwSkNUWGRGV1VWUVlVaFdibUl
3UW5kbFdGSnZZakkwZFdJelNtNU5RM2RIUTJselIwRlJVVUpuTnpoM1FWRkZSUXBJYldnd1pFaENlazlwT0haYU1td3dZVWhXYVV4dFRuWmlVemx6WWpKa2NHSnBPWFpaV0ZZd1lVUkJkVUpuYjNKQ1owVkZRVmxQTDAxQlJVbENRMEZOQ2todGFEQmtTRUo2VDJrNGRsb3liREJoU0ZacFRHMU9kbUpUT1hOaU1tUndZbWs1ZGxsWVZqQmhSRU5DYVdkWlMwdDNXVUpDUVVoWFpWRkpSVUZuVWpnS1FraHZRV1ZCUWpKQlRqQTVUVWR5UjNoNFJYbFplR3RsU0Vwc2JrNTNTMmxUYkRZME0ycDVkQzgwWlV0amIwRjJTMlUyVDBGQlFVSnRjSFZCZERaRlFRcEJRVkZFUVVWamQxSlJTV2RGTTNjeU1ITTNUM0owUjB3cmVrOUVaV054Y3pkSU1GTnRkamhMWTJaaFFVdFpka1ZrVWpWWVZEVnZRMGxSUkRkRmNUTjFDbXgxT1dWQ2RuZDNPVEppVWpsMGJsYzBaMmhHY1d0d2JrUllWbFUzU2pkcEwzbE5OSFo2UVV0Q1oyZHhhR3RxVDFCUlVVUkJkMDV2UVVSQ2JFRnFRbWtLVldkYVExTlhLMDFxYUhnM1Vrb3JlbGxrY25CVWRHYzRSVVJOVDFwSVltNVljUzlTVkZsMlVuSm9NMmxMZGpaRk5XOUlNVEZKWjFCR2JqbE5iVVZGUXdwTlVVTmFWWFZWYVhoelpGSk9hV2h5WmpoYWNsTjVkVkU1VWtOTmRreG5OMWtyUjJjMVpVbzRaVXBxU1cwck9YWjBXbVpyVWs1MFJESlRSMDFQVjFSTENrUllXVDBLTFMwdExTMUZUa1FnUTBWU1ZFbEdTVU5CVkVVdExTMHRMUW89In19fX0="}], "timestampVerificationData": {}}, "messageSignature": {"messageDigest": {"algorithm": "SHA2_256", "digest": "2KCi9Kfz1wkM8ZXoGBTv6V9wVUlVVX9A4UnYaUpmJ1E="}, "signature": "MEYCIQDsQq012TkqdWudMy6qpKyDluLNTi5G/qKsU8KXiOQ2ZAIhAJuWJX17Ap/I2SxHXqkzc+6Vh+0pRdrIr4XhWtyD5qPp"}}
diff --git a/Python-3.15.0a3.tar.xz b/Python-3.15.0a3.tar.xz
new file mode 100644
index 0000000..0653314
--- /dev/null
+++ b/Python-3.15.0a3.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6ab02cdac24505779877bb1d9189432d67e90ddf2a9b8b7b373ead54ac07b607
+size 34723712
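Review bot: Nothing visible in this diff verifies the new tarball against the `Python-3.15.0a3.tar.xz.sigstore` bundle added next to it, so the bundle only adds assurance if the fetch or build step checks it; the spec file is not shown here, so this may already happen. The pinned `oid sha256:` value does match the SHA-256 digest recorded in that bundle's `messageSignature` and hashedrekord entry, so the two files agree with each other. The recorded size also grows from 23728836 bytes (removed a2 pointer) to 34723712 bytes, which is worth comparing against the upstream release listing before accepting. If no check exists yet, one could be documented as `python3 -m sigstore verify identity --bundle Python-3.15.0a3.tar.xz.sigstore --cert-identity <RELEASE_MANAGER_IDENTITY> --cert-oidc-issuer <OIDC_ISSUER> Python-3.15.0a3.tar.xz`, with the identity and issuer pinned to the expected release manager rather than read back from the bundle.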
diff --git a/Python-3.15.0a3.tar.xz.sigstore b/Python-3.15.0a3.tar.xz.sigstore
new file mode 100644
index 0000000..cbe3fc3
--- /dev/null
+++ b/Python-3.15.0a3.tar.xz.sigstore
@@ -0,0 +1 @@
+{"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json", "verificationMaterial": {"certificate": {"rawBytes": "MIICzjCCAlOgAwIBAgIUWGdIw6jkonGGlxTefVWR5dycYMUwCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjUxMjE2MTQzNDE1WhcNMjUxMjE2MTQ0NDE1WjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEMeXAUdFRAMUwkol7S3TfLRDGSmTBLxrIQ3KpDiKGHVX13ZTBQwnQnTwV+sIwP787IJZHObALFx34l925AS5oSKOCAXIwggFuMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQU1KEmc4ZWtSbp0HrR7xEl632FVQEwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wHQYDVR0RAQH/BBMwEYEPaHVnb0BweXRob24ub3JnMCwGCisGAQQBg78wAQEEHmh0dHBzOi8vZ2l0aHViLmNvbS9sb2dpbi9vYXV0aDAuBgorBgEEAYO/MAEIBCAMHmh0dHBzOi8vZ2l0aHViLmNvbS9sb2dpbi9vYXV0aDCBiQYKKwYBBAHWeQIEAgR7BHkAdwB1AN09MGrGxxEyYxkeHJlnNwKiSl643jyt/4eKcoAvKe6OAAABmyeVUi8AAAQDAEYwRAIgeNcEmGEuUlpapxVCjn9ssKb5U0FKgDx1cACe+m//GqwCIHaMa36eZ/5Ov9IQNyTUkm0bquaYWBvG5iGXMccaNkI+MAoGCCqGSM49BAMDA2kAMGYCMQDE+zTm1YaPVjKhhV7UrybXV88rHo7p1wedZglYz/WTQ6tdfXmeWXd4XcY8qvdMXxECMQCKipA6iUBoyWfYxM9wwNk1R0+YPpDvApKpuKcJssq7UBMH+qsVU2mYROAeVI/cTUc="}, "tlogEntries": [{"logIndex": "767379108", "logId": {"keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="}, "kindVersion": {"kind": "hashedrekord", "version": "0.0.1"}, "integratedTime": "1765895656", "inclusionPromise": {"signedEntryTimestamp": "MEYCIQC/gr68tewjyDayVY1YgkSx3wyJr1gDp9niugBN6CuI3QIhAI+AI17ZFMXpBHbN6nqzRRSF3gkcOFeiztd/ddPiR3Qr"}, "inclusionProof": {"logIndex": "645474846", "rootHash": "+7pvZSc1vkrbz1NYkRJTW6ebJVNEKnBbysMwrYfqBBw=", "treeSize": "645474850", "hashes": ["3IExMYCGoBe2wYmaUDFh/NwM9Yfz+YqErksZ9FiJMdU=", "5OlXK7CbwTpuOXJUjRBnsTRYTjVw1n5Yy8FU5TBL0XA=", "k7H5SO2fy1fisX7nQuhceTTJDt+OYrkbDLi4yA4s8x8=", "OUxbxHF4gP/nb0YaEJsiu5bD9WwjbSKIysm29uO2Wg8=", "xhz07XLYNXp0QZ6l+zMHq2ou8fUvEBzrXHj5p8bhW0w=", "TBrb22/2hnzqPGPgryvf9E/XySk6biXtuETjbuLr4iQ=", "XXiywYiYcfd6pMWvLjChESCzRvayGZ5Ga9vLoivArTc=", "6ymuOfiti8iWpSzihumjs587leNSK8iia3j2fQWYQvQ=", 
"x/rIPkrAoE9rz9kw44ofjWopN9MMV2UwNq4ZZxyk6gA=", "Jx3nGngq60bR51zwd8OmKd+Jv0wh/mwftjiOc6qQXgo=", "1Vd3rUmNolkFfJocF+ehhHicx+XZCI1oORVzpl1WD3k=", "STJBwmMYjQL7nNE7RtmufqTzKydDq3utsDtdFqjV83Q=", "volnUoGNFpLYblGf83KDzlbqdAQlS0WvwWzyZgIHQjo=", "1j4lDTV8P+GITn6Cn5v42uy3JK42BtPmPkJMt5IcMy0=", "X6vkxz0poxK2DIlRur/7LbEdz3iDXj5QY/gLk/ewXjA=", "ZmUkYkHBy1B723JrEgiKvepTdHYrP6y2a4oODYvi5VY=", "T4DqWD42hAtN+vX8jKCWqoC4meE4JekI9LxYGCcPy1M="], "checkpoint": {"envelope": "rekor.sigstore.dev - 1193050959916656506\n645474850\n+7pvZSc1vkrbz1NYkRJTW6ebJVNEKnBbysMwrYfqBBw=\n\n\u2014 rekor.sigstore.dev wNI9ajBDAh8xrHp05yLv6Q/03Lpwf+xo601cjQSlyFVx6fhX4g6QAiAHV2ukAWeKPX30txbAW2ymQCsMCjyaxXVyMi5ohj7Dvg==\n"}}, "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI2YWIwMmNkYWMyNDUwNTc3OTg3N2JiMWQ5MTg5NDMyZDY3ZTkwZGRmMmE5YjhiN2IzNzNlYWQ1NGFjMDdiNjA3In19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FUUNJQ0hPTThHQjNyZFVTZTZzSFNMLzZWeDE3TkVabmlqRG1qZ2tVdXdDS0xuYkFpQU54VFdKRFk4dmhhVEF2NDVpWFlDM0dvTjl6RDVtYllpdUFkM3FockN2MGc9PSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVTjZha05EUVd4UFowRjNTVUpCWjBsVlYwZGtTWGMyYW10dmJrZEhiSGhVWldaV1YxSTFaSGxqV1UxVmQwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RucEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWpSM1NFRlpSRlpSVVVSRmVGWjZZVmRrZW1SSE9YbGFVekZ3WW01U2JBcGpiVEZzV2tkc2FHUkhWWGRJYUdOT1RXcFZlRTFxUlRKTlZGRjZUa1JGTVZkb1kwNU5hbFY0VFdwRk1rMVVVVEJPUkVVeFYycEJRVTFHYTNkRmQxbElDa3R2V2tsNmFqQkRRVkZaU1V0dldrbDZhakJFUVZGalJGRm5RVVZOWlZoQlZXUkdVa0ZOVlhkcmIydzNVek5VWmt4U1JFZFRiVlJDVEhoeVNWRXpTM0FLUkdsTFIwaFdXREV6V2xSQ1VYZHVVVzVVZDFZcmMwbDNVRGM0TjBsS1draFBZa0ZNUm5nek5HdzVNalZCVXpWdlUwdFBRMEZZU1hkblowWjFUVUUwUndwQk1WVmtSSGRGUWk5M1VVVkJkMGxJWjBSQlZFSm5UbFpJVTFWRlJFUkJTMEpuWjNKQ1owVkdRbEZqUkVGNlFXUkNaMDVXU0ZFMFJVWm5VVlV4UzBWdENtTTBXbGQwVTJKd01FaHlVamQ0Uld3Mk16SkdWbEZGZDBoM1dVUldVakJxUWtKbmQwWnZRVlV6T1ZCd2VqRlphMFZhWWpWeFRtcHdTMFpYYVhocE5Ga0tXa1E0ZDB
oUldVUldVakJTUVZGSUwwSkNUWGRGV1VWUVlVaFdibUl3UW5kbFdGSnZZakkwZFdJelNtNU5RM2RIUTJselIwRlJVVUpuTnpoM1FWRkZSUXBJYldnd1pFaENlazlwT0haYU1td3dZVWhXYVV4dFRuWmlVemx6WWpKa2NHSnBPWFpaV0ZZd1lVUkJkVUpuYjNKQ1owVkZRVmxQTDAxQlJVbENRMEZOQ2todGFEQmtTRUo2VDJrNGRsb3liREJoU0ZacFRHMU9kbUpUT1hOaU1tUndZbWs1ZGxsWVZqQmhSRU5DYVZGWlMwdDNXVUpDUVVoWFpWRkpSVUZuVWpjS1FraHJRV1IzUWpGQlRqQTVUVWR5UjNoNFJYbFplR3RsU0Vwc2JrNTNTMmxUYkRZME0ycDVkQzgwWlV0amIwRjJTMlUyVDBGQlFVSnRlV1ZXVldrNFFRcEJRVkZFUVVWWmQxSkJTV2RsVG1ORmJVZEZkVlZzY0dGd2VGWkRhbTQ1YzNOTFlqVlZNRVpMWjBSNE1XTkJRMlVyYlM4dlIzRjNRMGxJWVUxaE16WmxDbG92TlU5Mk9VbFJUbmxVVld0dE1HSnhkV0ZaVjBKMlJ6VnBSMWhOWTJOaFRtdEpLMDFCYjBkRFEzRkhVMDAwT1VKQlRVUkJNbXRCVFVkWlEwMVJSRVVLSzNwVWJURlpZVkJXYWt0b2FGWTNWWEo1WWxoV09EaHlTRzgzY0RGM1pXUmFaMnhaZWk5WFZGRTJkR1JtV0cxbFYxaGtORmhqV1RoeGRtUk5XSGhGUXdwTlVVTkxhWEJCTm1sVlFtOTVWMlpaZUUwNWQzZE9hekZTTUN0WlVIQkVka0Z3UzNCMVMyTktjM054TjFWQ1RVZ3JjWE5XVlRKdFdWSlBRV1ZXU1M5akNsUlZZejBLTFMwdExTMUZUa1FnUTBWU1ZFbEdTVU5CVkVVdExTMHRMUW89In19fX0="}], "timestampVerificationData": {}}, "messageSignature": {"messageDigest": {"algorithm": "SHA2_256", "digest": "arAs2sJFBXeYd7sdkYlDLWfpDd8qm4t7Nz6tVKwHtgc="}, "signature": "MEQCICHOM8GB3rdUSe6sHSL/6Vx17NEZnijDmjgkUuwCKLnbAiANxTWJDY8vhaTAv45iXYC3GoN9zD5mbYiuAd3qhrCv0g=="}}
diff --git a/bpo-31046_ensurepip_honours_prefix.patch b/bpo-31046_ensurepip_honours_prefix.patch
index 6c317b5..f481098 100644
--- a/bpo-31046_ensurepip_honours_prefix.patch
+++ b/bpo-31046_ensurepip_honours_prefix.patch
@@ -13,11 +13,11 @@ Co-Authored-By: Xavier de Gaye
5 files changed, 37 insertions(+), 9 deletions(-)
create mode 100644 Misc/NEWS.d/next/Build/2019-12-16-17-50-42.bpo-31046.XA-Qfr.rst
-Index: Python-3.15.0a1/Doc/library/ensurepip.rst
+Index: Python-3.15.0a3/Doc/library/ensurepip.rst
===================================================================
---- Python-3.15.0a1.orig/Doc/library/ensurepip.rst 2025-10-14 12:46:08.000000000 +0200
-+++ Python-3.15.0a1/Doc/library/ensurepip.rst 2025-10-24 23:53:43.587408643 +0200
-@@ -61,7 +61,11 @@
+--- Python-3.15.0a3.orig/Doc/library/ensurepip.rst 2025-12-16 13:26:12.000000000 +0100
++++ Python-3.15.0a3/Doc/library/ensurepip.rst 2025-12-19 02:25:25.531895542 +0100
+@@ -65,7 +65,11 @@
By default, ``pip`` is installed into the current virtual environment
(if one is active) or into the system site packages (if there is no
active virtual environment). The installation location can be controlled
@@ -30,7 +30,7 @@ Index: Python-3.15.0a1/Doc/library/ensurepip.rst
.. option:: --root
-@@ -102,7 +106,7 @@
+@@ -106,7 +110,7 @@
Returns a string specifying the available version of pip that will be
installed when bootstrapping an environment.
@@ -39,7 +39,7 @@ Index: Python-3.15.0a1/Doc/library/ensurepip.rst
altinstall=False, default_pip=False, \
verbosity=0)
-@@ -112,6 +116,8 @@
+@@ -116,6 +120,8 @@
If *root* is ``None``, then installation uses the default install location
for the current environment.
@@ -48,7 +48,7 @@ Index: Python-3.15.0a1/Doc/library/ensurepip.rst
*upgrade* indicates whether or not to upgrade an existing installation
of an earlier version of ``pip`` to the available version.
-@@ -132,6 +138,8 @@
+@@ -136,6 +142,8 @@
*verbosity* controls the level of output to :data:`sys.stdout` from the
bootstrapping operation.
@@ -57,10 +57,10 @@ Index: Python-3.15.0a1/Doc/library/ensurepip.rst
.. audit-event:: ensurepip.bootstrap root ensurepip.bootstrap
.. note::
-Index: Python-3.15.0a1/Lib/ensurepip/__init__.py
+Index: Python-3.15.0a3/Lib/ensurepip/__init__.py
===================================================================
---- Python-3.15.0a1.orig/Lib/ensurepip/__init__.py 2025-10-24 23:53:22.118065622 +0200
-+++ Python-3.15.0a1/Lib/ensurepip/__init__.py 2025-10-24 23:53:43.587899003 +0200
+--- Python-3.15.0a3.orig/Lib/ensurepip/__init__.py 2025-12-19 02:25:10.205902876 +0100
++++ Python-3.15.0a3/Lib/ensurepip/__init__.py 2025-12-19 02:25:25.532348886 +0100
@@ -106,27 +106,27 @@
os.environ['PIP_CONFIG_FILE'] = os.devnull
@@ -123,10 +123,10 @@ Index: Python-3.15.0a1/Lib/ensurepip/__init__.py
upgrade=args.upgrade,
user=args.user,
verbosity=args.verbosity,
-Index: Python-3.15.0a1/Lib/test/test_ensurepip.py
+Index: Python-3.15.0a3/Lib/test/test_ensurepip.py
===================================================================
---- Python-3.15.0a1.orig/Lib/test/test_ensurepip.py 2025-10-24 23:53:23.546712597 +0200
-+++ Python-3.15.0a1/Lib/test/test_ensurepip.py 2025-10-24 23:53:43.588286136 +0200
+--- Python-3.15.0a3.orig/Lib/test/test_ensurepip.py 2025-12-19 02:25:11.631602338 +0100
++++ Python-3.15.0a3/Lib/test/test_ensurepip.py 2025-12-19 02:25:25.532817735 +0100
@@ -105,6 +105,17 @@
unittest.mock.ANY,
)
@@ -145,11 +145,11 @@ Index: Python-3.15.0a1/Lib/test/test_ensurepip.py
def test_bootstrapping_with_user(self):
ensurepip.bootstrap(user=True)
-Index: Python-3.15.0a1/Makefile.pre.in
+Index: Python-3.15.0a3/Makefile.pre.in
===================================================================
---- Python-3.15.0a1.orig/Makefile.pre.in 2025-10-24 23:53:39.419910772 +0200
-+++ Python-3.15.0a1/Makefile.pre.in 2025-10-24 23:53:43.588889640 +0200
-@@ -2378,7 +2378,7 @@
+--- Python-3.15.0a3.orig/Makefile.pre.in 2025-12-19 02:25:24.201299566 +0100
++++ Python-3.15.0a3/Makefile.pre.in 2025-12-19 02:25:25.533184405 +0100
+@@ -2389,7 +2389,7 @@
install|*) ensurepip="" ;; \
esac; \
$(RUNSHARED) $(PYTHON_FOR_BUILD) -m ensurepip \
@@ -158,7 +158,7 @@ Index: Python-3.15.0a1/Makefile.pre.in
fi
.PHONY: altinstall
-@@ -2389,7 +2389,7 @@
+@@ -2400,7 +2400,7 @@
install|*) ensurepip="--altinstall" ;; \
esac; \
$(RUNSHARED) $(PYTHON_FOR_BUILD) -m ensurepip \
@@ -167,9 +167,9 @@ Index: Python-3.15.0a1/Makefile.pre.in
fi
.PHONY: commoninstall
-Index: Python-3.15.0a1/Misc/NEWS.d/next/Build/2019-12-16-17-50-42.bpo-31046.XA-Qfr.rst
+Index: Python-3.15.0a3/Misc/NEWS.d/next/Build/2019-12-16-17-50-42.bpo-31046.XA-Qfr.rst
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ Python-3.15.0a1/Misc/NEWS.d/next/Build/2019-12-16-17-50-42.bpo-31046.XA-Qfr.rst 2025-10-24 23:53:43.589498870 +0200
++++ Python-3.15.0a3/Misc/NEWS.d/next/Build/2019-12-16-17-50-42.bpo-31046.XA-Qfr.rst 2025-12-19 02:25:25.534506792 +0100
@@ -0,0 +1 @@
+A directory prefix can now be specified when using :mod:`ensurepip`.
diff --git a/gh139257-Support-docutils-0.22.patch b/gh139257-Support-docutils-0.22.patch
index cdbaf5b..28544d2 100644
--- a/gh139257-Support-docutils-0.22.patch
+++ b/gh139257-Support-docutils-0.22.patch
@@ -4,17 +4,18 @@ Date: Tue, 23 Sep 2025 10:20:16 +0200
Subject: [PATCH 1/2] gh-139257: Support docutils >= 0.22
---
- Doc/tools/extensions/pyspecific.py | 12 +++++++++++-
- 1 file changed, 11 insertions(+), 1 deletion(-)
+ Doc/tools/extensions/pyspecific.py | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
-Index: Python-3.15.0a1/Doc/tools/extensions/pyspecific.py
+Index: Python-3.15.0a3/Doc/tools/extensions/pyspecific.py
===================================================================
---- Python-3.15.0a1.orig/Doc/tools/extensions/pyspecific.py 2025-10-14 12:46:08.000000000 +0200
-+++ Python-3.15.0a1/Doc/tools/extensions/pyspecific.py 2025-10-24 23:55:02.700550007 +0200
-@@ -25,11 +25,21 @@
+--- Python-3.15.0a3.orig/Doc/tools/extensions/pyspecific.py 2025-12-16 13:26:12.000000000 +0100
++++ Python-3.15.0a3/Doc/tools/extensions/pyspecific.py 2025-12-19 02:27:34.493094269 +0100
+@@ -24,6 +24,24 @@
+ # Used in conf.py and updated here by python/release-tools/run_release.py
SOURCE_URI = 'https://github.com/python/cpython/tree/main/%s'
- # monkey-patch reST parser to disable alphabetic and roman enumerated lists
++# monkey-patch reST parser to disable alphabetic and roman enumerated lists
+def _disable_alphabetic_and_roman(text):
+ try:
+ # docutils >= 0.22
@@ -25,12 +26,13 @@ Index: Python-3.15.0a1/Doc/tools/extensions/pyspecific.py
+ return None
+
+
- from docutils.parsers.rst.states import Body
- Body.enum.converters['loweralpha'] = \
- Body.enum.converters['upperalpha'] = \
- Body.enum.converters['lowerroman'] = \
-- Body.enum.converters['upperroman'] = lambda x: None
++from docutils.parsers.rst.states import Body
++Body.enum.converters['loweralpha'] = \
++ Body.enum.converters['upperalpha'] = \
++ Body.enum.converters['lowerroman'] = \
+ Body.enum.converters['upperroman'] = _disable_alphabetic_and_roman
-
-
++
++
class PyAwaitableMixin(object):
+ def handle_signature(self, sig, signode):
+ ret = super(PyAwaitableMixin, self).handle_signature(sig, signode)
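Review bot: After this refresh the inner hunk is additions only (`@@ -24,6 +24,24 @@`, diffstat `18 insertions(+)`), so the patch no longer adjusts an existing monkey-patch but adds the whole `Body.enum.converters[...] = _disable_alphabetic_and_roman` block, including `from docutils.parsers.rst.states import Body`, to `Doc/tools/extensions/pyspecific.py`. This suggests the 3.15.0a3 sources dropped or moved that block, so it is worth confirming that upstream does not already handle docutils 0.22 elsewhere; if it does, this patch may be obsolete or may override the converters a second time. If the patch is still required, its header should say so, since the subject `gh-139257: Support docutils >= 0.22` no longer describes what it does; a short sentence stating that the block is re-added and why would be enough. The body of `_disable_alphabetic_and_roman` lies between the two hunks and is not visible here, so its `try` fallback could not be reviewed.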
diff --git a/python-3.3.0b1-fix_date_time_compiler.patch b/python-3.3.0b1-fix_date_time_compiler.patch
index 7f1b240..c751deb 100644
--- a/python-3.3.0b1-fix_date_time_compiler.patch
+++ b/python-3.3.0b1-fix_date_time_compiler.patch
@@ -2,11 +2,11 @@
Makefile.pre.in | 5 +++++
1 file changed, 5 insertions(+)
-Index: Python-3.15.0a1/Makefile.pre.in
+Index: Python-3.15.0a3/Makefile.pre.in
===================================================================
---- Python-3.15.0a1.orig/Makefile.pre.in 2025-10-14 12:46:08.000000000 +0200
-+++ Python-3.15.0a1/Makefile.pre.in 2025-10-24 23:53:39.419910772 +0200
-@@ -1917,6 +1917,11 @@
+--- Python-3.15.0a3.orig/Makefile.pre.in 2025-12-19 02:26:23.594002103 +0100
++++ Python-3.15.0a3/Makefile.pre.in 2025-12-19 02:26:28.185444105 +0100
+@@ -1926,6 +1926,11 @@
-DGITBRANCH="\"`LC_ALL=C $(GITBRANCH)`\"" \
-o $@ $(srcdir)/Modules/getbuildinfo.c
diff --git a/python315.changes b/python315.changes
index e612c98..5dc5d0b 100644
--- a/python315.changes
+++ b/python315.changes
@@ -1,10 +1,495 @@
-------------------------------------------------------------------
-Thu Dec 18 10:33:44 UTC 2025 - Matej Cepl
+Fri Dec 19 01:05:54 UTC 2025 - Matej Cepl
-- Add CVE-2025-13836-http-resp-cont-len.patch (bsc#1254400,
- CVE-2025-13836) to prevent reading an HTTP response from
- a server, if no read amount is specified, with using
- Content-Length per default as the length.
+Update to 3.15.0~a3:
+- Security
+ - gh-142145: Remove quadratic behavior in xml.minidom node ID
+ cache clearing (CVE-2025-12084, bsc#1254997).
+ - gh-42400: Fix buffer overflow in _Py_wrealpath() for paths
+ exceeding MAXPATHLEN bytes by using dynamic memory
+ allocation instead of fixed-size buffer. Patch by Shamil
+ Abdulaev.
+ - gh-119451: Fix a potential memory denial of service in the
+ http.client module. When connecting to a malicious server,
+ it could cause an arbitrary amount of memory to be
+ allocated. This could have led to symptoms including
+ a MemoryError, swapping, out of memory (OOM) killed
+ processes or containers, or even system crashes
+ (CVE-2025-13836, bsc#1254400).
+ - gh-119342: Fix a potential memory denial of service in the
+ plistlib module. When reading a Plist file received from
+ untrusted source, it could cause an arbitrary amount of
+ memory to be allocated. This could have led to symptoms
+ including a MemoryError, swapping, out of memory (OOM)
+ killed processes or containers, or even system crashes
+ (CVE-2025-13837, bsc#1254401).
+- Library
+ - gh-142754: Add the ownerDocument attribute to
+ xml.dom.minidom elements and attributes created by directly
+ instantiating the Element or Attr class. Note that this way
+ of creating nodes is not supported; creator functions like
+ xml.dom.Document.documentElement() should be used instead.
+ - gh-142594: Fix crash in TextIOWrapper.close() when the
+ underlying buffer’s closed property calls detach().
+ - gh-76007: Deprecate __version__ from ctypes. Patch by Hugo
+ van Kemenade.
+ - gh-76007: Deprecate __version__ from wsgiref.simple_server.
+ Patch by Hugo van Kemenade.
+ - gh-142651: unittest.mock: fix a thread safety issue where
+ Mock.call_count may return inaccurate values when the mock
+ is called concurrently from multiple threads.
+ - gh-76007: Deprecate __version__ from http.server. Patch by
+ Hugo van Kemenade.
+ - gh-138122: Add --subprocesses flag to profiling.sampling
+ CLI to automatically profile subprocesses spawned by the
+ target. When enabled, the profiler monitors for new Python
+ subprocesses and profiles each one separately, writing
+ results to individual output files. This is useful for
+ profiling applications that use multiprocessing,
+ ProcessPoolExecutor, or other subprocess-based parallelism.
+ Patch by Pablo Galindo.
+ - gh-142595: Added type check during initialization of the
+ decimal module to prevent a crash in case of broken stdlib.
+ Patch by Sergey B Kirpichev.
+ - gh-142556: Fix crash when a task gets re-registered during
+ finalization in asyncio. Patch by Kumar Aditya.
+ - gh-138122: Add --mode=exception to the sampling profiler to
+ capture samples only from threads with an active exception,
+ useful for analyzing exception handling overhead. Patch by
+ Pablo Galindo.
+ - gh-142539: traceback: Fix location of carets in
+ SyntaxErrors when the source contains wide characters.
+ - gh-123241: Avoid reference count operations in garbage
+ collection of ctypes objects.
+ - gh-142451: hmac: correctly copy HMAC attributes for objects
+ copied through HMAC.copy(). Patch by Bénédikt Tran.
+ - gh-138122: The profiling.sampling flamegraph profiler now
+ supports inverted flamegraph view that aggregates all leaf
+ nodes. In a standard flamegraph, if a hot function is
+ called from multiple locations, it appears multiple times
+ as separate leaf nodes. In the inverted flamegraph, all
+ occurrences of the same leaf function are merged into
+ a single aggregated node at the root, showing the total
+ hotness of that function in one place. The children of each
+ aggregated node represent its callers, making it easier to
+ identify which functions consume the most CPU time and
+ where they are called from.
+ - gh-112527: The help text for required options in argparse
+ no longer extended with “ (default: None)”.
+ - gh-142438: Fixed a possible leaked GIL in
+ _PySSL_keylog_callback.
+ - gh-138122: Add bytecode-level instruction profiling to the
+ sampling profiler via the new --opcodes flag. When enabled,
+ the profiler captures which bytecode opcode is executing at
+ each sample, including Python 3.11+ adaptive
+ specializations, and visualizes this data in the heatmap,
+ flamegraph, gecko, and live output formats. Patch by Pablo
+ Galindo
+ - gh-142389: Add backtick markup support in argparse
+ description and epilog text to highlight inline code when
+ color output is enabled.
+ - gh-142346: Fix usage formatting for mutually exclusive
+ groups in argparse when they are preceded by positional
+ arguments or followed or intermixed with other optional
+ arguments.
+ - gh-142374: Fix cumulative percentage calculation for
+ recursive functions in the new sampling profiler. When
+ profiling recursive functions, cumulative statistics
+ (cumul%, cumtime) could exceed 100% because each recursive
+ frame in a stack was counted separately. For example,
+ a function recursing 500 times in every sample would show
+ 50000% cumulative presence. The fix deduplicates locations
+ within each sample so cumulative stats correctly represent
+ “percentage of samples where this function was on the
+ stack”. Patch by Pablo Galindo.
+ - gh-142315: Pdb can now run scripts from anonymous pipes
+ used in process substitution. Patch by Bartosz Sławecki.
+ - gh-64532: Subparser help now includes required optional
+ arguments from the parent parser in the usage, making it
+ clearer what arguments are needed to run a subcommand.
+ Patch by Savannah Ostrowski.
+ - gh-142207: Fix: profiling.sampling may cause assertion
+ !(has_gil && gil_requested)
+ - gh-142332: Fix usage formatting for positional arguments in
+ mutually exclusive groups in argparse. in argparse.
+ - gh-142282: Fix winreg.QueryValueEx() to not accidentally
+ read garbage buffer under race condition.
+ - gh-142318: Fix typing 'q' at the help of the interactive
+ tachyon profiler exiting the profiler.
+ - gh-75949: Fix argparse to preserve | separators in mutually
+ exclusive groups when the usage line wraps due to length.
+ - gh-142267: Improve argparse performance by caching the
+ formatter used for argument validation.
+ - gh-139862: Remove color parameter from
+ argparse.HelpFormatter constructor. Color is controlled by
+ ArgumentParser.
+ - gh-68552: MisplacedEnvelopeHeaderDefect and Missing header
+ name defects are now correctly passed to the handle_defect
+ method of policy in FeedParser.
+ - gh-142206: The resource tracker in the multiprocessing
+ module can now understand messages from older versions of
+ itself. This avoids issues with upgrading Python while it
+ is running. (Note that such ‘in-place’ upgrades are not
+ tested.)
+ - gh-142214: Fix two regressions in dataclasses in Python
+ 3.14.1 related to annotations. An exception is no longer
+ raised if slots=True is used and the __init__ method does
+ not have an __annotate__ attribute (likely because
+ init=False was used). An exception is no longer raised if
+ annotations are requested on the __init__ method and one of
+ the fields is not present in the class annotations. This
+ can occur in certain dynamic scenarios. Patch by Jelle
+ Zijlstra.
+ - gh-142203: Remove the debug_override parameter from
+ importlib.util.cache_from_source() which has been
+ deprecated since Python 3.5.
+ - gh-138122: The _remote_debugging module now implements
+ frame caching in the RemoteUnwinder class to reduce memory
+ reads when profiling remote processes. When
+ cache_frames=True, unchanged portions of the call stack are
+ reused from previous samples, significantly improving
+ profiling performance for deep call stacks.
+ - gh-116738: Fix cmath data race when initializing
+ trigonometric tables with subinterpreters.
+ - gh-141982: Allow pdb to set breakpoints on async functions
+ with function names.
+ - gh-74389: When the stdin being used by a subprocess.Popen
+ instance is closed, this is now ignored in
+ subprocess.Popen.communicate() instead of leaving the class
+ in an inconsistent state.
+ - gh-87512: Fix subprocess.Popen.communicate() timeout
+ handling on Windows when writing large input. Previously,
+ the timeout was ignored during stdin writing, causing the
+ method to block indefinitely if the child process did not
+ consume input quickly. The stdin write is now performed in
+ a background thread, allowing the timeout to be properly
+ enforced.
+ - gh-141939: Add color to all interpolated values in argparse
+ help, like %(default)s or %(choices)s. Patch by Alex
+ Prengère.
+ - gh-141473: When subprocess.Popen.communicate() was called
+ with input and a timeout and is called for a second time
+ after a TimeoutExpired exception before the process has
+ died, it should no longer hang.
+ - gh-141999: Correctly allow KeyboardInterrupt to stop the
+ process when using profiling.sampling.
+ - gh-142006: Fix a bug in the email.policy.default folding
+ algorithm which incorrectly resulted in a doubled newline
+ when a line ending at exactly max_line_length was followed
+ by an unfoldable token.
+ - gh-141968: Remove data copy from re compilation of regexes
+ with large charsets by using bytearray.take_bytes().
+ - gh-141968: Remove data copy from encodings.idna encode()
+ and encode() by using bytearray.take_bytes().
+ - gh-141968: Remove data copy from codecs punycode encoding
+ by using bytearray.take_bytes().
+ - gh-141968: Remove data copy from
+ wave.Wave_read.readframes() and
+ wave.Wave_write.writeframes() by using
+ bytearray.take_bytes().
+ - gh-141968: Remove a data copy from base64.b32decode() and
+ base64.b32encode() by using bytearray.take_bytes().
+ - gh-59000: Fix pdb breakpoint resolution for class methods
+ when the module defining the class is not imported.
+ - gh-116738: Fix thread safety issue with re scanner objects
+ in free-threaded builds.
+ - gh-138122: The profiling.sampling flamegraph profiler now
+ displays thread status statistics showing the percentage of
+ time threads spend holding the GIL, running without the
+ GIL, waiting for the GIL, and performing garbage
+ collection. These statistics help identify GIL contention
+ and thread behavior patterns. When filtering by thread, the
+ display shows per-thread metrics.
+ - gh-141781: Fixed an issue where pdb.line_prefix assignment
+ was ignored if assigned after the module was imported.
+ - gh-141863: Update Streams to use bytearray.take_bytes() for
+ a over 10% performance improvement on pyperformance
+ asyncio_tcp benchmark.
+ - gh-141817: Add socket.IPV6_HDRINCL constant.
+ - gh-105836: Fix asyncio.run_coroutine_threadsafe() leaving
+ underlying cancelled asyncio task running.
+ - gh-141570: Support file-like object raising OSError from
+ fileno() in color detection (_colorize.can_colorize()).
+ This can occur when sys.stdout is redirected.
+ - gh-141679: Add colour to defaults in argparse help. Patch
+ by Hugo van Kemenade.
+ - gh-141686: Break reference cycles created by each call to
+ json.dump() or json.JSONEncoder.iterencode().
+ - gh-141659: Fix bad file descriptor errors from
+ _posixsubprocess on AIX.
+ - gh-141645: Add a new --live mode to the tachyon profiler in
+ profiling.sampling module. This mode consist of a live TUI
+ that displays real-time profiling statistics as the target
+ application runs, similar to top. Patch by Pablo Galindo
+ - gh-141615: Check stdin instead of stdout for use_rawinput
+ in pdb.
+ - gh-69113: Fix doctest to correctly report line numbers for
+ doctests in __test__ dictionary when formatted as
+ triple-quoted strings by finding unique lines in the string
+ and matching them in the source file.
+ - gh-141600: Fix musl version detection on Void Linux.
+ - gh-48752: Add readline.get_pre_input_hook() function to
+ retrieve the current pre-input hook. This allows
+ applications to save and restore the hook without
+ overwriting user settings. Patch by Sanyam Khurana.
+ - gh-141565: Add async-aware profiling to the Tachyon
+ sampling profiler. The profiler now reconstructs and
+ displays async task hierarchies in flamegraphs, making the
+ output more actionable for users. Patch by Savannah
+ Ostrowski and Pablo Galindo Salgado.
+ - gh-60107: Remove a copy from io.RawIOBase.read(). If the
+ underlying I/O class keeps a reference to the mutable
+ memory, raise a BufferError.
+ - gh-116738: Make csv module thread-safe on the free threaded
+ build.
+ - gh-140911: collections: Ensure that the methods
+ UserString.rindex() and UserString.index() accept
+ collections.UserString instances as the sub argument.
+ - gh-140875: Fix handling of unclosed character references
+ (named and numerical) followed by the end of file in
+ html.parser.HTMLParser with convert_charrefs=False.
+ - gh-140677: Add heatmap visualization mode to the Tachyon
+ sampling profiler. The new --heatmap output format provides
+ a line-by-line view showing execution intensity with
+ color-coded samples, inline statistics, and interactive
+ call graph navigation between callers and callees.
+ - gh-139946: Distinguish stdout and stderr when colorizing
+ output in argparse module.
+ - gh-76007: pydoc: Fix DeprecationWarning being raised when
+ generating doc for stdlib modules.
+ - gh-139686: Make importlib.reload no-op for lazy modules.
+ - gh-138697: Fix inferring dest from a single-dash long
+ option in argparse. If a short option and a single-dash
+ long option are passed to add_argument(), dest is now
+ inferred from the single-dash long option.
+ - gh-138525: Add support for single-dash long options and
+ alternate prefix characters in
+ argparse.BooleanOptionalAction.
+ - gh-79986: Add parsing for References and In-Reply-To
+ headers to the email library that parses the header content
+ as lists of message id tokens. This prevents them from
+ being folded incorrectly.
+ - gh-135559: Flag: a dir() on a Flag enumeration now shows
+ non-canonical members. (i.e. aliases).
+ - gh-134453: Fixed subprocess.Popen.communicate() input=
+ handling of memoryview instances that were non-byte shaped
+ on POSIX platforms. Those are now properly cast to a byte
+ shaped view instead of truncating the input. Windows
+ platforms did not have this bug.
+ - gh-127930: Add __all__ to tkinter.simpledialog.
+ - gh-115952: Fix a potential memory denial of service in the
+ pickle module. When reading a pickled data received from
+ untrusted source, it could cause an arbitrary amount of
+ memory to be allocated, even if the code that is allowed to
+ execute is restricted by overriding the find_class()
+ method. This could have led to symptoms including
+ a MemoryError, swapping, out of memory (OOM) killed
+ processes or containers, or even system crashes. bpo-40350:
+ Fix support for namespace packages in modulefinder.
+- Documentation
+ - gh-141994: xml.sax.handler: Make Documentation of
+ xml.sax.handler.feature_external_ges warn of opening up to
+ external entity attacks. Patch by Sebastian Pipping.
+- Core and Builtins
+ - gh-134584: Eliminate redundant refcounting from
+ _STORE_ATTR_INSTANCE_VALUE.
+ - gh-142718: JIT: Fix segfault caused by not flushing the
+ stack to memory at side exits.
+ - gh-142737: Tracebacks will be displayed in fallback mode
+ even if io.open() is lost. Previously, this would crash the
+ interpreter. Patch by Bartosz Sławecki.
+ - gh-116738: Make the attributes in bz2 thread-safe on the
+ free threaded build.
+ - gh-134584: Eliminate redundant refcounting from
+ _CALL_LIST_APPEND.
+ - gh-142554: Fix a crash in divmod() when
+ _pylong.int_divmod() does not return a tuple of length two
+ exactly. Patch by Bénédikt Tran.
+ - gh-142531: Fix a free-threaded GC performance regression.
+ If there are many untracked tuples, the GC will run too
+ often, resulting in poor performance. The fix is to include
+ untracked tuples in the “long lived” object count. The
+ number of frozen objects is also now included since the
+ free-threaded GC must scan those too.
+ - gh-142402: Fix reference counting when adjacent literal
+ parts are merged while constructing
+ string.templatelib.Template, preventing the displaced
+ string object from leaking.
+ - gh-116738: Make the attributes in zlib thread-safe on the
+ free threaded build.
+ - gh-142343: Fix SIGILL crash on m68k due to incorrect
+ assembly constraint.
+ - gh-142236: Improve the “Perhaps you forgot a comma?” syntax
+ error for multi-line string concatenations to point to the
+ last string instead of the first, making it easier to
+ locate where the comma is missing. Patch by Pablo Galindo.
+ - gh-142236: Fix incorrect keyword suggestions for syntax
+ errors in traceback. The keyword typo suggestion mechanism
+ would incorrectly suggest replacements when the extracted
+ source code was incomplete rather than containing an actual
+ typo. Patch by Pablo Galindo.
+ - gh-142305: Decrease the size of the generated stencils and
+ the runtime JIT code. Patch by Diego Russo.
+ - gh-135379: Implement a limited form of register allocation
+ known as “top of stack caching” in the JIT. It works by
+ keeping 0-3 of the top items in the stack in registers. The
+ code generator generates multiple versions of those uops
+ that do not escape and are relatively small. During JIT
+ compilation, the copy that produces the least memory
+ traffic is selected, spilling or reloading values when
+ needed.
+ - gh-142276: Fix missing type watcher when promoting
+ attribute loads to constants in the JIT. Patch by Ken Jin.
+ Reproducer by Yuancheng Jiang.
+ - gh-142218: Fix crash when inserting into a split table
+ dictionary with a non str key that matches an existing key.
+ - gh-141976: Check against abstract stack overflow in the JIT
+ optimizer.
+ - gh-97850: Remove all *.load_module() usage and definitions
+ from the import system and importlib. The method has been
+ deprecated in favor of importlib.abc.Loader.exec_module()
+ since Python 3.4.
+ - gh-142048: Fix quadratically increasing garbage collection
+ delays in free-threaded build.
+ - gh-65961: Stop setting __cached__ on modules.
+ - gh-141770: Annotate anonymous mmap usage only when
+ supported by the Linux kernel and if -X dev is used or
+ Python is built in debug mode. Patch by Donghee Na.
+ - gh-142029: Raise ModuleNotFoundError instead of crashing
+ when a nonexistent module is used as a name in
+ _imp.create_builtin().
+ - gh-142029: Raise ValueError instead of crashing when empty
+ string is used as a name in _imp.create_builtin().
+ - gh-141976: Protect against specialization failures in the
+ tracing JIT compiler for performance reasons.
+ - gh-141861: Fix invalid memory read in the ENTER_EXECUTOR
+ instruction.
+ - gh-141930: When importing a module, use Python’s regular
+ file object to ensure that writes to .pyc files are
+ complete or an appropriate error is raised.
+ - gh-138122: Add incomplete sample detection to prevent
+ corrupted profiling data. Each thread state now contains an
+ embedded base frame (sentinel at the bottom of the frame
+ stack) with owner type FRAME_OWNED_BY_INTERPRETER. The
+ profiler validates that stack unwinding terminates at this
+ sentinel frame. Samples that fail to reach the base frame
+ (due to race conditions, memory corruption, or other
+ errors) are now rejected rather than being included as
+ spurious data.
+ - gh-120158: Fix inconsistent state when enabling or
+ disabling monitoring events too many times.
+ - gh-140638: Expose a "candidates" stat in gc.get_stats() and
+ gc.callbacks.
+ - gh-141780: Fix Py_mod_gil with API added in PEP 793:
+ PyModule_FromSlotsAndSpec() and PyModExport hooks
+ - gh-141732: Ensure the __repr__() for ExceptionGroup and
+ BaseExceptionGroup does not change when the exception
+ sequence that was original passed in to its constructor is
+ subsequently mutated.
+ - gh-140638: Expose a "duration" stat in gc.get_stats() and
+ gc.callbacks.
+ - gh-139653: Only raise a RecursionError or trigger a fatal
+ error if the stack pointer is both below the limit pointer
+ and above the stack base. If outside of these bounds assume
+ that it is OK. This prevents false positives when
+ user-space threads swap stacks.
+ - gh-41779: Allowed defining the __dict__ and __weakref__
+ __slots__ for any class.
+ - gh-139103: Improve multithreaded scaling of dataclasses on
+ the free-threaded build.
+ - gh-141589: Change backoff counter to use prime numbers
+ instead of powers of 2. Use only 3 bits for counter and 13
+ bits for value. This allows to support values up to 8191.
+ Patch by Mikhail Efimov.
+ - gh-137007: Fix a bug during JIT compilation failure which
+ caused garbage collection debug assertions to fail.
+ - gh-132657: For the free-threaded build, avoid locking the
+ set object for the __contains__ method.
+ - gh-134584: Eliminate redundant refcounting from
+ _CALL_STR_1.
+ - gh-134584: Eliminate redundant refcounting from
+ _CALL_BUILTIN_O.
+ - gh-134584: Eliminate redundant refcounting from
+ _CALL_TUPLE_1. Patch by Noam Cohen
+- C API
+ - gh-142589: Fix
+ PyUnstable_Object_IsUniqueReferencedTemporary() handling of
+ tagged ints on the interpreter stack.
+ - gh-142571: PyUnstable_CopyPerfMapFile() now checks that
+ opening the file succeeded before flushing.
+ - gh-142225: Fixed the PyABIInfo_VAR macro.
+ - gh-141049: _PyObject_CallMethodId(), _PyObject_GetAttrId()
+ and _PyUnicode_FromId() are deprecated since 3.15 and will
+ be removed in 3.20. Instead, use
+ PyUnicode_InternFromString() and cache the result in the
+ module state, then call PyObject_CallMethod() or
+ PyObject_GetAttr(). Patch by Victor Stinner.
+ - gh-142163: Fix the HAVE_THREAD_LOCAL macro being defined
+ without the Py_BUILD_CORE macro set after including
+ Python.h.
+ - gh-137422: Fix free threading race condition in
+ PyImport_AddModuleRef(). It was previously possible for two
+ calls to the function return two different objects, only
+ one of which was stored in sys.modules.
+ - gh-141726: Add PyDict_SetDefaultRef() to the Stable ABI.
+ - gh-140042: Removed the sqlite3_shutdown call that could
+ cause closing connections for sqlite when used with
+ multiple sub interpreters.
+ - gh-141070: Add PyUnstable_Object_Dump() to dump an object
+ to stderr. It should only be used for debugging. Patch by
+ Victor Stinner.
+ - gh-139165: Expose the functions Py_SIZE(), Py_IS_TYPE() and
+ Py_SET_SIZE() in the Stable ABI.
+- Build
+ - gh-131372: Add LDVERSION and EXE to the base_interpreter
+ value of build-details.json.
+ - gh-142454: When calculating the digest of the JIT stencils
+ input, sort the hashed files by filenames before adding
+ their content to the hasher. This ensures deterministic
+ hash input and hence deterministic hash, independent on
+ filesystem order.
+ - gh-131372: build-details.py will only be installed as part
+ of the main install (make install). make altinstall will no
+ longer include it.
+ - gh-142234: Allow --enable-wasm-dynamic-linking for WASI.
+ While CPython doesn’t directly support it so
+ external/downstream users do not have to patch in support
+ for the flag.
+ - gh-142050: Fixed a bug where JIT stencils produced on
+ Windows contained debug data. Patch by Chris Eibl.
+ - gh-141808: Do not generate the jit stencils twice in case
+ of PGO builds on Windows.
+ - gh-141926: RUNSHARED is no longer cleared when
+ cross-compiling. Previously, RUNSHARED was cleared when
+ cross-compiling, which breaks PGO when using
+ --enabled-shared on systems where the cross-compiled
+ CPython is otherwise executable (e.g., via transparent
+ emulation).
+ - gh-141808: When running make clean-retain-profile, keep the
+ generated JIT stencils. That way, the stencils are not
+ generated twice when Profile-guided optimization (PGO) is
+ used. It also allows distributors to supply their own
+ pre-built JIT stencils.
+ - gh-141784: Fix _remote_debugging_module.c compilation on
+ 32-bit Linux. Include Python.h before system headers to
+ make sure that _remote_debugging_module.c uses the same
+ types (ABI) than Python. Patch by Victor Stinner.
+ - gh-141172: Update to WASI SDK 29.
+ - gh-139707: Add configure option
+ --with-missing-stdlib-config=FILE allows which distributors
+ to pass a JSON configuration file containing custom error
+ messages for missing standard library modules.
+ - gh-108819: Honor --with-platlibdir in the pure-Python
+ standard library installation path, if PLATLIBDIR doesn’t
+ match the value used in LIBDIR.
+- Tests
+ - gh-140381: Fix flaky test_profiling tests on i686 and s390x
+ architectures by increasing slow_fibonacci call frequency
+ from every 5th iteration to every 2nd iteration.
+ - gh-140210: Make
+ test_sysconfig.test_parse_makefile_renamed_vars less
+ fragile by clearing the environment variables before
+ parsing the Makefile.
-------------------------------------------------------------------
Wed Dec 10 03:48:24 UTC 2025 - Steve Kowalik
diff --git a/python315.spec b/python315.spec
index aaa44c4..e69d370 100644
--- a/python315.spec
+++ b/python315.spec
@@ -162,8 +162,8 @@
# _md5.cpython-38m-x86_64-linux-gnu.so
%define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
Name: %{python_pkg_name}%{psuffix}
-Version: 3.15.0~a2
-%define tarversion 3.15.0a2
+Version: 3.15.0~a3
+%define tarversion 3.15.0a3
%define tarname Python-%{tarversion}
Release: 0
Summary: Python 3 Interpreter
@@ -224,9 +224,6 @@ Patch40: fix-test-recursion-limit-15.6.patch
Patch41: bsc1243155-sphinx-non-determinism.patch
# PATCH-FIX-OPENSUSE gh139257-Support-docutils-0.22.patch gh#python/cpython#139257 daniel.garcia@suse.com
Patch42: gh139257-Support-docutils-0.22.patch
-# PATCH-FIX-UPSTREAM CVE-2025-13836-http-resp-cont-len.patch bsc#1254400 mcepl@suse.com
-# Avoid loading possibly compromised length of HTTP response
-Patch43: CVE-2025-13836-http-resp-cont-len.patch
#### Python 3.15 DEVELOPMENT PATCHES
BuildRequires: autoconf-archive
BuildRequires: automake
@@ -577,7 +574,7 @@ export SUSE_VERSION="0%{?suse_version}"
export SLE_VERSION="0%{?sle_version}"
%if %{with doc}
-TODAY_DATE=`date -r %{SOURCE0} "+%%B %%d, %%Y"`
+TODAY_DATE=`date -r %{SOURCE0} "+%B %d, %Y"`
# TODO use not date of tarball but date of latest patch
cd Doc
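Review bot: The `date` format on the changed `TODAY_DATE` line loses its rpm escaping: `"+%%B %%d, %%Y"` becomes `"+%B %d, %Y"`, and in a spec file `%%` is how a literal percent sign is written. The unescaped form gives the same string only while rpm leaves `%B`, `%d` and `%Y` unexpanded, which looks like a side effect of those names not being defined as macros rather than something to rely on. The value is presumably the date stamped into the built documentation, so a silent difference would hurt build reproducibility. The visible changelog entry does not mention this change, so unless it is intentional I would keep `"+%%B %%d, %%Y"`. The `%if %{with doc}` block continues past the end of the hunk, so how `TODAY_DATE` is consumed is not visible here.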