diff --git a/CVE-2024-5642-OpenSSL-API-buf-overread-NPN.patch b/CVE-2024-5642-OpenSSL-API-buf-overread-NPN.patch index 94f6c70..d58c211 100644 --- a/CVE-2024-5642-OpenSSL-API-buf-overread-NPN.patch +++ b/CVE-2024-5642-OpenSSL-API-buf-overread-NPN.patch @@ -56,7 +56,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer ============= --- a/Lib/ssl.py +++ b/Lib/ssl.py -@@ -910,15 +910,12 @@ class SSLObject: +@@ -912,15 +912,12 @@ class SSLObject: """Return the currently selected NPN protocol as a string, or ``None`` if a next protocol was not negotiated or if NPN is not supported by one of the peers.""" @@ -73,7 +73,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer def cipher(self): """Return the currently selected cipher as a 3-tuple ``(name, -@@ -1160,10 +1157,7 @@ class SSLSocket(socket): +@@ -1162,10 +1159,7 @@ class SSLSocket(socket): @_sslcopydoc def selected_npn_protocol(self): self._checkClosed() @@ -314,9 +314,9 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer - self.assertEqual(server_result, expected, msg % (server_result, "server")) + assert not ssl.HAS_NPN - def sni_contexts(self): - server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) -@@ -4387,8 +4321,7 @@ class ThreadedTests(unittest.TestCase): + def test_empty_npn_protocols(self): + """npn_protocols cannot be empty, see CVE-2024-5642 & gh-121227""" +@@ -4393,8 +4327,7 @@ class ThreadedTests(unittest.TestCase): self.assertGreater(session.time, 0) self.assertGreater(session.timeout, 0) self.assertTrue(session.has_ticket) @@ -1739,7 +1739,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer #endif /* !defined(_SSL_RAND_EGD_METHODDEF) */ --- a/Tools/ssl/multissltests.py +++ b/Tools/ssl/multissltests.py -@@ -43,8 +43,6 @@ import tarfile +@@ -44,8 +44,6 @@ import tarfile log = logging.getLogger("multissl") OPENSSL_OLD_VERSIONS = [ 
@@ -1748,7 +1748,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer ] OPENSSL_RECENT_VERSIONS = [ -@@ -53,11 +51,9 @@ OPENSSL_RECENT_VERSIONS = [ +@@ -54,11 +52,9 @@ OPENSSL_RECENT_VERSIONS = [ ] LIBRESSL_OLD_VERSIONS = [ diff --git a/CVE-2025-6069-quad-complex-HTMLParser.patch b/CVE-2025-6069-quad-complex-HTMLParser.patch deleted file mode 100644 index e75d9bf..0000000 --- a/CVE-2025-6069-quad-complex-HTMLParser.patch +++ /dev/null 
@@ -1,238 +0,0 @@ -From 2a6869c71a3132eff9c7be96db9bdca48b3636aa Mon Sep 17 00:00:00 2001 -From: Serhiy Storchaka -Date: Fri, 13 Jun 2025 19:57:48 +0300 -Subject: [PATCH] [3.9] gh-135462: Fix quadratic complexity in processing - special input in HTMLParser (GH-135464) - -End-of-file errors are now handled according to the HTML5 specs -- -comments and declarations are automatically closed, tags are ignored. -(cherry picked from commit 6eb6c5dbfb528bd07d77b60fd71fd05d81d45c41) - -Co-authored-by: Serhiy Storchaka ---- - Lib/html/parser.py | 41 +++- - Lib/test/test_htmlparser.py | 95 ++++++++-- - Misc/NEWS.d/next/Security/2025-06-13-15-55-22.gh-issue-135462.KBeJpc.rst | 4 - 3 files changed, 117 insertions(+), 23 deletions(-) - create mode 100644 Misc/NEWS.d/next/Security/2025-06-13-15-55-22.gh-issue-135462.KBeJpc.rst - -Index: Python-3.9.23/Lib/html/parser.py -=================================================================== ---- Python-3.9.23.orig/Lib/html/parser.py 2025-07-02 18:10:23.763249887 +0200 -+++ Python-3.9.23/Lib/html/parser.py 2025-07-02 18:10:29.124564834 +0200 -@@ -25,6 +25,7 @@ - charref = re.compile('&#(?:[0-9]+|[xX][0-9a-fA-F]+)[^0-9a-fA-F]') - - starttagopen = re.compile('<[a-zA-Z]') -+endtagopen = re.compile('') - commentclose = re.compile(r'--\s*>') - # Note: -@@ -176,7 +177,7 @@ - k = self.parse_pi(i) - elif startswith("', i + 1) -- if k < 0: -- k = rawdata.find('<', i + 1) -- if k < 0: -- k = i + 1 -+ if starttagopen.match(rawdata, i): # < + letter -+ pass -+ elif startswith("'), -- ('comment', '/img'), -- ('endtag', 'html<')]) -+ ('data', '\n')]) - - def test_starttag_junk_chars(self): -+ self._run_check("<", [('data', '<')]) -+ self._run_check("<>", [('data', '<>')]) -+ self._run_check("< >", [('data', '< >')]) -+ self._run_check("< ", [('data', '< ')]) - self._run_check("", []) -+ self._run_check("<$>", [('data', '<$>')]) - self._run_check("", [('comment', '$')]) - self._run_check("", [('endtag', 'a')]) -+ self._run_check("", [('starttag', 
'a", [('endtag', 'a'", [('data', "'", []) -+ self._run_check("", [('starttag', 'a$b', [])]) - self._run_check("", [('startendtag', 'a$b', [])]) - self._run_check("", [('starttag', 'a$b', [])]) - self._run_check("", [('startendtag', 'a$b', [])]) -+ self._run_check("", [('endtag', 'a$b')]) - - def test_slashes_in_starttag(self): - self._run_check('', [('startendtag', 'a', [('foo', 'var')])]) -@@ -537,13 +545,56 @@ - for html, expected in data: - self._run_check(html, expected) - -- def test_broken_comments(self): -- html = ('' -+ def test_eof_in_comments(self): -+ data = [ -+ ('', [('comment', '-!>')]), -+ ('' - '' - '' - '') - expected = [ -+ ('comment', 'ELEMENT br EMPTY'), - ('comment', ' not really a comment '), - ('comment', ' not a comment either --'), - ('comment', ' -- close enough --'), -@@ -598,6 +649,26 @@ - ('endtag', 'a'), ('data', ' bar & baz')] - ) - -+ @support.requires_resource('cpu') -+ def test_eof_no_quadratic_complexity(self): -+ # Each of these examples used to take about an hour. -+ # Now they take a fraction of a second. -+ def check(source): -+ parser = html.parser.HTMLParser() -+ parser.feed(source) -+ parser.close() -+ n = 120_000 -+ check(" -Date: Mon, 28 Jul 2025 17:37:26 +0200 -Subject: [PATCH] [3.9] gh-130577: tarfile now validates archives to ensure - member offsets are non-negative (GH-137027) (cherry picked from commit - 7040aa54f14676938970e10c5f74ea93cd56aa38) - -Co-authored-by: Alexander Urieles -Co-authored-by: Gregory P. 
Smith ---- - Lib/tarfile.py | 3 - Lib/test/test_tarfile.py | 156 ++++++++++ - Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst | 3 - 3 files changed, 162 insertions(+) - create mode 100644 Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst - -Index: Python-3.9.23/Lib/tarfile.py -=================================================================== ---- Python-3.9.23.orig/Lib/tarfile.py 2025-08-02 17:56:38.706191816 +0200 -+++ Python-3.9.23/Lib/tarfile.py 2025-08-02 17:56:43.118456301 +0200 -@@ -1601,6 +1601,9 @@ - """Round up a byte count by BLOCKSIZE and return it, - e.g. _block(834) => 1024. - """ -+ # Only non-negative offsets are allowed -+ if count < 0: -+ raise InvalidHeaderError("invalid offset") - blocks, remainder = divmod(count, BLOCKSIZE) - if remainder: - blocks += 1 -Index: Python-3.9.23/Lib/test/test_tarfile.py -=================================================================== ---- Python-3.9.23.orig/Lib/test/test_tarfile.py 2025-08-02 17:56:40.012303862 +0200 -+++ Python-3.9.23/Lib/test/test_tarfile.py 2025-08-02 17:56:56.856747140 +0200 -@@ -48,6 +48,7 @@ - xzname = os.path.join(TEMPDIR, "testtar.tar.xz") - tmpname = os.path.join(TEMPDIR, "tmp.tar") - dotlessname = os.path.join(TEMPDIR, "testtar") -+SPACE = b" " - - sha256_regtype = ( - "e09e4bc8b3c9d9177e77256353b36c159f5f040531bbd4b024a8f9b9196c71ce" -@@ -4234,6 +4235,161 @@ - self.expect_exception(TypeError) # errorlevel is not int - - -+class OffsetValidationTests(unittest.TestCase): -+ tarname = tmpname -+ invalid_posix_header = ( -+ # name: 100 bytes -+ tarfile.NUL * tarfile.LENGTH_NAME -+ # mode, space, null terminator: 8 bytes -+ + b"000755" + SPACE + tarfile.NUL -+ # uid, space, null terminator: 8 bytes -+ + b"000001" + SPACE + tarfile.NUL -+ # gid, space, null terminator: 8 bytes -+ + b"000001" + SPACE + tarfile.NUL -+ # size, space: 12 bytes -+ + b"\xff" * 11 + SPACE -+ # mtime, space: 12 bytes -+ + tarfile.NUL * 11 + SPACE -+ # chksum: 8 bytes 
-+ + b"0011407" + tarfile.NUL -+ # type: 1 byte -+ + tarfile.REGTYPE -+ # linkname: 100 bytes -+ + tarfile.NUL * tarfile.LENGTH_LINK -+ # magic: 6 bytes, version: 2 bytes -+ + tarfile.POSIX_MAGIC -+ # uname: 32 bytes -+ + tarfile.NUL * 32 -+ # gname: 32 bytes -+ + tarfile.NUL * 32 -+ # devmajor, space, null terminator: 8 bytes -+ + tarfile.NUL * 6 + SPACE + tarfile.NUL -+ # devminor, space, null terminator: 8 bytes -+ + tarfile.NUL * 6 + SPACE + tarfile.NUL -+ # prefix: 155 bytes -+ + tarfile.NUL * tarfile.LENGTH_PREFIX -+ # padding: 12 bytes -+ + tarfile.NUL * 12 -+ ) -+ invalid_gnu_header = ( -+ # name: 100 bytes -+ tarfile.NUL * tarfile.LENGTH_NAME -+ # mode, null terminator: 8 bytes -+ + b"0000755" + tarfile.NUL -+ # uid, null terminator: 8 bytes -+ + b"0000001" + tarfile.NUL -+ # gid, space, null terminator: 8 bytes -+ + b"0000001" + tarfile.NUL -+ # size, space: 12 bytes -+ + b"\xff" * 11 + SPACE -+ # mtime, space: 12 bytes -+ + tarfile.NUL * 11 + SPACE -+ # chksum: 8 bytes -+ + b"0011327" + tarfile.NUL -+ # type: 1 byte -+ + tarfile.REGTYPE -+ # linkname: 100 bytes -+ + tarfile.NUL * tarfile.LENGTH_LINK -+ # magic: 8 bytes -+ + tarfile.GNU_MAGIC -+ # uname: 32 bytes -+ + tarfile.NUL * 32 -+ # gname: 32 bytes -+ + tarfile.NUL * 32 -+ # devmajor, null terminator: 8 bytes -+ + tarfile.NUL * 8 -+ # devminor, null terminator: 8 bytes -+ + tarfile.NUL * 8 -+ # padding: 167 bytes -+ + tarfile.NUL * 167 -+ ) -+ invalid_v7_header = ( -+ # name: 100 bytes -+ tarfile.NUL * tarfile.LENGTH_NAME -+ # mode, space, null terminator: 8 bytes -+ + b"000755" + SPACE + tarfile.NUL -+ # uid, space, null terminator: 8 bytes -+ + b"000001" + SPACE + tarfile.NUL -+ # gid, space, null terminator: 8 bytes -+ + b"000001" + SPACE + tarfile.NUL -+ # size, space: 12 bytes -+ + b"\xff" * 11 + SPACE -+ # mtime, space: 12 bytes -+ + tarfile.NUL * 11 + SPACE -+ # chksum: 8 bytes -+ + b"0010070" + tarfile.NUL -+ # type: 1 byte -+ + tarfile.REGTYPE -+ # linkname: 100 bytes -+ + tarfile.NUL * 
tarfile.LENGTH_LINK -+ # padding: 255 bytes -+ + tarfile.NUL * 255 -+ ) -+ valid_gnu_header = tarfile.TarInfo("filename").tobuf(tarfile.GNU_FORMAT) -+ data_block = b"\xff" * tarfile.BLOCKSIZE -+ -+ def _write_buffer(self, buffer): -+ with open(self.tarname, "wb") as f: -+ f.write(buffer) -+ -+ def _get_members(self, ignore_zeros=None): -+ with open(self.tarname, "rb") as f: -+ with tarfile.open( -+ mode="r", fileobj=f, ignore_zeros=ignore_zeros -+ ) as tar: -+ return tar.getmembers() -+ -+ def _assert_raises_read_error_exception(self): -+ with self.assertRaisesRegex( -+ tarfile.ReadError, "file could not be opened successfully" -+ ): -+ self._get_members() -+ -+ def test_invalid_offset_header_validations(self): -+ for tar_format, invalid_header in ( -+ ("posix", self.invalid_posix_header), -+ ("gnu", self.invalid_gnu_header), -+ ("v7", self.invalid_v7_header), -+ ): -+ with self.subTest(format=tar_format): -+ self._write_buffer(invalid_header) -+ self._assert_raises_read_error_exception() -+ -+ def test_early_stop_at_invalid_offset_header(self): -+ buffer = self.valid_gnu_header + self.invalid_gnu_header + self.valid_gnu_header -+ self._write_buffer(buffer) -+ members = self._get_members() -+ self.assertEqual(len(members), 1) -+ self.assertEqual(members[0].name, "filename") -+ self.assertEqual(members[0].offset, 0) -+ -+ def test_ignore_invalid_archive(self): -+ # 3 invalid headers with their respective data -+ buffer = (self.invalid_gnu_header + self.data_block) * 3 -+ self._write_buffer(buffer) -+ members = self._get_members(ignore_zeros=True) -+ self.assertEqual(len(members), 0) -+ -+ def test_ignore_invalid_offset_headers(self): -+ for first_block, second_block, expected_offset in ( -+ ( -+ (self.valid_gnu_header), -+ (self.invalid_gnu_header + self.data_block), -+ 0, -+ ), -+ ( -+ (self.invalid_gnu_header + self.data_block), -+ (self.valid_gnu_header), -+ 1024, -+ ), -+ ): -+ self._write_buffer(first_block + second_block) -+ members = 
self._get_members(ignore_zeros=True)
-+ self.assertEqual(len(members), 1)
-+ self.assertEqual(members[0].name, "filename")
-+ self.assertEqual(members[0].offset, expected_offset)
-+
-+
- def setUpModule():
- support.unlink(TEMPDIR)
- os.makedirs(TEMPDIR)
-Index: Python-3.9.23/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ Python-3.9.23/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst 2025-08-02 17:56:43.119864870 +0200
-@@ -0,0 +1,3 @@
-+:mod:`tarfile` now validates archives to ensure member offsets are
-+non-negative. (Contributed by Alexander Enrique Urieles Nieto in
-+:gh:`130577`.)
diff --git a/Python-3.9.23.tar.xz b/Python-3.9.23.tar.xz
deleted file mode 100644
index 1edf267..0000000
--- a/Python-3.9.23.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:61a42919e13d539f7673cf11d1c404380e28e540510860b9d242196e165709c9
-size 19659284
diff --git a/Python-3.9.23.tar.xz.sigstore b/Python-3.9.23.tar.xz.sigstore
deleted file mode 100644
index f3e8c70..0000000
--- a/Python-3.9.23.tar.xz.sigstore
+++ /dev/null
@@ -1 +0,0 @@ -{"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json", "verificationMaterial": {"certificate": {"rawBytes": "MIIC0DCCAlWgAwIBAgIUG229RKhIVHHNhr+bZV55P8F/JiYwCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjUwNjAzMTkyMDQ1WhcNMjUwNjAzMTkzMDQ1WjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEHAdkk3GmQSTLHaA3qgs8Mto97OSVbVhaNbzSF2eatgDIKJUkUF9BFqx+RKVYbHU5FQJHdwA5T67OfhaDYHiyaqOCAXQwggFwMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUaB0HmIo69ITnU91ryuyAKS4hsbgwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wHQYDVR0RAQH/BBMwEYEPbHVrYXN6QGxhbmdhLnBsMCwGCisGAQQBg78wAQEEHmh0dHBzOi8vZ2l0aHViLmNvbS9sb2dpbi9vYXV0aDAuBgorBgEEAYO/MAEIBCAMHmh0dHBzOi8vZ2l0aHViLmNvbS9sb2dpbi9vYXV0aDCBiwYKKwYBBAHWeQIEAgR9BHsAeQB3AN09MGrGxxEyYxkeHJlnNwKiSl643jyt/4eKcoAvKe6OAAABlzc9LZwAAAQDAEgwRgIhAKVxDJnomsWJaXHsKKu19qVvfaPnwK5YQXGoI9SKn+NJAiEA+CLl5/VDMS+UMV8Nh+89J2zcpcypEhw6C4tW1BCCuDAwCgYIKoZIzj0EAwMDaQAwZgIxAICtnwUolcM1gk7JBamvFMSw9K1YXhTaErgTVTlJK+pVy7GnuG9sFdBAo1cu2l8KpwIxAPa0s2b6co6pQfHxXbTADBsp4WT6YmiW7A+92JlwY87vD+7dP1rKzW3NWRZOE5BnqQ=="}, "tlogEntries": [{"logIndex": "228949549", "logId": {"keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="}, "kindVersion": {"kind": "hashedrekord", "version": "0.0.1"}, "integratedTime": "1748978445", "inclusionPromise": {"signedEntryTimestamp": "MEUCIQCNuRResQCE4b2mA5/+gTwctji/1qL67SbeaciSlgj6NQIgE7vY0Fdoem2aODoKaHoieIRo89rcg7mX2mZL3B/XYh8="}, "inclusionProof": {"logIndex": "107045287", "rootHash": "hgR6aB6kU+T1uo4iUx75tlIhKkYbUyPsHac2yhFgZpE=", "treeSize": "107045297", "hashes": ["31ltlTE5JIioyJ8rdH3OjwO9d3Us17sfd29GleLF5J0=", "AkqFsr2XZZPs2xu+kw64e2CheTwS6pgmH1DXBgpJfAo=", "LJsE/B9ZOF5PmmdxEQjiLmyHEEzfGmsX9HiXp3ZTiTU=", "VEnlDOQVZn3+NExF7G53geFQZYNf6U5DexkG4vgRlLQ=", "auvWhUrmnBq8g0KEcbAMvjyfrOYhAmiC5+yXjoBsGiw=", "8Cr3zC0dQe124OAQufmKfTZ8lnAYWQuw6AnXuy6DDMQ=", "tbcHjIX6G446NLcoiLw+hjALDmPwWWErWEOvrndCH7Q=", "Bj4reJ88xQpUq0P43RDNLi1sLcLaEeH443F87S4CHoc=", 
"mAX/zvx1jR0ujLtDApsQpHyxmoDGidClHMOn0BX1aQA=", "u5LKLBPTYgXZg0fBi6/8LuEeNy3EBAxJF0AkkB4Co6E=", "SPUVncwJRVX/n/RICCYqLpAzraqx7S0eMdXRr1RLRgg=", "uEJFtwcGQJMd9kjQhkXb7gl2WD3WMElCc15uDFvFGxs=", "VdOKzpQhJlpXgijzXANf/hNlje1G/N1kUuVnKNskkso=", "mta5fH/gFwxJ/0fT8yGpn3sFCY0G1RY555Iflm0LInM=", "7v8qPHNDLerpduaMx06eb/MwgoQwczTn/cYGKX/9wZ4="], "checkpoint": {"envelope": "rekor.sigstore.dev - 1193050959916656506\n107045297\nhgR6aB6kU+T1uo4iUx75tlIhKkYbUyPsHac2yhFgZpE=\n\n\u2014 rekor.sigstore.dev wNI9ajBFAiEAqS6BBP1515FNbJUk/993J1ftsTnoVvZ3qFtXGB5WT6cCIGjBPbInr7P6zATImuD6RaTQfWxcPpmcquKCZbAnIseq\n"}}, "canonicalizedBody": "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"}], "timestampVerificationData": {}}, "messageSignature": {"messageDigest": {"algorithm": "SHA2_256", "digest": "YaQpGeE9U592c88R0cQEOA4o5UBRCGC50kIZbhZXCck="}, "signature": "MEQCIERGEJTSDW9XcGIClVJUwW8W2y9GuTHBsIQz3LOiVE5GAiAaH6uSuPR6f/mDdystCRKeekygkVfoCx2zBFXeMECq4A=="}}
diff --git a/Python-3.9.24.tar.xz b/Python-3.9.24.tar.xz
new file mode 100644
index 0000000..962bcf2
--- /dev/null
+++ b/Python-3.9.24.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:668391afabd5083faafa4543753d190f82f33ce6ba22d6e9ac728b43644b278a
+size 20176216
diff --git a/Python-3.9.24.tar.xz.sigstore b/Python-3.9.24.tar.xz.sigstore
new file mode 100644
index 0000000..46b8ad5
--- /dev/null
+++ b/Python-3.9.24.tar.xz.sigstore
@@ -0,0 +1 @@ +{"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json", "verificationMaterial": {"certificate": {"rawBytes": "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"}, "tlogEntries": [{"logIndex": "597490354", "logId": {"keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="}, "kindVersion": {"kind": "hashedrekord", "version": "0.0.1"}, "integratedTime": "1760013619", "inclusionPromise": {"signedEntryTimestamp": "MEUCIAb40wGh1ztseI9BBY86I0ah8P4983EWJ5QtqsyD7tWWAiEAmCPsL0vrCvrm/zajIUlVzZ/NWW0kEjHFJk5XR+bUPIY="}, "inclusionProof": {"logIndex": "475586092", "rootHash": "gKgTH5eS9k2SUCoQcopHE+4F+U0tBp+n5nTE5kJatgQ=", "treeSize": "475586094", "hashes": ["JnuG6tFwRjh31ssfrULXX0EM6EgDKb/ESxDp2nObzAs=", "R3G5ETpA1x2NN+EpiCYQmQE49ioWrhA+bqub6yxk8nw=", "nhxC9B2j4yZZSHbBXHq0z+eLVPemMtv0Q94L6Dwwx8U=", "dmrDoQ/a4v0UsKdQnhhW0SW9EJO7NYXjihdJogGzgJs=", "Mx5p6Pjxdx4jeyljoyPJqio5/HuoDXt3VsGBKxo4h/U=", "ozwjpRC/chHKIVP1B+5ZxF6lhlftOEOfaUXH5TIP/Gg=", "xS6Mho1XDz30bzMrHeVbL1WVtsUsW8/91aa15y2oCa8=", "PlwzzkmGBQJUxByS0DKMURlgLQdfW+2lfQCGAIjlgkk=", "GDhIZR0BNnPq5tBSGD0X/jc3ecOF6kzwjg54z61Q7bg=", "aivWZ0d9X4kfaLqxl2h+DSSFA4OYi0wHqV94C0yFguM=", "qXhJobQjWl6SO/pue3trUW2uL4jXx24Ip7lpd4hc5bU=", "56ObhlROm9L8Q4JyN+mxEQ5pZD5QdobB1xZFIeL0lVg=", "EGaD/cNavzxGYLx1Gl0uNNWBZvyXlSHSdlIeH7m+63A=", "2Wv4GiithwNukRKV06clevnQQYCzXmSS/+/OJtXgsXQ=", "1mfy94KpcItqshH9+gwqV6jccupcaMpVsF28New8zDY=", "vS7O4ozHIQZJWBiov+mkpI27GE8zAmVCEkRcP3NDyNE="], "checkpoint": {"envelope": "rekor.sigstore.dev - 1193050959916656506\n475586094\ngKgTH5eS9k2SUCoQcopHE+4F+U0tBp+n5nTE5kJatgQ=\n\n\u2014 rekor.sigstore.dev wNI9ajBEAiACw0JCrZ/MG3tqbpRlB2A+S8Uu1S6an7Cd9yTjW1DzwwIgGv4xTwJ3cqoQVnLO8WNO8fYL/sxLlogjMUj/iJsvJBU=\n"}}, "canonicalizedBody": "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"}], "timestampVerificationData": {}}, "messageSignature": {"messageDigest": {"algorithm": "SHA2_256", "digest": "ZoORr6vVCD+q+kVDdT0ZD4LzPOa6ItbprHKLQ2RLJ4o="}, "signature": 
"MEQCIFlBjTZ0KZOBscdM/YAX7FKVJgI8jRFytwe1UCKrXVjNAiAvlNbxYr422BK9rHtSleVGBR4bAnODMSwxsEtlGVLmwA=="}}
diff --git a/python39.changes b/python39.changes
index cd9ee44..58ca0d3 100644
--- a/python39.changes
+++ b/python39.changes
@@ -1,3 +1,67 @@ +------------------------------------------------------------------- +Wed Oct 15 06:28:09 UTC 2025 - Daniel Garcia + +- Update to 3.9.24: + - Security + - gh-139700: Check consistency of the zip64 end of central + directory record. Support records with “zip64 extensible data” + if there are no bytes prepended to the ZIP file. + - gh-139400: xml.parsers.expat: Make sure that parent Expat + parsers are only garbage-collected once they are no longer + referenced by subparsers created by + ExternalEntityParserCreate(). Patch by Sebastian Pipping. + - gh-121227: Raise an SSL.SSLError if an empty protocols argument + is passed to ssl.SSLContext.set_npn_protocols() to fix + CVE-2024-5642. + - gh-135661: Fix parsing start and end tags in + html.parser.HTMLParser according to the HTML5 standard. + * Whitespaces no longer accepted between does not end the script section. + * Vertical tabulation (\v) and non-ASCII whitespaces no longer + recognized as whitespaces. The only whitespaces are \t\n\r\f + and space. + * Null character (U+0000) no longer ends the tag name. + * Attributes and slashes after the tag name in end tags are now + ignored, instead of terminating after the first > in quoted + attribute value. E.g. . + * Multiple slashes and whitespaces between the last attribute + and closing > are now ignored in both start and end tags. E.g. + . + * Multiple = between attribute name and value are no longer + collapsed. E.g. produces attribute “foo” with + value “=bar”. + - gh-135661: Fix CDATA section parsing in html.parser.HTMLParser + according to the HTML5 standard: ] ]> and ]] > no longer end the + CDATA section. Add private method _set_support_cdata() which can + be used to specify how to parse <[CDATA[ — as a CDATA section in + foreign content (SVG or MathML) or as a bogus comment in the + HTML namespace. + - gh-102555: Fix comment parsing in html.parser.HTMLParser + according to the HTML5 standard. --!> now ends the comment. 
-- > + no longer ends the comment. Support abnormally ended empty + comments <--> and <--->. + - gh-135462: Fix quadratic complexity in processing specially + crafted input in html.parser.HTMLParser. End-of-file errors are + now handled according to the HTML5 specs – comments and + declarations are automatically closed, tags are ignored. + - gh-118350: Fix support of escapable raw text mode (elements + “textarea” and “title”) in html.parser.HTMLParser. + - gh-86155: html.parser.HTMLParser.close() no longer loses data + when the