diff --git a/CVE-2023-52425-libexpat-2.6.0-backport.patch b/CVE-2023-52425-libexpat-2.6.0-backport.patch
index 299dc3e..3fa1594 100644
--- a/CVE-2023-52425-libexpat-2.6.0-backport.patch
+++ b/CVE-2023-52425-libexpat-2.6.0-backport.patch
@@ -4,9 +4,11 @@
Lib/test/test_xml_etree.py | 7 +++++++
3 files changed, 14 insertions(+)
---- a/Lib/test/test_pyexpat.py
-+++ b/Lib/test/test_pyexpat.py
-@@ -766,6 +766,10 @@ class ReparseDeferralTest(unittest.TestC
+Index: Python-3.9.25/Lib/test/test_pyexpat.py
+===================================================================
+--- Python-3.9.25.orig/Lib/test/test_pyexpat.py 2025-12-11 22:43:38.646411669 +0100
++++ Python-3.9.25/Lib/test/test_pyexpat.py 2025-12-11 22:43:57.288891858 +0100
+@@ -802,6 +802,10 @@
self.assertEqual(started, ['doc'])
def test_reparse_deferral_disabled(self):
@@ -17,9 +19,11 @@
started = []
def start_element(name, _):
---- a/Lib/test/test_sax.py
-+++ b/Lib/test/test_sax.py
-@@ -1236,6 +1236,9 @@ class ExpatReaderTest(XmlTestBase):
+Index: Python-3.9.25/Lib/test/test_sax.py
+===================================================================
+--- Python-3.9.25.orig/Lib/test/test_sax.py 2025-12-11 22:43:38.675498657 +0100
++++ Python-3.9.25/Lib/test/test_sax.py 2025-12-11 22:43:57.289349463 +0100
+@@ -1236,6 +1236,9 @@
self.assertEqual(result.getvalue(), start + b"")
@@ -29,9 +33,11 @@
def test_flush_reparse_deferral_disabled(self):
result = BytesIO()
xmlgen = XMLGenerator(result)
---- a/Lib/test/test_xml_etree.py
-+++ b/Lib/test/test_xml_etree.py
-@@ -1416,9 +1416,13 @@ class XMLPullParserTest(unittest.TestCas
+Index: Python-3.9.25/Lib/test/test_xml_etree.py
+===================================================================
+--- Python-3.9.25.orig/Lib/test/test_xml_etree.py 2025-12-11 22:43:38.988627336 +0100
++++ Python-3.9.25/Lib/test/test_xml_etree.py 2025-12-11 22:43:57.289604596 +0100
+@@ -1416,9 +1416,13 @@
self.assert_event_tags(parser, [('end', 'root')])
self.assertIsNone(parser.close())
@@ -45,7 +51,7 @@
def test_simple_xml_chunk_5(self):
self.test_simple_xml(chunk_size=5, flush=True)
-@@ -1643,6 +1647,9 @@ class XMLPullParserTest(unittest.TestCas
+@@ -1643,6 +1647,9 @@
self.assert_event_tags(parser, [('end', 'doc')])
diff --git a/CVE-2025-6075-expandvars-perf-degrad.patch b/CVE-2025-6075-expandvars-perf-degrad.patch
deleted file mode 100644
index b77d74b..0000000
--- a/CVE-2025-6075-expandvars-perf-degrad.patch
+++ /dev/null
@@ -1,385 +0,0 @@
-From 8b8e68d3dc95f454f58fdd8aac10848facb1491d Mon Sep 17 00:00:00 2001
-From: Serhiy Storchaka
-Date: Fri, 31 Oct 2025 15:49:51 +0200
-Subject: [PATCH 1/2] [3.9] gh-136065: Fix quadratic complexity in
- os.path.expandvars() (GH-134952) (cherry picked from commit
- f029e8db626ddc6e3a3beea4eff511a71aaceb5c)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Co-authored-by: Serhiy Storchaka
-Co-authored-by: Łukasz Langa
----
- Lib/ntpath.py | 126 +++-------
- Lib/posixpath.py | 43 +--
- Lib/test/test_genericpath.py | 19 +
- Lib/test/test_ntpath.py | 23 +
- Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst | 1
- 5 files changed, 96 insertions(+), 116 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst
-
-Index: Python-3.9.24/Lib/ntpath.py
-===================================================================
---- Python-3.9.24.orig/Lib/ntpath.py 2025-11-21 12:52:18.350673347 +0100
-+++ Python-3.9.24/Lib/ntpath.py 2025-11-21 12:52:34.076133325 +0100
-@@ -335,17 +335,23 @@
- # XXX With COMMAND.COM you can use any characters in a variable name,
- # XXX except '^|<>='.
-
-+_varpattern = r"'[^']*'?|%(%|[^%]*%?)|\$(\$|[-\w]+|\{[^}]*\}?)"
-+_varsub = None
-+_varsubb = None
-+
- def expandvars(path):
- """Expand shell variables of the forms $var, ${var} and %var%.
-
- Unknown variables are left unchanged."""
- path = os.fspath(path)
-+ global _varsub, _varsubb
- if isinstance(path, bytes):
- if b'$' not in path and b'%' not in path:
- return path
-- import string
-- varchars = bytes(string.ascii_letters + string.digits + '_-', 'ascii')
-- quote = b'\''
-+ if not _varsubb:
-+ import re
-+ _varsubb = re.compile(_varpattern.encode(), re.ASCII).sub
-+ sub = _varsubb
- percent = b'%'
- brace = b'{'
- rbrace = b'}'
-@@ -354,94 +360,44 @@
- else:
- if '$' not in path and '%' not in path:
- return path
-- import string
-- varchars = string.ascii_letters + string.digits + '_-'
-- quote = '\''
-+ if not _varsub:
-+ import re
-+ _varsub = re.compile(_varpattern, re.ASCII).sub
-+ sub = _varsub
- percent = '%'
- brace = '{'
- rbrace = '}'
- dollar = '$'
- environ = os.environ
-- res = path[:0]
-- index = 0
-- pathlen = len(path)
-- while index < pathlen:
-- c = path[index:index+1]
-- if c == quote: # no expansion within single quotes
-- path = path[index + 1:]
-- pathlen = len(path)
-- try:
-- index = path.index(c)
-- res += c + path[:index + 1]
-- except ValueError:
-- res += c + path
-- index = pathlen - 1
-- elif c == percent: # variable or '%'
-- if path[index + 1:index + 2] == percent:
-- res += c
-- index += 1
-- else:
-- path = path[index+1:]
-- pathlen = len(path)
-- try:
-- index = path.index(percent)
-- except ValueError:
-- res += percent + path
-- index = pathlen - 1
-- else:
-- var = path[:index]
-- try:
-- if environ is None:
-- value = os.fsencode(os.environ[os.fsdecode(var)])
-- else:
-- value = environ[var]
-- except KeyError:
-- value = percent + var + percent
-- res += value
-- elif c == dollar: # variable or '$$'
-- if path[index + 1:index + 2] == dollar:
-- res += c
-- index += 1
-- elif path[index + 1:index + 2] == brace:
-- path = path[index+2:]
-- pathlen = len(path)
-- try:
-- index = path.index(rbrace)
-- except ValueError:
-- res += dollar + brace + path
-- index = pathlen - 1
-- else:
-- var = path[:index]
-- try:
-- if environ is None:
-- value = os.fsencode(os.environ[os.fsdecode(var)])
-- else:
-- value = environ[var]
-- except KeyError:
-- value = dollar + brace + var + rbrace
-- res += value
-- else:
-- var = path[:0]
-- index += 1
-- c = path[index:index + 1]
-- while c and c in varchars:
-- var += c
-- index += 1
-- c = path[index:index + 1]
-- try:
-- if environ is None:
-- value = os.fsencode(os.environ[os.fsdecode(var)])
-- else:
-- value = environ[var]
-- except KeyError:
-- value = dollar + var
-- res += value
-- if c:
-- index -= 1
-+
-+ def repl(m):
-+ lastindex = m.lastindex
-+ if lastindex is None:
-+ return m[0]
-+ name = m[lastindex]
-+ if lastindex == 1:
-+ if name == percent:
-+ return name
-+ if not name.endswith(percent):
-+ return m[0]
-+ name = name[:-1]
- else:
-- res += c
-- index += 1
-- return res
-+ if name == dollar:
-+ return name
-+ if name.startswith(brace):
-+ if not name.endswith(rbrace):
-+ return m[0]
-+ name = name[1:-1]
-+
-+ try:
-+ if environ is None:
-+ return os.fsencode(os.environ[os.fsdecode(name)])
-+ else:
-+ return environ[name]
-+ except KeyError:
-+ return m[0]
-+
-+ return sub(repl, path)
-
-
- # Normalize a path, e.g. A//B, A/./B and A/foo/../B all become A\B.
-Index: Python-3.9.24/Lib/posixpath.py
-===================================================================
---- Python-3.9.24.orig/Lib/posixpath.py 2025-11-21 12:52:18.388628236 +0100
-+++ Python-3.9.24/Lib/posixpath.py 2025-11-21 12:52:34.076301225 +0100
-@@ -275,42 +275,41 @@
- # This expands the forms $variable and ${variable} only.
- # Non-existent variables are left unchanged.
-
--_varprog = None
--_varprogb = None
-+_varpattern = r'\$(\w+|\{[^}]*\}?)'
-+_varsub = None
-+_varsubb = None
-
- def expandvars(path):
- """Expand shell variables of form $var and ${var}. Unknown variables
- are left unchanged."""
- path = os.fspath(path)
-- global _varprog, _varprogb
-+ global _varsub, _varsubb
- if isinstance(path, bytes):
- if b'$' not in path:
- return path
-- if not _varprogb:
-+ if not _varsubb:
- import re
-- _varprogb = re.compile(br'\$(\w+|\{[^}]*\})', re.ASCII)
-- search = _varprogb.search
-+ _varsubb = re.compile(_varpattern.encode(), re.ASCII).sub
-+ sub = _varsubb
- start = b'{'
- end = b'}'
- environ = getattr(os, 'environb', None)
- else:
- if '$' not in path:
- return path
-- if not _varprog:
-+ if not _varsub:
- import re
-- _varprog = re.compile(r'\$(\w+|\{[^}]*\})', re.ASCII)
-- search = _varprog.search
-+ _varsub = re.compile(_varpattern, re.ASCII).sub
-+ sub = _varsub
- start = '{'
- end = '}'
- environ = os.environ
-- i = 0
-- while True:
-- m = search(path, i)
-- if not m:
-- break
-- i, j = m.span(0)
-- name = m.group(1)
-- if name.startswith(start) and name.endswith(end):
-+
-+ def repl(m):
-+ name = m[1]
-+ if name.startswith(start):
-+ if not name.endswith(end):
-+ return m[0]
- name = name[1:-1]
- try:
- if environ is None:
-@@ -318,13 +317,11 @@
- else:
- value = environ[name]
- except KeyError:
-- i = j
-+ return m[0]
- else:
-- tail = path[j:]
-- path = path[:i] + value
-- i = len(path)
-- path += tail
-- return path
-+ return value
-+
-+ return sub(repl, path)
-
-
- # Normalize a path, e.g. A//B, A/./B and A/foo/../B all become A/B.
-Index: Python-3.9.24/Lib/test/test_genericpath.py
-===================================================================
---- Python-3.9.24.orig/Lib/test/test_genericpath.py 2025-11-21 12:52:19.232406542 +0100
-+++ Python-3.9.24/Lib/test/test_genericpath.py 2025-11-21 12:52:34.077309462 +0100
-@@ -9,7 +9,7 @@
- import warnings
- from test import support
- from test.support.script_helper import assert_python_ok
--from test.support import FakePath
-+from test.support import FakePath, EnvironmentVarGuard
-
-
- def create_file(filename, data=b'foo'):
-@@ -374,7 +374,7 @@
-
- def test_expandvars(self):
- expandvars = self.pathmodule.expandvars
-- with support.EnvironmentVarGuard() as env:
-+ with EnvironmentVarGuard() as env:
- env.clear()
- env["foo"] = "bar"
- env["{foo"] = "baz1"
-@@ -408,7 +408,7 @@
- expandvars = self.pathmodule.expandvars
- def check(value, expected):
- self.assertEqual(expandvars(value), expected)
-- with support.EnvironmentVarGuard() as env:
-+ with EnvironmentVarGuard() as env:
- env.clear()
- nonascii = support.FS_NONASCII
- env['spam'] = nonascii
-@@ -429,6 +429,19 @@
- os.fsencode('$bar%s bar' % nonascii))
- check(b'$spam}bar', os.fsencode('%s}bar' % nonascii))
-
-+ @support.requires_resource('cpu')
-+ def test_expandvars_large(self):
-+ expandvars = self.pathmodule.expandvars
-+ with EnvironmentVarGuard() as env:
-+ env.clear()
-+ env["A"] = "B"
-+ n = 100_000
-+ self.assertEqual(expandvars('$A'*n), 'B'*n)
-+ self.assertEqual(expandvars('${A}'*n), 'B'*n)
-+ self.assertEqual(expandvars('$A!'*n), 'B!'*n)
-+ self.assertEqual(expandvars('${A}A'*n), 'BA'*n)
-+ self.assertEqual(expandvars('${'*10*n), '${'*10*n)
-+
- def test_abspath(self):
- self.assertIn("foo", self.pathmodule.abspath("foo"))
- with warnings.catch_warnings():
-Index: Python-3.9.24/Lib/test/test_ntpath.py
-===================================================================
---- Python-3.9.24.orig/Lib/test/test_ntpath.py 2025-11-21 12:52:19.665352116 +0100
-+++ Python-3.9.24/Lib/test/test_ntpath.py 2025-11-21 12:52:34.077441463 +0100
-@@ -1,11 +1,10 @@
- import ntpath
- import os
--import subprocess
- import sys
- import unittest
- import warnings
- from ntpath import ALLOW_MISSING
--from test.support import TestFailed, FakePath
-+from test.support import TestFailed, FakePath, EnvironmentVarGuard
- from test import support, test_genericpath
- from tempfile import TemporaryFile
-
-@@ -642,7 +641,7 @@
- ntpath.realpath("file.txt", **kwargs))
-
- def test_expandvars(self):
-- with support.EnvironmentVarGuard() as env:
-+ with EnvironmentVarGuard() as env:
- env.clear()
- env["foo"] = "bar"
- env["{foo"] = "baz1"
-@@ -671,7 +670,7 @@
- def test_expandvars_nonascii(self):
- def check(value, expected):
- tester('ntpath.expandvars(%r)' % value, expected)
-- with support.EnvironmentVarGuard() as env:
-+ with EnvironmentVarGuard() as env:
- env.clear()
- nonascii = support.FS_NONASCII
- env['spam'] = nonascii
-@@ -687,10 +686,23 @@
- check('%spam%bar', '%sbar' % nonascii)
- check('%{}%bar'.format(nonascii), 'ham%sbar' % nonascii)
-
-+ @support.requires_resource('cpu')
-+ def test_expandvars_large(self):
-+ expandvars = ntpath.expandvars
-+ with EnvironmentVarGuard() as env:
-+ env.clear()
-+ env["A"] = "B"
-+ n = 100_000
-+ self.assertEqual(expandvars('%A%'*n), 'B'*n)
-+ self.assertEqual(expandvars('%A%A'*n), 'BA'*n)
-+ self.assertEqual(expandvars("''"*n + '%%'), "''"*n + '%')
-+ self.assertEqual(expandvars("%%"*n), "%"*n)
-+ self.assertEqual(expandvars("$$"*n), "$"*n)
-+
- def test_expanduser(self):
- tester('ntpath.expanduser("test")', 'test')
-
-- with support.EnvironmentVarGuard() as env:
-+ with EnvironmentVarGuard() as env:
- env.clear()
- tester('ntpath.expanduser("~test")', '~test')
-
-@@ -908,6 +920,7 @@
- self.assertIsInstance(b_final_path, bytes)
- self.assertGreater(len(b_final_path), 0)
-
-+
- class NtCommonTest(test_genericpath.CommonTest, unittest.TestCase):
- pathmodule = ntpath
- attributes = ['relpath']
-Index: Python-3.9.24/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ Python-3.9.24/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst 2025-11-21 12:52:34.076771610 +0100
-@@ -0,0 +1 @@
-+Fix quadratic complexity in :func:`os.path.expandvars`.
diff --git a/Python-3.9.24.tar.xz b/Python-3.9.24.tar.xz
deleted file mode 100644
index 962bcf2..0000000
--- a/Python-3.9.24.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:668391afabd5083faafa4543753d190f82f33ce6ba22d6e9ac728b43644b278a
-size 20176216
diff --git a/Python-3.9.24.tar.xz.sigstore b/Python-3.9.24.tar.xz.sigstore
deleted file mode 100644
index 46b8ad5..0000000
--- a/Python-3.9.24.tar.xz.sigstore
+++ /dev/null
@@ -1 +0,0 @@
-{"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json", "verificationMaterial": {"certificate": {"rawBytes": "MIICzjCCAlSgAwIBAgIUWUQZdrlPpYck5mBa5p/erkhWfVEwCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjUxMDA5MTI0MDE5WhcNMjUxMDA5MTI1MDE5WjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwTfhkUPkWQYRXgJJLSSh9G4rT7+j6+rS6dHBDvvKixE46/x1FMOSgLKo6A8iHnpQ/kPm8uFvYnWxujVq4S0PhqOCAXMwggFvMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQU3yQFVdjJqb+Kw/3MQTpHDpBXbS0wHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wHQYDVR0RAQH/BBMwEYEPbHVrYXN6QGxhbmdhLnBsMCwGCisGAQQBg78wAQEEHmh0dHBzOi8vZ2l0aHViLmNvbS9sb2dpbi9vYXV0aDAuBgorBgEEAYO/MAEIBCAMHmh0dHBzOi8vZ2l0aHViLmNvbS9sb2dpbi9vYXV0aDCBigYKKwYBBAHWeQIEAgR8BHoAeAB2AN09MGrGxxEyYxkeHJlnNwKiSl643jyt/4eKcoAvKe6OAAABmcj8kSMAAAQDAEcwRQIhALKTMOxAFvHDvYKLeaw3HoTfbHMK727w8GN5s4XBsvAdAiAmbuJY8VgFLdgV/Vp8ZKkHIndltHPmf9cm9g1TwWN1tTAKBggqhkjOPQQDAwNoADBlAjEApwnH/TqWUsWTIfgmobddn3e5dLnj3wR4CvhCP57zl/1ezrRJdr5zpVjyUIRqT09eAjAyTWTpTbQRzC/0mQYxIB9O1dfr0oNhFXwXWvoS9LAoKo4t7LJtnoBUaU9NL85U6vE="}, "tlogEntries": [{"logIndex": "597490354", "logId": {"keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="}, "kindVersion": {"kind": "hashedrekord", "version": "0.0.1"}, "integratedTime": "1760013619", "inclusionPromise": {"signedEntryTimestamp": "MEUCIAb40wGh1ztseI9BBY86I0ah8P4983EWJ5QtqsyD7tWWAiEAmCPsL0vrCvrm/zajIUlVzZ/NWW0kEjHFJk5XR+bUPIY="}, "inclusionProof": {"logIndex": "475586092", "rootHash": "gKgTH5eS9k2SUCoQcopHE+4F+U0tBp+n5nTE5kJatgQ=", "treeSize": "475586094", "hashes": ["JnuG6tFwRjh31ssfrULXX0EM6EgDKb/ESxDp2nObzAs=", "R3G5ETpA1x2NN+EpiCYQmQE49ioWrhA+bqub6yxk8nw=", "nhxC9B2j4yZZSHbBXHq0z+eLVPemMtv0Q94L6Dwwx8U=", "dmrDoQ/a4v0UsKdQnhhW0SW9EJO7NYXjihdJogGzgJs=", "Mx5p6Pjxdx4jeyljoyPJqio5/HuoDXt3VsGBKxo4h/U=", "ozwjpRC/chHKIVP1B+5ZxF6lhlftOEOfaUXH5TIP/Gg=", "xS6Mho1XDz30bzMrHeVbL1WVtsUsW8/91aa15y2oCa8=", "PlwzzkmGBQJUxByS0DKMURlgLQdfW+2lfQCGAIjlgkk=", "GDhIZR0BNnPq5tBSGD0X/jc3ecOF6kzwjg54z61Q7bg=", "aivWZ0d9X4kfaLqxl2h+DSSFA4OYi0wHqV94C0yFguM=", "qXhJobQjWl6SO/pue3trUW2uL4jXx24Ip7lpd4hc5bU=", "56ObhlROm9L8Q4JyN+mxEQ5pZD5QdobB1xZFIeL0lVg=", "EGaD/cNavzxGYLx1Gl0uNNWBZvyXlSHSdlIeH7m+63A=", "2Wv4GiithwNukRKV06clevnQQYCzXmSS/+/OJtXgsXQ=", "1mfy94KpcItqshH9+gwqV6jccupcaMpVsF28New8zDY=", "vS7O4ozHIQZJWBiov+mkpI27GE8zAmVCEkRcP3NDyNE="], "checkpoint": {"envelope": "rekor.sigstore.dev - 1193050959916656506\n475586094\ngKgTH5eS9k2SUCoQcopHE+4F+U0tBp+n5nTE5kJatgQ=\n\n\u2014 rekor.sigstore.dev wNI9ajBEAiACw0JCrZ/MG3tqbpRlB2A+S8Uu1S6an7Cd9yTjW1DzwwIgGv4xTwJ3cqoQVnLO8WNO8fYL/sxLlogjMUj/iJsvJBU=\n"}}, "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI2NjgzOTFhZmFiZDUwODNmYWFmYTQ1NDM3NTNkMTkwZjgyZjMzY2U2YmEyMmQ2ZTlhYzcyOGI0MzY0NGIyNzhhIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FUUNJRmxCalRaMEtaT0JzY2RNL1lBWDdGS1ZKZ0k4alJGeXR3ZTFVQ0tyWFZqTkFpQXZsTmJ4WXI0MjJCSzlySHRTbGVWR0JSNGJBbk9ETVN3eHNFdGxHVkxtd0E9PSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVTjZha05EUVd4VFowRjNTVUpCWjBsVlYxVlJXbVJ5YkZCd1dXTnJOVzFDWVRWd0wyVnlhMmhYWmxaRmQwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RucEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWpSM1NFRlpSRlpSVVVSRmVGWjZZVmRrZW1SSE9YbGFVekZ3WW01U2JBcGpiVEZzV2tkc2FHUkhWWGRJYUdOT1RXcFZlRTFFUVRWTlZFa3dUVVJGTlZkb1kwNU5hbFY0VFVSQk5VMVVTVEZOUkVVMVYycEJRVTFHYTNkRmQxbElDa3R2V2tsNmFqQkRRVkZaU1V0dldrbDZhakJFUVZGalJGRm5RVVYzVkdab2ExVlFhMWRSV1ZKWVowcEtURk5UYURsSE5ISlVOeXRxTml0eVV6WmtTRUlLUkhaMlMybDRSVFEyTDNneFJrMVBVMmRNUzI4MlFUaHBTRzV3VVM5clVHMDRkVVoyV1c1WGVIVnFWbkUwVXpCUWFIRlBRMEZZVFhkblowWjJUVUUwUndwQk1WVmtSSGRGUWk5M1VVVkJkMGxJWjBSQlZFSm5UbFpJVTFWRlJFUkJTMEpuWjNKQ1owVkdRbEZqUkVGNlFXUkNaMDVXU0ZFMFJVWm5VVlV6ZVZGR0NsWmtha3B4WWl0TGR5OHpUVkZVY0VoRWNFSllZbE13ZDBoM1dVUldVakJxUWtKbmQwWnZRVlV6T1ZCd2VqRlphMFZhWWpWeFRtcHdTMFpYYVhocE5Ga0tXa1E0ZDBoUldVUldVakJTUVZGSUwwSkNUWGRGV1VWUVlraFdjbGxZVGpaUlIzaG9ZbTFrYUV4dVFuTk5RM2RIUTJselIwRlJVVUpuTnpoM1FWRkZSUXBJYldnd1pFaENlazlwT0haYU1td3dZVWhXYVV4dFRuWmlVemx6WWpKa2NHSnBPWFpaV0ZZd1lVUkJkVUpuYjNKQ1owVkZRVmxQTDAxQlJVbENRMEZOQ2todGFEQmtTRUo2VDJrNGRsb3liREJoU0ZacFRHMU9kbUpUT1hOaU1tUndZbWs1ZGxsWVZqQmhSRU5DYVdkWlMwdDNXVUpDUVVoWFpWRkpSVUZuVWpnS1FraHZRV1ZCUWpKQlRqQTVUVWR5UjNoNFJYbFplR3RsU0Vwc2JrNTNTMmxUYkRZME0ycDVkQzgwWlV0amIwRjJTMlUyVDBGQlFVSnRZMm80YTFOTlFRcEJRVkZFUVVWamQxSlJTV2hCVEV0VVRVOTRRVVoyU0VSMldVdE1aV0YzTTBodlZHWmlTRTFMTnpJM2R6aEhUalZ6TkZoQ2MzWkJaRUZwUVcxaWRVcFpDamhXWjBaTVpHZFdMMVp3T0ZwTGEwaEpibVJzZEVoUWJXWTVZMjA1WnpGVWQxZE9NWFJVUVV0Q1oyZHhhR3RxVDFCUlVVUkJkMDV2UVVSQ2JFRnFSVUVLY0hkdVNDOVVjVmRWYzFkVVNXWm5iVzlpWkdSdU0yVTFaRXh1YWpOM1VqUkRkbWhEVURVM2Vtd3ZNV1Y2Y2xKS1pISTFlbkJXYW5sVlNWSnhWREE1WlFwQmFrRjVWRmRVY0ZSaVVWSjZReTh3YlZGWmVFbENPVTh4WkdaeU1HOU9hRVpZZDFoWGRtOVRPVXhCYjB0dk5IUTNURXAwYm05Q1ZXRlZPVTVNT0RWVkNqWjJSVDBLTFMwdExTMUZUa1FnUTBWU1ZFbEdTVU5CVkVVdExTMHRMUW89In19fX0="}], "timestampVerificationData": {}}, "messageSignature": {"messageDigest": {"algorithm": "SHA2_256", "digest": "ZoORr6vVCD+q+kVDdT0ZD4LzPOa6ItbprHKLQ2RLJ4o="}, "signature": "MEQCIFlBjTZ0KZOBscdM/YAX7FKVJgI8jRFytwe1UCKrXVjNAiAvlNbxYr422BK9rHtSleVGBR4bAnODMSwxsEtlGVLmwA=="}}
diff --git a/Python-3.9.25.tar.xz b/Python-3.9.25.tar.xz
new file mode 100644
index 0000000..6d20e1c
--- /dev/null
+++ b/Python-3.9.25.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:00e07d7c0f2f0cc002432d1ee84d2a40dae404a99303e3f97701c10966c91834
+size 20183236
diff --git a/Python-3.9.25.tar.xz.sigstore b/Python-3.9.25.tar.xz.sigstore
new file mode 100644
index 0000000..d9ef591
--- /dev/null
+++ b/Python-3.9.25.tar.xz.sigstore
@@ -0,0 +1 @@
+{"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json", "verificationMaterial": {"certificate": {"rawBytes": "MIIC0DCCAlWgAwIBAgIUSE8YjcZE7qIfcXBmon9sjs/bXigwCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjUxMDMxMTkxODA3WhcNMjUxMDMxMTkyODA3WjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEA6yjGoTGSk/DNRQrYu24vtllO2P4q+8Xs5gAvqAlpLFRbiwV+LQ0Y3K8dL9l/YQdEebQw2VubMtCT7+/Fces56OCAXQwggFwMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUrGjN+BE6kS9LHFAI7LP28090YSUwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wHQYDVR0RAQH/BBMwEYEPbHVrYXN6QGxhbmdhLnBsMCwGCisGAQQBg78wAQEEHmh0dHBzOi8vZ2l0aHViLmNvbS9sb2dpbi9vYXV0aDAuBgorBgEEAYO/MAEIBCAMHmh0dHBzOi8vZ2l0aHViLmNvbS9sb2dpbi9vYXV0aDCBiwYKKwYBBAHWeQIEAgR9BHsAeQB3AN09MGrGxxEyYxkeHJlnNwKiSl643jyt/4eKcoAvKe6OAAABmju0qy8AAAQDAEgwRgIhAL8ki3tJadNid476A1p76OYVlhU7oycSBfcb5c3sLBZlAiEA2DHNTGfm/RYMKD3MZJu4j07lZDhI1SowuffssaBa7SowCgYIKoZIzj0EAwMDaQAwZgIxAJ8ecVP937zDRwWrWm6G2aVPfUBuNFlOQNN8WcTiM71UeNruq/v41bBq4lieQBPLvAIxAMe+gAbYU814Bm4wjQKabB092Ff7VqMrcQJmXheVoGjxR9I8qQVQDPbZ/7Y56KuMjg=="}, "tlogEntries": [{"logIndex": "659720914", "logId": {"keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="}, "kindVersion": {"kind": "hashedrekord", "version": "0.0.1"}, "integratedTime": "1761938287", "inclusionPromise": {"signedEntryTimestamp": "MEUCICrwfHdwexG/Qr84ewj9clbARXxmYZucbxIn3RtqhfvnAiEAtFpc1qNHFTRAw3rgkCQF0TbXim9GjtfMP++wXdc0xV8="}, "inclusionProof": {"logIndex": "537816652", "rootHash": "uAmIjgEWa1Prxhbgpq4AVHAYs9tcFoPVCqhADl7hkxw=", "treeSize": "537816656", "hashes": ["1GcTRuaf7HBx7wSuJepnaN/c16ao3rDe4wcx2xgmtgI=", "wRwBCCkRrnqj2K31QN11BulchNPNQ/3qMjBjH+POb9Q=", "eLMkow2jrdQ16nZSOirBTbMp+aK1J5XEhB8cMCxV54w=", "2XnvavAYnz6HeFp47zGVixDVw9UKzEa/rAMvDokG/XI=", "Tcg9oMtlCt5IseDMYwJlGVFWs6szf8unhGeKKyfqO5Y=", "A8seTLu7kTbMAJ1cUoLozJ0srg0iqfcXWtkBfDql73c=", "0IWU0DIrPXMesfpziQPOfXvOzypQi5RdfiGC0yc82TQ=", "HBFY0+pnCZ5MZlMHYju3w04YQ4fT8ZwKSyphuyiB2gI=", "9LKIZw4E60SFTmf7kyxOI4nnrmBKpgsna8qyyZXFByQ=", "xXgiWsHpKch5sCDqiyapE8Y4IaCiugvET/gbAlT7J0g=", "O8hbSCVKSgRMpZP5kiaj7oBr3lQGbv88a8kC00l01U0=", "zBKCztkD58rVBdsrjIwb0OpR9WQ3jF3gMUf45Asi/ic=", "I5zfwl40tjYU6vN8rB+1grSG1Hs9d3ti2wGD+3H11lw=", "T4DqWD42hAtN+vX8jKCWqoC4meE4JekI9LxYGCcPy1M="], "checkpoint": {"envelope": "rekor.sigstore.dev - 1193050959916656506\n537816656\nuAmIjgEWa1Prxhbgpq4AVHAYs9tcFoPVCqhADl7hkxw=\n\n\u2014 rekor.sigstore.dev wNI9ajBEAiB8WofOFSi5xDqkjrYGIoc98Ey3JE75qsSOVSUs+san9wIgEPE10ILmZ+M+Wy5hNisqcejbQkdAIky9DFYAVpLezrA=\n"}}, "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiIwMGUwN2Q3YzBmMmYwY2MwMDI0MzJkMWVlODRkMmE0MGRhZTQwNGE5OTMwM2UzZjk3NzAxYzEwOTY2YzkxODM0In19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FVUNJUUQvbjltUmppS0MyOGJsMmpKRkZVU1Z1SUFrd1A3emdZVzd1OGRRaHR6MUpBSWdUVzNHUEdqS2Nvcm14S3ZtMzNRamhRdmdOV1ovc1g0cW1ES0o4K21yWWI0PSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVTXdSRU5EUVd4WFowRjNTVUpCWjBsVlUwVTRXV3BqV2tVM2NVbG1ZMWhDYlc5dU9YTnFjeTlpV0dsbmQwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RucEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWpSM1NFRlpSRlpSVVVSRmVGWjZZVmRrZW1SSE9YbGFVekZ3WW01U2JBcGpiVEZzV2tkc2FHUkhWWGRJYUdOT1RXcFZlRTFFVFhoTlZHdDRUMFJCTTFkb1kwNU5hbFY0VFVSTmVFMVVhM2xQUkVFelYycEJRVTFHYTNkRmQxbElDa3R2V2tsNmFqQkRRVkZaU1V0dldrbDZhakJFUVZGalJGRm5RVVZCTm5scVIyOVVSMU5yTDBST1VsRnlXWFV5TkhaMGJHeFBNbEEwY1NzNFdITTFaMEVLZG5GQmJIQk1SbEppYVhkV0sweFJNRmt6U3poa1REbHNMMWxSWkVWbFlsRjNNbFoxWWsxMFExUTNLeTlHWTJWek5UWlBRMEZZVVhkblowWjNUVUUwUndwQk1WVmtSSGRGUWk5M1VVVkJkMGxJWjBSQlZFSm5UbFpJVTFWRlJFUkJTMEpuWjNKQ1owVkdRbEZqUkVGNlFXUkNaMDVXU0ZFMFJVWm5VVlZ5UjJwT0NpdENSVFpyVXpsTVNFWkJTVGRNVURJNE1Ea3dXVk5WZDBoM1dVUldVakJxUWtKbmQwWnZRVlV6T1ZCd2VqRlphMFZhWWpWeFRtcHdTMFpYYVhocE5Ga0tXa1E0ZDBoUldVUldVakJTUVZGSUwwSkNUWGRGV1VWUVlraFdjbGxZVGpaUlIzaG9ZbTFrYUV4dVFuTk5RM2RIUTJselIwRlJVVUpuTnpoM1FWRkZSUXBJYldnd1pFaENlazlwT0haYU1td3dZVWhXYVV4dFRuWmlVemx6WWpKa2NHSnBPWFpaV0ZZd1lVUkJkVUpuYjNKQ1owVkZRVmxQTDAxQlJVbENRMEZOQ2todGFEQmtTRUo2VDJrNGRsb3liREJoU0ZacFRHMU9kbUpUT1hOaU1tUndZbWs1ZGxsWVZqQmhSRU5DYVhkWlMwdDNXVUpDUVVoWFpWRkpSVUZuVWprS1FraHpRV1ZSUWpOQlRqQTVUVWR5UjNoNFJYbFplR3RsU0Vwc2JrNTNTMmxUYkRZME0ycDVkQzgwWlV0amIwRjJTMlUyVDBGQlFVSnRhblV3Y1hrNFFRcEJRVkZFUVVWbmQxSm5TV2hCVERocmFUTjBTbUZrVG1sa05EYzJRVEZ3TnpaUFdWWnNhRlUzYjNsalUwSm1ZMkkxWXpOelRFSmFiRUZwUlVFeVJFaE9DbFJIWm0wdlVsbE5TMFF6VFZwS2RUUnFNRGRzV2tSb1NURlRiM2QxWm1aemMyRkNZVGRUYjNkRFoxbEpTMjlhU1hwcU1FVkJkMDFFWVZGQmQxcG5TWGdLUVVvNFpXTldVRGt6TjNwRVVuZFhjbGR0TmtjeVlWWlFabFZDZFU1R2JFOVJUazQ0VjJOVWFVMDNNVlZsVG5KMWNTOTJOREZpUW5FMGJHbGxVVUpRVEFwMlFVbDRRVTFsSzJkQllsbFZPREUwUW0wMGQycFJTMkZpUWpBNU1rWm1OMVp4VFhKalVVcHRXR2hsVm05SGFuaFNPVWs0Y1ZGV1VVUlFZbG92TjFrMUNqWkxkVTFxWnowOUNpMHRMUzB0UlU1RUlFTkZVbFJKUmtsRFFWUkZMUzB0TFMwSyJ9fX19"}], "timestampVerificationData": {}}, "messageSignature": {"messageDigest": {"algorithm": "SHA2_256", "digest": "AOB9fA8vDMACQy0e6E0qQNrkBKmTA+P5dwHBCWbJGDQ="}, "signature": "MEUCIQD/n9mRjiKC28bl2jJFFUSVuIAkwP7zgYW7u8dQhtz1JAIgTW3GPGjKcormxKvm33QjhQvgNWZ/sX4qmDKJ8+mrYb4="}}
diff --git a/python39.changes b/python39.changes
index 916ccde..7a2e99a 100644
--- a/python39.changes
+++ b/python39.changes
@@ -1,3 +1,33 @@
+-------------------------------------------------------------------
+Thu Dec 11 21:44:35 UTC 2025 - Matej Cepl
+
+* Update to 3.9.25:
+- Security
+ - gh-137836: Add support of the “plaintext” element, RAWTEXT
+ elements “xmp”, “iframe”, “noembed” and “noframes”, and
+ optionally RAWTEXT element “noscript” in
+ html.parser.HTMLParser.
+ - gh-136063: email.message: ensure linear complexity for
+ legacy HTTP parameters parsing. Patch by Bénédikt Tran.
+ - gh-136065: Fix quadratic complexity in
+ os.path.expandvars() (CVE-2025-6075, bsc#1252974).
+- Library
+ - gh-98793: Fix argument typechecks in
+ _overlapped.WSAConnect() and
+ _overlapped.Overlapped.WSASendTo() functions. bpo-44817:
+ Ignore WinError 53 (ERROR_BAD_NETPATH), 65
+ (ERROR_NETWORK_ACCESS_DENIED) and 161 (ERROR_BAD_PATHNAME)
+ when using ntpath.realpath().
+- Core and Builtins
+ - gh-120384: Fix an array out of bounds crash in
+ list_ass_subscript, which could be invoked via some
+ specificly tailored input: including concurrent
+ modification of a list object, where one thread assigns
+ a slice and another clears it.
+ - gh-120298: Fix use-after free in list_richcompare_impl
+ which can be invoked via some specificly tailored evil
+ input.
+
-------------------------------------------------------------------
Thu Nov 13 17:13:03 UTC 2025 - Matej Cepl
diff --git a/python39.spec b/python39.spec
index 31f5e8e..6c0fd26 100644
--- a/python39.spec
+++ b/python39.spec
@@ -99,7 +99,7 @@
%define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
%bcond_without profileopt
Name: %{python_pkg_name}%{psuffix}
-Version: 3.9.24
+Version: 3.9.25
Release: 0
Summary: Python 3 Interpreter
License: Python-2.0
@@ -194,9 +194,6 @@ Patch50: gh120226-fix-sendfile-test-kernel-610.patch
Patch51: sphinx-802.patch
# PATCH-FIX-OPENSUSE gh139257-Support-docutils-0.22.patch gh#python/cpython#139257 daniel.garcia@suse.com
Patch52: gh139257-Support-docutils-0.22.patch
-# PATCH-FIX-UPSTREAM CVE-2025-6075-expandvars-perf-degrad.patch bsc#1252974 mcepl@suse.com
-# Avoid potential quadratic complexity vulnerabilities in path modules
-Patch53: CVE-2025-6075-expandvars-perf-degrad.patch
BuildRequires: autoconf-archive
BuildRequires: automake
BuildRequires: fdupes