Accepting request 1290034 from devel:languages:python:Factory

- Add CVE-2025-6069-quad-complex-HTMLParser.patch to avoid worst
  case quadratic complexity when processing certain crafted
  malformed inputs with HTMLParser (CVE-2025-6069, bsc#1244705).

OBS-URL: https://build.opensuse.org/request/show/1290034
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python39?expand=0&rev=78

98437-sphinx.locale._-as-gettext-in-pyspecific.patch

@@ -10,9 +10,11 @@ Subject: [PATCH 1/2] fix(doc-tools): use sphinx.locale._ as gettext() for
  Misc/NEWS.d/next/Documentation/2022-10-19-07-15-52.gh-issue-98366.UskMXF.rst |    1 +
  2 files changed, 5 insertions(+), 4 deletions(-)
 
---- a/Doc/tools/extensions/pyspecific.py
-+++ b/Doc/tools/extensions/pyspecific.py
-@@ -26,7 +26,7 @@ try:
+Index: Python-3.9.22/Doc/tools/extensions/pyspecific.py
+===================================================================
+--- Python-3.9.22.orig/Doc/tools/extensions/pyspecific.py	2025-04-11 09:49:58.417019238 +0200
++++ Python-3.9.22/Doc/tools/extensions/pyspecific.py	2025-04-11 09:50:56.818993764 +0200
+@@ -27,7 +27,7 @@
      from sphinx.errors import NoUri
  except ImportError:
      from sphinx.environment import NoUri
@@ -21,7 +23,7 @@ Subject: [PATCH 1/2] fix(doc-tools): use sphinx.locale._ as gettext() for
  from sphinx.util import status_iterator, logging
  from sphinx.util.nodes import split_explicit_title
  from sphinx.writers.text import TextWriter, TextTranslator
-@@ -110,7 +110,7 @@ class ImplementationDetail(Directive):
+@@ -111,7 +111,7 @@
  
      def run(self):
          pnode = nodes.compound(classes=['impl-detail'])
@@ -30,7 +32,7 @@ Subject: [PATCH 1/2] fix(doc-tools): use sphinx.locale._ as gettext() for
          content = self.content
          add_text = nodes.strong(label, label)
          if self.arguments:
-@@ -179,7 +179,7 @@ class AuditEvent(Directive):
+@@ -180,7 +180,7 @@
          else:
              args = []
  
@@ -39,16 +41,18 @@ Subject: [PATCH 1/2] fix(doc-tools): use sphinx.locale._ as gettext() for
          text = label.format(name="``{}``".format(name),
                              args=", ".join("``{}``".format(a) for a in args if a))
  
-@@ -358,7 +358,7 @@ class DeprecatedRemoved(Directive):
+@@ -380,7 +380,7 @@
          else:
              label = self._removed_label
  
 -        label = translators['sphinx'].gettext(label)
 +        label = sphinx_gettext(label)
-         text = label.format(deprecated=self.arguments[0], removed=self.arguments[1])
+         text = label.format(deprecated=version[0], removed=version[1])
          if len(self.arguments) == 3:
              inodes, messages = self.state.inline_text(self.arguments[2],
---- /dev/null
-+++ b/Misc/NEWS.d/next/Documentation/2022-10-19-07-15-52.gh-issue-98366.UskMXF.rst
+Index: Python-3.9.22/Misc/NEWS.d/next/Documentation/2022-10-19-07-15-52.gh-issue-98366.UskMXF.rst
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ Python-3.9.22/Misc/NEWS.d/next/Documentation/2022-10-19-07-15-52.gh-issue-98366.UskMXF.rst	2025-04-11 09:50:08.952333342 +0200
 @@ -0,0 +1 @@
 +Use sphinx.locale._ as the gettext function in pyspecific.py.

CVE-2025-6069-quad-complex-HTMLParser.patch

@@ -0,0 +1,238 @@
+From 2a6869c71a3132eff9c7be96db9bdca48b3636aa Mon Sep 17 00:00:00 2001
+From: Serhiy Storchaka <storchaka@gmail.com>
+Date: Fri, 13 Jun 2025 19:57:48 +0300
+Subject: [PATCH] [3.9] gh-135462: Fix quadratic complexity in processing
+ special input in HTMLParser (GH-135464)
+
+End-of-file errors are now handled according to the HTML5 specs --
+comments and declarations are automatically closed, tags are ignored.
+(cherry picked from commit 6eb6c5dbfb528bd07d77b60fd71fd05d81d45c41)
+
+Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
+---
+ Lib/html/parser.py                                                       |   41 +++-
+ Lib/test/test_htmlparser.py                                              |   95 ++++++++--
+ Misc/NEWS.d/next/Security/2025-06-13-15-55-22.gh-issue-135462.KBeJpc.rst |    4 
+ 3 files changed, 117 insertions(+), 23 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2025-06-13-15-55-22.gh-issue-135462.KBeJpc.rst
+
+Index: Python-3.9.23/Lib/html/parser.py
+===================================================================
+--- Python-3.9.23.orig/Lib/html/parser.py	2025-07-02 18:10:23.763249887 +0200
++++ Python-3.9.23/Lib/html/parser.py	2025-07-02 18:10:29.124564834 +0200
+@@ -25,6 +25,7 @@
+ charref = re.compile('&#(?:[0-9]+|[xX][0-9a-fA-F]+)[^0-9a-fA-F]')
+ 
+ starttagopen = re.compile('<[a-zA-Z]')
++endtagopen = re.compile('</[a-zA-Z]')
+ piclose = re.compile('>')
+ commentclose = re.compile(r'--\s*>')
+ # Note:
+@@ -176,7 +177,7 @@
+                     k = self.parse_pi(i)
+                 elif startswith("<!", i):
+                     k = self.parse_html_declaration(i)
+-                elif (i + 1) < n:
++                elif (i + 1) < n or end:
+                     self.handle_data("<")
+                     k = i + 1
+                 else:
+@@ -184,17 +185,35 @@
+                 if k < 0:
+                     if not end:
+                         break
+-                    k = rawdata.find('>', i + 1)
+-                    if k < 0:
+-                        k = rawdata.find('<', i + 1)
+-                        if k < 0:
+-                            k = i + 1
++                    if starttagopen.match(rawdata, i):  # < + letter
++                        pass
++                    elif startswith("</", i):
++                        if i + 2 == n:
++                            self.handle_data("</")
++                        elif endtagopen.match(rawdata, i):  # </ + letter
++                            pass
++                        else:
++                            # bogus comment
++                            self.handle_comment(rawdata[i+2:])
++                    elif startswith("<!--", i):
++                        j = n
++                        for suffix in ("--!", "--", "-"):
++                            if rawdata.endswith(suffix, i+4):
++                                j -= len(suffix)
++                                break
++                        self.handle_comment(rawdata[i+4:j])
++                    elif startswith("<![CDATA[", i):
++                        self.unknown_decl(rawdata[i+3:])
++                    elif rawdata[i:i+9].lower() == '<!doctype':
++                        self.handle_decl(rawdata[i+2:])
++                    elif startswith("<!", i):
++                        # bogus comment
++                        self.handle_comment(rawdata[i+2:])
++                    elif startswith("<?", i):
++                        self.handle_pi(rawdata[i+2:])
+                     else:
+-                        k += 1
+-                    if self.convert_charrefs and not self.cdata_elem:
+-                        self.handle_data(unescape(rawdata[i:k]))
+-                    else:
+-                        self.handle_data(rawdata[i:k])
++                        raise AssertionError("we should not get here!")
++                    k = n
+                 i = self.updatepos(i, k)
+             elif startswith("&#", i):
+                 match = charref.match(rawdata, i)
+Index: Python-3.9.23/Lib/test/test_htmlparser.py
+===================================================================
+--- Python-3.9.23.orig/Lib/test/test_htmlparser.py	2025-07-02 18:10:25.136241201 +0200
++++ Python-3.9.23/Lib/test/test_htmlparser.py	2025-07-02 18:10:29.124805368 +0200
+@@ -4,6 +4,8 @@
+ import pprint
+ import unittest
+ 
++from test import support
++
+ 
+ class EventCollector(html.parser.HTMLParser):
+ 
+@@ -391,28 +393,34 @@
+                             ('data', '<'),
+                             ('starttag', 'bc<', [('a', None)]),
+                             ('endtag', 'html'),
+-                            ('data', '\n<img src="URL>'),
+-                            ('comment', '/img'),
+-                            ('endtag', 'html<')])
++                            ('data', '\n')])
+ 
+     def test_starttag_junk_chars(self):
++        self._run_check("<", [('data', '<')])
++        self._run_check("<>", [('data', '<>')])
++        self._run_check("< >", [('data', '< >')])
++        self._run_check("< ", [('data', '< ')])
+         self._run_check("</>", [])
++        self._run_check("<$>", [('data', '<$>')])
+         self._run_check("</$>", [('comment', '$')])
+         self._run_check("</", [('data', '</')])
+-        self._run_check("</a", [('data', '</a')])
++        self._run_check("</a", [])
++        self._run_check("</ a>", [('endtag', 'a')])
++        self._run_check("</ a", [('comment', ' a')])
+         self._run_check("<a<a>", [('starttag', 'a<a', [])])
+         self._run_check("</a<a>", [('endtag', 'a<a')])
+-        self._run_check("<!", [('data', '<!')])
+-        self._run_check("<a", [('data', '<a')])
+-        self._run_check("<a foo='bar'", [('data', "<a foo='bar'")])
+-        self._run_check("<a foo='bar", [('data', "<a foo='bar")])
+-        self._run_check("<a foo='>'", [('data', "<a foo='>'")])
+-        self._run_check("<a foo='>", [('data', "<a foo='>")])
++        self._run_check("<!", [('comment', '')])
++        self._run_check("<a", [])
++        self._run_check("<a foo='bar'", [])
++        self._run_check("<a foo='bar", [])
++        self._run_check("<a foo='>'", [])
++        self._run_check("<a foo='>", [])
+         self._run_check("<a$>", [('starttag', 'a$', [])])
+         self._run_check("<a$b>", [('starttag', 'a$b', [])])
+         self._run_check("<a$b/>", [('startendtag', 'a$b', [])])
+         self._run_check("<a$b  >", [('starttag', 'a$b', [])])
+         self._run_check("<a$b  />", [('startendtag', 'a$b', [])])
++        self._run_check("</a$b>", [('endtag', 'a$b')])
+ 
+     def test_slashes_in_starttag(self):
+         self._run_check('<a foo="var"/>', [('startendtag', 'a', [('foo', 'var')])])
+@@ -537,13 +545,56 @@
+         for html, expected in data:
+             self._run_check(html, expected)
+ 
+-    def test_broken_comments(self):
+-        html = ('<! not really a comment >'
++    def test_eof_in_comments(self):
++        data = [
++            ('<!--', [('comment', '')]),
++            ('<!---', [('comment', '')]),
++            ('<!----', [('comment', '')]),
++            ('<!-----', [('comment', '-')]),
++            ('<!------', [('comment', '--')]),
++            ('<!----!', [('comment', '')]),
++            ('<!---!', [('comment', '-!')]),
++            ('<!---!>', [('comment', '-!>')]),
++            ('<!--foo', [('comment', 'foo')]),
++            ('<!--foo-', [('comment', 'foo')]),
++            ('<!--foo--', [('comment', 'foo')]),
++            ('<!--foo--!', [('comment', 'foo')]),
++            ('<!--<!--', [('comment', '<!')]),
++            ('<!--<!--!', [('comment', '<!')]),
++        ]
++        for html, expected in data:
++            self._run_check(html, expected)
++
++    def test_eof_in_declarations(self):
++        data = [
++            ('<!', [('comment', '')]),
++            ('<!-', [('comment', '-')]),
++            ('<![', [('comment', '[')]),
++            ('<![CDATA[', [('unknown decl', 'CDATA[')]),
++            ('<![CDATA[x', [('unknown decl', 'CDATA[x')]),
++            ('<![CDATA[x]', [('unknown decl', 'CDATA[x]')]),
++            ('<![CDATA[x]]', [('unknown decl', 'CDATA[x]]')]),
++            ('<!DOCTYPE', [('decl', 'DOCTYPE')]),
++            ('<!DOCTYPE ', [('decl', 'DOCTYPE ')]),
++            ('<!DOCTYPE html', [('decl', 'DOCTYPE html')]),
++            ('<!DOCTYPE html ', [('decl', 'DOCTYPE html ')]),
++            ('<!DOCTYPE html PUBLIC', [('decl', 'DOCTYPE html PUBLIC')]),
++            ('<!DOCTYPE html PUBLIC "foo', [('decl', 'DOCTYPE html PUBLIC "foo')]),
++            ('<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "foo',
++             [('decl', 'DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "foo')]),
++        ]
++        for html, expected in data:
++            self._run_check(html, expected)
++
++    def test_bogus_comments(self):
++        html = ('<!ELEMENT br EMPTY>'
++                '<! not really a comment >'
+                 '<! not a comment either -->'
+                 '<! -- close enough -->'
+                 '<!><!<-- this was an empty comment>'
+                 '<!!! another bogus comment !!!>')
+         expected = [
++            ('comment', 'ELEMENT br EMPTY'),
+             ('comment', ' not really a comment '),
+             ('comment', ' not a comment either --'),
+             ('comment', ' -- close enough --'),
+@@ -598,6 +649,26 @@
+              ('endtag', 'a'), ('data', ' bar & baz')]
+         )
+ 
++    @support.requires_resource('cpu')
++    def test_eof_no_quadratic_complexity(self):
++        # Each of these examples used to take about an hour.
++        # Now they take a fraction of a second.
++        def check(source):
++            parser = html.parser.HTMLParser()
++            parser.feed(source)
++            parser.close()
++        n = 120_000
++        check("<a " * n)
++        check("<a a=" * n)
++        check("</a " * 14 * n)
++        check("</a a=" * 11 * n)
++        check("<!--" * 4 * n)
++        check("<!" * 60 * n)
++        check("<?" * 19 * n)
++        check("</$" * 15 * n)
++        check("<![CDATA[" * 9 * n)
++        check("<!doctype" * 35 * n)
++
+ 
+ class AttributesTestCase(TestCaseBase):
+ 
+Index: Python-3.9.23/Misc/NEWS.d/next/Security/2025-06-13-15-55-22.gh-issue-135462.KBeJpc.rst
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ Python-3.9.23/Misc/NEWS.d/next/Security/2025-06-13-15-55-22.gh-issue-135462.KBeJpc.rst	2025-07-02 18:10:29.125044785 +0200
+@@ -0,0 +1,4 @@
++Fix quadratic complexity in processing specially crafted input in
++:class:`html.parser.HTMLParser`. End-of-file errors are now handled according
++to the HTML5 specs -- comments and declarations are automatically closed,
++tags are ignored.

Python-3.9.20.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:6b281279efd85294d2d6993e173983a57464c0133956fbbb5536ec9646beaf0c
-size 19648968

Python-3.9.20.tar.xz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmbcKf0ACgkQsmmV4xAl
-BWh4rg//R5E1EjsifYqhLeIyT+JnrBvbTZeEcdxPXevsgilojYmrxBUKuXXViul0
-YZFaoDf6wjbHh6NMNgUpqcOH/5S/LsFZvuEcrw0jyGlMr0AMA4KLmNvQ9Wxf+wp4
-mUmhymQx555nVivsdPiziNnDwubZeA870ZllYEMWP5vXw7p2LbnlZvn7A+LSKjqM
-S/6xbiKYVexK3vHY/uG0xo4z24FySfvs0/PF11JfRJCxm9+bli7FmHOoFMwpOO6S
-caZLok4987YWOcPIPY6h+o2sFhDqHs8POGKd8k+0KQNQs5UbEQ4t/eKgnaoATkGn
-nfcAGXSjX5RSv5uXPzBUc0PulYo6EalIn1b5fu96La/FEg9GLMR/n9g75Fgm/j9L
-QGYu/DSaastY/c7Ot4QVyB6pxbQKjM438yneQrjhKBILGla4Crh1k6yRCx93j/TH
-hF9kiuRf7jtLIGTp0cnquELGnatmL1RhOySn/1Y+asMR+oK8d+XQab//w4VsAt7C
-SIfVXg25PUgZoaiYj/qIjLK9vkcj/EZ1IacivP5qBWb3O1E8gzSV8Z9duGT8Ef3P
-ch4M/pd6hefVVVfyCoazB3gwDs68O6U2BIRdYLRlet8AuKTBysQKFwOo3EcCMmJV
-W20KutPnERCzt8jeJdzFd0z3po9mvxNTKDLYaABtNI6NN00LcsM=
-=svjf
------END PGP SIGNATURE-----

Python-3.9.23.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:61a42919e13d539f7673cf11d1c404380e28e540510860b9d242196e165709c9
+size 19659284

python-3.3.0b1-test-posix_fadvise.patch

@@ -1,15 +0,0 @@
----
- Lib/test/test_posix.py |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/Lib/test/test_posix.py
-+++ b/Lib/test/test_posix.py
-@@ -422,7 +422,7 @@ class PosixTester(unittest.TestCase):
-     def test_posix_fadvise(self):
-         fd = os.open(support.TESTFN, os.O_RDONLY)
-         try:
--            posix.posix_fadvise(fd, 0, 0, posix.POSIX_FADV_WILLNEED)
-+            posix.posix_fadvise(fd, 0, 0, posix.POSIX_FADV_RANDOM)
-         finally:
-             os.close(fd)
- 

python39.changes

@@ -1,3 +1,190 @@
+-------------------------------------------------------------------
+Wed Jul  2 14:47:20 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Add CVE-2025-6069-quad-complex-HTMLParser.patch to avoid worst
+  case quadratic complexity when processing certain crafted
+  malformed inputs with HTMLParser (CVE-2025-6069, bsc#1244705).
+
+-------------------------------------------------------------------
+Mon Jun  9 16:14:05 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Update to 3.9.23:
+  - Security
+    - gh-135034: Fixes multiple issues that allowed tarfile
+      extraction filters (filter="data" and filter="tar")
+      to be bypassed using crafted symlinks and hard links.
+      Addresses CVE-2024-12718 (bsc#1244056), CVE-2025-4138
+      (bsc#1244059), CVE-2025-4330 (bsc#1244060), and
+      CVE-2025-4517 (bsc#1244032). Also addresses CVE-2025-4435
+      (gh#135034, bsc#1244061).
+    - gh-133767: Fix use-after-free in the “unicode-escape”
+      decoder with a non-“strict” error handler (CVE-2025-4516,
+      bsc#1243273).
+    - gh-128840: Short-circuit the processing of long IPv6
+      addresses early in ipaddress to prevent excessive memory
+      consumption and a minor denial-of-service.
+    - gh-80222: Fix bug in the folding of quoted strings
+      when flattening an email message using a modern email
+      policy. Previously when a quoted string was folded so
+      that it spanned more than one line, the surrounding
+      quotes and internal escapes would be omitted. This could
+      theoretically be used to spoof header lines using a
+      carefully constructed quoted string if the resulting
+      rendered email was transmitted or re-parsed.
+  - Library
+    - gh-128840: Fix parsing long IPv6 addresses with embedded
+      IPv4 address.
+    - gh-134062: ipaddress: fix collisions in __hash__() for
+      IPv4Network and IPv6Network objects.
+    - gh-123409: Fix ipaddress.IPv6Address.reverse_pointer output
+      according to RFC 3596, §2.5. Patch by Bénédikt Tran.
+    - bpo-43633: Improve the textual representation of
+      IPv4-mapped IPv6 addresses (RFC 4291 Sections 2.2, 2.5.5.2)
+      in ipaddress. Patch by Oleksandr Pavliuk.
+    - bpo-25264: os.path.realpath() now accepts a strict
+      keyword-only argument. When set to True, OSError is raised
+      if a path doesn’t exist or a symlink loop is encountered.
+- Remove upstreamed patches:
+  - CVE-2025-4516-DecodeError-handler.patch
+
+-------------------------------------------------------------------
+Thu May 22 13:01:17 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Add CVE-2025-4516-DecodeError-handler.patch fixing
+  CVE-2025-4516 (bsc#1243273) blocking DecodeError handling
+  vulnerability, which could lead to DoS.
+
+-------------------------------------------------------------------
+Sat May 10 11:38:21 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Remove python-3.3.0b1-test-posix_fadvise.patch (not needed
+  since kernel 3.6-rc1)
+
+-------------------------------------------------------------------
+Wed Apr  9 20:04:17 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Update to 3.9.22:
+  - gh-131809: Update bundled libexpat to 2.7.1
+  - gh-131261: Upgrade to libexpat 2.7.0
+  - gh-105704: When using urllib.parse.urlsplit() and
+    urllib.parse.urlparse() host parsing would not reject domain
+    names containing square brackets ([ and ]). Square brackets
+    are only valid for IPv6 and IPvFuture hosts according to RFC
+    3986 Section 3.2.2 (bsc#1236705, CVE-2025-0938,
+    gh#python/cpython#105704).
+  - gh-121284: Fix bug in the folding of rfc2047 encoded-words
+    when flattening an email message using a modern email
+    policy. Previously when an encoded-word was too long for
+    a line, it would be decoded, split across lines, and
+    re-encoded. But commas and other special characters in the
+    original text could be left unencoded and unquoted. This
+    could theoretically be used to spoof header lines using a
+    carefully constructed encoded-word if the resulting rendered
+    email was transmitted or re-parsed.
+  - gh-119511: Fix a potential denial of service in the imaplib
+    module. When connecting to a malicious server, it could
+    cause an arbitrary amount of memory to be allocated. On many
+    systems this is harmless as unused virtual memory is only
+    a mapping, but if this hit a virtual address size limit
+    it could lead to a MemoryError or other process crash. On
+    unusual systems or builds where all allocated memory is
+    touched and backed by actual ram or storage it could’ve
+    consumed resources doing so until similarly crashing.
+  - gh-121277: Writers of CPython’s documentation can now use
+    next as the version for the versionchanged, versionadded,
+    deprecated directives.
+- Remote upstreamed patch:
+  - CVE-2025-0938-sq-brackets-domain-names.patch
+
+-------------------------------------------------------------------
+Mon Mar 10 15:44:31 UTC 2025 - Bernhard Wiedemann <bwiedemann@suse.com>
+
+- Skip PGO with %want_reproducible_builds (bsc#1239210)
+
+-------------------------------------------------------------------
+Tue Feb  4 14:43:13 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Add CVE-2025-0938-sq-brackets-domain-names.patch which
+  disallows square brackets ([ and ]) in domain names for parsed
+  URLs (bsc#1236705, CVE-2025-0938, gh#python/cpython#105704)
+
+-------------------------------------------------------------------
+Wed Dec  4 19:51:41 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
+
+- Update to 3.9.21:
+  - Tests
+    - gh-125041: Re-enable skipped tests for zlib on the
+      s390x architecture: only skip checks of the compressed
+      bytes, which can be different between zlib’s software
+      implementation and the hardware-accelerated implementation.
+    - gh-109396: Fix test_socket.test_hmac_sha1() in FIPS
+      mode. Use a longer key: FIPS mode requires at least of at
+      least 112 bits. The previous key was only 32 bits. Patch by
+      Victor Stinner.
+    - gh-100454: Fix SSL tests CI for OpenSSL 3.1+
+  - Security
+    - gh-126623: Upgrade libexpat to 2.6.4
+    - gh-122792: Changed IPv4-mapped ipaddress.IPv6Address to
+      consistently use the mapped IPv4 address value for deciding
+      properties. Properties which have their behavior fixed are
+      is_multicast, is_reserved, is_link_local, is_global, and
+      is_unspecified (bsc#1233307, CVE-2024-11168).
+  - Library
+    - gh-124651: Properly quote template strings in venv
+      activation scripts (bsc#1232241, CVE-2024-9287).
+    - gh-103848: Add checks to ensure that [ bracketed ] hosts
+      found by urllib.parse.urlsplit() are of IPv6 or IPvFuture
+      format.
+  - Documentation
+    - gh-95588: Clarified the conflicting advice given in the ast
+      documentation about ast.literal_eval() being “safe” for use
+      on untrusted input while at the same time warning that it
+      can crash the process. The latter statement is true and is
+      deemed unfixable without a large amount of work unsuitable
+      for a bugfix. So we keep the warning and no longer claim
+      that literal_eval is safe.
+- Remove upstreamed patches:
+  - CVE-2024-11168-validation-IPv6-addrs.patch
+  - CVE-2024-9287-venv_path_unquoted.patch
+
+-------------------------------------------------------------------
+Thu Nov 14 07:06:20 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
+
+- Remove -IVendor/ from python-config boo#1231795
+
+-------------------------------------------------------------------
+Wed Nov 13 13:25:01 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
+
+- Add CVE-2024-11168-validation-IPv6-addrs.patch
+  fixing bsc#1233307 (CVE-2024-11168,
+  gh#python/cpython#103848): Improper validation of IPv6 and
+  IPvFuture addresses.
+
+-------------------------------------------------------------------
+Fri Nov  1 21:16:32 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
+
+- Update CVE-2024-9287-venv_path_unquoted.patch according to the
+  upstream PR gh#python/cpython!126301.
+
+-------------------------------------------------------------------
+Thu Oct 24 16:09:00 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
+
+- Add CVE-2024-9287-venv_path_unquoted.patch to properly quote
+  path names provided when creating a virtual environment
+  (bsc#1232241, CVE-2024-9287)
+
+-------------------------------------------------------------------
+Wed Oct  2 16:18:29 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
+
+- Drop .pyc files from docdir for reproducible builds
+  (bsc#1230906).
+
+-------------------------------------------------------------------
+Fri Sep 20 14:57:10 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
+
+- Add sphinx-802.patch to overcome working both with the most
+  recent and older Sphinx versions.
+
 -------------------------------------------------------------------
 Mon Sep  9 18:02:59 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
 
@@ -34,7 +221,7 @@ Mon Sep  9 18:02:59 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
       :class:`zipfile.Path` causing infinite loops (gh-122905) without breaking
       contents using legitimate characters (bsc#1229704, CVE-2024-8088).
     - gh-123067: Fix quadratic complexity in parsing ``"``-quoted cookie values
-      with backslashes by :mod:`http.cookies`.
+      with backslashes by :mod:`http.cookies` (bsc#1229596, CVE-2024-7592).
     - gh-121650: :mod:`email` headers with embedded newlines are now quoted on
       output. The :mod:`~email.generator` will now refuse to serialize (write)
       headers that are unsafely folded or delimited; see
@@ -76,8 +263,7 @@ Mon Sep  9 18:02:59 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
 Thu Sep  5 13:44:48 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
 
 - Add CVE-2024-6232-cookies-quad-complex.patch to avoid quadratic
-  complexity in parsing "-quoted cookie values with backslashes
-  (bsc#1229596, CVE-2024-6232).
+  complexity in parsing tarfile headers (bsc#1230227, CVE-2024-6232).
 
 -------------------------------------------------------------------
 Thu Sep  5 08:11:45 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
@@ -224,12 +410,12 @@ Fri Feb 23 01:06:42 UTC 2024 - Matej Cepl <mcepl@suse.com>
 - Repurpose skip-failing-tests.patch to increase timeout for
   test.test_asyncio.test_tasks.TimeoutTests.test_timeout_time,
   which fails on slow machines in IBS (s390x).
- 
+
 -------------------------------------------------------------------
 Tue Feb 20 22:14:02 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
 
 - Remove double definition of /usr/bin/idle%%{version} in
-  %%files. 
+  %%files.
 
 -------------------------------------------------------------------
 Thu Feb 15 10:29:07 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
@@ -368,7 +554,7 @@ Wed May  3 14:09:37 UTC 2023 - Matej Cepl <mcepl@suse.com>
 -------------------------------------------------------------------
 Tue Apr 18 05:00:11 UTC 2023 - Steve Kowalik <steven.kowalik@suse.com>
 
-- Use python3 modules to build the documentation. 
+- Use python3 modules to build the documentation.
 
 -------------------------------------------------------------------
 Wed Mar  1 14:43:31 UTC 2023 - Matej Cepl <mcepl@suse.com>
@@ -941,7 +1127,7 @@ Sat Mar 26 22:22:24 UTC 2022 - Matej Cepl <mcepl@suse.com>
 Tue Feb 22 05:53:06 UTC 2022 - Steve Kowalik <steven.kowalik@suse.com>
 
 - Add patch support-expat-245.patch:
-  * Support Expat >= 2.4.5 
+  * Support Expat >= 2.4.5
 
 -------------------------------------------------------------------
 Wed Jan 19 21:50:04 UTC 2022 - Matej Cepl <mcepl@suse.com>
@@ -1384,7 +1570,7 @@ Sat Jun  5 21:21:38 UTC 2021 - Matej Cepl <mcepl@suse.com>
 -------------------------------------------------------------------
 Fri Jun  4 21:36:30 UTC 2021 - Dirk Müller <dmueller@suse.com>
 
-- allow build with Sphinx >= 3.x 
+- allow build with Sphinx >= 3.x
 
 -------------------------------------------------------------------
 Wed Jun  2 13:12:04 UTC 2021 - Dan Čermák <dcermak@suse.com>
@@ -1936,7 +2122,7 @@ Sat Dec 12 14:29:33 UTC 2020 - Matej Cepl <mcepl@suse.com>
 Thu Dec 10 00:26:51 UTC 2020 - Benjamin Greiner <code@bnavigator.de>
 
 - Last try before this results in an editwar:
-  * remove importlib_resources and importlib-metadata 
+  * remove importlib_resources and importlib-metadata
     provides/obsoletes
   * import importlib_resources is not the same as
     import importlib.resources, same for metadata
@@ -2053,54 +2239,54 @@ Tue Jul 21 09:53:06 UTC 2020 - Callum Farmer <callumjfarmer13@gmail.com>
 - Removed CVE-2019-20907_tarfile-inf-loop.patch: fixed in upstream
 - Removed recursion.tar: contained in upstream
 - Update to 3.9.0b5:
-  - bpo-41304: Fixes python3x._pth being ignored on Windows, caused 
+  - bpo-41304: Fixes python3x._pth being ignored on Windows, caused
     by the fix for bpo-29778 (CVE-2020-15801).
   - bpo-41162: Audit hooks are now cleared later during
     finalization to avoid missing events.
-  - bpo-29778: Ensure python3.dll is loaded from correct locations 
+  - bpo-29778: Ensure python3.dll is loaded from correct locations
     when Python is embedded (CVE-2020-15523).
-  - bpo-39603: Prevent http header injection by rejecting control 
+  - bpo-39603: Prevent http header injection by rejecting control
     characters in http.client.putrequest(…).
   - bpo-41295: Resolve a regression in CPython 3.8.4 where defining
-    “__setattr__” in a multi-inheritance setup and 
+    “__setattr__” in a multi-inheritance setup and
     calling up the hierarchy chain could fail if builtins/extension
     types were involved in the base types.
-  - bpo-41247: Always cache the running loop holder when running 
+  - bpo-41247: Always cache the running loop holder when running
     asyncio.set_running_loop.
-  - bpo-41252: Fix incorrect refcounting in 
+  - bpo-41252: Fix incorrect refcounting in
     _ssl.c’s _servername_callback().
-  - bpo-41215: Use non-NULL default values in the PEG parser 
+  - bpo-41215: Use non-NULL default values in the PEG parser
     keyword list to overcome a bug that was '
     preventing Python from being properly compiled when using the
     XLC compiler. Patch by Pablo Galindo.
-  - bpo-41218: Python 3.8.3 had a regression where compiling with 
-    ast.PyCF_ALLOW_TOP_LEVEL_AWAIT would 
+  - bpo-41218: Python 3.8.3 had a regression where compiling with
+    ast.PyCF_ALLOW_TOP_LEVEL_AWAIT would
     aggressively mark list comprehension with CO_COROUTINE. Now only
     list comprehension making use of async/await will tagged as so.
-  - bpo-41175: Guard against a NULL pointer dereference within 
+  - bpo-41175: Guard against a NULL pointer dereference within
     bytearrayobject triggered by the bytearray() + bytearray() operation.
-  - bpo-39960: The “hackcheck” that prevents sneaking around a type’s 
-    __setattr__() by calling the superclass method was 
+  - bpo-39960: The “hackcheck” that prevents sneaking around a type’s
+    __setattr__() by calling the superclass method was
     rewritten to allow C implemented heap types.
-  - bpo-41288: Unpickling invalid NEWOBJ_EX opcode with the 
+  - bpo-41288: Unpickling invalid NEWOBJ_EX opcode with the
     C implementation raises now UnpicklingError instead of crashing.
-  - bpo-39017: Avoid infinite loop when reading specially crafted 
+  - bpo-39017: Avoid infinite loop when reading specially crafted
     TAR files using the tarfile module (CVE-2019-20907, bsc#1174091).
   - bpo-41235: Fix the error handling in ssl.SSLContext.load_dh_params().
-  - bpo-41207: In distutils.spawn, restore expectation that 
+  - bpo-41207: In distutils.spawn, restore expectation that
     DistutilsExecError is raised when the command is not found.
   - bpo-39168: Remove the __new__ method of typing.Generic.
-  - bpo-41194: Fix a crash in the _ast module: it can no longer be 
+  - bpo-41194: Fix a crash in the _ast module: it can no longer be
     loaded more than once. It now uses a global state rather than a module state.
-  - bpo-39384: Fixed email.contentmanager to allow set_content() to set a 
+  - bpo-39384: Fixed email.contentmanager to allow set_content() to set a
     null string.
-  - bpo-41300: Save files with non-ascii chars. 
+  - bpo-41300: Save files with non-ascii chars.
     Fix regression released in 3.9.0b4 and 3.8.4.
-  - bpo-37765: Add keywords to module name completion list. 
+  - bpo-37765: Add keywords to module name completion list.
     Rewrite Completions section of IDLE doc.
-  - bpo-40170: Revert PyType_HasFeature() change: it reads 
-    again directly the PyTypeObject.tp_flags 
-    member when the limited C API is not used, rather than always calling 
+  - bpo-40170: Revert PyType_HasFeature() change: it reads
+    again directly the PyTypeObject.tp_flags
+    member when the limited C API is not used, rather than always calling
     PyType_GetFlags() which hides implementation details.
 
 -------------------------------------------------------------------
@@ -2621,7 +2807,7 @@ Wed Jun  5 12:19:09 CEST 2019 - Matej Cepl <mcepl@suse.com>
     pickling costs between processes
   - typed_ast is merged back to CPython
   - LOAD_GLOBAL is now 40% faster
-  - pickle now uses Protocol 4 by default, improving performance 
+  - pickle now uses Protocol 4 by default, improving performance
 - Remove patches which were included in the upstream:
   - 00251-change-user-install-location.patch
   - 00316-mark-bdist_wininst-unsupported.patch
@@ -2766,7 +2952,7 @@ Mon Dec 17 17:24:49 CET 2018 - mcepl@suse.com
 
 - Upgrade to 3.7.2rc1:
     * bugfix release, for the full list of all changes see
-      https://docs.python.org/3.7/whatsnew/changelog.html#changelog 
+      https://docs.python.org/3.7/whatsnew/changelog.html#changelog
 - Make run of the test suite more verbose
 
 -------------------------------------------------------------------
@@ -3193,7 +3379,7 @@ Mon Mar 13 14:04:22 UTC 2017 - jmatejek@suse.com
 Sat Feb 25 20:55:57 UTC 2017 - bwiedemann@suse.com
 
 - Add 0001-allow-for-reproducible-builds-of-python-packages.patch
-  upstream https://github.com/python/cpython/pull/296 
+  upstream https://github.com/python/cpython/pull/296
 
 -------------------------------------------------------------------
 Wed Feb  8 12:30:20 UTC 2017 - jmatejek@suse.com
@@ -3259,7 +3445,7 @@ Mon Mar  7 20:38:11 UTC 2016 - toddrme2178@gmail.com
 
 - Add  Python-3.5.1-fix_lru_cache_copying.patch
   Fix copying the lru_cache() wrapper object.
-  Fixes deep-copying lru_cache regression, which worked on 
+  Fixes deep-copying lru_cache regression, which worked on
   previous versions of python but fails on python 3.5.
   This fixes a bunch of packages in devel:languages:python3.
   See: https://bugs.python.org/issue25447
@@ -3397,7 +3583,7 @@ Sun Jan 11 13:01:30 UTC 2015 - p.drouand@gmail.com
 -------------------------------------------------------------------
 Sat Oct 18 20:14:54 UTC 2014 - crrodriguez@opensuse.org
 
-- Only pkgconfig(x11) is required for build, not the whole 
+- Only pkgconfig(x11) is required for build, not the whole
   set of packages provided by xorg-x11-devel metapackage.
 
 -------------------------------------------------------------------
@@ -3457,7 +3643,7 @@ Wed Mar 26 15:24:46 UTC 2014 - jmatejek@suse.com
 -------------------------------------------------------------------
 Mon Mar 24 17:29:31 UTC 2014 - dmueller@suse.com
 
-- remove blacklisting of test_posix on aarch64: qemu bug is fixed 
+- remove blacklisting of test_posix on aarch64: qemu bug is fixed
 
 -------------------------------------------------------------------
 Mon Mar 17 18:26:58 UTC 2014 - jmatejek@suse.com
@@ -3560,7 +3746,7 @@ Tue Nov 19 14:28:41 UTC 2013 - jmatejek@suse.com
 -------------------------------------------------------------------
 Tue Oct 15 17:44:08 UTC 2013 - crrodriguez@opensuse.org
 
-- build with -DOPENSSL_LOAD_CONF for the same reasons 
+- build with -DOPENSSL_LOAD_CONF for the same reasons
   described in the python2 package.
 
 -------------------------------------------------------------------
@@ -3572,7 +3758,7 @@ Fri Aug 16 11:35:15 UTC 2013 - jmatejek@suse.com
 -------------------------------------------------------------------
 Thu Aug  8 14:54:49 UTC 2013 - dvaleev@suse.com
 
-- Exclue test_faulthandler from tests on powerpc due to bnc#831629 
+- Exclue test_faulthandler from tests on powerpc due to bnc#831629
 
 -------------------------------------------------------------------
 Thu Jun 13 15:05:34 UTC 2013 - jmatejek@suse.com
@@ -3631,7 +3817,7 @@ Fri Mar  1 07:42:21 UTC 2013 - dmueller@suse.com
 
 - add ctypes-libffi-aarch64.patch:
   * import aarch64 support for libffi in _ctypes module
-- add aarch64 to the list of lib64 based archs 
+- add aarch64 to the list of lib64 based archs
 - add movetogetdents64.diff:
   * port to getdents64, as SYS_getdents is not implemented everywhere
 
@@ -3685,9 +3871,9 @@ Mon Oct 29 18:21:45 UTC 2012 - dmueller@suse.com
 -------------------------------------------------------------------
 Thu Oct 25 08:14:36 UTC 2012 - Rene.vanPaassen@gmail.com
 
-- exclude test_math for SLE 11; math library fails on negative 
+- exclude test_math for SLE 11; math library fails on negative
   gamma function values close to integers and 0, probably
-  due to imprecision in -lm on SLE_11_SP2. 
+  due to imprecision in -lm on SLE_11_SP2.
 
 -------------------------------------------------------------------
 Tue Oct 16 12:15:34 UTC 2012 - coolo@suse.com
@@ -3711,7 +3897,7 @@ Mon Oct  1 08:53:03 UTC 2012 - idonmez@suse.com
 -------------------------------------------------------------------
 Thu Sep 27 12:35:01 UTC 2012 - idonmez@suse.com
 
-- Correct dependency for python3-testsuite, 
+- Correct dependency for python3-testsuite,
   python3-tkinter -> python3-tk
 
 -------------------------------------------------------------------
@@ -3744,7 +3930,7 @@ Fri Aug  3 12:09:34 UTC 2012 - jmatejek@suse.com
 -------------------------------------------------------------------
 Fri Jul 27 09:02:41 UTC 2012 - dvaleev@suse.com
 
-- skip test_io on ppc 
+- skip test_io on ppc
 - drop test_io ppc patch
 
 -------------------------------------------------------------------
@@ -3793,8 +3979,8 @@ Wed Jan 18 15:49:47 UTC 2012 - jmatejek@suse.com
 -------------------------------------------------------------------
 Sun Dec 25 13:25:01 UTC 2011 - idonmez@suse.com
 
-- Use system ffi, included one is broken see 
-  http://bugs.python.org/issue11729 and 
+- Use system ffi, included one is broken see
+  http://bugs.python.org/issue11729 and
   http://bugs.python.org/issue12081
 
 -------------------------------------------------------------------

python39.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package python39
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -36,7 +36,7 @@
 %bcond_without general
 %endif
 
-%if 0%{?do_profiling}
+%if 0%{?do_profiling} && !0%{?want_reproducible_builds}
 %bcond_without profileopt
 %else
 %bcond_with profileopt
@@ -99,13 +99,13 @@
 %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
 %bcond_without profileopt
 Name:           %{python_pkg_name}%{psuffix}
-Version:        3.9.20
+Version:        3.9.23
 Release:        0
 Summary:        Python 3 Interpreter
 License:        Python-2.0
 URL:            https://www.python.org/
 Source0:        https://www.python.org/ftp/python/%{folderversion}/%{tarname}.tar.xz
-Source1:        https://www.python.org/ftp/python/%{folderversion}/%{tarname}.tar.xz.asc
+Source1:        https://www.python.org/ftp/python/%{folderversion}/%{tarname}.tar.xz.sigstore
 Source2:        baselibs.conf
 Source3:        README.SUSE
 Source7:        macros.python3
@@ -134,10 +134,6 @@ Source100:      PACKAGING-NOTES
 # to /usr/local if executable is /usr/bin/python* and RPM build
 # is not detected to make pip and distutils install into separate location
 Patch02:        F00251-change-user-install-location.patch
-# PATCH-FEATURE-UPSTREAM decimal.patch bsc#1189356 mcepl@suse.com
-# fix building with mpdecimal
-# https://www.bytereef.org/contrib/decimal.diff
-Patch05:        decimal.patch
 # PATCH-FEATURE-UPSTREAM distutils-reproducible-compile.patch gh#python/cpython#8057 mcepl@suse.com
 # Improve reproduceability
 Patch06:        distutils-reproducible-compile.patch
@@ -145,8 +141,6 @@ Patch06:        distutils-reproducible-compile.patch
 Patch07:        python-3.3.0b1-localpath.patch
 # replace DATE, TIME and COMPILER by fixed definitions to aid reproducible builds
 Patch08:        python-3.3.0b1-fix_date_time_compiler.patch
-# POSIX_FADV_WILLNEED throws EINVAL. Use a different constant in test
-Patch09:        python-3.3.0b1-test-posix_fadvise.patch
 # Raise timeout value for test_subprocess
 Patch15:        subprocess-raise-timeout.patch
 Patch25:        python3-imp-returntype.patch
@@ -161,37 +155,46 @@ Patch33:        no-skipif-doctests.patch
 # PATCH-FIX-SLE skip-test_pyobject_freed_is_freed.patch mcepl@suse.com
 # skip a test failing on SLE-15
 Patch34:        skip-test_pyobject_freed_is_freed.patch
+# PATCH-FEATURE-UPSTREAM decimal.patch bsc#1189356 mcepl@suse.com
+# fix building with mpdecimal
+# https://www.bytereef.org/contrib/decimal.diff
+Patch35:        decimal.patch
 # PATCH-FIX-UPSTREAM support-expat-CVE-2022-25236-patched.patch jsc#SLE-21253 mcepl@suse.com
 # Makes Python resilient to changes of API of libexpat
-Patch35:        support-expat-CVE-2022-25236-patched.patch
+Patch40:        support-expat-CVE-2022-25236-patched.patch
 # PATCH-FIX-UPSTREAM CVE-2023-52425-libexpat-2.6.0-backport.patch gh#python/cpython#117187 mcepl@suse.com
 # Make the test suite work with libexpat < 2.6.0
-Patch36:        CVE-2023-52425-libexpat-2.6.0-backport.patch
+Patch41:        CVE-2023-52425-libexpat-2.6.0-backport.patch
 # PATCH-FIX-UPSTREAM 98437-sphinx.locale._-as-gettext-in-pyspecific.patch gh#python/cpython#98366 mcepl@suse.com
 # this patch makes things totally awesome
-Patch37:        98437-sphinx.locale._-as-gettext-in-pyspecific.patch
+Patch42:        98437-sphinx.locale._-as-gettext-in-pyspecific.patch
 # PATCH-FIX-UPSTREAM bpo-37596-make-set-marshalling.patch bsc#1211765 mcepl@suse.com
 # Make `set` and `frozenset` marshalling deterministic
-Patch38:        bpo-37596-make-set-marshalling.patch
+Patch43:        bpo-37596-make-set-marshalling.patch
 # PATCH-FIX-UPSTREAM gh-78214-marshal_stabilize_FLAG_REF.patch bsc#1213463 mcepl@suse.com
 # marshal: Stabilize FLAG_REF usage
-Patch39:        gh-78214-marshal_stabilize_FLAG_REF.patch
+Patch44:        gh-78214-marshal_stabilize_FLAG_REF.patch
 # PATCH-FIX-UPSTREAM 99366-patch.dict-can-decorate-async.patch bsc#[0-9]+ mcepl@suse.com
 # Patch for gh#python/cpython#98086
-Patch40:        99366-patch.dict-can-decorate-async.patch
+Patch45:        99366-patch.dict-can-decorate-async.patch
 # PATCH-FIX-OPENSUSE downport-Sphinx-features.patch mcepl@suse.com
 # Make documentation build with older Sphinx
-Patch41:        downport-Sphinx-features.patch
+Patch46:        downport-Sphinx-features.patch
 # PATCH-FIX-UPSTREAM bso1227999-reproducible-builds.patch bsc#1227999 mcepl@suse.com
 # reproducibility patches
-Patch46:        bso1227999-reproducible-builds.patch
+Patch47:        bso1227999-reproducible-builds.patch
 # PATCH-FIX-UPSTREAM CVE-2024-5642-OpenSSL-API-buf-overread-NPN.patch bsc#1227233 mcepl@suse.com
 # Remove for support for anything but OpenSSL 1.1.1 or newer
 Patch48:        CVE-2024-5642-OpenSSL-API-buf-overread-NPN.patch
 # PATCH-FIX-UPSTREAM gh120226-fix-sendfile-test-kernel-610.patch gh#python/cpython#120226 mcepl@suse.com
 # Fix test_sendfile_close_peer_in_the_middle_of_receiving on Linux >= 6.10 (GH-120227)
 Patch50:        gh120226-fix-sendfile-test-kernel-610.patch
-
+# PATCH-FIX-UPSTREAM sphinx-802.patch mcepl@suse.com
+# status_iterator method moved between the Sphinx versions
+Patch51:        sphinx-802.patch
+# PATCH-FIX-UPSTREAM CVE-2025-6069-quad-complex-HTMLParser.patch bsc#1244705 mcepl@suse.com
+# avoid quadratic complexity when processing malformed inputs with HTMLParser
+Patch52:        CVE-2025-6069-quad-complex-HTMLParser.patch
 BuildRequires:  autoconf-archive
 BuildRequires:  automake
 BuildRequires:  fdupes
@@ -430,34 +433,40 @@ other applications.
 
 %prep
 %setup -q -n %{tarname}
-%patch -P 02 -p1
-%patch -P 06 -p1
-%patch -P 07 -p1
-%patch -P 08 -p1
-%patch -P 09 -p1
-%patch -P 15 -p1
-%patch -P 25 -p1
-%patch -P 29 -p1
-%patch -P 32 -p1
+
+%patch -p1 -P 02
+%patch -p1 -P 06
+%patch -p1 -P 07
+%patch -p1 -P 08
+%patch -p1 -P 15
+%patch -p1 -P 25
+%patch -p1 -P 29
+%patch -p1 -P 32
+
 %if 0%{?sle_version}
-%patch -P 33 -p1
-%patch -P 34 -p1
+%patch -p1 -P 33
+%patch -p1 -P 34
 %endif
 %if %{with mpdecimal}
-%patch -P 05 -p1
+%patch -p1 -P 35
 %endif
-%patch -P 35 -p1
-%patch -P 36 -p1
-%patch -P 37 -p1
-%patch -P 38 -p1
-%patch -P 39 -p1
-%patch -P 40 -p1
-%if 0%{?sle_version} && 0%{?sle_version} <= 150500
+
+%patch -p1 -P 40
 %patch -p1 -P 41
-%endif
+%patch -p1 -P 42
+%patch -p1 -P 43
+%patch -p1 -P 44
+%patch -p1 -P 45
+
+%if 0%{?sle_version} && 0%{?sle_version} <= 150500
 %patch -p1 -P 46
+%endif
+
+%patch -p1 -P 47
 %patch -p1 -P 48
 %patch -p1 -P 50
+%patch -p1 -P 51
+%patch -p1 -P 52
 
 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
@@ -764,6 +773,9 @@ install -m 755 -D Tools/gdb/libpython.py %{buildroot}%{_datadir}/gdb/auto-load/%
 # install devel files to /config
 #cp Makefile Makefile.pre.in Makefile.pre $RPM_BUILD_ROOT%{sitedir}/config-%{python_abi}/
 
+# Remove -IVendor/ from python-config boo#1231795
+sed -i 's/-IVendor\///' %{buildroot}%{_bindir}/python%{python_abi}-config
+
 # RPM macros
 %if %{primary_interpreter}
 mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d/
@@ -792,6 +804,11 @@ LD_LIBRARY_PATH=. ./python -O -c "from py_compile import compile; compile('$FAIL
 echo %{sitedir}/_import_failed > %{buildroot}/%{sitedir}/site-packages/zzzz-import-failed-hooks.pth
 %endif
 
+# For the purposes of reproducibility, it is necessary to eliminate any *.pyc files inside documentation dirs
+if [ -d %{buildroot}%{_defaultdocdir} ] ; then
+find %{buildroot}%{_defaultdocdir} -type f -name \*.pyc -ls -exec rm -vf '{}' \;
+fi
+
 %if %{with general}
 %files -n %{python_pkg_name}-tk
 %{sitedir}/tkinter

sphinx-802.patch

@@ -0,0 +1,30 @@
+---
+ Doc/tools/extensions/pyspecific.py |   10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/Doc/tools/extensions/pyspecific.py
++++ b/Doc/tools/extensions/pyspecific.py
+@@ -28,7 +28,13 @@ try:
+ except ImportError:
+     from sphinx.environment import NoUri
+ from sphinx.locale import _ as sphinx_gettext
+-from sphinx.util import status_iterator, logging
++try:
++    from sphinx.util.display import status_iterator
++except ImportError:
++    # This method was moved into sphinx.util.display in Sphinx 6.1.0. Before
++    # that it resided in sphinx.util.
++    from sphinx.util import status_iterator
++from sphinx.util import logging
+ from sphinx.util.nodes import split_explicit_title
+ from sphinx.writers.text import TextWriter, TextTranslator
+ from sphinx.writers.latex import LaTeXTranslator
+@@ -338,7 +344,7 @@ class PyAbstractMethod(PyMethod):
+ def expand_version_arg(argument, release):
+     """Expand "next" to the current version"""
+     if argument == 'next':
+-        return translators['sphinx'].gettext('{} (unreleased)').format(release)
++        return sphinx_gettext('{} (unreleased)').format(release)
+     return argument
+ 
+ 

sphinx-update-removed-function.patch

@@ -2,9 +2,11 @@
  Doc/tools/extensions/pyspecific.py |    7 ++++++-
  1 file changed, 6 insertions(+), 1 deletion(-)
 
---- a/Doc/tools/extensions/pyspecific.py
-+++ b/Doc/tools/extensions/pyspecific.py
-@@ -385,7 +385,12 @@ class DeprecatedRemoved(Directive):
+Index: Python-3.9.22/Doc/tools/extensions/pyspecific.py
+===================================================================
+--- Python-3.9.22.orig/Doc/tools/extensions/pyspecific.py	2025-04-08 17:21:55.000000000 +0200
++++ Python-3.9.22/Doc/tools/extensions/pyspecific.py	2025-04-11 09:49:58.417019238 +0200
+@@ -407,7 +407,12 @@
                                     translatable=False)
              node.append(para)
          env = self.state.document.settings.env