diff --git a/.gitignore b/.gitignore
index c53326a..315bf3c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -41,3 +41,4 @@
 /urllib3-1.26.17.tar.gz
 /urllib3-1.26.18.tar.gz
 /urllib3-1.26.19.tar.gz
+/urllib3-2.0.7.tar.gz
diff --git a/python-urllib3.spec b/python-urllib3.spec
index 7acc053..54c5ec8 100644
--- a/python-urllib3.spec
+++ b/python-urllib3.spec
@@ -9,7 +9,7 @@
 %endif
 
 Name:           python-urllib3
-Version:        1.26.19
+Version:        2.0.7
 Release:        %autorelease
 Summary:        HTTP library with thread-safe connection pooling, file post, and more
 
@@ -26,27 +26,25 @@ BuildRequires:  python3-devel
 # Test dependencies are listed only in dev-requirements.txt. Because there are
 # linters and coverage tools mixed in, and exact versions are pinned, we resort
 # to manual listing.
-# mock==3.0.5: patched out in %%prep
-# coverage~=6.0;python_version>="3.6": omitted linter/coverage tool
-# tornado==6.1.0;python_version>="3.6"
-BuildRequires:  %{py3_dist tornado} >= 6.1
+# coverage==7.3.2: omitted linter/coverage tool
+# tornado==6.3.3
+BuildRequires:  %{py3_dist tornado}
 # PySocks==1.7.1
-BuildRequires:  %{py3_dist PySocks} >= 1.7.1
-# win-inet-pton==1.1.0: Windows-only workaround
-# pytest==6.2.4; python_version>="3.10"
-BuildRequires:  %{py3_dist pytest} >= 6.2.4
-# pytest-timeout==1.4.2
-BuildRequires:  %{py3_dist pytest-timeout} >= 1.4.2
-# pytest-freezegun==0.4.2
-BuildRequires:  %{py3_dist pytest-freezegun} >= 0.4.2
-# flaky==3.7.0: not really required
-# trustme==0.7.0
-BuildRequires:  %{py3_dist trustme} >= 0.7
-# cryptography==38.0.3;python_version>="3.6": associated with the deprecated
-#                                             “secure” extra
-# python-dateutil==2.8.1
-BuildRequires:  %{py3_dist python-dateutil} >= 2.8.1
-# gcp-devrel-py-tools==0.0.16: not used in offline testing
+BuildRequires:  %{py3_dist PySocks}
+# pytest==7.4.2
+BuildRequires:  %{py3_dist pytest}
+# pytest-timeout==2.1.0
+BuildRequires:  %{py3_dist pytest-timeout}
+# pyOpenSSL==23.2.0
+BuildRequires:  %{py3_dist pyOpenSSL}
+# trustme==1.1.0
+BuildRequires:  %{py3_dist trustme}
+# cryptography==41.0.4
+BuildRequires:  %{py3_dist cryptography}
+# backports.zoneinfo==0.2.1;python_version<"3.9"
+# towncrier==23.6.0: used for generating a changelog
+# pytest-memray==1.5.0;python_version>="3.8" and implementation_name=="cpython":
+#     not packaged, unwanted profiler
 %endif
 
 %global _description %{expand:
@@ -75,9 +73,6 @@ Requires:       ca-certificates
 BuildRequires:  %{py3_dist idna}
 Requires:       %{py3_dist idna}
 
-# grep __version__ src/urllib3/packages/six.py
-Provides:       bundled(python3dist(six)) = 1.16.0
-
 %if %{with extras}
 # There has historically been a manual hard dependency on python3-pysocks;
 # since bringing it in is the sole function of python3-urllib3+socks,
@@ -89,10 +84,7 @@ Recommends:     python3-urllib3+socks
 
 
 %if %{with extras}
-# We do NOT package the “secure” extra because it is deprecated; see:
-# “Deprecate the pyOpenSSL TLS implementation and [secure] extra”
-# https://github.com/urllib3/urllib3/issues/2680
-%pyproject_extras_subpkg -n python3-urllib3 brotli socks
+%pyproject_extras_subpkg -n python3-urllib3 brotli zstd socks
 %endif
 
 
@@ -116,16 +108,11 @@ Recommends:     python3-urllib3+socks
 recent_date=$(date --date "7 month ago" +"%Y, %_m, %_d")
 sed -i "s/^RECENT_DATE = datetime.date(.*)/RECENT_DATE = datetime.date($recent_date)/" src/urllib3/connection.py
 
-# Use the standard library instead of a backport
-sed -i -e 's/^import mock/from unittest import mock/' \
-       -e 's/^from mock import /from unittest.mock import /' \
-    test/*.py docs/conf.py
-
 
 %generate_buildrequires
 # Generate BR’s from packaged extras even when tests are disabled, to ensure
 # the extras metapackages are installable if the build succeeds.
-%pyproject_buildrequires %{?with_extras:-x brotli,socks}
+%pyproject_buildrequires %{?with_extras:-x brotli,zstd,socks}
 
 
 %build
@@ -135,36 +122,59 @@ sed -i -e 's/^import mock/from unittest import mock/' \
 %install
 %pyproject_install
 
-%pyproject_save_files urllib3
+%pyproject_save_files -l urllib3
 
 
 %check
 # urllib3.contrib.socks requires urllib3[socks]
 # urllib3.contrib.ntlmpool is deprecated and requires ntlm
 # urllib3.contrib.securetransport is macOS only
-# urllib3.contrib.pyopenssl requires urllib3[secure]
+# urllib3.contrib.pyopenssl requires pyOpenSSL
 %{pyproject_check_import %{!?with_extras:-e urllib3.contrib.socks}
                          -e urllib3.contrib.ntlmpool
                          -e urllib3.contrib.securetransport
                          -e urllib3.contrib.pyopenssl}
+
+# Increase the “long timeout” for slower environments; as of this writing, it
+# is increased from 0.1 to 0.5 second.
+export CI=1
+
 %if %{with tests}
-# Drop the dummyserver tests in koji.  They fail there in real builds, but not
-# in scratch builds (weird).
-ignore="${ignore-} --ignore=test/with_dummyserver/"
-# Don't run the Google App Engine tests
-ignore="${ignore-} --ignore=test/appengine/"
-# Lots of these tests started failing, even for old versions, so it has something
-# to do with Fedora in particular. They don't fail in upstream build infrastructure
-ignore="${ignore-} --ignore=test/contrib/"
-# Tests for Python built without SSL, but Fedora builds with SSL. These tests
-# fail when combined with the unbundling of backports-ssl_match_hostname
-ignore="${ignore-} --ignore=test/test_no_ssl.py"
-%pytest -v ${ignore-}
+# These tests *may* time out; https://github.com/urllib3/urllib3/pull/3206
+# purports to fix some of them, but there is still a lot of flakiness here.
+ignore="${ignore-} --ignore=test/with_dummyserver/test_socketlevel.py"
+# This test still times out sometimes, especially on certain architectures,
+# even when we export the CI environment variable to increase timeouts.
+k="${k-}${k+ and }not (TestHTTPProxyManager and test_tunneling_proxy_request_timeout[https-https])"
+%if 0%{?__isa_bits} == 32
+# These fail on i686 and presumably on other 32-bit architectures. Note that
+# since the base package is noarch and the package may be assigned to a builder
+# of any architecture, there is no guarantee that these tests run at all in a
+# particular build. See discussion in
+# https://src.fedoraproject.org/rpms/python-urllib3/pull-request/33.
+k="${k-}${k+ and }not (TestSSL and test_requesting_large_resources_via_ssl)"
+k="${k-}${k+ and }not (TestSocketSSL and test_requesting_large_resources_via_ssl)"
+%endif
+# These require network access:
+k="${k-}${k+ and }not (TestPoolManager and test_deprecated_no_scheme)"
+# The error message does not quite match what upstream expects; this is fixed
+# in later urllib3 releases.
+# >           with pytest.raises(
+#                 SSLError, match=r"(wrong version number|record overflow)"
+#             ):
+# E           AssertionError: Regex pattern did not match.
+# E            Regex: '(wrong version number|record overflow)'
+# E            Input: '("read error: Error([(\'SSL routines\', \'\',
+#                     \'packet length too long\'), (\'SSL routines\', \'\',
+#                     \'record layer failure\')])",)'
+k="${k-}${k+ and }not (TestSocketSSL and test_ssl_failure_midway_through_conn)"
+
+%pytest -v -rs ${ignore-} -k "${k-}"
 %endif
 
 
 %files -n python3-urllib3 -f %{pyproject_files}
-%doc CHANGES.rst README.rst
+%doc CHANGES.rst README.md
 
 
 %changelog
diff --git a/sources b/sources
index 010dd3d..84e7405 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (urllib3-1.26.19.tar.gz) = 6b72012dbd85434b2441229cbdea2a94583693f904dde349780e1290d581c8a5e10fe00a287a032ed1276349d0078b530f16a133e0f164dcea18105fa3dec79a
+SHA512 (urllib3-2.0.7.tar.gz) = 3819d87a0b37859b7b6615170016fe2885ed818e289fc56ecd180b97eef4d1ad0c587b0250cc0d2eb73a3c21223febda95a5b6a5b4c27f88038da89d3e889eeb