Security fix for CVE-2025-12084

(cherry picked from python3.10 commit 55d25b67d6153038b462d312e40c083d965ed5dc)

00001-rpath.patch

@@ -1,9 +1,10 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: David Malcolm <dmalcolm@redhat.com>
 Date: Wed, 13 Jan 2010 21:25:18 +0000
-Subject: [PATCH] 00001: Fixup distutils/unixccompiler.py to remove standard
- library path from rpath Was Patch0 in ivazquez' python3000 specfile
+Subject: 00001: Fixup distutils/unixccompiler.py to remove standard library
+ path from rpath
 
+Was Patch0 in ivazquez' python3000 specfile
 ---
  Lib/distutils/unixccompiler.py | 9 +++++++++
  1 file changed, 9 insertions(+)

00111-no-static-lib.patch

@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: David Malcolm <dmalcolm@redhat.com>
 Date: Mon, 18 Jan 2010 17:59:07 +0000
-Subject: [PATCH] 00111: Don't try to build a libpythonMAJOR.MINOR.a
+Subject: 00111: Don't try to build a libpythonMAJOR.MINOR.a
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -21,7 +21,7 @@ Co-authored-by: Miro Hrončok <miro@hroncok.cz>
  1 file changed, 2 insertions(+), 19 deletions(-)
 
 diff --git a/Makefile.pre.in b/Makefile.pre.in
-index c0272bfcdd..b64837c126 100644
+index a276d535c7..568018827b 100644
 --- a/Makefile.pre.in
 +++ b/Makefile.pre.in
 @@ -588,7 +588,7 @@ clinic: check-clean-src $(srcdir)/Modules/_blake2/blake2s_impl.c

00189-use-rpm-wheels.patch

@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz>
 Date: Wed, 15 Aug 2018 15:36:29 +0200
-Subject: [PATCH] 00189: Instead of bundled wheels, use our RPM packaged wheels
+Subject: 00189: Instead of bundled wheels, use our RPM packaged wheels
 
 We keep them in /usr/share/python-wheels
 
@@ -12,7 +12,7 @@ We might eventually pursuit upstream support, but it's low prio
  1 file changed, 26 insertions(+), 11 deletions(-)
 
 diff --git a/Lib/ensurepip/__init__.py b/Lib/ensurepip/__init__.py
-index 981534c4a0..77d7ec5a65 100644
+index d61bb089e3..77d7ec5a65 100644
 --- a/Lib/ensurepip/__init__.py
 +++ b/Lib/ensurepip/__init__.py
 @@ -1,3 +1,5 @@
@@ -30,8 +30,8 @@ index 981534c4a0..77d7ec5a65 100644
  
  
  __all__ = ["version", "bootstrap"]
--_SETUPTOOLS_VERSION = "58.1.0"
--_PIP_VERSION = "22.0.4"
+-_SETUPTOOLS_VERSION = "79.0.1"
+-_PIP_VERSION = "23.0.1"
 +
 +_WHEEL_DIR = "/usr/share/python-wheels/"
 +

00251-change-user-install-location.patch

@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Michal Cyprian <m.cyprian@gmail.com>
 Date: Mon, 26 Jun 2017 16:32:56 +0200
-Subject: [PATCH] 00251: Change user install location
+Subject: 00251: Change user install location
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -61,10 +61,10 @@ index aaa300efa9..18f01f10d4 100644
              else:
                  if self.exec_prefix is None:
 diff --git a/Lib/site.py b/Lib/site.py
-index 9e617afb00..db14f715f9 100644
+index 54ffc4fdc0..930b91813e 100644
 --- a/Lib/site.py
 +++ b/Lib/site.py
-@@ -353,7 +353,14 @@ def getsitepackages(prefixes=None):
+@@ -362,7 +362,14 @@ def getsitepackages(prefixes=None):
      return sitepackages
  
  def addsitepackages(known_paths, prefixes=None):

00328-pyc-timestamp-invalidation-mode.patch

@@ -1,54 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz>
-Date: Thu, 11 Jul 2019 13:44:13 +0200
-Subject: [PATCH] 00328: Restore pyc to TIMESTAMP invalidation mode as default
- in rpmbuild
-
-Since Fedora 31, the $SOURCE_DATE_EPOCH is set in rpmbuild to the latest
-%changelog date. This makes Python default to the CHECKED_HASH pyc
-invalidation mode, bringing more reproducible builds traded for an import
-performance decrease. To avoid that, we don't default to CHECKED_HASH
-when $RPM_BUILD_ROOT is set (i.e. when we are building RPM packages).
-
-See https://src.fedoraproject.org/rpms/redhat-rpm-config/pull-request/57#comment-27426
-Downstream only: only used when building RPM packages
-Ideally, we should talk to upstream and explain why we don't want this
----
- Lib/py_compile.py           | 3 ++-
- Lib/test/test_py_compile.py | 2 ++
- 2 files changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/Lib/py_compile.py b/Lib/py_compile.py
-index a81f493731..bba3642bf2 100644
---- a/Lib/py_compile.py
-+++ b/Lib/py_compile.py
-@@ -70,7 +70,8 @@ class PycInvalidationMode(enum.Enum):
- 
- 
- def _get_default_invalidation_mode():
--    if os.environ.get('SOURCE_DATE_EPOCH'):
-+    if (os.environ.get('SOURCE_DATE_EPOCH') and not
-+            os.environ.get('RPM_BUILD_ROOT')):
-         return PycInvalidationMode.CHECKED_HASH
-     else:
-         return PycInvalidationMode.TIMESTAMP
-diff --git a/Lib/test/test_py_compile.py b/Lib/test/test_py_compile.py
-index e6791c6916..b2d3dcf7fb 100644
---- a/Lib/test/test_py_compile.py
-+++ b/Lib/test/test_py_compile.py
-@@ -19,6 +19,7 @@ def without_source_date_epoch(fxn):
-     def wrapper(*args, **kwargs):
-         with support.EnvironmentVarGuard() as env:
-             env.unset('SOURCE_DATE_EPOCH')
-+            env.unset('RPM_BUILD_ROOT')
-             return fxn(*args, **kwargs)
-     return wrapper
- 
-@@ -29,6 +30,7 @@ def with_source_date_epoch(fxn):
-     def wrapper(*args, **kwargs):
-         with support.EnvironmentVarGuard() as env:
-             env['SOURCE_DATE_EPOCH'] = '123456789'
-+            env.unset('RPM_BUILD_ROOT')
-             return fxn(*args, **kwargs)
-     return wrapper
- 

00353-architecture-names-upstream-downstream.patch

@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Lumir Balhar <lbalhar@redhat.com>
 Date: Tue, 4 Aug 2020 12:04:03 +0200
-Subject: [PATCH] 00353: Original names for architectures with different names
+Subject: 00353: Original names for architectures with different names
  downstream
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8

00371-revert-bpo-1596321-fix-threading-_shutdown-for-the-main-thread-gh-28549-gh-28589.patch

@@ -1,8 +1,8 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Hrn=C4=8Diar?= <thrnciar@redhat.com>
 Date: Fri, 19 Nov 2021 13:37:16 +0100
-Subject: [PATCH] 00371: Revert "bpo-1596321: Fix threading._shutdown() for the
- main thread (GH-28549) (GH-28589)"
+Subject: 00371: Revert "bpo-1596321: Fix threading._shutdown() for the main
+ thread (GH-28549) (GH-28589)"
 
 This reverts commit 94d19f606fa18a1c4d2faca1caf2f470a8ce6d46. It
 introduced regression causing FreeIPA's tests to fail.

00407-gh-99086-fix-implicit-int-compiler-warning-in-configure-check-for-pthread_scope_system.patch

@@ -0,0 +1,47 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: "Erlend E. Aasland" <erlend.aasland@protonmail.com>
+Date: Sun, 6 Nov 2022 22:39:34 +0100
+Subject: 00407: gh-99086: Fix implicit int compiler warning in configure check
+ for PTHREAD_SCOPE_SYSTEM
+
+Co-authored-by: Sam James <sam@cmpct.info>
+---
+ .../next/Build/2022-11-04-02-58-10.gh-issue-99086.DV_4Br.rst    | 1 +
+ configure                                                       | 2 +-
+ configure.ac                                                    | 2 +-
+ 3 files changed, 3 insertions(+), 2 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Build/2022-11-04-02-58-10.gh-issue-99086.DV_4Br.rst
+
+diff --git a/Misc/NEWS.d/next/Build/2022-11-04-02-58-10.gh-issue-99086.DV_4Br.rst b/Misc/NEWS.d/next/Build/2022-11-04-02-58-10.gh-issue-99086.DV_4Br.rst
+new file mode 100644
+index 0000000000..e320ecfdfb
+--- /dev/null
++++ b/Misc/NEWS.d/next/Build/2022-11-04-02-58-10.gh-issue-99086.DV_4Br.rst
+@@ -0,0 +1 @@
++Fix ``-Wimplicit-int`` compiler warning in :program:`configure` check for ``PTHREAD_SCOPE_SYSTEM``.
+diff --git a/configure b/configure
+index b7be60eaa3..51c2a231ac 100755
+--- a/configure
++++ b/configure
+@@ -11151,7 +11151,7 @@ else
+       void *foo(void *parm) {
+         return NULL;
+       }
+-      main() {
++      int main() {
+         pthread_attr_t attr;
+         pthread_t id;
+         if (pthread_attr_init(&attr)) return (-1);
+diff --git a/configure.ac b/configure.ac
+index aa515da465..7729ccee9c 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -3336,7 +3336,7 @@ if test "$posix_threads" = "yes"; then
+       void *foo(void *parm) {
+         return NULL;
+       }
+-      main() {
++      int main() {
+         pthread_attr_t attr;
+         pthread_t id;
+         if (pthread_attr_init(&attr)) return (-1);

00452-properly-apply-exported-cflags-for-dtrace-systemtap-builds.patch

@@ -0,0 +1,51 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Mon, 31 Mar 2025 20:29:04 +0200
+Subject: 00452: Properly apply exported CFLAGS for dtrace/systemtap builds
+
+When using --with-dtrace the resulting object file could be missing
+specific CFLAGS exported by the build system due to the systemtap
+script using specific defaults.
+
+Exporting the CC and CFLAGS variables before the dtrace invocation
+allows us to properly apply CFLAGS exported by the build system
+even when cross-compiling.
+
+Co-authored-by: stratakis <cstratak@redhat.com>
+---
+ Makefile.pre.in                                               | 4 ++--
+ .../next/Build/2025-03-31-19-22-41.gh-issue-131865.PIJy7X.rst | 2 ++
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Build/2025-03-31-19-22-41.gh-issue-131865.PIJy7X.rst
+
+diff --git a/Makefile.pre.in b/Makefile.pre.in
+index 568018827b..b401724d92 100644
+--- a/Makefile.pre.in
++++ b/Makefile.pre.in
+@@ -989,7 +989,7 @@ Python/frozen.o: $(srcdir)/Python/importlib.h $(srcdir)/Python/importlib_externa
+ # an include guard, so we can't use a pipeline to transform its output.
+ Include/pydtrace_probes.h: $(srcdir)/Include/pydtrace.d
+ 	$(MKDIR_P) Include
+-	$(DTRACE) $(DFLAGS) -o $@ -h -s $<
++	CC="$(CC)" CFLAGS="$(CFLAGS)" $(DTRACE) $(DFLAGS) -o $@ -h -s $<
+ 	: sed in-place edit with POSIX-only tools
+ 	sed 's/PYTHON_/PyDTrace_/' $@ > $@.tmp
+ 	mv $@.tmp $@
+@@ -999,7 +999,7 @@ Python/import.o: $(srcdir)/Include/pydtrace.h
+ Modules/gcmodule.o: $(srcdir)/Include/pydtrace.h
+ 
+ Python/pydtrace.o: $(srcdir)/Include/pydtrace.d $(DTRACE_DEPS)
+-	$(DTRACE) $(DFLAGS) -o $@ -G -s $< $(DTRACE_DEPS)
++	CC="$(CC)" CFLAGS="$(CFLAGS)" $(DTRACE) $(DFLAGS) -o $@ -G -s $< $(DTRACE_DEPS)
+ 
+ Objects/typeobject.o: Objects/typeslots.inc
+ 
+diff --git a/Misc/NEWS.d/next/Build/2025-03-31-19-22-41.gh-issue-131865.PIJy7X.rst b/Misc/NEWS.d/next/Build/2025-03-31-19-22-41.gh-issue-131865.PIJy7X.rst
+new file mode 100644
+index 0000000000..a287e0b228
+--- /dev/null
++++ b/Misc/NEWS.d/next/Build/2025-03-31-19-22-41.gh-issue-131865.PIJy7X.rst
+@@ -0,0 +1,2 @@
++The DTrace build now properly passes the ``CC`` and ``CFLAGS`` variables
++to the ``dtrace`` command when utilizing SystemTap on Linux.

00471-cve-2025-12084.patch

@@ -0,0 +1,140 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Mon, 22 Dec 2025 14:48:49 +0100
+Subject: 00471: CVE-2025-12084
+
+* gh-142145: Remove quadratic behavior in node ID cache clearing (GH-142146)
+* gh-142754: Ensure that Element & Attr instances have the ownerDocument attribute (GH-142794)
+(cherry picked from commit 1cc7551b3f9f71efbc88d96dce90f82de98b2454)
+(cherry picked from commit 08d8e18ad81cd45bc4a27d6da478b51ea49486e4)
+(cherry picked from commit 8d2d7bb2e754f8649a68ce4116271a4932f76907)
+
+Co-authored-by: Jacob Walls <38668450+jacobtylerwalls@users.noreply.github.com>
+Co-authored-by: Seth Michael Larson <seth@python.org>
+Co-authored-by: Petr Viktorin <encukou@gmail.com>
+Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
+Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
+Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
+Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
+Co-authored-by: Gregory P. Smith <greg@krypto.org>
+---
+ Lib/test/test_minidom.py                      | 33 ++++++++++++++++++-
+ Lib/xml/dom/minidom.py                        | 11 ++-----
+ ...-12-01-09-36-45.gh-issue-142145.tcAUhg.rst |  6 ++++
+ 3 files changed, 41 insertions(+), 9 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst
+
+diff --git a/Lib/test/test_minidom.py b/Lib/test/test_minidom.py
+index 97620258d8..9f7f5b240e 100644
+--- a/Lib/test/test_minidom.py
++++ b/Lib/test/test_minidom.py
+@@ -2,6 +2,7 @@
+ 
+ import copy
+ import pickle
++import time
+ import io
+ from test import support
+ import unittest
+@@ -9,7 +10,7 @@ import unittest
+ import pyexpat
+ import xml.dom.minidom
+ 
+-from xml.dom.minidom import parse, Node, Document, parseString
++from xml.dom.minidom import parse, Attr, Node, Document, Element, parseString
+ from xml.dom.minidom import getDOMImplementation
+ from xml.parsers.expat import ExpatError
+ 
+@@ -163,6 +164,36 @@ class MinidomTest(unittest.TestCase):
+         self.confirm(dom.documentElement.childNodes[-1].data == "Hello")
+         dom.unlink()
+ 
++    @support.requires_resource('cpu')
++    def testAppendChildNoQuadraticComplexity(self):
++        impl = getDOMImplementation()
++
++        newdoc = impl.createDocument(None, "some_tag", None)
++        top_element = newdoc.documentElement
++        children = [newdoc.createElement(f"child-{i}") for i in range(1, 2 ** 15 + 1)]
++        element = top_element
++
++        start = time.monotonic()
++        for child in children:
++            element.appendChild(child)
++            element = child
++        end = time.monotonic()
++
++        # This example used to take at least 30 seconds.
++        # Conservative assertion due to the wide variety of systems and
++        # build configs timing based tests wind up run under.
++        # A --with-address-sanitizer --with-pydebug build on a rpi5 still
++        # completes this loop in <0.5 seconds.
++        self.assertLess(end - start, 4)
++
++    def testSetAttributeNodeWithoutOwnerDocument(self):
++        # regression test for gh-142754
++        elem = Element("test")
++        attr = Attr("id")
++        attr.value = "test-id"
++        elem.setAttributeNode(attr)
++        self.assertEqual(elem.getAttribute("id"), "test-id")
++
+     def testAppendChildFragment(self):
+         dom, orig, c1, c2, c3, frag = self._create_fragment_test_nodes()
+         dom.documentElement.appendChild(frag)
+diff --git a/Lib/xml/dom/minidom.py b/Lib/xml/dom/minidom.py
+index d09ef5e7d0..e4e8b42996 100644
+--- a/Lib/xml/dom/minidom.py
++++ b/Lib/xml/dom/minidom.py
+@@ -292,13 +292,6 @@ def _append_child(self, node):
+     childNodes.append(node)
+     node.parentNode = self
+ 
+-def _in_document(node):
+-    # return True iff node is part of a document tree
+-    while node is not None:
+-        if node.nodeType == Node.DOCUMENT_NODE:
+-            return True
+-        node = node.parentNode
+-    return False
+ 
+ def _write_data(writer, data):
+     "Writes datachars to writer."
+@@ -355,6 +348,7 @@ class Attr(Node):
+     def __init__(self, qName, namespaceURI=EMPTY_NAMESPACE, localName=None,
+                  prefix=None):
+         self.ownerElement = None
++        self.ownerDocument = None
+         self._name = qName
+         self.namespaceURI = namespaceURI
+         self._prefix = prefix
+@@ -678,6 +672,7 @@ class Element(Node):
+ 
+     def __init__(self, tagName, namespaceURI=EMPTY_NAMESPACE, prefix=None,
+                  localName=None):
++        self.ownerDocument = None
+         self.parentNode = None
+         self.tagName = self.nodeName = tagName
+         self.prefix = prefix
+@@ -1537,7 +1532,7 @@ def _clear_id_cache(node):
+     if node.nodeType == Node.DOCUMENT_NODE:
+         node._id_cache.clear()
+         node._id_search_stack = None
+-    elif _in_document(node):
++    elif node.ownerDocument:
+         node.ownerDocument._id_cache.clear()
+         node.ownerDocument._id_search_stack= None
+ 
+diff --git a/Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst b/Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst
+new file mode 100644
+index 0000000000..05c7df35d1
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst
+@@ -0,0 +1,6 @@
++Remove quadratic behavior in ``xml.minidom`` node ID cache clearing.  In order
++to do this without breaking existing users, we also add the *ownerDocument*
++attribute to :mod:`xml.dom.minidom` elements and attributes created by directly
++instantiating the ``Element`` or ``Attr`` class. Note that this way of creating
++nodes is not supported; creator functions like
++:py:meth:`xml.dom.Document.documentElement` should be used instead.

check-pyc-timestamps.py

@@ -19,11 +19,9 @@ not_compiled = [
     '*/test/bad_coding.py',
     '*/test/bad_coding2.py',
     '*/test/badsyntax_*.py',
-    '*/lib2to3/tests/data/bom.py',
-    '*/lib2to3/tests/data/crlf.py',
-    '*/lib2to3/tests/data/different_encoding.py',
-    '*/lib2to3/tests/data/false_encoding.py',
-    '*/lib2to3/tests/data/py2_test_grammar.py',
+    '*/lib2to3/tests/data/*.py',
+    '*/lib2to3/tests/data/*/*.py',
+    '*/lib2to3/tests/data/*/*/*.py',
     '*.debug-gdb.py',
 ]
 

plan.fmf

@@ -0,0 +1,50 @@
+execute:
+  how: tmt
+
+provision:
+  hardware:
+    memory: '>= 3 GB'
+
+environment:
+  pybasever: '3.9'
+
+discover:
+  - name: tests_python
+    how: shell
+    url: https://src.fedoraproject.org/tests/python.git
+    tests:
+    - name: smoke
+      path: /smoke
+      test: "VERSION=${pybasever} ./venv.sh"
+    - name: debugsmoke
+      path: /smoke
+      test: "PYTHON=python${pybasever}d TOX=false VERSION=${pybasever} INSTALL_OR_SKIP=true ./venv.sh"
+    - name: selftest
+      path: /selftest
+      test: VERSION=${pybasever} X="-x test_wsgiref" ./parallel.sh
+    - name: marshalparser
+      path: /marshalparser
+      test: "VERSION=${pybasever} SAMPLE=10 ./test_marshalparser_compatibility.sh"
+
+prepare:
+  - name: Install dependencies
+    how: install
+    package:
+    - gcc  # for extension building in venv and selftest
+    - gdb  # for test_gdb
+    - "python${pybasever}"  # the test subject
+    - "python${pybasever}-devel"  # for extension building in venv and selftest
+    - "python${pybasever}-tkinter"  # for selftest
+    - "python${pybasever}-test"  # for selftest
+    - python3-tox  # for venv tests
+    - glibc-all-langpacks # for locale tests
+    - marshalparser  # for testing compatibility (magic numbers) with marshalparser
+    - rpm  # for debugging marshalparser
+    - dnf  # for upgrade
+  - name: Update packages
+    how: shell
+    script: dnf upgrade -y
+  - name: rpm_qa
+    order: 100
+    how: shell
+    script: rpm -qa | sort | tee $TMT_PLAN_DATA/rpmqa.txt

python3.9.spec

@@ -13,11 +13,11 @@ URL: https://www.python.org/
 
 #  WARNING  When rebasing to a new Python version,
 #           remember to update the python3-docs package as well
-%global general_version %{pybasever}.16
+%global general_version %{pybasever}.25
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 1%{?dist}
+Release: 3%{?dist}
 License: Python
 
 
@@ -40,9 +40,10 @@ License: Python
 %endif
 
 # Flat package, i.e. no separate subpackages
-# Default (in Fedora): if this is a main Python, it is not a flatpackage
+# Default (in Fedora >= 44): disabled
+# Default (in Fedora < 44): enabled when this is not the main Python
 # Not supported: Combination of flatpackage enabled and main_python enabled
-%if %{with main_python}
+%if %{with main_python} || 0%{?fedora} >= 44
 %bcond_with flatpackage
 %else
 %bcond_without flatpackage
@@ -201,6 +202,12 @@ License: Python
 %{warn:Doing a main_python build with wrong %%__default_python3_pkgversion (0%{?__default_python3_pkgversion}, but this is %pyshortver)}
 %endif
 
+# Opt-out from https://fedoraproject.org/wiki/Changes/fno-omit-frame-pointer
+# Python is slower with frame pointers, but we expect to remove this in Python 3.12+
+# See https://lists.fedoraproject.org/archives/list/python-devel@lists.fedoraproject.org/thread/6TQYCHMX4FZLF27U5BCEC7IFV6XNBKJP/
+# Tracking bugzilla: https://bugzilla.redhat.com/2158729
+%undefine _include_frame_pointers
+
 # =======================
 # Build-time requirements
 # =======================
@@ -212,7 +219,8 @@ BuildRequires: bluez-libs-devel
 BuildRequires: bzip2
 BuildRequires: bzip2-devel
 BuildRequires: desktop-file-utils
-BuildRequires: expat-devel
+# See the runtime requirement in the -libs subpackage
+BuildRequires: expat-devel >= 2.6
 
 BuildRequires: findutils
 BuildRequires: gcc-c++
@@ -230,6 +238,7 @@ BuildRequires: libnsl2-devel
 BuildRequires: libtirpc-devel
 BuildRequires: libGL-devel
 BuildRequires: libuuid-devel
+BuildRequires: libxcrypt-devel
 BuildRequires: libX11-devel
 BuildRequires: make
 BuildRequires: ncurses-devel
@@ -242,9 +251,9 @@ BuildRequires: sqlite-devel
 BuildRequires: gdb
 
 BuildRequires: tar
-BuildRequires: tcl-devel
+BuildRequires: tcl-devel < 1:9
 BuildRequires: tix-devel
-BuildRequires: tk-devel
+BuildRequires: tk-devel < 1:9
 BuildRequires: tzdata
 
 %if %{with valgrind}
@@ -254,6 +263,7 @@ BuildRequires: valgrind-devel
 BuildRequires: xz-devel
 BuildRequires: zlib-devel
 
+BuildRequires: systemtap-sdt-devel
 BuildRequires: /usr/bin/dtrace
 
 # workaround http://bugs.python.org/issue19804 (test_uuid requires ifconfig)
@@ -262,6 +272,9 @@ BuildRequires: /usr/sbin/ifconfig
 %if %{with rpmwheels}
 BuildRequires: python-setuptools-wheel
 BuildRequires: python-pip-wheel
+%else
+# For %%python_wheel_inject_sbom
+BuildRequires: python-rpm-macros
 %endif
 
 %if %{without bootstrap}
@@ -294,6 +307,7 @@ Source11: idle3.appdata.xml
 
 # 00001 # d06a8853cf4bae9e115f45e1d531d2dc152c5cc8
 # Fixup distutils/unixccompiler.py to remove standard library path from rpath
+#
 # Was Patch0 in ivazquez' python3000 specfile
 Patch1: 00001-rpath.patch
 
@@ -305,7 +319,7 @@ Patch1: 00001-rpath.patch
 # See https://bugzilla.redhat.com/show_bug.cgi?id=556092
 Patch111: 00111-no-static-lib.patch
 
-# 00189 # a79a85be3f0ad45792d998aed1104c2c2a0ef729
+# 00189 # 0c6dd5d318a22bbe89e09e1cd5513eaaca549aa5
 # Instead of bundled wheels, use our RPM packaged wheels
 #
 # We keep them in /usr/share/python-wheels
@@ -317,8 +331,8 @@ Patch189: 00189-use-rpm-wheels.patch
 # The versions are written in Lib/ensurepip/__init__.py, this patch removes them.
 # When the bundled setuptools/pip wheel is updated, the patch no longer applies cleanly.
 # In such cases, the patch needs to be amended and the versions updated here:
-%global pip_version 22.0.4
-%global setuptools_version 58.1.0
+%global pip_version 23.0.1
+%global setuptools_version 79.0.1
 
 # 00251 # 1b1047c14ff98eae6d355b4aac4df3e388813f62
 # Change user install location
@@ -337,20 +351,6 @@ Patch189: 00189-use-rpm-wheels.patch
 # See https://bugzilla.redhat.com/show_bug.cgi?id=2014513
 Patch251: 00251-change-user-install-location.patch
 
-# 00328 # 367fdcb5a075f083aea83ac174999272a8faf75c
-# Restore pyc to TIMESTAMP invalidation mode as default in rpmbuild
-#
-# Since Fedora 31, the $SOURCE_DATE_EPOCH is set in rpmbuild to the latest
-# %%changelog date. This makes Python default to the CHECKED_HASH pyc
-# invalidation mode, bringing more reproducible builds traded for an import
-# performance decrease. To avoid that, we don't default to CHECKED_HASH
-# when $RPM_BUILD_ROOT is set (i.e. when we are building RPM packages).
-#
-# See https://src.fedoraproject.org/rpms/redhat-rpm-config/pull-request/57#comment-27426
-# Downstream only: only used when building RPM packages
-# Ideally, we should talk to upstream and explain why we don't want this
-Patch328: 00328-pyc-timestamp-invalidation-mode.patch
-
 # 00353 # ab4cc97b643cfe99f567e3a03e5617b507183771
 # Original names for architectures with different names downstream
 #
@@ -387,6 +387,29 @@ Patch353: 00353-architecture-names-upstream-downstream.patch
 # https://github.com/GrahamDumpleton/mod_wsgi/issues/730
 Patch371: 00371-revert-bpo-1596321-fix-threading-_shutdown-for-the-main-thread-gh-28549-gh-28589.patch
 
+# 00407 # 17dbfc39d1118a479e7ea244ad46fb6eeeb38280
+# gh-99086: Fix implicit int compiler warning in configure check for PTHREAD_SCOPE_SYSTEM
+Patch407: 00407-gh-99086-fix-implicit-int-compiler-warning-in-configure-check-for-pthread_scope_system.patch
+
+# 00452 # eb11d070c5af7d1b5e47f4e02186152d08eaf793
+# Properly apply exported CFLAGS for dtrace/systemtap builds
+#
+# When using --with-dtrace the resulting object file could be missing
+# specific CFLAGS exported by the build system due to the systemtap
+# script using specific defaults.
+#
+# Exporting the CC and CFLAGS variables before the dtrace invocation
+# allows us to properly apply CFLAGS exported by the build system
+# even when cross-compiling.
+Patch452: 00452-properly-apply-exported-cflags-for-dtrace-systemtap-builds.patch
+
+# 00471 # fc5f344f7e15c13dbf41824a1b7a82d92205f79d
+# CVE-2025-12084
+#
+# * gh-142145: Remove quadratic behavior in node ID cache clearing (GH-142146)
+# * gh-142754: Ensure that Element & Attr instances have the ownerDocument attribute (GH-142794)
+Patch471: 00471-cve-2025-12084.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@@ -455,9 +478,18 @@ Obsoletes: platform-python < %{pybasever}
 Provides: python%{pyshortver} = %{version}-%{release}
 Obsoletes: python%{pyshortver} < %{version}-%{release}
 
+# https://docs.fedoraproject.org/en-US/packaging-guidelines/#_one_to_many_replacement
+Obsoletes: %{pkgname} < 3.9.24-2
+
+%if %{with main_python}
 # Packages with Python modules in standard locations automatically
 # depend on python(abi). Provide that here.
 Provides: python(abi) = %{pybasever}
+%else
+# We exclude the `python(abi)` Provides
+%global __requires_exclude ^python\\(abi\\) = 3\\..+
+%global __provides_exclude ^python\\(abi\\) = 3\\..+
+%endif
 
 Requires: %{pkgname}-libs%{?_isa} = %{version}-%{release}
 
@@ -553,6 +585,14 @@ Recommends: (%{pkgname}-tkinter%{?_isa} = %{version}-%{release} if tk%{?_isa})
 # The zoneinfo module needs tzdata
 Requires: tzdata
 
+# The requirement on libexpat is generated, but we need to version it.
+# When built with expat >= 2.6, but installed with older expat, we get:
+#   ImportError: /usr/lib64/python3.X/lib-dynload/pyexpat.cpython-....so:
+#   undefined symbol: XML_SetReparseDeferralEnabled
+# This breaks many things, including python -m venv.
+# Other subpackages (like -debug) also need this, but they all depend on -libs.
+Requires: expat >= 2.6
+
 # https://fedoraproject.org/wiki/Changes/Move_usr_bin_python_into_separate_package
 # In Fedora 31, several "unversioned" files like /usr/bin/pydoc and all the
 # "unversioned" provides were moved from python2 to python3.
@@ -564,6 +604,8 @@ Conflicts: python-libs < 3
 # (We explicitly conflict with python-libs and not python2-libs, so only the
 # old Python 2 builds that still provided unversioned Python are handled.)
 
+# https://docs.fedoraproject.org/en-US/packaging-guidelines/#_one_to_many_replacement
+Obsoletes: %{pkgname} < 3.9.24-2
 
 %description -n %{pkgname}-libs
 This package contains runtime libraries for use by Python:
@@ -583,6 +625,7 @@ Requires: (python3-rpm-macros if rpm-build)
 Requires: (pyproject-rpm-macros if rpm-build)
 
 %if %{without bootstrap}
+%if %{with main_python}
 # This is not "API" (packages that need setuptools should still BuildRequire it)
 # However some packages apparently can build both with and without setuptools
 # producing egg-info as file or directory (depending on setuptools presence).
@@ -591,6 +634,7 @@ Requires: (pyproject-rpm-macros if rpm-build)
 # See https://bugzilla.redhat.com/show_bug.cgi?id=1623914
 # See https://fedoraproject.org/wiki/Packaging:Directory_Replacement
 Requires: (%{pkgname}-setuptools if rpm-build)
+%endif
 
 Requires: (python3-rpm-generators if rpm-build)
 %endif
@@ -610,6 +654,9 @@ Provides:  platform-python-devel%{?_isa} = %{version}-%{release}
 Obsoletes: platform-python-devel < %{pybasever}
 %endif
 
+# https://docs.fedoraproject.org/en-US/packaging-guidelines/#_one_to_many_replacement
+Obsoletes: %{pkgname} < 3.9.24-2
+
 %description -n %{pkgname}-devel
 This package contains the header files and configuration needed to compile
 Python extension modules (typically written in C or C++), to embed Python
@@ -634,6 +681,9 @@ Obsoletes: %{pkgname}-tools < %{version}-%{release}
 # In Fedora 31, /usr/bin/idle was moved here from Python 2.
 Conflicts: python-tools < 3
 
+# https://docs.fedoraproject.org/en-US/packaging-guidelines/#_one_to_many_replacement
+Obsoletes: %{pkgname} < 3.9.24-2
+
 %description -n %{pkgname}-idle
 IDLE is Python’s Integrated Development and Learning Environment.
 
@@ -655,6 +705,9 @@ Requires: %{pkgname} = %{version}-%{release}
 # (We don't provide python3-turtledemo, that's not too useful when imported.)
 %py_provides %{pkgname}-turtle
 
+# https://docs.fedoraproject.org/en-US/packaging-guidelines/#_one_to_many_replacement
+Obsoletes: %{pkgname} < 3.9.24-2
+
 %description -n %{pkgname}-tkinter
 The Tkinter (Tk interface) library is a graphical user interface toolkit for
 the Python programming language.
@@ -665,6 +718,9 @@ Summary: The self-test suite for the main python3 package
 Requires: %{pkgname} = %{version}-%{release}
 Requires: %{pkgname}-libs%{?_isa} = %{version}-%{release}
 
+# https://docs.fedoraproject.org/en-US/packaging-guidelines/#_one_to_many_replacement
+Obsoletes: %{pkgname} < 3.9.24-2
+
 %description -n %{pkgname}-test
 The self-test suite for the Python interpreter.
 
@@ -715,11 +771,6 @@ The debug runtime additionally supports debug builds of C-API extensions
 
 %else  # with flatpackage
 
-# We'll not provide this, on purpose
-# No package in Fedora shall ever depend on flatpackage via this
-%global __requires_exclude ^python\\(abi\\) = 3\\..$
-%global __provides_exclude ^python\\(abi\\) = 3\\..$
-
 # Python interpreter packages used to be named (or provide) name pythonXY (e.g.
 # python39). However, to align it with the executable names and to prepare for
 # Python 3.10, they were renamed to pythonX.Y (e.g. python3.9, python3.10). We
@@ -744,6 +795,24 @@ Provides: bundled(libmpdec) = %{libmpdec_version}
 # The zoneinfo module needs tzdata
 Requires: tzdata
 
+# The requirement on libexpat is generated, but we need to version it.
+# When built with expat >= 2.6, but installed with older expat, we get:
+#   ImportError: /usr/lib64/python3.X/lib-dynload/pyexpat.cpython-....so:
+#   undefined symbol: XML_SetReparseDeferralEnabled
+# This breaks many things, including python -m venv.
+# Other subpackages (like -debug) also need this, but they all depend on -libs.
+Requires: expat >= 2.6
+
+# Provides of the subpackages contained in flatpackage
+Provides: %{pkgname}-libs = %{version}-%{release}
+Provides: %{pkgname}-devel = %{version}-%{release}
+Provides: %{pkgname}-idle = %{version}-%{release}
+Provides: %{pkgname}-tkinter = %{version}-%{release}
+Provides: %{pkgname}-test = %{version}-%{release}
+%if %{with debug_build}
+Provides: %{pkgname}-debug = %{version}-%{release}
+%endif
+
 # The description for the flat package (SRPM and built)
 %description
 Python %{pybasever} package for developers.
@@ -833,14 +902,15 @@ topdir=$(pwd)
 # Standard library built here will still use the %%build_...flags,
 # Fedora packages utilizing %%py3_build will use them as well
 # https://fedoraproject.org/wiki/Changes/Python_Extension_Flags
-export CFLAGS="%{extension_cflags} -D_GNU_SOURCE -fPIC -fwrapv"
+# https://fedoraproject.org/wiki/Changes/Python_Extension_Flags_Reduction
+export CFLAGS="%{extension_cflags}"
 export CFLAGS_NODIST="%{build_cflags} -D_GNU_SOURCE -fPIC -fwrapv%{?with_no_semantic_interposition: -fno-semantic-interposition}"
-export CXXFLAGS="%{extension_cxxflags} -D_GNU_SOURCE -fPIC -fwrapv"
+export CXXFLAGS="%{extension_cxxflags}"
 export CPPFLAGS="$(pkg-config --cflags-only-I libffi)"
-export OPT="%{extension_cflags} -D_GNU_SOURCE -fPIC -fwrapv"
+export OPT="%{extension_cflags}"
 export LINKCC="gcc"
 export CFLAGS="$CFLAGS $(pkg-config --cflags openssl)"
-export LDFLAGS="%{extension_ldflags} -g $(pkg-config --libs-only-L openssl)"
+export LDFLAGS="%{extension_ldflags} $(pkg-config --libs-only-L openssl)"
 export LDFLAGS_NODIST="%{build_ldflags}%{?with_no_semantic_interposition: -fno-semantic-interposition} -g $(pkg-config --libs-only-L openssl)"
 
 # We can build several different configurations of Python: regular and debug.
@@ -1099,15 +1169,25 @@ find . -name "*~" -exec rm -f {} \;
 # Python CMD line options:
 # -s - don't add user site directory to sys.path
 # -B - don't write .pyc files on import
+# Clamp the source mtime first, see https://fedoraproject.org/wiki/Changes/ReproducibleBuildsClampMtimes
+# The clamp_source_mtime module is only guaranteed to exist on Fedoras that enabled this option:
+%if 0%{?clamp_mtime_to_source_date_epoch}
+LD_LIBRARY_PATH="%{buildroot}%{dynload_dir}/:%{buildroot}%{_libdir}" \
+PYTHONPATH="%{_rpmconfigdir}/redhat" \
+%{buildroot}%{_bindir}/python%{pybasever} -s -B -m clamp_source_mtime %{buildroot}%{pylibdir}
+%endif
 # compileall CMD line options:
 # -f - force rebuild even if timestamps are up to date
 # -o - optimization levels to run compilation with
 # -s - part of path to left-strip from path to source file (buildroot)
 # -p - path to add as prefix to path to source file (/ to make it absolute)
 # --hardlink-dupes - hardlink different optimization level pycs together if identical (saves space)
+# --invalidation-mode - we prefer the timestamp invalidation mode for performance reasons
+# -x - skip test modules with SyntaxErrors (taken from the Makefile)
 LD_LIBRARY_PATH="%{buildroot}%{dynload_dir}/:%{buildroot}%{_libdir}" \
 %{buildroot}%{_bindir}/python%{pybasever} -s -B -m compileall \
--f %{_smp_mflags} -o 0 -o 1 -o 2 -s %{buildroot} -p / %{buildroot} --hardlink-dupes || :
+-f %{_smp_mflags} -o 0 -o 1 -o 2 -s %{buildroot} -p / %{buildroot} --hardlink-dupes --invalidation-mode=timestamp \
+-x 'bad_coding|badsyntax|site-packages|lib2to3/tests/data'
 
 # Turn this BRP off, it is done by compileall2 --hardlink-dupes above
 %global __brp_python_hardlink %{nil}
@@ -1189,6 +1269,11 @@ for file in %{buildroot}%{pylibdir}/pydoc_data/topics.py $(grep --include='*.py'
     rm ${directory}/{__pycache__/${module}.cpython-%{pyshortver}.opt-?.pyc,${module}.py}
 done
 
+%if %{without rpmwheels}
+# Inject SBOM into the installed wheels (if the macro is available)
+%{?python_wheel_inject_sbom:%python_wheel_inject_sbom %{buildroot}%{pylibdir}/ensurepip/_bundled/*.whl}
+%endif
+
 # ======================================================
 # Checks for packaging issues
 # ======================================================
@@ -1259,6 +1344,8 @@ CheckPython() {
   #   package: rpmbuild requires /usr/bin/pythonX.Y to be installed
   # test_gdb on arm on Fedora 33:
   #   https://bugzilla.redhat.com/show_bug.cgi?id=1846390
+  # test_sendfile_close_peer_in_the_middle_of_receiving:
+  #  https://github.com/python/cpython/issues/120226
   LD_LIBRARY_PATH=$ConfDir $ConfDir/python -m test.regrtest \
     -wW --slowest -j0 --timeout=1800 \
     %if %{with bootstrap}
@@ -1272,6 +1359,9 @@ CheckPython() {
     -x test_gdb \
     %endif
     %endif
+    %ifarch ppc64le
+    -i test_sendfile_close_peer_in_the_middle_of_receiving \
+    %endif
 
   echo FINISHED: CHECKING OF PYTHON FOR CONFIGURATION: $ConfName
 
@@ -1451,6 +1541,10 @@ CheckPython optimized
 %dir %{pylibdir}/site-packages/
 %dir %{pylibdir}/site-packages/__pycache__/
 %{pylibdir}/site-packages/README.txt
+
+%exclude %{pylibdir}/_sysconfigdata_d_linux_%{platform_triplet}.py
+%exclude %{pylibdir}/__pycache__/_sysconfigdata_d_linux_%{platform_triplet}%{bytecode_suffixes}
+
 %{pylibdir}/*.py
 %dir %{pylibdir}/__pycache__/
 %{pylibdir}/__pycache__/*%{bytecode_suffixes}
@@ -1779,6 +1873,9 @@ CheckPython optimized
 %{dynload_dir}/_testinternalcapi.%{SOABI_debug}.so
 %{dynload_dir}/_testmultiphase.%{SOABI_debug}.so
 
+%{pylibdir}/_sysconfigdata_d_linux_%{platform_triplet}.py
+%{pylibdir}/__pycache__/_sysconfigdata_d_linux_%{platform_triplet}%{bytecode_suffixes}
+
 %endif # with debug_build
 
 # We put the debug-gdb.py file inside /usr/lib/debug to avoid noise from ldconfig
@@ -1802,6 +1899,117 @@ CheckPython optimized
 # ======================================================
 
 %changelog
+* Wed Jan 14 2026 Lumír Balhar <lbalhar@redhat.com> - 3.9.25-3
+- Security fix for CVE-2025-12084
+
+* Mon Nov 10 2025 Tomas Orsava <torsava@redhat.com> - 3.9.25-2
+- Move _sysconfigdata_d_linux*.py to the debug subpackage
+
+* Mon Nov 03 2025 Karolina Surma <ksurma@redhat.com> - 3.9.25-1
+- Update to Python 3.9.25
+
+* Wed Oct 15 2025 Miro Hrončok <mhroncok@redhat.com> - 3.9.24-2
+- On Fedora 44+, split this package into multiple subpackages
+- This mimics newer Python versions
+
+* Fri Oct 10 2025 Karolina Surma <ksurma@redhat.com> - 3.9.24-1
+- Update to Python 3.9.24
+
+* Fri Jul 25 2025 Fedora Release Engineering <releng@fedoraproject.org> - 3.9.23-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
+
+* Wed Jun 04 2025 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.9.23-1
+- Update to 3.9.23
+
+* Wed Apr 23 2025 Miro Hrončok <mhroncok@redhat.com> - 3.9.22-2
+- Add RPM Provides for python3.9-libs, python3.9-devel, python3.9-idle, python3.9-tkinter, python3.9-test
+
+* Wed Apr 09 2025 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.9.22-1
+- Update to 3.9.22
+
+* Mon Mar 31 2025 Charalampos Stratakis <cstratak@redhat.com> - 3.9.21-5
+- Properly apply exported CFLAGS for dtrace/systemtap builds
+- Fixes: rhbz#2356304
+
+* Mon Feb 10 2025 Charalampos Stratakis <cstratak@redhat.com> - 3.9.21-4
+- Security fix for CVE-2025-0938
+- Fixes: rhbz#2343278
+
+* Sat Feb 01 2025 Björn Esser <besser82@fedoraproject.org> - 3.9.21-3
+- Add explicit BR: libxcrypt-devel
+
+* Sat Jan 18 2025 Fedora Release Engineering <releng@fedoraproject.org> - 3.9.21-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
+
+* Tue Dec 03 2024 Lumír Balhar <lbalhar@redhat.com> - 3.9.21-1
+- Update to 3.9.21
+- Fixes: rhbz#2321662
+
+* Mon Sep 09 2024 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.9.20-1
+- Update to 3.9.20
+
+* Fri Aug 23 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.9.19-6
+- Security fix for CVE-2024-8088
+- Fixes: rhbz#2307466
+
+* Tue Aug 13 2024 Lumír Balhar <lbalhar@redhat.com> - 3.9.19-5
+- Security fix for CVE-2024-4032 (rhbz#2293397)
+- Security fix for CVE-2024-6923 (rhbz#2303164)
+
+* Tue Jul 23 2024 Lumír Balhar <lbalhar@redhat.com> - 3.9.19-4
+- Require systemtap-sdt-devel for sys/sdt.h
+
+* Fri Jul 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.9.19-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
+
+* Wed Apr 17 2024 Miro Hrončok <mhroncok@redhat.com> - 3.9.19-2
+- Require expat >= 2.6 to prevent errors when creating venvs with older expat
+
+* Wed Mar 20 2024 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.9.19-1
+- Update to 3.9.19
+
+* Wed Feb 28 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.9.18-7
+- Fix tests for XMLPullParser with Expat 2.6.0
+
+* Mon Jan 29 2024 Karolina Surma <ksurma@redhat.com> - 3.9.18-6
+- Fix test_zlib when building with zlib-ng-compat
+
+* Fri Jan 26 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.9.18-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Mon Jan 22 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.9.18-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Mon Dec 18 2023 Lumír Balhar <lbalhar@redhat.com> - 3.9.18-3
+- Security fix for CVE-2023-27043 (rhbz#2196194)
+
+* Thu Nov 23 2023 Miro Hrončok <mhroncok@redhat.com> - 3.9.18-2
+- Fix implicit int compiler warning in configure check for PTHREAD_SCOPE_SYSTEM
+- Resolves: rhbz#2147519
+
+* Mon Aug 28 2023 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.9.18-1
+- Update to 3.9.18
+
+* Wed Aug 02 2023 Charalampos Stratakis <cstratak@redhat.com> - 3.9.17-3
+- Remove extra distro-applied CFLAGS passed to user built C extensions
+- https://fedoraproject.org/wiki/Changes/Python_Extension_Flags_Reduction
+
+* Fri Jul 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.9.17-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Thu Jun 08 2023 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.9.17-1
+- Update to 3.9.17
+
+* Mon May 29 2023 Lumír Balhar <lbalhar@redhat.com> - 3.9.16-4
+- Security fix for CVE-2023-24329
+- Resolves: rhbz#2174016
+
+* Fri Jan 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.9.16-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Tue Jan 03 2023 Miro Hrončok <mhroncok@redhat.com> - 3.9.16-2
+- No longer patch the default bytecode cache invalidation policy
+
 * Wed Dec 07 2022 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.9.16-1
 - Update to 3.9.16
 

sources

@@ -1,2 +1,2 @@
-SHA512 (Python-3.9.16.tar.xz) = b5fd0afe131c82bbce6ddf887c59eef6945910d6a9a2bc87c0927f4e4a096bf9ca4d25bcb729c40f6ebb8a65fbe8bf7b0b97a7c4a8c9e551240eb4f34b878653
-SHA512 (Python-3.9.16.tar.xz.asc) = 468959c36a3ec6136f57a39475fff4745a25be0cb5d3d58cf3e5faf0b9ce2d2a8b89f1f9fea1479c4c6ad12ac49e97c1cfd4291c978bb3d30df5a582ec315210
+SHA512 (Python-3.9.25.tar.xz) = 33fd65952cc3ce5df83825aa32a103935815bdd5a016e5fd9896cafb068a3f89b3a6134458a2694e4f0f4f8a9fbe84739b53116264728b32cde0f03ab210cb19
+SHA512 (Python-3.9.25.tar.xz.asc) = 83f0a0e558aa89a106bdffeeb9b0fa2685fbd7be5c5954f9176c59c6c7023716207b07239f202b3508cbb98ca34572161955f0bfd3732fdb9265721cd6723dbe

tests/provision.fmf

@@ -1,4 +0,0 @@
----
-standard-inventory-qcow2:
-  qemu:
-    m: 3G  # Amount of VM memory

tests/tests.yml

@@ -1,37 +0,0 @@
----
-- hosts: localhost
-  tags:
-    - classic
-  tasks:
-    - dnf:
-        name: "*"
-        state: latest
-
-- hosts: localhost
-  roles:
-  - role: standard-test-basic
-    tags:
-    - classic
-    repositories:
-    - repo: "https://src.fedoraproject.org/tests/python.git"
-      dest: "python"
-    tests:
-    - rpm_qa:
-        run: rpm -qa
-    - smoke:
-        dir: python/smoke
-        run: VERSION=3.9 ./venv.sh
-    - selftest:
-        dir: python/selftest
-        run: VERSION=3.9 X="-x test_wsgiref" ./parallel.sh
-    - marshalparser:
-        dir: python/marshalparser
-        run: VERSION=3.9 SAMPLE=10 test_marshalparser_compatibility.sh
-    required_packages:
-    - gcc  # for extension building in venv and selftest
-    - gdb  # for test_gdb
-    - python3.9  # the test subject
-    - python3-tox  # for venv tests
-    - glibc-all-langpacks # for locale tests
-    - marshalparser  # for testing compatibility (magic numbers) with marshalparser
-    - rpm  # for debugging