Security fix for CVE-2025-12084

(cherry picked from python3.10 commit 55d25b67d6153038b462d312e40c083d965ed5dc)

00001-rpath.patch

@@ -1,9 +1,10 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: David Malcolm <dmalcolm@redhat.com>
 Date: Wed, 13 Jan 2010 21:25:18 +0000
-Subject: [PATCH] 00001: Fixup distutils/unixccompiler.py to remove standard
- library path from rpath Was Patch0 in ivazquez' python3000 specfile
+Subject: 00001: Fixup distutils/unixccompiler.py to remove standard library
+ path from rpath
 
+Was Patch0 in ivazquez' python3000 specfile
 ---
  Lib/distutils/unixccompiler.py | 9 +++++++++
  1 file changed, 9 insertions(+)

00111-no-static-lib.patch

@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: David Malcolm <dmalcolm@redhat.com>
 Date: Mon, 18 Jan 2010 17:59:07 +0000
-Subject: [PATCH] 00111: Don't try to build a libpythonMAJOR.MINOR.a
+Subject: 00111: Don't try to build a libpythonMAJOR.MINOR.a
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

00189-use-rpm-wheels.patch

@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz>
 Date: Wed, 15 Aug 2018 15:36:29 +0200
-Subject: [PATCH] 00189: Instead of bundled wheels, use our RPM packaged wheels
+Subject: 00189: Instead of bundled wheels, use our RPM packaged wheels
 
 We keep them in /usr/share/python-wheels
 
@@ -12,7 +12,7 @@ We might eventually pursuit upstream support, but it's low prio
  1 file changed, 26 insertions(+), 11 deletions(-)
 
 diff --git a/Lib/ensurepip/__init__.py b/Lib/ensurepip/__init__.py
-index 07065c3cb7..77d7ec5a65 100644
+index d61bb089e3..77d7ec5a65 100644
 --- a/Lib/ensurepip/__init__.py
 +++ b/Lib/ensurepip/__init__.py
 @@ -1,3 +1,5 @@
@@ -30,7 +30,7 @@ index 07065c3cb7..77d7ec5a65 100644
  
  
  __all__ = ["version", "bootstrap"]
--_SETUPTOOLS_VERSION = "58.1.0"
+-_SETUPTOOLS_VERSION = "79.0.1"
 -_PIP_VERSION = "23.0.1"
 +
 +_WHEEL_DIR = "/usr/share/python-wheels/"

00251-change-user-install-location.patch

@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Michal Cyprian <m.cyprian@gmail.com>
 Date: Mon, 26 Jun 2017 16:32:56 +0200
-Subject: [PATCH] 00251: Change user install location
+Subject: 00251: Change user install location
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

00353-architecture-names-upstream-downstream.patch

@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Lumir Balhar <lbalhar@redhat.com>
 Date: Tue, 4 Aug 2020 12:04:03 +0200
-Subject: [PATCH] 00353: Original names for architectures with different names
+Subject: 00353: Original names for architectures with different names
  downstream
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8

00371-revert-bpo-1596321-fix-threading-_shutdown-for-the-main-thread-gh-28549-gh-28589.patch

@@ -1,8 +1,8 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Hrn=C4=8Diar?= <thrnciar@redhat.com>
 Date: Fri, 19 Nov 2021 13:37:16 +0100
-Subject: [PATCH] 00371: Revert "bpo-1596321: Fix threading._shutdown() for the
- main thread (GH-28549) (GH-28589)"
+Subject: 00371: Revert "bpo-1596321: Fix threading._shutdown() for the main
+ thread (GH-28549) (GH-28589)"
 
 This reverts commit 94d19f606fa18a1c4d2faca1caf2f470a8ce6d46. It
 introduced regression causing FreeIPA's tests to fail.

00407-gh-99086-fix-implicit-int-compiler-warning-in-configure-check-for-pthread_scope_system.patch

@@ -1,8 +1,8 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: "Erlend E. Aasland" <erlend.aasland@protonmail.com>
 Date: Sun, 6 Nov 2022 22:39:34 +0100
-Subject: [PATCH] 00407: gh-99086: Fix implicit int compiler warning in
- configure check for PTHREAD_SCOPE_SYSTEM
+Subject: 00407: gh-99086: Fix implicit int compiler warning in configure check
+ for PTHREAD_SCOPE_SYSTEM
 
 Co-authored-by: Sam James <sam@cmpct.info>
 ---

00438-fix-threadedvsocksocketstreamtest-gh-119465-gh-119479-119484.patch

@@ -1,66 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: "Miss Islington (bot)"
- <31488909+miss-islington@users.noreply.github.com>
-Date: Fri, 24 May 2024 01:23:55 +0200
-Subject: [PATCH] 00438: Fix ThreadedVSOCKSocketStreamTest (GH-119465)
- (GH-119479) (#119484)
-
-Fix ThreadedVSOCKSocketStreamTest: if get_cid() returns the host
-address or the "any" address, use the local communication address
-(loopback): VMADDR_CID_LOCAL.
-
-On Linux 6.9, apparently, the /dev/vsock device is now available but
-get_cid() returns VMADDR_CID_ANY (-1).
-
-(cherry picked from commit c750061047ee520d8299334df4b112fd983d7e48)
-
-Co-authored-by: Victor Stinner <vstinner@python.org>
-(cherry picked from commit e94dbe4ed83460f18bd72563c5f09f6cdc71f604)
-
-Co-authored-by: Victor Stinner <vstinner@python.org>
----
- Lib/test/test_socket.py | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/Lib/test/test_socket.py b/Lib/test/test_socket.py
-index b36cb5beae..2f73ec24c3 100755
---- a/Lib/test/test_socket.py
-+++ b/Lib/test/test_socket.py
-@@ -39,6 +39,7 @@ HOST = socket_helper.HOST
- # test unicode string and carriage return
- MSG = 'Michael Gilfix was here\u1234\r\n'.encode('utf-8')
- 
-+VMADDR_CID_LOCAL = 1
- VSOCKPORT = 1234
- AIX = platform.system() == "AIX"
- 
-@@ -122,8 +123,8 @@ def _have_socket_qipcrtr():
- 
- def _have_socket_vsock():
-     """Check whether AF_VSOCK sockets are supported on this host."""
--    ret = get_cid() is not None
--    return ret
-+    cid = get_cid()
-+    return (cid is not None)
- 
- 
- def _have_socket_bluetooth():
-@@ -485,8 +486,6 @@ class ThreadedRDSSocketTest(SocketRDSTest, ThreadableTest):
- @unittest.skipIf(fcntl is None, "need fcntl")
- @unittest.skipUnless(HAVE_SOCKET_VSOCK,
-           'VSOCK sockets required for this test.')
--@unittest.skipUnless(get_cid() != 2,
--          "This test can only be run on a virtual guest.")
- class ThreadedVSOCKSocketStreamTest(unittest.TestCase, ThreadableTest):
- 
-     def __init__(self, methodName='runTest'):
-@@ -507,6 +506,9 @@ class ThreadedVSOCKSocketStreamTest(unittest.TestCase, ThreadableTest):
-         self.cli = socket.socket(socket.AF_VSOCK, socket.SOCK_STREAM)
-         self.addCleanup(self.cli.close)
-         cid = get_cid()
-+        if cid in (socket.VMADDR_CID_HOST, socket.VMADDR_CID_ANY):
-+            # gh-119461: Use the local communication address (loopback)
-+            cid = VMADDR_CID_LOCAL
-         self.cli.connect((cid, VSOCKPORT))
- 
-     def testStream(self):

00452-properly-apply-exported-cflags-for-dtrace-systemtap-builds.patch

@@ -0,0 +1,51 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Mon, 31 Mar 2025 20:29:04 +0200
+Subject: 00452: Properly apply exported CFLAGS for dtrace/systemtap builds
+
+When using --with-dtrace the resulting object file could be missing
+specific CFLAGS exported by the build system due to the systemtap
+script using specific defaults.
+
+Exporting the CC and CFLAGS variables before the dtrace invocation
+allows us to properly apply CFLAGS exported by the build system
+even when cross-compiling.
+
+Co-authored-by: stratakis <cstratak@redhat.com>
+---
+ Makefile.pre.in                                               | 4 ++--
+ .../next/Build/2025-03-31-19-22-41.gh-issue-131865.PIJy7X.rst | 2 ++
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Build/2025-03-31-19-22-41.gh-issue-131865.PIJy7X.rst
+
+diff --git a/Makefile.pre.in b/Makefile.pre.in
+index 568018827b..b401724d92 100644
+--- a/Makefile.pre.in
++++ b/Makefile.pre.in
+@@ -989,7 +989,7 @@ Python/frozen.o: $(srcdir)/Python/importlib.h $(srcdir)/Python/importlib_externa
+ # an include guard, so we can't use a pipeline to transform its output.
+ Include/pydtrace_probes.h: $(srcdir)/Include/pydtrace.d
+ 	$(MKDIR_P) Include
+-	$(DTRACE) $(DFLAGS) -o $@ -h -s $<
++	CC="$(CC)" CFLAGS="$(CFLAGS)" $(DTRACE) $(DFLAGS) -o $@ -h -s $<
+ 	: sed in-place edit with POSIX-only tools
+ 	sed 's/PYTHON_/PyDTrace_/' $@ > $@.tmp
+ 	mv $@.tmp $@
+@@ -999,7 +999,7 @@ Python/import.o: $(srcdir)/Include/pydtrace.h
+ Modules/gcmodule.o: $(srcdir)/Include/pydtrace.h
+ 
+ Python/pydtrace.o: $(srcdir)/Include/pydtrace.d $(DTRACE_DEPS)
+-	$(DTRACE) $(DFLAGS) -o $@ -G -s $< $(DTRACE_DEPS)
++	CC="$(CC)" CFLAGS="$(CFLAGS)" $(DTRACE) $(DFLAGS) -o $@ -G -s $< $(DTRACE_DEPS)
+ 
+ Objects/typeobject.o: Objects/typeslots.inc
+ 
+diff --git a/Misc/NEWS.d/next/Build/2025-03-31-19-22-41.gh-issue-131865.PIJy7X.rst b/Misc/NEWS.d/next/Build/2025-03-31-19-22-41.gh-issue-131865.PIJy7X.rst
+new file mode 100644
+index 0000000000..a287e0b228
+--- /dev/null
++++ b/Misc/NEWS.d/next/Build/2025-03-31-19-22-41.gh-issue-131865.PIJy7X.rst
+@@ -0,0 +1,2 @@
++The DTrace build now properly passes the ``CC`` and ``CFLAGS`` variables
++to the ``dtrace`` command when utilizing SystemTap on Linux.

00471-cve-2025-12084.patch

@@ -0,0 +1,140 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Mon, 22 Dec 2025 14:48:49 +0100
+Subject: 00471: CVE-2025-12084
+
+* gh-142145: Remove quadratic behavior in node ID cache clearing (GH-142146)
+* gh-142754: Ensure that Element & Attr instances have the ownerDocument attribute (GH-142794)
+(cherry picked from commit 1cc7551b3f9f71efbc88d96dce90f82de98b2454)
+(cherry picked from commit 08d8e18ad81cd45bc4a27d6da478b51ea49486e4)
+(cherry picked from commit 8d2d7bb2e754f8649a68ce4116271a4932f76907)
+
+Co-authored-by: Jacob Walls <38668450+jacobtylerwalls@users.noreply.github.com>
+Co-authored-by: Seth Michael Larson <seth@python.org>
+Co-authored-by: Petr Viktorin <encukou@gmail.com>
+Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
+Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
+Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
+Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
+Co-authored-by: Gregory P. Smith <greg@krypto.org>
+---
+ Lib/test/test_minidom.py                      | 33 ++++++++++++++++++-
+ Lib/xml/dom/minidom.py                        | 11 ++-----
+ ...-12-01-09-36-45.gh-issue-142145.tcAUhg.rst |  6 ++++
+ 3 files changed, 41 insertions(+), 9 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst
+
+diff --git a/Lib/test/test_minidom.py b/Lib/test/test_minidom.py
+index 97620258d8..9f7f5b240e 100644
+--- a/Lib/test/test_minidom.py
++++ b/Lib/test/test_minidom.py
+@@ -2,6 +2,7 @@
+ 
+ import copy
+ import pickle
++import time
+ import io
+ from test import support
+ import unittest
+@@ -9,7 +10,7 @@ import unittest
+ import pyexpat
+ import xml.dom.minidom
+ 
+-from xml.dom.minidom import parse, Node, Document, parseString
++from xml.dom.minidom import parse, Attr, Node, Document, Element, parseString
+ from xml.dom.minidom import getDOMImplementation
+ from xml.parsers.expat import ExpatError
+ 
+@@ -163,6 +164,36 @@ class MinidomTest(unittest.TestCase):
+         self.confirm(dom.documentElement.childNodes[-1].data == "Hello")
+         dom.unlink()
+ 
++    @support.requires_resource('cpu')
++    def testAppendChildNoQuadraticComplexity(self):
++        impl = getDOMImplementation()
++
++        newdoc = impl.createDocument(None, "some_tag", None)
++        top_element = newdoc.documentElement
++        children = [newdoc.createElement(f"child-{i}") for i in range(1, 2 ** 15 + 1)]
++        element = top_element
++
++        start = time.monotonic()
++        for child in children:
++            element.appendChild(child)
++            element = child
++        end = time.monotonic()
++
++        # This example used to take at least 30 seconds.
++        # Conservative assertion due to the wide variety of systems and
++        # build configs timing based tests wind up run under.
++        # A --with-address-sanitizer --with-pydebug build on a rpi5 still
++        # completes this loop in <0.5 seconds.
++        self.assertLess(end - start, 4)
++
++    def testSetAttributeNodeWithoutOwnerDocument(self):
++        # regression test for gh-142754
++        elem = Element("test")
++        attr = Attr("id")
++        attr.value = "test-id"
++        elem.setAttributeNode(attr)
++        self.assertEqual(elem.getAttribute("id"), "test-id")
++
+     def testAppendChildFragment(self):
+         dom, orig, c1, c2, c3, frag = self._create_fragment_test_nodes()
+         dom.documentElement.appendChild(frag)
+diff --git a/Lib/xml/dom/minidom.py b/Lib/xml/dom/minidom.py
+index d09ef5e7d0..e4e8b42996 100644
+--- a/Lib/xml/dom/minidom.py
++++ b/Lib/xml/dom/minidom.py
+@@ -292,13 +292,6 @@ def _append_child(self, node):
+     childNodes.append(node)
+     node.parentNode = self
+ 
+-def _in_document(node):
+-    # return True iff node is part of a document tree
+-    while node is not None:
+-        if node.nodeType == Node.DOCUMENT_NODE:
+-            return True
+-        node = node.parentNode
+-    return False
+ 
+ def _write_data(writer, data):
+     "Writes datachars to writer."
+@@ -355,6 +348,7 @@ class Attr(Node):
+     def __init__(self, qName, namespaceURI=EMPTY_NAMESPACE, localName=None,
+                  prefix=None):
+         self.ownerElement = None
++        self.ownerDocument = None
+         self._name = qName
+         self.namespaceURI = namespaceURI
+         self._prefix = prefix
+@@ -678,6 +672,7 @@ class Element(Node):
+ 
+     def __init__(self, tagName, namespaceURI=EMPTY_NAMESPACE, prefix=None,
+                  localName=None):
++        self.ownerDocument = None
+         self.parentNode = None
+         self.tagName = self.nodeName = tagName
+         self.prefix = prefix
+@@ -1537,7 +1532,7 @@ def _clear_id_cache(node):
+     if node.nodeType == Node.DOCUMENT_NODE:
+         node._id_cache.clear()
+         node._id_search_stack = None
+-    elif _in_document(node):
++    elif node.ownerDocument:
+         node.ownerDocument._id_cache.clear()
+         node.ownerDocument._id_search_stack= None
+ 
+diff --git a/Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst b/Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst
+new file mode 100644
+index 0000000000..05c7df35d1
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst
+@@ -0,0 +1,6 @@
++Remove quadratic behavior in ``xml.minidom`` node ID cache clearing.  In order
++to do this without breaking existing users, we also add the *ownerDocument*
++attribute to :mod:`xml.dom.minidom` elements and attributes created by directly
++instantiating the ``Element`` or ``Attr`` class. Note that this way of creating
++nodes is not supported; creator functions like
++:py:meth:`xml.dom.Document.documentElement` should be used instead.

plan.fmf

@@ -0,0 +1,50 @@
+execute:
+  how: tmt
+
+provision:
+  hardware:
+    memory: '>= 3 GB'
+
+environment:
+  pybasever: '3.9'
+
+discover:
+  - name: tests_python
+    how: shell
+    url: https://src.fedoraproject.org/tests/python.git
+    tests:
+    - name: smoke
+      path: /smoke
+      test: "VERSION=${pybasever} ./venv.sh"
+    - name: debugsmoke
+      path: /smoke
+      test: "PYTHON=python${pybasever}d TOX=false VERSION=${pybasever} INSTALL_OR_SKIP=true ./venv.sh"
+    - name: selftest
+      path: /selftest
+      test: VERSION=${pybasever} X="-x test_wsgiref" ./parallel.sh
+    - name: marshalparser
+      path: /marshalparser
+      test: "VERSION=${pybasever} SAMPLE=10 ./test_marshalparser_compatibility.sh"
+
+prepare:
+  - name: Install dependencies
+    how: install
+    package:
+    - gcc  # for extension building in venv and selftest
+    - gdb  # for test_gdb
+    - "python${pybasever}"  # the test subject
+    - "python${pybasever}-devel"  # for extension building in venv and selftest
+    - "python${pybasever}-tkinter"  # for selftest
+    - "python${pybasever}-test"  # for selftest
+    - python3-tox  # for venv tests
+    - glibc-all-langpacks # for locale tests
+    - marshalparser  # for testing compatibility (magic numbers) with marshalparser
+    - rpm  # for debugging marshalparser
+    - dnf  # for upgrade
+  - name: Update packages
+    how: shell
+    script: dnf upgrade -y
+  - name: rpm_qa
+    order: 100
+    how: shell
+    script: rpm -qa | sort | tee $TMT_PLAN_DATA/rpmqa.txt

python3.9.spec

@@ -13,11 +13,11 @@ URL: https://www.python.org/
 
 #  WARNING  When rebasing to a new Python version,
 #           remember to update the python3-docs package as well
-%global general_version %{pybasever}.20
+%global general_version %{pybasever}.25
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 1%{?dist}
+Release: 3%{?dist}
 License: Python
 
 
@@ -40,9 +40,10 @@ License: Python
 %endif
 
 # Flat package, i.e. no separate subpackages
-# Default (in Fedora): if this is a main Python, it is not a flatpackage
+# Default (in Fedora >= 44): disabled
+# Default (in Fedora < 44): enabled when this is not the main Python
 # Not supported: Combination of flatpackage enabled and main_python enabled
-%if %{with main_python}
+%if %{with main_python} || 0%{?fedora} >= 44
 %bcond_with flatpackage
 %else
 %bcond_without flatpackage
@@ -237,6 +238,7 @@ BuildRequires: libnsl2-devel
 BuildRequires: libtirpc-devel
 BuildRequires: libGL-devel
 BuildRequires: libuuid-devel
+BuildRequires: libxcrypt-devel
 BuildRequires: libX11-devel
 BuildRequires: make
 BuildRequires: ncurses-devel
@@ -249,9 +251,9 @@ BuildRequires: sqlite-devel
 BuildRequires: gdb
 
 BuildRequires: tar
-BuildRequires: tcl-devel
+BuildRequires: tcl-devel < 1:9
 BuildRequires: tix-devel
-BuildRequires: tk-devel
+BuildRequires: tk-devel < 1:9
 BuildRequires: tzdata
 
 %if %{with valgrind}
@@ -270,6 +272,9 @@ BuildRequires: /usr/sbin/ifconfig
 %if %{with rpmwheels}
 BuildRequires: python-setuptools-wheel
 BuildRequires: python-pip-wheel
+%else
+# For %%python_wheel_inject_sbom
+BuildRequires: python-rpm-macros
 %endif
 
 %if %{without bootstrap}
@@ -302,6 +307,7 @@ Source11: idle3.appdata.xml
 
 # 00001 # d06a8853cf4bae9e115f45e1d531d2dc152c5cc8
 # Fixup distutils/unixccompiler.py to remove standard library path from rpath
+#
 # Was Patch0 in ivazquez' python3000 specfile
 Patch1: 00001-rpath.patch
 
@@ -313,7 +319,7 @@ Patch1: 00001-rpath.patch
 # See https://bugzilla.redhat.com/show_bug.cgi?id=556092
 Patch111: 00111-no-static-lib.patch
 
-# 00189 # 60517f098bd1525ad454adf7252b60a3d6b0f8ba
+# 00189 # 0c6dd5d318a22bbe89e09e1cd5513eaaca549aa5
 # Instead of bundled wheels, use our RPM packaged wheels
 #
 # We keep them in /usr/share/python-wheels
@@ -326,7 +332,7 @@ Patch189: 00189-use-rpm-wheels.patch
 # When the bundled setuptools/pip wheel is updated, the patch no longer applies cleanly.
 # In such cases, the patch needs to be amended and the versions updated here:
 %global pip_version 23.0.1
-%global setuptools_version 58.1.0
+%global setuptools_version 79.0.1
 
 # 00251 # 1b1047c14ff98eae6d355b4aac4df3e388813f62
 # Change user install location
@@ -385,16 +391,24 @@ Patch371: 00371-revert-bpo-1596321-fix-threading-_shutdown-for-the-main-thread-g
 # gh-99086: Fix implicit int compiler warning in configure check for PTHREAD_SCOPE_SYSTEM
 Patch407: 00407-gh-99086-fix-implicit-int-compiler-warning-in-configure-check-for-pthread_scope_system.patch
 
-# 00438 # 640f507108d102da99fa2f39d268a43f86c97acb
-# Fix ThreadedVSOCKSocketStreamTest (GH-119465) (GH-119479) (#119484)
+# 00452 # eb11d070c5af7d1b5e47f4e02186152d08eaf793
+# Properly apply exported CFLAGS for dtrace/systemtap builds
 #
-# Fix ThreadedVSOCKSocketStreamTest: if get_cid() returns the host
-# address or the "any" address, use the local communication address
-# (loopback): VMADDR_CID_LOCAL.
+# When using --with-dtrace the resulting object file could be missing
+# specific CFLAGS exported by the build system due to the systemtap
+# script using specific defaults.
 #
-# On Linux 6.9, apparently, the /dev/vsock device is now available but
-# get_cid() returns VMADDR_CID_ANY (-1).
-Patch438: 00438-fix-threadedvsocksocketstreamtest-gh-119465-gh-119479-119484.patch
+# Exporting the CC and CFLAGS variables before the dtrace invocation
+# allows us to properly apply CFLAGS exported by the build system
+# even when cross-compiling.
+Patch452: 00452-properly-apply-exported-cflags-for-dtrace-systemtap-builds.patch
+
+# 00471 # fc5f344f7e15c13dbf41824a1b7a82d92205f79d
+# CVE-2025-12084
+#
+# * gh-142145: Remove quadratic behavior in node ID cache clearing (GH-142146)
+# * gh-142754: Ensure that Element & Attr instances have the ownerDocument attribute (GH-142794)
+Patch471: 00471-cve-2025-12084.patch
 
 # (New patches go here ^^^)
 #
@@ -464,9 +478,18 @@ Obsoletes: platform-python < %{pybasever}
 Provides: python%{pyshortver} = %{version}-%{release}
 Obsoletes: python%{pyshortver} < %{version}-%{release}
 
+# https://docs.fedoraproject.org/en-US/packaging-guidelines/#_one_to_many_replacement
+Obsoletes: %{pkgname} < 3.9.24-2
+
+%if %{with main_python}
 # Packages with Python modules in standard locations automatically
 # depend on python(abi). Provide that here.
 Provides: python(abi) = %{pybasever}
+%else
+# We exclude the `python(abi)` Provides
+%global __requires_exclude ^python\\(abi\\) = 3\\..+
+%global __provides_exclude ^python\\(abi\\) = 3\\..+
+%endif
 
 Requires: %{pkgname}-libs%{?_isa} = %{version}-%{release}
 
@@ -581,6 +604,8 @@ Conflicts: python-libs < 3
 # (We explicitly conflict with python-libs and not python2-libs, so only the
 # old Python 2 builds that still provided unversioned Python are handled.)
 
+# https://docs.fedoraproject.org/en-US/packaging-guidelines/#_one_to_many_replacement
+Obsoletes: %{pkgname} < 3.9.24-2
 
 %description -n %{pkgname}-libs
 This package contains runtime libraries for use by Python:
@@ -600,6 +625,7 @@ Requires: (python3-rpm-macros if rpm-build)
 Requires: (pyproject-rpm-macros if rpm-build)
 
 %if %{without bootstrap}
+%if %{with main_python}
 # This is not "API" (packages that need setuptools should still BuildRequire it)
 # However some packages apparently can build both with and without setuptools
 # producing egg-info as file or directory (depending on setuptools presence).
@@ -608,6 +634,7 @@ Requires: (pyproject-rpm-macros if rpm-build)
 # See https://bugzilla.redhat.com/show_bug.cgi?id=1623914
 # See https://fedoraproject.org/wiki/Packaging:Directory_Replacement
 Requires: (%{pkgname}-setuptools if rpm-build)
+%endif
 
 Requires: (python3-rpm-generators if rpm-build)
 %endif
@@ -627,6 +654,9 @@ Provides:  platform-python-devel%{?_isa} = %{version}-%{release}
 Obsoletes: platform-python-devel < %{pybasever}
 %endif
 
+# https://docs.fedoraproject.org/en-US/packaging-guidelines/#_one_to_many_replacement
+Obsoletes: %{pkgname} < 3.9.24-2
+
 %description -n %{pkgname}-devel
 This package contains the header files and configuration needed to compile
 Python extension modules (typically written in C or C++), to embed Python
@@ -651,6 +681,9 @@ Obsoletes: %{pkgname}-tools < %{version}-%{release}
 # In Fedora 31, /usr/bin/idle was moved here from Python 2.
 Conflicts: python-tools < 3
 
+# https://docs.fedoraproject.org/en-US/packaging-guidelines/#_one_to_many_replacement
+Obsoletes: %{pkgname} < 3.9.24-2
+
 %description -n %{pkgname}-idle
 IDLE is Python’s Integrated Development and Learning Environment.
 
@@ -672,6 +705,9 @@ Requires: %{pkgname} = %{version}-%{release}
 # (We don't provide python3-turtledemo, that's not too useful when imported.)
 %py_provides %{pkgname}-turtle
 
+# https://docs.fedoraproject.org/en-US/packaging-guidelines/#_one_to_many_replacement
+Obsoletes: %{pkgname} < 3.9.24-2
+
 %description -n %{pkgname}-tkinter
 The Tkinter (Tk interface) library is a graphical user interface toolkit for
 the Python programming language.
@@ -682,6 +718,9 @@ Summary: The self-test suite for the main python3 package
 Requires: %{pkgname} = %{version}-%{release}
 Requires: %{pkgname}-libs%{?_isa} = %{version}-%{release}
 
+# https://docs.fedoraproject.org/en-US/packaging-guidelines/#_one_to_many_replacement
+Obsoletes: %{pkgname} < 3.9.24-2
+
 %description -n %{pkgname}-test
 The self-test suite for the Python interpreter.
 
@@ -732,11 +771,6 @@ The debug runtime additionally supports debug builds of C-API extensions
 
 %else  # with flatpackage
 
-# We'll not provide this, on purpose
-# No package in Fedora shall ever depend on flatpackage via this
-%global __requires_exclude ^python\\(abi\\) = 3\\..$
-%global __provides_exclude ^python\\(abi\\) = 3\\..$
-
 # Python interpreter packages used to be named (or provide) name pythonXY (e.g.
 # python39). However, to align it with the executable names and to prepare for
 # Python 3.10, they were renamed to pythonX.Y (e.g. python3.9, python3.10). We
@@ -769,6 +803,16 @@ Requires: tzdata
 # Other subpackages (like -debug) also need this, but they all depend on -libs.
 Requires: expat >= 2.6
 
+# Provides of the subpackages contained in flatpackage
+Provides: %{pkgname}-libs = %{version}-%{release}
+Provides: %{pkgname}-devel = %{version}-%{release}
+Provides: %{pkgname}-idle = %{version}-%{release}
+Provides: %{pkgname}-tkinter = %{version}-%{release}
+Provides: %{pkgname}-test = %{version}-%{release}
+%if %{with debug_build}
+Provides: %{pkgname}-debug = %{version}-%{release}
+%endif
+
 # The description for the flat package (SRPM and built)
 %description
 Python %{pybasever} package for developers.
@@ -1225,6 +1269,11 @@ for file in %{buildroot}%{pylibdir}/pydoc_data/topics.py $(grep --include='*.py'
     rm ${directory}/{__pycache__/${module}.cpython-%{pyshortver}.opt-?.pyc,${module}.py}
 done
 
+%if %{without rpmwheels}
+# Inject SBOM into the installed wheels (if the macro is available)
+%{?python_wheel_inject_sbom:%python_wheel_inject_sbom %{buildroot}%{pylibdir}/ensurepip/_bundled/*.whl}
+%endif
+
 # ======================================================
 # Checks for packaging issues
 # ======================================================
@@ -1492,6 +1541,10 @@ CheckPython optimized
 %dir %{pylibdir}/site-packages/
 %dir %{pylibdir}/site-packages/__pycache__/
 %{pylibdir}/site-packages/README.txt
+
+%exclude %{pylibdir}/_sysconfigdata_d_linux_%{platform_triplet}.py
+%exclude %{pylibdir}/__pycache__/_sysconfigdata_d_linux_%{platform_triplet}%{bytecode_suffixes}
+
 %{pylibdir}/*.py
 %dir %{pylibdir}/__pycache__/
 %{pylibdir}/__pycache__/*%{bytecode_suffixes}
@@ -1820,6 +1873,9 @@ CheckPython optimized
 %{dynload_dir}/_testinternalcapi.%{SOABI_debug}.so
 %{dynload_dir}/_testmultiphase.%{SOABI_debug}.so
 
+%{pylibdir}/_sysconfigdata_d_linux_%{platform_triplet}.py
+%{pylibdir}/__pycache__/_sysconfigdata_d_linux_%{platform_triplet}%{bytecode_suffixes}
+
 %endif # with debug_build
 
 # We put the debug-gdb.py file inside /usr/lib/debug to avoid noise from ldconfig
@@ -1843,6 +1899,52 @@ CheckPython optimized
 # ======================================================
 
 %changelog
+* Wed Jan 14 2026 Lumír Balhar <lbalhar@redhat.com> - 3.9.25-3
+- Security fix for CVE-2025-12084
+
+* Mon Nov 10 2025 Tomas Orsava <torsava@redhat.com> - 3.9.25-2
+- Move _sysconfigdata_d_linux*.py to the debug subpackage
+
+* Mon Nov 03 2025 Karolina Surma <ksurma@redhat.com> - 3.9.25-1
+- Update to Python 3.9.25
+
+* Wed Oct 15 2025 Miro Hrončok <mhroncok@redhat.com> - 3.9.24-2
+- On Fedora 44+, split this package into multiple subpackages
+- This mimics newer Python versions
+
+* Fri Oct 10 2025 Karolina Surma <ksurma@redhat.com> - 3.9.24-1
+- Update to Python 3.9.24
+
+* Fri Jul 25 2025 Fedora Release Engineering <releng@fedoraproject.org> - 3.9.23-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
+
+* Wed Jun 04 2025 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.9.23-1
+- Update to 3.9.23
+
+* Wed Apr 23 2025 Miro Hrončok <mhroncok@redhat.com> - 3.9.22-2
+- Add RPM Provides for python3.9-libs, python3.9-devel, python3.9-idle, python3.9-tkinter, python3.9-test
+
+* Wed Apr 09 2025 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.9.22-1
+- Update to 3.9.22
+
+* Mon Mar 31 2025 Charalampos Stratakis <cstratak@redhat.com> - 3.9.21-5
+- Properly apply exported CFLAGS for dtrace/systemtap builds
+- Fixes: rhbz#2356304
+
+* Mon Feb 10 2025 Charalampos Stratakis <cstratak@redhat.com> - 3.9.21-4
+- Security fix for CVE-2025-0938
+- Fixes: rhbz#2343278
+
+* Sat Feb 01 2025 Björn Esser <besser82@fedoraproject.org> - 3.9.21-3
+- Add explicit BR: libxcrypt-devel
+
+* Sat Jan 18 2025 Fedora Release Engineering <releng@fedoraproject.org> - 3.9.21-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
+
+* Tue Dec 03 2024 Lumír Balhar <lbalhar@redhat.com> - 3.9.21-1
+- Update to 3.9.21
+- Fixes: rhbz#2321662
+
 * Mon Sep 09 2024 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.9.20-1
 - Update to 3.9.20
 

sources

@@ -1,2 +1,2 @@
-SHA512 (Python-3.9.20.tar.xz) = c828f33edf1704e3149499d6d34e89264cb5cdb2b09ff05561641b359716d7996f0fe928629e09f006b1fd7850fdaf937275919c7fdd83f5efc32707c64d814b
-SHA512 (Python-3.9.20.tar.xz.asc) = f21c012f4f642542479ba329da9654589e5a7f7305c39fb1b6f136b578316bdb115cef9773c9a9fe4e195677af01cb80af05780613cca83f42fae131862a9584
+SHA512 (Python-3.9.25.tar.xz) = 33fd65952cc3ce5df83825aa32a103935815bdd5a016e5fd9896cafb068a3f89b3a6134458a2694e4f0f4f8a9fbe84739b53116264728b32cde0f03ab210cb19
+SHA512 (Python-3.9.25.tar.xz.asc) = 83f0a0e558aa89a106bdffeeb9b0fa2685fbd7be5c5954f9176c59c6c7023716207b07239f202b3508cbb98ca34572161955f0bfd3732fdb9265721cd6723dbe

tests/provision.fmf

@@ -1,4 +0,0 @@
----
-standard-inventory-qcow2:
-  qemu:
-    m: 3G  # Amount of VM memory

tests/tests.yml

@@ -1,37 +0,0 @@
----
-- hosts: localhost
-  tags:
-    - classic
-  tasks:
-    - dnf:
-        name: "*"
-        state: latest
-
-- hosts: localhost
-  roles:
-  - role: standard-test-basic
-    tags:
-    - classic
-    repositories:
-    - repo: "https://src.fedoraproject.org/tests/python.git"
-      dest: "python"
-    tests:
-    - rpm_qa:
-        run: rpm -qa
-    - smoke:
-        dir: python/smoke
-        run: VERSION=3.9 ./venv.sh
-    - selftest:
-        dir: python/selftest
-        run: VERSION=3.9 X="-x test_wsgiref" ./parallel.sh
-    - marshalparser:
-        dir: python/marshalparser
-        run: VERSION=3.9 SAMPLE=10 test_marshalparser_compatibility.sh
-    required_packages:
-    - gcc  # for extension building in venv and selftest
-    - gdb  # for test_gdb
-    - python3.9  # the test subject
-    - python3-tox  # for venv tests
-    - glibc-all-langpacks # for locale tests
-    - marshalparser  # for testing compatibility (magic numbers) with marshalparser
-    - rpm  # for debugging