import python3.11-3.11.4-3.el9

1 year ago · 7c01f56f5b
parent 3d20d8a8d4
commit 7c01f56f5b
7 changed files with 514 additions and 23 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1 @@
-SOURCES/Python-3.11.2.tar.xz
+SOURCES/Python-3.11.4.tar.xz
 SOURCES/pgp_keys.asc
--- a/.python3.11.metadata
+++ b/.python3.11.metadata
@ -1,2 +1 @@
-ae1c199ecb7a969588b15354e19e7b60cb65d1b9 SOURCES/Python-3.11.2.tar.xz
+413b3715d919a7b473281529ab91eeea5c82e632 SOURCES/Python-3.11.4.tar.xz
 befe131eceffa73877ba3adceca3b7b1da1d2319 SOURCES/pgp_keys.asc
--- a/SOURCES/00397-tarfile-filter.patch
+++ b/SOURCES/00397-tarfile-filter.patch
@ -0,0 +1,361 @@
 From f36519078bde3cce4328c03fffccb846121fb5bc Mon Sep 17 00:00:00 2001
 From: Petr Viktorin <encukou@gmail.com>
 Date: Wed, 9 Aug 2023 20:23:03 +0200
 Subject: [PATCH] Fix symlink handling for tarfile.data_filter
 ---
 Doc/library/tarfile.rst  |  5 +++++
 Lib/tarfile.py           |  9 ++++++++-
 Lib/test/test_tarfile.py | 26 ++++++++++++++++++++++++--
 3 files changed, 37 insertions(+), 3 deletions(-)
 diff --git a/Doc/library/tarfile.rst b/Doc/library/tarfile.rst
 index 00f3070324e..e0511bfeb64 100644
 --- a/Doc/library/tarfile.rst
 +++ b/Doc/library/tarfile.rst
@@ -740,6 +740,11 @@ A ``TarInfo`` object has the following public data attributes:
    Name of the target file name, which is only present in :class:`TarInfo` objects
    of type :const:`LNKTYPE` and :const:`SYMTYPE`.
 +   For symbolic links (``SYMTYPE``), the linkname is relative to the directory
 +   that contains the link.
 +   For hard links (``LNKTYPE``), the linkname is relative to the root of
 +   the archive.
 +
 .. attribute:: TarInfo.uid
    :type: int
 diff --git a/Lib/tarfile.py b/Lib/tarfile.py
 index df4e41f7a0d..d62323715b4 100755
 --- a/Lib/tarfile.py
 +++ b/Lib/tarfile.py
@@ -802,7 +802,14 @@ def _get_filtered_attrs(member, dest_path, for_data=True):
         if member.islnk() or member.issym():
             if os.path.isabs(member.linkname):
                 raise AbsoluteLinkError(member)
 -            target_path = os.path.realpath(os.path.join(dest_path, member.linkname))
 +            if member.issym():
 +                target_path = os.path.join(dest_path,
 +                                           os.path.dirname(name),
 +                                           member.linkname)
 +            else:
 +                target_path = os.path.join(dest_path,
 +                                           member.linkname)
 +            target_path = os.path.realpath(target_path)
             if os.path.commonpath([target_path, dest_path]) != dest_path:
                 raise LinkOutsideDestinationError(member, target_path)
     return new_attrs
 diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
 index 2eda7fc4cea..79fc35c2895 100644
 --- a/Lib/test/test_tarfile.py
 +++ b/Lib/test/test_tarfile.py
@@ -3337,10 +3337,12 @@ def __exit__(self, *exc):
         self.bio = None
     def add(self, name, *, type=None, symlink_to=None, hardlink_to=None,
 -            mode=None, **kwargs):
 +            mode=None, size=None, **kwargs):
         """Add a member to the test archive. Call within `with`."""
         name = str(name)
         tarinfo = tarfile.TarInfo(name).replace(**kwargs)
 +        if size is not None:
 +            tarinfo.size = size
         if mode:
             tarinfo.mode = _filemode_to_int(mode)
         if symlink_to is not None:
@@ -3416,7 +3418,8 @@ def check_context(self, tar, filter):
                 raise self.raised_exception
             self.assertEqual(self.expected_paths, set())
 -    def expect_file(self, name, type=None, symlink_to=None, mode=None):
 +    def expect_file(self, name, type=None, symlink_to=None, mode=None,
 +                    size=None):
         """Check a single file. See check_context."""
         if self.raised_exception:
             raise self.raised_exception
@@ -3445,6 +3448,8 @@ def expect_file(self, name, type=None, symlink_to=None, mode=None):
             self.assertTrue(path.is_fifo())
         else:
             raise NotImplementedError(type)
 +        if size is not None:
 +            self.assertEqual(path.stat().st_size, size)
         for parent in path.parents:
             self.expected_paths.discard(parent)
@@ -3649,6 +3654,22 @@ def test_sly_relative2(self):
                     + """['"].*moo['"], which is outside the """
                     + "destination")
 +    def test_deep_symlink(self):
 +        with ArchiveMaker() as arc:
 +            arc.add('targetdir/target', size=3)
 +            arc.add('linkdir/hardlink', hardlink_to='targetdir/target')
 +            arc.add('linkdir/symlink', symlink_to='../targetdir/target')
 +
 +        for filter in 'tar', 'data', 'fully_trusted':
 +            with self.check_context(arc.open(), filter):
 +                self.expect_file('targetdir/target', size=3)
 +                self.expect_file('linkdir/hardlink', size=3)
 +                if os_helper.can_symlink():
 +                    self.expect_file('linkdir/symlink', size=3,
 +                                     symlink_to='../targetdir/target')
 +                else:
 +                    self.expect_file('linkdir/symlink', size=3)
 +
     def test_modes(self):
         # Test how file modes are extracted
         # (Note that the modes are ignored on platforms without working chmod)
 -- 
 2.41.0
 From 8b70605b594b3831331a9340ba764ff751871612 Mon Sep 17 00:00:00 2001
 From: Petr Viktorin <encukou@gmail.com>
 Date: Mon, 6 Mar 2023 17:24:24 +0100
 Subject: [PATCH] CVE-2007-4559, PEP-706: Add filters for tarfile extraction
 (downstream)
 Add and test RHEL-specific ways of configuring the default behavior: environment
 variable and config file.
 ---
 Lib/tarfile.py           |  42 +++++++++++++
 Lib/test/test_shutil.py  |   3 +-
 Lib/test/test_tarfile.py | 128 ++++++++++++++++++++++++++++++++++++++-
 3 files changed, 169 insertions(+), 4 deletions(-)
 diff --git a/Lib/tarfile.py b/Lib/tarfile.py
 index 130b5e0..3b7d8d5 100755
 --- a/Lib/tarfile.py
 +++ b/Lib/tarfile.py
@@ -72,6 +72,13 @@ __all__ = ["TarFile", "TarInfo", "is_tarfile", "TarError", "ReadError",
            "ENCODING", "USTAR_FORMAT", "GNU_FORMAT", "PAX_FORMAT",
            "DEFAULT_FORMAT", "open"]
 +# If true, use the safer (but backwards-incompatible) 'tar' extraction filter,
 +# rather than 'fully_trusted', by default.
 +# The emitted warning is changed to match.
 +_RH_SAFER_DEFAULT = True
 +
 +# System-wide configuration file
 +_CONFIG_FILENAME = '/etc/python/tarfile.cfg'
 #---------------------------------------------------------
 # tar constants
@@ -2211,6 +2218,41 @@ class TarFile(object):
         if filter is None:
             filter = self.extraction_filter
             if filter is None:
 +                name = os.environ.get('PYTHON_TARFILE_EXTRACTION_FILTER')
 +                if name is None:
 +                    try:
 +                        file = bltn_open(_CONFIG_FILENAME)
 +                    except FileNotFoundError:
 +                        pass
 +                    else:
 +                        import configparser
 +                        conf = configparser.ConfigParser(
 +                            interpolation=None,
 +                            comment_prefixes=('#', ),
 +                        )
 +                        with file:
 +                            conf.read_file(file)
 +                        name = conf.get('tarfile',
 +                                        'PYTHON_TARFILE_EXTRACTION_FILTER',
 +                                        fallback='')
 +                if name:
 +                    try:
 +                        filter = _NAMED_FILTERS[name]
 +                    except KeyError:
 +                        raise ValueError(f"filter {filter!r} not found") from None
 +                    self.extraction_filter = filter
 +                    return filter
 +                if _RH_SAFER_DEFAULT:
 +                    warnings.warn(
 +                        'The default behavior of tarfile extraction has been '
 +                        + 'changed to disallow common exploits '
 +                        + '(including CVE-2007-4559). '
 +                        + 'By default, absolute/parent paths are disallowed '
 +                        + 'and some mode bits are cleared. '
 +                        + 'See https://access.redhat.com/articles/7004769 '
 +                        + 'for more details.',
 +                        RuntimeWarning)
 +                    return tar_filter
                 return fully_trusted_filter
             if isinstance(filter, str):
                 raise TypeError(
 diff --git a/Lib/test/test_shutil.py b/Lib/test/test_shutil.py
 index 9bf4145..f247b82 100644
 --- a/Lib/test/test_shutil.py
 +++ b/Lib/test/test_shutil.py
@@ -1665,7 +1665,8 @@ class TestArchives(BaseTest, unittest.TestCase):
     def check_unpack_tarball(self, format):
         self.check_unpack_archive(format, filter='fully_trusted')
         self.check_unpack_archive(format, filter='data')
 -        with warnings_helper.check_no_warnings(self):
 +        with warnings_helper.check_warnings(
 +                ('.*CVE-2007-4559', RuntimeWarning)):
             self.check_unpack_archive(format)
     def test_unpack_archive_tar(self):
 diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
 index cdea033..4724285 100644
 --- a/Lib/test/test_tarfile.py
 +++ b/Lib/test/test_tarfile.py
@@ -2,7 +2,7 @@ import sys
 import os
 import io
 from hashlib import sha256
 -from contextlib import contextmanager
 +from contextlib import contextmanager, ExitStack
 from random import Random
 import pathlib
 import shutil
@@ -2999,7 +2999,11 @@ class NoneInfoExtractTests(ReadTest):
         tar = tarfile.open(tarname, mode='r', encoding="iso8859-1")
         cls.control_dir = pathlib.Path(TEMPDIR) / "extractall_ctrl"
         tar.errorlevel = 0
 -        tar.extractall(cls.control_dir, filter=cls.extraction_filter)
 +        with ExitStack() as cm:
 +            if cls.extraction_filter is None:
 +                cm.enter_context(warnings.catch_warnings())
 +                warnings.simplefilter(action="ignore", category=RuntimeWarning)
 +            tar.extractall(cls.control_dir, filter=cls.extraction_filter)
         tar.close()
         cls.control_paths = set(
             p.relative_to(cls.control_dir)
@@ -3674,7 +3678,8 @@ class TestExtractionFilters(unittest.TestCase):
         """Ensure the default filter does not warn (like in 3.12)"""
         with ArchiveMaker() as arc:
             arc.add('foo')
 -        with warnings_helper.check_no_warnings(self):
 +        with warnings_helper.check_warnings(
 +                ('.*CVE-2007-4559', RuntimeWarning)):
             with self.check_context(arc.open(), None):
                 self.expect_file('foo')
@@ -3844,6 +3849,123 @@ class TestExtractionFilters(unittest.TestCase):
             self.expect_exception(TypeError)  # errorlevel is not int
 +    @contextmanager
 +    def rh_config_context(self, config_lines=None):
 +        """Set up for testing various ways of overriding the default filter
 +
 +        return a triple with:
 +        - temporary directory
 +        - EnvironmentVarGuard()
 +        - a test archive for use with check_* methods below
 +
 +        If config_lines is given, write them to the config file. Otherwise
 +        the config file is missing.
 +        """
 +        tempdir = pathlib.Path(TEMPDIR) / 'tmp'
 +        configfile = tempdir / 'tarfile.cfg'
 +        with ArchiveMaker() as arc:
 +            arc.add('good')
 +            arc.add('ugly', symlink_to='/etc/passwd')
 +            arc.add('../bad')
 +        with (
 +                os_helper.temp_dir(tempdir),
 +                support.swap_attr(tarfile, '_CONFIG_FILENAME', str(configfile)),
 +                os_helper.EnvironmentVarGuard() as env,
 +                arc.open() as tar,
 +        ):
 +            if config_lines is not None:
 +                with configfile.open('w') as f:
 +                    for line in config_lines:
 +                        print(line, file=f)
 +            yield tempdir, env, tar
 +
 +    def check_rh_default_behavior(self, tar, tempdir):
 +        """Check RH default: warn and refuse to extract dangerous files."""
 +        with (
 +                warnings_helper.check_warnings(
 +                    ('.*CVE-2007-4559', RuntimeWarning)),
 +                self.assertRaises(tarfile.OutsideDestinationError),
 +        ):
 +            tar.extractall(tempdir / 'outdir')
 +
 +    def check_trusted_default(self, tar, tempdir):
 +        """Check 'fully_trusted' is configured as the default filter."""
 +        with (
 +                warnings_helper.check_no_warnings(self),
 +        ):
 +            tar.extractall(tempdir / 'outdir')
 +            self.assertTrue((tempdir / 'outdir/good').exists())
 +            self.assertEqual((tempdir / 'outdir/ugly').readlink(),
 +                             pathlib.Path('/etc/passwd'))
 +            self.assertTrue((tempdir / 'bad').exists())
 +
 +    def test_rh_default_no_conf(self):
 +        with self.rh_config_context() as (tempdir, env, tar):
 +            self.check_rh_default_behavior(tar, tempdir)
 +
 +    def test_rh_default_from_file(self):
 +        lines = ['[tarfile]', 'PYTHON_TARFILE_EXTRACTION_FILTER=fully_trusted']
 +        with self.rh_config_context(lines) as (tempdir, env, tar):
 +            self.check_trusted_default(tar, tempdir)
 +
 +    def test_rh_empty_config_file(self):
 +        """Empty config file -> default behavior"""
 +        lines = []
 +        with self.rh_config_context(lines) as (tempdir, env, tar):
 +            self.check_rh_default_behavior(tar, tempdir)
 +
 +    def test_empty_config_section(self):
 +        """Empty section in config file -> default behavior"""
 +        lines = ['[tarfile]']
 +        with self.rh_config_context(lines) as (tempdir, env, tar):
 +            self.check_rh_default_behavior(tar, tempdir)
 +
 +    def test_rh_default_empty_config_option(self):
 +        """Empty option value in config file -> default behavior"""
 +        lines = ['[tarfile]', 'PYTHON_TARFILE_EXTRACTION_FILTER=']
 +        with self.rh_config_context(lines) as (tempdir, env, tar):
 +            self.check_rh_default_behavior(tar, tempdir)
 +
 +    def test_bad_config_option(self):
 +        """Bad option value in config file -> ValueError"""
 +        lines = ['[tarfile]', 'PYTHON_TARFILE_EXTRACTION_FILTER=unknown!']
 +        with self.rh_config_context(lines) as (tempdir, env, tar):
 +            with self.assertRaises(ValueError):
 +                tar.extractall(tempdir / 'outdir')
 +
 +    def test_default_from_envvar(self):
 +        with self.rh_config_context() as (tempdir, env, tar):
 +            env['PYTHON_TARFILE_EXTRACTION_FILTER'] = 'fully_trusted'
 +            self.check_trusted_default(tar, tempdir)
 +
 +    def test_empty_envvar(self):
 +        """Empty env variable -> default behavior"""
 +        with self.rh_config_context() as (tempdir, env, tar):
 +            env['PYTHON_TARFILE_EXTRACTION_FILTER'] = ''
 +            self.check_rh_default_behavior(tar, tempdir)
 +
 +    def test_bad_envvar(self):
 +        with self.rh_config_context() as (tempdir, env, tar):
 +            env['PYTHON_TARFILE_EXTRACTION_FILTER'] = 'unknown!'
 +            with self.assertRaises(ValueError):
 +                tar.extractall(tempdir / 'outdir')
 +
 +    def test_envvar_overrides_file(self):
 +        lines = ['[tarfile]', 'PYTHON_TARFILE_EXTRACTION_FILTER=data']
 +        with self.rh_config_context(lines) as (tempdir, env, tar):
 +            env['PYTHON_TARFILE_EXTRACTION_FILTER'] = 'fully_trusted'
 +            self.check_trusted_default(tar, tempdir)
 +
 +    def test_monkeypatch_overrides_envvar(self):
 +        with self.rh_config_context(None) as (tempdir, env, tar):
 +            env['PYTHON_TARFILE_EXTRACTION_FILTER'] = 'data'
 +            with support.swap_attr(
 +                    tarfile.TarFile, 'extraction_filter',
 +                    staticmethod(tarfile.fully_trusted_filter)
 +            ):
 +                self.check_trusted_default(tar, tempdir)
 +
 +
 def setUpModule():
     os_helper.unlink(TEMPDIR)
     os.makedirs(TEMPDIR)
 -- 
 2.41.0
--- a/SOURCES/Python-3.11.2.tar.xz.asc
+++ b/SOURCES/Python-3.11.2.tar.xz.asc
@ -1,16 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmPiV84ACgkQ/+h0BBaL
 2EeZ1xAAwBi0AEjUlZ9oeC54VuqC/XLuVwc3xWf+Irw/5mJA2/weJHoQqG9aEDkB
 ph1pDJ6G/vDyKdjh8NZKkKftIL9pggRpAcA4mQ3XcDMKI/J+EQe5P/BwsTGClLhK
 cZg6IcQKZvo9djfyRz48w9wfKs34NasBgoFQP+hOzmU10UMrcR7gUSB2ZgMVMDID
 0rK1w2aPmZmDLUltBhf6Xb2voUYo+3jINLHWmQC6tdDOBxtxv222dhxS1mvpV7Zu
 Xw8do9OsQxonc+owkpciMKDLcFoVmkdQPz9bmvHJKovMXT2RY7FEam9H7ukr35fC
 xA6BKnyMgvWIWQVTwjBhcz3C85adzAz/ypHNTbJOuPxp1ZP8qO3D6vPlhZIFyTeJ
 7LhagUBUkIKKtbz7u3ERJgvA6tn3UVyLOXM1DnaKkXQ1FgSymgWPRU7BsxanQ8FD
 QkfTjC8fatZLCewNfGInkeAdLue+rMwZc8Q6vw2CAmcVdOKsQ98Db/FLF5sC+Kjz
 D3brUESEX1ELcVk7vumUI0/z+MECF11dpv5hPOZ4cZDoInsNu846TfU0rzOeVe7H
 gGO6Ae/Lu5gG09TNqepbFGA/dWR8V3zdLs5ZShTT4FsNFrHh7GDAEAMZSwT3AsVZ
 TjOdU3+xEGsEfrYWRXOkhVIQdJtuovwv9+me5YWeyC4Puzp0Zwk=
 =8/cW
 -----END PGP SIGNATURE-----
--- a/SOURCES/Python-3.11.4.tar.xz.asc
+++ b/SOURCES/Python-3.11.4.tar.xz.asc
@ -0,0 +1,16 @@
 -----BEGIN PGP SIGNATURE-----
 iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmR/sHIACgkQ/+h0BBaL
 2EfQDQ//eFWvcQ5ijhVd3r5lp7NTNUPK6xKR2iqzpNWlN2Z4QkGJ2+IworBaZoGA
 tzmbT0j0LB9ZQ+ba3xnqXGXD8Ky+fHLg8GV5yshPlH/bD7tPuHtfDRxNcWplEVSS
 MbMuLjAYavTIHhYEz/Rpx4jvZTI5lwplVqj9WxNI/8tNrL5M2bsCtv+IB6brohiw
 rUOUlT/KDkZbrGfB1Fe033Ep8hay5MkKjhgr7O1dU7zMuDRG+HRsCYGs7a5x6KhH
 3QNTEp+GEIAKEsip5nR7vl5KqL02lHa5sf36SV2wjRTwO+IhgV7lvtJEwOD12oE5
 c+TCQMFbmBXg2vVmNBN/Lwftw1SwT/+orFX6V4U93jq6QNUo4GvPqum6YzuayGYc
 /JM4MNziqmfdNW2YjEHPPfzti3f40eTapys97YufOrmYjM2NY0Fs+kAErvyxiWqi
 guVQtaZIYeLl/9KWqQ0F/Apy1N+fVDuWBkZlizwHrUsGips4Rp7Bh/iCrDdOj+1D
 gRCio7+KvdtzHavZPZnU5dcpUiXZgsDzOTI138IyYaEtVUS59ELkA2qxI1yCb5mk
 eLVG1L7r/J2tIaTcguQppp5Z+62UDTArlUbnRxda0buzA2r1aFiQCTMwp+kTRegw
 T9Ht/CT/D4vpMdmSQTun9MkKifcK+2uGfSsS7Lz4fSWjQLqg36k=
 =zSfJ
 -----END PGP SIGNATURE-----
--- a/SOURCES/pgp_keys.asc
+++ b/SOURCES/pgp_keys.asc
@ -0,0 +1,109 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mQINBFq+ToQBEADRYvIVtbK6owynD3j3nxwpW2KEk/p+aDvtXmc2SR2dBcZ8sFW2
 R5vEsG8d3/D3wgv5pcL3KfNNXQYUnXVbobrFUUWQYc79qIsE3MgiPf5NVOtwKPUR
 i5g9YJgKvpBxkQfqp3LYGm9ZBtwo3DVLA3yn7KsazCmAgTNFJYw7ku1XxgmIzY6K
 5J30DfbJiqDqj4f9GslCCCCH3qiPnuLG/HUyVLHMpbWlaiy9NI0GcaLxjJewHj9w
 W2D2lydkxe5JGo7egUkV3ILcuLVSVKA35SKY27dYqfuyqp9tAzaRbjDYjsYdHA6G
 BqrNrKBn/GwlFDPrVdcvN3ZSY2wMLTxWE3Axc/FweuHxFnou/80FwX7F3JD+oEQ6
 rofmcxOBCC7J98I7HZAhP9jBn88XIS2hztbLq8d6rZJZRtcz0k61VR0ddO+TrFmf
 9rMYCPgCckRtVxeFIVIabrN1IzKynLFeo040h8hSGswd6YKDOVwjJY6Oa6EmVefZ
 a8QSt4+M65RSzH6SEPY008F3nJUAK6MEkzTak+tFltZNrVWu8p2xd1j9nmxAwEhZ
 /lgbxLqzYgaUWmfyHeZ8yVA0MhHzdiAL8nVUEdG3KecIq0RWCJLGLWWIjd6KAJl1
 yAmhRYKK/sjPDsL3elHsFACfZbyx3o5GGQNlas1FYoPLWbaNGaJtgFTF2QARAQAB
 tCtQYWJsbyBHYWxpbmRvIFNhbGdhZG8gPHBhYmxvZ3NhbEBnbWFpbC5jb20+iQJO
 BBMBCgA4FiEEoDXIwZIZuoIezqhrZOYo+NaEaW0FAlq+ToQCGwMFCwkIBwMFFQoJ
 CAsFFgIDAQACHgECF4AACgkQZOYo+NaEaW2bmA/+PXIap2udLoUVOHxnsIBdqYwp
 sv1Aj5lfIJmNhmxPbHShwp1Jg+w4urxe+2Dj5ofKVlIo1i83bQkvnKJMDXDVuc/K
 P6zqhBJ3rT4Q3qx2mzX8bIfQoJ2JHuH4lkP+I7doDcHHRyeNASyk72VdQmU4twNw
 Ibn8nSNV6ThKHdoPYzVnO2rZUFcGIqH5HNsvR+B7cc1MBCHsgURYwSVhSePIFGlZ
 iasdBD6QQkDSe4QWi7AcJFWFElw4kbOKJWxAWsrEk+tMXJVGRjnmL289EmPCx/vx
 BqKy7Mse0yWCSRR3vB+O6TB1S5SgEyEgqlYsfGNv1qf/rfRD4KkyCbNU3LhY1Aim
 vJP4pDW+KFxTk2Ks8vrx8gOSd2aFqPeO/pFDrpsF7PD62XwsfoXu4xc5V0Giw7r1
 Nai0nax7kOrldNF8TbbtRjW0jmoC7wLIDujAkwDIOroZ0CXA3N4HVHdSbrHm/urX
 nyxJXupXAQNwGx64JCBcbF2fp3Kvu1VAXBEFnd01KaopthHcbG5pA50Kl2Vhe+98
 OdezUX42fHkQpQkB7HgtXfm6W1bw6YRBamrNvs1OoHBYmUjlECpe566IIu25Hc8s
 x3qA+6eca7iqizyLG+WyMT8ZIYTWGAS59jxwR4esqGczbbZPSAPHFwLbGv7Wr0Rd
 TPu5B0FcKpDkTd4IxQW5Ag0EWr5O2gEQAMjLe4CtbSfofmJrz5wfNkMVsZ81Gbqe
 MoYd3dtkJnQYERUj8flzBj3ucaxGJ+Cuf7ybh3naPopKvEI1q0vkcgCDqrEgXK//
 jKJbP28uPSMGhOG28q4PbamG55gy5FtM3ezzAxPWWKe9qBpV65GMmFy7eBQx2iJs
 yiDIOOQQ4kraS+cTqNFimEXAGLCOQRNLcwIZzwAAHoW7HEpNUfVwaBD9kMlbo1ND
 I60IKcNrNcmcmRxhJqfxjj8YBMwcKHO6GBE3AVpaE/+UO9zyr4TH+0YuQUgxKlPW
 Dkg5XlkDo0S1GyLY5e9ckIDIlkTdDa2pOkoE2yB5MQCEga3YiHrKUVTTWaxn9XVJ
 6x5ZjUF6bgSWGkrG5dUqSYoO1iDMuNVjtiujNyf/rvfj5cNxS7/lgxchhQKZHZXL
 WVqxlneeVJ6s0P4+ROVG9ga2Sve7aUJ6wXIewZwulBcV2sE/W/DgxHgLBi53CUQt
 vEzFzKvo48GnDqL5VYjA7l0HMYHd4GksCLi8E8U6Cgj+imXiM8voL7pHRZfs8mY8
 udR+UT4e1Scl2MYP2qBJ9/17B/X52B3s1EZdqI/r+hfOyqrhPs+dbAN0mtMPn68+
 nrvY1+nscvrSYEP6ZBlc9Hp2mgJdb6IcTvINXBEeLRjgc3pjViva443pkiFp9Axm
 ecOckMKP3uSlABEBAAGJBGwEGAEKACAWIQSgNcjBkhm6gh7OqGtk5ij41oRpbQUC
 Wr5O2gIbAgJACRBk5ij41oRpbcF0IAQZAQoAHRYhBM/cokWxBDzypfl4Zf/odAQW
 i9hHBQJavk7aAAoJEP/odAQWi9hHr7YP/RCLre1CmOoWYpAtoa1yVCeYMDV6eQgL
 B488/BEZHQE1zbrYy16XkhORob3JF/kUMjmJW7XaFF8FrWvRcdj/xaUGbOOEulKg
 v+8zWfswYQRiZ4/JlwER4vRLi6fTE89MVER6Fkj2ASD4D2cifY+EztD4flV3sq3s
 vIogGFaN9IvdrdeptOVGXs1RmAyoTsiS2mKQ6xsGh8B9ZAm55W8fBOGiSzLX21Xk
 Ofdw53BrFQxn3cu/JgIKpdeZxgukcvEAI62B6X+YL6Na4j0eqEGLzsNtU1+xeJlo
 WtVvmRwnRHGSxF6fzIZ3mk/p/aFiXAEq/xITCTY6tDv7x7pFE/RpdlJZyNJ+R5Y4
 SQiuDsylxNCa/4G5EB6q+7iVYtbEQ9MnZg2phowEE42tlj0rz8/rvDK3LH3xibot
 KHIodCWKlWByxH99u2PuHUQ0c1oCVBUE1KkruMpvI236DpU/dvdq4JLSg/fWrys/
 VIjqLZgsIE5g/KO9XqngWHkLcBLh4CNAmHJ8Iia+s+/rfgsejQWB5uJb6eYg2JjB
 4WP1EI0rULM6fdrCNB+MJ36wE2Lnb4bfT0phOMgjjH5/Ki7ZCbkxkOsBs4SRjiS+
 weCsmpAtMqodWY/Cnw9pWSA/qLSRD5/mKeb9SO6OZ/OPfAatwnGHsvZ2sAueC6rR
 04W5BfXZWrnJUXQP/id/EKE1Ksp5fKoxSCbkKTCig+Sf5Afwe36yFN+niZBqzn5b
 BgL/HIKaZM97oDHersPPANeEgS+JVlBf95iKIYnQbZP43FLVbvOuaINhBIVtFO54
 2Y7EYwl41kP7ILDElVy36KAmdQyBAfrjnZiRA70xShOxApLug1L0lxhR3YfmLwNi
 RJ0V6KnYDKf0pfdhO9VFyFFWUojX1usn2SmSsXNizsNtvRqHXzPnX0rbJzZ9+N4O
 9k1nxygYFG/2R/jGonVmTjRzcAHrAkNJETMWXMA7/8wRMDwluz8j+cCldey9x8Vk
 JwgLGnZSbQtVpcFAnm5r/36Gt+9wc1VWMyrUrVr6Z679aqAbG7PMaeR5h5ygMj1k
 VqRTYAUPSk1f8bZKRssQkQwEbp9dVIjm9SsR8VT7/tB+UuB85dABxgHfv3psJRT+
 tL8g9V7kSZqQfcLNGmvEVvr2Zl9NtxwXtsFM2OBprxCenwb+e9Ppm1LjfJG/NE72
 mAnOERfDaiLt4bqNo36Ei5sGCJ4Fx61phzNBXzkdRNM47i8J5UZRKFkE91c99BVM
 HKUaY61NRK24fR0zP98ftDU82YFw0VRFJpTeBrO5ivN1MlQxUPzUWxKxMxO+20wa
 UOXroEw11Tb4SRLGOla1pCl6lCUPJRy9IzadPDgTr/OTMkob/snt/XLdnV5/uQIN
 BFq+TvoBEAC8Oy1g6pPWBbrCMhIq7VWY2fjylJ1fwg5BPXkOKVK1dsGYO4QD7oW9
 L0aSqcFSNFGF9Cl0Ri4TFXZC3hnG4HeSXUWApuKdBLn21H3jba36Ay1oGcGfdm0v
 Zght4c6BlMVBpGCw2wIkJbUNEy6InMM+O8CCbbaH3iJkJ4141P7pODHignx5AmZI
 conMui4YOhC+IXQXynVEv1Juk7erB1Nh1RcRvsA4lb44HWx49lIwe85ejOmoZ0O3
 6f9NJRer6bV0+rHWmg4IV5Q9h/Gn4IhEDZxA0DZl1RQI7dMgaMbIFbXGq7Kgzstz
 EUnOoy29hXodxVmwIsMrAiQUYtwJ9hW+ESsw47+W2iPHVgviGWl7r/SgcgMYmf6m
 5kiTBtwU7BQPS9G3zwwP2Rm3AA/6g39Q+tQKjOwi1I8+GZsY2On44Zly7BreBNg5
 4gJgdAGcMOYU9etr050clH3UpTYcAEtX++ahtOKhJgLIPNcIAQNlnifqvU0VYpgw
 R4YpZ7hgg+AVDzC73PIM0lFI0XiDuqChbxE+K1jmLXWe5iJF0dzgVTwP+PmsifNZ
 Wg3+YxSsS+hDMPQ2xPiQN49gT4JJDHcDuyhHyCGYgyMiVJCsku9KrkubbfVRivyN
 ZF2Zfo3f+nbrRxsftz0yjAq8byCvb0V0XOpt4pJ/ddlug9ytRxALNwARAQABiQI2
 BBgBCgAgFiEEoDXIwZIZuoIezqhrZOYo+NaEaW0FAlq+TvoCGwwACgkQZOYo+NaE
 aW3urA//UQ/cKQ7HvWjcLphzQOZc+6m5YL0wxvZkSjemU7mqjZdpacteIvRAoers
 EqXHc208liIBtNfRzoreXdcXNzie65xXkrRnWoHVH/fTWy4lOnHr2CMXLeHjUgg/
 M6PYi8+sARm05YFB8nsYhlhx3IdLhcfeVVbJedQKO0yL3CK1okT30DUVq5Lq6X/K
 DC6AxuJR3D6UMSoT0WLaoX8qbhAp88qLynInfBVL18d97h916WPLTPeP0eHwhwND
 bYtKDCMDuKQ9XX5+QsNH0RmbxlX274LHrUMMvkLKxcfCBvP+iuqrBeIuoeVzXYJZ
 j7ZJtEH79bW44eecl/CY/STFYgSQ2XGTp2BI2q60wAmtKlNhwxY5ena0FgyFl6Tm
 5OBHW/Pwo+ndQJGfbrCyWkTgRay9c8er3gl3GQYIBH6X0kCiG7h/Epj0b5CHOPU5
 hCw0kEB8MB4poTIjeiY+Q01472/lQ68CL3DX158hR5d3XaPSIxAN+qFsfB1o316p
 yjxhfK1MD/IfrOgjlggPPnc/KmLkCzpgdwKcZwLCdZq9hYBvF1Zs34HbaVMYbWTK
 uxLowtXGU43vatCXXqmPOvl4/g4tZD6rysJDgOrHQnEHzT+Napn07s0BRC0IbbNn
 FynUrkr5KMSuRz7Hg7xMApENOrb0nqdHSUJ914ZpuMIS6RhJgGu5Ag0EWr5PIAEQ
 ALfh9vPD2B+miHDTMADI8aRZ7g9tnzynZYkk3+2sCiiusetsQQ+HIPJ/ASEJB7On
 ane9dyT/LTRhrK9qaxgVMimk2COXB/xyh7Mnw7nJgFU0aRSbtX0vbvQz2suSzrQ6
 9mPKzan28JGoClqB0bw1vwf3VjjxHV2dgD57CmqFPv7kAC/2a56dE+etzXattZAL
 +2JWTpmfQ0ePRRadtBm0VahQhnU8x0+jvAVrEawqpVW83ozYFyW/0WInM2J7jHgQ
 16OosY4lj5L/DxpVxaArhRFoRfWPXfC37iE8Mou/I95isvPQIhp1wTo4jG0KM02B
 oIVbp/QRNBQ6WtpOzvJs1gqQiJJTfqbKJXQ3NDEY9crpVS83HJ+Zv99PNsyNkFjG
 QpU84U3ZhsI4ygjdY45mpZueqI1RVcRQdu8Hgvoo/78Q/Sir6gMGop3mVdVo2guI
 kFcJrXh0Xk3ech4aVqrmKx/mPXGwOAQU0DAul4RW3fKg1QxQE7Tlw3+95Ee/+q5j
 HARL0uDbCJpRO8Sl8NDEuL32n/2Ot6kQeCSHrU7KJRYAkTxkKvr8zNow7hFhHFPE
 SnHvTnskI6noh0VY6NwMhmLvhm0wKkRxZPzUNc3sgLvbK1NymIZ9aKCZamzhZrmG
 vnblEz/OSLwGUua465H3hM1vvBQiartj7+6ZqWIkSmBPABEBAAGJAjYEGAEKACAW
 IQSgNcjBkhm6gh7OqGtk5ij41oRpbQUCWr5PIAIbIAAKCRBk5ij41oRpbWmeEACG
 +axtDC8UoNp9ORiYwEWLzZWDuugE+ah7DYYGD4Vs633FXVZW3SgM/bFtJ/0Lg8CF
 74jI4LMHyIjDzEjcoItwnhBLix+kUoJTvrY58GPydwekLuw1p4KXLqtRs4fsZbNQ
 YTknl4jYtRWoxO98x7tun7Gq2gqmJkIB2uj630fKz5cBk6p6oDFKjzyrHe+V7BiK
 3okQPaD4x7hq8OnTy7lOy92ZZAqztS4tNEb4DkYW1MpuwsJ7hbBZitc1siI+FVVb
 GjVVGZz6ssXoW67Tz8+VxdWJxNLXlv27eMcj4sme5S0th/YYNA5fRRv6zuzqZAru
 YNGLpYYU7JLvZJ+3lCwa5j5ycOGBF0GvsGs6gj6h+CHkjR/BgzAgWC+GgUgslt6q
 aH04rWtV6rVz+Y91LcrX5P6OM4anmXD3Gp3kl35AypXb4KyASF19+11RUziD4Z7q
 wQEWfbwOltNyZv2lD8s2jPr7P02axWRQUbZAEhxRmvOQev/FZPyCF6gqUo/HxRbQ
 y3bzmnipyHSv1DlXNfCFCHvN8kGyZnRWARqIKRg+j9ediJgOUqlLhg6KmrTVxd5v
 3Dfv52PW2UODDTM20s3cQGuX/UswzMRwPI/+P44iCMwEKdm7duM/5oisZT9Vhy7g
 P15MreFZLcZvUVgjqgy0u57cstyGK1Bo9e2sFcK2fA==
 =6Zb4
 -----END PGP PUBLIC KEY BLOCK-----
--- a/SPECS/python3.11.spec
+++ b/SPECS/python3.11.spec
@ -16,11 +16,11 @@ URL: https://www.python.org/
 #  WARNING  When rebasing to a new Python version,
 #           remember to update the python3-docs package as well
-%global general_version %{pybasever}.2
+%global general_version %{pybasever}.4
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: Python
@ -63,7 +63,7 @@ License: Python
 # If the rpmwheels condition is disabled, we use the bundled wheel packages
 # from Python with the versions below.
 # This needs to be manually updated when we update Python.
-%global pip_version 22.3.1
+%global pip_version 23.1.2
 %global setuptools_version 65.5.0
 # Expensive optimizations (mainly, profile-guided optimizations)
@ -332,6 +332,16 @@ Patch329: 00329-fips.patch
 # https://github.com/GrahamDumpleton/mod_wsgi/issues/730
 Patch371: 00371-revert-bpo-1596321-fix-threading-_shutdown-for-the-main-thread-gh-28549-gh-28589.patch
 # 00397 #
 # Filters for tarfile extraction (CVE-2007-4559, PEP-706)
 # First patch fixes determination of symlink targets, which were treated
 # as relative to the root of the archive,
 # rather than the directory containing the symlink.
 # Not yet upstream as of this writing.
 # The second patch is Red Hat configuration, see KB for documentation:
 # - https://access.redhat.com/articles/7004769
 Patch397: 00397-tarfile-filter.patch
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@ -1599,6 +1609,19 @@ CheckPython optimized
 # ======================================================
 %changelog
 * Wed Aug 09 2023 Petr Viktorin <pviktori@redhat.com> - 3.11.4-3
 - Fix symlink handling in the fix for CVE-2023-24329
 Resolves: rhbz#263261
 * Fri Jun 30 2023 Charalampos Stratakis <cstratak@redhat.com> - 3.11.4-2
 - Security fix for CVE-2007-4559
 Resolves: rhbz#263261
 * Mon Jun 26 2023 Charalampos Stratakis <cstratak@redhat.com> - 3.11.4-1
 - Update to 3.11.4
 - Security fix for CVE-2023-24329
 Resolves: rhbz#2173917
 * Thu Feb 16 2023 Charalampos Stratakis <cstratak@redhat.com> - 3.11.2-2
 - Support OpenSSL FIPS mode
`@ -1,2 +1 @@`
	`SOURCES/Python-3.11.2.tar.xz`	`SOURCES/Python-3.11.4.tar.xz`
	`SOURCES/pgp_keys.asc`
`@ -1,2 +1 @@`
	`ae1c199ecb7a969588b15354e19e7b60cb65d1b9 SOURCES/Python-3.11.2.tar.xz`	`413b3715d919a7b473281529ab91eeea5c82e632 SOURCES/Python-3.11.4.tar.xz`
	`befe131eceffa73877ba3adceca3b7b1da1d2319 SOURCES/pgp_keys.asc`