import python3.12-3.12.8-1.el8_10

.gitignore

@@ -1 +1 @@
-SOURCES/Python-3.12.6.tar.xz
+SOURCES/Python-3.12.8.tar.xz

.python3.12.metadata

@@ -1 +1 @@
-6d2bbe1603b01764c541608938766233bf56f780 SOURCES/Python-3.12.6.tar.xz
+8872c7a124c6970833e0bde4f25d6d7d61c6af6e SOURCES/Python-3.12.8.tar.xz

SOURCES/00251-change-user-install-location.patch

@@ -30,7 +30,7 @@ Co-authored-by: Lumír Balhar <frenzy.madness@gmail.com>
  3 files changed, 71 insertions(+), 4 deletions(-)
 
 diff --git a/Lib/site.py b/Lib/site.py
-index 924cfbecec..e2871ecc89 100644
+index aed254ad50..568dbdb945 100644
 --- a/Lib/site.py
 +++ b/Lib/site.py
 @@ -398,8 +398,15 @@ def getsitepackages(prefixes=None):
@@ -51,7 +51,7 @@ index 924cfbecec..e2871ecc89 100644
          if os.path.isdir(sitedir):
              addsitedir(sitedir, known_paths)
 diff --git a/Lib/sysconfig.py b/Lib/sysconfig.py
-index 122d441bd1..2d354a11da 100644
+index 517b13acaf..928d1a0541 100644
 --- a/Lib/sysconfig.py
 +++ b/Lib/sysconfig.py
 @@ -104,6 +104,11 @@
@@ -86,7 +86,7 @@ index 122d441bd1..2d354a11da 100644
  _SCHEME_KEYS = ('stdlib', 'platstdlib', 'purelib', 'platlib', 'include',
                  'scripts', 'data')
  
-@@ -263,11 +281,40 @@ def _extend_dict(target_dict, other_dict):
+@@ -261,11 +279,40 @@ def _extend_dict(target_dict, other_dict):
          target_dict[key] = value
  
  
@@ -119,7 +119,7 @@ index 122d441bd1..2d354a11da 100644
 +    # we only change the defaults here, so explicit --prefix will take precedence
 +    # https://fedoraproject.org/wiki/Changes/Making_sudo_pip_safe
 +    if (scheme == 'posix_prefix' and
-+        _PREFIX == '/usr' and
++        sys.prefix == '/usr' and
 +        'RPM_BUILD_ROOT' not in os.environ):
 +            _extend_dict(vars, _config_vars_local())
 +    else:
@@ -129,10 +129,10 @@ index 122d441bd1..2d354a11da 100644
          # On Windows we want to substitute 'lib' for schemes rather
          # than the native value (without modifying vars, in case it
 diff --git a/Lib/test/test_sysconfig.py b/Lib/test/test_sysconfig.py
-index 1137c2032b..8fc2b84f52 100644
+index 3468d0ce02..ff31010427 100644
 --- a/Lib/test/test_sysconfig.py
 +++ b/Lib/test/test_sysconfig.py
-@@ -110,8 +110,19 @@ def test_get_path(self):
+@@ -119,8 +119,19 @@ def test_get_path(self):
          for scheme in _INSTALL_SCHEMES:
              for name in _INSTALL_SCHEMES[scheme]:
                  expected = _INSTALL_SCHEMES[scheme][name].format(**config_vars)
@@ -153,7 +153,7 @@ index 1137c2032b..8fc2b84f52 100644
                      os.path.normpath(expected),
                  )
  
-@@ -344,7 +355,7 @@ def test_get_config_h_filename(self):
+@@ -353,7 +364,7 @@ def test_get_config_h_filename(self):
          self.assertTrue(os.path.isfile(config_h), config_h)
  
      def test_get_scheme_names(self):
@@ -162,7 +162,7 @@ index 1137c2032b..8fc2b84f52 100644
          if HAS_USER_BASE:
              wanted.extend(['nt_user', 'osx_framework_user', 'posix_user'])
          self.assertEqual(get_scheme_names(), tuple(sorted(wanted)))
-@@ -356,6 +367,8 @@ def test_symlink(self): # Issue 7880
+@@ -365,6 +376,8 @@ def test_symlink(self): # Issue 7880
              cmd = "-c", "import sysconfig; print(sysconfig.get_platform())"
              self.assertEqual(py.call_real(*cmd), py.call_link(*cmd))
  

SOURCES/00329-fips.patch

@@ -1,4 +1,4 @@
-From 43ce74d971fad62db6ccd723fe6b01da9c7ff407 Mon Sep 17 00:00:00 2001
+From 11deb3112bd90bc2dce2fcd4a1f5975c08b91360 Mon Sep 17 00:00:00 2001
 From: Charalampos Stratakis <cstratak@redhat.com>
 Date: Thu, 12 Dec 2019 16:58:31 +0100
 Subject: [PATCH 1/5] Expose blake2b and blake2s hashes from OpenSSL
@@ -29,10 +29,10 @@ index 73d758a..5921360 100644
              computed = m.hexdigest() if not shake else m.hexdigest(length)
              self.assertEqual(
 diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c
-index af6d1b2..980712f 100644
+index 2998820..b96001e 100644
 --- a/Modules/_hashopenssl.c
 +++ b/Modules/_hashopenssl.c
-@@ -1079,6 +1079,41 @@ _hashlib_openssl_sha512_impl(PyObject *module, PyObject *data_obj,
+@@ -1128,6 +1128,41 @@ _hashlib_openssl_sha512_impl(PyObject *module, PyObject *data_obj,
  }
  
  
@@ -74,7 +74,7 @@ index af6d1b2..980712f 100644
  #ifdef PY_OPENSSL_HAS_SHA3
  
  /*[clinic input]
-@@ -2067,6 +2102,8 @@ static struct PyMethodDef EVP_functions[] = {
+@@ -2116,6 +2151,8 @@ static struct PyMethodDef EVP_functions[] = {
      _HASHLIB_OPENSSL_SHA256_METHODDEF
      _HASHLIB_OPENSSL_SHA384_METHODDEF
      _HASHLIB_OPENSSL_SHA512_METHODDEF
@@ -84,7 +84,7 @@ index af6d1b2..980712f 100644
      _HASHLIB_OPENSSL_SHA3_256_METHODDEF
      _HASHLIB_OPENSSL_SHA3_384_METHODDEF
 diff --git a/Modules/clinic/_hashopenssl.c.h b/Modules/clinic/_hashopenssl.c.h
-index fb61a44..1e42b87 100644
+index 84e2346..7fe03a3 100644
 --- a/Modules/clinic/_hashopenssl.c.h
 +++ b/Modules/clinic/_hashopenssl.c.h
 @@ -743,6 +743,156 @@ exit:
@@ -248,13 +248,13 @@ index fb61a44..1e42b87 100644
  #ifndef _HASHLIB_SCRYPT_METHODDEF
      #define _HASHLIB_SCRYPT_METHODDEF
  #endif /* !defined(_HASHLIB_SCRYPT_METHODDEF) */
--/*[clinic end generated code: output=b339e255db698147 input=a9049054013a1b77]*/
-+/*[clinic end generated code: output=1d988d457a8beebe input=a9049054013a1b77]*/
+-/*[clinic end generated code: output=4734184f6555dc95 input=a9049054013a1b77]*/
++/*[clinic end generated code: output=f0bfddb963a21208 input=a9049054013a1b77]*/
 -- 
-2.45.0
+2.47.1
 
 
-From 6872b634078a2c69644235781ebffb07f8edcb83 Mon Sep 17 00:00:00 2001
+From ea9d5c84e25b5c04c2823e1edee4354dd6b2b7a5 Mon Sep 17 00:00:00 2001
 From: Petr Viktorin <pviktori@redhat.com>
 Date: Thu, 25 Jul 2019 17:19:06 +0200
 Subject: [PATCH 2/5] Disable Python's hash implementations in FIPS mode,
@@ -445,10 +445,10 @@ index a8bad9d..1b1d937 100644
 +    if (_Py_hashlib_fips_error(exc, name)) return NULL; \
 +} while (0)
 diff --git a/configure.ac b/configure.ac
-index 65ad1c2..b5f9ab5 100644
+index 9270b5f..a9eb2c9 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -7463,7 +7463,8 @@ PY_STDLIB_MOD([_sha2],
+@@ -7482,7 +7482,8 @@ PY_STDLIB_MOD([_sha2],
  PY_STDLIB_MOD([_sha3], [test "$with_builtin_sha3" = yes])
  PY_STDLIB_MOD([_blake2],
    [test "$with_builtin_blake2" = yes], [],
@@ -459,10 +459,10 @@ index 65ad1c2..b5f9ab5 100644
  PY_STDLIB_MOD([_crypt],
    [], [test "$ac_cv_crypt_crypt" = yes],
 -- 
-2.45.0
+2.47.1
 
 
-From f904abdd7a607282c2cdfd18288045cedfa28414 Mon Sep 17 00:00:00 2001
+From 29a7b7ac9e18a501ed78bde7a449b90c57d44e24 Mon Sep 17 00:00:00 2001
 From: Charalampos Stratakis <cstratak@redhat.com>
 Date: Fri, 29 Jan 2021 14:16:21 +0100
 Subject: [PATCH 3/5] Use python's fall back crypto implementations only if we
@@ -552,10 +552,10 @@ index dd61a9a..6031b02 100644
          get_builtin_constructor = getattr(hashlib,
                                            '__get_builtin_constructor')
 -- 
-2.45.0
+2.47.1
 
 
-From 9bf0a53b7831409613c44fd7feecb56476f5e5e7 Mon Sep 17 00:00:00 2001
+From 59accf544492400c9fd32a8e682fb6f2206e932e Mon Sep 17 00:00:00 2001
 From: Charalampos Stratakis <cstratak@redhat.com>
 Date: Wed, 31 Jul 2019 15:43:43 +0200
 Subject: [PATCH 4/5] Test equivalence of hashes for the various digests with
@@ -712,21 +712,21 @@ index 6031b02..5bd5297 100644
  class KDFTests(unittest.TestCase):
  
 -- 
-2.45.0
+2.47.1
 
 
-From 8a76571515a64a57b4ea0586ae8376cf2ef0ac60 Mon Sep 17 00:00:00 2001
+From 21efadd8b488956482bdc6ccd91c37dcef705129 Mon Sep 17 00:00:00 2001
 From: Petr Viktorin <pviktori@redhat.com>
 Date: Mon, 26 Aug 2019 19:39:48 +0200
 Subject: [PATCH 5/5] Guard against Python HMAC in FIPS mode
 
 ---
- Lib/hmac.py           | 13 +++++++++----
+ Lib/hmac.py           | 12 +++++++++---
  Lib/test/test_hmac.py | 10 ++++++++++
- 2 files changed, 19 insertions(+), 4 deletions(-)
+ 2 files changed, 19 insertions(+), 3 deletions(-)
 
 diff --git a/Lib/hmac.py b/Lib/hmac.py
-index 8b4eb2f..e8e4864 100644
+index 8b4eb2f..8930bda 100644
 --- a/Lib/hmac.py
 +++ b/Lib/hmac.py
 @@ -16,8 +16,9 @@ else:
@@ -741,14 +741,7 @@ index 8b4eb2f..e8e4864 100644
  
  # The size of the digests returned by HMAC depends on the underlying
  # hashing module used.  Use digest_size from the instance of HMAC instead.
-@@ -48,17 +49,18 @@ class HMAC:
-                    msg argument.  Passing it as a keyword argument is
-                    recommended, though not required for legacy API reasons.
-         """
--
-         if not isinstance(key, (bytes, bytearray)):
-             raise TypeError("key: expected bytes or bytearray, but got %r" % type(key).__name__)
- 
+@@ -55,10 +56,12 @@ class HMAC:
          if not digestmod:
              raise TypeError("Missing required argument 'digestmod'.")
  
@@ -762,7 +755,7 @@ index 8b4eb2f..e8e4864 100644
                  self._init_old(key, msg, digestmod)
          else:
              self._init_old(key, msg, digestmod)
-@@ -69,6 +71,9 @@ class HMAC:
+@@ -69,6 +72,9 @@ class HMAC:
          self.block_size = self._hmac.block_size
  
      def _init_old(self, key, msg, digestmod):
@@ -829,5 +822,5 @@ index 1502fba..7997073 100644
      def test_realcopy_old(self):
          # Testing if the copy method created a real copy.
 -- 
-2.45.0
+2.47.1
 

SOURCES/00371-revert-bpo-1596321-fix-threading-_shutdown-for-the-main-thread-gh-28549-gh-28589.patch

@@ -16,7 +16,7 @@ https://github.com/GrahamDumpleton/mod_wsgi/issues/730
  2 files changed, 8 insertions(+), 50 deletions(-)
 
 diff --git a/Lib/test/test_threading.py b/Lib/test/test_threading.py
-index 2e4b860b97..3066b23ee1 100644
+index 75a56f7830..c2509fced1 100644
 --- a/Lib/test/test_threading.py
 +++ b/Lib/test/test_threading.py
 @@ -1100,39 +1100,6 @@ def noop(): pass

SOURCES/00445-cve-2024-12254-ensure-_selectorsockettransport-writelines-pauses-the-protocol-if-needed.patch

@@ -0,0 +1,62 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Fri, 6 Dec 2024 06:12:40 +0100
+Subject: [PATCH] 00445: CVE-2024-12254: Ensure
+ _SelectorSocketTransport.writelines pauses the protocol if needed
+
+Ensure _SelectorSocketTransport.writelines pauses the protocol if it reaches the high water mark as needed.
+
+Resolved upstream: https://github.com/python/cpython/issues/127655
+
+Co-authored-by: J. Nick Koston <nick@koston.org>
+Co-authored-by: Kumar Aditya <kumaraditya@python.org>
+---
+ Lib/asyncio/selector_events.py                       |  1 +
+ Lib/test/test_asyncio/test_selector_events.py        | 12 ++++++++++++
+ .../2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst   |  1 +
+ 3 files changed, 14 insertions(+)
+ create mode 100644 Misc/NEWS.d/next/Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst
+
+diff --git a/Lib/asyncio/selector_events.py b/Lib/asyncio/selector_events.py
+index 790711f834..dd79ad18df 100644
+--- a/Lib/asyncio/selector_events.py
++++ b/Lib/asyncio/selector_events.py
+@@ -1183,6 +1183,7 @@ def writelines(self, list_of_data):
+         # If the entire buffer couldn't be written, register a write handler
+         if self._buffer:
+             self._loop._add_writer(self._sock_fd, self._write_ready)
++            self._maybe_pause_protocol()
+ 
+     def can_write_eof(self):
+         return True
+diff --git a/Lib/test/test_asyncio/test_selector_events.py b/Lib/test/test_asyncio/test_selector_events.py
+index 47693ea4d3..736c19796e 100644
+--- a/Lib/test/test_asyncio/test_selector_events.py
++++ b/Lib/test/test_asyncio/test_selector_events.py
+@@ -805,6 +805,18 @@ def test_writelines_send_partial(self):
+         self.assertTrue(self.sock.send.called)
+         self.assertTrue(self.loop.writers)
+ 
++    def test_writelines_pauses_protocol(self):
++        data = memoryview(b'data')
++        self.sock.send.return_value = 2
++        self.sock.send.fileno.return_value = 7
++
++        transport = self.socket_transport()
++        transport._high_water = 1
++        transport.writelines([data])
++        self.assertTrue(self.protocol.pause_writing.called)
++        self.assertTrue(self.sock.send.called)
++        self.assertTrue(self.loop.writers)
++
+     @unittest.skipUnless(selector_events._HAS_SENDMSG, 'no sendmsg')
+     def test_write_sendmsg_full(self):
+         data = memoryview(b'data')
+diff --git a/Misc/NEWS.d/next/Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst b/Misc/NEWS.d/next/Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst
+new file mode 100644
+index 0000000000..76cfc58121
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst
+@@ -0,0 +1 @@
++Fixed the :class:`!asyncio.selector_events._SelectorSocketTransport` transport not pausing writes for the protocol when the buffer reaches the high water mark when using :meth:`asyncio.WriteTransport.writelines`.

SOURCES/Python-3.12.6.tar.xz.asc

@@ -1,18 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQKTBAABCgB9FiEEcWlgX2LHUTVtBUomqCHmgOX6YwUFAmbbZv1fFIAAAAAALgAo
-aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDcx
-Njk2MDVGNjJDNzUxMzU2RDA1NEEyNkE4MjFFNjgwRTVGQTYzMDUACgkQqCHmgOX6
-YwV51g//WpQjF/Rt19lgaWojZ3qDkvmTM2kpvfDGLe9Tkm1fWYzji4TLS3TnzGEp
-dw2K6ApqGX4aO9AKMBRdfiFyhaDp0ENlBzSspvyzVT4LsRxiWXqyJ1qZB9mui/S8
-k5pw2qygaS4gYEAOLrVEwmQ52pig1wMAouSmRuopVk5DGYUN6Wir7RZMrYynsd6P
-6HYqpZby2L1fKlcj2xYY44niuL5a+I8ucWN9qOBzRLCuzq20lVoII817vORjCqa7
-ZUMKrDXDlzHnISNqZyyX37/oi6a8UdNm0o8V9yDJLiBu9+Dy3OueoIguuzimk4hq
-ZnepBoCcr2YAxIsXvwl2qfQBOCjJ5WAZ/wzA/eQMo9Jn1TYRBwuMC1MmP0ylt7Me
-/pS57bGuulkfPv9pMto7qc2lNpotBmAsfGJAJMczeEmyo5tAXnJUBE94JRmiLaR/
-zwPmJB3O9uEQhEa8+cjx4+9bK6+YvAXkb9x92Wn70u+IaalPj8CRA7B45hy1KYHT
-5s/ndwFFWThxqxH61oqjPvlZW5PWBC83yi/KovhgDWNL2G9CTusKevMqX/LMUAKz
-M3mJU/24vUu9bJNxB2qsa3UeP8hbb6WN5LLQyxRsXPjVQ9iTeMWrQkz1mRGIK2Ec
-OFbYH2SGa/RELds6MZWzvZuXIefCoyuc51WsXnc4LFr2ZGv4dAI=
-=CK1W
------END PGP SIGNATURE-----

SOURCES/Python-3.12.8.tar.xz.asc

@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEEcWlgX2LHUTVtBUomqCHmgOX6YwUFAmdPZepfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDcx
+Njk2MDVGNjJDNzUxMzU2RDA1NEEyNkE4MjFFNjgwRTVGQTYzMDUACgkQqCHmgOX6
+YwV2vQ//enP0FhpesVqbIf52CDqRUxRmO29bgW+a4wvRMMcGhMwVhDYKBSXwpI1O
+FJDm6y16mjfgVDJ17aU15+NUGqEDEcDj/59LUgOBkbgGkhhi7qPvqG+8YJoTJtFr
+0N3dcYwMSJQmN+y+xAWWHhc576KSkASqTG5OcS/n6yTG+zjFkN2Iznp0INQZpSt2
+44YocvRIK0vozabd47JCx5w/txE3nYtsl6nG5VTMeavbWYzgFBJhVSyykLSJxlyU
+mJgL0DMspjsUH2ZeYkHqqnuEZkogwJfI3eL2Z4BdVb96hh/s/L4UaSa3GI1a2Tdf
+c6UJLGWTqaFFcohIVrGhgckAQRrit7AZCBb/FwTsDXahxau7ECLNpgcRQCWgAXlN
+l7SSQkI2snUs5c+mCuBspDvBVxhAWq1VUelkPurQymR/ajGywwXgdGQwmq7BO+Wr
+E7fChlwTKLFkQorrzKw7FoL674gTolCHoO/XTDmCNIkEblykSl9mz9FnI2q1C0id
+Q+rM1rGo2ubJhthvpKdA5jDpzK6tPqG2xNgV6+xhXl4Bg7w4dhEKIu1vKH4RRBgR
+GTf9LSlJMdaDIyWbbuMFpthCrhnmXbK0qe4whQRtip/TB+1qjl1e5gB0kULujApj
+RbtxbR50cCDmocM6nae2P1tq0s3jaSs/VemiptexdTilGcm3088=
+=2KVU
+-----END PGP SIGNATURE-----

SPECS/python3.12.spec

@@ -16,7 +16,7 @@ URL: https://www.python.org/
 
 #  WARNING  When rebasing to a new Python version,
 #           remember to update the python3-docs package as well
-%global general_version %{pybasever}.6
+%global general_version %{pybasever}.8
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
@@ -65,7 +65,7 @@ License: Python-2.0.1
 # If the rpmwheels condition is disabled, we use the bundled wheel packages
 # from Python with the versions below.
 # This needs to be manually updated when we update Python.
-%global pip_version 24.2
+%global pip_version 24.3.1
 %global setuptools_version 67.6.1
 %global wheel_version 0.40.0
 # All of those also include a list of indirect bundled libs:
@@ -73,8 +73,8 @@ License: Python-2.0.1
 #  $ %%{_rpmconfigdir}/pythonbundles.py <(unzip -p Lib/ensurepip/_bundled/pip-*.whl pip/_vendor/vendor.txt)
 %global pip_bundled_provides %{expand:
 Provides: bundled(python3dist(cachecontrol)) = 0.14
-Provides: bundled(python3dist(certifi)) = 2024.7.4
-Provides: bundled(python3dist(distlib)) = 0.3.8
+Provides: bundled(python3dist(certifi)) = 2024.8.30
+Provides: bundled(python3dist(distlib)) = 0.3.9
 Provides: bundled(python3dist(distro)) = 1.9
 Provides: bundled(python3dist(idna)) = 3.7
 Provides: bundled(python3dist(msgpack)) = 1.0.8
@@ -87,9 +87,9 @@ Provides: bundled(python3dist(resolvelib)) = 1.0.1
 Provides: bundled(python3dist(rich)) = 13.7.1
 Provides: bundled(python3dist(setuptools)) = 70.3
 Provides: bundled(python3dist(tomli)) = 2.0.1
-Provides: bundled(python3dist(truststore)) = 0.9.1
+Provides: bundled(python3dist(truststore)) = 0.10
 Provides: bundled(python3dist(typing-extensions)) = 4.12.2
-Provides: bundled(python3dist(urllib3)) = 1.26.18
+Provides: bundled(python3dist(urllib3)) = 1.26.20
 }
 # setuptools
 # vendor.txt files not in .whl
@@ -333,7 +333,7 @@ Source11: idle3.appdata.xml
 
 # (Patches taken from github.com/fedora-python/cpython)
 
-# 00251 # cae5a6abc5df08239c85b83e4e250b6f2702e4f5
+# 00251 # 6a4ec74157aa01f1ada9f29f30a371cd9e5369e8
 # Change user install location
 #
 # Set values of base and platbase in sysconfig from /usr
@@ -389,6 +389,14 @@ Patch397: 00397-tarfile-filter.patch
 # CVE-2023-52425. Future versions of Expat may be more reactive.
 Patch422: 00422-fix-tests-for-xmlpullparser-with-expat-2-6-0.patch
 
+# 00445 # d1a32daddefad32ceb93155552858c0a0311b23e
+# CVE-2024-12254: Ensure _SelectorSocketTransport.writelines pauses the protocol if needed
+#
+# Ensure _SelectorSocketTransport.writelines pauses the protocol if it reaches the high water mark as needed.
+#
+# Resolved upstream: https://github.com/python/cpython/issues/127655
+Patch445: 00445-cve-2024-12254-ensure-_selectorsockettransport-writelines-pauses-the-protocol-if-needed.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@@ -1879,6 +1887,11 @@ fi
 # ======================================================
 
 %changelog
+* Tue Dec 03 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.12.8-1
+- Update to 3.12.8
+- Security fix for CVE-2024-9287 and CVE-2024-12254
+Resolves: RHEL-64880, RHEL-70315
+
 * Mon Sep 09 2024 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.12.6-1
 - Update to 3.12.6
 Resolves: RHEL-57405