9 changed files with 331 additions and 575 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/Python-3.9.20.tar.xz
+SOURCES/Python-3.9.17.tar.xz
--- a/.python39.metadata
+++ b/.python39.metadata
@ -1 +1 @@
-52902dd820d2d41c47ef927ecebb24a96a51cc4b SOURCES/Python-3.9.20.tar.xz
+34a6d24cef87fbf22b943d4fe22100a9bf0b3782 SOURCES/Python-3.9.17.tar.xz
--- a/SOURCES/00329-fips.patch
+++ b/SOURCES/00329-fips.patch
@ -1,4 +1,4 @@
-From 4cef6c756055a15dc33a475c1f405676fa69410c Mon Sep 17 00:00:00 2001
+From ccb2659fa0ec259d4161ed84345553bf3f216531 Mon Sep 17 00:00:00 2001
 From: Petr Viktorin <encukou@gmail.com>
 Date: Wed, 11 Aug 2021 16:51:03 +0200
 Subject: [PATCH 01/10] Backport PyModule_AddObjectRef as
@ -71,10 +71,10 @@ index 13482c6..fca1083 100644
 PyModule_AddIntConstant(PyObject *m, const char *name, long value)
 {
 -- 
-2.45.0
+2.37.2
-From a115773e979f968edaed8a3419f3ccc34eef8320 Mon Sep 17 00:00:00 2001
+From 794c37495d91823bd820b96382b999d84dcad58d Mon Sep 17 00:00:00 2001
 From: Petr Viktorin <encukou@gmail.com>
 Date: Fri, 13 Aug 2021 13:16:43 +0200
 Subject: [PATCH 02/10] _hashopenssl: Uncomment and use initialization function
@ -144,10 +144,10 @@ index 4db058c..56dfff9 100644
     return m;
 -- 
-2.45.0
+2.37.2
-From 28506af69b2b005bb7a8931624f97273269458a1 Mon Sep 17 00:00:00 2001
+From 94b56c82b459474c3e0f9e5421fa7becbf5a1c70 Mon Sep 17 00:00:00 2001
 From: Christian Heimes <christian@python.org>
 Date: Sat, 27 Mar 2021 14:55:03 +0100
 Subject: [PATCH 03/10] bpo-40645: use C implementation of HMAC (GH-24920,
@ -927,10 +927,10 @@ index 68aa765..4466ec4 100644
 -/*[clinic end generated code: output=b6b280e46bf0b139 input=a9049054013a1b77]*/
 +/*[clinic end generated code: output=7ff9aad0bd53e7ce input=a9049054013a1b77]*/
 -- 
-2.45.0
+2.37.2
-From 1f5f7d3892febb68cf96ef151beab06eae1792ce Mon Sep 17 00:00:00 2001
+From b63e3fbd7c0506b5a6c00c1bb0d255054e38bbe8 Mon Sep 17 00:00:00 2001
 From: Charalampos Stratakis <cstratak@redhat.com>
 Date: Thu, 12 Dec 2019 16:58:31 +0100
 Subject: [PATCH 04/10] Expose blake2b and blake2s hashes from OpenSSL
@ -944,7 +944,7 @@ used under FIPS.
 3 files changed, 148 insertions(+), 1 deletion(-)
 diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py
-index bc11a8d..9a07499 100644
+index f845c7a..7aaeb76 100644
 --- a/Lib/test/test_hashlib.py
 +++ b/Lib/test/test_hashlib.py
@@ -363,6 +363,12 @@ class HashLibTestCase(unittest.TestCase):
@ -1137,10 +1137,10 @@ index 4466ec4..54c22b2 100644
 -/*[clinic end generated code: output=7ff9aad0bd53e7ce input=a9049054013a1b77]*/
 +/*[clinic end generated code: output=fab05055e982f112 input=a9049054013a1b77]*/
 -- 
-2.45.0
+2.37.2
-From 842bd1c8c8a62c342fed848e5a5f0f1d97daeaba Mon Sep 17 00:00:00 2001
+From dc8ad7b98d6d9bf14cae439acb3a99fa8f4f5020 Mon Sep 17 00:00:00 2001
 From: Petr Viktorin <pviktori@redhat.com>
 Date: Thu, 1 Aug 2019 17:57:05 +0200
 Subject: [PATCH 05/10] Use a stronger hash in multiprocessing handshake
@ -1152,7 +1152,7 @@ https://bugs.python.org/issue17258
 1 file changed, 6 insertions(+), 2 deletions(-)
 diff --git a/Lib/multiprocessing/connection.py b/Lib/multiprocessing/connection.py
-index 8e2facf..bb4acb6 100644
+index 510e4b5..b68f2fb 100644
 --- a/Lib/multiprocessing/connection.py
 +++ b/Lib/multiprocessing/connection.py
@@ -42,6 +42,10 @@ BUFSIZE = 8192
@ -1166,7 +1166,7 @@ index 8e2facf..bb4acb6 100644
 _mmap_counter = itertools.count()
 default_family = 'AF_INET'
-@@ -736,7 +740,7 @@ def deliver_challenge(connection, authkey):
+@@ -741,7 +745,7 @@ def deliver_challenge(connection, authkey):
             "Authkey must be bytes, not {0!s}".format(type(authkey)))
     message = os.urandom(MESSAGE_LENGTH)
     connection.send_bytes(CHALLENGE + message)
@ -1175,7 +1175,7 @@ index 8e2facf..bb4acb6 100644
     response = connection.recv_bytes(256)        # reject large message
     if response == digest:
         connection.send_bytes(WELCOME)
-@@ -752,7 +756,7 @@ def answer_challenge(connection, authkey):
+@@ -757,7 +761,7 @@ def answer_challenge(connection, authkey):
     message = connection.recv_bytes(256)         # reject large message
     assert message[:len(CHALLENGE)] == CHALLENGE, 'message = %r' % message
     message = message[len(CHALLENGE):]
@ -1185,10 +1185,10 @@ index 8e2facf..bb4acb6 100644
     response = connection.recv_bytes(256)        # reject large message
     if response != WELCOME:
 -- 
-2.45.0
+2.37.2
-From 0390f1ea33f8a604467829733541791a29cee4da Mon Sep 17 00:00:00 2001
+From af0c88c9d5bc4f9c127e49ed80d14e25d18813f2 Mon Sep 17 00:00:00 2001
 From: Petr Viktorin <pviktori@redhat.com>
 Date: Thu, 25 Jul 2019 17:19:06 +0200
 Subject: [PATCH 06/10] Disable Python's hash implementations in FIPS mode,
@ -1231,7 +1231,7 @@ index ffa3be0..3e3f4dd 100644
 def __get_builtin_constructor(name):
     cache = __builtin_constructor_cache
 diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py
-index 9a07499..56dfbaa 100644
+index 7aaeb76..fa4a8d7 100644
 --- a/Lib/test/test_hashlib.py
 +++ b/Lib/test/test_hashlib.py
@@ -35,14 +35,15 @@ else:
@ -1446,10 +1446,10 @@ index 0bec170..479f4b5 100644
             ))
 -- 
-2.45.0
+2.37.2
-From 667781e01425308ae95f062f8596866a5af76f77 Mon Sep 17 00:00:00 2001
+From 9bc3d493a3508fb82df7d24cc62315c072d9eca8 Mon Sep 17 00:00:00 2001
 From: Charalampos Stratakis <cstratak@redhat.com>
 Date: Fri, 29 Jan 2021 14:16:21 +0100
 Subject: [PATCH 07/10] Use python's fall back crypto implementations only if
@ -1565,7 +1565,7 @@ index 3e3f4dd..b842f5f 100644
 for __func_name in __always_supported:
 diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py
-index 56dfbaa..05f4a54 100644
+index fa4a8d7..ec6c883 100644
 --- a/Lib/test/test_hashlib.py
 +++ b/Lib/test/test_hashlib.py
@@ -171,7 +171,13 @@ class HashLibTestCase(unittest.TestCase):
@ -1604,7 +1604,7 @@ index 56dfbaa..05f4a54 100644
     def test_get_builtin_constructor(self):
         get_builtin_constructor = getattr(hashlib,
                                           '__get_builtin_constructor')
-@@ -1070,6 +1090,7 @@ class KDFTests(unittest.TestCase):
+@@ -1061,6 +1081,7 @@ class KDFTests(unittest.TestCase):
                 iterations=1, dklen=None)
             self.assertEqual(out, self.pbkdf2_results['sha1'][0][0])
@ -1613,10 +1613,10 @@ index 56dfbaa..05f4a54 100644
     def test_pbkdf2_hmac_py(self):
         self._test_pbkdf2_hmac(builtin_hashlib.pbkdf2_hmac, builtin_hashes)
 -- 
-2.45.0
+2.37.2
-From e36df0297eca09ca1826163f39a812b45558f690 Mon Sep 17 00:00:00 2001
+From 331c0d39cbc9c4df266c375bae8c1a0d27dd78d9 Mon Sep 17 00:00:00 2001
 From: Charalampos Stratakis <cstratak@redhat.com>
 Date: Wed, 31 Jul 2019 15:43:43 +0200
 Subject: [PATCH 08/10] Test equivalence of hashes for the various digests with
@ -1659,7 +1659,7 @@ index 0000000..1f99dd7
 +if __name__ == "__main__":
 +    unittest.main()
 diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py
-index 05f4a54..980c773 100644
+index ec6c883..0fd036f 100644
 --- a/Lib/test/test_hashlib.py
 +++ b/Lib/test/test_hashlib.py
@@ -20,6 +20,7 @@ import warnings
@ -1755,7 +1755,7 @@ index 05f4a54..980c773 100644
                 return
             m = hash_object_constructor(data, **kwargs)
-@@ -983,6 +998,15 @@ class HashLibTestCase(unittest.TestCase):
+@@ -974,6 +989,15 @@ class HashLibTestCase(unittest.TestCase):
         ):
             HASHXOF()
@ -1772,10 +1772,10 @@ index 05f4a54..980c773 100644
 class KDFTests(unittest.TestCase):
 -- 
-2.45.0
+2.37.2
-From 8fc0216da1d6e148bf086c8c137ddc19a33ab642 Mon Sep 17 00:00:00 2001
+From 1a3df28f95710925bc80018bcf22b7f37bbb1e17 Mon Sep 17 00:00:00 2001
 From: Petr Viktorin <pviktori@redhat.com>
 Date: Mon, 26 Aug 2019 19:39:48 +0200
 Subject: [PATCH 09/10] Guard against Python HMAC in FIPS mode
@ -1889,43 +1889,290 @@ index adf52ad..41e6a14 100644
     def test_realcopy_old(self):
         # Testing if the copy method created a real copy.
 -- 
-2.45.0
+2.37.2
-From 4271e404c9aa918368d397654d60e4e845dfc844 Mon Sep 17 00:00:00 2001
+From dded0e09dd3e51998a2aa54d2ae8464d73987e51 Mon Sep 17 00:00:00 2001
-From: Nikita Sobolev <mail@sobolevn.me>
+From: Petr Viktorin <encukou@gmail.com>
-Date: Thu, 24 Nov 2022 01:47:31 +0300
+Date: Wed, 25 Aug 2021 16:44:43 +0200
-Subject: [PATCH 10/10] closes gh-99508: fix `TypeError` in
+Subject: [PATCH 10/10] Disable hash-based PYCs in FIPS mode
- `Lib/importlib/_bootstrap_external.py` (GH-99635)
+
 If FIPS mode is on, we can't use siphash-based HMAC
 (_Py_KeyedHash), so:
 - Unchecked hash PYCs can be imported, but not created
 - Checked hash PYCs can not be imported nor created
 - The default mode is timestamp-based PYCs, even if
  SOURCE_DATE_EPOCH is set.
 If FIPS mode is off, there are no changes in behavior.
 Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1835169
 ---
- Lib/importlib/_bootstrap_external.py                           | 3 ++-
+ Lib/py_compile.py                             |  2 ++
- .../next/Library/2022-11-21-10-45-54.gh-issue-99508.QqVbby.rst | 2 ++
+ Lib/test/support/__init__.py                  | 14 +++++++++++++
- 2 files changed, 4 insertions(+), 1 deletion(-)
+ Lib/test/test_cmd_line_script.py              |  2 ++
- create mode 100644 Misc/NEWS.d/next/Library/2022-11-21-10-45-54.gh-issue-99508.QqVbby.rst
+ Lib/test/test_compileall.py                   | 11 +++++++++-
-
+ Lib/test/test_imp.py                          |  2 ++
-diff --git a/Lib/importlib/_bootstrap_external.py b/Lib/importlib/_bootstrap_external.py
+ .../test_importlib/source/test_file_loader.py |  6 ++++++
-index f0c9f8e..cccf6b2 100644
+ Lib/test/test_py_compile.py                   | 11 ++++++++--
--- a/Lib/importlib/_bootstrap_external.py
+ Lib/test/test_zipimport.py                    |  2 ++
-+++ b/Lib/importlib/_bootstrap_external.py
+ Python/import.c                               | 20 +++++++++++++++++++
-@@ -986,7 +986,8 @@ class SourceLoader(_LoaderBasics):
+ 9 files changed, 67 insertions(+), 3 deletions(-)
-                 source_mtime is not None):
+
-             if hash_based:
+diff --git a/Lib/py_compile.py b/Lib/py_compile.py
-                 if source_hash is None:
+index bba3642..02db901 100644
-                    source_hash = _imp.source_hash(source_bytes)
+--- a/Lib/py_compile.py
-+                    source_hash = _imp.source_hash(_RAW_MAGIC_NUMBER,
+++ b/Lib/py_compile.py
-+                                                   source_bytes)
+@@ -70,7 +70,9 @@ class PycInvalidationMode(enum.Enum):
-                 data = _code_to_hash_pyc(code_object, source_hash, check_source)
+ 
-             else:
+ 
-                 data = _code_to_timestamp_pyc(code_object, source_mtime,
+ def _get_default_invalidation_mode():
-diff --git a/Misc/NEWS.d/next/Library/2022-11-21-10-45-54.gh-issue-99508.QqVbby.rst b/Misc/NEWS.d/next/Library/2022-11-21-10-45-54.gh-issue-99508.QqVbby.rst
+    import _hashlib
-new file mode 100644
+     if (os.environ.get('SOURCE_DATE_EPOCH') and not
-index 0000000..82720d1
+            _hashlib.get_fips_mode() and not
--- /dev/null
+             os.environ.get('RPM_BUILD_ROOT')):
-+++ b/Misc/NEWS.d/next/Library/2022-11-21-10-45-54.gh-issue-99508.QqVbby.rst
+         return PycInvalidationMode.CHECKED_HASH
-@@ -0,0 +1,2 @@
+     else:
-+Fix ``TypeError`` in ``Lib/importlib/_bootstrap_external.py`` while calling
+diff --git a/Lib/test/support/__init__.py b/Lib/test/support/__init__.py
-+``_imp.source_hash()``.
+index 6dc0813..b9d5f9a 100644
 --- a/Lib/test/support/__init__.py
 +++ b/Lib/test/support/__init__.py
@@ -3296,6 +3296,20 @@ def clear_ignored_deprecations(*tokens: object) -> None:
         warnings._filters_mutated()
 +def fails_in_fips_mode(expected_error):
 +    import _hashlib
 +    if _hashlib.get_fips_mode():
 +        def _decorator(func):
 +            def _wrapper(self, *args, **kwargs):
 +                with self.assertRaises(expected_error):
 +                    func(self, *args, **kwargs)
 +            return _wrapper
 +    else:
 +        def _decorator(func):
 +            return func
 +    return _decorator
 +
 +
 @contextlib.contextmanager
 def adjust_int_max_str_digits(max_digits):
     """Temporarily change the integer string conversion length limit."""
 diff --git a/Lib/test/test_cmd_line_script.py b/Lib/test/test_cmd_line_script.py
 index 7cb1370..61df232 100644
 --- a/Lib/test/test_cmd_line_script.py
 +++ b/Lib/test/test_cmd_line_script.py
@@ -282,6 +282,7 @@ class CmdLineTest(unittest.TestCase):
             self._check_script(zip_name, run_name, zip_name, zip_name, '',
                                zipimport.zipimporter)
 +    @support.fails_in_fips_mode(ImportError)
     def test_zipfile_compiled_checked_hash(self):
         with support.temp_dir() as script_dir:
             script_name = _make_test_script(script_dir, '__main__')
@@ -292,6 +293,7 @@ class CmdLineTest(unittest.TestCase):
             self._check_script(zip_name, run_name, zip_name, zip_name, '',
                                zipimport.zipimporter)
 +    @support.fails_in_fips_mode(ImportError)
     def test_zipfile_compiled_unchecked_hash(self):
         with support.temp_dir() as script_dir:
             script_name = _make_test_script(script_dir, '__main__')
 diff --git a/Lib/test/test_compileall.py b/Lib/test/test_compileall.py
 index ab647d6..7d50f07 100644
 --- a/Lib/test/test_compileall.py
 +++ b/Lib/test/test_compileall.py
@@ -758,14 +758,23 @@ class CommandLineTestsBase:
         out = self.assertRunOK('badfilename')
         self.assertRegex(out, b"Can't list 'badfilename'")
 -    def test_pyc_invalidation_mode(self):
 +    @support.fails_in_fips_mode(AssertionError)
 +    def test_pyc_invalidation_mode_checked(self):
         script_helper.make_script(self.pkgdir, 'f1', '')
         pyc = importlib.util.cache_from_source(
             os.path.join(self.pkgdir, 'f1.py'))
 +
         self.assertRunOK('--invalidation-mode=checked-hash', self.pkgdir)
         with open(pyc, 'rb') as fp:
             data = fp.read()
         self.assertEqual(int.from_bytes(data[4:8], 'little'), 0b11)
 +
 +    @support.fails_in_fips_mode(AssertionError)
 +    def test_pyc_invalidation_mode_unchecked(self):
 +        script_helper.make_script(self.pkgdir, 'f1', '')
 +        pyc = importlib.util.cache_from_source(
 +            os.path.join(self.pkgdir, 'f1.py'))
 +
         self.assertRunOK('--invalidation-mode=unchecked-hash', self.pkgdir)
         with open(pyc, 'rb') as fp:
             data = fp.read()
 diff --git a/Lib/test/test_imp.py b/Lib/test/test_imp.py
 index fe394dc..802f0e8 100644
 --- a/Lib/test/test_imp.py
 +++ b/Lib/test/test_imp.py
@@ -343,6 +343,7 @@ class ImportTests(unittest.TestCase):
         import _frozen_importlib
         self.assertEqual(_frozen_importlib.__spec__.origin, "frozen")
 +    @support.fails_in_fips_mode(ImportError)
     def test_source_hash(self):
         self.assertEqual(_imp.source_hash(42, b'hi'), b'\xc6\xe7Z\r\x03:}\xab')
         self.assertEqual(_imp.source_hash(43, b'hi'), b'\x85\x9765\xf8\x9a\x8b9')
@@ -362,6 +363,7 @@ class ImportTests(unittest.TestCase):
             res = script_helper.assert_python_ok(*args)
             self.assertEqual(res.out.strip().decode('utf-8'), expected)
 +    @support.fails_in_fips_mode(ImportError)
     def test_find_and_load_checked_pyc(self):
         # issue 34056
         with support.temp_cwd():
 diff --git a/Lib/test/test_importlib/source/test_file_loader.py b/Lib/test/test_importlib/source/test_file_loader.py
 index ab44722..480cc81 100644
 --- a/Lib/test/test_importlib/source/test_file_loader.py
 +++ b/Lib/test/test_importlib/source/test_file_loader.py
@@ -17,6 +17,7 @@ import types
 import unittest
 import warnings
 +from test import support
 from test.support import make_legacy_pyc, unload
 from test.test_py_compile import without_source_date_epoch
@@ -239,6 +240,7 @@ class SimpleTest(abc.LoaderTests):
                 loader.load_module('bad name')
     @util.writes_bytecode_files
 +    @support.fails_in_fips_mode(ImportError)
     def test_checked_hash_based_pyc(self):
         with util.create_modules('_temp') as mapping:
             source = mapping['_temp']
@@ -270,6 +272,7 @@ class SimpleTest(abc.LoaderTests):
             )
     @util.writes_bytecode_files
 +    @support.fails_in_fips_mode(ImportError)
     def test_overridden_checked_hash_based_pyc(self):
         with util.create_modules('_temp') as mapping, \
              unittest.mock.patch('_imp.check_hash_based_pycs', 'never'):
@@ -295,6 +298,7 @@ class SimpleTest(abc.LoaderTests):
             self.assertEqual(mod.state, 'old')
     @util.writes_bytecode_files
 +    @support.fails_in_fips_mode(ImportError)
     def test_unchecked_hash_based_pyc(self):
         with util.create_modules('_temp') as mapping:
             source = mapping['_temp']
@@ -325,6 +329,7 @@ class SimpleTest(abc.LoaderTests):
             )
     @util.writes_bytecode_files
 +    @support.fails_in_fips_mode(ImportError)
     def test_overridden_unchecked_hash_based_pyc(self):
         with util.create_modules('_temp') as mapping, \
              unittest.mock.patch('_imp.check_hash_based_pycs', 'always'):
@@ -434,6 +439,7 @@ class BadBytecodeTest:
                                                del_source=del_source)
             test('_temp', mapping, bc_path)
 +    @support.fails_in_fips_mode(ImportError)
     def _test_partial_hash(self, test, *, del_source=False):
         with util.create_modules('_temp') as mapping:
             bc_path = self.manipulate_bytecode(
 diff --git a/Lib/test/test_py_compile.py b/Lib/test/test_py_compile.py
 index b2d3dcf..7e4b0c5 100644
 --- a/Lib/test/test_py_compile.py
 +++ b/Lib/test/test_py_compile.py
@@ -141,13 +141,16 @@ class PyCompileTestsBase:
             importlib.util.cache_from_source(bad_coding)))
     def test_source_date_epoch(self):
 +        import _hashlib
         py_compile.compile(self.source_path, self.pyc_path)
         self.assertTrue(os.path.exists(self.pyc_path))
         self.assertFalse(os.path.exists(self.cache_path))
         with open(self.pyc_path, 'rb') as fp:
             flags = importlib._bootstrap_external._classify_pyc(
                 fp.read(), 'test', {})
 -        if os.environ.get('SOURCE_DATE_EPOCH'):
 +        if _hashlib.get_fips_mode():
 +            expected_flags = 0b00
 +        elif os.environ.get('SOURCE_DATE_EPOCH'):
             expected_flags = 0b11
         else:
             expected_flags = 0b00
@@ -178,7 +181,8 @@ class PyCompileTestsBase:
         # Specifying optimized bytecode should lead to a path reflecting that.
         self.assertIn('opt-2', py_compile.compile(self.source_path, optimize=2))
 -    def test_invalidation_mode(self):
 +    @support.fails_in_fips_mode(ImportError)
 +    def test_invalidation_mode_checked(self):
         py_compile.compile(
             self.source_path,
             invalidation_mode=py_compile.PycInvalidationMode.CHECKED_HASH,
@@ -187,6 +191,9 @@ class PyCompileTestsBase:
             flags = importlib._bootstrap_external._classify_pyc(
                 fp.read(), 'test', {})
         self.assertEqual(flags, 0b11)
 +
 +    @support.fails_in_fips_mode(ImportError)
 +    def test_invalidation_mode_unchecked(self):
         py_compile.compile(
             self.source_path,
             invalidation_mode=py_compile.PycInvalidationMode.UNCHECKED_HASH,
 diff --git a/Lib/test/test_zipimport.py b/Lib/test/test_zipimport.py
 index b7347a3..09ea990 100644
 --- a/Lib/test/test_zipimport.py
 +++ b/Lib/test/test_zipimport.py
@@ -186,6 +186,7 @@ class UncompressedZipImportTestCase(ImportHooksBaseTestCase):
                  TESTMOD + pyc_ext: (NOW, test_pyc)}
         self.doTest(pyc_ext, files, TESTMOD)
 +    @support.fails_in_fips_mode(ImportError)
     def testUncheckedHashBasedPyc(self):
         source = b"state = 'old'"
         source_hash = importlib.util.source_hash(source)
@@ -200,6 +201,7 @@ class UncompressedZipImportTestCase(ImportHooksBaseTestCase):
             self.assertEqual(mod.state, 'old')
         self.doTest(None, files, TESTMOD, call=check)
 +    @support.fails_in_fips_mode(ImportError)
     @unittest.mock.patch('_imp.check_hash_based_pycs', 'always')
     def test_checked_hash_based_change_pyc(self):
         source = b"state = 'old'"
 diff --git a/Python/import.c b/Python/import.c
 index 8358d70..1b7fb85 100644
 --- a/Python/import.c
 +++ b/Python/import.c
@@ -2354,6 +2354,26 @@ static PyObject *
 _imp_source_hash_impl(PyObject *module, long key, Py_buffer *source)
 /*[clinic end generated code: output=edb292448cf399ea input=9aaad1e590089789]*/
 {
 +    PyObject *_hashlib = PyImport_ImportModule("_hashlib");
 +    if (_hashlib == NULL) {
 +        return NULL;
 +    }
 +    PyObject *fips_mode_obj = PyObject_CallMethod(_hashlib, "get_fips_mode", NULL);
 +    Py_DECREF(_hashlib);
 +    if (fips_mode_obj == NULL) {
 +        return NULL;
 +    }
 +    int fips_mode = PyObject_IsTrue(fips_mode_obj);
 +    Py_DECREF(fips_mode_obj);
 +    if (fips_mode < 0) {
 +        return NULL;
 +    }
 +    if (fips_mode) {
 +        PyErr_SetString(
 +            PyExc_ImportError,
 +            "hash-based PYC validation (siphash24) not available in FIPS mode");
 +        return NULL;
 +    };
     union {
         uint64_t x;
         char data[sizeof(uint64_t)];
 -- 
-2.45.0
+2.37.2
--- a/SOURCES/00414-skip_test_zlib_s390x.patch
+++ b/SOURCES/00414-skip_test_zlib_s390x.patch
@ -1,88 +0,0 @@
 From f253f1e7e8283b876d40af385d5729646f2c18b6 Mon Sep 17 00:00:00 2001
 From: Victor Stinner <vstinner@python.org>
 Date: Wed, 17 Jan 2024 14:53:23 +0100
 Subject: [PATCH] bpo-46623: Skip two test_zlib tests on s390x (GH-31096)
 Skip test_pair() and test_speech128() of test_zlib on s390x since
 they fail if zlib uses the s390x hardware accelerator.
 ---
 Lib/test/test_zlib.py                         | 32 +++++++++++++++++++
 .../2022-02-03-09-45-26.bpo-46623.vxzuhV.rst  |  2 ++
 2 files changed, 34 insertions(+)
 create mode 100644 Misc/NEWS.d/next/Tests/2022-02-03-09-45-26.bpo-46623.vxzuhV.rst
 diff --git a/Lib/test/test_zlib.py b/Lib/test/test_zlib.py
 index aa7943f..8945b10 100644
 --- a/Lib/test/test_zlib.py
 +++ b/Lib/test/test_zlib.py
@@ -2,6 +2,7 @@ import unittest
 from test import support
 import binascii
 import copy
 +import os
 import pickle
 import random
 import sys
@@ -16,6 +17,35 @@ requires_Decompress_copy = unittest.skipUnless(
         hasattr(zlib.decompressobj(), "copy"),
         'requires Decompress.copy()')
 +# bpo-46623: On s390x, when a hardware accelerator is used, using different
 +# ways to compress data with zlib can produce different compressed data.
 +# Simplified test_pair() code:
 +#
 +#   def func1(data):
 +#       return zlib.compress(data)
 +#
 +#   def func2(data)
 +#       co = zlib.compressobj()
 +#       x1 = co.compress(data)
 +#       x2 = co.flush()
 +#       return x1 + x2
 +#
 +# On s390x if zlib uses a hardware accelerator, func1() creates a single
 +# "final" compressed block whereas func2() produces 3 compressed blocks (the
 +# last one is a final block). On other platforms with no accelerator, func1()
 +# and func2() produce the same compressed data made of a single (final)
 +# compressed block.
 +#
 +# Only the compressed data is different, the decompression returns the original
 +# data:
 +#
 +#   zlib.decompress(func1(data)) == zlib.decompress(func2(data)) == data
 +#
 +# Make the assumption that s390x always has an accelerator to simplify the skip
 +# condition. Windows doesn't have os.uname() but it doesn't support s390x.
 +skip_on_s390x = unittest.skipIf(hasattr(os, 'uname') and os.uname().machine == 's390x',
 +                                 'skipped on s390x')
 +
 def _zlib_runtime_version_tuple(zlib_version=zlib.ZLIB_RUNTIME_VERSION):
     # Register "1.2.3" as "1.2.3.0"
     # or "1.2.0-linux","1.2.0.f","1.2.0.f-linux"
@@ -187,6 +217,7 @@ class CompressTestCase(BaseCompressTestCase, unittest.TestCase):
                                          bufsize=zlib.DEF_BUF_SIZE),
                          HAMLET_SCENE)
 +    @skip_on_s390x
     def test_speech128(self):
         # compress more data
         data = HAMLET_SCENE * 128
@@ -238,6 +269,7 @@ class CompressTestCase(BaseCompressTestCase, unittest.TestCase):
 class CompressObjectTestCase(BaseCompressTestCase, unittest.TestCase):
     # Test compression object
 +    @skip_on_s390x
     def test_pair(self):
         # straightforward compress/decompress objects
         datasrc = HAMLET_SCENE * 128
 diff --git a/Misc/NEWS.d/next/Tests/2022-02-03-09-45-26.bpo-46623.vxzuhV.rst b/Misc/NEWS.d/next/Tests/2022-02-03-09-45-26.bpo-46623.vxzuhV.rst
 new file mode 100644
 index 0000000..be085c0
 --- /dev/null
 +++ b/Misc/NEWS.d/next/Tests/2022-02-03-09-45-26.bpo-46623.vxzuhV.rst
@@ -0,0 +1,2 @@
 +Skip test_pair() and test_speech128() of test_zlib on s390x since they fail
 +if zlib uses the s390x hardware accelerator. Patch by Victor Stinner.
 -- 
 2.46.0
--- a/SOURCES/00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch
+++ b/SOURCES/00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch
@ -1,248 +0,0 @@
 From 4df4fad359c280f2328b98ea9b4414f244624a58 Mon Sep 17 00:00:00 2001
 From: Lumir Balhar <lbalhar@redhat.com>
 Date: Mon, 18 Dec 2023 20:15:33 +0100
 Subject: [PATCH] Make it possible to disable strict parsing in email module
 ---
 Doc/library/email.utils.rst       | 26 +++++++++++
 Lib/email/utils.py                | 54 ++++++++++++++++++++++-
 Lib/test/test_email/test_email.py | 72 ++++++++++++++++++++++++++++++-
 3 files changed, 149 insertions(+), 3 deletions(-)
 diff --git a/Doc/library/email.utils.rst b/Doc/library/email.utils.rst
 index d1e1898591..7aef773b5f 100644
 --- a/Doc/library/email.utils.rst
 +++ b/Doc/library/email.utils.rst
@@ -69,6 +69,19 @@ of the new API.
    If *strict* is true, use a strict parser which rejects malformed inputs.
 +   The default setting for *strict* is set to ``True``, but you can override
 +   it by setting the environment variable ``PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING``
 +   to non-empty string.
 +
 +   Additionally, you can permanently set the default value for *strict* to
 +   ``False`` by creating the configuration file ``/etc/python/email.cfg``
 +   with the following content:
 +
 +   .. code-block:: ini
 +
 +      [email_addr_parsing]
 +      PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING = true
 +
    .. versionchanged:: 3.9.20
       Add *strict* optional parameter and reject malformed inputs by default.
@@ -97,6 +110,19 @@ of the new API.
    If *strict* is true, use a strict parser which rejects malformed inputs.
 +   The default setting for *strict* is set to ``True``, but you can override
 +   it by setting the environment variable ``PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING``
 +   to non-empty string.
 +
 +   Additionally, you can permanently set the default value for *strict* to
 +   ``False`` by creating the configuration file ``/etc/python/email.cfg``
 +   with the following content:
 +
 +   .. code-block:: ini
 +
 +      [email_addr_parsing]
 +      PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING = true
 +
    Here's a simple example that gets all the recipients of a message::
       from email.utils import getaddresses
 diff --git a/Lib/email/utils.py b/Lib/email/utils.py
 index f83b7e5d7e..b8e90ceb8e 100644
 --- a/Lib/email/utils.py
 +++ b/Lib/email/utils.py
@@ -48,6 +48,46 @@ TICK = "'"
 specialsre = re.compile(r'[][\\()<>@,:;".]')
 escapesre = re.compile(r'[\\"]')
 +_EMAIL_CONFIG_FILE = "/etc/python/email.cfg"
 +_cached_strict_addr_parsing = None
 +
 +
 +def _use_strict_email_parsing():
 +    """"Cache implementation for _cached_strict_addr_parsing"""
 +    global _cached_strict_addr_parsing
 +    if _cached_strict_addr_parsing is None:
 +        _cached_strict_addr_parsing = _use_strict_email_parsing_impl()
 +    return _cached_strict_addr_parsing
 +
 +
 +def _use_strict_email_parsing_impl():
 +    """Returns True if strict email parsing is not disabled by
 +    config file or env variable.
 +    """
 +    disabled = bool(os.environ.get("PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING"))
 +    if disabled:
 +        return False
 +
 +    try:
 +        file = open(_EMAIL_CONFIG_FILE)
 +    except FileNotFoundError:
 +        pass
 +    else:
 +        with file:
 +            import configparser
 +            config = configparser.ConfigParser(
 +                interpolation=None,
 +                comment_prefixes=('#', ),
 +
 +            )
 +            config.read_file(file)
 +            disabled = config.getboolean('email_addr_parsing', "PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING", fallback=None)
 +
 +    if disabled:
 +        return False
 +
 +    return True
 +
 def _has_surrogates(s):
     """Return True if s contains surrogate-escaped binary data."""
@@ -149,7 +189,7 @@ def _strip_quoted_realnames(addr):
 supports_strict_parsing = True
 -def getaddresses(fieldvalues, *, strict=True):
 +def getaddresses(fieldvalues, *, strict=None):
     """Return a list of (REALNAME, EMAIL) or ('','') for each fieldvalue.
     When parsing fails for a fieldvalue, a 2-tuple of ('', '') is returned in
@@ -158,6 +198,11 @@ def getaddresses(fieldvalues, *, strict=True):
     If strict is true, use a strict parser which rejects malformed inputs.
     """
 +    # If default is used, it's True unless disabled
 +    # by env variable or config file.
 +    if strict == None:
 +        strict = _use_strict_email_parsing()
 +
     # If strict is true, if the resulting list of parsed addresses is greater
     # than the number of fieldvalues in the input list, a parsing error has
     # occurred and consequently a list containing a single empty 2-tuple [('',
@@ -330,7 +375,7 @@ def parsedate_to_datetime(data):
             tzinfo=datetime.timezone(datetime.timedelta(seconds=tz)))
 -def parseaddr(addr, *, strict=True):
 +def parseaddr(addr, *, strict=None):
     """
     Parse addr into its constituent realname and email address parts.
@@ -339,6 +384,11 @@ def parseaddr(addr, *, strict=True):
     If strict is True, use a strict parser which rejects malformed inputs.
     """
 +    # If default is used, it's True unless disabled
 +    # by env variable or config file.
 +    if strict == None:
 +        strict = _use_strict_email_parsing()
 +
     if not strict:
         addrs = _AddressList(addr).addresslist
         if not addrs:
 diff --git a/Lib/test/test_email/test_email.py b/Lib/test/test_email/test_email.py
 index ce36efc1b1..05ea201b68 100644
 --- a/Lib/test/test_email/test_email.py
 +++ b/Lib/test/test_email/test_email.py
@@ -7,6 +7,9 @@ import time
 import base64
 import unittest
 import textwrap
 +import contextlib
 +import tempfile
 +import os
 from io import StringIO, BytesIO
 from itertools import chain
@@ -41,7 +44,7 @@ from email import iterators
 from email import base64mime
 from email import quoprimime
 -from test.support import unlink, start_threads
 +from test.support import unlink, start_threads, EnvironmentVarGuard, swap_attr
 from test.test_email import openfile, TestEmailBase
 # These imports are documented to work, but we are testing them using a
@@ -3313,6 +3316,73 @@ Foo
         # Test email.utils.supports_strict_parsing attribute
         self.assertEqual(email.utils.supports_strict_parsing, True)
 +    def test_parsing_errors_strict_set_via_env_var(self):
 +        address = 'alice@example.org )Alice('
 +        empty = ('', '')
 +
 +        # Reset cached default value to make the function
 +        # reload the config file provided below.
 +        utils._cached_strict_addr_parsing = None
 +
 +        # Strict disabled via env variable, old behavior expected
 +        with EnvironmentVarGuard() as environ:
 +            environ["PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING"] = "1"
 +
 +            self.assertEqual(utils.getaddresses([address]),
 +                             [('', 'alice@example.org'), ('', ''), ('', 'Alice')])
 +            self.assertEqual(utils.parseaddr([address]), ('', address))
 +
 +        # Clear cache again
 +        utils._cached_strict_addr_parsing = None
 +
 +        # Default strict=True, empty result expected
 +        self.assertEqual(utils.getaddresses([address]), [empty])
 +        self.assertEqual(utils.parseaddr([address]), empty)
 +
 +        # Clear cache again
 +        utils._cached_strict_addr_parsing = None
 +
 +        # Empty string in env variable = strict parsing enabled (default)
 +        with EnvironmentVarGuard() as environ:
 +            environ["PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING"] = ""
 +
 +            # Default strict=True, empty result expected
 +            self.assertEqual(utils.getaddresses([address]), [empty])
 +            self.assertEqual(utils.parseaddr([address]), empty)
 +
 +    @contextlib.contextmanager
 +    def _email_strict_parsing_conf(self):
 +        """Context for the given email strict parsing configured in config file"""
 +        with tempfile.TemporaryDirectory() as tmpdirname:
 +            filename = os.path.join(tmpdirname, 'conf.cfg')
 +            with swap_attr(utils, "_EMAIL_CONFIG_FILE", filename):
 +                with open(filename, 'w') as file:
 +                    file.write('[email_addr_parsing]\n')
 +                    file.write('PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING = true')
 +                utils._EMAIL_CONFIG_FILE = filename
 +                yield
 +
 +    def test_parsing_errors_strict_disabled_via_config_file(self):
 +        address = 'alice@example.org )Alice('
 +        empty = ('', '')
 +
 +        # Reset cached default value to make the function
 +        # reload the config file provided below.
 +        utils._cached_strict_addr_parsing = None
 +
 +        # Strict disabled via config file, old results expected
 +        with self._email_strict_parsing_conf():
 +            self.assertEqual(utils.getaddresses([address]),
 +                             [('', 'alice@example.org'), ('', ''), ('', 'Alice')])
 +            self.assertEqual(utils.parseaddr([address]), ('', address))
 +
 +        # Clear cache again
 +        utils._cached_strict_addr_parsing = None
 +
 +        # Default strict=True, empty result expected
 +        self.assertEqual(utils.getaddresses([address]), [empty])
 +        self.assertEqual(utils.parseaddr([address]), empty)
 +
     def test_getaddresses_nasty(self):
         for addresses, expected in (
             (['"Sürname, Firstname" <to@example.com>'],
 -- 
 2.43.0
--- a/SOURCES/00422-fix-tests-for-xmlpullparser-with-expat-2-6-0.patch
+++ b/SOURCES/00422-fix-tests-for-xmlpullparser-with-expat-2-6-0.patch
@ -1,63 +0,0 @@
 From 60d40d7095983e0bc23a103b2050adc519dc7fe3 Mon Sep 17 00:00:00 2001
 From: Lumir Balhar <lbalhar@redhat.com>
 Date: Fri, 3 May 2024 14:17:48 +0200
 Subject: [PATCH] Expect failures in tests not working properly with expat with
 a fixed CVE in RHEL
 ---
 Lib/test/test_pyexpat.py   | 1 +
 Lib/test/test_sax.py       | 1 +
 Lib/test/test_xml_etree.py | 3 +++
 3 files changed, 5 insertions(+)
 diff --git a/Lib/test/test_pyexpat.py b/Lib/test/test_pyexpat.py
 index 43cbd27..27b1502 100644
 --- a/Lib/test/test_pyexpat.py
 +++ b/Lib/test/test_pyexpat.py
@@ -793,6 +793,7 @@ class ReparseDeferralTest(unittest.TestCase):
         self.assertEqual(started, ['doc'])
 +    @unittest.expectedFailure
     def test_reparse_deferral_disabled(self):
         started = []
 diff --git a/Lib/test/test_sax.py b/Lib/test/test_sax.py
 index 9b3014a..646c92d 100644
 --- a/Lib/test/test_sax.py
 +++ b/Lib/test/test_sax.py
@@ -1240,6 +1240,7 @@ class ExpatReaderTest(XmlTestBase):
         self.assertEqual(result.getvalue(), start + b"<doc></doc>")
 +    @unittest.expectedFailure
     def test_flush_reparse_deferral_disabled(self):
         result = BytesIO()
         xmlgen = XMLGenerator(result)
 diff --git a/Lib/test/test_xml_etree.py b/Lib/test/test_xml_etree.py
 index 9c382d1..62f2871 100644
 --- a/Lib/test/test_xml_etree.py
 +++ b/Lib/test/test_xml_etree.py
@@ -1424,9 +1424,11 @@ class XMLPullParserTest(unittest.TestCase):
         self.assert_event_tags(parser, [('end', 'root')])
         self.assertIsNone(parser.close())
 +    @unittest.expectedFailure
     def test_simple_xml_chunk_1(self):
         self.test_simple_xml(chunk_size=1, flush=True)
 +    @unittest.expectedFailure
     def test_simple_xml_chunk_5(self):
         self.test_simple_xml(chunk_size=5, flush=True)
@@ -1651,6 +1653,7 @@ class XMLPullParserTest(unittest.TestCase):
         self.assert_event_tags(parser, [('end', 'doc')])
 +    @unittest.expectedFailure
     def test_flush_reparse_deferral_disabled(self):
         parser = ET.XMLPullParser(events=('start', 'end'))
 -- 
 2.44.0
--- a/SOURCES/Python-3.9.17.tar.xz.asc
+++ b/SOURCES/Python-3.9.17.tar.xz.asc
@ -0,0 +1,16 @@
 -----BEGIN PGP SIGNATURE-----
 iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmR/AFcACgkQsmmV4xAl
 BWg7Fg/7Bq3qKbUD+4LYCOEESdu1MQm4bxfySqFLrzfe0YML/Xvei3ot/MsoTxY+
 9dwLivBab6YVDw3x65Zm2Y1sKAwcKn80qcwfxkxKPFVzeFAIYaO48zACJ5gvNEwk
 tXxEcDV0Nirs5ksqjs439eWXFFSZJJjHUxrBKwVVXoVTl9P3wbvKzeAUGuWMdvBt
 8RYtaHMt24w+mtFBdBM5ODl9qHD30HvEdHItF1HFtnnIR2mvE5W3dNkytrEWckq7
 urrQZlIFqSffnK89oNrQBGQC1dipzfgb3Vdk52usIVq+3J9VeWEmw8my/HUtf6LM
 uSETKCDM6POcC1Hjn3Zar8pVg/5IrGfag2aOWPQwRf5+py+nHO9a8P0nAz1TvygJ
 Q4FPcGCRyxa6gw9TEoO3zutQrHG2q+bvr61hSx3bcnlTk5EwTgblxOw9A5L++uzQ
 JK6vkPIaid4KboIOgpgw2xYWu8uVl2KtEyOeNrvZubuYqKh3xy25lNZT0tT6Axtv
 jOKC84FSvp5fLRAAHAr9B6uycKRlNY2Ca6t8FkkD0v2NgsRVM2Mc11/i/NS+EFKc
 hCZgAvbIEX17DQQNcmki1FWeJ0LfoE7PZgte7f6o1J9lcBYhmfC6nIWJ6Q3zZX/y
 96EESfeEshigdMEwlkCtYSJTc5/WpdiZ0LQyI0x/RQFb8Q4XHS0=
 =xjRt
 -----END PGP SIGNATURE-----
--- a/SOURCES/Python-3.9.20.tar.xz.asc
+++ b/SOURCES/Python-3.9.20.tar.xz.asc
@ -1,16 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iQIzBAABCAAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmbcKf0ACgkQsmmV4xAl
 BWh4rg//R5E1EjsifYqhLeIyT+JnrBvbTZeEcdxPXevsgilojYmrxBUKuXXViul0
 YZFaoDf6wjbHh6NMNgUpqcOH/5S/LsFZvuEcrw0jyGlMr0AMA4KLmNvQ9Wxf+wp4
 mUmhymQx555nVivsdPiziNnDwubZeA870ZllYEMWP5vXw7p2LbnlZvn7A+LSKjqM
 S/6xbiKYVexK3vHY/uG0xo4z24FySfvs0/PF11JfRJCxm9+bli7FmHOoFMwpOO6S
 caZLok4987YWOcPIPY6h+o2sFhDqHs8POGKd8k+0KQNQs5UbEQ4t/eKgnaoATkGn
 nfcAGXSjX5RSv5uXPzBUc0PulYo6EalIn1b5fu96La/FEg9GLMR/n9g75Fgm/j9L
 QGYu/DSaastY/c7Ot4QVyB6pxbQKjM438yneQrjhKBILGla4Crh1k6yRCx93j/TH
 hF9kiuRf7jtLIGTp0cnquELGnatmL1RhOySn/1Y+asMR+oK8d+XQab//w4VsAt7C
 SIfVXg25PUgZoaiYj/qIjLK9vkcj/EZ1IacivP5qBWb3O1E8gzSV8Z9duGT8Ef3P
 ch4M/pd6hefVVVfyCoazB3gwDs68O6U2BIRdYLRlet8AuKTBysQKFwOo3EcCMmJV
 W20KutPnERCzt8jeJdzFd0z3po9mvxNTKDLYaABtNI6NN00LcsM=
 =svjf
 -----END PGP SIGNATURE-----
--- a/SPECS/python39.spec
+++ b/SPECS/python39.spec
@ -13,7 +13,7 @@ URL: https://www.python.org/
 #  WARNING  When rebasing to a new Python version,
 #           remember to update the python3-docs package as well
-%global general_version %{pybasever}.20
+%global general_version %{pybasever}.17
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
@ -182,13 +182,6 @@ ExcludeArch: i686
 %global py_INSTSONAME_optimized libpython%{LDVERSION_optimized}.so.%{py_SOVERSION}
 %global py_INSTSONAME_debug     libpython%{LDVERSION_debug}.so.%{py_SOVERSION}
 # The -O flag for the compiler, optimized builds
 # https://fedoraproject.org/wiki/Changes/Python_built_with_gcc_O3
 %global optflags_optimized -O3
 # The -O flag for the compiler, debug builds
 # -Wno-cpp avoids some warnings with -O0
 %global optflags_debug -O0 -Wno-cpp
 # Disable automatic bytecompilation. The python3 binary is not yet be
 # available in /usr/bin when Python is built. Also, the bytecompilation fails
 # on files that test invalid syntax.
@ -424,41 +417,12 @@ Patch378: 00378-support-expat-2-4-5.patch
 # 00397 #
 # Add filters for tarfile extraction (CVE-2007-4559, PEP-706)
-# First patch fixes determination of symlink targets, which were treated
+# The first patch backports the upstream fix:
-# as relative to the root of the archive,
+# - https://github.com/python/cpython/pull/104382
 # rather than the directory containing the symlink.
 # Not yet upstream as of this writing.
 # The second patch is Red Hat configuration, see KB for documentation:
 # - https://access.redhat.com/articles/7004769
 Patch397: 00397-tarfile-filter.patch
 # 00414 #
 #
 # Skip test_pair() and test_speech128() of test_zlib on s390x since
 # they fail if zlib uses the s390x hardware accelerator.
 Patch414: 00414-skip_test_zlib_s390x.patch
 # 00415 #
 # [CVE-2023-27043] gh-102988: Reject malformed addresses in email.parseaddr() (#111116)
 #
 # Detect email address parsing errors and return empty tuple to
 # indicate the parsing error (old API). Add an optional 'strict'
 # parameter to getaddresses() and parseaddr() functions. Patch by
 # Thomas Dwyer.
 #
 # Upstream PR: https://github.com/python/cpython/pull/111116
 #
 # This patch implements the possibility to restore the old behavior via
 # config file or environment variable.
 Patch415: 00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch
 # 00422 # a353cebef737c41420dc7ae2469dd657371b8881
 # Fix tests for XMLPullParser with Expat 2.6.0
 #
 # Feeding the parser by too small chunks defers parsing to prevent
 # CVE-2023-52425. Future versions of Expat may be more reactive.
 Patch422: 00422-fix-tests-for-xmlpullparser-with-expat-2-6-0.patch
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@ -871,9 +835,6 @@ rm Lib/ensurepip/_bundled/*.whl
 %apply_patch -q %{PATCH353}
 %apply_patch -q %{PATCH378}
 %apply_patch -q %{PATCH397}
 %apply_patch -q %{PATCH414}
 %apply_patch -q %{PATCH415}
 %apply_patch -q %{PATCH422}
 # Remove all exe files to ensure we are not shipping prebuilt binaries
 # note that those are only used to create Microsoft Windows installers
@ -950,7 +911,6 @@ BuildPython() {
  ConfName=$1
  ExtraConfigArgs=$2
  MoreCFlags=$3
  MoreCFlagsNodist=$4
  # Each build is done in its own directory
  ConfDir=build/$ConfName
@ -985,7 +945,7 @@ BuildPython() {
  $ExtraConfigArgs \
  %{nil}
-%global flags_override EXTRA_CFLAGS="$MoreCFlags" CFLAGS_NODIST="$CFLAGS_NODIST $MoreCFlags $MoreCFlagsNodist"
+%global flags_override EXTRA_CFLAGS="$MoreCFlags" CFLAGS_NODIST="$CFLAGS_NODIST $MoreCFlags"
 %if %{without bootstrap}
  # Regenerate generated files (needs python3)
@ -1008,14 +968,12 @@ BuildPython() {
 # See also: https://bugzilla.redhat.com/show_bug.cgi?id=1818857
 BuildPython debug \
  "--without-ensurepip --with-pydebug" \
-  "%{optflags_debug}" \
+  "-O0 -Wno-cpp"
  ""
 %endif # with debug_build
 BuildPython optimized \
  "--without-ensurepip %{optimizations_flag}" \
-  "" \
+  ""
  "%{optflags_optimized}"
 # ======================================================
 # Installing the built code:
@ -1114,7 +1072,7 @@ EOF
 %if %{with debug_build}
 InstallPython debug \
  %{py_INSTSONAME_debug} \
-  "%{optflags_debug}" \
+  -O0 \
  %{LDVERSION_debug}
 %endif # with debug_build
@ -2048,56 +2006,6 @@ fi
 # ======================================================
 %changelog
 * Mon Sep 09 2024 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.9.20-1
 - Update to 3.9.20
 Resolves: RHEL-60007
 * Fri Aug 23 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.9.19-7
 - Security fix for CVE-2024-8088
 Resolves: RHEL-55954
 * Tue Aug 13 2024 Lumír Balhar <lbalhar@redhat.com> - 3.9.19-6
 - Security fix for CVE-2024-6923
 Resolves: RHEL-53102
 * Thu Jul 25 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.9.19-5
 - Properly propagate the optimization flags to C extensions
 * Thu Jul 18 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.9.19-4
 - Build Python with -O3
 - https://fedoraproject.org/wiki/Changes/Python_built_with_gcc_O3
 * Thu Jul 18 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.9.19-3
 - Security fix for CVE-2024-4032
 Resolves: RHEL-44094
 * Tue Jun 11 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.9.19-2
 - Enable importing of hash-based .pyc files under FIPS mode
 Resolves: RHEL-40786
 * Mon Apr 22 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.9.19-1
 - Update to 3.9.19
 - Security fixes for CVE-2023-6597 and CVE-2024-0450
 - Fix tests for XMLPullParser with Expat with fixed CVE
 Resolves: RHEL-33676, RHEL-33688
 * Wed Jan 17 2024 Lumír Balhar <lbalhar@redhat.com> - 3.9.18-3
 - Skip tests failing on s390x
 Resolves: RHEL-21905
 * Tue Jan 16 2024 Lumír Balhar <lbalhar@redhat.com> - 3.9.18-2
 - Security fix for CVE-2023-27043
 Resolves: RHEL-5561
 * Thu Sep 07 2023 Charalampos Stratakis <cstratak@redhat.com> - 3.9.18-1
 - Update to 3.9.18
 - Security fix for CVE-2023-40217
 Resolves: RHEL-3238
 * Wed Aug 09 2023 Petr Viktorin <pviktori@redhat.com> - 3.9.17-2
 - Fix symlink handling in the fix for CVE-2023-24329
 Resolves: rhbz#263261
 * Mon Jul 17 2023 Charalampos Stratakis <cstratak@redhat.com> - 3.9.17-1
 - Rebase to 3.9.17
 - Security fix for CVE-2023-24329
`@ -1 +1 @@`
	`SOURCES/Python-3.9.20.tar.xz`	`SOURCES/Python-3.9.17.tar.xz`
`@ -1 +1 @@`
	`52902dd820d2d41c47ef927ecebb24a96a51cc4b SOURCES/Python-3.9.20.tar.xz`	`34a6d24cef87fbf22b943d4fe22100a9bf0b3782 SOURCES/Python-3.9.17.tar.xz`