diff --git a/SOURCES/00377-CVE-2022-0391.patch b/SOURCES/00377-CVE-2022-0391.patch
new file mode 100644
index 0000000..aebe53d
--- /dev/null
+++ b/SOURCES/00377-CVE-2022-0391.patch
@@ -0,0 +1,170 @@
+From 6c472d3a1d334d4eeb4a25eba7bf3b01611bf667 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Thu, 6 May 2021 09:56:01 -0700
+Subject: [PATCH] [3.6] bpo-43882 - urllib.parse should sanitize urls
+ containing ASCII newline and tabs (GH-25924)
+
+Co-authored-by: Gregory P. Smith <greg@krypto.org>
+Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
+(cherry picked from commit 76cd81d60310d65d01f9d7b48a8985d8ab89c8b4)
+Co-authored-by: Senthil Kumaran <senthil@uthcode.com>
+(cherry picked from commit 515a7bc4e13645d0945b46a8e1d9102b918cd407)
+
+Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
+---
+ Doc/library/urllib.parse.rst | 13 +++++
+ Lib/test/test_urlparse.py | 48 +++++++++++++++++++
+ Lib/urllib/parse.py | 10 ++++
+ .../2021-04-25-07-46-37.bpo-43882.Jpwx85.rst | 6 +++
+ 4 files changed, 77 insertions(+)
+ create mode 100644 Misc/NEWS.d/next/Security/2021-04-25-07-46-37.bpo-43882.Jpwx85.rst
+
+diff --git a/Doc/library/urllib.parse.rst b/Doc/library/urllib.parse.rst
+index 3c2e37ef2093a..b717d7cc05b2e 100644
+--- a/Doc/library/urllib.parse.rst
++++ b/Doc/library/urllib.parse.rst
+@@ -288,6 +288,9 @@ or on combining URL components into a URL string.
+ ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is
+ decomposed before parsing, no error will be raised.
+
++ Following the `WHATWG spec`_ that updates RFC 3986, ASCII newline
++ ``\n``, ``\r`` and tab ``\t`` characters are stripped from the URL.
++
+ .. versionchanged:: 3.6
+ Out-of-range port numbers now raise :exc:`ValueError`, instead of
+ returning :const:`None`.
+@@ -296,6 +299,10 @@ or on combining URL components into a URL string.
+ Characters that affect netloc parsing under NFKC normalization will
+ now raise :exc:`ValueError`.
+
++ .. versionchanged:: 3.6.14
++ ASCII newline and tab characters are stripped from the URL.
++
++.. _WHATWG spec: https://url.spec.whatwg.org/#concept-basic-url-parser
+
+ .. function:: urlunsplit(parts)
+
+@@ -633,6 +640,10 @@ task isn't already covered by the URL parsing functions above.
+
+ .. seealso::
+
++ `WHATWG`_ - URL Living standard
++ Working Group for the URL Standard that defines URLs, domains, IP addresses, the
++ application/x-www-form-urlencoded format, and their API.
++
+ :rfc:`3986` - Uniform Resource Identifiers
+ This is the current standard (STD66). Any changes to urllib.parse module
+ should conform to this. Certain deviations could be observed, which are
+@@ -656,3 +667,5 @@ task isn't already covered by the URL parsing functions above.
+
+ :rfc:`1738` - Uniform Resource Locators (URL)
+ This specifies the formal syntax and semantics of absolute URLs.
++
++.. _WHATWG: https://url.spec.whatwg.org/
+diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
+index e3088b2f39bd7..3509278a01694 100644
+--- a/Lib/test/test_urlparse.py
++++ b/Lib/test/test_urlparse.py
+@@ -612,6 +612,54 @@ def test_urlsplit_attributes(self):
+ with self.assertRaisesRegex(ValueError, "out of range"):
+ p.port
+
++ def test_urlsplit_remove_unsafe_bytes(self):
++ # Remove ASCII tabs and newlines from input, for http common case scenario.
++ url = "h\nttp://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment"
++ p = urllib.parse.urlsplit(url)
++ self.assertEqual(p.scheme, "http")
++ self.assertEqual(p.netloc, "www.python.org")
++ self.assertEqual(p.path, "/javascript:alert('msg')/")
++ self.assertEqual(p.query, "query=something")
++ self.assertEqual(p.fragment, "fragment")
++ self.assertEqual(p.username, None)
++ self.assertEqual(p.password, None)
++ self.assertEqual(p.hostname, "www.python.org")
++ self.assertEqual(p.port, None)
++ self.assertEqual(p.geturl(), "http://www.python.org/javascript:alert('msg')/?query=something#fragment")
++
++ # Remove ASCII tabs and newlines from input as bytes, for http common case scenario.
++ url = b"h\nttp://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment"
++ p = urllib.parse.urlsplit(url)
++ self.assertEqual(p.scheme, b"http")
++ self.assertEqual(p.netloc, b"www.python.org")
++ self.assertEqual(p.path, b"/javascript:alert('msg')/")
++ self.assertEqual(p.query, b"query=something")
++ self.assertEqual(p.fragment, b"fragment")
++ self.assertEqual(p.username, None)
++ self.assertEqual(p.password, None)
++ self.assertEqual(p.hostname, b"www.python.org")
++ self.assertEqual(p.port, None)
++ self.assertEqual(p.geturl(), b"http://www.python.org/javascript:alert('msg')/?query=something#fragment")
++
++ # any scheme
++ url = "x-new-scheme\t://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment"
++ p = urllib.parse.urlsplit(url)
++ self.assertEqual(p.geturl(), "x-new-scheme://www.python.org/javascript:alert('msg')/?query=something#fragment")
++
++ # Remove ASCII tabs and newlines from input as bytes, any scheme.
++ url = b"x-new-scheme\t://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment"
++ p = urllib.parse.urlsplit(url)
++ self.assertEqual(p.geturl(), b"x-new-scheme://www.python.org/javascript:alert('msg')/?query=something#fragment")
++
++ # Unsafe bytes is not returned from urlparse cache.
++ # scheme is stored after parsing, sending an scheme with unsafe bytes *will not* return an unsafe scheme
++ url = "https://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment"
++ scheme = "htt\nps"
++ for _ in range(2):
++ p = urllib.parse.urlsplit(url, scheme=scheme)
++ self.assertEqual(p.scheme, "https")
++ self.assertEqual(p.geturl(), "https://www.python.org/javascript:alert('msg')/?query=something#fragment")
++
+ def test_attributes_bad_port(self):
+ """Check handling of invalid ports."""
+ for bytes in (False, True):
+diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
+index 66056bf589bf6..ac6e7a9cee0b9 100644
+--- a/Lib/urllib/parse.py
++++ b/Lib/urllib/parse.py
+@@ -76,6 +76,9 @@
+ '0123456789'
+ '+-.')
+
++# Unsafe bytes to be removed per WHATWG spec
++_UNSAFE_URL_BYTES_TO_REMOVE = ['\t', '\r', '\n']
++
+ # XXX: Consider replacing with functools.lru_cache
+ MAX_CACHE_SIZE = 20
+ _parse_cache = {}
+@@ -409,6 +412,11 @@ def _checknetloc(netloc):
+ raise ValueError("netloc '" + netloc + "' contains invalid " +
+ "characters under NFKC normalization")
+
++def _remove_unsafe_bytes_from_url(url):
++ for b in _UNSAFE_URL_BYTES_TO_REMOVE:
++ url = url.replace(b, "")
++ return url
++
+ def urlsplit(url, scheme='', allow_fragments=True):
+ """Parse a URL into 5 components:
+ <scheme>://<netloc>/<path>?<query>#<fragment>
+@@ -416,6 +424,8 @@ def urlsplit(url, scheme='', allow_fragments=True):
+ Note that we don't break the components up in smaller bits
+ (e.g. netloc is a single string) and we don't expand % escapes."""
+ url, scheme, _coerce_result = _coerce_args(url, scheme)
++ url = _remove_unsafe_bytes_from_url(url)
++ scheme = _remove_unsafe_bytes_from_url(scheme)
+ allow_fragments = bool(allow_fragments)
+ key = url, scheme, allow_fragments, type(url), type(scheme)
+ cached = _parse_cache.get(key, None)
+diff --git a/Misc/NEWS.d/next/Security/2021-04-25-07-46-37.bpo-43882.Jpwx85.rst b/Misc/NEWS.d/next/Security/2021-04-25-07-46-37.bpo-43882.Jpwx85.rst
+new file mode 100644
+index 0000000000000..a326d079dff4a
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2021-04-25-07-46-37.bpo-43882.Jpwx85.rst
+@@ -0,0 +1,6 @@
++The presence of newline or tab characters in parts of a URL could allow
++some forms of attacks.
++
++Following the controlling specification for URLs defined by WHATWG
++:func:`urllib.parse` now removes ASCII newlines and tabs from URLs,
++preventing such attacks.
diff --git a/SOURCES/00378-support-expat-2-4-5.patch b/SOURCES/00378-support-expat-2-4-5.patch
new file mode 100644
index 0000000..4b1e441
--- /dev/null
+++ b/SOURCES/00378-support-expat-2-4-5.patch
@@ -0,0 +1,98 @@
+From a5b78c6f1c802f6023bd4d7a248dc83be1eef6a3 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 21 Feb 2022 15:48:32 +0100
+Subject: [PATCH] 00378: Support expat 2.4.5
+
+Curly brackets were never allowed in namespace URIs
+according to RFC 3986, and so-called namespace-validating
+XML parsers have the right to reject them a invalid URIs.
+
+libexpat >=2.4.5 has become strcter in that regard due to
+related security issues; with ET.XML instantiating a
+namespace-aware parser under the hood, this test has no
+future in CPython.
+
+References:
+- https://datatracker.ietf.org/doc/html/rfc3968
+- https://www.w3.org/TR/xml-names/
+
+Also, test_minidom.py: Support Expat >=2.4.5
+
+Upstream: https://bugs.python.org/issue46811
+
+Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
+---
+ Lib/test/test_minidom.py | 12 +++++++++---
+ Lib/test/test_xml_etree.py | 6 ------
+ .../Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst | 1 +
+ 3 files changed, 10 insertions(+), 9 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst
+
+diff --git a/Lib/test/test_minidom.py b/Lib/test/test_minidom.py
+index d55e25e..e947382 100644
+--- a/Lib/test/test_minidom.py
++++ b/Lib/test/test_minidom.py
+@@ -5,10 +5,12 @@ import pickle
+ from test import support
+ import unittest
+
++import pyexpat
+ import xml.dom.minidom
+
+ from xml.dom.minidom import parse, Node, Document, parseString
+ from xml.dom.minidom import getDOMImplementation
++from xml.parsers.expat import ExpatError
+
+
+ tstfile = support.findfile("test.xml", subdir="xmltestdata")
+@@ -1156,8 +1158,10 @@ class MinidomTest(unittest.TestCase):
+
+ # Verify that character decoding errors raise exceptions instead
+ # of crashing
+- self.assertRaises(UnicodeDecodeError, parseString,
+- b'<fran\xe7ais>Comment \xe7a va ? Tr\xe8s bien ?</fran\xe7ais>')
++ self.assertRaises(ExpatError, parseString,
++ b'<fran\xe7ais></fran\xe7ais>')
++ self.assertRaises(ExpatError, parseString,
++ b'<franais>Comment \xe7a va ? Tr\xe8s bien ?</franais>')
+
+ doc.unlink()
+
+@@ -1602,7 +1606,9 @@ class MinidomTest(unittest.TestCase):
+ self.confirm(doc2.namespaceURI == xml.dom.EMPTY_NAMESPACE)
+
+ def testExceptionOnSpacesInXMLNSValue(self):
+- with self.assertRaisesRegex(ValueError, 'Unsupported syntax'):
++ context = self.assertRaisesRegex(ExpatError, 'syntax error')
++
++ with context:
+ parseString('<element xmlns:abc="http:abc.com/de f g/hi/j k"><abc:foo /></element>')
+
+ def testDocRemoveChild(self):
+diff --git a/Lib/test/test_xml_etree.py b/Lib/test/test_xml_etree.py
+index b01709e..acaa519 100644
+--- a/Lib/test/test_xml_etree.py
++++ b/Lib/test/test_xml_etree.py
+@@ -1668,12 +1668,6 @@ class BugsTest(unittest.TestCase):
+ b"<?xml version='1.0' encoding='ascii'?>\n"
+ b'<body>tãg</body>')
+
+- def test_issue3151(self):
+- e = ET.XML('<prefix:localname xmlns:prefix="${stuff}"/>')
+- self.assertEqual(e.tag, '{${stuff}}localname')
+- t = ET.ElementTree(e)
+- self.assertEqual(ET.tostring(e), b'<ns0:localname xmlns:ns0="${stuff}" />')
+-
+ def test_issue6565(self):
+ elem = ET.XML("<body><tag/></body>")
+ self.assertEqual(summarize_list(elem), ['tag'])
+diff --git a/Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst b/Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst
+new file mode 100644
+index 0000000..6969bd1
+--- /dev/null
++++ b/Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst
+@@ -0,0 +1 @@
++Make test suite support Expat >=2.4.5
+--
+2.35.1
+
diff --git a/SOURCES/00382-cve-2015-20107.patch b/SOURCES/00382-cve-2015-20107.patch
new file mode 100644
index 0000000..9e981e2
--- /dev/null
+++ b/SOURCES/00382-cve-2015-20107.patch
@@ -0,0 +1,150 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Petr Viktorin <encukou@gmail.com>
+Date: Fri, 3 Jun 2022 11:43:35 +0200
+Subject: [PATCH] 00382: CVE-2015-20107
+
+Make mailcap refuse to match unsafe filenames/types/params (GH-91993)
+
+Upstream: https://github.com/python/cpython/issues/68966
+
+Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390
+---
+ Doc/library/mailcap.rst | 12 +++++++++
+ Lib/mailcap.py | 26 +++++++++++++++++--
+ Lib/test/test_mailcap.py | 8 ++++--
+ ...2-04-27-18-25-30.gh-issue-68966.gjS8zs.rst | 4 +++
+ 4 files changed, 46 insertions(+), 4 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
+
+diff --git a/Doc/library/mailcap.rst b/Doc/library/mailcap.rst
+index 896afd1d73..849d0bc05f 100644
+--- a/Doc/library/mailcap.rst
++++ b/Doc/library/mailcap.rst
+@@ -54,6 +54,18 @@ standard. However, mailcap files are supported on most Unix systems.
+ use) to determine whether or not the mailcap line applies. :func:`findmatch`
+ will automatically check such conditions and skip the entry if the check fails.
+
++ .. versionchanged:: 3.11
++
++ To prevent security issues with shell metacharacters (symbols that have
++ special effects in a shell command line), ``findmatch`` will refuse
++ to inject ASCII characters other than alphanumerics and ``@+=:,./-_``
++ into the returned command line.
++
++ If a disallowed character appears in *filename*, ``findmatch`` will always
++ return ``(None, None)`` as if no entry was found.
++ If such a character appears elsewhere (a value in *plist* or in *MIMEtype*),
++ ``findmatch`` will ignore all mailcap entries which use that value.
++ A :mod:`warning <warnings>` will be raised in either case.
+
+ .. function:: getcaps()
+
+diff --git a/Lib/mailcap.py b/Lib/mailcap.py
+index bd0fc0981c..dcd4b449e8 100644
+--- a/Lib/mailcap.py
++++ b/Lib/mailcap.py
+@@ -2,6 +2,7 @@
+
+ import os
+ import warnings
++import re
+
+ __all__ = ["getcaps","findmatch"]
+
+@@ -13,6 +14,11 @@ def lineno_sort_key(entry):
+ else:
+ return 1, 0
+
++_find_unsafe = re.compile(r'[^\xa1-\U0010FFFF\w@+=:,./-]').search
++
++class UnsafeMailcapInput(Warning):
++ """Warning raised when refusing unsafe input"""
++
+
+ # Part 1: top-level interface.
+
+@@ -165,15 +171,22 @@ def findmatch(caps, MIMEtype, key='view', filename="/dev/null", plist=[]):
+ entry to use.
+
+ """
++ if _find_unsafe(filename):
++ msg = "Refusing to use mailcap with filename %r. Use a safe temporary filename." % (filename,)
++ warnings.warn(msg, UnsafeMailcapInput)
++ return None, None
+ entries = lookup(caps, MIMEtype, key)
+ # XXX This code should somehow check for the needsterminal flag.
+ for e in entries:
+ if 'test' in e:
+ test = subst(e['test'], filename, plist)
++ if test is None:
++ continue
+ if test and os.system(test) != 0:
+ continue
+ command = subst(e[key], MIMEtype, filename, plist)
+- return command, e
++ if command is not None:
++ return command, e
+ return None, None
+
+ def lookup(caps, MIMEtype, key=None):
+@@ -206,6 +219,10 @@ def subst(field, MIMEtype, filename, plist=[]):
+ elif c == 's':
+ res = res + filename
+ elif c == 't':
++ if _find_unsafe(MIMEtype):
++ msg = "Refusing to substitute MIME type %r into a shell command." % (MIMEtype,)
++ warnings.warn(msg, UnsafeMailcapInput)
++ return None
+ res = res + MIMEtype
+ elif c == '{':
+ start = i
+@@ -213,7 +230,12 @@ def subst(field, MIMEtype, filename, plist=[]):
+ i = i+1
+ name = field[start:i]
+ i = i+1
+- res = res + findparam(name, plist)
++ param = findparam(name, plist)
++ if _find_unsafe(param):
++ msg = "Refusing to substitute parameter %r (%s) into a shell command" % (param, name)
++ warnings.warn(msg, UnsafeMailcapInput)
++ return None
++ res = res + param
+ # XXX To do:
+ # %n == number of parts if type is multipart/*
+ # %F == list of alternating type and filename for parts
+diff --git a/Lib/test/test_mailcap.py b/Lib/test/test_mailcap.py
+index c08423c670..920283d9a2 100644
+--- a/Lib/test/test_mailcap.py
++++ b/Lib/test/test_mailcap.py
+@@ -121,7 +121,8 @@ class HelperFunctionTest(unittest.TestCase):
+ (["", "audio/*", "foo.txt"], ""),
+ (["echo foo", "audio/*", "foo.txt"], "echo foo"),
+ (["echo %s", "audio/*", "foo.txt"], "echo foo.txt"),
+- (["echo %t", "audio/*", "foo.txt"], "echo audio/*"),
++ (["echo %t", "audio/*", "foo.txt"], None),
++ (["echo %t", "audio/wav", "foo.txt"], "echo audio/wav"),
+ (["echo \\%t", "audio/*", "foo.txt"], "echo %t"),
+ (["echo foo", "audio/*", "foo.txt", plist], "echo foo"),
+ (["echo %{total}", "audio/*", "foo.txt", plist], "echo 3")
+@@ -205,7 +206,10 @@ class FindmatchTest(unittest.TestCase):
+ ('"An audio fragment"', audio_basic_entry)),
+ ([c, "audio/*"],
+ {"filename": fname},
+- ("/usr/local/bin/showaudio audio/*", audio_entry)),
++ (None, None)),
++ ([c, "audio/wav"],
++ {"filename": fname},
++ ("/usr/local/bin/showaudio audio/wav", audio_entry)),
+ ([c, "message/external-body"],
+ {"plist": plist},
+ ("showexternal /dev/null default john python.org /tmp foo bar", message_entry))
+diff --git a/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
+new file mode 100644
+index 0000000000..da81a1f699
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
+@@ -0,0 +1,4 @@
++The deprecated mailcap module now refuses to inject unsafe text (filenames,
++MIME types, parameters) into shell commands. Instead of using such text, it
++will warn and act as if a match was not found (or for test commands, as if
++the test failed).
diff --git a/SPECS/python3.spec b/SPECS/python3.spec
index 785689a..b8fc19e 100644
--- a/SPECS/python3.spec
+++ b/SPECS/python3.spec
@@ -14,7 +14,7 @@ URL: https://www.python.org/
# WARNING When rebasing to a new Python version,
# remember to update the python3-docs package as well
Version: %{pybasever}.8
-Release: 45%{?dist}
+Release: 47%{?dist}
License: Python
@@ -651,6 +651,50 @@ Patch370: 00370-GIL-monotonic-clock.patch
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=2036020
Patch372: 00372-CVE-2021-4189.patch
+# 00377 #
+# CVE-2022-0391: urlparse does not sanitize URLs containing ASCII newline and tabs
+#
+# ASCII newline and tab characters are stripped from the URL.
+#
+# Upstream: https://bugs.python.org/issue43882
+# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=2047376
+Patch377: 00377-CVE-2022-0391.patch
+
+# 00378 #
+# Support expat 2.4.5
+#
+# Curly brackets were never allowed in namespace URIs
+# according to RFC 3986, and so-called namespace-validating
+# XML parsers have the right to reject them a invalid URIs.
+#
+# libexpat >=2.4.5 has become strcter in that regard due to
+# related security issues; with ET.XML instantiating a
+# namespace-aware parser under the hood, this test has no
+# future in CPython.
+#
+# References:
+# - https://datatracker.ietf.org/doc/html/rfc3968
+# - https://www.w3.org/TR/xml-names/
+#
+# Also, test_minidom.py: Support Expat >=2.4.5
+#
+# The patch has diverged from upstream as the python test
+# suite was relying on checking the expat version, whereas
+# in RHEL fixes get backported instead of rebasing packages.
+#
+# Upstream: https://bugs.python.org/issue46811
+Patch378: 00378-support-expat-2-4-5.patch
+
+# 00382 #
+# CVE-2015-20107
+#
+# Make mailcap refuse to match unsafe filenames/types/params (GH-91993)
+#
+# Upstream: https://github.com/python/cpython/issues/68966
+#
+# Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390
+Patch382: 00382-cve-2015-20107.patch
+
# (New patches go here ^^^)
#
# When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@@ -990,6 +1034,9 @@ git apply %{PATCH351}
%patch369 -p1
%patch370 -p1
%patch372 -p1
+%patch377 -p1
+%patch378 -p1
+%patch382 -p1
# Remove files that should be generated by the build
# (This is after patching, so that we can use patches directly from upstream)
@@ -1915,6 +1962,15 @@ fi
# ======================================================
%changelog
+* Tue Jun 14 2022 Charalampos Stratakis <cstratak@redhat.com> - 3.6.8-47
+- Security fix for CVE-2015-20107
+Resolves: rhbz#2075390
+
+* Wed Mar 09 2022 Charalampos Stratakis <cstratak@redhat.com> - 3.6.8-46
+- Security fix for CVE-2022-0391: urlparse does not sanitize URLs containing ASCII newline and tabs
+- Fix the test suite support for Expat >= 2.4.5
+Resolves: rhbz#2047376
+
* Fri Jan 07 2022 Charalampos Stratakis <cstratak@redhat.com> - 3.6.8-45
- Security fix for CVE-2021-4189: ftplib should not use the host from the PASV response
Resolves: rhbz#2036020