diff --git a/SOURCES/00378-support-expat-2-4-5.patch b/SOURCES/00378-support-expat-2-4-5.patch
new file mode 100644
index 0000000..4b1e441
--- /dev/null
+++ b/SOURCES/00378-support-expat-2-4-5.patch
@@ -0,0 +1,98 @@
+From a5b78c6f1c802f6023bd4d7a248dc83be1eef6a3 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 21 Feb 2022 15:48:32 +0100
+Subject: [PATCH] 00378: Support expat 2.4.5
+
+Curly brackets were never allowed in namespace URIs
+according to RFC 3986, and so-called namespace-validating
+XML parsers have the right to reject them a invalid URIs.
+
+libexpat >=2.4.5 has become strcter in that regard due to
+related security issues; with ET.XML instantiating a
+namespace-aware parser under the hood, this test has no
+future in CPython.
+
+References:
+- https://datatracker.ietf.org/doc/html/rfc3968
+- https://www.w3.org/TR/xml-names/
+
+Also, test_minidom.py: Support Expat >=2.4.5
+
+Upstream: https://bugs.python.org/issue46811
+
+Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
+---
+ Lib/test/test_minidom.py | 12 +++++++++---
+ Lib/test/test_xml_etree.py | 6 ------
+ .../Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst | 1 +
+ 3 files changed, 10 insertions(+), 9 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst
+
+diff --git a/Lib/test/test_minidom.py b/Lib/test/test_minidom.py
+index d55e25e..e947382 100644
+--- a/Lib/test/test_minidom.py
++++ b/Lib/test/test_minidom.py
+@@ -5,10 +5,12 @@ import pickle
+ from test import support
+ import unittest
+
++import pyexpat
+ import xml.dom.minidom
+
+ from xml.dom.minidom import parse, Node, Document, parseString
+ from xml.dom.minidom import getDOMImplementation
++from xml.parsers.expat import ExpatError
+
+
+ tstfile = support.findfile("test.xml", subdir="xmltestdata")
+@@ -1156,8 +1158,10 @@ class MinidomTest(unittest.TestCase):
+
+ # Verify that character decoding errors raise exceptions instead
+ # of crashing
+- self.assertRaises(UnicodeDecodeError, parseString,
+- b'<fran\xe7ais>Comment \xe7a va ? Tr\xe8s bien ?</fran\xe7ais>')
++ self.assertRaises(ExpatError, parseString,
++ b'<fran\xe7ais></fran\xe7ais>')
++ self.assertRaises(ExpatError, parseString,
++ b'<franais>Comment \xe7a va ? Tr\xe8s bien ?</franais>')
+
+ doc.unlink()
+
+@@ -1602,7 +1606,9 @@ class MinidomTest(unittest.TestCase):
+ self.confirm(doc2.namespaceURI == xml.dom.EMPTY_NAMESPACE)
+
+ def testExceptionOnSpacesInXMLNSValue(self):
+- with self.assertRaisesRegex(ValueError, 'Unsupported syntax'):
++ context = self.assertRaisesRegex(ExpatError, 'syntax error')
++
++ with context:
+ parseString('<element xmlns:abc="http:abc.com/de f g/hi/j k"><abc:foo /></element>')
+
+ def testDocRemoveChild(self):
+diff --git a/Lib/test/test_xml_etree.py b/Lib/test/test_xml_etree.py
+index b01709e..acaa519 100644
+--- a/Lib/test/test_xml_etree.py
++++ b/Lib/test/test_xml_etree.py
+@@ -1668,12 +1668,6 @@ class BugsTest(unittest.TestCase):
+ b"<?xml version='1.0' encoding='ascii'?>\n"
+ b'<body>tãg</body>')
+
+- def test_issue3151(self):
+- e = ET.XML('<prefix:localname xmlns:prefix="${stuff}"/>')
+- self.assertEqual(e.tag, '{${stuff}}localname')
+- t = ET.ElementTree(e)
+- self.assertEqual(ET.tostring(e), b'<ns0:localname xmlns:ns0="${stuff}" />')
+-
+ def test_issue6565(self):
+ elem = ET.XML("<body><tag/></body>")
+ self.assertEqual(summarize_list(elem), ['tag'])
+diff --git a/Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst b/Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst
+new file mode 100644
+index 0000000..6969bd1
+--- /dev/null
++++ b/Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst
+@@ -0,0 +1 @@
++Make test suite support Expat >=2.4.5
+--
+2.35.1
+
diff --git a/SOURCES/00399-CVE-2023-24329.patch b/SOURCES/00399-CVE-2023-24329.patch
new file mode 100644
index 0000000..0860553
--- /dev/null
+++ b/SOURCES/00399-CVE-2023-24329.patch
@@ -0,0 +1,142 @@
+From ba7a1989c7231a733e3c04417cc941d026066964 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Mon, 22 May 2023 03:42:37 -0700
+Subject: [PATCH] 00399: CVE-2023-24329
+
+gh-102153: Start stripping C0 control and space chars in `urlsplit` (GH-102508)
+
+`urllib.parse.urlsplit` has already been respecting the WHATWG spec a bit GH-25595.
+
+This adds more sanitizing to respect the "Remove any leading C0 control or space from input" [rule](https://url.spec.whatwg.org/GH-url-parsing:~:text=Remove%20any%20leading%20and%20trailing%20C0%20control%20or%20space%20from%20input.) in response to [CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329).
+
+Backported from Python 3.12
+
+(cherry picked from commit f48a96a28012d28ae37a2f4587a780a5eb779946)
+
+Co-authored-by: Illia Volochii <illia.volochii@gmail.com>
+Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org>
+---
+ Lib/test/test_urlparse.py | 61 ++++++++++++++++++++++++++++++++++++++-
+ Lib/urllib/parse.py | 12 ++++++++
+ 2 files changed, 72 insertions(+), 1 deletion(-)
+
+diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
+index 68f633c..8dd9795 100644
+--- a/Lib/test/test_urlparse.py
++++ b/Lib/test/test_urlparse.py
+@@ -624,6 +624,65 @@ class UrlParseTestCase(unittest.TestCase):
+ with self.assertRaisesRegex(ValueError, "out of range"):
+ p.port
+
++ def test_urlsplit_strip_url(self):
++ noise = bytes(range(0, 0x20 + 1))
++ base_url = "http://User:Pass@www.python.org:080/doc/?query=yes#frag"
++
++ url = noise.decode("utf-8") + base_url
++ p = urllib.parse.urlsplit(url)
++ self.assertEqual(p.scheme, "http")
++ self.assertEqual(p.netloc, "User:Pass@www.python.org:080")
++ self.assertEqual(p.path, "/doc/")
++ self.assertEqual(p.query, "query=yes")
++ self.assertEqual(p.fragment, "frag")
++ self.assertEqual(p.username, "User")
++ self.assertEqual(p.password, "Pass")
++ self.assertEqual(p.hostname, "www.python.org")
++ self.assertEqual(p.port, 80)
++ self.assertEqual(p.geturl(), base_url)
++
++ url = noise + base_url.encode("utf-8")
++ p = urllib.parse.urlsplit(url)
++ self.assertEqual(p.scheme, b"http")
++ self.assertEqual(p.netloc, b"User:Pass@www.python.org:080")
++ self.assertEqual(p.path, b"/doc/")
++ self.assertEqual(p.query, b"query=yes")
++ self.assertEqual(p.fragment, b"frag")
++ self.assertEqual(p.username, b"User")
++ self.assertEqual(p.password, b"Pass")
++ self.assertEqual(p.hostname, b"www.python.org")
++ self.assertEqual(p.port, 80)
++ self.assertEqual(p.geturl(), base_url.encode("utf-8"))
++
++ # Test that trailing space is preserved as some applications rely on
++ # this within query strings.
++ query_spaces_url = "https://www.python.org:88/doc/?query= "
++ p = urllib.parse.urlsplit(noise.decode("utf-8") + query_spaces_url)
++ self.assertEqual(p.scheme, "https")
++ self.assertEqual(p.netloc, "www.python.org:88")
++ self.assertEqual(p.path, "/doc/")
++ self.assertEqual(p.query, "query= ")
++ self.assertEqual(p.port, 88)
++ self.assertEqual(p.geturl(), query_spaces_url)
++
++ p = urllib.parse.urlsplit("www.pypi.org ")
++ # That "hostname" gets considered a "path" due to the
++ # trailing space and our existing logic... YUCK...
++ # and re-assembles via geturl aka unurlsplit into the original.
++ # django.core.validators.URLValidator (at least through v3.2) relies on
++ # this, for better or worse, to catch it in a ValidationError via its
++ # regular expressions.
++ # Here we test the basic round trip concept of such a trailing space.
++ self.assertEqual(urllib.parse.urlunsplit(p), "www.pypi.org ")
++
++ # with scheme as cache-key
++ url = "//www.python.org/"
++ scheme = noise.decode("utf-8") + "https" + noise.decode("utf-8")
++ for _ in range(2):
++ p = urllib.parse.urlsplit(url, scheme=scheme)
++ self.assertEqual(p.scheme, "https")
++ self.assertEqual(p.geturl(), "https://www.python.org/")
++
+ def test_attributes_bad_port(self):
+ """Check handling of invalid ports."""
+ for bytes in (False, True):
+@@ -631,7 +690,7 @@ class UrlParseTestCase(unittest.TestCase):
+ for port in ("foo", "1.5", "-1", "0x10"):
+ with self.subTest(bytes=bytes, parse=parse, port=port):
+ netloc = "www.example.net:" + port
+- url = "http://" + netloc
++ url = "http://" + netloc + "/"
+ if bytes:
+ netloc = netloc.encode("ascii")
+ url = url.encode("ascii")
+diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
+index fa8827a..6a470b2 100644
+--- a/Lib/urllib/parse.py
++++ b/Lib/urllib/parse.py
+@@ -25,6 +25,10 @@ currently not entirely compliant with this RFC due to defacto
+ scenarios for parsing, and for backward compatibility purposes, some
+ parsing quirks from older RFCs are retained. The testcases in
+ test_urlparse.py provides a good indicator of parsing behavior.
++
++The WHATWG URL Parser spec should also be considered. We are not compliant with
++it either due to existing user code API behavior expectations (Hyrum's Law).
++It serves as a useful guide when making changes.
+ """
+
+ import re
+@@ -76,6 +80,10 @@ scheme_chars = ('abcdefghijklmnopqrstuvwxyz'
+ '0123456789'
+ '+-.')
+
++# Leading and trailing C0 control and space to be stripped per WHATWG spec.
++# == "".join([chr(i) for i in range(0, 0x20 + 1)])
++_WHATWG_C0_CONTROL_OR_SPACE = '\x00\x01\x02\x03\x04\x05\x06\x07\x08\t\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f '
++
+ # XXX: Consider replacing with functools.lru_cache
+ MAX_CACHE_SIZE = 20
+ _parse_cache = {}
+@@ -416,6 +424,10 @@ def urlsplit(url, scheme='', allow_fragments=True):
+ Note that we don't break the components up in smaller bits
+ (e.g. netloc is a single string) and we don't expand % escapes."""
+ url, scheme, _coerce_result = _coerce_args(url, scheme)
++ # Only lstrip url as some applications rely on preserving trailing space.
++ # (https://url.spec.whatwg.org/#concept-basic-url-parser would strip both)
++ url = url.lstrip(_WHATWG_C0_CONTROL_OR_SPACE)
++ scheme = scheme.strip(_WHATWG_C0_CONTROL_OR_SPACE)
+ allow_fragments = bool(allow_fragments)
+ key = url, scheme, allow_fragments, type(url), type(scheme)
+ cached = _parse_cache.get(key, None)
+--
+2.40.1
+
diff --git a/SPECS/python3.spec b/SPECS/python3.spec
index 09546fb..97268c7 100644
--- a/SPECS/python3.spec
+++ b/SPECS/python3.spec
@@ -14,7 +14,7 @@ URL: https://www.python.org/
# WARNING When rebasing to a new Python version,
# remember to update the python3-docs package as well
Version: %{pybasever}.8
-Release: 18%{?dist}
+Release: 19%{?dist}
License: Python
@@ -469,6 +469,43 @@ Patch351: 00351-avoid-infinite-loop-in-the-tarfile-module.patch
# Fixed upstream: https://bugs.python.org/issue41004
Patch352: 00352-resolve-hash-collisions-for-ipv4interface-and-ipv6interface.patch
+# 00378 #
+# Support expat 2.4.5
+#
+# Curly brackets were never allowed in namespace URIs
+# according to RFC 3986, and so-called namespace-validating
+# XML parsers have the right to reject them a invalid URIs.
+#
+# libexpat >=2.4.5 has become strcter in that regard due to
+# related security issues; with ET.XML instantiating a
+# namespace-aware parser under the hood, this test has no
+# future in CPython.
+#
+# References:
+# - https://datatracker.ietf.org/doc/html/rfc3968
+# - https://www.w3.org/TR/xml-names/
+#
+# Also, test_minidom.py: Support Expat >=2.4.5
+#
+# The patch has diverged from upstream as the python test
+# suite was relying on checking the expat version, whereas
+# in RHEL fixes get backported instead of rebasing packages.
+#
+# Upstream: https://bugs.python.org/issue46811
+Patch378: 00378-support-expat-2-4-5.patch
+
+# 00399 #
+# CVE-2023-24329
+#
+# gh-102153: Start stripping C0 control and space chars in `urlsplit` (GH-102508)
+#
+# `urllib.parse.urlsplit` has already been respecting the WHATWG spec a bit GH-25595.
+#
+# This adds more sanitizing to respect the "Remove any leading C0 control or space from input" [rule](https://url.spec.whatwg.org/GH-url-parsing:~:text=Remove%%20any%%20leading%%20and%%20trailing%%20C0%%20control%%20or%%20space%%20from%%20input.) in response to [CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329).
+#
+# Backported from Python 3.12
+Patch399: 00399-CVE-2023-24329.patch
+
# (New patches go here ^^^)
#
# When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@@ -798,6 +835,8 @@ sed -r -i s/'_PIP_VERSION = "[0-9.]+"'/'_PIP_VERSION = "%{pip_version}"'/ Lib/en
git apply %{PATCH351}
%patch352 -p1
+%patch378 -p1
+%patch399 -p1
# Remove files that should be generated by the build
# (This is after patching, so that we can use patches directly from upstream)
@@ -1186,9 +1225,6 @@ CheckPython() {
-wW --slowest --findleaks \
-x test_distutils \
-x test_bdist_rpm \
- %ifarch %{arm}
- -x test_gdb \
- %endif
%ifarch %{mips64}
-x test_ctypes \
%endif
@@ -1674,6 +1710,11 @@ CheckPython optimized
# ======================================================
%changelog
+* Mon May 29 2023 Charalampos Stratakis <cstratak@redhat.com> - 3.6.8-19
+- Security fix for CVE-2023-24329
+- Fix the test suite support for Expat >= 2.4.5
+Resolves: rhbz#2173917
+
* Fri Jul 31 2020 Charalampos Stratakis <cstratak@redhat.com> - 3.6.8-18
- Avoid infinite loop when reading specially crafted TAR files (CVE-2019-20907)
Resolves: rhbz#1856481