diff --git a/.gitignore b/.gitignore
index 47eb58c..cc7a512 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/Python-3.8.11.tar.xz
+SOURCES/Python-3.8.13.tar.xz
diff --git a/.rh-python38-python.metadata b/.rh-python38-python.metadata
index 3ec451b..9e639dc 100644
--- a/.rh-python38-python.metadata
+++ b/.rh-python38-python.metadata
@@ -1 +1 @@
-1561060627fd171de19c53eb374cd92d2f297bff SOURCES/Python-3.8.11.tar.xz
+fb46587353f092d91caeddb07f82bb66a5115468 SOURCES/Python-3.8.13.tar.xz
diff --git a/SOURCES/00189-use-rpm-wheels.patch b/SOURCES/00189-use-rpm-wheels.patch
index 498c727..1a764dd 100644
--- a/SOURCES/00189-use-rpm-wheels.patch
+++ b/SOURCES/00189-use-rpm-wheels.patch
@@ -1,4 +1,4 @@
-From 91c30b058ad9ab85debef8ffc058656c689fd1ac Mon Sep 17 00:00:00 2001
+From a7146f029f38c7fc25ddfa09529aefbe8035620a Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz>
 Date: Wed, 15 Aug 2018 15:36:29 +0200
 Subject: [PATCH] 00189: Instead of bundled wheels, use our RPM packaged wheels
@@ -8,11 +8,11 @@ We keep them in /usr/share/python-wheels
 Downstream only: upstream bundles
 We might eventually pursuit upstream support, but it's low prio
 ---
- Lib/ensurepip/__init__.py | 33 +++++++++++++++++++++++----------
- 1 file changed, 23 insertions(+), 10 deletions(-)
+ Lib/ensurepip/__init__.py | 36 ++++++++++++++++++++++++++----------
+ 1 file changed, 26 insertions(+), 10 deletions(-)
 
 diff --git a/Lib/ensurepip/__init__.py b/Lib/ensurepip/__init__.py
-index 597a1ef..9206d11 100644
+index b291e9a..ed17b22 100644
 --- a/Lib/ensurepip/__init__.py
 +++ b/Lib/ensurepip/__init__.py
 @@ -1,6 +1,7 @@
@@ -24,14 +24,15 @@ index 597a1ef..9206d11 100644
  import sys
  import runpy
  import tempfile
-@@ -9,9 +10,24 @@ import subprocess
+@@ -9,8 +10,26 @@ import subprocess
  
  __all__ = ["version", "bootstrap"]
- 
+ _PACKAGE_NAMES = ('setuptools', 'pip')
 -_SETUPTOOLS_VERSION = "56.0.0"
+-_PIP_VERSION = "22.0.4"
++
 +_WHEEL_DIR = "/opt/rh/rh-python38/root/usr/share/python38-wheels/"
- 
--_PIP_VERSION = "21.1.1"
++
 +_wheels = {}
 +
 +def _get_most_recent_wheel_version(pkg):
@@ -48,10 +49,11 @@ index 597a1ef..9206d11 100644
 +_SETUPTOOLS_VERSION = _get_most_recent_wheel_version("setuptools")
 +
 +_PIP_VERSION = _get_most_recent_wheel_version("pip")
- 
++
  _PROJECTS = [
      ("setuptools", _SETUPTOOLS_VERSION, "py3"),
-@@ -101,13 +117,10 @@ def _bootstrap(*, root=None, upgrade=False, user=False,
+     ("pip", _PIP_VERSION, "py3"),
+@@ -99,13 +118,10 @@ def _bootstrap(*, root=None, upgrade=False, user=False,
          # additional paths that need added to sys.path
          additional_paths = []
          for project, version, py_tag in _PROJECTS:
@@ -70,5 +72,5 @@ index 597a1ef..9206d11 100644
              additional_paths.append(os.path.join(tmpdir, wheel_name))
  
 -- 
-2.31.1
+2.35.1
 
diff --git a/SOURCES/00365-CVE-2021-29921.patch b/SOURCES/00365-CVE-2021-29921.patch
deleted file mode 100644
index b3f8176..0000000
--- a/SOURCES/00365-CVE-2021-29921.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-diff --git a/Doc/library/ipaddress.rst b/Doc/library/ipaddress.rst
-index 2cdfddb..d464d2a 100644
---- a/Doc/library/ipaddress.rst
-+++ b/Doc/library/ipaddress.rst
-@@ -104,8 +104,7 @@ write code that handles both IP versions correctly.  Address objects are
-    1. A string in decimal-dot notation, consisting of four decimal integers in
-       the inclusive range 0--255, separated by dots (e.g. ``192.168.0.1``). Each
-       integer represents an octet (byte) in the address. Leading zeroes are
--      tolerated only for values less than 8 (as there is no ambiguity
--      between the decimal and octal interpretations of such strings).
-+      not tolerated to prevent confusion with octal notation.
-    2. An integer that fits into 32 bits.
-    3. An integer packed into a :class:`bytes` object of length 4 (most
-       significant octet first).
-diff --git a/Lib/ipaddress.py b/Lib/ipaddress.py
-index 28b7b61..d351f07 100644
---- a/Lib/ipaddress.py
-+++ b/Lib/ipaddress.py
-@@ -1173,6 +1173,11 @@ class _BaseV4:
-         if len(octet_str) > 3:
-             msg = "At most 3 characters permitted in %r"
-             raise ValueError(msg % octet_str)
-+        # Handle leading zeros as strict as glibc's inet_pton()
-+        # See security bug bpo-36384
-+        if octet_str != '0' and octet_str[0] == '0':
-+            msg = "Leading zeros are not permitted in %r"
-+            raise ValueError(msg % octet_str)
-         # Convert to integer (we know digits are legal)
-         octet_int = int(octet_str, 10)
-         if octet_int > 255:
-diff --git a/Lib/test/test_ipaddress.py b/Lib/test/test_ipaddress.py
-index 2f1c5b6..1297b83 100644
---- a/Lib/test/test_ipaddress.py
-+++ b/Lib/test/test_ipaddress.py
-@@ -97,10 +97,23 @@ class CommonTestMixin:
- class CommonTestMixin_v4(CommonTestMixin):
- 
-     def test_leading_zeros(self):
--        self.assertInstancesEqual("000.000.000.000", "0.0.0.0")
--        self.assertInstancesEqual("192.168.000.001", "192.168.0.1")
--        self.assertInstancesEqual("016.016.016.016", "16.16.16.16")
--        self.assertInstancesEqual("001.000.008.016", "1.0.8.16")
-+        # bpo-36384: no leading zeros to avoid ambiguity with octal notation
-+        msg = "Leading zeros are not permitted in '\d+'"
-+        addresses = [
-+            "000.000.000.000",
-+            "192.168.000.001",
-+            "016.016.016.016",
-+            "192.168.000.001",
-+            "001.000.008.016",
-+            "01.2.3.40",
-+            "1.02.3.40",
-+            "1.2.03.40",
-+            "1.2.3.040",
-+        ]
-+        for address in addresses:
-+            with self.subTest(address=address):
-+                with self.assertAddressError(msg):
-+                    self.factory(address)
- 
-     def test_int(self):
-         self.assertInstancesEqual(0, "0.0.0.0")
diff --git a/SOURCES/00378-support-expat-2-4-5.patch b/SOURCES/00378-support-expat-2-4-5.patch
new file mode 100644
index 0000000..de91016
--- /dev/null
+++ b/SOURCES/00378-support-expat-2-4-5.patch
@@ -0,0 +1,35 @@
+diff --git a/Lib/test/test_minidom.py b/Lib/test/test_minidom.py
+index 06c9107..d7307b4 100644
+--- a/Lib/test/test_minidom.py
++++ b/Lib/test/test_minidom.py
+@@ -1149,14 +1149,10 @@ class MinidomTest(unittest.TestCase):
+ 
+         # Verify that character decoding errors raise exceptions instead
+         # of crashing
+-        if pyexpat.version_info >= (2, 4, 5):
+-            self.assertRaises(ExpatError, parseString,
+-                    b'<fran\xe7ais></fran\xe7ais>')
+-            self.assertRaises(ExpatError, parseString,
+-                    b'<franais>Comment \xe7a va ? Tr\xe8s bien ?</franais>')
+-        else:
+-            self.assertRaises(UnicodeDecodeError, parseString,
+-                b'<fran\xe7ais>Comment \xe7a va ? Tr\xe8s bien ?</fran\xe7ais>')
++        self.assertRaises(ExpatError, parseString,
++                b'<fran\xe7ais></fran\xe7ais>')
++        self.assertRaises(ExpatError, parseString,
++                b'<franais>Comment \xe7a va ? Tr\xe8s bien ?</franais>')
+ 
+         doc.unlink()
+ 
+@@ -1601,10 +1597,7 @@ class MinidomTest(unittest.TestCase):
+         self.confirm(doc2.namespaceURI == xml.dom.EMPTY_NAMESPACE)
+ 
+     def testExceptionOnSpacesInXMLNSValue(self):
+-        if pyexpat.version_info >= (2, 4, 5):
+-            context = self.assertRaisesRegex(ExpatError, 'syntax error')
+-        else:
+-            context = self.assertRaisesRegex(ValueError, 'Unsupported syntax')
++        context = self.assertRaisesRegex(ExpatError, 'syntax error')
+ 
+         with context:
+             parseString('<element xmlns:abc="http:abc.com/de f g/hi/j k"><abc:foo /></element>')
diff --git a/SPECS/python.spec b/SPECS/python.spec
index 72478b9..68777f6 100644
--- a/SPECS/python.spec
+++ b/SPECS/python.spec
@@ -20,11 +20,11 @@ URL: https://www.python.org/
 
 #  WARNING  When rebasing to a new Python version,
 #           remember to update the python3-docs package as well
-%global general_version %{pybasever}.11
+%global general_version %{pybasever}.13
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 2%{?dist}
+Release: 1%{?dist}
 License: Python
 
 # ==================================
@@ -379,11 +379,16 @@ Patch329: 00329-fips.patch
 # Main BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1928904
 Patch359: 00359-CVE-2021-23336.patch
 
-# 00365 #
-# CVE-2021-29921: Improper input validation of octal strings in the ipaddress module
-# Upstream: https://bugs.python.org/issue36384
-# Main bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1957458
-Patch365: 00365-CVE-2021-29921.patch
+# 00378 #
+# Support expat 2.4.5
+#
+# This patch modifies the upstream code as to not account
+# for the version specific expat assertions, since in RHEL
+# we provide security fixes through backports and not a
+# version upgrade.
+#
+# Upstream: https://bugs.python.org/issue46811
+Patch378: 00378-support-expat-2-4-5.patch
 
 # (New patches go here ^^^)
 #
@@ -718,7 +723,7 @@ rm Lib/ensurepip/_bundled/*.whl
 %patch328 -p1
 %patch329 -p1
 %patch359 -p1
-%patch365 -p1
+%patch378 -p1
 
 cat %{PATCH300} | sed -e "s/__SCL_NAME__/%{?scl}/" \
                 | patch -p1
@@ -1702,6 +1707,11 @@ CheckPython optimized
 # ======================================================
 
 %changelog
+* Wed Mar 16 2022 Charalampos Stratakis <cstratak@redhat.com> - 3.8.13-1
+- Update to 3.8.13
+- Fix test suite issues with the latest expat security update
+Resolves: rhbz#2068592
+
 * Thu Jul 22 2021 Charalampos Stratakis <cstratak@redhat.com> - 3.8.11-2
 - Security fix for CVE-2021-29921: Leading zeros in IPv4 addresses are no longer tolerated
 Resolves: rhbz#1957458