Removed rpms
============


Added rpms
==========


Package Source Changes
======================

glib2
+- require dbus-launch only if dbus-service is wanted. This helps
+  with stripping down container-only builds (jsc#PED-8153)
+
glibc
+- glibc-CVE-2024-33599-nscd-Stack-based-buffer-overflow-in-n.patch:
+  nscd: Stack-based buffer overflow in netgroup cache
+  (CVE-2024-33599, bsc#1223423)
+- glibc-CVE-2024-33600-nscd-Avoid-null-pointer-crashes-after.patch:
+  nscd: Avoid null pointer crashes after notfound response
+  (CVE-2024-33600, bsc#1223424)
+- glibc-CVE-2024-33600-nscd-Do-not-send-missing-not-found-re.patch:
+  nscd: Do not send missing not-found response in addgetnetgrentX
+  (CVE-2024-33600, bsc#1223424)
+- glibc-CVE-2024-33601-CVE-2024-33602-nscd-netgroup-Use-two.patch:
+  netgroup: Use two buffers in addgetnetgrentX (CVE-2024-33601,
+  CVE-2024-33602, bsc#1223425)
+
+- iconv-iso-2022-cn-ext.patch: iconv: ISO-2022-CN-EXT: fix out-of-bound
+  writes when writing escape sequence (CVE-2024-2961, bsc#1222992)
+
kernel-default
+- Update kabi files: updated for post-PublicRC
+- commit f978f5f
+
+- Update
+  patches.suse/Bluetooth-btrtl-fix-out-of-bounds-memory-access.patch
+  (git-fixes CVE-2024-26890 bsc#1223192).
+- Update
+  patches.suse/RDMA-mlx5-Fix-fortify-source-warning-while-accessing.patch
+  (jsc#PED-3311 CVE-2024-26907 bsc#1223203).
+- Update
+  patches.suse/Revert-drm-amd-flush-any-delayed-gfxoff-on-suspend-e.patch
+  (git-fixes CVE-2024-26916 bsc#1223137).
+- Update
+  patches.suse/crypto-xilinx-call-finalize-with-bh-disabled.patch
+  (git-fixes CVE-2024-26877 bsc#1223140).
+- Update
+  patches.suse/dm-call-the-resume-method-on-internal-suspend-65e8.patch
+  (git-fixes CVE-2024-26880 bsc#1223188).
+- Update
+  patches.suse/drm-amd-display-Fix-dcn35-8k30-Underflow-Corruption-.patch
+  (git-fixes CVE-2024-26913 bsc#1223204).
+- Update
+  patches.suse/drm-amd-display-fix-incorrect-mpc_combine-array-size.patch
+  (git-fixes CVE-2024-26914 bsc#1223205).
+- Update patches.suse/drm-amdgpu-Reset-IH-OVERFLOW_CLEAR-bit.patch
+  (git-fixes CVE-2024-26915 bsc#1223207).
+- Update
+  patches.suse/firmware-arm_scmi-Fix-double-free-in-SMC-transport-c.patch
+  (git-fixes CVE-2024-26893 bsc#1223196).
+- Update
+  patches.suse/net-tls-fix-use-after-free-with-partial-reads-and-as.patch
+  (bsc#1221858 CVE-2024-26582 bsc#1220214).
+- Update
+  patches.suse/wifi-ath9k-delay-all-of-ath9k_wmi_event_tasklet-unti.patch
+  (git-fixes CVE-2024-26897 bsc#1223323).
+- Update
+  patches.suse/wifi-mt76-mt7921e-fix-use-after-free-in-free_irq.patch
+  (git-fixes CVE-2024-26892 bsc#1223195).
+- Update
+  patches.suse/wifi-wilc1000-prevent-use-after-free-on-vif-when-cle.patch
+  (git-fixes CVE-2024-26895 bsc#1223197).
+- commit d9b565f
+
+- Bluetooth: hci_sync: Using hci_cmd_sync_submit when removing
+  Adv Monitor (bsc#1219216).
+- commit 81c5485
+
+- Update
+  patches.suse/0001-fs-hugetlb-fix-NULL-pointer-dereference-in-hugetlbs_.patch
+  (bsc#1219264 CVE-2024-0841 CVE-2024-26688 bsc#1222482).
+- Update
+  patches.suse/0002-iommu-vt-d-Don-t-issue-ATS-Invalidation-request-when.patch
+  (git-fixes CVE-2024-26891 bsc#1223037).
+- Update
+  patches.suse/ACPI-processor_idle-Fix-memory-leak-in-acpi_processo.patch
+  (git-fixes CVE-2024-26894 bsc#1223043).
+- Update
+  patches.suse/ASoC-qcom-Fix-uninitialized-pointer-dmactl.patch
+  (git-fixes CVE-2024-26799 bsc#1222415).
+- Update
+  patches.suse/Bluetooth-Avoid-potential-use-after-free-in-hci_erro.patch
+  (git-fixes CVE-2024-26801 bsc#1222413).
+- Update patches.suse/Bluetooth-af_bluetooth-Fix-deadlock.patch
+  (git-fixes CVE-2024-26886 bsc#1223044).
+- Update
+  patches.suse/IB-hfi1-Fix-a-memleak-in-init_credit_return.patch
+  (git-fixes CVE-2024-26839 bsc#1222975).
+- Update
+  patches.suse/RDMA-irdma-Fix-KASAN-issue-with-tasklet.patch
+  (git-fixes CVE-2024-26838 bsc#1222974).
+- Update
+  patches.suse/RDMA-srpt-Do-not-register-event-handler-until-srpt-d.patch
+  (git-fixes CVE-2024-26872 bsc#1223115).
+- Update
+  patches.suse/afs-Fix-endless-loop-in-directory-parsing.patch
+  (git-fixes CVE-2024-26848 bsc#1223030).
+- Update
+  patches.suse/afs-Increase-buffer-size-in-afs_update_volume_status.patch
+  (git-fixes CVE-2024-26736 bsc#1222586).
+- Update
+  patches.suse/btrfs-fix-double-free-of-anonymous-device-after-snap.patch
+  (bsc#1219126 CVE-2024-23850 CVE-2024-26792 bsc#1222430).
+- Update
+  patches.suse/cachefiles-fix-memory-leak-in-cachefiles_add_cache.patch
+  (bsc#1220265 CVE-2024-26840 bsc#1222976).
+- Update
+  patches.suse/ceph-prevent-use-after-free-in-encode_cap_msg.patch
+  (bsc#1221391 CVE-2024-26689 bsc#1222503).
+- Update
+  patches.suse/clk-meson-Add-missing-clocks-to-axg_clk_regmaps.patch
+  (git-fixes CVE-2024-26879 bsc#1223066).
+- Update
+  patches.suse/crypto-algif_hash-Remove-bogus-SGL-free-on-zero-leng.patch
+  (git-fixes CVE-2024-26824 bsc#1223081).
+- Update
+  patches.suse/dmaengine-fsl-qdma-init-irq-after-reg-initialization.patch
+  (git-fixes CVE-2024-26788 bsc#1222783).
+- Update
+  patches.suse/dmaengine-idxd-Ensure-safe-user-copy-of-completion-r.patch
+  (bsc#1221428 git-fixes CVE-2024-26746 bsc#1222444).
+- Update
+  patches.suse/drm-amd-display-Fix-MST-Null-Ptr-for-RV.patch
+  (git-fixes CVE-2024-26700 bsc#1222870).
+- Update
+  patches.suse/drm-amd-display-Fix-memory-leak-in-dm_sw_fini.patch
+  (git-fixes CVE-2024-26833 bsc#1223036).
+- Update
+  patches.suse/drm-amd-display-Fix-potential-null-pointer-dereferen.patch
+  (git-fixes CVE-2024-26729 bsc#1222552).
+- Update
+  patches.suse/drm-amd-display-Prevent-potential-buffer-overflow-in.patch
+  (git-fixes CVE-2024-26797 bsc#1222425).
+- Update
+  patches.suse/drm-bridge-adv7511-fix-crash-on-irq-during-probe.patch
+  (git-fixes CVE-2024-26876 bsc#1223119).
+- Update
+  patches.suse/drm-buddy-Fix-alloc_range-error-handling-code.patch
+  (git-fixes CVE-2024-26911 bsc#1223055).
+- Update
+  patches.suse/drm-mediatek-Fix-a-null-pointer-crash-in-mtk_drm_crt.patch
+  (git-fixes CVE-2024-26874 bsc#1223048).
+- Update
+  patches.suse/drm-nouveau-fix-several-DMA-buffer-leaks.patch
+  (git-fixes CVE-2024-26912 bsc#1223064).
+- Update
+  patches.suse/efi-runtime-Fix-potential-overflow-of-soft-reserved-.patch
+  (git-fixes CVE-2024-26843 bsc#1223014).
+- Update
+  patches.suse/fbcon-always-restore-the-old-font-data-in-fbcon_do_s.patch
+  (git-fixes CVE-2024-26798 bsc#1222798).
+- Update
+  patches.suse/i40e-Do-not-allow-untrusted-VF-to-remove-administrat.patch
+  (git-fixes CVE-2024-26830 bsc#1223012).
+- Update
+  patches.suse/iio-adc-ad4130-zero-initialize-clock-init-data.patch
+  (git-fixes CVE-2024-26711 bsc#1222420).
+- Update
+  patches.suse/md-Don-t-suspend-the-array-for-interrupted-reshape-9e46.patch
+  (git-fixes CVE-2024-26755 bsc#1222529).
+- Update patches.suse/media-ir_toy-fix-a-memleak-in-irtoy_tx.patch
+  (git-fixes CVE-2024-26829 bsc#1223027).
+- Update
+  patches.suse/media-pvrusb2-fix-uaf-in-pvr2_context_set_notify.patch
+  (git-fixes CVE-2024-26875 bsc#1223118).
+- Update
+  patches.suse/msft-hv-2942-hv_netvsc-Register-VF-in-netvsc_probe-if-NET_DEVICE_.patch
+  (git-fixes CVE-2024-26820 bsc#1223078).
+- Update
+  patches.suse/net-bnx2x-Prevent-access-to-a-freed-page-in-page_poo.patch
+  (bsc#1215322 CVE-2024-26859 bsc#1223049).
+- Update
+  patches.suse/net-veth-clear-GRO-when-clearing-XDP-even-when-down.patch
+  (git-fixes CVE-2024-26803 bsc#1222788).
+- Update
+  patches.suse/nfc-nci-free-rx_data_reassembly-skb-on-NCI-device-cl.patch
+  (git-fixes CVE-2024-26825 bsc#1223065).
+- Update
+  patches.suse/nilfs2-fix-data-corruption-in-dsync-block-recovery-f.patch
+  (git-fixes CVE-2024-26697 bsc#1222550).
+- Update
+  patches.suse/nilfs2-fix-hang-in-nilfs_lookup_dirty_data_buffers.patch
+  (git-fixes CVE-2024-26696 bsc#1222549).
+- Update
+  patches.suse/powerpc-iommu-Fix-the-missing-iommu_group_put-during.patch
+  (jsc#PED-7779 jsc#PED-7780 git-fixes CVE-2024-26709
+  bsc#1222418).
+- Update
+  patches.suse/powerpc-kasan-Limit-KASAN-thread-size-increase-to-32.patch
+  (bsc#1215199 CVE-2024-26710 bsc#1222419).
+- Update
+  patches.suse/powerpc-pseries-iommu-DLPAR-add-doesn-t-completely-i.patch
+  (bsc#1215199 bsc#1219077 ltc#204477 CVE-2024-26738 bsc#1222607).
+- Update
+  patches.suse/powerpc-rtas-use-correct-function-name-for-resetting.patch
+  (bsc#1215199 CVE-2024-26847 bsc#1223026).
+- Update patches.suse/ppp_async-limit-MRU-to-64K.patch (git-fixes
+  CVE-2024-26675 bsc#1222379).
+- Update
+  patches.suse/scsi-Revert-scsi-fcoe-Fix-potential-deadlock-on-fip-ctlr_lock.patch
+  (git-fixes bsc#1219141 CVE-2024-26917 bsc#1223056).
+- Update
+  patches.suse/wifi-iwlwifi-mvm-fix-a-crash-when-we-run-out-of-stat.patch
+  (git-fixes CVE-2024-26693 bsc#1222451).
+- Update
+  patches.suse/wifi-mac80211-fix-race-condition-on-enabling-fast-xm.patch
+  (git-fixes CVE-2024-26779 bsc#1222772).
+- Update
+  patches.suse/wifi-wfx-fix-memory-leak-when-starting-AP.patch
+  (git-fixes CVE-2024-26896 bsc#1223042).
+- Update
+  patches.suse/xen-events-close-evtchn-after-mapping-cleanup.patch
+  (git-fixes CVE-2024-26687 bsc#1222435).
+- commit a69636a
+
+- Update
+  patches.suse/iio-core-fix-memleak-in-iio_device_register_sysfs.patch
+  (git-fixes CVE-2023-52643 bsc#1222960).
+- Update
+  patches.suse/media-rc-bpf-attach-detach-requires-write-permission.patch
+  (git-fixes CVE-2023-52642 bsc#1223031).
+- Update
+  patches.suse/wifi-b43-Stop-wake-correct-queue-in-DMA-Tx-path-when.patch
+  (git-fixes CVE-2023-52644 bsc#1222961).
+- commit 2c2d37f
+
+- Update patch reference of iio fix (CVE-2024-26702 bsc#1222424)
+- commit 9436142
+
+- nvme-tcp: strict pdu pacing to avoid send stalls on TLS
+  (bsc#1221858).
+- tls: fix peeking with sync+async decryption (bsc#1221858).
+- tls: don't skip over different type records from the rx_list
+  (bsc#1221858).
+- tls: stop recv() if initial process_rx_list gave us non-DATA
+  (bsc#1221858).
+- tls: break out of main loop when PEEK gets a non-data record
+  (bsc#1221858).
+- net: tls: fix returned read length with async decrypt
+  (bsc#1221858).
+- net: tls: fix use-after-free with partial reads and async
+  (bsc#1221858).
+- net: tls, fix WARNIING in __sk_msg_free (bsc#1221858).
+- commit 9d8d293
+
libproxy:backend
+- Do not use %elif by now since SLE, Leap does not have an rpm
+  supporting the tag.
+
+- Drop pkgconfig(libsoup-3.0) BuildRequires: no longer needed.
+
libproxy:client
+- Do not use %elif by now since SLE, Leap does not have an rpm
+  supporting the tag.
+
+- Drop pkgconfig(libsoup-3.0) BuildRequires: no longer needed.
+
python311
+- Add CVE-2023-52425-libexpat-2.6.0-backport.patch to fix tests with
+  patched libexpat below 2.6.0 that doesn't update the version number,
+  just in SLE.
+
+- Remove not needed upstream patches:
+  * libexpat260.patch
+  * CVE-2023-6597-TempDir-cleaning-symlink.patch, bsc#1219666
+- Update to 3.11.9:
+  * Security
+  - gh-115398: Allow controlling Expat >=2.6.0 reparse deferral
+    (CVE-2023-52425,  bsc#1219559) by adding five new methods:
+    xml.etree.ElementTree.XMLParser.flush()
+    xml.etree.ElementTree.XMLPullParser.flush()
+    xml.parsers.expat.xmlparser.GetReparseDeferralEnabled()
+    xml.parsers.expat.xmlparser.SetReparseDeferralEnabled()
+    xml.sax.expatreader.ExpatParser.flush()
+  - gh-115399: Update bundled libexpat to 2.6.0
+  - gh-115243: Fix possible crashes in collections.deque.index()
+    when the deque is concurrently modified.
+  - gh-114572: ssl.SSLContext.cert_store_stats() and
+    ssl.SSLContext.get_ca_certs() now correctly lock access to the
+    certificate store, when the ssl.SSLContext is shared across
+    multiple threads.
+  * Core and Builtins
+  - gh-116296: Fix possible refleak in object.__reduce__() internal
+    error handling.
+  - gh-116034: Fix location of the error on a failed assertion.
+  - gh-115823: Properly calculate error ranges in the parser when
+    raising SyntaxError exceptions caused by invalid byte sequences.
+    Patch by Pablo Galindo
+  - gh-112087: For an empty reverse iterator for list will be
+    reduced to reversed(). Patch by Donghee Na.
+  - gh-115011: Setters for members with an unsigned integer type now
+    support the same range of valid values for objects that has a
+    __index__() method as for int.
+  - gh-96497: Fix incorrect resolution of mangled class variables
+    used in assignment expressions in comprehensions.
+  * Library
+  - gh-117310: Fixed an unlikely early & extra Py_DECREF triggered
+    crash in ssl when creating a new _ssl._SSLContext if CPython was
+    built implausibly such that the default cipher list is empty or
+    the SSL library it was linked against reports a failure from its
+    C SSL_CTX_set_cipher_list() API.
+  - gh-117178: Fix regression in lazy loading of self-referential
+    modules, introduced in gh-114781.
+  - gh-117084: Fix zipfile extraction for directory entries with the
+    name containing backslashes on Windows.
+  - gh-117110: Fix a bug that prevents subclasses of typing.Any to
+    be instantiated with arguments. Patch by Chris Fu.
+  - gh-90872: On Windows, subprocess.Popen.wait() no longer calls
+    WaitForSingleObject() with a negative timeout: pass 0 ms if the
+    timeout is negative. Patch by Victor Stinner.
+  - gh-116957: configparser: Don’t leave ConfigParser values in an
+    invalid state (stored as a list instead of a str) after an
+    earlier read raised DuplicateSectionError or
+    DuplicateOptionError.
+  - gh-90095: Ignore empty lines and comments in .pdbrc
+  - gh-116764: Restore support of None and other false values in
+    urllib.parse functions parse_qs() and parse_qsl(). Also, they
+    now raise a TypeError for non-zero integers and non-empty
+    sequences.
+  - gh-116811: In PathFinder.invalidate_caches, delegate to
+    MetadataPathFinder.invalidate_caches.
+  - gh-116600: Fix repr() for global Flag members.
+  - gh-116484: Change automatically generated tkinter.Checkbutton
+    widget names to avoid collisions with automatically generated
+    tkinter.ttk.Checkbutton widget names within the same parent
+    widget.
+  - gh-116401: Fix blocking os.fwalk() and shutil.rmtree() on
+    opening named pipe.
+  - gh-116143: Fix a race in pydoc _start_server, eliminating a
+    window in which _start_server can return a thread that is
+    “serving” but without a docserver set.
+  - gh-116325: typing: raise SyntaxError instead of AttributeError
+    on forward references as empty strings.
+  - gh-90535: Fix support of interval values > 1 in
+    logging.TimedRotatingFileHandler for when='MIDNIGHT' and
+    when='Wx'.
+  - gh-115978: Disable preadv(), readv(), pwritev(), and writev() on
+    WASI.
+  - Under wasmtime for WASI 0.2, these functions don’t pass
+    test_posix
+    (https://github.com/bytecodealliance/wasmtime/issues/7830).
+  - gh-88352: Fix the computation of the next rollover time in the
+    logging.TimedRotatingFileHandler handler. computeRollover() now
+    always returns a timestamp larger than the specified time and
+    works correctly during the DST change. doRollover() no longer
+    overwrite the already rolled over file, saving from data loss
+    when run at midnight or during repeated time at the DST change.
+  - gh-87115: Set __main__.__spec__ to None when running a script
+    with pdb
+  - gh-76511: Fix UnicodeEncodeError in email.Message.as_string()
+    that results when a message that claims to be in the ascii
+    character set actually has non-ascii characters. Non-ascii
+    characters are now replaced with the U+FFFD replacement
+    character, like in the replace error handler.
+  - gh-75988: Fixed unittest.mock.create_autospec() to pass the call
+    through to the wrapped object to return the real result.
+  - gh-115881: Fix issue where ast.parse() would incorrectly flag
+    conditional context managers (such as with (x() if y else z()):
+    ...) as invalid syntax if feature_version=(3, 8) was passed.
+    This reverts changes to the grammar made as part of gh-94949.
+  - gh-115886: Fix silent truncation of the name with an embedded
+    null character in multiprocessing.shared_memory.SharedMemory.
+  - gh-115809: Improve algorithm for computing which rolled-over log
+    files to delete in logging.TimedRotatingFileHandler. It is now
+    reliable for handlers without namer and with arbitrary
+    deterministic namer that leaves the datetime part in the file
+    name unmodified.
+  - gh-74668: urllib.parse functions parse_qs() and parse_qsl() now
+    support bytes arguments containing raw and percent-encoded
+    non-ASCII data.
+  - gh-67044: csv.writer() now always quotes or escapes '\r' and
+    '\n', regardless of lineterminator value.
+  - gh-115712: csv.writer() now quotes empty fields if delimiter is
+    a space and skipinitialspace is true and raises exception if
+    quoting is not possible.
+  - gh-115618: Fix improper decreasing the reference count for None
+    argument in property methods getter(), setter() and deleter().
+  - gh-115570: A DeprecationWarning is no longer omitted on access
+    to the __doc__ attributes of the deprecated typing.io and
+    typing.re pseudo-modules.
+  - gh-112006: Fix inspect.unwrap() for types with the __wrapper__
+    data descriptor.
+  - gh-101293: Support callables with the __call__() method and
+    types with __new__() and __init__() methods set to class
+    methods, static methods, bound methods, partial functions, and
+    other types of methods and descriptors in
+    inspect.Signature.from_callable().
+  - gh-115392: Fix a bug in doctest where incorrect line numbers
+    would be reported for decorated functions.
+  - gh-114563: Fix several format() bugs when using the C
+    implementation of Decimal: * memory leak in some rare cases when
+    using the z format option (coerce negative 0) * incorrect output
+    when applying the z format option to type F (fixed-point with
+    capital NAN / INF) * incorrect output when applying the # format
+    option (alternate form)
+  - gh-115197: urllib.request no longer resolves the hostname before
+    checking it against the system’s proxy bypass list on macOS and
+    Windows.
+  - gh-115198: Fix support of Docutils >= 0.19 in distutils.
+  - gh-115165: Most exceptions are now ignored when attempting to
+    set the __orig_class__ attribute on objects returned when
+    calling typing generic aliases (including generic aliases
+    created using typing.Annotated). Previously only AttributeError
+    was ignored. Patch by Dave Shawley.
+  - gh-115133: Fix tests for XMLPullParser with Expat 2.6.0.
+  - gh-115059: io.BufferedRandom.read1() now flushes the underlying
+    write buffer.
+  - gh-79382: Trailing ** no longer allows to match files and
+    non-existing paths in recursive glob().
+  - gh-114763: Protect modules loaded with importlib.util.LazyLoader
+    from race conditions when multiple threads try to access
+    attributes before the loading is complete.
+  - gh-97959: Fix rendering class methods, bound methods, method and
+    function aliases in pydoc. Class methods no longer have “method
+    of builtins.type instance” note. Corresponding notes are now
+    added for class and unbound methods. Method and function aliases
+    now have references to the module or the class where the origin
+    was defined if it differs from the current. Bound methods are
+    now listed in the static methods section. Methods of builtin
+    classes are now supported as well as methods of Python classes.
+  - gh-112281: Allow creating union of types for typing.Annotated
+    with unhashable metadata.
+  - gh-111775: Fix importlib.resources.simple.ResourceHandle.open()
+    for text mode, added missed stream argument.
+  - gh-90095: Make .pdbrc and -c work with any valid pdb commands.
+  - gh-107155: Fix incorrect output of help(x) where x is a lambda
+    function, which has an __annotations__ dictionary attribute with
+    a "return" key.
+  - gh-105866: Fixed _get_slots bug which caused error when defining
+    dataclasses with slots and a weakref_slot.
+  - gh-60346: Fix ArgumentParser inconsistent with parse_known_args.
+  - gh-100985: Update HTTPSConnection to consistently wrap IPv6
+    Addresses when using a proxy.
+  - gh-100884: email: fix misfolding of comma in address-lists over
+    multiple lines in combination with unicode encoding.
+  - gh-95782: Fix io.BufferedReader.tell(),
+    io.BufferedReader.seek(), _pyio.BufferedReader.tell(),
+    io.BufferedRandom.tell(), io.BufferedRandom.seek() and
+    _pyio.BufferedRandom.tell() being able to return negative
+    offsets.
+  - gh-96310: Fix a traceback in argparse when all options in a
+    mutually exclusive group are suppressed.
+  - gh-93205: Fixed a bug in
+    logging.handlers.TimedRotatingFileHandler where multiple
+    rotating handler instances pointing to files with the same name
+    but different extensions would conflict and not delete the
+    correct files.
+  - bpo-44865: Add missing call to localization function in
+    argparse.
+  - bpo-43952: Fix multiprocessing.connection.Listener.accept() to
+    accept empty bytes as authkey. Not accepting empty bytes as key
+    causes it to hang indefinitely.
+  - bpo-42125: linecache: get module name from __spec__ if
+    available. This allows getting source code for the __main__
+    module when a custom loader is used.
+  - gh-66543: Make mimetypes.guess_type() properly parsing of URLs
+    with only a host name, URLs containing fragment or query, and
+    filenames with only a UNC sharepoint on Windows. Based on patch
+    by Dong-hee Na.
+  - bpo-33775: Add ‘default’ and ‘version’ help text for
+    localization in argparse.
+  * Documentation
+  - gh-115399: Document CVE-2023-52425 of Expat <2.6.0 under “XML
+    vulnerabilities”.
+  - gh-115233: Fix an example for LoggerAdapter in the Logging
+    Cookbook.
+  * Tests
+  - gh-83434: Disable JUnit XML output (--junit-xml=FILE command
+    line option) in regrtest when hunting for reference leaks (-R
+    option). Patch by Victor Stinner.
+  - gh-117187: Fix XML tests for vanilla Expat <2.6.0.
+  - gh-115979: Update test_importlib so that it passes under WASI
+    SDK 21.
+  - gh-116307: Added import helper isolated_modules as CleanImport
+    does not remove modules imported during the context.
+  - gh-115720: Leak tests (-R, --huntrleaks) now show a summary of
+    the number of leaks found in each iteration.
+  - gh-115122: Add --bisect option to regrtest test runner: run
+    failed tests with test.bisect_cmd to identify failing tests.
+    Patch by Victor Stinner.
+  - gh-115596: Fix ProgramPriorityTests in test_os permanently
+    changing the process priority.
+  - gh-115198: Fix test_check_metadata_deprecate in distutils tests
+    with a newer Docutils.
+  * Build
+  - gh-116313: Get WASI builds to work under wasmtime 18 w/ WASI
+    0.2/preview2 primitives.
+  - gh-115167: Avoid vendoring vcruntime140_threads.dll when
+    building with Visual Studio 2022 version 17.8.
+  * Windows
+  - gh-116773: Fix instances of <_overlapped.Overlapped object at
+    0xXXX> still has pending operation at deallocation, the process
+    may crash.
+  - gh-91227: Fix the asyncio ProactorEventLoop implementation so
+    that sending a datagram to an address that is not listening does
+    not prevent receiving any more datagrams.
+  - gh-115554: The installer now has more strict rules about
+    updating the Python Launcher for Windows. In general, most users
+    only have a single launcher installed and will see no
+    difference. When multiple launchers have been installed, the
+    option to install the launcher is disabled until all but one
+    have been removed. Downgrading the launcher (which was never
+    allowed) is now more obviously blocked.
+  - gh-115543: Python Launcher for Windows can now detect Python
+    3.13 when installed from the Microsoft Store, and will install
+    Python 3.12 by default when PYLAUNCHER_ALLOW_INSTALL is set.
+  - gh-115009: Update Windows installer to use SQLite 3.45.1.
+  * IDLE
+  - gh-88516: On macOS show a proxy icon in the title bar of editor
+    windows to match platform behaviour.
+  * Tools/Demos
+  - gh-113516: Don’t set LDSHARED when building for WASI.
+  * C API
+  - gh-117021: Fix integer overflow in PyLong_AsPid() on non-Windows
+    64-bit platforms.
+
+- Add reference to CVE-2024-0450 (bsc#1221854) to changelog.
+
+- Because of bsc#1189495 we have to revert use of %autopatch.
+
+- Rewrite %prep to use %autosetup et al. for compatibility with
+  rpm 4.20.
+
+- bsc#1221260 add bsc1221260-test_asyncio-ResourceWarning.patch
+  to eliminate ResourceWarning which broke the test suite in
+  test_asyncio.
+
+- Use the system-wide crypto-policies [bsc#1211301]
+  * Use the system default cipher list instead of hardcoded values
+  * Add the --with-ssl-default-suites=openssl configure option
+
+- (bsc#1219666, CVE-2023-6597) Add
+  CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from
+  gh#python/cpython!99930) fixing symlink bug in cleanup of
+  tempfile.TemporaryDirectory.
+
+- Remove double definition of /usr/bin/idle%%{version} in
+  %%files.
+
+- Add upstream patch libexpat260.patch, Fix tests for XMLPullParser
+  with Expat 2.6.0, gh#python/cpython#115289
+
+- Update to 3.11.8:
+  - Security
+  - gh-113659: Skip .pth files with names starting with a dot or
+    hidden file attribute.
+  - Core and Builtins
+  - gh-114887: Changed socket type validation in
+    create_datagram_endpoint() to accept all non-stream sockets.
+    This fixes a regression in compatibility with raw sockets.
+  - gh-114388: Fix a RuntimeWarning emitted when assign an
+    integer-like value that is not an instance of int to an
+    attribute that corresponds to a C struct member of type T_UINT
+    and T_ULONG. Fix a double RuntimeWarning emitted when assign a
+    negative integer value to an attribute that corresponds to a C
+    struct member of type T_UINT.
+  - gh-89811: Check for a valid tp_version_tag before performing
+    bytecode specializations that rely on this value being usable.
+  - gh-113602: Fix an error that was causing the parser to try to
+    overwrite existing errors and crashing in the process. Patch by
+    Pablo Galindo
+  - gh-113566: Fix a 3.11-specific crash when the repr of a Future
+    is requested after the module has already been
+    garbage-collected.
+  - gh-106905: Use per AST-parser state rather than global state to
+    track recursion depth within the AST parser to prevent potential
+    race condition due to simultaneous parsing.
+  - The issue primarily showed up in 3.11 by multithreaded users of
+    ast.parse(). In 3.12 a change to when garbage collection can be
+    triggered prevented the race condition from occurring.
+  - gh-112716: Fix SystemError in the import statement and in
+    __reduce__() methods of builtin types when __builtins__ is not a
+    dict.
+  - gh-105967: Workaround a bug in Apple’s macOS platform zlib
+    library where zlib.crc32() and binascii.crc32() could produce
+    incorrect results on multi-gigabyte inputs. Including when using
+    zipfile on zips containing large data.
+  - gh-94606: Fix UnicodeEncodeError when
+    email.message.get_payload() reads a message with a Unicode
+    surrogate character and the message content is not well-formed
+    for surrogateescape encoding. Patch by Sidney Markowitz.
+  - Library
+  - gh-114965: Update bundled pip to 24.0
+  - gh-114959: tarfile no longer ignores errors when trying to
+    extract a directory on top of a file.
+  - gh-109475: Fix support of explicit option value “–” in argparse
+    (e.g. --option=--).
+  - gh-110190: Fix ctypes structs with array on Windows ARM64
+    platform by setting MAX_STRUCT_SIZE to 32 in stgdict. Patch by
+    Diego Russo
+  - gh-113280: Fix a leak of open socket in rare cases when error
+    occurred in ssl.SSLSocket creation.
+  - gh-77749: email.policy.EmailPolicy.fold() now always encodes
+    non-ASCII characters in headers if utf8 is false.
+  - gh-114492: Make the result of termios.tcgetattr() reproducible
+    on Alpine Linux. Previously it could leave a random garbage in
+    some fields.
+  - gh-75128: Ignore an OSError in
+    asyncio.BaseEventLoop.create_server() when IPv6 is available but
+    the interface cannot actually support it.
+  - gh-114257: Dismiss the FileNotFound error in
+    ctypes.util.find_library() and just return None on Linux.
+  - gh-101438: Avoid reference cycle in ElementTree.iterparse. The
+    iterator returned by ElementTree.iterparse may hold on to a file
+    descriptor. The reference cycle prevented prompt clean-up of the
+    file descriptor if the returned iterator was not exhausted.
+  - gh-104522: OSError raised when run a subprocess now only has
+    filename attribute set to cwd if the error was caused by a
+    failed attempt to change the current directory.
+  - gh-109534: Fix a reference leak in
+    asyncio.selector_events.BaseSelectorEventLoop when SSL
+    handshakes fail. Patch contributed by Jamie Phan.
+  - gh-114077: Fix possible OverflowError in
+    socket.socket.sendfile() when pass count larger than 2 GiB on
+    32-bit platform.
+  - gh-114014: Fixed a bug in fractions.Fraction where an invalid
+    string using d in the decimals part creates a different error
+    compared to other invalid letters/characters. Patch by Jeremiah
+    Gabriel Pascual.
+  - gh-113951: Fix the behavior of tag_unbind() methods of
+    tkinter.Text and tkinter.Canvas classes with three arguments.
+    Previously, widget.tag_unbind(tag, sequence, funcid) destroyed
+    the current binding for sequence, leaving sequence unbound, and
+    deleted the funcid command. Now it removes only funcid from the
+    binding for sequence, keeping other commands, and deletes the
+    funcid command. It leaves sequence unbound only if funcid was
+    the last bound command.
+  - gh-113877: Fix tkinter method winfo_pathname() on 64-bit
+    Windows.
+  - gh-113781: Silence unraisable AttributeError when warnings are
+    emitted during Python finalization.
+  - gh-113594: Fix UnicodeEncodeError in email when re-fold lines
+    that contain unknown-8bit encoded part followed by
+    non-unknown-8bit encoded part.
+  - gh-113538: In asyncio.StreamReaderProtocol.connection_made(),
+    there is callback that logs an error if the task wrapping the
+    “connected callback” fails. This callback would itself fail if
+    the task was cancelled. Prevent this by checking whether the
+    task was cancelled first. If so, close the transport but don’t
+    log an error.
+  - gh-85567: Fix resource warnings for unclosed files in pickle and
+    pickletools command line interfaces.
+  - gh-101225: Increase the backlog for
+    multiprocessing.connection.Listener objects created by
+    multiprocessing.manager and multiprocessing.resource_sharer to
+    significantly reduce the risk of getting a connection refused
+    error when creating a multiprocessing.connection.Connection to
+    them.
+  - gh-113543: Make sure that webbrowser.MacOSXOSAScript sends
+    webbrowser.open audit event.
+  - gh-113028: When a second reference to a string appears in the
+    input to pickle, and the Python implementation is in use, we are
+    guaranteed that a single copy gets pickled and a single object
+    is shared when reloaded. Previously, in protocol 0, when a
+    string contained certain characters (e.g. newline) it resulted
+    in duplicate objects.
+  - gh-113421: Fix multiprocessing logger for %(filename)s.
+  - gh-113358: Fix rendering tracebacks for exceptions with a broken
+    __getattr__.
+  - gh-113214: Fix an AttributeError during asyncio SSL protocol
+    aborts in SSL-over-SSL scenarios.
+  - gh-113246: Update bundled pip to 23.3.2.
+  - gh-113199: Make http.client.HTTPResponse.read1 and
+    http.client.HTTPResponse.readline close IO after reading all
+    data when content length is known. Patch by Illia Volochii.
+  - gh-113188: Fix shutil.copymode() and shutil.copystat() on
+    Windows. Previously they worked differenly if dst is a symbolic
+    link: they modified the permission bits of dst itself rather
+    than the file it points to if follow_symlinks is true or src is
+    not a symbolic link, and did not modify the permission bits if
+    follow_symlinks is false and src is a symbolic link.
+  - gh-61648: Detect line numbers of properties in doctests.
+  - gh-112559: signal.signal() and signal.getsignal() no longer call
+    repr on callable handlers. asyncio.run() and
+    asyncio.Runner.run() no longer call repr on the task results.
+    Patch by Yilei Yang.
+  - gh-110190: Fix ctypes structs with array on PPC64LE platform by
+    setting MAX_STRUCT_SIZE to 64 in stgdict. Patch by Diego Russo.
+  - gh-79429: Ignore FileNotFoundError when remove a temporary
+    directory in the multiprocessing finalizer.
+  - gh-79325: Fix an infinite recursion error in
+    tempfile.TemporaryDirectory() cleanup on Windows.
+  - gh-110190: Fix ctypes structs with array on Arm platform by
+    setting MAX_STRUCT_SIZE to 32 in stgdict. Patch by Diego Russo.
+  - gh-81194: Fix a crash in socket.if_indextoname() with specific
+    value (UINT_MAX). Fix an integer overflow in
+    socket.if_indextoname() on 64-bit non-Windows platforms.
+  - gh-75666: Fix the behavior of tkinter widget’s unbind() method
+    with two arguments. Previously, widget.unbind(sequence, funcid)
+    destroyed the current binding for sequence, leaving sequence
+    unbound, and deleted the funcid command. Now it removes only
+    funcid from the binding for sequence, keeping other commands,
+    and deletes the funcid command. It leaves sequence unbound only
+    if funcid was the last bound command.
+  - gh-110345: Show the Tcl/Tk patchlevel (rather than version) in
+    tkinter._test().
+  - gh-109858: Protect zipfile from “quoted-overlap” zipbomb. It now
+    raises BadZipFile when try to read an entry that overlaps with
+    other entry or central directory (bsc#1221854, CVE-2024-0450).
+  - gh-38807: Fix race condition in trace. Instead of checking if a
+    directory exists and creating it, directly call os.makedirs()
+    with the kwarg exist_ok=True.
+  - gh-75705: Set unixfrom envelope in mailbox.mbox and
+    mailbox.MMDF.
+  - gh-105102: Allow ctypes.Union to be nested in ctypes.Structure
+    when the system endianness is the opposite of the classes.
+  - gh-104282: Fix null pointer dereference in
+    lzma._decode_filter_properties() due to improper handling of BCJ
+    filters with properties of zero length. Patch by Radislav
+    Chugunov.
+  - gh-102512: When os.fork() is called from a foreign thread (aka
+    _DummyThread), the type of the thread in a child process is
+    changed to _MainThread. Also changed its name and daemonic
+    status, it can be now joined.
+  - gh-91133: Fix a bug in tempfile.TemporaryDirectory cleanup,
+    which now no longer dereferences symlinks when working around
+    file system permission errors.
+  - bpo-43153: On Windows, tempfile.TemporaryDirectory previously
+    masked a PermissionError with NotADirectoryError during
+    directory cleanup. It now correctly raises PermissionError if
+    errors are not ignored. Patch by Andrei Kulakov and Ken Jin.
+  - bpo-35332: The shutil.rmtree() function now ignores errors when
+    calling os.close() when ignore_errors is True, and os.close() no
+    longer retried after error.
+  - bpo-35928: io.TextIOWrapper now correctly handles the decoding
+    buffer after read() and write().
+  - bpo-26791: shutil.move() now moves a symlink into a directory
+    when that directory is the target of the symlink. This provides
+    the same behavior as the mv shell command. The previous behavior
+    raised an exception. Patch by Jeffrey Kintscher.
+  - bpo-36959: Fix some error messages for invalid ISO format string
+    combinations in strptime() that referred to directives not
+    contained in the format string. Patch by Gordon P. Hemsley.
+  - bpo-18060: Fixed a class inheritance issue that can cause
+    segfaults when deriving two or more levels of subclasses from a
+    base class of Structure or Union.
+  - Documentation
+  - gh-110746: Improved markup for valid options/values for methods
+    ttk.treeview.column and ttk.treeview.heading, and for Layouts.
+  - gh-95649: Document that the asyncio module contains code taken
+    from v0.16.0 of the uvloop project, as well as the required MIT
+    licensing information.
+  - Tests
+  - gh-109980: Fix test_tarfile_vs_tar in test_shutil for macOS,
+    where system tar can include more information in the archive
+    than shutil.make_archive.
+  - gh-112769: The tests now correctly compare zlib version when
+    zlib.ZLIB_RUNTIME_VERSION contains non-integer suffixes. For
+    example zlib-ng defines the version as 1.3.0.zlib-ng.
+  - gh-105089: Fix
+    test.test_zipfile.test_core.TestWithDirectory.test_create_directory_with_write
+    test in AIX by doing a bitwise AND of 0xFFFF on mode , so that
+    it will be in sync with zinfo.external_attr
+  - bpo-40648: Test modes that file can get with chmod() on Windows.
+  - Build
+  - gh-101778: Fix build error when there’s a dangling symlink in
+    the directory containing ffi.h.
+  - gh-112305: Fixed the check-clean-src step performed on out of
+    tree builds to detect errant $(srcdir)/Python/frozen_modules/*.h
+    files and recommend appropriate source tree cleanup steps to get
+    a working build again.
+  - bpo-11102: The os.major(), os.makedev(), and os.minor()
+    functions are now available on HP-UX v3.
+  - bpo-36351: Do not set ipv6type when cross-compiling.
+  - IDLE
+  - gh-96905: In idlelib code, stop redefining built-ins ‘dict’ and
+    ‘object’.
+  - gh-72284: Improve the lists of features, editor key bindings,
+    and shell key bingings in the IDLE doc.
+  - gh-113903: Fix rare failure of test.test_idle, in
+    test_configdialog.
+  - gh-113729: Fix the “Help -> IDLE Doc” menu bug in 3.11.7 and
+    3.12.1.
+  - gh-113269: Fix test_editor hang on macOS Catalina.
+  - gh-112898: Fix processing unsaved files when quitting IDLE on
+    macOS.
+  - gh-103820: Revise IDLE bindings so that events from mouse button
+    4/5 on non-X11 windowing systems (i.e. Win32 and Aqua) are not
+    mistaken for scrolling.
+  - bpo-13586: Enter the selected text when opening the “Replace”
+    dialog.
+  - Tools/Demos
+  - gh-109991: Update GitHub CI workflows to use OpenSSL 3.0.13 and
+    multissltests to use 1.1.1w, 3.0.13, 3.1.5, and 3.2.1.
+  - gh-115015: Fix a bug in Argument Clinic that generated incorrect
+    code for methods with no parameters that use the METH_METHOD |
+    METH_FASTCALL | METH_KEYWORDS calling convention. Only the
+    positional parameter count was checked; any keyword argument
+    passed would be silently accepted.
+- Refresh all patches:
+  - CVE-2023-27043-email-parsing-errors.patch
+  - F00251-change-user-install-location.patch
+  - bpo-31046_ensurepip_honours_prefix.patch
+  - distutils-reproducible-compile.patch
+  - fix_configure_rst.patch
+  - python-3.3.0b1-fix_date_time_compiler.patch
+  - python-3.3.0b1-localpath.patch
+  - python-3.3.0b1-test-posix_fadvise.patch
+  - skip_if_buildbot-extend.patch
+  - subprocess-raise-timeout.patch
+  - support-expat-CVE-2022-25236-patched.patch
+
+- Update patch fix_configure_rst.patch
+- Update to 3.11.7:
+  - Core and Builtins
+  - gh-112625: Fixes a bug where a bytearray object could be cleared
+    while iterating over an argument in the bytearray.join() method
+    that could result in reading memory after it was freed.
+  - gh-112388: Fix an error that was causing the parser to try to
+    overwrite tokenizer errors. Patch by pablo Galindo
+  - gh-112387: Fix error positions for decoded strings with
+    backwards tokenize errors. Patch by Pablo Galindo
+  - gh-112266: Change docstrings of __dict__ and __weakref__.
+  - gh-109181: Speed up Traceback object creation by lazily compute
+    the line number. Patch by Pablo Galindo
+  - gh-102388: Fix a bug where iso2022_jp_3 and iso2022_jp_2004
+    codecs read out of bounds
+  - gh-111366: Fix an issue in the codeop that was causing
+    SyntaxError exceptions raised in the presence of invalid syntax
+    to not contain precise error messages. Patch by Pablo Galindo
+  - gh-111380: Fix a bug that was causing SyntaxWarning to appear
+    twice when parsing if invalid syntax is encountered later. Patch
+    by Pablo galindo
+  - gh-88116: Traceback location ranges involving wide unicode
+    characters (like emoji and asian characters) now are properly
+    highlighted. Patch by Batuhan Taskaya and Pablo Galindo.
+  - gh-94438: Fix a regression that prevented jumping across is None
+    and is not None when debugging. Patch by Savannah Ostrowski.
+  - gh-110696: Fix incorrect error message for invalid argument
+    unpacking. Patch by Pablo Galindo
+  - gh-110237: Fix missing error checks for calls to PyList_Append
+    in _PyEval_MatchClass.
+  - gh-109216: Fix possible memory leak in BUILD_MAP.
+  - Library
+  - gh-112618: Fix a caching bug relating to typing.Annotated.
+    Annotated[str, True] is no longer identical to Annotated[str,
+    1].
+  - gh-112509: Fix edge cases that could cause a key to be present
+    in both the __required_keys__ and __optional_keys__ attributes
+    of a typing.TypedDict. Patch by Jelle Zijlstra.
+  - gh-94722: Fix bug where comparison between instances of DocTest
+    fails if one of them has None as its lineno.
+  - gh-112105: Make readline.set_completer_delims() work with
+    libedit
+  - gh-111942: Fix SystemError in the TextIOWrapper constructor with
+    non-encodable “errors” argument in non-debug mode.
+  - gh-109538: Issue warning message instead of having RuntimeError
+    be displayed when event loop has already been closed at
+    StreamWriter.__del__().
+  - gh-111942: Fix crashes in io.TextIOWrapper.reconfigure() when
+    pass invalid arguments, e.g. non-string encoding.
+  - gh-111804: Remove posix.fallocate() under WASI as the underlying
+    posix_fallocate() is not available in WASI preview2.
+  - gh-111841: Fix truncating arguments on an embedded null
+    character in os.putenv() and os.unsetenv() on Windows.
+  - gh-111541: Fix doctest for SyntaxError not-builtin subclasses.
+  - gh-110894: Call loop exception handler for exceptions in
+    client_connected_cb of asyncio.start_server() so that
+    applications can handle it. Patch by Kumar Aditya.
+  - gh-111531: Fix reference leaks in bind_class() and bind_all()
+    methods of tkinter widgets.
+  - gh-111356: Added io.text_encoding(), io.DEFAULT_BUFFER_SIZE, and
+    io.IncrementalNewlineDecoder to io.__all__.
+  - gh-68166: Remove mention of not supported “vsapi” element type
+    in tkinter.ttk.Style.element_create(). Add tests for
+    element_create() and other ttk.Style methods. Add examples for
+    element_create() in the documentation.
+  - gh-111251: Fix _blake2 not checking for errors when
+    initializing.
+  - gh-111174: Fix crash in io.BytesIO.getbuffer() called repeatedly
+    for empty BytesIO.
+  - gh-111187: Postpone removal version for
+    locale.getdefaultlocale() to Python 3.15.
+  - gh-111159: Fix doctest output comparison for exceptions with
+    notes.
+  - gh-110910: Fix invalid state handling in asyncio.TaskGroup and
+    asyncio.Timeout. They now raise proper RuntimeError if they are
+    improperly used and are left in consistent state after this.
+  - gh-111092: Make turtledemo run without default root enabled.
+  - gh-110590: Fix a bug in _sre.compile() where TypeError would be
+    overwritten by OverflowError when the code argument was a list
+    of non-ints.
+  - gh-65052: Prevent pdb from crashing when trying to display
+    undisplayable objects
+  - gh-110519: Deprecation warning about non-integer number in
+    gettext now alwais refers to the line in the user code where
+    gettext function or method is used. Previously it could refer to
+    a line in gettext code.
+  - gh-110378: contextmanager() and asynccontextmanager() context
+    managers now close an invalid underlying generator object that
+    yields more then one value.
+  - gh-110365: Fix termios.tcsetattr() bug that was overwritting
+    existing errors during parsing integers from term list.
+  - gh-110196: Add __reduce__ method to IPv6Address in order to keep
+    scope_id
+  - gh-109747: Improve errors for unsupported look-behind patterns.
+    Now re.error is raised instead of OverflowError or RuntimeError
+    for too large width of look-behind pattern.
+  - gh-109786: Fix possible reference leaks and crash when re-enter
+    the __next__() method of itertools.pairwise.
+  - gh-108791: Improved error handling in pdb command line
+    interface, making it produce more concise error messages.
+  - gh-73561: Omit the interface scope from an IPv6 address when
+    used as Host header by http.client.
+  - gh-86826: zipinfo now supports the full range of values in the
+    TZ string determined by RFC 8536 and detects all invalid
+    formats. Both Python and C implementations now raise exceptions
+    of the same type on invalid data.
+  - bpo-41422: Fixed memory leaks of pickle.Pickler and
+    pickle.Unpickler involving cyclic references via the internal
+    memo mapping.
+  - bpo-40262: The ssl.SSLSocket.recv_into() method no longer
+    requires the buffer argument to implement __len__ and supports
+    buffers with arbitrary item size.
+  - bpo-35191: Fix unexpected integer truncation in
+    socket.setblocking() which caused it to interpret multiples of
+    2**32 as False.
+  - Documentation
+  - gh-108826: dis module command-line interface is now mentioned in
+    documentation.
+  - Tests
+  - gh-110367: Make regrtest --verbose3 option compatible with
+  - -huntrleaks -jN options. The ./python -m test -j1 -R 3:3
+  - -verbose3 command now works as expected. Patch by Victor
+    Stinner.
+  - gh-111309: distutils tests can now be run via unittest.
+  - gh-111165: Remove no longer used functions run_unittest() and
+    run_doctest() and class BasicTestRunner from the test.support
+    module.
+  - gh-110932: Fix regrtest if the SOURCE_DATE_EPOCH environment
+    variable is defined: use the variable value as the random seed.
+    Patch by Victor Stinner.
+  - gh-110995: test_gdb: Fix detection of gdb built without Python
+    scripting support. Patch by Victor Stinner.
+  - gh-110918: Test case matching patterns specified by options
+  - -match, --ignore, --matchfile and --ignorefile are now tested
+    in the order of specification, and the last match determines
+    whether the test case be run or ignored.
+  - gh-110647: Fix test_stress_modifying_handlers() of test_signal.
+    Patch by Victor Stinner.
+  - gh-103053: Fix test_tools.test_freeze on FreeBSD: run “make
+    distclean” instead of “make clean” in the copied source
+    directory to remove also the “python” program. Patch by Victor
+    Stinner.
+  - gh-110167: Fix a deadlock in test_socket when server fails with
+    a timeout but the client is still running in its thread. Don’t
+    hold a lock to call cleanup functions in doCleanups(). One of
+    the cleanup function waits until the client completes, whereas
+    the client could deadlock if it called addCleanup() in such
+    situation. Patch by Victor Stinner.
+  - gh-110388: Add tests for tty.
+  - gh-81002: Add tests for termios.
+  - gh-110267: Add tests for pickling and copying PyStructSequence
+    objects. Patched by Xuehai Pan.
+  - gh-109974: Fix race conditions in test_threading lock tests.
+    Wait until a condition is met rather than using time.sleep()
+    with a hardcoded number of seconds. Patch by Victor Stinner.
+  - gh-109972: Split test_gdb.py file into a test_gdb package made
+    of multiple tests, so tests can now be run in parallel. Patch by
+    Victor Stinner.
+  - gh-104736: Fix test_gdb on Python built with LLVM clang 16 on
+    Linux ppc64le (ex: Fedora 38). Search patterns in gdb “bt”
+    command output to detect when gdb fails to retrieve the
+    traceback. For example, skip a test if Backtrace stopped: frame
+    did not save the PC is found. Patch by Victor Stinner.
+  - gh-108927: Fixed order dependence in running tests in the same
+    process when a test that has submodules (e.g. test_importlib)
+    follows a test that imports its submodule (e.g.
+    test_importlib.util) and precedes a test (e.g. test_unittest or
+    test_compileall) that uses that submodule.
+  - Build
+  - gh-103053: “make check-clean-src” now also checks if the
+    “python” program is found in the source directory: fail with an
+    error if it does exist. Patch by Victor Stinner.
+  - gh-109191: Fix compile error when building with recent versions
+    of libedit.
+  - IDLE
+  - bpo-35668: Add docstrings to the IDLE debugger module. Fix two
+    bugs: initialize Idb.botframe (should be in Bdb); in
+    Idb.in_rpc_code, check whether prev_frame is None before trying
+    to use it. Greatly expand test_debugger.
+  - C API
+  - gh-112438: Fix support of format units “es”, “et”, “es#”, and
+    “et#” in nested tuples in PyArg_ParseTuple()-like functions.
+  - gh-109521: PyImport_GetImporter() now sets RuntimeError if it
+    fails to get sys.path_hooks or sys.path_importer_cache or they
+    are not list and dict correspondingly. Previously it could
+    return NULL without setting error in obscure cases, crash or
+    raise SystemError if these attributes have wrong type.
+
+- Refresh CVE-2023-27043-email-parsing-errors.patch to
+  gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043).
+- Thus we can remove Revert-gh105127-left-tests.patch, which is
+  now useless.
+
+- Remove not needed patch 103213-fetch-CONFIG_ARGS.patch
+- Refresh patches:
+  - bpo-31046_ensurepip_honours_prefix.patch
+  - fix_configure_rst.patch
+- Update to 3.11.6:
+  - Core and Builtins
+  - gh-109351: Fix crash when compiling an invalid AST involving a
+    named (walrus) expression.
+  - gh-109207: Fix a SystemError in __repr__ of symtable entry
+    object.
+  - gh-109179: Fix bug where the C traceback display drops notes
+    from SyntaxError.
+  - gh-88943: Improve syntax error for non-ASCII character that
+    follows a numerical literal. It now points on the invalid
+    non-ASCII character, not on the valid numerical literal.
+  - gh-108959: Fix caret placement for error locations for subscript
+    and binary operations that involve non-semantic parentheses and
+    spaces. Patch by Pablo Galindo
+  - gh-108520: Fix
+    multiprocessing.synchronize.SemLock.__setstate__() to properly
+    initialize multiprocessing.synchronize.SemLock._is_fork_ctx.
+    This fixes a regression when passing a SemLock accross nested
+    processes.
+  - Rename multiprocessing.synchronize.SemLock.is_fork_ctx to
+    multiprocessing.synchronize.SemLock._is_fork_ctx to avoid
+    exposing it as public API.
+  - Library
+  - gh-110036: On Windows, multiprocessing Popen.terminate() now
+    catchs PermissionError and get the process exit code. If the
+    process is still running, raise again the PermissionError.
+    Otherwise, the process terminated as expected: store its exit
+    code. Patch by Victor Stinner.
+  - gh-110038: Fixed an issue that caused KqueueSelector.select() to
+    not return all the ready events in some cases when a file
+    descriptor is registered for both read and write.
+  - gh-109631: re functions such as re.findall(), re.split(),
+    re.search() and re.sub() which perform short repeated matches
+    can now be interrupted by user.
+  - gh-109593: Avoid deadlocking on a reentrant call to the
+    multiprocessing resource tracker. Such a reentrant call, though
+    unlikely, can happen if a GC pass invokes the finalizer for a
+    multiprocessing object such as SemLock.
+  - gh-109613: Fix os.stat() and os.DirEntry.stat(): check for
+    exceptions. Previously, on Python built in debug mode, these
+    functions could trigger a fatal Python error (and abort the
+    process) when a function succeeded with an exception set. Patch
+    by Victor Stinner.
+  - gh-109375: The pdb alias command now prevents registering
+    aliases without arguments.
+  - gh-107219: Fix a race condition in concurrent.futures. When a
+    process in the process pool was terminated abruptly (while the
+    future was running or pending), close the connection write end.
+    If the call queue is blocked on sending bytes to a worker
+    process, closing the connection write end interrupts the send,
+    so the queue can be closed. Patch by Victor Stinner.
+  - gh-50644: Attempts to pickle or create a shallow or deep copy of
+    codecs streams now raise a TypeError. Previously, copying failed
+    with a RecursionError, while pickling produced wrong results
+    that eventually caused unpickling to fail with a RecursionError.
+  - gh-108987: Fix _thread.start_new_thread() race condition. If a
+    thread is created during Python finalization, the newly spawned
+    thread now exits immediately instead of trying to access freed
+    memory and lead to a crash. Patch by Victor Stinner.
+  - gh-108843: Fix an issue in ast.unparse() when unparsing
+    f-strings containing many quote types.
+  - gh-108682: Enum: raise TypeError if super().__new__() is called
+    from a custom __new__.
+  - gh-105829: Fix concurrent.futures.ProcessPoolExecutor deadlock
+  - gh-64662: Fix support for virtual tables in
+    sqlite3.Connection.iterdump(). Patch by Aviv Palivoda.
+  - gh-107913: Fix possible losses of errno and winerror values in
+    OSError exceptions if they were cleared or modified by the
+    cleanup code before creating the exception object.
+  - gh-104372: On Linux where subprocess can use the vfork() syscall
+    for faster spawning, prevent the parent process from blocking
+    other threads by dropping the GIL while it waits for the
+    vfork’ed child process exec() outcome. This prevents spawning a
+    binary from a slow filesystem from blocking the rest of the
+    application.
+  - gh-84867: unittest.TestLoader no longer loads test cases from
+    exact unittest.TestCase and unittest.FunctionTestCase classes.
+  - Documentation
+  - gh-109209: The minimum Sphinx version required for the
+    documentation is now 4.2.
+  - gh-105052: Update timeit doc to specify that time in seconds is
+    just the default.
+  - gh-102823: Document the return type of x // y when x and y have
+    type float.
+  - Tests
+  - gh-110031: Skip test_threading tests using thread+fork if Python
+    is built with Address Sanitizer (ASAN). Patch by Victor Stinner.
+  - gh-110088: Fix test_asyncio timeouts: don’t measure the maximum
+    duration, a test should not measure a CI performance. Only
+    measure the minimum duration when a task has a timeout or delay.
+    Add CLOCK_RES to test_asyncio.utils. Patch by Victor Stinner.
+  - gh-110033: Fix test_interprocess_signal() of test_signal. Make
+    sure that the subprocess.Popen object is deleted before the test
+    raising an exception in a signal handler. Otherwise,
+    Popen.__del__() can get the exception which is logged as
+    Exception ignored in: ... and the test fails. Patch by Victor
+    Stinner.
+  - gh-109594: Fix test_timeout() of
+    test_concurrent_futures.test_wait. Remove the future which may
+    or may not complete depending if it takes longer than the
+    timeout ot not. Keep the second future which does not complete
+    before wait() timeout. Patch by Victor Stinner.
+  - gh-109748: Fix test_zippath_from_non_installed_posix() of
+    test_venv: don’t copy __pycache__/ sub-directories, because they
+    can be modified by other Python tests running in parallel. Patch
+    by Victor Stinner.
+  - gh-103053: Skip test_freeze_simple_script() of
+    test_tools.test_freeze if Python is built with ./configure
+  - -enable-optimizations, which means with Profile Guided
+    Optimization (PGO): it just makes the test too slow. The freeze
+    tool is tested by many other CIs with other (faster) compiler
+    flags. Patch by Victor Stinner.
+  - gh-109396: Fix test_socket.test_hmac_sha1() in FIPS mode. Use a
+    longer key: FIPS mode requires at least of at least 112 bits.
+    The previous key was only 32 bits. Patch by Victor Stinner.
+  - gh-104736: Fix test_gdb on Python built with LLVM clang 16 on
+    Linux ppc64le (ex: Fedora 38). Search patterns in gdb “bt”
+    command output to detect when gdb fails to retrieve the
+    traceback. For example, skip a test if Backtrace stopped: frame
+    did not save the PC is found. Patch by Victor Stinner.
+  - gh-109237: Fix test_site.test_underpth_basic() when the working
+    directory contains at least one non-ASCII character: encode the
+    ._pth file to UTF-8 and enable the UTF-8 Mode to use UTF-8 for
+    the child process stdout. Patch by Victor Stinner.
+  - gh-109230: Fix test_pyexpat.test_exception(): it can now be run
+    from a directory different than Python source code directory.
+    Before, the test failed in this case. Skip the test if
+    Modules/pyexpat.c source is not available. Skip also the test on
+    Python implementations other than CPython. Patch by Victor
+    Stinner.
+  - gh-109015: Fix test_asyncio, test_imaplib and test_socket tests
+    on FreeBSD if the TCP blackhole is enabled (sysctl
+    net.inet.tcp.blackhole). Skip the few tests which failed with
+    ETIMEDOUT which such non standard configuration. Currently, the
+    FreeBSD GCP image enables TCP and UDP blackhole (sysctl
+    net.inet.tcp.blackhole=2 and sysctl net.inet.udp.blackhole=1).
+    Patch by Victor Stinner.
+  - gh-91960: Skip test_gdb if gdb is unable to retrieve Python
+    frame objects: if a frame is <optimized out>. When Python is
+    built with “clang -Og”, gdb can fail to retrive the frame
+    parameter of _PyEval_EvalFrameDefault(). In this case, tests
+    like py_bt() are likely to fail. Without getting access to
+    Python frames, python-gdb.py is mostly clueless on retrieving
+    the Python traceback. Moreover, test_gdb is no longer skipped on
+    macOS if Python is built with Clang. Patch by Victor Stinner.
+  - gh-108962: Skip test_tempfile.test_flags() if chflags() fails
+    with “OSError: [Errno 45] Operation not supported” (ex: on
+    FreeBSD 13). Patch by Victor Stinner.
+  - gh-89392: Removed support of test_main() function in tests. They
+    now always use normal unittest test runner.
+  - gh-108851: Fix test_tomllib recursion tests for WASI buildbots:
+    reduce the recursion limit and compute the maximum nested
+    array/dict depending on the current available recursion limit.
+    Patch by Victor Stinner.
+  - gh-108851: Add get_recursion_available() and
+    get_recursion_depth() functions to the test.support module.
+    Patch by Victor Stinner.
+  - gh-108822: regrtest now computes statistics on all tests:
+    successes, failures and skipped. test_netrc, test_pep646_syntax
+    and test_xml_etree now return results in their test_main()
+    function. Patch by Victor Stinner and Alex Waygood.
+  - gh-108388: Convert test_concurrent_futures to a package of 7
+    sub-tests. Patch by Victor Stinner.
+  - gh-108388: Split test_multiprocessing_fork,
+    test_multiprocessing_forkserver and test_multiprocessing_spawn
+    into test packages. Each package is made of 4 sub-tests:
+    processes, threads, manager and misc. It allows running more
+    tests in parallel and so reduce the total test duration. Patch
+    by Victor Stinner.
+  - gh-101634: When running the Python test suite with -jN option,
+    if a worker stdout cannot be decoded from the locale encoding
+    report a failed testn so the exitcode is non-zero. Patch by
+    Victor Stinner.
+  - gh-100086: The Python test runner (libregrtest) now logs Python
+    build information like “debug” vs “release” build, or LTO and
+    PGO optimizations. Patch by Victor Stinner.
+  - gh-98903: The Python test suite now fails wit exit code 4 if no
+    tests ran. It should help detecting typos in test names and test
+    methods.
+  - gh-95027: On Windows, when the Python test suite is run with the
+  - jN option, the ANSI code page is now used as the encoding for
+    the stdout temporary file, rather than using UTF-8 which can
+    lead to decoding errors. Patch by Victor Stinner.
+  - gh-93353: regrtest now checks if a test leaks temporary files or
+    directories if run with -jN option. Patch by Victor Stinner.
+  - Build
+  - gh-63760: Fix Solaris build: no longer redefine the
+    gethostname() function. Solaris defines the function since 2005.
+    Patch by Victor Stinner, original patch by Jakub Kulík.
+  - gh-108740: Fix a race condition in make regen-all. The
+    deepfreeze.c source and files generated by Argument Clinic are
+    now generated or updated before generating “global objects”.
+    Previously, some identifiers may miss depending on the order in
+    which these files were generated. Patch by Victor Stinner.
+  - Windows
+  - gh-109991: Update Windows build to use OpenSSL 3.0.11.
+  - gh-107565: Update Windows build to use OpenSSL 3.0.10.
+  - macOS
+  - gh-109991: Update macOS installer to use OpenSSL 3.0.11.
+  - Tools/Demos
+  - gh-109991: Update GitHub CI workflows to use OpenSSL 3.0.11 and
+    multissltests to use 1.1.1w, 3.0.11, and 3.1.3.
+
python311:base
+- Add CVE-2023-52425-libexpat-2.6.0-backport.patch to fix tests with
+  patched libexpat below 2.6.0 that doesn't update the version number,
+  just in SLE.
+
+- Remove not needed upstream patches:
+  * libexpat260.patch
+  * CVE-2023-6597-TempDir-cleaning-symlink.patch, bsc#1219666
+- Update to 3.11.9:
+  * Security
+  - gh-115398: Allow controlling Expat >=2.6.0 reparse deferral
+    (CVE-2023-52425,  bsc#1219559) by adding five new methods:
+    xml.etree.ElementTree.XMLParser.flush()
+    xml.etree.ElementTree.XMLPullParser.flush()
+    xml.parsers.expat.xmlparser.GetReparseDeferralEnabled()
+    xml.parsers.expat.xmlparser.SetReparseDeferralEnabled()
+    xml.sax.expatreader.ExpatParser.flush()
+  - gh-115399: Update bundled libexpat to 2.6.0
+  - gh-115243: Fix possible crashes in collections.deque.index()
+    when the deque is concurrently modified.
+  - gh-114572: ssl.SSLContext.cert_store_stats() and
+    ssl.SSLContext.get_ca_certs() now correctly lock access to the
+    certificate store, when the ssl.SSLContext is shared across
+    multiple threads.
+  * Core and Builtins
+  - gh-116296: Fix possible refleak in object.__reduce__() internal
+    error handling.
+  - gh-116034: Fix location of the error on a failed assertion.
+  - gh-115823: Properly calculate error ranges in the parser when
+    raising SyntaxError exceptions caused by invalid byte sequences.
+    Patch by Pablo Galindo
+  - gh-112087: For an empty reverse iterator for list will be
+    reduced to reversed(). Patch by Donghee Na.
+  - gh-115011: Setters for members with an unsigned integer type now
+    support the same range of valid values for objects that has a
+    __index__() method as for int.
+  - gh-96497: Fix incorrect resolution of mangled class variables
+    used in assignment expressions in comprehensions.
+  * Library
+  - gh-117310: Fixed an unlikely early & extra Py_DECREF triggered
+    crash in ssl when creating a new _ssl._SSLContext if CPython was
+    built implausibly such that the default cipher list is empty or
+    the SSL library it was linked against reports a failure from its
+    C SSL_CTX_set_cipher_list() API.
+  - gh-117178: Fix regression in lazy loading of self-referential
+    modules, introduced in gh-114781.
+  - gh-117084: Fix zipfile extraction for directory entries with the
+    name containing backslashes on Windows.
+  - gh-117110: Fix a bug that prevents subclasses of typing.Any to
+    be instantiated with arguments. Patch by Chris Fu.
+  - gh-90872: On Windows, subprocess.Popen.wait() no longer calls
+    WaitForSingleObject() with a negative timeout: pass 0 ms if the
+    timeout is negative. Patch by Victor Stinner.
+  - gh-116957: configparser: Don’t leave ConfigParser values in an
+    invalid state (stored as a list instead of a str) after an
+    earlier read raised DuplicateSectionError or
+    DuplicateOptionError.
+  - gh-90095: Ignore empty lines and comments in .pdbrc
+  - gh-116764: Restore support of None and other false values in
+    urllib.parse functions parse_qs() and parse_qsl(). Also, they
+    now raise a TypeError for non-zero integers and non-empty
+    sequences.
+  - gh-116811: In PathFinder.invalidate_caches, delegate to
+    MetadataPathFinder.invalidate_caches.
+  - gh-116600: Fix repr() for global Flag members.
+  - gh-116484: Change automatically generated tkinter.Checkbutton
+    widget names to avoid collisions with automatically generated
+    tkinter.ttk.Checkbutton widget names within the same parent
+    widget.
+  - gh-116401: Fix blocking os.fwalk() and shutil.rmtree() on
+    opening named pipe.
+  - gh-116143: Fix a race in pydoc _start_server, eliminating a
+    window in which _start_server can return a thread that is
+    “serving” but without a docserver set.
+  - gh-116325: typing: raise SyntaxError instead of AttributeError
+    on forward references as empty strings.
+  - gh-90535: Fix support of interval values > 1 in
+    logging.TimedRotatingFileHandler for when='MIDNIGHT' and
+    when='Wx'.
+  - gh-115978: Disable preadv(), readv(), pwritev(), and writev() on
+    WASI.
+  - Under wasmtime for WASI 0.2, these functions don’t pass
+    test_posix
+    (https://github.com/bytecodealliance/wasmtime/issues/7830).
+  - gh-88352: Fix the computation of the next rollover time in the
+    logging.TimedRotatingFileHandler handler. computeRollover() now
+    always returns a timestamp larger than the specified time and
+    works correctly during the DST change. doRollover() no longer
+    overwrite the already rolled over file, saving from data loss
+    when run at midnight or during repeated time at the DST change.
+  - gh-87115: Set __main__.__spec__ to None when running a script
+    with pdb
+  - gh-76511: Fix UnicodeEncodeError in email.Message.as_string()
+    that results when a message that claims to be in the ascii
+    character set actually has non-ascii characters. Non-ascii
+    characters are now replaced with the U+FFFD replacement
+    character, like in the replace error handler.
+  - gh-75988: Fixed unittest.mock.create_autospec() to pass the call
+    through to the wrapped object to return the real result.
+  - gh-115881: Fix issue where ast.parse() would incorrectly flag
+    conditional context managers (such as with (x() if y else z()):
+    ...) as invalid syntax if feature_version=(3, 8) was passed.
+    This reverts changes to the grammar made as part of gh-94949.
+  - gh-115886: Fix silent truncation of the name with an embedded
+    null character in multiprocessing.shared_memory.SharedMemory.
+  - gh-115809: Improve algorithm for computing which rolled-over log
+    files to delete in logging.TimedRotatingFileHandler. It is now
+    reliable for handlers without namer and with arbitrary
+    deterministic namer that leaves the datetime part in the file
+    name unmodified.
+  - gh-74668: urllib.parse functions parse_qs() and parse_qsl() now
+    support bytes arguments containing raw and percent-encoded
+    non-ASCII data.
+  - gh-67044: csv.writer() now always quotes or escapes '\r' and
+    '\n', regardless of lineterminator value.
+  - gh-115712: csv.writer() now quotes empty fields if delimiter is
+    a space and skipinitialspace is true and raises exception if
+    quoting is not possible.
+  - gh-115618: Fix improper decreasing the reference count for None
+    argument in property methods getter(), setter() and deleter().
+  - gh-115570: A DeprecationWarning is no longer omitted on access
+    to the __doc__ attributes of the deprecated typing.io and
+    typing.re pseudo-modules.
+  - gh-112006: Fix inspect.unwrap() for types with the __wrapper__
+    data descriptor.
+  - gh-101293: Support callables with the __call__() method and
+    types with __new__() and __init__() methods set to class
+    methods, static methods, bound methods, partial functions, and
+    other types of methods and descriptors in
+    inspect.Signature.from_callable().
+  - gh-115392: Fix a bug in doctest where incorrect line numbers
+    would be reported for decorated functions.
+  - gh-114563: Fix several format() bugs when using the C
+    implementation of Decimal: * memory leak in some rare cases when
+    using the z format option (coerce negative 0) * incorrect output
+    when applying the z format option to type F (fixed-point with
+    capital NAN / INF) * incorrect output when applying the # format
+    option (alternate form)
+  - gh-115197: urllib.request no longer resolves the hostname before
+    checking it against the system’s proxy bypass list on macOS and
+    Windows.
+  - gh-115198: Fix support of Docutils >= 0.19 in distutils.
+  - gh-115165: Most exceptions are now ignored when attempting to
+    set the __orig_class__ attribute on objects returned when
+    calling typing generic aliases (including generic aliases
+    created using typing.Annotated). Previously only AttributeError
+    was ignored. Patch by Dave Shawley.
+  - gh-115133: Fix tests for XMLPullParser with Expat 2.6.0.
+  - gh-115059: io.BufferedRandom.read1() now flushes the underlying
+    write buffer.
+  - gh-79382: Trailing ** no longer allows to match files and
+    non-existing paths in recursive glob().
+  - gh-114763: Protect modules loaded with importlib.util.LazyLoader
+    from race conditions when multiple threads try to access
+    attributes before the loading is complete.
+  - gh-97959: Fix rendering class methods, bound methods, method and
+    function aliases in pydoc. Class methods no longer have “method
+    of builtins.type instance” note. Corresponding notes are now
+    added for class and unbound methods. Method and function aliases
+    now have references to the module or the class where the origin
+    was defined if it differs from the current. Bound methods are
+    now listed in the static methods section. Methods of builtin
+    classes are now supported as well as methods of Python classes.
+  - gh-112281: Allow creating union of types for typing.Annotated
+    with unhashable metadata.
+  - gh-111775: Fix importlib.resources.simple.ResourceHandle.open()
+    for text mode, added missed stream argument.
+  - gh-90095: Make .pdbrc and -c work with any valid pdb commands.
+  - gh-107155: Fix incorrect output of help(x) where x is a lambda
+    function, which has an __annotations__ dictionary attribute with
+    a "return" key.
+  - gh-105866: Fixed _get_slots bug which caused error when defining
+    dataclasses with slots and a weakref_slot.
+  - gh-60346: Fix ArgumentParser inconsistent with parse_known_args.
+  - gh-100985: Update HTTPSConnection to consistently wrap IPv6
+    Addresses when using a proxy.
+  - gh-100884: email: fix misfolding of comma in address-lists over
+    multiple lines in combination with unicode encoding.
+  - gh-95782: Fix io.BufferedReader.tell(),
+    io.BufferedReader.seek(), _pyio.BufferedReader.tell(),
+    io.BufferedRandom.tell(), io.BufferedRandom.seek() and
+    _pyio.BufferedRandom.tell() being able to return negative
+    offsets.
+  - gh-96310: Fix a traceback in argparse when all options in a
+    mutually exclusive group are suppressed.
+  - gh-93205: Fixed a bug in
+    logging.handlers.TimedRotatingFileHandler where multiple
+    rotating handler instances pointing to files with the same name
+    but different extensions would conflict and not delete the
+    correct files.
+  - bpo-44865: Add missing call to localization function in
+    argparse.
+  - bpo-43952: Fix multiprocessing.connection.Listener.accept() to
+    accept empty bytes as authkey. Not accepting empty bytes as key
+    causes it to hang indefinitely.
+  - bpo-42125: linecache: get module name from __spec__ if
+    available. This allows getting source code for the __main__
+    module when a custom loader is used.
+  - gh-66543: Make mimetypes.guess_type() properly parsing of URLs
+    with only a host name, URLs containing fragment or query, and
+    filenames with only a UNC sharepoint on Windows. Based on patch
+    by Dong-hee Na.
+  - bpo-33775: Add ‘default’ and ‘version’ help text for
+    localization in argparse.
+  * Documentation
+  - gh-115399: Document CVE-2023-52425 of Expat <2.6.0 under “XML
+    vulnerabilities”.
+  - gh-115233: Fix an example for LoggerAdapter in the Logging
+    Cookbook.
+  * Tests
+  - gh-83434: Disable JUnit XML output (--junit-xml=FILE command
+    line option) in regrtest when hunting for reference leaks (-R
+    option). Patch by Victor Stinner.
+  - gh-117187: Fix XML tests for vanilla Expat <2.6.0.
+  - gh-115979: Update test_importlib so that it passes under WASI
+    SDK 21.
+  - gh-116307: Added import helper isolated_modules as CleanImport
+    does not remove modules imported during the context.
+  - gh-115720: Leak tests (-R, --huntrleaks) now show a summary of
+    the number of leaks found in each iteration.
+  - gh-115122: Add --bisect option to regrtest test runner: run
+    failed tests with test.bisect_cmd to identify failing tests.
+    Patch by Victor Stinner.
+  - gh-115596: Fix ProgramPriorityTests in test_os permanently
+    changing the process priority.
+  - gh-115198: Fix test_check_metadata_deprecate in distutils tests
+    with a newer Docutils.
+  * Build
+  - gh-116313: Get WASI builds to work under wasmtime 18 w/ WASI
+    0.2/preview2 primitives.
+  - gh-115167: Avoid vendoring vcruntime140_threads.dll when
+    building with Visual Studio 2022 version 17.8.
+  * Windows
+  - gh-116773: Fix instances of <_overlapped.Overlapped object at
+    0xXXX> still has pending operation at deallocation, the process
+    may crash.
+  - gh-91227: Fix the asyncio ProactorEventLoop implementation so
+    that sending a datagram to an address that is not listening does
+    not prevent receiving any more datagrams.
+  - gh-115554: The installer now has more strict rules about
+    updating the Python Launcher for Windows. In general, most users
+    only have a single launcher installed and will see no
+    difference. When multiple launchers have been installed, the
+    option to install the launcher is disabled until all but one
+    have been removed. Downgrading the launcher (which was never
+    allowed) is now more obviously blocked.
+  - gh-115543: Python Launcher for Windows can now detect Python
+    3.13 when installed from the Microsoft Store, and will install
+    Python 3.12 by default when PYLAUNCHER_ALLOW_INSTALL is set.
+  - gh-115009: Update Windows installer to use SQLite 3.45.1.
+  * IDLE
+  - gh-88516: On macOS show a proxy icon in the title bar of editor
+    windows to match platform behaviour.
+  * Tools/Demos
+  - gh-113516: Don’t set LDSHARED when building for WASI.
+  * C API
+  - gh-117021: Fix integer overflow in PyLong_AsPid() on non-Windows
+    64-bit platforms.
+
+- Add reference to CVE-2024-0450 (bsc#1221854) to changelog.
+
+- Because of bsc#1189495 we have to revert use of %autopatch.
+
+- Rewrite %prep to use %autosetup et al. for compatibility with
+  rpm 4.20.
+
+- bsc#1221260 add bsc1221260-test_asyncio-ResourceWarning.patch
+  to eliminate ResourceWarning which broke the test suite in
+  test_asyncio.
+
+- Use the system-wide crypto-policies [bsc#1211301]
+  * Use the system default cipher list instead of hardcoded values
+  * Add the --with-ssl-default-suites=openssl configure option
+
+- (bsc#1219666, CVE-2023-6597) Add
+  CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from
+  gh#python/cpython!99930) fixing symlink bug in cleanup of
+  tempfile.TemporaryDirectory.
+
+- Remove double definition of /usr/bin/idle%%{version} in
+  %%files.
+
+- Add upstream patch libexpat260.patch, Fix tests for XMLPullParser
+  with Expat 2.6.0, gh#python/cpython#115289
+
+- Update to 3.11.8:
+  - Security
+  - gh-113659: Skip .pth files with names starting with a dot or
+    hidden file attribute.
+  - Core and Builtins
+  - gh-114887: Changed socket type validation in
+    create_datagram_endpoint() to accept all non-stream sockets.
+    This fixes a regression in compatibility with raw sockets.
+  - gh-114388: Fix a RuntimeWarning emitted when assign an
+    integer-like value that is not an instance of int to an
+    attribute that corresponds to a C struct member of type T_UINT
+    and T_ULONG. Fix a double RuntimeWarning emitted when assign a
+    negative integer value to an attribute that corresponds to a C
+    struct member of type T_UINT.
+  - gh-89811: Check for a valid tp_version_tag before performing
+    bytecode specializations that rely on this value being usable.
+  - gh-113602: Fix an error that was causing the parser to try to
+    overwrite existing errors and crashing in the process. Patch by
+    Pablo Galindo
+  - gh-113566: Fix a 3.11-specific crash when the repr of a Future
+    is requested after the module has already been
+    garbage-collected.
+  - gh-106905: Use per AST-parser state rather than global state to
+    track recursion depth within the AST parser to prevent potential
+    race condition due to simultaneous parsing.
+  - The issue primarily showed up in 3.11 by multithreaded users of
+    ast.parse(). In 3.12 a change to when garbage collection can be
+    triggered prevented the race condition from occurring.
+  - gh-112716: Fix SystemError in the import statement and in
+    __reduce__() methods of builtin types when __builtins__ is not a
+    dict.
+  - gh-105967: Workaround a bug in Apple’s macOS platform zlib
+    library where zlib.crc32() and binascii.crc32() could produce
+    incorrect results on multi-gigabyte inputs. Including when using
+    zipfile on zips containing large data.
+  - gh-94606: Fix UnicodeEncodeError when
+    email.message.get_payload() reads a message with a Unicode
+    surrogate character and the message content is not well-formed
+    for surrogateescape encoding. Patch by Sidney Markowitz.
+  - Library
+  - gh-114965: Update bundled pip to 24.0
+  - gh-114959: tarfile no longer ignores errors when trying to
+    extract a directory on top of a file.
+  - gh-109475: Fix support of explicit option value “–” in argparse
+    (e.g. --option=--).
+  - gh-110190: Fix ctypes structs with array on Windows ARM64
+    platform by setting MAX_STRUCT_SIZE to 32 in stgdict. Patch by
+    Diego Russo
+  - gh-113280: Fix a leak of open socket in rare cases when error
+    occurred in ssl.SSLSocket creation.
+  - gh-77749: email.policy.EmailPolicy.fold() now always encodes
+    non-ASCII characters in headers if utf8 is false.
+  - gh-114492: Make the result of termios.tcgetattr() reproducible
+    on Alpine Linux. Previously it could leave a random garbage in
+    some fields.
+  - gh-75128: Ignore an OSError in
+    asyncio.BaseEventLoop.create_server() when IPv6 is available but
+    the interface cannot actually support it.
+  - gh-114257: Dismiss the FileNotFound error in
+    ctypes.util.find_library() and just return None on Linux.
+  - gh-101438: Avoid reference cycle in ElementTree.iterparse. The
+    iterator returned by ElementTree.iterparse may hold on to a file
+    descriptor. The reference cycle prevented prompt clean-up of the
+    file descriptor if the returned iterator was not exhausted.
+  - gh-104522: OSError raised when run a subprocess now only has
+    filename attribute set to cwd if the error was caused by a
+    failed attempt to change the current directory.
+  - gh-109534: Fix a reference leak in
+    asyncio.selector_events.BaseSelectorEventLoop when SSL
+    handshakes fail. Patch contributed by Jamie Phan.
+  - gh-114077: Fix possible OverflowError in
+    socket.socket.sendfile() when pass count larger than 2 GiB on
+    32-bit platform.
+  - gh-114014: Fixed a bug in fractions.Fraction where an invalid
+    string using d in the decimals part creates a different error
+    compared to other invalid letters/characters. Patch by Jeremiah
+    Gabriel Pascual.
+  - gh-113951: Fix the behavior of tag_unbind() methods of
+    tkinter.Text and tkinter.Canvas classes with three arguments.
+    Previously, widget.tag_unbind(tag, sequence, funcid) destroyed
+    the current binding for sequence, leaving sequence unbound, and
+    deleted the funcid command. Now it removes only funcid from the
+    binding for sequence, keeping other commands, and deletes the
+    funcid command. It leaves sequence unbound only if funcid was
+    the last bound command.
+  - gh-113877: Fix tkinter method winfo_pathname() on 64-bit
+    Windows.
+  - gh-113781: Silence unraisable AttributeError when warnings are
+    emitted during Python finalization.
+  - gh-113594: Fix UnicodeEncodeError in email when re-fold lines
+    that contain unknown-8bit encoded part followed by
+    non-unknown-8bit encoded part.
+  - gh-113538: In asyncio.StreamReaderProtocol.connection_made(),
+    there is callback that logs an error if the task wrapping the
+    “connected callback” fails. This callback would itself fail if
+    the task was cancelled. Prevent this by checking whether the
+    task was cancelled first. If so, close the transport but don’t
+    log an error.
+  - gh-85567: Fix resource warnings for unclosed files in pickle and
+    pickletools command line interfaces.
+  - gh-101225: Increase the backlog for
+    multiprocessing.connection.Listener objects created by
+    multiprocessing.manager and multiprocessing.resource_sharer to
+    significantly reduce the risk of getting a connection refused
+    error when creating a multiprocessing.connection.Connection to
+    them.
+  - gh-113543: Make sure that webbrowser.MacOSXOSAScript sends
+    webbrowser.open audit event.
+  - gh-113028: When a second reference to a string appears in the
+    input to pickle, and the Python implementation is in use, we are
+    guaranteed that a single copy gets pickled and a single object
+    is shared when reloaded. Previously, in protocol 0, when a
+    string contained certain characters (e.g. newline) it resulted
+    in duplicate objects.
+  - gh-113421: Fix multiprocessing logger for %(filename)s.
+  - gh-113358: Fix rendering tracebacks for exceptions with a broken
+    __getattr__.
+  - gh-113214: Fix an AttributeError during asyncio SSL protocol
+    aborts in SSL-over-SSL scenarios.
+  - gh-113246: Update bundled pip to 23.3.2.
+  - gh-113199: Make http.client.HTTPResponse.read1 and
+    http.client.HTTPResponse.readline close IO after reading all
+    data when content length is known. Patch by Illia Volochii.
+  - gh-113188: Fix shutil.copymode() and shutil.copystat() on
+    Windows. Previously they worked differenly if dst is a symbolic
+    link: they modified the permission bits of dst itself rather
+    than the file it points to if follow_symlinks is true or src is
+    not a symbolic link, and did not modify the permission bits if
+    follow_symlinks is false and src is a symbolic link.
+  - gh-61648: Detect line numbers of properties in doctests.
+  - gh-112559: signal.signal() and signal.getsignal() no longer call
+    repr on callable handlers. asyncio.run() and
+    asyncio.Runner.run() no longer call repr on the task results.
+    Patch by Yilei Yang.
+  - gh-110190: Fix ctypes structs with array on PPC64LE platform by
+    setting MAX_STRUCT_SIZE to 64 in stgdict. Patch by Diego Russo.
+  - gh-79429: Ignore FileNotFoundError when remove a temporary
+    directory in the multiprocessing finalizer.
+  - gh-79325: Fix an infinite recursion error in
+    tempfile.TemporaryDirectory() cleanup on Windows.
+  - gh-110190: Fix ctypes structs with array on Arm platform by
+    setting MAX_STRUCT_SIZE to 32 in stgdict. Patch by Diego Russo.
+  - gh-81194: Fix a crash in socket.if_indextoname() with specific
+    value (UINT_MAX). Fix an integer overflow in
+    socket.if_indextoname() on 64-bit non-Windows platforms.
+  - gh-75666: Fix the behavior of tkinter widget’s unbind() method
+    with two arguments. Previously, widget.unbind(sequence, funcid)
+    destroyed the current binding for sequence, leaving sequence
+    unbound, and deleted the funcid command. Now it removes only
+    funcid from the binding for sequence, keeping other commands,
+    and deletes the funcid command. It leaves sequence unbound only
+    if funcid was the last bound command.
+  - gh-110345: Show the Tcl/Tk patchlevel (rather than version) in
+    tkinter._test().
+  - gh-109858: Protect zipfile from “quoted-overlap” zipbomb. It now
+    raises BadZipFile when try to read an entry that overlaps with
+    other entry or central directory (bsc#1221854, CVE-2024-0450).
+  - gh-38807: Fix race condition in trace. Instead of checking if a
+    directory exists and creating it, directly call os.makedirs()
+    with the kwarg exist_ok=True.
+  - gh-75705: Set unixfrom envelope in mailbox.mbox and
+    mailbox.MMDF.
+  - gh-105102: Allow ctypes.Union to be nested in ctypes.Structure
+    when the system endianness is the opposite of the classes.
+  - gh-104282: Fix null pointer dereference in
+    lzma._decode_filter_properties() due to improper handling of BCJ
+    filters with properties of zero length. Patch by Radislav
+    Chugunov.
+  - gh-102512: When os.fork() is called from a foreign thread (aka
+    _DummyThread), the type of the thread in a child process is
+    changed to _MainThread. Also changed its name and daemonic
+    status, it can be now joined.
+  - gh-91133: Fix a bug in tempfile.TemporaryDirectory cleanup,
+    which now no longer dereferences symlinks when working around
+    file system permission errors.
+  - bpo-43153: On Windows, tempfile.TemporaryDirectory previously
+    masked a PermissionError with NotADirectoryError during
+    directory cleanup. It now correctly raises PermissionError if
+    errors are not ignored. Patch by Andrei Kulakov and Ken Jin.
+  - bpo-35332: The shutil.rmtree() function now ignores errors when
+    calling os.close() when ignore_errors is True, and os.close() no
+    longer retried after error.
+  - bpo-35928: io.TextIOWrapper now correctly handles the decoding
+    buffer after read() and write().
+  - bpo-26791: shutil.move() now moves a symlink into a directory
+    when that directory is the target of the symlink. This provides
+    the same behavior as the mv shell command. The previous behavior
+    raised an exception. Patch by Jeffrey Kintscher.
+  - bpo-36959: Fix some error messages for invalid ISO format string
+    combinations in strptime() that referred to directives not
+    contained in the format string. Patch by Gordon P. Hemsley.
+  - bpo-18060: Fixed a class inheritance issue that can cause
+    segfaults when deriving two or more levels of subclasses from a
+    base class of Structure or Union.
+  - Documentation
+  - gh-110746: Improved markup for valid options/values for methods
+    ttk.treeview.column and ttk.treeview.heading, and for Layouts.
+  - gh-95649: Document that the asyncio module contains code taken
+    from v0.16.0 of the uvloop project, as well as the required MIT
+    licensing information.
+  - Tests
+  - gh-109980: Fix test_tarfile_vs_tar in test_shutil for macOS,
+    where system tar can include more information in the archive
+    than shutil.make_archive.
+  - gh-112769: The tests now correctly compare zlib version when
+    zlib.ZLIB_RUNTIME_VERSION contains non-integer suffixes. For
+    example zlib-ng defines the version as 1.3.0.zlib-ng.
+  - gh-105089: Fix
+    test.test_zipfile.test_core.TestWithDirectory.test_create_directory_with_write
+    test in AIX by doing a bitwise AND of 0xFFFF on mode , so that
+    it will be in sync with zinfo.external_attr
+  - bpo-40648: Test modes that file can get with chmod() on Windows.
+  - Build
+  - gh-101778: Fix build error when there’s a dangling symlink in
+    the directory containing ffi.h.
+  - gh-112305: Fixed the check-clean-src step performed on out of
+    tree builds to detect errant $(srcdir)/Python/frozen_modules/*.h
+    files and recommend appropriate source tree cleanup steps to get
+    a working build again.
+  - bpo-11102: The os.major(), os.makedev(), and os.minor()
+    functions are now available on HP-UX v3.
+  - bpo-36351: Do not set ipv6type when cross-compiling.
+  - IDLE
+  - gh-96905: In idlelib code, stop redefining built-ins ‘dict’ and
+    ‘object’.
+  - gh-72284: Improve the lists of features, editor key bindings,
+    and shell key bingings in the IDLE doc.
+  - gh-113903: Fix rare failure of test.test_idle, in
+    test_configdialog.
+  - gh-113729: Fix the “Help -> IDLE Doc” menu bug in 3.11.7 and
+    3.12.1.
+  - gh-113269: Fix test_editor hang on macOS Catalina.
+  - gh-112898: Fix processing unsaved files when quitting IDLE on
+    macOS.
+  - gh-103820: Revise IDLE bindings so that events from mouse button
+    4/5 on non-X11 windowing systems (i.e. Win32 and Aqua) are not
+    mistaken for scrolling.
+  - bpo-13586: Enter the selected text when opening the “Replace”
+    dialog.
+  - Tools/Demos
+  - gh-109991: Update GitHub CI workflows to use OpenSSL 3.0.13 and
+    multissltests to use 1.1.1w, 3.0.13, 3.1.5, and 3.2.1.
+  - gh-115015: Fix a bug in Argument Clinic that generated incorrect
+    code for methods with no parameters that use the METH_METHOD |
+    METH_FASTCALL | METH_KEYWORDS calling convention. Only the
+    positional parameter count was checked; any keyword argument
+    passed would be silently accepted.
+- Refresh all patches:
+  - CVE-2023-27043-email-parsing-errors.patch
+  - F00251-change-user-install-location.patch
+  - bpo-31046_ensurepip_honours_prefix.patch
+  - distutils-reproducible-compile.patch
+  - fix_configure_rst.patch
+  - python-3.3.0b1-fix_date_time_compiler.patch
+  - python-3.3.0b1-localpath.patch
+  - python-3.3.0b1-test-posix_fadvise.patch
+  - skip_if_buildbot-extend.patch
+  - subprocess-raise-timeout.patch
+  - support-expat-CVE-2022-25236-patched.patch
+
+- Update patch fix_configure_rst.patch
+- Update to 3.11.7:
+  - Core and Builtins
+  - gh-112625: Fixes a bug where a bytearray object could be cleared
+    while iterating over an argument in the bytearray.join() method
+    that could result in reading memory after it was freed.
+  - gh-112388: Fix an error that was causing the parser to try to
+    overwrite tokenizer errors. Patch by pablo Galindo
+  - gh-112387: Fix error positions for decoded strings with
+    backwards tokenize errors. Patch by Pablo Galindo
+  - gh-112266: Change docstrings of __dict__ and __weakref__.
+  - gh-109181: Speed up Traceback object creation by lazily compute
+    the line number. Patch by Pablo Galindo
+  - gh-102388: Fix a bug where iso2022_jp_3 and iso2022_jp_2004
+    codecs read out of bounds
+  - gh-111366: Fix an issue in the codeop that was causing
+    SyntaxError exceptions raised in the presence of invalid syntax
+    to not contain precise error messages. Patch by Pablo Galindo
+  - gh-111380: Fix a bug that was causing SyntaxWarning to appear
+    twice when parsing if invalid syntax is encountered later. Patch
+    by Pablo galindo
+  - gh-88116: Traceback location ranges involving wide unicode
+    characters (like emoji and asian characters) now are properly
+    highlighted. Patch by Batuhan Taskaya and Pablo Galindo.
+  - gh-94438: Fix a regression that prevented jumping across is None
+    and is not None when debugging. Patch by Savannah Ostrowski.
+  - gh-110696: Fix incorrect error message for invalid argument
+    unpacking. Patch by Pablo Galindo
+  - gh-110237: Fix missing error checks for calls to PyList_Append
+    in _PyEval_MatchClass.
+  - gh-109216: Fix possible memory leak in BUILD_MAP.
+  - Library
+  - gh-112618: Fix a caching bug relating to typing.Annotated.
+    Annotated[str, True] is no longer identical to Annotated[str,
+    1].
+  - gh-112509: Fix edge cases that could cause a key to be present
+    in both the __required_keys__ and __optional_keys__ attributes
+    of a typing.TypedDict. Patch by Jelle Zijlstra.
+  - gh-94722: Fix bug where comparison between instances of DocTest
+    fails if one of them has None as its lineno.
+  - gh-112105: Make readline.set_completer_delims() work with
+    libedit
+  - gh-111942: Fix SystemError in the TextIOWrapper constructor with
+    non-encodable “errors” argument in non-debug mode.
+  - gh-109538: Issue warning message instead of having RuntimeError
+    be displayed when event loop has already been closed at
+    StreamWriter.__del__().
+  - gh-111942: Fix crashes in io.TextIOWrapper.reconfigure() when
+    pass invalid arguments, e.g. non-string encoding.
+  - gh-111804: Remove posix.fallocate() under WASI as the underlying
+    posix_fallocate() is not available in WASI preview2.
+  - gh-111841: Fix truncating arguments on an embedded null
+    character in os.putenv() and os.unsetenv() on Windows.
+  - gh-111541: Fix doctest for SyntaxError not-builtin subclasses.
+  - gh-110894: Call loop exception handler for exceptions in
+    client_connected_cb of asyncio.start_server() so that
+    applications can handle it. Patch by Kumar Aditya.
+  - gh-111531: Fix reference leaks in bind_class() and bind_all()
+    methods of tkinter widgets.
+  - gh-111356: Added io.text_encoding(), io.DEFAULT_BUFFER_SIZE, and
+    io.IncrementalNewlineDecoder to io.__all__.
+  - gh-68166: Remove mention of not supported “vsapi” element type
+    in tkinter.ttk.Style.element_create(). Add tests for
+    element_create() and other ttk.Style methods. Add examples for
+    element_create() in the documentation.
+  - gh-111251: Fix _blake2 not checking for errors when
+    initializing.
+  - gh-111174: Fix crash in io.BytesIO.getbuffer() called repeatedly
+    for empty BytesIO.
+  - gh-111187: Postpone removal version for
+    locale.getdefaultlocale() to Python 3.15.
+  - gh-111159: Fix doctest output comparison for exceptions with
+    notes.
+  - gh-110910: Fix invalid state handling in asyncio.TaskGroup and
+    asyncio.Timeout. They now raise proper RuntimeError if they are
+    improperly used and are left in consistent state after this.
+  - gh-111092: Make turtledemo run without default root enabled.
+  - gh-110590: Fix a bug in _sre.compile() where TypeError would be
+    overwritten by OverflowError when the code argument was a list
+    of non-ints.
+  - gh-65052: Prevent pdb from crashing when trying to display
+    undisplayable objects
+  - gh-110519: Deprecation warning about non-integer number in
+    gettext now alwais refers to the line in the user code where
+    gettext function or method is used. Previously it could refer to
+    a line in gettext code.
+  - gh-110378: contextmanager() and asynccontextmanager() context
+    managers now close an invalid underlying generator object that
+    yields more then one value.
+  - gh-110365: Fix termios.tcsetattr() bug that was overwritting
+    existing errors during parsing integers from term list.
+  - gh-110196: Add __reduce__ method to IPv6Address in order to keep
+    scope_id
+  - gh-109747: Improve errors for unsupported look-behind patterns.
+    Now re.error is raised instead of OverflowError or RuntimeError
+    for too large width of look-behind pattern.
+  - gh-109786: Fix possible reference leaks and crash when re-enter
+    the __next__() method of itertools.pairwise.
+  - gh-108791: Improved error handling in pdb command line
+    interface, making it produce more concise error messages.
+  - gh-73561: Omit the interface scope from an IPv6 address when
+    used as Host header by http.client.
+  - gh-86826: zipinfo now supports the full range of values in the
+    TZ string determined by RFC 8536 and detects all invalid
+    formats. Both Python and C implementations now raise exceptions
+    of the same type on invalid data.
+  - bpo-41422: Fixed memory leaks of pickle.Pickler and
+    pickle.Unpickler involving cyclic references via the internal
+    memo mapping.
+  - bpo-40262: The ssl.SSLSocket.recv_into() method no longer
+    requires the buffer argument to implement __len__ and supports
+    buffers with arbitrary item size.
+  - bpo-35191: Fix unexpected integer truncation in
+    socket.setblocking() which caused it to interpret multiples of
+    2**32 as False.
+  - Documentation
+  - gh-108826: dis module command-line interface is now mentioned in
+    documentation.
+  - Tests
+  - gh-110367: Make regrtest --verbose3 option compatible with
+  - -huntrleaks -jN options. The ./python -m test -j1 -R 3:3
+  - -verbose3 command now works as expected. Patch by Victor
+    Stinner.
+  - gh-111309: distutils tests can now be run via unittest.
+  - gh-111165: Remove no longer used functions run_unittest() and
+    run_doctest() and class BasicTestRunner from the test.support
+    module.
+  - gh-110932: Fix regrtest if the SOURCE_DATE_EPOCH environment
+    variable is defined: use the variable value as the random seed.
+    Patch by Victor Stinner.
+  - gh-110995: test_gdb: Fix detection of gdb built without Python
+    scripting support. Patch by Victor Stinner.
+  - gh-110918: Test case matching patterns specified by options
+  - -match, --ignore, --matchfile and --ignorefile are now tested
+    in the order of specification, and the last match determines
+    whether the test case be run or ignored.
+  - gh-110647: Fix test_stress_modifying_handlers() of test_signal.
+    Patch by Victor Stinner.
+  - gh-103053: Fix test_tools.test_freeze on FreeBSD: run “make
+    distclean” instead of “make clean” in the copied source
+    directory to remove also the “python” program. Patch by Victor
+    Stinner.
+  - gh-110167: Fix a deadlock in test_socket when server fails with
+    a timeout but the client is still running in its thread. Don’t
+    hold a lock to call cleanup functions in doCleanups(). One of
+    the cleanup function waits until the client completes, whereas
+    the client could deadlock if it called addCleanup() in such
+    situation. Patch by Victor Stinner.
+  - gh-110388: Add tests for tty.
+  - gh-81002: Add tests for termios.
+  - gh-110267: Add tests for pickling and copying PyStructSequence
+    objects. Patched by Xuehai Pan.
+  - gh-109974: Fix race conditions in test_threading lock tests.
+    Wait until a condition is met rather than using time.sleep()
+    with a hardcoded number of seconds. Patch by Victor Stinner.
+  - gh-109972: Split test_gdb.py file into a test_gdb package made
+    of multiple tests, so tests can now be run in parallel. Patch by
+    Victor Stinner.
+  - gh-104736: Fix test_gdb on Python built with LLVM clang 16 on
+    Linux ppc64le (ex: Fedora 38). Search patterns in gdb “bt”
+    command output to detect when gdb fails to retrieve the
+    traceback. For example, skip a test if Backtrace stopped: frame
+    did not save the PC is found. Patch by Victor Stinner.
+  - gh-108927: Fixed order dependence in running tests in the same
+    process when a test that has submodules (e.g. test_importlib)
+    follows a test that imports its submodule (e.g.
+    test_importlib.util) and precedes a test (e.g. test_unittest or
+    test_compileall) that uses that submodule.
+  - Build
+  - gh-103053: “make check-clean-src” now also checks if the
+    “python” program is found in the source directory: fail with an
+    error if it does exist. Patch by Victor Stinner.
+  - gh-109191: Fix compile error when building with recent versions
+    of libedit.
+  - IDLE
+  - bpo-35668: Add docstrings to the IDLE debugger module. Fix two
+    bugs: initialize Idb.botframe (should be in Bdb); in
+    Idb.in_rpc_code, check whether prev_frame is None before trying
+    to use it. Greatly expand test_debugger.
+  - C API
+  - gh-112438: Fix support of format units “es”, “et”, “es#”, and
+    “et#” in nested tuples in PyArg_ParseTuple()-like functions.
+  - gh-109521: PyImport_GetImporter() now sets RuntimeError if it
+    fails to get sys.path_hooks or sys.path_importer_cache or they
+    are not list and dict correspondingly. Previously it could
+    return NULL without setting error in obscure cases, crash or
+    raise SystemError if these attributes have wrong type.
+
+- Refresh CVE-2023-27043-email-parsing-errors.patch to
+  gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043).
+- Thus we can remove Revert-gh105127-left-tests.patch, which is
+  now useless.
+
+- Remove not needed patch 103213-fetch-CONFIG_ARGS.patch
+- Refresh patches:
+  - bpo-31046_ensurepip_honours_prefix.patch
+  - fix_configure_rst.patch
+- Update to 3.11.6:
+  - Core and Builtins
+  - gh-109351: Fix crash when compiling an invalid AST involving a
+    named (walrus) expression.
+  - gh-109207: Fix a SystemError in __repr__ of symtable entry
+    object.
+  - gh-109179: Fix bug where the C traceback display drops notes
+    from SyntaxError.
+  - gh-88943: Improve syntax error for non-ASCII character that
+    follows a numerical literal. It now points on the invalid
+    non-ASCII character, not on the valid numerical literal.
+  - gh-108959: Fix caret placement for error locations for subscript
+    and binary operations that involve non-semantic parentheses and
+    spaces. Patch by Pablo Galindo
+  - gh-108520: Fix
+    multiprocessing.synchronize.SemLock.__setstate__() to properly
+    initialize multiprocessing.synchronize.SemLock._is_fork_ctx.
+    This fixes a regression when passing a SemLock accross nested
+    processes.
+  - Rename multiprocessing.synchronize.SemLock.is_fork_ctx to
+    multiprocessing.synchronize.SemLock._is_fork_ctx to avoid
+    exposing it as public API.
+  - Library
+  - gh-110036: On Windows, multiprocessing Popen.terminate() now
+    catchs PermissionError and get the process exit code. If the
+    process is still running, raise again the PermissionError.
+    Otherwise, the process terminated as expected: store its exit
+    code. Patch by Victor Stinner.
+  - gh-110038: Fixed an issue that caused KqueueSelector.select() to
+    not return all the ready events in some cases when a file
+    descriptor is registered for both read and write.
+  - gh-109631: re functions such as re.findall(), re.split(),
+    re.search() and re.sub() which perform short repeated matches
+    can now be interrupted by user.
+  - gh-109593: Avoid deadlocking on a reentrant call to the
+    multiprocessing resource tracker. Such a reentrant call, though
+    unlikely, can happen if a GC pass invokes the finalizer for a
+    multiprocessing object such as SemLock.
+  - gh-109613: Fix os.stat() and os.DirEntry.stat(): check for
+    exceptions. Previously, on Python built in debug mode, these
+    functions could trigger a fatal Python error (and abort the
+    process) when a function succeeded with an exception set. Patch
+    by Victor Stinner.
+  - gh-109375: The pdb alias command now prevents registering
+    aliases without arguments.
+  - gh-107219: Fix a race condition in concurrent.futures. When a
+    process in the process pool was terminated abruptly (while the
+    future was running or pending), close the connection write end.
+    If the call queue is blocked on sending bytes to a worker
+    process, closing the connection write end interrupts the send,
+    so the queue can be closed. Patch by Victor Stinner.
+  - gh-50644: Attempts to pickle or create a shallow or deep copy of
+    codecs streams now raise a TypeError. Previously, copying failed
+    with a RecursionError, while pickling produced wrong results
+    that eventually caused unpickling to fail with a RecursionError.
+  - gh-108987: Fix _thread.start_new_thread() race condition. If a
+    thread is created during Python finalization, the newly spawned
+    thread now exits immediately instead of trying to access freed
+    memory and lead to a crash. Patch by Victor Stinner.
+  - gh-108843: Fix an issue in ast.unparse() when unparsing
+    f-strings containing many quote types.
+  - gh-108682: Enum: raise TypeError if super().__new__() is called
+    from a custom __new__.
+  - gh-105829: Fix concurrent.futures.ProcessPoolExecutor deadlock
+  - gh-64662: Fix support for virtual tables in
+    sqlite3.Connection.iterdump(). Patch by Aviv Palivoda.
+  - gh-107913: Fix possible losses of errno and winerror values in
+    OSError exceptions if they were cleared or modified by the
+    cleanup code before creating the exception object.
+  - gh-104372: On Linux where subprocess can use the vfork() syscall
+    for faster spawning, prevent the parent process from blocking
+    other threads by dropping the GIL while it waits for the
+    vfork’ed child process exec() outcome. This prevents spawning a
+    binary from a slow filesystem from blocking the rest of the
+    application.
+  - gh-84867: unittest.TestLoader no longer loads test cases from
+    exact unittest.TestCase and unittest.FunctionTestCase classes.
+  - Documentation
+  - gh-109209: The minimum Sphinx version required for the
+    documentation is now 4.2.
+  - gh-105052: Update timeit doc to specify that time in seconds is
+    just the default.
+  - gh-102823: Document the return type of x // y when x and y have
+    type float.
+  - Tests
+  - gh-110031: Skip test_threading tests using thread+fork if Python
+    is built with Address Sanitizer (ASAN). Patch by Victor Stinner.
+  - gh-110088: Fix test_asyncio timeouts: don’t measure the maximum
+    duration, a test should not measure a CI performance. Only
+    measure the minimum duration when a task has a timeout or delay.
+    Add CLOCK_RES to test_asyncio.utils. Patch by Victor Stinner.
+  - gh-110033: Fix test_interprocess_signal() of test_signal. Make
+    sure that the subprocess.Popen object is deleted before the test
+    raising an exception in a signal handler. Otherwise,
+    Popen.__del__() can get the exception which is logged as
+    Exception ignored in: ... and the test fails. Patch by Victor
+    Stinner.
+  - gh-109594: Fix test_timeout() of
+    test_concurrent_futures.test_wait. Remove the future which may
+    or may not complete depending if it takes longer than the
+    timeout ot not. Keep the second future which does not complete
+    before wait() timeout. Patch by Victor Stinner.
+  - gh-109748: Fix test_zippath_from_non_installed_posix() of
+    test_venv: don’t copy __pycache__/ sub-directories, because they
+    can be modified by other Python tests running in parallel. Patch
+    by Victor Stinner.
+  - gh-103053: Skip test_freeze_simple_script() of
+    test_tools.test_freeze if Python is built with ./configure
+  - -enable-optimizations, which means with Profile Guided
+    Optimization (PGO): it just makes the test too slow. The freeze
+    tool is tested by many other CIs with other (faster) compiler
+    flags. Patch by Victor Stinner.
+  - gh-109396: Fix test_socket.test_hmac_sha1() in FIPS mode. Use a
+    longer key: FIPS mode requires at least of at least 112 bits.
+    The previous key was only 32 bits. Patch by Victor Stinner.
+  - gh-104736: Fix test_gdb on Python built with LLVM clang 16 on
+    Linux ppc64le (ex: Fedora 38). Search patterns in gdb “bt”
+    command output to detect when gdb fails to retrieve the
+    traceback. For example, skip a test if Backtrace stopped: frame
+    did not save the PC is found. Patch by Victor Stinner.
+  - gh-109237: Fix test_site.test_underpth_basic() when the working
+    directory contains at least one non-ASCII character: encode the
+    ._pth file to UTF-8 and enable the UTF-8 Mode to use UTF-8 for
+    the child process stdout. Patch by Victor Stinner.
+  - gh-109230: Fix test_pyexpat.test_exception(): it can now be run
+    from a directory different than Python source code directory.
+    Before, the test failed in this case. Skip the test if
+    Modules/pyexpat.c source is not available. Skip also the test on
+    Python implementations other than CPython. Patch by Victor
+    Stinner.
+  - gh-109015: Fix test_asyncio, test_imaplib and test_socket tests
+    on FreeBSD if the TCP blackhole is enabled (sysctl
+    net.inet.tcp.blackhole). Skip the few tests which failed with
+    ETIMEDOUT which such non standard configuration. Currently, the
+    FreeBSD GCP image enables TCP and UDP blackhole (sysctl
+    net.inet.tcp.blackhole=2 and sysctl net.inet.udp.blackhole=1).
+    Patch by Victor Stinner.
+  - gh-91960: Skip test_gdb if gdb is unable to retrieve Python
+    frame objects: if a frame is <optimized out>. When Python is
+    built with “clang -Og”, gdb can fail to retrive the frame
+    parameter of _PyEval_EvalFrameDefault(). In this case, tests
+    like py_bt() are likely to fail. Without getting access to
+    Python frames, python-gdb.py is mostly clueless on retrieving
+    the Python traceback. Moreover, test_gdb is no longer skipped on
+    macOS if Python is built with Clang. Patch by Victor Stinner.
+  - gh-108962: Skip test_tempfile.test_flags() if chflags() fails
+    with “OSError: [Errno 45] Operation not supported” (ex: on
+    FreeBSD 13). Patch by Victor Stinner.
+  - gh-89392: Removed support of test_main() function in tests. They
+    now always use normal unittest test runner.
+  - gh-108851: Fix test_tomllib recursion tests for WASI buildbots:
+    reduce the recursion limit and compute the maximum nested
+    array/dict depending on the current available recursion limit.
+    Patch by Victor Stinner.
+  - gh-108851: Add get_recursion_available() and
+    get_recursion_depth() functions to the test.support module.
+    Patch by Victor Stinner.
+  - gh-108822: regrtest now computes statistics on all tests:
+    successes, failures and skipped. test_netrc, test_pep646_syntax
+    and test_xml_etree now return results in their test_main()
+    function. Patch by Victor Stinner and Alex Waygood.
+  - gh-108388: Convert test_concurrent_futures to a package of 7
+    sub-tests. Patch by Victor Stinner.
+  - gh-108388: Split test_multiprocessing_fork,
+    test_multiprocessing_forkserver and test_multiprocessing_spawn
+    into test packages. Each package is made of 4 sub-tests:
+    processes, threads, manager and misc. It allows running more
+    tests in parallel and so reduce the total test duration. Patch
+    by Victor Stinner.
+  - gh-101634: When running the Python test suite with -jN option,
+    if a worker stdout cannot be decoded from the locale encoding
+    report a failed testn so the exitcode is non-zero. Patch by
+    Victor Stinner.
+  - gh-100086: The Python test runner (libregrtest) now logs Python
+    build information like “debug” vs “release” build, or LTO and
+    PGO optimizations. Patch by Victor Stinner.
+  - gh-98903: The Python test suite now fails wit exit code 4 if no
+    tests ran. It should help detecting typos in test names and test
+    methods.
+  - gh-95027: On Windows, when the Python test suite is run with the
+  - jN option, the ANSI code page is now used as the encoding for
+    the stdout temporary file, rather than using UTF-8 which can
+    lead to decoding errors. Patch by Victor Stinner.
+  - gh-93353: regrtest now checks if a test leaks temporary files or
+    directories if run with -jN option. Patch by Victor Stinner.
+  - Build
+  - gh-63760: Fix Solaris build: no longer redefine the
+    gethostname() function. Solaris defines the function since 2005.
+    Patch by Victor Stinner, original patch by Jakub Kulík.
+  - gh-108740: Fix a race condition in make regen-all. The
+    deepfreeze.c source and files generated by Argument Clinic are
+    now generated or updated before generating “global objects”.
+    Previously, some identifiers may miss depending on the order in
+    which these files were generated. Patch by Victor Stinner.
+  - Windows
+  - gh-109991: Update Windows build to use OpenSSL 3.0.11.
+  - gh-107565: Update Windows build to use OpenSSL 3.0.10.
+  - macOS
+  - gh-109991: Update macOS installer to use OpenSSL 3.0.11.
+  - Tools/Demos
+  - gh-109991: Update GitHub CI workflows to use OpenSSL 3.0.11 and
+    multissltests to use 1.1.1w, 3.0.11, and 3.1.3.
+
qemu
+- Backports and bugfixes:
+  * hw/net/net_tx_pkt: Fix overrun in update_sctp_checksum() (bsc#1222841, CVE-2024-3567)
+  * hw/virtio/virtio-crypto: Protect from DMA re-entrancy bugs (bsc#1222843, CVE-2024-3446)
+  * hw/char/virtio-serial-bus: Protect from DMA re-entrancy bugs (bsc#1222843, CVE-2024-3446)
+  * hw/display/virtio-gpu: Protect from DMA re-entrancy bugs (bsc#1222843, CVE-2024-3446)
+  * hw/virtio: Introduce virtio_bh_new_guarded() helper (bsc#1222843, CVE-2024-3446)
+  * hw/sd/sdhci: Do not update TRNMOD when Command Inhibit (DAT) is set (bsc#1222845, CVE-2024-3447)
+  * hw/nvme: Use pcie_sriov_num_vfs() (bsc#1220065, CVE-2024-26328)
+
+- Update to version 8.2.2. Full changelog here:
+  https://lore.kernel.org/qemu-devel/1709577077.783602.1474596.nullmailer@tls.msk.ru/
+  Some upstream backports:
+  * chardev/char-socket: Fix TLS io channels sending too much data to the backend
+  * tests/unit/test-util-sockets: Remove temporary file after test
+  * hw/usb/bus.c: PCAP adding 0xA in Windows version
+  * hw/intc/Kconfig: Fix GIC settings when using "--without-default-devices"
+  * gitlab: force allow use of pip in Cirrus jobs
+  * tests/vm: avoid re-building the VM images all the time
+  * tests/vm: update openbsd image to 7.4
+  * target/i386: leave the A20 bit set in the final NPT walk
+  * target/i386: remove unnecessary/wrong application of the A20 mask
+  * target/i386: Fix physical address truncation
+  * target/i386: check validity of VMCB addresses
+  * target/i386: mask high bits of CR3 in 32-bit mode
+  * pl031: Update last RTCLR value on write in case it's read back
+  * hw/nvme: fix invalid endian conversion
+  * update edk2 binaries to edk2-stable202402
+  * update edk2 submodule to edk2-stable202402
+  * target/ppc: Fix crash on machine check caused by ifetch
+  * target/ppc: Fix lxv/stxv MSR facility check
+  * .gitlab-ci.d/windows.yml: Drop msys2-32bit job
+  * system/vl: Update description for input grab key
+  * docs/system: Update description for input grab key
+  * hw/hppa/Kconfig: Fix building with "configure --without-default-devices"
+  * tests/qtest: Depend on dbus_display1_dep
+  * meson: Explicitly specify dbus-display1.h dependency
+  * audio: Depend on dbus_display1_dep
+  * ui/console: Fix console resize with placeholder surface
+  * ui/clipboard: add asserts for update and request
+  * ui/clipboard: mark type as not available when there is no data
+  * ui: reject extended clipboard message if not activated
+  * target/i386: Generate an illegal opcode exception on cmp instructions with lock prefix
+  * i386/cpuid: Move leaf 7 to correct group
+  * i386/cpuid: Decrease cpuid_i when skipping CPUID leaf 1F
+  * i386/cpu: Mask with XCR0/XSS mask for FEAT_XSAVE_XCR0_HI and FEAT_XSAVE_XSS_HI leafs
+  * i386/cpu: Clear FEAT_XSAVE_XSS_LO/HI leafs when CPUID_EXT_XSAVE is not available
+  * .gitlab-ci/windows.yml: Don't install libusb or spice packages on 32-bit
+  * iotests: Make 144 deterministic again
+  * target/arm: Don't get MDCR_EL2 in pmu_counter_enabled() before checking ARM_FEATURE_PMU
+  * target/arm: Fix SVE/SME gross MTE suppression checks
+  * target/arm: Handle mte in do_ldrq, do_ldro
+- Address bsc#1220310. Backported upstream commits:
+  * ppc/spapr: Initialize max_cpus limit to SPAPR_IRQ_NR_IPIS
+  * ppc/spapr: Introduce SPAPR_IRQ_NR_IPIS to refer IRQ range for CPU IPIs.
+