python313-core-3.13.5-160000.2.2

- Add CVE-2025-8194-tarfile-no-neg-offsets.patch which now
  validates archives to ensure member offsets are non-negative
  (gh#python/cpython#130577, CVE-2025-8194, bsc#1247249).

- Fix gil/nogil package description, bsc#1246229

- Add CVE-2025-6069-quad-complex-HTMLParser.patch to avoid worst
  case quadratic complexity when processing certain crafted
  malformed inputs with HTMLParser (CVE-2025-6069, bsc#1244705).

- Add bsc1243155-sphinx-non-determinism.patch (bsc#1243155) to
  generate ids for audit_events using docname (reproducible
  builds).

- Use one core to build doc. This will make sphinx doc build
  reproducible.
  bsc#1243155

- adjusted sofilename for "nogil" build correctly.

- Update to 3.13.5:
  - Tests
  - gh-135120: Add test.support.subTests().
  - Library
  - gh-133967: Do not normalize locale name ‘C.UTF-8’ to
    ‘en_US.UTF-8’.
  - gh-135326: Restore support of integer-like objects with
    __index__() in random.getrandbits().
  - gh-135321: Raise a correct exception for values greater
    than 0x7fffffff for the BINSTRING opcode in the C
    implementation of pickle.
  - gh-135276: Backported bugfixes in zipfile.Path from
    zipp 3.23. Fixed .name, .stem and other basename-based
    properties on Windows when working with a zipfile on disk.
  - gh-134151: email: Fix TypeError in
    email.utils.decode_params() when sorting RFC 2231
    continuations that contain an unnumbered section.
  - gh-134152: email: Fix parsing of email message ID with
    invalid domain.
  - gh-127081: Fix libc thread safety issues with os by
    replacing getlogin with getlogin_r re-entrant version.
  - gh-131884: Fix formatting issues in json.dump() when both
    indent and skipkeys are used.
  - Core and Builtins
  - gh-135171: Roll back changes to generator and list
    comprehensions that went into 3.13.4 to fix gh-127682,
    but which involved semantic and bytecode changes not
    appropriate for a bugfix release.
  - C API
  - gh-134989: Fix Py_RETURN_NONE, Py_RETURN_TRUE and
    Py_RETURN_FALSE macros in the limited C API 3.11 and
    older: don’t treat Py_None, Py_True and Py_False as
    immortal. Patch by Victor Stinner.
  - gh-134989: Implement PyObject_DelAttr() and
    PyObject_DelAttrString() as macros in the limited C API
    3.12 and older. Patch by Victor Stinner.
- Substantially rewritten doc-py38-to-py36.patch patch to be more
  flexible and covering even unexpected changes.

- Update to 3.13.4:
  - Security
  - gh-135034: Fixes multiple issues that allowed tarfile
    extraction filters (filter="data" and filter="tar") to be
    bypassed using crafted symlinks and hard links.
    Addresses CVE-2024-12718 (bsc#1244056), CVE-2025-4138
    (bsc#1244059), CVE-2025-4330 (bsc#1244060), and
    CVE-2025-4517 (bsc#1244032). Also addresses CVE-2025-4435
    (gh#135034, bsc#1244061).
  - gh-133767: Fix use-after-free in the “unicode-escape”
    decoder with a non-“strict” error handler (CVE-2025-4516,
    bsc#1243273).
  - gh-128840: Short-circuit the processing of long IPv6
    addresses early in ipaddress to prevent excessive memory
    consumption and a minor denial-of-service.
  - Library
  - gh-134718: ast.dump() now only omits None and [] values if
    they are default values.
  - gh-128840: Fix parsing long IPv6 addresses with embedded
    IPv4 address.
  - gh-134696: Built-in HACL* and OpenSSL implementations of
    hash function constructors now correctly accept the same
    documented named arguments. For instance, md5() could be
    previously invoked as md5(data=data) or md5(string=string)
    depending on the underlying implementation but these calls
    were not compatible. Patch by Bénédikt Tran.
  - gh-134210: curses.window.getch() now correctly handles
    signals. Patch by Bénédikt Tran.
  - gh-80334: multiprocessing.freeze_support() now checks for
    work on any “spawn” start method platform rather than only
    on Windows.
  - gh-114177: Fix asyncio to not close subprocess pipes which
    would otherwise error out when the event loop is already
    closed.
  - gh-134152: Fixed UnboundLocalError that could occur during
    email header parsing if an expected trailing delimiter is
    missing in some contexts.
  - gh-62184: Remove import of C implementation of io.FileIO
    from Python implementation which has its own implementation
  - gh-133982: Emit RuntimeWarning in the Python implementation
    of io when the file-like object is not closed explicitly in
    the presence of multiple I/O layers.
  - gh-133890: The tarfile module now handles
    UnicodeEncodeError in the same way as OSError when cannot
    extract a member.
  - gh-134097: Fix interaction of the new REPL and -X
    showrefcount command line option.
  - gh-133889: The generated directory listing page in
    http.server.SimpleHTTPRequestHandler now only shows the
    decoded path component of the requested URL, and not the
    query and fragment.
  - gh-134098: Fix handling paths that end with
    a percent-encoded slash (%2f or %2F) in
    http.server.SimpleHTTPRequestHandler.
  - gh-134062: ipaddress: fix collisions in __hash__() for
    IPv4Network and IPv6Network objects.
  - gh-133745: In 3.13.3 we accidentally changed the signature
    of the asyncio create_task() family of methods and how it
    calls a custom task factory in a backwards incompatible
    way. Since some 3rd party libraries have already made
    changes to work around the issue that might break if
    we simply reverted the changes, we’re instead changing
    things to be backwards compatible with 3.13.2 while still
    supporting those workarounds for 3.13.3. In particular, the
    special-casing of name and context is back (until 3.14) and
    consequently eager tasks may still find that their name
    hasn’t been set before they execute their first yielding
    await.
  - gh-71253: Raise ValueError in open() if opener returns a
    negative file-descriptor in the Python implementation of io
    to match the C implementation.
  - gh-77057: Fix handling of invalid markup declarations in
    html.parser.HTMLParser.
  - gh-133489: random.getrandbits() can now generate more that
    231 bits. random.randbytes() can now generate more that 256
    MiB.
  - gh-133290: Fix attribute caching issue when setting
    ctypes._Pointer._type_ in the undocumented and deprecated
    ctypes.SetPointerType() function and the undocumented
    set_type() method.
  - gh-132876: ldexp() on Windows doesn’t round subnormal
    results before Windows 11, but should. Python’s
    math.ldexp() wrapper now does round them, so results may
    change slightly, in rare cases of very small results, on
    Windows versions before 11.
  - gh-133089: Use original timeout value for
    subprocess.TimeoutExpired when the func subprocess.run()
    is called with a timeout instead of sometimes a confusing
    partial remaining time out value used internally on the
    final wait().
  - gh-133009: xml.etree.ElementTree: Fix a crash in
    Element.__deepcopy__ when the element is concurrently
    mutated. Patch by Bénédikt Tran.
  - gh-132995: Bump the version of pip bundled in ensurepip to
    version 25.1.1
  - gh-132017: Fix error when pyrepl is suspended, then resumed
    and terminated.
  - gh-132673: Fix a crash when using _align_ = 0 and _fields_
    = [] in a ctypes.Structure.
  - gh-132527: Include the valid typecode ‘w’ in the error
    message when an invalid typecode is passed to array.array.
  - gh-132439: Fix PyREPL on Windows: characters entered via
    AltGr are swallowed. Patch by Chris Eibl.
  - gh-132429: Fix support of Bluetooth sockets on NetBSD and
    DragonFly BSD.
  - gh-132106: QueueListener.start now raises a RuntimeError if
    the listener is already started.
  - gh-132417: Fix a NULL pointer dereference when a C function
    called using ctypes with restype py_object returns NULL.
  - gh-132385: Fix instance error suggestions trigger potential
    exceptions in object.__getattr__() in traceback.
  - gh-132308: A traceback.TracebackException now correctly
    renders the __context__ and __cause__ attributes from
    falsey Exception, and the exceptions attribute from falsey
    ExceptionGroup.
  - gh-132250: Fixed the SystemError in cProfile when locating
    the actual C function of a method raises an exception.
  - gh-132063: Prevent exceptions that evaluate as
    falsey (namely, when their __bool__ method returns
    False or their __len__ method returns 0) from being
    ignored by concurrent.futures.ProcessPoolExecutor and
    concurrent.futures.ThreadPoolExecutor.
  - gh-119605: Respect follow_wrapped for __init__() and
    __new__() methods when getting the class signature for a
    class with inspect.signature(). Preserve class signature
    after wrapping with warnings.deprecated(). Patch by Xuehai
    Pan.
  - gh-91555: Ignore log messages generated during handling of
    log messages, to avoid deadlock or infinite recursion.
  - gh-131434: Improve error reporting for incorrect format in
    time.strptime().
  - gh-131127: Systems using LibreSSL now successfully build.
  - gh-130999: Avoid exiting the new REPL and offer suggestions
    even if there are non-string candidates when errors occur.
  - gh-130941: Fix configparser.ConfigParser parsing empty
    interpolation with allow_no_value set to True.
  - gh-129098: Fix REPL traceback reporting when using
    compile() with an inexisting file. Patch by Bénédikt Tran.
  - gh-130631: http.cookiejar.join_header_words() is now more
    similar to the original Perl version. It now quotes the
    same set of characters and always quote values that end
    with "\n".
  - gh-129719: Fix missing socket.CAN_RAW_ERR_FILTER constant
    in the socket module on Linux systems. It was missing since
    Python 3.11.
  - gh-124096: Turn on virtual terminal mode and enable
    bracketed paste in REPL on Windows console. (If the
    terminal does not support bracketed paste, enabling it does
    nothing.)
  - gh-122559: Remove __reduce__() and __reduce_ex__() methods
    that always raise TypeError in the C implementation
    of io.FileIO, io.BufferedReader, io.BufferedWriter
    and io.BufferedRandom and replace them with default
    __getstate__() methods that raise TypeError. This restores
    fine details of behavior of Python 3.11 and older versions.
  - gh-122179: hashlib.file_digest() now raises BlockingIOError
    when no data is available during non-blocking I/O. Before,
    it added spurious null bytes to the digest.
  - gh-86155: html.parser.HTMLParser.close() no longer loses
    data when the <script> tag is not closed. Patch by Waylan
    Limberg.
  - gh-69426: Fix html.parser.HTMLParser to not unescape
    character entities in attribute values if they are followed
    by an ASCII alphanumeric or an equals sign.
  - bpo-44172: Keep a reference to original curses windows in
    subwindows so that the original window does not get deleted
    before subwindows.
  - Tests
  - gh-133744: Fix multiprocessing interrupt test. Add an event
    to synchronize the parent process with the child process:
    wait until the child process starts sleeping. Patch by
    Victor Stinner.
  - gh-133639: Fix
    TestPyReplAutoindent.test_auto_indent_default() doesn’t run
    input_code.
  - gh-133131: The iOS testbed will now select the most
    recently released “SE-class” device for testing if a device
    isn’t explicitly specified.
  - gh-109981: The test helper that counts the list of open
    file descriptors now uses the optimised /dev/fd approach on
    all Apple platforms, not just macOS. This avoids crashes
    caused by guarded file descriptors.
  - IDLE
  - gh-112936: fix IDLE: no Shell menu item in single-process
    mode.
  - Documentation
  - gh-107006: Move documentation and example code for
    threading.local from its docstring to the official docs.
  - Core and Builtins
  - gh-134908: Fix crash when iterating over lines in a text
    file on the free threaded build.
  - gh-127682: No longer call __iter__ twice in list
    comprehensions. This brings the behavior of list
    comprehensions in line with other forms of iteration
  - gh-134381: Fix RuntimeError when using a not-started
    threading.Thread after calling os.fork()
  - gh-128066: Fixes an edge case where PyREPL improperly threw
    an error when Python is invoked on a read only filesystem
    while trying to write history file entries.
  - gh-134100: Fix a use-after-free bug that occurs when an
    imported module isn’t in sys.modules after its initial
    import. Patch by Nico-Posada.
  - gh-133703: Fix hashtable in dict can be bigger than
    intended in some situations.
  - gh-132869: Fix crash in the free threading build when
    accessing an object attribute that may be concurrently
    inserted or deleted.
  - gh-132762: fromkeys() no longer loops forever when adding
    a small set of keys to a large base dict. Patch by Angela
    Liss.
  - gh-133543: Fix a possible memory leak that could occur when
    directly accessing instance dictionaries (__dict__) that
    later become part of a reference cycle.
  - gh-133516: Raise ValueError when constants True, False or
    None are used as an identifier after NFKC normalization.
  - gh-133441: Fix crash upon setting an attribute with a dict
    subclass. Patch by Victor Stinner.
  - gh-132942: Fix two races in the type lookup cache. This
    affected the free-threaded build and could cause crashes
    (apparently quite difficult to trigger).
  - gh-132713: Fix repr(list) race condition: hold a strong
    reference to the item while calling repr(item). Patch by
    Victor Stinner.
  - gh-132747: Fix a crash when calling __get__() of a method
    with a None second argument.
  - gh-132542: Update Thread.native_id after fork(2) to ensure
    accuracy. Patch by Noam Cohen.
  - gh-124476: Fix decoding from the locale encoding in the
    C.UTF-8 locale.
  - gh-131927: Compiler warnings originating from the same
    module and line number are now only emitted once, matching
    the behaviour of warnings emitted from user code. This can
    also be configured with warnings filters.
  - gh-127682: No longer call __iter__ twice when creating and
    executing a generator expression. Creating a generator
    expression from a non-interable will raise only when the
    generator expression is executed. This brings the behavior
    of generator expressions in line with other generators.
  - gh-131878: Handle uncaught exceptions in the main input
    loop for the new REPL.
  - gh-131878: Fix support of unicode characters with two or
    more codepoints on Windows in the new REPL.
  - gh-130804: Fix support of unicode characters on Windows in
    the new REPL.
  - gh-130070: Fixed an assertion error for exec() passed a
    string source and a non-None closure. Patch by Bartosz
    Sławecki.
  - gh-129958: Fix a bug that was allowing newlines
    inconsitently in format specifiers for single-quoted
    f-strings. Patch by Pablo Galindo.
  - C API
  - gh-132909: Fix an overflow when handling the K format in
    Py_BuildValue(). Patch by Bénédikt Tran.
- Remove upstreamed patches:
  - CVE-2025-4516-DecodeError-handler.patch
  - gh-132535-rsrc-warn-test_timeout.patch

- Don't use %elif, it is supported only from rpm 4.15.0, which is
  not in SLE-15.

- Add CVE-2025-4516-DecodeError-handler.patch fixing
  CVE-2025-4516 (bsc#1243273) blocking DecodeError handling
  vulnerability, which could lead to DoS.

- Update to 3.13.11:
  - gh-142145: Remove quadratic behavior in xml.minidom node ID
    cache clearing (CVE-2025-12084, bsc#1254997).
  - gh-119451: Fix a potential memory denial of service in the
    http.client module. When connecting to a malicious server,
    it could cause an arbitrary amount of memory to be
    allocated. This could have led to symptoms including
    a MemoryError, swapping, out of memory (OOM) killed
    processes or containers, or even system crashes
    (bsc#1254400, CVE-2025-13836).
  - gh-119452: Fix a potential memory denial of service in the
    http.server module. When a malicious user is connected to
    the CGI server on Windows, it could cause an arbitrary
    amount of memory to be allocated. This could have led to
    symptoms including a MemoryError, swapping, out of memory
    (OOM) killed processes or containers, or even system
    crashes.
- Library
  - gh-140797: Revert changes to the undocumented re.Scanner
    class. Capturing groups are still allowed for backward
    compatibility, although using them can lead to incorrect
    result. They will be forbidden in future Python versions.
  - gh-142206: The resource tracker in the multiprocessing
    module now uses the original communication protocol, as in
    Python 3.14.0 and below, by default. This avoids issues
    with upgrading Python while it is running. (Note that such
    ‘in-place’ upgrades are not tested.) The tracker remains
    compatible with subprocesses that use new protocol (that
    is, subprocesses using Python 3.13.10, 3.14.1 and 3.15).
- Core and Builtins
  - gh-142218: Fix crash when inserting into a split table
    dictionary with a non str key that matches an existing key.
- Update to 3.13.10:
- Tools/Demos
  - gh-141442: The iOS testbed now correctly handles test
    arguments that contain spaces.
- Tests
  - gh-140482: Preserve and restore the state of stty echo as
    part of the test environment.
  - gh-140082: Update python -m test to set FORCE_COLOR=1 when
    being run with color enabled so that unittest which is run
    by it with redirected output will output in color.
  - gh-136442: Use exitcode 1 instead of 5 if
    unittest.TestCase.setUpClass() raises an exception
- Security
  - gh-139700: Check consistency of the zip64 end of central
    directory record. Support records with “zip64 extensible
    data” if there are no bytes prepended to the ZIP file.
    (CVE-2025-8291, bsc#1251305)
  - gh-137836: Add support of the “plaintext” element, RAWTEXT
    elements “xmp”, “iframe”, “noembed” and “noframes”, and
    optionally RAWTEXT element “noscript” in
    html.parser.HTMLParser.
  - gh-136063: email.message: ensure linear complexity for
    legacy HTTP parameters parsing. Patch by Bénédikt Tran.
  - gh-136065: Fix quadratic complexity in
    os.path.expandvars() (CVE-2025-6075, bsc#1252974).
  - gh-119342: Fix a potential memory denial of service in the
    plistlib module. When reading a Plist file received from
    untrusted source, it could cause an arbitrary amount of
    memory to be allocated. This could have led to symptoms
    including a MemoryError, swapping, out of memory (OOM)
    killed processes or containers, or even system crashes
    (CVE-2025-13837, bsc#1254401).
- Library
  - gh-74389: When the stdin being used by a subprocess.Popen
    instance is closed, this is now ignored in
    subprocess.Popen.communicate() instead of leaving the class
    in an inconsistent state.
  - gh-87512: Fix subprocess.Popen.communicate() timeout
    handling on Windows when writing large input. Previously,
    the timeout was ignored during stdin writing, causing the
    method to block indefinitely if the child process did not
    consume input quickly. The stdin write is now performed in
    a background thread, allowing the timeout to be properly
    enforced.
  - gh-141473: When subprocess.Popen.communicate() was called
    with input and a timeout and is called for a second time
    after a TimeoutExpired exception before the process has
    died, it should no longer hang.
  - gh-59000: Fix pdb breakpoint resolution for class methods
    when the module defining the class is not imported.
  - gh-141570: Support file-like object raising OSError from
    fileno() in color detection (_colorize.can_colorize()).
    This can occur when sys.stdout is redirected.
  - gh-141659: Fix bad file descriptor errors from
    _posixsubprocess on AIX.
  - gh-141497: ipaddress: ensure that the methods
    IPv4Network.hosts() and IPv6Network.hosts() always return
    an iterator.
  - gh-140938: The statistics.stdev() and statistics.pstdev()
    functions now raise a ValueError when the input contains an
    infinity or a NaN.
  - gh-124111: Updated Tcl threading configuration in _tkinter
    to assume that threads are always available in Tcl 9 and
    later.
  - gh-137109: The os.fork and related forking APIs will no
    longer warn in the common case where Linux or macOS
    platform APIs return the number of threads in a process and
    find the answer to be 1 even when a os.register_at_fork()
    after_in_parent= callback (re)starts a thread.
  - gh-141314: Fix assertion failure in io.TextIOWrapper.tell()
    when reading files with standalone carriage return (\r)
    line endings.
  - gh-141311: Fix assertion failure in io.BytesIO.readinto()
    and undefined behavior arising when read position is above
    capcity in io.BytesIO.
  - gh-141141: Fix a thread safety issue with
    base64.b85decode(). Contributed by Benel Tayar.
  - gh-140911: collections: Ensure that the methods
    UserString.rindex() and UserString.index() accept
    collections.UserString instances as the sub argument.
  - gh-140797: The undocumented re.Scanner class now forbids
    regular expressions containing capturing groups in its
    lexicon patterns. Patterns using capturing groups could
    previously lead to crashes with segmentation fault. Use
    non-capturing groups (?:…) instead.
  - gh-140815: faulthandler now detects if a frame or a code
    object is invalid or freed. Patch by Victor Stinner.
  - gh-100218: Correctly set errno when socket.if_nametoindex()
    or socket.if_indextoname() raise an OSError. Patch by
    Bénédikt Tran.
  - gh-140875: Fix handling of unclosed character references
    (named and numerical) followed by the end of file in
    html.parser.HTMLParser with convert_charrefs=False.
  - gh-140734: multiprocessing: fix off-by-one error when
    checking the length of a temporary socket file path. Patch
    by Bénédikt Tran.
  - gh-140874: Bump the version of pip bundled in ensurepip to
    version 25.3
  - gh-140691: In urllib.request, when opening a FTP URL fails
    because a data connection cannot be made, the control
    connection’s socket is now closed to avoid
    a ResourceWarning.
  - gh-103847: Fix hang when cancelling process created by
    asyncio.create_subprocess_exec() or
    asyncio.create_subprocess_shell(). Patch by Kumar Aditya.
  - gh-140590: Fix arguments checking for the
    functools.partial.__setstate__() that may lead to internal
    state corruption and crash. Patch by Sergey Miryanov.
  - gh-140634: Fix a reference counting bug in
    os.sched_param.__reduce__().
  - gh-140633: Ignore AttributeError when setting a module’s
    __file__ attribute when loading an extension module
    packaged as Apple Framework.
  - gh-140593: xml.parsers.expat: Fix a memory leak that could
    affect users with ElementDeclHandler() set to a custom
    element declaration handler. Patch by Sebastian Pipping.
  - gh-140607: Inside io.RawIOBase.read(), validate that the
    count of bytes returned by io.RawIOBase.readinto() is valid
    (inside the provided buffer).
  - gh-138162: Fix logging.LoggerAdapter with merge_extra=True
    and without the extra argument.
  - gh-140474: Fix memory leak in array.array when creating
    arrays from an empty str and the u type code.
  - gh-140272: Fix memory leak in the clear() method of the
    dbm.gnu database.
  - gh-140041: Fix import of ctypes on Android and Cygwin when
    ABI flags are present.
  - gh-139905: Add suggestion to error message for
    typing.Generic subclasses when cls.__parameters__ is
    missing due to a parent class failing to call
    super().__init_subclass__() in its __init_subclass__.
  - gh-139845: Fix to not print KeyboardInterrupt twice in
    default asyncio REPL.
  - gh-139783: Fix inspect.getsourcelines() for the case when
    a decorator is followed by a comment or an empty line.
  - gh-70765: http.server: fix default handling of HTTP/0.9
    requests in BaseHTTPRequestHandler. Previously,
    BaseHTTPRequestHandler.parse_request() incorrectly waited
    for headers in the request although those are not supported
    in HTTP/0.9. Patch by Bénédikt Tran.
  - gh-139391: Fix an issue when, on non-Windows platforms, it
    was not possible to gracefully exit a python -m asyncio
    process suspended by Ctrl+Z and later resumed by fg other
    than with kill.
  - gh-101828: Fix 'shift_jisx0213', 'shift_jis_2004',
    'euc_jisx0213' and 'euc_jis_2004' codecs truncating null
    chars as they were treated as part of multi-character
    sequences.
  - gh-139246: fix: paste zero-width in default repl width is
    wrong.
  - gh-90949: Add SetAllocTrackerActivationThreshold() and
    SetAllocTrackerMaximumAmplification() to xmlparser objects
    to prevent use of disproportional amounts of dynamic memory
    from within an Expat parser. Patch by Bénédikt Tran.
  - gh-139065: Fix trailing space before a wrapped long word if
    the line length is exactly width in textwrap.
  - gh-138993: Dedent credits text.
  - gh-138859: Fix generic type parameterization raising
    a TypeError when omitting a ParamSpec that has a default
    which is not a list of types.
  - gh-138775: Use of python -m with base64 has been fixed to
    detect input from a terminal so that it properly notices
    EOF.
  - gh-98896: Fix a failure in multiprocessing resource_tracker
    when SharedMemory names contain colons. Patch by Rani
    Pinchuk.
  - gh-75989: tarfile.TarFile.extractall() and
    tarfile.TarFile.extract() now overwrite symlinks when
    extracting hardlinks. (Contributed by Alexander Enrique
    Urieles Nieto in gh-75989.)
  - gh-83424: Allows creating a ctypes.CDLL without name when
    passing a handle as an argument.
  - gh-136234: Fix asyncio.WriteTransport.writelines() to be
    robust to connection failure, by using the same behavior as
    write().
  - gh-136057: Fixed the bug in pdb and bdb where next and step
    can’t go over the line if a loop exists in the line.
  - gh-135307: email: Fix exception in set_content() when
    encoding text and max_line_length is set to 0 or None
    (unlimited).
  - gh-134453: Fixed subprocess.Popen.communicate() input=
    handling of memoryview instances that were non-byte shaped
    on POSIX platforms. Those are now properly cast to a byte
    shaped view instead of truncating the input. Windows
    platforms did not have this bug.
  - gh-102431: Clarify constraints for “logical” arguments in
    methods of decimal.Context.
- IDLE
  - gh-96491: Deduplicate version number in IDLE shell title
    bar after saving to a file.
- Documentation
  - gh-141994: xml.sax.handler: Make Documentation of
    xml.sax.handler.feature_external_ges warn of opening up to
    external entity attacks. Patch by Sebastian Pipping.
  - gh-140578: Remove outdated sencence in the documentation
    for multiprocessing, that implied that
    concurrent.futures.ThreadPoolExecutor did not exist.
- Core and Builtins
  - gh-142048: Fix quadratically increasing garbage collection
    delays in free-threaded build.
  - gh-141930: When importing a module, use Python’s regular
    file object to ensure that writes to .pyc files are
    complete or an appropriate error is raised.
  - gh-120158: Fix inconsistent state when enabling or
    disabling monitoring events too many times.
  - gh-141579: Fix sys.activate_stack_trampoline() to properly
    support the perf_jit backend. Patch by Pablo Galindo.
  - gh-141312: Fix the assertion failure in the __setstate__
    method of the range iterator when a non-integer argument is
    passed. Patch by Sergey Miryanov.
  - gh-140939: Fix memory leak when bytearray or bytes is
    formated with the
    %*b format with a large width that results in
    %a MemoryError.
  - gh-140530: Fix a reference leak when raise exc from cause
    fails. Patch by Bénédikt Tran.
  - gh-140576: Fixed crash in tokenize.generate_tokens() in
    case of specific incorrect input. Patch by Mikhail Efimov.
  - gh-140551: Fixed crash in dict if dict.clear() is called at
    the lookup stage. Patch by Mikhail Efimov and Inada Naoki.
  - gh-140471: Fix potential buffer overflow in ast.AST node
    initialization when encountering malformed _fields
    containing non-str.
  - gh-140406: Fix memory leak when an object’s __hash__()
    method returns an object that isn’t an int.
  - gh-140306: Fix memory leaks in cross-interpreter channel
    operations and shared namespace handling.
  - gh-140301: Fix memory leak of PyConfig in subinterpreters.
  - gh-140000: Fix potential memory leak when a reference cycle
    exists between an instance of typing.TypeAliasType,
    typing.TypeVar, typing.ParamSpec, or typing.TypeVarTuple
    and its __name__ attribute. Patch by Mikhail Efimov.
  - gh-139748: Fix reference leaks in error branches of
    functions accepting path strings or bytes such as compile()
    and os.system(). Patch by Bénédikt Tran.
  - gh-139516: Fix lambda colon erroneously start format spec
    in f-string in tokenizer.
  - gh-139640: Fix swallowing some syntax warnings in different
    modules if they accidentally have the same message and are
    emitted from the same line. Fix duplicated warnings in the
    finally block.
  - gh-137400: Fix a crash in the free threading build when
    disabling profiling or tracing across all threads with
    PyEval_SetProfileAllThreads() or
    PyEval_SetTraceAllThreads() or their Python equivalents
    threading.settrace_all_threads() and
    threading.setprofile_all_threads().
  - gh-133400: Fixed Ctrl+D (^D) behavior in _pyrepl module to
    match old pre-3.13 REPL behavior.
- C API
  - gh-140042: Removed the sqlite3_shutdown call that could
    cause closing connections for sqlite when used with
    multiple sub interpreters.
  - gh-140487: Fix Py_RETURN_NOTIMPLEMENTED in limited C API
    3.11 and older: don’t treat Py_NotImplemented as immortal.
    Patch by Victor Stinner.
- Remove upstreamed patches:
  - CVE-2025-13836-http-resp-cont-len.patch
  - CVE-2025-8291-consistency-zip64.patch
  - CVE-2025-6075-expandvars-perf-degrad.patch

- Add pass-test_write_read_limited_history.patch:
  Fix readline history truncation when length is reduced
  The `readline.set_history_length()` function did not previously
  truncate the in-memory history when the new length was set to
  a value smaller than the current number of history items. This
  could lead to unexpected behavior where `get_history_length()`
  would still report the old length and writing the history to a
  file would write more entries than the new limit.
  This patch modifies `set_history_length()` to explicitly
  remove the oldest history entries using `remove_history()`
  when the length is decreased, ensuring the in-memory history
  is correctly truncated to the new limit. This brings the
  function's behavior in line with expectations and fixes
  failures in `test_write_read_limited_history`.

- Add CVE-2025-6075-expandvars-perf-degrad.patch avoid simple
  quadratic complexity vulnerabilities of os.path.expandvars()
  (CVE-2025-6075, bsc#1252974).

- Add CVE-2025-8291-consistency-zip64.patch which checks
  consistency of the zip64 end of central directory record, and
  preventing obfuscation of the payload, i.e., you scanning for
  malicious content in a ZIP file with one ZIP parser (let's say
  a Rust one) then unpack it in production with another (e.g.,
  the Python one) and get malicious content that the other parser
  did not see (CVE-2025-8291, bsc#1251305)
- Readjust patches while synchronizing between openSUSE and SLE trees:
  - F00251-change-user-install-location.patch
  - doc-py38-to-py36.patch
  - gh126985-mv-pyvenv.cfg2getpath.patch

- Update to 3.13.9:
  - Library
  - gh-139783: Fix inspect.getsourcelines() for the case when a
    decorator is followed by a comment or an empty line.
- Update to 3.13.8:
  - macOS
  - gh-124111: Update macOS installer to use Tcl/Tk 8.6.17.
  - gh-139573: Updated bundled version of OpenSSL to 3.0.18.
  - Windows
  - gh-139573: Updated bundled version of OpenSSL to 3.0.18.
  - gh-138896: Fix error installing C runtime on non-updated Windows
    machines
  - Tools/Demos
  - gh-139330: SBOM generation tool didn’t cross-check the version
    and checksum values against the Modules/expat/refresh.sh script,
    leading to the values becoming out-of-date during routine
    updates.
  - gh-137873: The iOS test runner has been simplified, resolving
    some issues that have been observed using the runner in GitHub
    Actions and Azure Pipelines test environments.
  - Tests
  - gh-139208: Fix regrtest --fast-ci --verbose: don’t ignore the
  - -verbose option anymore. Patch by Victor Stinner.
  - Security
  - gh-139400: xml.parsers.expat: Make sure that parent Expat
    parsers are only garbage-collected once they are no longer
    referenced by subparsers created by
    ExternalEntityParserCreate(). Patch by Sebastian Pipping.
  - gh-139283: sqlite3: correctly handle maximum number of rows to
    fetch in Cursor.fetchmany and reject negative values for
    Cursor.arraysize. Patch by Bénédikt Tran.
  - gh-135661: Fix CDATA section parsing in html.parser.HTMLParser
    according to the HTML5 standard: ] ]> and ]] > no longer end the
    CDATA section. Add private method _set_support_cdata() which can
    be used to specify how to parse <[CDATA[ — as a CDATA section in
    foreign content (SVG or MathML) or as a bogus comment in the
    HTML namespace.
  - Library
  - gh-139312: Upgrade bundled libexpat to 2.7.3
  - gh-139289: Do a real lazy-import on rlcompleter in pdb and
    restore the existing completer after importing rlcompleter.
  - gh-139210: Fix use-after-free when reporting unknown event in
    xml.etree.ElementTree.iterparse(). Patch by Ken Jin.
  - gh-138860: Lazy import rlcompleter in pdb to avoid deadlock in
    subprocess.
  - gh-112729: Fix crash when calling _interpreters.create when the
    process is out of memory.
  - gh-139076: Fix a bug in the pydoc module that was hiding
    functions in a Python module if they were implemented in an
    extension module and the module did not have __all__.
  - gh-138998: Update bundled libexpat to 2.7.2
  - gh-130567: Fix possible crash in locale.strxfrm() due to a
    platform bug on macOS.
  - gh-138779: Support device numbers larger than 2**63-1 for the
    st_rdev field of the os.stat_result structure.
  - gh-128636: Fix crash in PyREPL when os.environ is overwritten
    with an invalid value for mac
  - gh-88375: Fix normalization of the robots.txt rules and URLs in
    the urllib.robotparser module. No longer ignore trailing ?.
    Distinguish raw special characters ?, = and & from the
    percent-encoded ones.
  - gh-138515: email is added to Emscripten build.
  - gh-111788: Fix parsing errors in the urllib.robotparser module.
    Don’t fail trying to parse weird paths. Don’t fail trying to
    decode non-UTF-8 robots.txt files.
  - gh-138432: zoneinfo.reset_tzpath() will now convert any
    os.PathLike objects it receives into strings before adding them
    to TZPATH. It will raise TypeError if anything other than a
    string is found after this conversion. If given an os.PathLike
    object that represents a relative path, it will now raise
    ValueError instead of TypeError, and present a more informative
    error message.
  - gh-138008: Fix segmentation faults in the ctypes module due to
    invalid argtypes. Patch by Dung Nguyen.
  - gh-60462: Fix locale.strxfrm() on Solaris (and possibly other
    platforms).
  - gh-138204: Forbid expansion of shared anonymous memory maps on
    Linux, which caused a bus error.
  - gh-138010: Fix an issue where defining a class with a
    @warnings.deprecated-decorated base class may not invoke the
    correct __init_subclass__() method in cases involving multiple
    inheritance. Patch by Brian Schubert.
  - gh-138133: Prevent infinite traceback loop when sending CTRL^C
    to Python through strace.
  - gh-134869: Fix an issue where pressing Ctrl+C during tab
    completion in the REPL would leave the autocompletion menu in a
    corrupted state.
  - gh-137317: inspect.signature() now correctly handles classes
    that use a descriptor on a wrapped __init__() or __new__()
    method. Contributed by Yongyu Yan.
  - gh-137754: Fix import of the zoneinfo module if the C
    implementation of the datetime module is not available.
  - gh-137490: Handle ECANCELED in the same way as EINTR in
    signal.sigwaitinfo() on NetBSD.
  - gh-137477: Fix inspect.getblock(), inspect.getsourcelines() and
    inspect.getsource() for generator expressions.
  - gh-137017: Fix threading.Thread.is_alive to remain True until
    the underlying OS thread is fully cleaned up. This avoids false
    negatives in edge cases involving thread monitoring or premature
    threading.Thread.is_alive calls.
  - gh-136134: SMTP.auth_cram_md5() now raises an SMTPException
    instead of a ValueError if Python has been built without MD5
    support. In particular, SMTP clients will not attempt to use
    this method even if the remote server is assumed to support it.
    Patch by Bénédikt Tran.
  - gh-136134: IMAP4.login_cram_md5 now raises an IMAP4.error if
    CRAM-MD5 authentication is not supported. Patch by Bénédikt
    Tran.
  - gh-135386: Fix opening a dbm.sqlite3 database for reading from
    read-only file or directory.
  - gh-126631: Fix multiprocessing forkserver bug which prevented
    __main__ from being preloaded.
  - gh-123085: In a bare call to importlib.resources.files(), ensure
    the caller’s frame is properly detected when importlib.resources
    is itself available as a compiled module only (no source).
  - gh-118981: Fix potential hang in
    multiprocessing.popen_spawn_posix that can happen when the child
    proc dies early by closing the child fds right away.
  - gh-78319: UTF8 support for the IMAP APPEND command has been made
    RFC compliant.
  - bpo-38735: Fix failure when importing a module from the root
    directory on unix-like platforms with sys.pycache_prefix set.
  - bpo-41839: Allow negative priority values from
    os.sched_get_priority_min() and os.sched_get_priority_max()
    functions.
  - Core and Builtins
  - gh-134466: Don’t run PyREPL in a degraded environment where
    setting termios attributes is not allowed.
  - gh-71810: Raise OverflowError for (-1).to_bytes() for signed
    conversions when bytes count is zero. Patch by Sergey B
    Kirpichev.
  - gh-105487: Remove non-existent __copy__(), __deepcopy__(), and
    __bases__ from the __dir__() entries of types.GenericAlias.
  - gh-134163: Fix a hang when the process is out of memory inside
    an exception handler.
  - gh-138479: Fix a crash when a generic object’s __typing_subst__
    returns an object that isn’t a tuple.
  - gh-137576: Fix for incorrect source code being shown in
    tracebacks from the Basic REPL when PYTHONSTARTUP is given.
    Patch by Adam Hartz.
  - gh-132744: Certain calls now check for runaway recursion and
    respect the system recursion limit.
  - C API
  - gh-87135: Attempting to acquire the GIL after runtime
    finalization has begun in a different thread now causes the
    thread to hang rather than terminate, which avoids potential
    crashes or memory corruption caused by attempting to terminate a
    thread that is running code not specifically designed to support
    termination. In most cases this hanging is harmless since the
    process will soon exit anyway.
    While not officially marked deprecated until 3.14,
    PyThread_exit_thread is no longer called internally and remains
    solely for interface compatibility. Its behavior is inconsistent
    across platforms, and it can only be used safely in the unlikely
    case that every function in the entire call stack has been
    designed to support the platform-dependent termination
    mechanism. It is recommended that users of this function change
    their design to not require thread termination. In the unlikely
    case that thread termination is needed and can be done safely,
    users may migrate to calling platform-specific APIs such as
    pthread_exit (POSIX) or _endthreadex (Windows) directly.
  - Build
  - gh-135734: Python can correctly be configured and built with
    ./configure --enable-optimizations --disable-test-modules.
    Previously, the profile data generation step failed due to PGO
    tests where immortalization couldn’t be properly suppressed.
    Patch by Bénédikt Tran.

- Add gh139257-Support-docutils-0.22.patch to fix build with latest
  docutils (>=0.22) gh#python/cpython#139257

- Drop AppStream: this results in a different cycle than
  appstream-glib. As the appdata.xml is controlled by ourselves, we
  can get away with just manually validating it when changing it.

- Require AppStream to validate appdata file instead of deprecated
  appstream-glib.
- Update idle3.appdata.xml to pass the more pedantic appstreamcli.

- Add gh138131-exclude-pycache-from-digest.patch fixing reproducible
  build for python-nogil.
  (bsc#1244680, gh#python/cpython#138131)

- Update to 3.13.7:
  - gh-137583: Fix a deadlock introduced in 3.13.6 when a call
    to ssl.SSLSocket.recv was blocked in one thread, and then
    another method on the object (such as ssl.SSLSocket.send) was
    subsequently called in another thread.
  - gh-137044: Return large limit values as positive integers
    instead of negative integers in resource.getrlimit().
    Accept large values and reject negative values (except
    RLIM_INFINITY) for limits in resource.setrlimit().
  - gh-136914: Fix retrieval of doctest.DocTest.lineno
    for objects decorated with functools.cache() or
    functools.cached_property.
  - gh-131788: Make ResourceTracker.send from multiprocessing
    re-entrant safe
  - gh-136155: We are now checking for fatal errors in EPUB
    builds in CI.
  - gh-137400: Fix a crash in the free threading build when
    disabling profiling or tracing across all threads with
    PyEval_SetProfileAllThreads() or PyEval_SetTraceAllThreads()
    or their Python equivalents threading.settrace_all_threads()
    and threading.setprofile_all_threads().
- Remove upstreamed patch:
  - gh137583-only-lock-SSL-context.patch