00476: CVE-2026-1299

pythongh-144125: email: verify headers are sound in BytesGenerator
(cherry picked from commit 052e55e)

Co-authored-by: Seth Michael Larson <[email protected]>
Co-authored-by: Denis Ledoux <[email protected]>
Co-authored-by: Denis Ledoux <[email protected]>
Co-authored-by: Petr Viktorin <[email protected]>
Co-authored-by: Bas Bloemsaat <[email protected]>

00477: Raise an error when importing stdlib modules compiled for a di…

…fferent Python version

This is a downstream workaround "implementing"
python#137212 -
the mechanism for the check exists in Python 3.15+, where it needs to be
added to the standard library modules.
In Fedora, we need it also in previous Python versions, as we experience
segmentation fault when importing stdlib modules after update while
Python is running.

_tkinter, _tracemalloc and readline are not calling PyModuleDef_Init,
which is modified with this patch, hence they need a
direct call to the check function.

Co-Authored-By: Karolina Surma <[email protected]>

00475: CVE-2025-15367

pythongh-143923: Reject control characters in POP3 commands

(cherry-picked from commit b234a2b)

00475: CVE-2025-15367

pythongh-143923: Reject control characters in POP3 commands

(cherry-picked from commit b234a2b)

00475: CVE-2025-15367

pythongh-143923: Reject control characters in POP3 commands

(cherry-picked from commit b234a2b)

00475: CVE-2025-15367

Reject control characters in POP3 commands

00475: CVE-2025-15367

pythongh-143923: Reject control characters in POP3 commands

(cherry-picked from commit b234a2b)

00476: CVE-2026-1299

pythongh-144125: email: verify headers are sound in BytesGenerator

(cherry picked from commit 8cdf620)

Co-authored-by: Seth Michael Larson <[email protected]>
Co-authored-by: Denis Ledoux <[email protected]>
Co-authored-by: Denis Ledoux <[email protected]>
Co-authored-by: Petr Viktorin <[email protected]>
Co-authored-by: Bas Bloemsaat <[email protected]>

The fix for the CVE uncovered a known issue in handling
policy.linesep lengths fixed by:

bpo-34424: Handle different policy.linesep lengths correctly. (python#8803)

(cherry-picked from commit 45b2f88)

Co-authored-by: Jens Troeger <[email protected]>

00466: Downstream only: Skip tests not working with older expat version

We want to run these tests in Fedora and EPEL 10, but not in EPEL 9,
which has too old version of expat. We set the upper bound version
in the conditionalized skip to a release available in CentOS Stream 10,
which is tested as working.

00471: CVE-2025-12084

* pythongh-142145: Remove quadratic behavior in node ID cache clearing (pythonGH-142146)
* pythongh-142754: Ensure that Element & Attr instances have the ownerDocument attribute (pythonGH-142794)
(cherry picked from commit 1cc7551)
(cherry picked from commit 08d8e18)
(cherry picked from commit 8d2d7bb)

Co-authored-by: Jacob Walls <[email protected]>
Co-authored-by: Seth Michael Larson <[email protected]>
Co-authored-by: Petr Viktorin <[email protected]>
Co-authored-by: Hugo van Kemenade <[email protected]>
Co-authored-by: Gregory P. Smith <[email protected]>
Co-authored-by: Hugo van Kemenade <[email protected]>
Co-authored-by: Gregory P. Smith <[email protected]>
Co-authored-by: Gregory P. Smith <[email protected]>