import python3.11-3.11.7-1.el9_4.3

.python3.11.checksum

-69ef25b4a9e66e43733ed37bcae564a97fcc8bb748abf86448ba17ee17f244ea
+ff74218a4228e9cdaf2b575a562f1b59f15cfa952060f2ec332d3d1bd984619b

SOURCES/00329-fips.patch

-From ecc5137120f471c22ff6dcb1bd128561c31e023c Mon Sep 17 00:00:00 2001
+From 4345f8ea8a56a58ef8a48439c0e201702d1012a2 Mon Sep 17 00:00:00 2001
 From: Charalampos Stratakis <cstratak@redhat.com>
 Date: Thu, 12 Dec 2019 16:58:31 +0100
 Subject: [PATCH 1/7] Expose blake2b and blake2s hashes from OpenSSL
@@ -205,10 +205,10 @@ index 5d84f4a..011026a 100644
 -/*[clinic end generated code: output=69f2374071bff707 input=a9049054013a1b77]*/
 +/*[clinic end generated code: output=c6a9af5563972eda input=a9049054013a1b77]*/
 -- 
-2.43.0
+2.45.0
 
 
-From 0198d467525e79cb4be4418708719af3eaee7a40 Mon Sep 17 00:00:00 2001
+From 1f79be1a11ad6811913c239da980c5bab0f1c538 Mon Sep 17 00:00:00 2001
 From: Petr Viktorin <pviktori@redhat.com>
 Date: Thu, 1 Aug 2019 17:57:05 +0200
 Subject: [PATCH 2/7] Use a stronger hash in multiprocessing handshake
@@ -253,10 +253,10 @@ index 8b81f99..69c0b7e 100644
      response = connection.recv_bytes(256)        # reject large message
      if response != WELCOME:
 -- 
-2.43.0
+2.45.0
 
 
-From a7822e2e1f21529e9730885bd8c9c6ab7c704d5b Mon Sep 17 00:00:00 2001
+From e069ed2dcd0edf0de489eb387267fb35a92ed506 Mon Sep 17 00:00:00 2001
 From: Petr Viktorin <pviktori@redhat.com>
 Date: Thu, 25 Jul 2019 17:19:06 +0200
 Subject: [PATCH 3/7] Disable Python's hash implementations in FIPS mode,
@@ -460,10 +460,10 @@ index 52d5c1f..56aff78 100644
  PY_STDLIB_MOD([_crypt],
    [], [test "$ac_cv_crypt_crypt" = yes],
 -- 
-2.43.0
+2.45.0
 
 
-From e9ce6d33544559172dbebbe0c0dfba2757c62331 Mon Sep 17 00:00:00 2001
+From 2e0c5086f4a52803595e19795111278c3c80ee2f Mon Sep 17 00:00:00 2001
 From: Charalampos Stratakis <cstratak@redhat.com>
 Date: Fri, 29 Jan 2021 14:16:21 +0100
 Subject: [PATCH 4/7] Use python's fall back crypto implementations only if we
@@ -623,10 +623,10 @@ index 01d12f5..a7cdb07 100644
      def test_pbkdf2_hmac_py(self):
          with warnings_helper.check_warnings():
 -- 
-2.43.0
+2.45.0
 
 
-From 641c617775b6973ed84711a2602ba190fe064474 Mon Sep 17 00:00:00 2001
+From 0e1d2a67ef66cccc9afa4a515dc34ce587946f22 Mon Sep 17 00:00:00 2001
 From: Charalampos Stratakis <cstratak@redhat.com>
 Date: Wed, 31 Jul 2019 15:43:43 +0200
 Subject: [PATCH 5/7] Test equivalence of hashes for the various digests with
@@ -783,10 +783,10 @@ index a7cdb07..c071f28 100644
  class KDFTests(unittest.TestCase):
  
 -- 
-2.43.0
+2.45.0
 
 
-From a706c8342f0f9307d44c43c203702e1476fe73b4 Mon Sep 17 00:00:00 2001
+From f1c9ecbb2e2f08d792fb0557058824eed23abb7b Mon Sep 17 00:00:00 2001
 From: Petr Viktorin <pviktori@redhat.com>
 Date: Mon, 26 Aug 2019 19:39:48 +0200
 Subject: [PATCH 6/7] Guard against Python HMAC in FIPS mode
@@ -900,290 +900,41 @@ index a39a2c4..0742a1c 100644
      def test_realcopy_old(self):
          # Testing if the copy method created a real copy.
 -- 
-2.43.0
+2.45.0
 
+From a0c3f9ac5a4e60ab22418a3196ae46ba34e9477b Mon Sep 17 00:00:00 2001
+From: Nikita Sobolev <mail@sobolevn.me>
+Date: Thu, 24 Nov 2022 01:47:31 +0300
+Subject: [PATCH 7/7] closes gh-99508: fix `TypeError` in
+ `Lib/importlib/_bootstrap_external.py` (GH-99635)
 
-From 03f1dedfe5d29af20fb3686d76b045384d41d8dd Mon Sep 17 00:00:00 2001
-From: Petr Viktorin <encukou@gmail.com>
-Date: Wed, 25 Aug 2021 16:44:43 +0200
-Subject: [PATCH 7/7] Disable hash-based PYCs in FIPS mode
-
-If FIPS mode is on, we can't use siphash-based HMAC
-(_Py_KeyedHash), so:
-
-- Unchecked hash PYCs can be imported, but not created
-- Checked hash PYCs can not be imported nor created
-- The default mode is timestamp-based PYCs, even if
-  SOURCE_DATE_EPOCH is set.
-
-If FIPS mode is off, there are no changes in behavior.
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1835169
 ---
- Lib/py_compile.py                             |  2 ++
- Lib/test/support/__init__.py                  | 14 +++++++++++++
- Lib/test/test_cmd_line_script.py              |  2 ++
- Lib/test/test_compileall.py                   | 11 +++++++++-
- Lib/test/test_imp.py                          |  2 ++
- .../test_importlib/source/test_file_loader.py |  6 ++++++
- Lib/test/test_py_compile.py                   | 11 ++++++++--
- Lib/test/test_zipimport.py                    |  2 ++
- Python/import.c                               | 20 +++++++++++++++++++
- 9 files changed, 67 insertions(+), 3 deletions(-)
+ Lib/importlib/_bootstrap_external.py                           | 3 ++-
+ .../next/Library/2022-11-21-10-45-54.gh-issue-99508.QqVbby.rst | 2 ++
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Library/2022-11-21-10-45-54.gh-issue-99508.QqVbby.rst
 
-diff --git a/Lib/py_compile.py b/Lib/py_compile.py
-index db52725..5fca65e 100644
---- a/Lib/py_compile.py
-+++ b/Lib/py_compile.py
-@@ -70,7 +70,9 @@ class PycInvalidationMode(enum.Enum):
- 
- 
- def _get_default_invalidation_mode():
-+    import _hashlib
-     if (os.environ.get('SOURCE_DATE_EPOCH') and not
-+            _hashlib.get_fips_mode() and not
-             os.environ.get('RPM_BUILD_ROOT')):
-         return PycInvalidationMode.CHECKED_HASH
-     else:
-diff --git a/Lib/test/support/__init__.py b/Lib/test/support/__init__.py
-index dc7a6e6..646b328 100644
---- a/Lib/test/support/__init__.py
-+++ b/Lib/test/support/__init__.py
-@@ -2203,6 +2203,20 @@ def sleeping_retry(timeout, err_msg=None, /,
-         delay = min(delay * 2, max_delay)
- 
- 
-+def fails_in_fips_mode(expected_error):
-+    import _hashlib
-+    if _hashlib.get_fips_mode():
-+        def _decorator(func):
-+            def _wrapper(self, *args, **kwargs):
-+                with self.assertRaises(expected_error):
-+                    func(self, *args, **kwargs)
-+            return _wrapper
-+    else:
-+        def _decorator(func):
-+            return func
-+    return _decorator
-+
-+
- @contextlib.contextmanager
- def adjust_int_max_str_digits(max_digits):
-     """Temporarily change the integer string conversion length limit."""
-diff --git a/Lib/test/test_cmd_line_script.py b/Lib/test/test_cmd_line_script.py
-index 7fcd563..476b557 100644
---- a/Lib/test/test_cmd_line_script.py
-+++ b/Lib/test/test_cmd_line_script.py
-@@ -286,6 +286,7 @@ class CmdLineTest(unittest.TestCase):
-             self._check_script(zip_name, run_name, zip_name, zip_name, '',
-                                zipimport.zipimporter)
- 
-+    @support.fails_in_fips_mode(ImportError)
-     def test_zipfile_compiled_checked_hash(self):
-         with os_helper.temp_dir() as script_dir:
-             script_name = _make_test_script(script_dir, '__main__')
-@@ -296,6 +297,7 @@ class CmdLineTest(unittest.TestCase):
-             self._check_script(zip_name, run_name, zip_name, zip_name, '',
-                                zipimport.zipimporter)
- 
-+    @support.fails_in_fips_mode(ImportError)
-     def test_zipfile_compiled_unchecked_hash(self):
-         with os_helper.temp_dir() as script_dir:
-             script_name = _make_test_script(script_dir, '__main__')
-diff --git a/Lib/test/test_compileall.py b/Lib/test/test_compileall.py
-index 9cd92ad..4ec29a1 100644
---- a/Lib/test/test_compileall.py
-+++ b/Lib/test/test_compileall.py
-@@ -806,14 +806,23 @@ class CommandLineTestsBase:
-         out = self.assertRunOK('badfilename')
-         self.assertRegex(out, b"Can't list 'badfilename'")
- 
--    def test_pyc_invalidation_mode(self):
-+    @support.fails_in_fips_mode(AssertionError)
-+    def test_pyc_invalidation_mode_checked(self):
-         script_helper.make_script(self.pkgdir, 'f1', '')
-         pyc = importlib.util.cache_from_source(
-             os.path.join(self.pkgdir, 'f1.py'))
-+
-         self.assertRunOK('--invalidation-mode=checked-hash', self.pkgdir)
-         with open(pyc, 'rb') as fp:
-             data = fp.read()
-         self.assertEqual(int.from_bytes(data[4:8], 'little'), 0b11)
-+
-+    @support.fails_in_fips_mode(AssertionError)
-+    def test_pyc_invalidation_mode_unchecked(self):
-+        script_helper.make_script(self.pkgdir, 'f1', '')
-+        pyc = importlib.util.cache_from_source(
-+            os.path.join(self.pkgdir, 'f1.py'))
-+
-         self.assertRunOK('--invalidation-mode=unchecked-hash', self.pkgdir)
-         with open(pyc, 'rb') as fp:
-             data = fp.read()
-diff --git a/Lib/test/test_imp.py b/Lib/test/test_imp.py
-index 4062afd..6bc276d 100644
---- a/Lib/test/test_imp.py
-+++ b/Lib/test/test_imp.py
-@@ -352,6 +352,7 @@ class ImportTests(unittest.TestCase):
-         import _frozen_importlib
-         self.assertEqual(_frozen_importlib.__spec__.origin, "frozen")
- 
-+    @support.fails_in_fips_mode(ImportError)
-     def test_source_hash(self):
-         self.assertEqual(_imp.source_hash(42, b'hi'), b'\xfb\xd9G\x05\xaf$\x9b~')
-         self.assertEqual(_imp.source_hash(43, b'hi'), b'\xd0/\x87C\xccC\xff\xe2')
-@@ -371,6 +372,7 @@ class ImportTests(unittest.TestCase):
-             res = script_helper.assert_python_ok(*args)
-             self.assertEqual(res.out.strip().decode('utf-8'), expected)
- 
-+    @support.fails_in_fips_mode(ImportError)
-     def test_find_and_load_checked_pyc(self):
-         # issue 34056
-         with os_helper.temp_cwd():
-diff --git a/Lib/test/test_importlib/source/test_file_loader.py b/Lib/test/test_importlib/source/test_file_loader.py
-index 378dcbe..7b223a1 100644
---- a/Lib/test/test_importlib/source/test_file_loader.py
-+++ b/Lib/test/test_importlib/source/test_file_loader.py
-@@ -16,6 +16,7 @@ import types
- import unittest
- import warnings
- 
-+from test import support
- from test.support.import_helper import make_legacy_pyc, unload
- 
- from test.test_py_compile import without_source_date_epoch
-@@ -238,6 +239,7 @@ class SimpleTest(abc.LoaderTests):
-                 loader.load_module('bad name')
- 
-     @util.writes_bytecode_files
-+    @support.fails_in_fips_mode(ImportError)
-     def test_checked_hash_based_pyc(self):
-         with util.create_modules('_temp') as mapping:
-             source = mapping['_temp']
-@@ -269,6 +271,7 @@ class SimpleTest(abc.LoaderTests):
-             )
- 
-     @util.writes_bytecode_files
-+    @support.fails_in_fips_mode(ImportError)
-     def test_overridden_checked_hash_based_pyc(self):
-         with util.create_modules('_temp') as mapping, \
-              unittest.mock.patch('_imp.check_hash_based_pycs', 'never'):
-@@ -294,6 +297,7 @@ class SimpleTest(abc.LoaderTests):
-             self.assertEqual(mod.state, 'old')
- 
-     @util.writes_bytecode_files
-+    @support.fails_in_fips_mode(ImportError)
-     def test_unchecked_hash_based_pyc(self):
-         with util.create_modules('_temp') as mapping:
-             source = mapping['_temp']
-@@ -324,6 +328,7 @@ class SimpleTest(abc.LoaderTests):
-             )
- 
-     @util.writes_bytecode_files
-+    @support.fails_in_fips_mode(ImportError)
-     def test_overridden_unchecked_hash_based_pyc(self):
-         with util.create_modules('_temp') as mapping, \
-              unittest.mock.patch('_imp.check_hash_based_pycs', 'always'):
-@@ -433,6 +438,7 @@ class BadBytecodeTest:
-                                                del_source=del_source)
-             test('_temp', mapping, bc_path)
- 
-+    @support.fails_in_fips_mode(ImportError)
-     def _test_partial_hash(self, test, *, del_source=False):
-         with util.create_modules('_temp') as mapping:
-             bc_path = self.manipulate_bytecode(
-diff --git a/Lib/test/test_py_compile.py b/Lib/test/test_py_compile.py
-index 9b420d2..dd6460a 100644
---- a/Lib/test/test_py_compile.py
-+++ b/Lib/test/test_py_compile.py
-@@ -143,13 +143,16 @@ class PyCompileTestsBase:
-             importlib.util.cache_from_source(bad_coding)))
- 
-     def test_source_date_epoch(self):
-+        import _hashlib
-         py_compile.compile(self.source_path, self.pyc_path)
-         self.assertTrue(os.path.exists(self.pyc_path))
-         self.assertFalse(os.path.exists(self.cache_path))
-         with open(self.pyc_path, 'rb') as fp:
-             flags = importlib._bootstrap_external._classify_pyc(
-                 fp.read(), 'test', {})
--        if os.environ.get('SOURCE_DATE_EPOCH'):
-+        if _hashlib.get_fips_mode():
-+            expected_flags = 0b00
-+        elif os.environ.get('SOURCE_DATE_EPOCH'):
-             expected_flags = 0b11
-         else:
-             expected_flags = 0b00
-@@ -180,7 +183,8 @@ class PyCompileTestsBase:
-         # Specifying optimized bytecode should lead to a path reflecting that.
-         self.assertIn('opt-2', py_compile.compile(self.source_path, optimize=2))
- 
--    def test_invalidation_mode(self):
-+    @support.fails_in_fips_mode(ImportError)
-+    def test_invalidation_mode_checked(self):
-         py_compile.compile(
-             self.source_path,
-             invalidation_mode=py_compile.PycInvalidationMode.CHECKED_HASH,
-@@ -189,6 +193,9 @@ class PyCompileTestsBase:
-             flags = importlib._bootstrap_external._classify_pyc(
-                 fp.read(), 'test', {})
-         self.assertEqual(flags, 0b11)
-+
-+    @support.fails_in_fips_mode(ImportError)
-+    def test_invalidation_mode_unchecked(self):
-         py_compile.compile(
-             self.source_path,
-             invalidation_mode=py_compile.PycInvalidationMode.UNCHECKED_HASH,
-diff --git a/Lib/test/test_zipimport.py b/Lib/test/test_zipimport.py
-index 59a5200..81fadb3 100644
---- a/Lib/test/test_zipimport.py
-+++ b/Lib/test/test_zipimport.py
-@@ -190,6 +190,7 @@ class UncompressedZipImportTestCase(ImportHooksBaseTestCase):
-                  TESTMOD + pyc_ext: (NOW, test_pyc)}
-         self.doTest(pyc_ext, files, TESTMOD)
- 
-+    @support.fails_in_fips_mode(ImportError)
-     def testUncheckedHashBasedPyc(self):
-         source = b"state = 'old'"
-         source_hash = importlib.util.source_hash(source)
-@@ -204,6 +205,7 @@ class UncompressedZipImportTestCase(ImportHooksBaseTestCase):
-             self.assertEqual(mod.state, 'old')
-         self.doTest(None, files, TESTMOD, call=check)
- 
-+    @support.fails_in_fips_mode(ImportError)
-     @unittest.mock.patch('_imp.check_hash_based_pycs', 'always')
-     def test_checked_hash_based_change_pyc(self):
-         source = b"state = 'old'"
-diff --git a/Python/import.c b/Python/import.c
-index 39144d3..b439059 100644
---- a/Python/import.c
-+++ b/Python/import.c
-@@ -2449,6 +2449,26 @@ static PyObject *
- _imp_source_hash_impl(PyObject *module, long key, Py_buffer *source)
- /*[clinic end generated code: output=edb292448cf399ea input=9aaad1e590089789]*/
- {
-+    PyObject *_hashlib = PyImport_ImportModule("_hashlib");
-+    if (_hashlib == NULL) {
-+        return NULL;
-+    }
-+    PyObject *fips_mode_obj = PyObject_CallMethod(_hashlib, "get_fips_mode", NULL);
-+    Py_DECREF(_hashlib);
-+    if (fips_mode_obj == NULL) {
-+        return NULL;
-+    }
-+    int fips_mode = PyObject_IsTrue(fips_mode_obj);
-+    Py_DECREF(fips_mode_obj);
-+    if (fips_mode < 0) {
-+        return NULL;
-+    }
-+    if (fips_mode) {
-+        PyErr_SetString(
-+            PyExc_ImportError,
-+            "hash-based PYC validation (siphash24) not available in FIPS mode");
-+        return NULL;
-+    };
-     union {
-         uint64_t x;
-         char data[sizeof(uint64_t)];
+diff --git a/Lib/importlib/_bootstrap_external.py b/Lib/importlib/_bootstrap_external.py
+index e53f6ac..bdc491e 100644
+--- a/Lib/importlib/_bootstrap_external.py
++++ b/Lib/importlib/_bootstrap_external.py
+@@ -1077,7 +1077,8 @@ class SourceLoader(_LoaderBasics):
+                 source_mtime is not None):
+             if hash_based:
+                 if source_hash is None:
+-                    source_hash = _imp.source_hash(source_bytes)
++                    source_hash = _imp.source_hash(_RAW_MAGIC_NUMBER,
++                                                   source_bytes)
+                 data = _code_to_hash_pyc(code_object, source_hash, check_source)
+             else:
+                 data = _code_to_timestamp_pyc(code_object, source_mtime,
+diff --git a/Misc/NEWS.d/next/Library/2022-11-21-10-45-54.gh-issue-99508.QqVbby.rst b/Misc/NEWS.d/next/Library/2022-11-21-10-45-54.gh-issue-99508.QqVbby.rst
+new file mode 100644
+index 0000000..82720d1
+--- /dev/null
++++ b/Misc/NEWS.d/next/Library/2022-11-21-10-45-54.gh-issue-99508.QqVbby.rst
+@@ -0,0 +1,2 @@
++Fix ``TypeError`` in ``Lib/importlib/_bootstrap_external.py`` while calling
++``_imp.source_hash()``.
 -- 
-2.43.0
-
+2.45.0

SOURCES/00431-CVE-2024-4032.patch

+From ba431579efdcbaed7a96f2ac4ea0775879a332fb Mon Sep 17 00:00:00 2001
+From: Petr Viktorin <encukou@gmail.com>
+Date: Thu, 25 Apr 2024 14:45:48 +0200
+Subject: [PATCH] [3.11] gh-113171: gh-65056: Fix "private" (non-global) IP
+ address ranges (GH-113179) (GH-113186) (GH-118177) (#118227)
+
+---
+ Doc/library/ipaddress.rst                     | 43 +++++++-
+ Doc/whatsnew/3.11.rst                         |  9 ++
+ Lib/ipaddress.py                              | 99 +++++++++++++++----
+ Lib/test/test_ipaddress.py                    | 21 +++-
+ ...-03-14-01-38-44.gh-issue-113171.VFnObz.rst |  9 ++
+ 5 files changed, 157 insertions(+), 24 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Library/2024-03-14-01-38-44.gh-issue-113171.VFnObz.rst
+
+diff --git a/Doc/library/ipaddress.rst b/Doc/library/ipaddress.rst
+index 03dc956cd1352a..f57fa15aa5b930 100644
+--- a/Doc/library/ipaddress.rst
++++ b/Doc/library/ipaddress.rst
+@@ -178,18 +178,53 @@ write code that handles both IP versions correctly.  Address objects are
+ 
+    .. attribute:: is_private
+ 
+-      ``True`` if the address is allocated for private networks.  See
++      ``True`` if the address is defined as not globally reachable by
+       iana-ipv4-special-registry_ (for IPv4) or iana-ipv6-special-registry_
+-      (for IPv6).
++      (for IPv6) with the following exceptions:
++
++      * ``is_private`` is ``False`` for the shared address space (``100.64.0.0/10``)
++      * For IPv4-mapped IPv6-addresses the ``is_private`` value is determined by the
++        semantics of the underlying IPv4 addresses and the following condition holds
++        (see :attr:`IPv6Address.ipv4_mapped`)::
++
++            address.is_private == address.ipv4_mapped.is_private
++
++      ``is_private`` has value opposite to :attr:`is_global`, except for the shared address space
++      (``100.64.0.0/10`` range) where they are both ``False``.
++
++      .. versionchanged:: 3.11.10
++
++         Fixed some false positives and false negatives.
++
++         * ``192.0.0.0/24`` is considered private with the exception of ``192.0.0.9/32`` and
++           ``192.0.0.10/32`` (previously: only the ``192.0.0.0/29`` sub-range was considered private).
++         * ``64:ff9b:1::/48`` is considered private.
++         * ``2002::/16`` is considered private.
++         * There are exceptions within ``2001::/23`` (otherwise considered private): ``2001:1::1/128``,
++           ``2001:1::2/128``, ``2001:3::/32``, ``2001:4:112::/48``, ``2001:20::/28``, ``2001:30::/28``.
++           The exceptions are not considered private.
+ 
+    .. attribute:: is_global
+ 
+-      ``True`` if the address is allocated for public networks.  See
++      ``True`` if the address is defined as globally reachable by
+       iana-ipv4-special-registry_ (for IPv4) or iana-ipv6-special-registry_
+-      (for IPv6).
++      (for IPv6) with the following exception:
++
++      For IPv4-mapped IPv6-addresses the ``is_private`` value is determined by the
++      semantics of the underlying IPv4 addresses and the following condition holds
++      (see :attr:`IPv6Address.ipv4_mapped`)::
++
++         address.is_global == address.ipv4_mapped.is_global
++
++      ``is_global`` has value opposite to :attr:`is_private`, except for the shared address space
++      (``100.64.0.0/10`` range) where they are both ``False``.
+ 
+       .. versionadded:: 3.4
+ 
++      .. versionchanged:: 3.11.10
++
++         Fixed some false positives and false negatives, see :attr:`is_private` for details.
++
+    .. attribute:: is_unspecified
+ 
+       ``True`` if the address is unspecified.  See :RFC:`5735` (for IPv4)
+diff --git a/Doc/whatsnew/3.11.rst b/Doc/whatsnew/3.11.rst
+index f670fa1f097aa1..42b61c75c7e621 100644
+--- a/Doc/whatsnew/3.11.rst
++++ b/Doc/whatsnew/3.11.rst
+@@ -2727,3 +2727,12 @@ OpenSSL
+ * Windows builds and macOS installers from python.org now use OpenSSL 3.0.
+ 
+ .. _libb2: https://www.blake2.net/
++
++Notable changes in 3.11.10
++==========================
++
++ipaddress
++---------
++
++* Fixed ``is_global`` and ``is_private`` behavior in ``IPv4Address``,
++  ``IPv6Address``, ``IPv4Network`` and ``IPv6Network``.
+diff --git a/Lib/ipaddress.py b/Lib/ipaddress.py
+index 16ba16cd7de49a..567beb37e06318 100644
+--- a/Lib/ipaddress.py
++++ b/Lib/ipaddress.py
+@@ -1086,7 +1086,11 @@ def is_private(self):
+         """
+         return any(self.network_address in priv_network and
+                    self.broadcast_address in priv_network
+-                   for priv_network in self._constants._private_networks)
++                   for priv_network in self._constants._private_networks) and all(
++                    self.network_address not in network and
++                    self.broadcast_address not in network
++                    for network in self._constants._private_networks_exceptions
++                )
+ 
+     @property
+     def is_global(self):
+@@ -1333,18 +1337,41 @@ def is_reserved(self):
+     @property
+     @functools.lru_cache()
+     def is_private(self):
+-        """Test if this address is allocated for private networks.
++        """``True`` if the address is defined as not globally reachable by
++        iana-ipv4-special-registry_ (for IPv4) or iana-ipv6-special-registry_
++        (for IPv6) with the following exceptions:
+ 
+-        Returns:
+-            A boolean, True if the address is reserved per
+-            iana-ipv4-special-registry.
++        * ``is_private`` is ``False`` for ``100.64.0.0/10``
++        * For IPv4-mapped IPv6-addresses the ``is_private`` value is determined by the
++            semantics of the underlying IPv4 addresses and the following condition holds
++            (see :attr:`IPv6Address.ipv4_mapped`)::
+ 
++                address.is_private == address.ipv4_mapped.is_private
++
++        ``is_private`` has value opposite to :attr:`is_global`, except for the ``100.64.0.0/10``
++        IPv4 range where they are both ``False``.
+         """
+-        return any(self in net for net in self._constants._private_networks)
++        return (
++            any(self in net for net in self._constants._private_networks)
++            and all(self not in net for net in self._constants._private_networks_exceptions)
++        )
+ 
+     @property
+     @functools.lru_cache()
+     def is_global(self):
++        """``True`` if the address is defined as globally reachable by
++        iana-ipv4-special-registry_ (for IPv4) or iana-ipv6-special-registry_
++        (for IPv6) with the following exception:
++
++        For IPv4-mapped IPv6-addresses the ``is_private`` value is determined by the
++        semantics of the underlying IPv4 addresses and the following condition holds
++        (see :attr:`IPv6Address.ipv4_mapped`)::
++
++            address.is_global == address.ipv4_mapped.is_global
++
++        ``is_global`` has value opposite to :attr:`is_private`, except for the ``100.64.0.0/10``
++        IPv4 range where they are both ``False``.
++        """
+         return self not in self._constants._public_network and not self.is_private
+ 
+     @property
+@@ -1548,13 +1575,15 @@ class _IPv4Constants:
+ 
+     _public_network = IPv4Network('100.64.0.0/10')
+ 
++    # Not globally reachable address blocks listed on
++    # https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
+     _private_networks = [
+         IPv4Network('0.0.0.0/8'),
+         IPv4Network('10.0.0.0/8'),
+         IPv4Network('127.0.0.0/8'),
+         IPv4Network('169.254.0.0/16'),
+         IPv4Network('172.16.0.0/12'),
+-        IPv4Network('192.0.0.0/29'),
++        IPv4Network('192.0.0.0/24'),
+         IPv4Network('192.0.0.170/31'),
+         IPv4Network('192.0.2.0/24'),
+         IPv4Network('192.168.0.0/16'),
+@@ -1565,6 +1594,11 @@ class _IPv4Constants:
+         IPv4Network('255.255.255.255/32'),
+         ]
+ 
++    _private_networks_exceptions = [
++        IPv4Network('192.0.0.9/32'),
++        IPv4Network('192.0.0.10/32'),
++    ]
++
+     _reserved_network = IPv4Network('240.0.0.0/4')
+ 
+     _unspecified_address = IPv4Address('0.0.0.0')
+@@ -2010,27 +2044,42 @@ def is_site_local(self):
+     @property
+     @functools.lru_cache()
+     def is_private(self):
+-        """Test if this address is allocated for private networks.
++        """``True`` if the address is defined as not globally reachable by
++        iana-ipv4-special-registry_ (for IPv4) or iana-ipv6-special-registry_
++        (for IPv6) with the following exceptions:
+ 
+-        Returns:
+-            A boolean, True if the address is reserved per
+-            iana-ipv6-special-registry, or is ipv4_mapped and is
+-            reserved in the iana-ipv4-special-registry.
++        * ``is_private`` is ``False`` for ``100.64.0.0/10``
++        * For IPv4-mapped IPv6-addresses the ``is_private`` value is determined by the
++            semantics of the underlying IPv4 addresses and the following condition holds
++            (see :attr:`IPv6Address.ipv4_mapped`)::
+ 
++                address.is_private == address.ipv4_mapped.is_private
++
++        ``is_private`` has value opposite to :attr:`is_global`, except for the ``100.64.0.0/10``
++        IPv4 range where they are both ``False``.
+         """
+         ipv4_mapped = self.ipv4_mapped
+         if ipv4_mapped is not None:
+             return ipv4_mapped.is_private
+-        return any(self in net for net in self._constants._private_networks)
++        return (
++            any(self in net for net in self._constants._private_networks)
++            and all(self not in net for net in self._constants._private_networks_exceptions)
++        )
+ 
+     @property
+     def is_global(self):
+-        """Test if this address is allocated for public networks.
++        """``True`` if the address is defined as globally reachable by
++        iana-ipv4-special-registry_ (for IPv4) or iana-ipv6-special-registry_
++        (for IPv6) with the following exception:
+ 
+-        Returns:
+-            A boolean, true if the address is not reserved per
+-            iana-ipv6-special-registry.
++        For IPv4-mapped IPv6-addresses the ``is_private`` value is determined by the
++        semantics of the underlying IPv4 addresses and the following condition holds
++        (see :attr:`IPv6Address.ipv4_mapped`)::
++
++            address.is_global == address.ipv4_mapped.is_global
+ 
++        ``is_global`` has value opposite to :attr:`is_private`, except for the ``100.64.0.0/10``
++        IPv4 range where they are both ``False``.
+         """
+         return not self.is_private
+ 
+@@ -2271,19 +2320,31 @@ class _IPv6Constants:
+ 
+     _multicast_network = IPv6Network('ff00::/8')
+ 
++    # Not globally reachable address blocks listed on
++    # https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
+     _private_networks = [
+         IPv6Network('::1/128'),
+         IPv6Network('::/128'),
+         IPv6Network('::ffff:0:0/96'),
++        IPv6Network('64:ff9b:1::/48'),
+         IPv6Network('100::/64'),
+         IPv6Network('2001::/23'),
+-        IPv6Network('2001:2::/48'),
+         IPv6Network('2001:db8::/32'),
+-        IPv6Network('2001:10::/28'),
++        # IANA says N/A, let's consider it not globally reachable to be safe
++        IPv6Network('2002::/16'),
+         IPv6Network('fc00::/7'),
+         IPv6Network('fe80::/10'),
+         ]
+ 
++    _private_networks_exceptions = [
++        IPv6Network('2001:1::1/128'),
++        IPv6Network('2001:1::2/128'),
++        IPv6Network('2001:3::/32'),
++        IPv6Network('2001:4:112::/48'),
++        IPv6Network('2001:20::/28'),
++        IPv6Network('2001:30::/28'),
++    ]
++
+     _reserved_networks = [
+         IPv6Network('::/8'), IPv6Network('100::/8'),
+         IPv6Network('200::/7'), IPv6Network('400::/6'),
+diff --git a/Lib/test/test_ipaddress.py b/Lib/test/test_ipaddress.py
+index fc27628af17f8d..16c34163a007a2 100644
+--- a/Lib/test/test_ipaddress.py
++++ b/Lib/test/test_ipaddress.py
+@@ -2269,6 +2269,10 @@ def testReservedIpv4(self):
+         self.assertEqual(True, ipaddress.ip_address(
+                 '172.31.255.255').is_private)
+         self.assertEqual(False, ipaddress.ip_address('172.32.0.0').is_private)
++        self.assertFalse(ipaddress.ip_address('192.0.0.0').is_global)
++        self.assertTrue(ipaddress.ip_address('192.0.0.9').is_global)
++        self.assertTrue(ipaddress.ip_address('192.0.0.10').is_global)
++        self.assertFalse(ipaddress.ip_address('192.0.0.255').is_global)
+ 
+         self.assertEqual(True,
+                          ipaddress.ip_address('169.254.100.200').is_link_local)
+@@ -2294,6 +2298,7 @@ def testPrivateNetworks(self):
+         self.assertEqual(True, ipaddress.ip_network("169.254.0.0/16").is_private)
+         self.assertEqual(True, ipaddress.ip_network("172.16.0.0/12").is_private)
+         self.assertEqual(True, ipaddress.ip_network("192.0.0.0/29").is_private)
++        self.assertEqual(False, ipaddress.ip_network("192.0.0.9/32").is_private)
+         self.assertEqual(True, ipaddress.ip_network("192.0.0.170/31").is_private)
+         self.assertEqual(True, ipaddress.ip_network("192.0.2.0/24").is_private)
+         self.assertEqual(True, ipaddress.ip_network("192.168.0.0/16").is_private)
+@@ -2310,8 +2315,8 @@ def testPrivateNetworks(self):
+         self.assertEqual(True, ipaddress.ip_network("::/128").is_private)
+         self.assertEqual(True, ipaddress.ip_network("::ffff:0:0/96").is_private)
+         self.assertEqual(True, ipaddress.ip_network("100::/64").is_private)
+-        self.assertEqual(True, ipaddress.ip_network("2001::/23").is_private)
+         self.assertEqual(True, ipaddress.ip_network("2001:2::/48").is_private)
++        self.assertEqual(False, ipaddress.ip_network("2001:3::/48").is_private)
+         self.assertEqual(True, ipaddress.ip_network("2001:db8::/32").is_private)
+         self.assertEqual(True, ipaddress.ip_network("2001:10::/28").is_private)
+         self.assertEqual(True, ipaddress.ip_network("fc00::/7").is_private)
+@@ -2390,6 +2395,20 @@ def testReservedIpv6(self):
+         self.assertEqual(True, ipaddress.ip_address('0::0').is_unspecified)
+         self.assertEqual(False, ipaddress.ip_address('::1').is_unspecified)
+ 
++        self.assertFalse(ipaddress.ip_address('64:ff9b:1::').is_global)
++        self.assertFalse(ipaddress.ip_address('2001::').is_global)
++        self.assertTrue(ipaddress.ip_address('2001:1::1').is_global)
++        self.assertTrue(ipaddress.ip_address('2001:1::2').is_global)
++        self.assertFalse(ipaddress.ip_address('2001:2::').is_global)
++        self.assertTrue(ipaddress.ip_address('2001:3::').is_global)
++        self.assertFalse(ipaddress.ip_address('2001:4::').is_global)
++        self.assertTrue(ipaddress.ip_address('2001:4:112::').is_global)
++        self.assertFalse(ipaddress.ip_address('2001:10::').is_global)
++        self.assertTrue(ipaddress.ip_address('2001:20::').is_global)
++        self.assertTrue(ipaddress.ip_address('2001:30::').is_global)
++        self.assertFalse(ipaddress.ip_address('2001:40::').is_global)
++        self.assertFalse(ipaddress.ip_address('2002::').is_global)
++
+         # some generic IETF reserved addresses
+         self.assertEqual(True, ipaddress.ip_address('100::').is_reserved)
+         self.assertEqual(True, ipaddress.ip_network('4000::1/128').is_reserved)
+diff --git a/Misc/NEWS.d/next/Library/2024-03-14-01-38-44.gh-issue-113171.VFnObz.rst b/Misc/NEWS.d/next/Library/2024-03-14-01-38-44.gh-issue-113171.VFnObz.rst
+new file mode 100644
+index 00000000000000..f9a72473be4e2c
+--- /dev/null
++++ b/Misc/NEWS.d/next/Library/2024-03-14-01-38-44.gh-issue-113171.VFnObz.rst
+@@ -0,0 +1,9 @@
++Fixed various false positives and false negatives in
++
++* :attr:`ipaddress.IPv4Address.is_private` (see these docs for details)
++* :attr:`ipaddress.IPv4Address.is_global`
++* :attr:`ipaddress.IPv6Address.is_private`
++* :attr:`ipaddress.IPv6Address.is_global`
++
++Also in the corresponding :class:`ipaddress.IPv4Network` and :class:`ipaddress.IPv6Network`
++attributes.

SOURCES/pgp_keys.asc

------BEGIN PGP PUBLIC KEY BLOCK-----
-
-mQINBFq+ToQBEADRYvIVtbK6owynD3j3nxwpW2KEk/p+aDvtXmc2SR2dBcZ8sFW2
-R5vEsG8d3/D3wgv5pcL3KfNNXQYUnXVbobrFUUWQYc79qIsE3MgiPf5NVOtwKPUR
-i5g9YJgKvpBxkQfqp3LYGm9ZBtwo3DVLA3yn7KsazCmAgTNFJYw7ku1XxgmIzY6K
-5J30DfbJiqDqj4f9GslCCCCH3qiPnuLG/HUyVLHMpbWlaiy9NI0GcaLxjJewHj9w
-W2D2lydkxe5JGo7egUkV3ILcuLVSVKA35SKY27dYqfuyqp9tAzaRbjDYjsYdHA6G
-BqrNrKBn/GwlFDPrVdcvN3ZSY2wMLTxWE3Axc/FweuHxFnou/80FwX7F3JD+oEQ6
-rofmcxOBCC7J98I7HZAhP9jBn88XIS2hztbLq8d6rZJZRtcz0k61VR0ddO+TrFmf
-9rMYCPgCckRtVxeFIVIabrN1IzKynLFeo040h8hSGswd6YKDOVwjJY6Oa6EmVefZ
-a8QSt4+M65RSzH6SEPY008F3nJUAK6MEkzTak+tFltZNrVWu8p2xd1j9nmxAwEhZ
-/lgbxLqzYgaUWmfyHeZ8yVA0MhHzdiAL8nVUEdG3KecIq0RWCJLGLWWIjd6KAJl1
-yAmhRYKK/sjPDsL3elHsFACfZbyx3o5GGQNlas1FYoPLWbaNGaJtgFTF2QARAQAB
-tCtQYWJsbyBHYWxpbmRvIFNhbGdhZG8gPHBhYmxvZ3NhbEBnbWFpbC5jb20+iQJO
-BBMBCgA4FiEEoDXIwZIZuoIezqhrZOYo+NaEaW0FAlq+ToQCGwMFCwkIBwMFFQoJ
-CAsFFgIDAQACHgECF4AACgkQZOYo+NaEaW2bmA/+PXIap2udLoUVOHxnsIBdqYwp
-sv1Aj5lfIJmNhmxPbHShwp1Jg+w4urxe+2Dj5ofKVlIo1i83bQkvnKJMDXDVuc/K
-P6zqhBJ3rT4Q3qx2mzX8bIfQoJ2JHuH4lkP+I7doDcHHRyeNASyk72VdQmU4twNw
-Ibn8nSNV6ThKHdoPYzVnO2rZUFcGIqH5HNsvR+B7cc1MBCHsgURYwSVhSePIFGlZ
-iasdBD6QQkDSe4QWi7AcJFWFElw4kbOKJWxAWsrEk+tMXJVGRjnmL289EmPCx/vx
-BqKy7Mse0yWCSRR3vB+O6TB1S5SgEyEgqlYsfGNv1qf/rfRD4KkyCbNU3LhY1Aim
-vJP4pDW+KFxTk2Ks8vrx8gOSd2aFqPeO/pFDrpsF7PD62XwsfoXu4xc5V0Giw7r1
-Nai0nax7kOrldNF8TbbtRjW0jmoC7wLIDujAkwDIOroZ0CXA3N4HVHdSbrHm/urX
-nyxJXupXAQNwGx64JCBcbF2fp3Kvu1VAXBEFnd01KaopthHcbG5pA50Kl2Vhe+98
-OdezUX42fHkQpQkB7HgtXfm6W1bw6YRBamrNvs1OoHBYmUjlECpe566IIu25Hc8s
-x3qA+6eca7iqizyLG+WyMT8ZIYTWGAS59jxwR4esqGczbbZPSAPHFwLbGv7Wr0Rd
-TPu5B0FcKpDkTd4IxQW5Ag0EWr5O2gEQAMjLe4CtbSfofmJrz5wfNkMVsZ81Gbqe
-MoYd3dtkJnQYERUj8flzBj3ucaxGJ+Cuf7ybh3naPopKvEI1q0vkcgCDqrEgXK//
-jKJbP28uPSMGhOG28q4PbamG55gy5FtM3ezzAxPWWKe9qBpV65GMmFy7eBQx2iJs
-yiDIOOQQ4kraS+cTqNFimEXAGLCOQRNLcwIZzwAAHoW7HEpNUfVwaBD9kMlbo1ND
-I60IKcNrNcmcmRxhJqfxjj8YBMwcKHO6GBE3AVpaE/+UO9zyr4TH+0YuQUgxKlPW
-Dkg5XlkDo0S1GyLY5e9ckIDIlkTdDa2pOkoE2yB5MQCEga3YiHrKUVTTWaxn9XVJ
-6x5ZjUF6bgSWGkrG5dUqSYoO1iDMuNVjtiujNyf/rvfj5cNxS7/lgxchhQKZHZXL
-WVqxlneeVJ6s0P4+ROVG9ga2Sve7aUJ6wXIewZwulBcV2sE/W/DgxHgLBi53CUQt
-vEzFzKvo48GnDqL5VYjA7l0HMYHd4GksCLi8E8U6Cgj+imXiM8voL7pHRZfs8mY8
-udR+UT4e1Scl2MYP2qBJ9/17B/X52B3s1EZdqI/r+hfOyqrhPs+dbAN0mtMPn68+
-nrvY1+nscvrSYEP6ZBlc9Hp2mgJdb6IcTvINXBEeLRjgc3pjViva443pkiFp9Axm
-ecOckMKP3uSlABEBAAGJBGwEGAEKACAWIQSgNcjBkhm6gh7OqGtk5ij41oRpbQUC
-Wr5O2gIbAgJACRBk5ij41oRpbcF0IAQZAQoAHRYhBM/cokWxBDzypfl4Zf/odAQW
-i9hHBQJavk7aAAoJEP/odAQWi9hHr7YP/RCLre1CmOoWYpAtoa1yVCeYMDV6eQgL
-B488/BEZHQE1zbrYy16XkhORob3JF/kUMjmJW7XaFF8FrWvRcdj/xaUGbOOEulKg
-v+8zWfswYQRiZ4/JlwER4vRLi6fTE89MVER6Fkj2ASD4D2cifY+EztD4flV3sq3s
-vIogGFaN9IvdrdeptOVGXs1RmAyoTsiS2mKQ6xsGh8B9ZAm55W8fBOGiSzLX21Xk
-Ofdw53BrFQxn3cu/JgIKpdeZxgukcvEAI62B6X+YL6Na4j0eqEGLzsNtU1+xeJlo
-WtVvmRwnRHGSxF6fzIZ3mk/p/aFiXAEq/xITCTY6tDv7x7pFE/RpdlJZyNJ+R5Y4
-SQiuDsylxNCa/4G5EB6q+7iVYtbEQ9MnZg2phowEE42tlj0rz8/rvDK3LH3xibot
-KHIodCWKlWByxH99u2PuHUQ0c1oCVBUE1KkruMpvI236DpU/dvdq4JLSg/fWrys/
-VIjqLZgsIE5g/KO9XqngWHkLcBLh4CNAmHJ8Iia+s+/rfgsejQWB5uJb6eYg2JjB
-4WP1EI0rULM6fdrCNB+MJ36wE2Lnb4bfT0phOMgjjH5/Ki7ZCbkxkOsBs4SRjiS+
-weCsmpAtMqodWY/Cnw9pWSA/qLSRD5/mKeb9SO6OZ/OPfAatwnGHsvZ2sAueC6rR
-04W5BfXZWrnJUXQP/id/EKE1Ksp5fKoxSCbkKTCig+Sf5Afwe36yFN+niZBqzn5b
-BgL/HIKaZM97oDHersPPANeEgS+JVlBf95iKIYnQbZP43FLVbvOuaINhBIVtFO54
-2Y7EYwl41kP7ILDElVy36KAmdQyBAfrjnZiRA70xShOxApLug1L0lxhR3YfmLwNi
-RJ0V6KnYDKf0pfdhO9VFyFFWUojX1usn2SmSsXNizsNtvRqHXzPnX0rbJzZ9+N4O
-9k1nxygYFG/2R/jGonVmTjRzcAHrAkNJETMWXMA7/8wRMDwluz8j+cCldey9x8Vk
-JwgLGnZSbQtVpcFAnm5r/36Gt+9wc1VWMyrUrVr6Z679aqAbG7PMaeR5h5ygMj1k
-VqRTYAUPSk1f8bZKRssQkQwEbp9dVIjm9SsR8VT7/tB+UuB85dABxgHfv3psJRT+
-tL8g9V7kSZqQfcLNGmvEVvr2Zl9NtxwXtsFM2OBprxCenwb+e9Ppm1LjfJG/NE72
-mAnOERfDaiLt4bqNo36Ei5sGCJ4Fx61phzNBXzkdRNM47i8J5UZRKFkE91c99BVM
-HKUaY61NRK24fR0zP98ftDU82YFw0VRFJpTeBrO5ivN1MlQxUPzUWxKxMxO+20wa
-UOXroEw11Tb4SRLGOla1pCl6lCUPJRy9IzadPDgTr/OTMkob/snt/XLdnV5/uQIN
-BFq+TvoBEAC8Oy1g6pPWBbrCMhIq7VWY2fjylJ1fwg5BPXkOKVK1dsGYO4QD7oW9
-L0aSqcFSNFGF9Cl0Ri4TFXZC3hnG4HeSXUWApuKdBLn21H3jba36Ay1oGcGfdm0v
-Zght4c6BlMVBpGCw2wIkJbUNEy6InMM+O8CCbbaH3iJkJ4141P7pODHignx5AmZI
-conMui4YOhC+IXQXynVEv1Juk7erB1Nh1RcRvsA4lb44HWx49lIwe85ejOmoZ0O3
-6f9NJRer6bV0+rHWmg4IV5Q9h/Gn4IhEDZxA0DZl1RQI7dMgaMbIFbXGq7Kgzstz
-EUnOoy29hXodxVmwIsMrAiQUYtwJ9hW+ESsw47+W2iPHVgviGWl7r/SgcgMYmf6m
-5kiTBtwU7BQPS9G3zwwP2Rm3AA/6g39Q+tQKjOwi1I8+GZsY2On44Zly7BreBNg5
-4gJgdAGcMOYU9etr050clH3UpTYcAEtX++ahtOKhJgLIPNcIAQNlnifqvU0VYpgw
-R4YpZ7hgg+AVDzC73PIM0lFI0XiDuqChbxE+K1jmLXWe5iJF0dzgVTwP+PmsifNZ
-Wg3+YxSsS+hDMPQ2xPiQN49gT4JJDHcDuyhHyCGYgyMiVJCsku9KrkubbfVRivyN
-ZF2Zfo3f+nbrRxsftz0yjAq8byCvb0V0XOpt4pJ/ddlug9ytRxALNwARAQABiQI2
-BBgBCgAgFiEEoDXIwZIZuoIezqhrZOYo+NaEaW0FAlq+TvoCGwwACgkQZOYo+NaE
-aW3urA//UQ/cKQ7HvWjcLphzQOZc+6m5YL0wxvZkSjemU7mqjZdpacteIvRAoers
-EqXHc208liIBtNfRzoreXdcXNzie65xXkrRnWoHVH/fTWy4lOnHr2CMXLeHjUgg/
-M6PYi8+sARm05YFB8nsYhlhx3IdLhcfeVVbJedQKO0yL3CK1okT30DUVq5Lq6X/K
-DC6AxuJR3D6UMSoT0WLaoX8qbhAp88qLynInfBVL18d97h916WPLTPeP0eHwhwND
-bYtKDCMDuKQ9XX5+QsNH0RmbxlX274LHrUMMvkLKxcfCBvP+iuqrBeIuoeVzXYJZ
-j7ZJtEH79bW44eecl/CY/STFYgSQ2XGTp2BI2q60wAmtKlNhwxY5ena0FgyFl6Tm
-5OBHW/Pwo+ndQJGfbrCyWkTgRay9c8er3gl3GQYIBH6X0kCiG7h/Epj0b5CHOPU5
-hCw0kEB8MB4poTIjeiY+Q01472/lQ68CL3DX158hR5d3XaPSIxAN+qFsfB1o316p
-yjxhfK1MD/IfrOgjlggPPnc/KmLkCzpgdwKcZwLCdZq9hYBvF1Zs34HbaVMYbWTK
-uxLowtXGU43vatCXXqmPOvl4/g4tZD6rysJDgOrHQnEHzT+Napn07s0BRC0IbbNn
-FynUrkr5KMSuRz7Hg7xMApENOrb0nqdHSUJ914ZpuMIS6RhJgGu5Ag0EWr5PIAEQ
-ALfh9vPD2B+miHDTMADI8aRZ7g9tnzynZYkk3+2sCiiusetsQQ+HIPJ/ASEJB7On
-ane9dyT/LTRhrK9qaxgVMimk2COXB/xyh7Mnw7nJgFU0aRSbtX0vbvQz2suSzrQ6
-9mPKzan28JGoClqB0bw1vwf3VjjxHV2dgD57CmqFPv7kAC/2a56dE+etzXattZAL
-+2JWTpmfQ0ePRRadtBm0VahQhnU8x0+jvAVrEawqpVW83ozYFyW/0WInM2J7jHgQ
-16OosY4lj5L/DxpVxaArhRFoRfWPXfC37iE8Mou/I95isvPQIhp1wTo4jG0KM02B
-oIVbp/QRNBQ6WtpOzvJs1gqQiJJTfqbKJXQ3NDEY9crpVS83HJ+Zv99PNsyNkFjG
-QpU84U3ZhsI4ygjdY45mpZueqI1RVcRQdu8Hgvoo/78Q/Sir6gMGop3mVdVo2guI
-kFcJrXh0Xk3ech4aVqrmKx/mPXGwOAQU0DAul4RW3fKg1QxQE7Tlw3+95Ee/+q5j
-HARL0uDbCJpRO8Sl8NDEuL32n/2Ot6kQeCSHrU7KJRYAkTxkKvr8zNow7hFhHFPE
-SnHvTnskI6noh0VY6NwMhmLvhm0wKkRxZPzUNc3sgLvbK1NymIZ9aKCZamzhZrmG
-vnblEz/OSLwGUua465H3hM1vvBQiartj7+6ZqWIkSmBPABEBAAGJAjYEGAEKACAW
-IQSgNcjBkhm6gh7OqGtk5ij41oRpbQUCWr5PIAIbIAAKCRBk5ij41oRpbWmeEACG
-+axtDC8UoNp9ORiYwEWLzZWDuugE+ah7DYYGD4Vs633FXVZW3SgM/bFtJ/0Lg8CF
-74jI4LMHyIjDzEjcoItwnhBLix+kUoJTvrY58GPydwekLuw1p4KXLqtRs4fsZbNQ
-YTknl4jYtRWoxO98x7tun7Gq2gqmJkIB2uj630fKz5cBk6p6oDFKjzyrHe+V7BiK
-3okQPaD4x7hq8OnTy7lOy92ZZAqztS4tNEb4DkYW1MpuwsJ7hbBZitc1siI+FVVb
-GjVVGZz6ssXoW67Tz8+VxdWJxNLXlv27eMcj4sme5S0th/YYNA5fRRv6zuzqZAru
-YNGLpYYU7JLvZJ+3lCwa5j5ycOGBF0GvsGs6gj6h+CHkjR/BgzAgWC+GgUgslt6q
-aH04rWtV6rVz+Y91LcrX5P6OM4anmXD3Gp3kl35AypXb4KyASF19+11RUziD4Z7q
-wQEWfbwOltNyZv2lD8s2jPr7P02axWRQUbZAEhxRmvOQev/FZPyCF6gqUo/HxRbQ
-y3bzmnipyHSv1DlXNfCFCHvN8kGyZnRWARqIKRg+j9ediJgOUqlLhg6KmrTVxd5v
-3Dfv52PW2UODDTM20s3cQGuX/UswzMRwPI/+P44iCMwEKdm7duM/5oisZT9Vhy7g
-P15MreFZLcZvUVgjqgy0u57cstyGK1Bo9e2sFcK2fA==
-=6Zb4
------END PGP PUBLIC KEY BLOCK-----

SPECS/python3.11.spec

@@ -20,7 +20,7 @@ URL: https://www.python.org/
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 1%{?dist}.1
+Release: 1%{?dist}.3
 License: Python
 
 
@@ -370,6 +370,11 @@ Patch422: 00422-fix-tests-for-xmlpullparser-with-expat-2-6-0.patch
 # Tracking bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2276518
 Patch426: 00426-CVE-2023-6597.patch
 
+# 00431 #
+# CVE-2024-4032: incorrect IPv4 and IPv6 private ranges
+# Upstream issue: https://github.com/python/cpython/issues/113171
+Patch431: 00431-CVE-2024-4032.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@@ -1645,6 +1650,14 @@ CheckPython optimized
 # ======================================================
 
 %changelog
+* Thu Jul 04 2024 Lumír Balhar <lbalhar@redhat.com> - 3.11.7-1.3
+- Security fix for CVE-2024-4032
+Resolves: RHEL-44097
+
+* Tue Jun 11 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.11.7-1.2
+- Enable importing of hash-based .pyc files under FIPS mode
+Resolves: RHEL-40785
+
 * Thu May 16 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.11.7-1.1
 - Security fix for CVE-2023-6597
 - Fix tests for XMLPullParser with Expat with fixed CVE