diff --git a/python-pip.spec b/python-pip.spec
index 2681318bb039494462827ee4678257df83a65855..aba78b50bc4ba8105425bf014cc399e65a390af5 100644
--- a/python-pip.spec
+++ b/python-pip.spec
@@ -15,7 +15,7 @@ Name: python-%{srcname}
 # When updating, update the bundled libraries versions bellow!
 Version: 9.0.3
-Release: 23%{anolis_release}%{?dist}
+Release: 23%{anolis_release}%{?dist}.1
 Summary: A tool for installing and managing Python packages
 Group: Development/Libraries
@@ -130,6 +130,12 @@ Patch11: CVE-2021-3572.patch
 # https://www.python.org/dev/peps/pep-0592/
 # Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2000135
 Patch12: skip_yanked_releases.patch
+
+# CVE-2007-4559, PEP-721, PEP-706: Use tarfile.data_filter for extracting
+# - Minimal downstream-only patch, to be replaced by upstream solution
+# proposed in https://github.com/pypa/pip/pull/12214
+# - Patch for vendored distlib, accepted upstream:
+# https://github.com/pypa/distlib/pull/201
 Patch13: CVE-2007-4559-tarfile.patch
 Patch1000: 0001-add-pip-loongarch.conf.patch
@@ -169,6 +175,9 @@ Requires: platform-python-setuptools
 BuildRequires: ca-certificates
 Requires: ca-certificates
+# pip has to require explicit version of platform-python that provides
+# filters in tarfile module (fix for CVE-2007-4559).
+Requires: platform-python >= 3.6.8-55
 # Virtual provides for the packages bundled by pip.
 # See the python2 list above for instructions.
@@ -221,6 +230,8 @@ A documentation for a tool for installing and managing Python packages
 %if %{without bootstrap}
 %package -n python3-%{srcname}-wheel
 Summary: The pip wheel
+# Older Python does not provide tarfile filters (fix for CVE-2007-4559).
+Conflicts: platform-python < 3.6.8-55
 # Virtual provides for the packages bundled by pip.
 # You can find the versions in pip/_vendor/vendor.txt file.
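Review bot: The minimum interpreter build that ships tarfile filters is written as a bare literal twice, in the `Requires: platform-python >= 3.6.8-55` line of the hunk at -169 and in the `Conflicts: platform-python < 3.6.8-55` line of the wheel subpackage hunk at -221, so a future bump can leave one of them behind and ship a pip whose CVE-2007-4559 mitigation assumes a filter the installed interpreter does not have. Define it once near the top of the spec, `%global tarfile_filter_python_evr 3.6.8-55`, and use `Requires: platform-python >= %{tarfile_filter_python_evr}` and `Conflicts: platform-python < %{tarfile_filter_python_evr}` in the two places. Whether the patched extraction code degrades silently when `tarfile.data_filter` is absent cannot be seen from this diff; if it does, these two dependency lines are the only thing enforcing the fix, and the comment should say so, e.g. `# The extraction fix only takes effect on an interpreter that provides tarfile filters; this dependency is what guarantees that.` If %check exercises the patched extraction path, a matching `BuildRequires` on the same EVR would make a builder without the filter fail loudly instead of passing tests against unfiltered extraction.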
@@ -295,6 +306,10 @@ rm pip/_vendor/ordereddict.py
 rm -v pip/_vendor/distlib/*.exe
 sed -i '/\.exe/d' setup.py
+# Backports for Python 2
+rm pip/_vendor/distlib/_backport/tarfile.py
+rm pip/_vendor/distlib/_backport/shutil.py
+
 %build
 %if %{without bootstrap}
 %py3_build_wheel
@@ -394,13 +409,17 @@ py.test-%{python3_version} -m 'not network'
 %endif
 %changelog
-* Mon Dec 18 2023 Kaiqiang Wang - 9.0.3-23.0.1
-- Use tarfile.data_filter for extracting (CVE-2007-4559, PEP-721, PEP-706)
-- Resolves: RHBZ#2218241
-
-* Fri Jul 22 2022 huajingyun - 9.0.3-22.0.1
+* Wed Apr 17 2024 huajingyun - 9.0.3-23.0.1.1
 - Add pypi.loongnix.cn
+* Wed Feb 14 2024 Lumír Balhar - 9.0.3-23.1
+- Require Python with tarfile filters
+Resolves: RHEL-25449
+
+* Tue Aug 08 2023 Petr Viktorin - 9.0.3-23
+- Use tarfile.data_filter for extracting (CVE-2007-4559, PEP-721, PEP-706)
+Resolves: RHBZ#2218241
+
 * Wed Oct 06 2021 Charalampos Stratakis - 9.0.3-22
 - Remove bundled windows executables
 - Resolves: rhbz#2006788
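Review bot: The two `rm` lines added after the `sed` line delete silently, while the neighbouring `rm -v pip/_vendor/distlib/*.exe` records what it removed; because these deletions are part of the CVE-2007-4559 mitigation (the `_backport/tarfile.py` is presumably an older copy of the stdlib module without extraction filters), use `rm -v` here too so the build log proves they happened. The comment `# Backports for Python 2` says what the files are but not why they go; `# Remove distlib's Python 2 backports of tarfile/shutil so the vendored code uses the system tarfile, which provides the CVE-2007-4559 filters` would. Whether the remaining vendored distlib still imports from `_backport` after Patch13 cannot be seen in this hunk; if it does, the breakage surfaces at runtime rather than at build time, so a guard such as `! grep -rq '_backport' pip/_vendor/distlib` in %prep would turn that regression into a build failure. The enclosing %prep section starts outside the hunk.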