diff --git a/backport-CVE-2024-11168.patch b/backport-CVE-2024-11168.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2b92b1f26eef1395279d06dc4041fbb7144a979b
--- /dev/null
+++ b/backport-CVE-2024-11168.patch
@@ -0,0 +1,113 @@
+From 29f348e232e82938ba2165843c448c2b291504c5 Mon Sep 17 00:00:00 2001
+From: JohnJamesUtley <81572567+JohnJamesUtley@users.noreply.github.com>
+Date: Sat, 26 Oct 2024 03:43:25 +0800
+Subject: [PATCH] gh-103848: Adds checks to ensure that bracketed hosts found
+ by urlsplit are of IPv6 or IPvFuture format (#103849)
+
+* Adds checks to ensure that bracketed hosts found by urlsplit are of IPv6 or IPvFuture format
+
+---------
+
+Co-authored-by: Gregory P. Smith <greg@krypto.org>
+
+---
+ Lib/test/test_urlparse.py                     | 26 +++++++++++++++++++
+ Lib/urllib/parse.py                           | 16 +++++++++++-
+ ...-04-26-09-54-25.gh-issue-103848.aDSnpR.rst |  2 ++
+ 3 files changed, 43 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Library/2023-04-26-09-54-25.gh-issue-103848.aDSnpR.rst
+
+diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
+index 6528ea2..0860485 100644
+--- a/Lib/test/test_urlparse.py
++++ b/Lib/test/test_urlparse.py
+@@ -1089,6 +1089,32 @@ class UrlParseTestCase(unittest.TestCase):
+         self.assertEqual(p2.scheme, 'tel')
+         self.assertEqual(p2.path, '+31641044153')
+ 
++    def test_invalid_bracketed_hosts(self):
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[192.0.2.146]/Path?Query')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[important.com:8000]/Path?Query')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[v123r.IP]/Path?Query')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[v12ae]/Path?Query')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[v.IP]/Path?Query')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[v123.]/Path?Query')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[v]/Path?Query')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[0439:23af::2309::fae7:1234]/Path?Query')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[0439:23af:2309::fae7:1234:2342:438e:192.0.2.146]/Path?Query')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@]v6a.ip[/Path')
++
++    def test_splitting_bracketed_hosts(self):
++        p1 = urllib.parse.urlsplit('scheme://user@[v6a.ip]/path?query')
++        self.assertEqual(p1.hostname, 'v6a.ip')
++        self.assertEqual(p1.username, 'user')
++        self.assertEqual(p1.path, '/path')
++        p2 = urllib.parse.urlsplit('scheme://user@[0439:23af:2309::fae7%test]/path?query')
++        self.assertEqual(p2.hostname, '0439:23af:2309::fae7%test')
++        self.assertEqual(p2.username, 'user')
++        self.assertEqual(p2.path, '/path')
++        p3 = urllib.parse.urlsplit('scheme://user@[0439:23af:2309::fae7:1234:192.0.2.146%test]/path?query')
++        self.assertEqual(p3.hostname, '0439:23af:2309::fae7:1234:192.0.2.146%test')
++        self.assertEqual(p3.username, 'user')
++        self.assertEqual(p3.path, '/path')
++
+     def test_port_casting_failure_message(self):
+         message = "Port could not be cast to integer value as 'oracle'"
+         p1 = urllib.parse.urlparse('http://Server=sde; Service=sde:oracle')
+diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
+index 495ac42..883e629 100644
+--- a/Lib/urllib/parse.py
++++ b/Lib/urllib/parse.py
+@@ -36,6 +36,7 @@ import sys
+ import types
+ import collections
+ import warnings
++import ipaddress
+ 
+ __all__ = ["urlparse", "urlunparse", "urljoin", "urldefrag",
+            "urlsplit", "urlunsplit", "urlencode", "parse_qs",
+@@ -442,6 +443,17 @@ def _checknetloc(netloc):
+             raise ValueError("netloc '" + netloc + "' contains invalid " +
+                              "characters under NFKC normalization")
+ 
++# Valid bracketed hosts are defined in
++# https://www.rfc-editor.org/rfc/rfc3986#page-49 and https://url.spec.whatwg.org/
++def _check_bracketed_host(hostname):
++    if hostname.startswith('v'):
++        if not re.match(r"\Av[a-fA-F0-9]+\..+\Z", hostname):
++            raise ValueError(f"IPvFuture address is invalid")
++    else:
++        ip = ipaddress.ip_address(hostname) # Throws Value Error if not IPv6 or IPv4
++        if isinstance(ip, ipaddress.IPv4Address):
++            raise ValueError(f"An IPv4 address cannot be in brackets")
++
+ def urlsplit(url, scheme='', allow_fragments=True):
+     """Parse a URL into 5 components:
+     <scheme>://<netloc>/<path>?<query>#<fragment>
+@@ -488,12 +500,14 @@ def urlsplit(url, scheme='', allow_fragments=True):
+                 break
+         else:
+             scheme, url = url[:i].lower(), url[i+1:]
+-
+     if url[:2] == '//':
+         netloc, url = _splitnetloc(url, 2)
+         if (('[' in netloc and ']' not in netloc) or
+                 (']' in netloc and '[' not in netloc)):
+             raise ValueError("Invalid IPv6 URL")
++        if '[' in netloc and ']' in netloc:
++            bracketed_host = netloc.partition('[')[2].partition(']')[0]
++            _check_bracketed_host(bracketed_host)
+     if allow_fragments and '#' in url:
+         url, fragment = url.split('#', 1)
+     if '?' in url:
+diff --git a/Misc/NEWS.d/next/Library/2023-04-26-09-54-25.gh-issue-103848.aDSnpR.rst b/Misc/NEWS.d/next/Library/2023-04-26-09-54-25.gh-issue-103848.aDSnpR.rst
+new file mode 100644
+index 0000000..81e5904
+--- /dev/null
++++ b/Misc/NEWS.d/next/Library/2023-04-26-09-54-25.gh-issue-103848.aDSnpR.rst
+@@ -0,0 +1,2 @@
++Add checks to ensure that ``[`` bracketed ``]`` hosts found by
++:func:`urllib.parse.urlsplit` are of IPv6 or IPvFuture format.
+-- 
+2.43.0
+
diff --git a/python3.spec b/python3.spec
index 00421e5e7d49e895af8dd8cd72783964de802c19..adc3d85f99e43a96f984d56c30fc3a110d8c911f 100644
--- a/python3.spec
+++ b/python3.spec
@@ -3,7 +3,7 @@ Summary: Interpreter of the Python3 programming language
 URL: https://www.python.org/
 
 Version: 3.9.9
-Release: 33
+Release: 34
 License: Python-2.0
 
 %global branchversion 3.9
@@ -129,6 +129,7 @@ Patch9001: python3-Add-sw64-architecture.patch
 Patch9002: Add-loongarch-support.patch
 Patch9003: avoid-usage-of-md5-in-multiprocessing.patch
 Patch9004: update-openssl-version-for-test-case.patch
+Patch9005: backport-CVE-2024-11168.patch
 
 Provides: python%{branchversion} = %{version}-%{release}
 Provides: python(abi) = %{branchversion}
@@ -251,6 +252,7 @@ rm -r Modules/expat
 %patch9002 -p1
 %patch9003 -p1
 %patch9004 -p1
+%patch9005 -p1
 
 rm Lib/ensurepip/_bundled/*.whl
 rm configure pyconfig.h.in
@@ -873,6 +875,12 @@ export BEP_GTDLIST="$BEP_GTDLIST_TMP"
 %{_mandir}/*/*
 
 %changelog
+* Thu Nov 14 2024 changtao <changtao@kylinos.cn> - 3.9.9-34
+- Type:CVE
+- CVE:CVE-2024-11168
+- SUG:NA
+- DESC:fix CVE-2024-11168
+
 * Tue Nov 05 2024 GuoCe <guoce@kylinos.cn> - 3.9.9-33
 - Type:CVE
 - CVE:CVE-2023-27043