diff --git a/backport-CVE-2024-11168.patch b/backport-CVE-2024-11168.patch
new file mode 100644
index 0000000000000000000000000000000000000000..196eae11bcf861e1a47cdce71300c8f43f8b49eb
--- /dev/null
+++ b/backport-CVE-2024-11168.patch
@@ -0,0 +1,112 @@
+From 29f348e232e82938ba2165843c448c2b291504c5 Mon Sep 17 00:00:00 2001
+From: JohnJamesUtley <81572567+JohnJamesUtley@users.noreply.github.com>
+Date: Sat, 26 Oct 2024 03:43:25 +0800
+Subject: [PATCH] gh-103848: Adds checks to ensure that bracketed hosts found
+ by urlsplit are of IPv6 or IPvFuture format (#103849)
+
+* Adds checks to ensure that bracketed hosts found by urlsplit are of IPv6 or IPvFuture format
+
+---------
+
+Co-authored-by: Gregory P. Smith <greg@krypto.org>
+---
+ Lib/test/test_urlparse.py                     | 26 +++++++++++++++++++
+ Lib/urllib/parse.py                           | 16 +++++++++++-
+ ...-04-26-09-54-25.gh-issue-103848.aDSnpR.rst |  2 ++
+ 3 files changed, 43 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Library/2023-04-26-09-54-25.gh-issue-103848.aDSnpR.rst
+
+diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
+index 31943f3..ed6c19e 100644
+--- a/Lib/test/test_urlparse.py
++++ b/Lib/test/test_urlparse.py
+@@ -1012,6 +1012,32 @@ class UrlParseTestCase(unittest.TestCase):
+         self.assertEqual(p2.scheme, 'tel')
+         self.assertEqual(p2.path, '+31641044153')
+ 
++    def test_invalid_bracketed_hosts(self):
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[192.0.2.146]/Path?Query')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[important.com:8000]/Path?Query')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[v123r.IP]/Path?Query')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[v12ae]/Path?Query')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[v.IP]/Path?Query')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[v123.]/Path?Query')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[v]/Path?Query')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[0439:23af::2309::fae7:1234]/Path?Query')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[0439:23af:2309::fae7:1234:2342:438e:192.0.2.146]/Path?Query')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@]v6a.ip[/Path')
++
++    def test_splitting_bracketed_hosts(self):
++        p1 = urllib.parse.urlsplit('scheme://user@[v6a.ip]/path?query')
++        self.assertEqual(p1.hostname, 'v6a.ip')
++        self.assertEqual(p1.username, 'user')
++        self.assertEqual(p1.path, '/path')
++        p2 = urllib.parse.urlsplit('scheme://user@[0439:23af:2309::fae7%test]/path?query')
++        self.assertEqual(p2.hostname, '0439:23af:2309::fae7%test')
++        self.assertEqual(p2.username, 'user')
++        self.assertEqual(p2.path, '/path')
++        p3 = urllib.parse.urlsplit('scheme://user@[0439:23af:2309::fae7:1234:192.0.2.146%test]/path?query')
++        self.assertEqual(p3.hostname, '0439:23af:2309::fae7:1234:192.0.2.146%test')
++        self.assertEqual(p3.username, 'user')
++        self.assertEqual(p3.path, '/path')
++
+     def test_port_casting_failure_message(self):
+         message = "Port could not be cast to integer value as 'oracle'"
+         p1 = urllib.parse.urlparse('http://Server=sde; Service=sde:oracle')
+diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
+index b7965fe..d156969 100644
+--- a/Lib/urllib/parse.py
++++ b/Lib/urllib/parse.py
+@@ -32,6 +32,7 @@ import sys
+ import types
+ import collections
+ import warnings
++import ipaddress
+ 
+ __all__ = ["urlparse", "urlunparse", "urljoin", "urldefrag",
+            "urlsplit", "urlunsplit", "urlencode", "parse_qs",
+@@ -434,6 +435,17 @@ def _checknetloc(netloc):
+             raise ValueError("netloc '" + netloc + "' contains invalid " +
+                              "characters under NFKC normalization")
+ 
++# Valid bracketed hosts are defined in
++# https://www.rfc-editor.org/rfc/rfc3986#page-49 and https://url.spec.whatwg.org/
++def _check_bracketed_host(hostname):
++    if hostname.startswith('v'):
++        if not re.match(r"\Av[a-fA-F0-9]+\..+\Z", hostname):
++            raise ValueError(f"IPvFuture address is invalid")
++    else:
++        ip = ipaddress.ip_address(hostname) # Throws Value Error if not IPv6 or IPv4
++        if isinstance(ip, ipaddress.IPv4Address):
++            raise ValueError(f"An IPv4 address cannot be in brackets")
++
+ def urlsplit(url, scheme='', allow_fragments=True):
+     """Parse a URL into 5 components:
+     <scheme>://<netloc>/<path>?<query>#<fragment>
+@@ -476,12 +488,14 @@ def urlsplit(url, scheme='', allow_fragments=True):
+                 break
+         else:
+             scheme, url = url[:i].lower(), url[i+1:]
+-
+     if url[:2] == '//':
+         netloc, url = _splitnetloc(url, 2)
+         if (('[' in netloc and ']' not in netloc) or
+                 (']' in netloc and '[' not in netloc)):
+             raise ValueError("Invalid IPv6 URL")
++        if '[' in netloc and ']' in netloc:
++            bracketed_host = netloc.partition('[')[2].partition(']')[0]
++            _check_bracketed_host(bracketed_host)
+     if allow_fragments and '#' in url:
+         url, fragment = url.split('#', 1)
+     if '?' in url:
+diff --git a/Misc/NEWS.d/next/Library/2023-04-26-09-54-25.gh-issue-103848.aDSnpR.rst b/Misc/NEWS.d/next/Library/2023-04-26-09-54-25.gh-issue-103848.aDSnpR.rst
+new file mode 100644
+index 0000000..81e5904
+--- /dev/null
++++ b/Misc/NEWS.d/next/Library/2023-04-26-09-54-25.gh-issue-103848.aDSnpR.rst
+@@ -0,0 +1,2 @@
++Add checks to ensure that ``[`` bracketed ``]`` hosts found by
++:func:`urllib.parse.urlsplit` are of IPv6 or IPvFuture format.
+-- 
+2.43.0
+
diff --git a/python3.spec b/python3.spec
index 8f75f89679212c45780908ce1153a9a7933e8f3e..c6e807c6aa283138b7da2568254ae816db5be888 100644
--- a/python3.spec
+++ b/python3.spec
@@ -3,7 +3,7 @@ Summary: Interpreter of the Python3 programming language
 URL: https://www.python.org/
 
 Version: 3.9.9
-Release: 8
+Release: 9
 License: Python
 
 %global branchversion 3.9
@@ -98,6 +98,7 @@ Patch6001: backport-bpo-46811-Make-test-suite-support-Expat-2.4.5.patch
 Patch6002: backport-bpo-20369-concurrent.futures.wait-now-deduplicates-f.patch
 
 Patch9000: add-the-sm3-method-for-obtaining-the-salt-value.patch
+Patch9001: backport-CVE-2024-11168.patch
 
 Provides: python%{branchversion} = %{version}-%{release}
 Provides: python(abi) = %{branchversion}
@@ -186,6 +187,7 @@ rm -r Modules/expat
 %patch6002 -p1
 
 %patch9000 -p1
+%patch9001 -p1
 
 rm Lib/ensurepip/_bundled/*.whl
 rm configure pyconfig.h.in
@@ -813,6 +815,12 @@ export BEP_GTDLIST="$BEP_GTDLIST_TMP"
 %{_mandir}/*/*
 
 %changelog
+* Thu Nov 14 2024 changtao <changtao@kylinos.cn> - 3.9.9-9
+- Type:CVE
+- CVE:CVE-2024-11168
+- SUG:NA
+- DESC:fix CVE-2024-11168
+
 * Wed Apr 27 2022 liyanan <liyanan32@h-partners.com> - 3.9.9-8
 - fix build  error for openEuler:22.03:LTS:LoongArch