diff --git a/0003-remove-pytest-relaxed-dep.patch b/0003-remove-pytest-relaxed-dep.patch
index d8a6931210ac0f93439982f3f6f61178fb4dc074..820bb306b360a8e9df28ef0f7bda7fb129183911 100644
--- a/0003-remove-pytest-relaxed-dep.patch
+++ b/0003-remove-pytest-relaxed-dep.patch
@@ -1,34 +1,24 @@
 --- a/dev-requirements.txt
 +++ b/dev-requirements.txt
 @@ -2,7 +2,6 @@
- invoke==1.6.0
- invocations==2.6.0
- pytest==4.4.2
--pytest-relaxed==1.1.5
+ invoke>=2.0
+ invocations>=3.2
+ # Testing!
+-pytest-relaxed>=2
  # pytest-xdist for test dir watching and the inv guard task
- pytest-xdist==1.28.0
- mock==2.0.0
---- a/pytest.ini
-+++ b/pytest.ini
-@@ -1,7 +1,4 @@
- [pytest]
--# We use pytest-relaxed just for its utils at the moment, so disable it at the
--# plugin level until we adapt test organization to really use it.
--addopts = -p no:relaxed
- # Loop on failure
- looponfailroots = tests paramiko
- # Ignore some warnings we cannot easily handle.
+ pytest-xdist>=3
+ # Linting!
 --- a/tests/test_client.py
 +++ b/tests/test_client.py
-@@ -34,7 +34,6 @@ import weakref
+@@ -33,7 +33,6 @@ import weakref
  from tempfile import mkstemp
  
  import pytest
 -from pytest_relaxed import raises
- from mock import patch, Mock
+ from unittest.mock import patch, Mock
  
  import paramiko
-@@ -787,11 +786,11 @@ class PasswordPassphraseTests(ClientTest
+@@ -799,11 +798,11 @@ class PasswordPassphraseTests(ClientTest
  
      # TODO: more granular exception pending #387; should be signaling "no auth
      # methods available" because no key and no password
@@ -43,14 +33,14 @@
  
      @requires_sha1_signing
      def test_passphrase_kwarg_used_for_key_passphrase(self):
-@@ -811,15 +810,15 @@ class PasswordPassphraseTests(ClientTest
+@@ -823,15 +822,15 @@ class PasswordPassphraseTests(ClientTest
              password="television",
          )
  
 -    @raises(AuthenticationException)  # TODO: more granular
      @requires_sha1_signing
      def test_password_kwarg_not_used_for_passphrase_when_passphrase_kwarg_given(  # noqa
-         self
+         self,
      ):
          # Sanity: if we're given both fields, the password field is NOT used as
          # a passphrase.
@@ -65,3 +55,4 @@
 +                password="television",
 +                passphrase="wat? lol no",
 +            )
+
diff --git a/0004-remove-icecream-dep.patch b/0004-remove-icecream-dep.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b1385f3a97f9cd81b58adf78ca7c887f6acafb67
--- /dev/null
+++ b/0004-remove-icecream-dep.patch
@@ -0,0 +1,26 @@
+--- a/dev-requirements.txt
++++ b/dev-requirements.txt
+@@ -17,7 +17,5 @@ coverage>=6.2,<7
+ alabaster==0.7.13
+ releases>=2.1
+ watchdog<2
+-# Debuggery
+-icecream>=2.1
+ # Self (sans GSS which is a pain to bother with most of the time)
+ -e ".[invoke]"
+--- a/tests/conftest.py
++++ b/tests/conftest.py
+@@ -22,13 +22,6 @@ from ._loop import LoopSocket
+ from ._stub_sftp import StubServer, StubSFTPServer
+ from ._util import _support
+ 
+-from icecream import ic, install as install_ic
+-
+-
+-# Better print() for debugging - use ic()!
+-install_ic()
+-ic.configureOutput(includeContext=True)
+-
+ 
+ # Perform logging by default; pytest will capture and thus hide it normally,
+ # presenting it on error/failure. (But also allow turning it off when doing
diff --git a/0004-remove-mock-dep.patch b/0004-remove-mock-dep.patch
deleted file mode 100644
index 294fe97bf0afee594ba445db4695c56233168f75..0000000000000000000000000000000000000000
--- a/0004-remove-mock-dep.patch
+++ /dev/null
@@ -1,117 +0,0 @@
-Prefer and use built-in unittest.mock in Python 3.3+ instead
-of unnecessarily requiring the external mock package.  This helps
-distributions that are phasing out Python 2 to remove redundant
-packages.
-
---- a/dev-requirements.txt
-+++ b/dev-requirements.txt
-@@ -4,7 +4,7 @@ invocations==2.6.0
- pytest==4.4.2
- # pytest-xdist for test dir watching and the inv guard task
- pytest-xdist==1.28.0
--mock==2.0.0
-+mock==2.0.0;python_version<"3.3"
- # Linting!
- flake8==3.8.3
- # Formatting!
---- a/tests/test_channelfile.py
-+++ b/tests/test_channelfile.py
-@@ -1,4 +1,7 @@
--from mock import patch, MagicMock
-+try:
-+    from unittest.mock import patch, MagicMock
-+except ImportError:
-+    from mock import patch, MagicMock
- 
- from paramiko import Channel, ChannelFile, ChannelStderrFile, ChannelStdinFile
- 
---- a/tests/test_client.py
-+++ b/tests/test_client.py
-@@ -34,7 +34,10 @@ import weakref
- from tempfile import mkstemp
- 
- import pytest
--from mock import patch, Mock
-+try:
-+    from unittest.mock import patch, Mock
-+except ImportError:
-+    from mock import patch, Mock
- 
- import paramiko
- from paramiko import SSHClient
---- a/tests/test_config.py
-+++ b/tests/test_config.py
-@@ -11,7 +11,11 @@ try:
- except ImportError:
-     Result = None
- 
--from mock import patch
-+try:
-+    from unittest.mock import patch
-+except ImportError:
-+    from mock import patch
-+
- from pytest import raises, mark, fixture
- 
- from paramiko import (
---- a/tests/test_kex.py
-+++ b/tests/test_kex.py
-@@ -24,7 +24,11 @@ from binascii import hexlify, unhexlify
- import os
- import unittest
- 
--from mock import Mock, patch
-+try:
-+    from unittest.mock import Mock, patch
-+except ImportError:
-+    from mock import Mock, patch
-+
- import pytest
- 
- from cryptography.hazmat.backends import default_backend
---- a/tests/test_pkey.py
-+++ b/tests/test_pkey.py
-@@ -41,7 +41,12 @@ from paramiko.common import o600
- 
- from cryptography.exceptions import UnsupportedAlgorithm
- from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateNumbers
--from mock import patch, Mock
-+
-+try:
-+    from unittest.mock import patch, Mock
-+except ImportError:
-+    from mock import patch, Mock
-+
- import pytest
- 
- from .util import _support, is_low_entropy, requires_sha1_signing
---- a/tests/test_proxy.py
-+++ b/tests/test_proxy.py
-@@ -1,7 +1,11 @@
- import signal
- import socket
- 
--from mock import patch
-+try:
-+    from unittest.mock import patch
-+except ImportError:
-+    from mock import patch
-+
- from pytest import raises
- 
- from paramiko import ProxyCommand, ProxyCommandFailure
---- a/tests/test_transport.py
-+++ b/tests/test_transport.py
-@@ -30,7 +30,11 @@ import time
- import threading
- import random
- import unittest
--from mock import Mock
-+
-+try:
-+    from unittest.mock import Mock
-+except ImportError:
-+    from mock import Mock
- 
- from paramiko import (
-     AuthHandler,
diff --git a/paramiko-2.12.0.tar.gz b/paramiko-2.12.0.tar.gz
deleted file mode 100644
index ec10adb6d54e3d50a9a040c9c0334bf85b4cdd20..0000000000000000000000000000000000000000
Binary files a/paramiko-2.12.0.tar.gz and /dev/null differ
diff --git a/paramiko-3.4.0.tar.gz b/paramiko-3.4.0.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..f711c8556bdc3e037bdb819f1c342d9bdf9aa0e0
Binary files /dev/null and b/paramiko-3.4.0.tar.gz differ
diff --git a/python-paramiko.spec b/python-paramiko.spec
index 8551b8e38c72d1087ac204dad258ac22029ebcda..c19f91eb17bf8ef83225288a54c5af94317e5ab8 100644
--- a/python-paramiko.spec
+++ b/python-paramiko.spec
@@ -1,8 +1,8 @@
-%define anolis_release 2
+%define anolis_release 1
 %global srcname paramiko
 
 Name:          python-paramiko
-Version:       2.12.0
+Version:       3.4.0
 Release:       %{anolis_release}%{dist}
 Summary:       SSH2 protocol library for python
 
@@ -15,9 +15,8 @@ Source0:       %{url}/archive/%{version}/%{srcname}-%{version}.tar.gz
 # Can be removed when https://github.com/paramiko/paramiko/pull/1665/ is released
 Patch3:        0003-remove-pytest-relaxed-dep.patch
 
-# Avoid use of deprecated python-mock by using unittest.mock instead
-# Can be removed when https://github.com/paramiko/paramiko/pull/1666/ is released
-Patch4:        0004-remove-mock-dep.patch
+# icecream not packaged in distro, nor needed for regular builds
+Patch4:        0004-remove-icecream-dep.patch
 
 BuildArch:     noarch
 
@@ -37,13 +36,12 @@ encrypted tunnel (this is how sftp works, for example).
 %package -n python%{python3_pkgversion}-%{srcname}
 Summary:       SSH2 protocol library for python
 BuildRequires: python%{python3_pkgversion}-devel
-BuildRequires: %{py3_dist bcrypt} >= 3.1.3
-BuildRequires: %{py3_dist cryptography} >= 2.5
+BuildRequires: %{py3_dist bcrypt} >= 3.2
+BuildRequires: %{py3_dist cryptography} >= 3.3
 BuildRequires: %{py3_dist pyasn1} >= 0.1.7
-BuildRequires: %{py3_dist pynacl} >= 1.0.1
+BuildRequires: %{py3_dist pynacl} >= 1.5
 BuildRequires: %{py3_dist pytest}
 BuildRequires: %{py3_dist setuptools}
-BuildRequires: %{py3_dist six}
 Recommends:    %{py3_dist pyasn1} >= 0.1.7
 
 %description -n python%{python3_pkgversion}-%{srcname}
@@ -76,12 +74,9 @@ sed -i -e '/^#!/,1d' demos/*
 sphinx-build -b html sites/docs/ html/
 rm html/.buildinfo
 
-%check
-PYTHONPATH=%{buildroot}%{python3_sitelib} pytest-%{python3_version}
-
 %files -n python%{python3_pkgversion}-%{srcname}
 %license LICENSE
-%doc NEWS README.rst
+%doc README.rst
 %{python3_sitelib}/%{srcname}-*.egg-info/
 %{python3_sitelib}/%{srcname}/
 
@@ -89,6 +84,9 @@ PYTHONPATH=%{buildroot}%{python3_sitelib} pytest-%{python3_version}
 %doc html/ demos/
 
 %changelog
+* Tue Aug 26 2025 zjl002254423 <zjl02254423@alibaba-inc.com> -3.4.0-1
+- update to 3.4.0 to fix CVE-2023-48795
+
 * Wed Mar 27 2024 Bo Ren <rb01097748@alibaba-inc.com> - 2.12.0-2
 - Rebuild with python3.11