diff --git a/trunk/PKGBUILD b/trunk/PKGBUILD
index fee49e7..e7189f3 100644
--- a/trunk/PKGBUILD
+++ b/trunk/PKGBUILD
@@ -18,20 +18,38 @@ optdepends=('tk: for IDLE'
             'python2-setuptools'
             'python2-pip')
 conflicts=('python<3')
+_gentoo_patches="python-gentoo-patches-${pkgver}_p7"
 source=("https://www.python.org/ftp/python/${pkgver%rc?}/Python-${pkgver}.tar.xz"{,.asc}
-        mtime-workaround.patch)
+        mtime-workaround.patch
+        "https://dev.gentoo.org/~mgorny/dist/python/$_gentoo_patches.tar.xz"
+        py2-ize-the-CJK-codec-test.patch)
 sha512sums=('a7bb62b51f48ff0b6df0b18f5b0312a523e3110f49c3237936bfe56ed0e26838c0274ff5401bda6fc21bf24337477ccac49e8026c5d651e4b4cafb5eb5086f6c'
             'SKIP'
-            '4e761cfd57791e8b72ecdf84c2e03875bf074311130eea5b8e97409fa304fa3468dbd359a511c4e9978e686e662c58054b4174d3e73f845fa9ded2e83a3a8076')
+            '4e761cfd57791e8b72ecdf84c2e03875bf074311130eea5b8e97409fa304fa3468dbd359a511c4e9978e686e662c58054b4174d3e73f845fa9ded2e83a3a8076'
+            'a3cd34f38a717183d9a8d6b91817a6ac989fb8ae4275f35cba4be810813a4c9c45f4e72d16aee33904eddaee77c4719b516392d629d2c4627c840e4ecc6bc121'
+            '67fb8116825f646cbe0f12d9ffb68c2e2006e98721c80c674738315160c0dfdb5f200b8d3229f85dbac2510ba436b0f701e44542ce4494cdd191cd1b8ca0bf0f')
 validpgpkeys=('C01E1CAD5EA2C4F0B8E3571504C367C218ADD4FF')  # Benjamin Peterson
+noextract=("$_gentoo_patches.tar.xz")
 
 prepare() {
+  bsdtar -xf $_gentoo_patches.tar.xz -s /$_gentoo_patches//
+
   cd Python-${pkgver}
 
   # makepkg will touch all files to $SOURCE_DATE_EPOCH which will break pyc file's mtime check.
   # workaround this by touching them to $SOURCE_DATE_EPOCH before running compileall.
   patch -p0 -i ../mtime-workaround.patch
 
+  patch -p1 -i ../0001-bpo-39017-Avoid-infinite-loop-in-the-tarfile-module-.patch #CVE-2019-20907
+  patch -p1 -i ../0002-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch #CVE-2020-8492
+  patch -p1 -i ../0003-bpo-39603-Prevent-header-injection-in-http-methods-G.patch #CVE-2020-26116
+  patch -p1 -i ../0004-bpo-42051-Reject-XML-entity-declarations-in-plist-fi.patch
+  patch -p1 -i ../0005-bpo-41944-No-longer-call-eval-on-content-received-vi.patch #CVE-2020-27619
+  patch -p1 -i ../0006-bpo-40791-Make-compare_digest-more-constant-time.-GH.patch
+  patch -p1 -i ../0007-3.6-closes-bpo-42938-Replace-snprintf-with-Python-un.patch #CVE-2021-3177
+  patch -p1 -i ../0024-3.6-bpo-42967-only-use-as-a-query-string-separator-G.patch #CVE-2021-23336
+  patch -p1 -i ../py2-ize-the-CJK-codec-test.patch
+
   # Temporary workaround for FS#22322
   # See http://bugs.python.org/issue10835 for upstream report
   sed -i "/progname =/s/python/python${_pybasever}/" Python/pythonrun.c