Release date:
2026-05-20 10:50:37 UTC
Description:
* SECURITY UPDATE: urllib.request.DataHandler accepted data: URLs whose
mediatype contained control characters, allowing newline-based HTTP
header injection downstream.
- debian/patches/CVE-2025-15282.patch: backport of cpython
f25509e78e (gh-143925, Seth Larson). Adds a [\x00-\x1F\x7F]
regex check in data_open() and a matching test_invalid_mediatype.
- CVE-2025-15282
* SECURITY UPDATE: http.cookies.Morsel did not reject control characters
in keys / values / coded_value, allowing cookie injection via
__setitem__, setdefault, set, and BaseCookie.output.
- debian/patches/CVE-2026-0672.patch: backport of cpython
95746b3a13 (gh-143919, Seth Larson). Adds _has_control_character
helper and inserts validation in __setitem__, setdefault, set,
plus a wrap of BaseCookie.OutputString / output.
- CVE-2026-0672
* SECURITY UPDATE: the CVE-2026-0672 fix was incomplete; control
characters could still bypass via Morsel.update(), |=, __setstate__
(pickle), and BaseCookie.js_output().
- debian/patches/CVE-2026-3644.patch: backport of cpython
57e88c1cf9 (gh-145599, Stan Ulbrych + Victor Stinner). Adds
validation to Morsel.update(), defines explicit Morsel.__ior__
(was inherited from dict and bypassed validation), validates
__setstate__ before assigning attributes, and re-validates the
assembled output string in js_output().
- CVE-2026-3644
* SECURITY UPDATE: Modules/pyexpat.c conv_content_model could overflow
the C stack when an Expat parser with a registered ElementDeclHandler
parsed a deeply nested DTD content model, causing a denial-of-service.
- debian/patches/CVE-2026-4224.patch: backport of cpython
eb0e8be3a7 (gh-145986, Stan Ulbrych + Bénédikt Tran). Wraps
conv_content_model with Py_EnterRecursiveCall / Py_LeaveRecursiveCall
so deep nesting raises RecursionError instead of crashing.
- CVE-2026-4224
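
An application-level guard in the spirit of the checks described above, for code that must run before the updated packages are installed. This is an added example, not the backported patch code: `has_control_character`, `set_cookie_checked` and `data_url_mediatype_ok` are hypothetical names, and applying the changelog's `[\x00-\x1F\x7F]` class to cookie fields is an assumption.

```python
import re
from http.cookies import SimpleCookie

# Character class quoted in the changelog for the data_open() check:
# C0 controls (0x00-0x1F) plus DEL (0x7F). Reusing it for cookies is an assumption.
CONTROL_CHARS = re.compile(r"[\x00-\x1F\x7F]")


def has_control_character(*values):
    """Return True if any value contains a C0 control character or DEL."""
    for value in values:
        if isinstance(value, bytes):
            value = value.decode("latin-1")
        if CONTROL_CHARS.search(str(value)):
            return True
    return False


def set_cookie_checked(jar, key, value, **attrs):
    """Hypothetical wrapper: validate every field before it reaches the Morsel."""
    if has_control_character(key, value, *attrs.keys(), *attrs.values()):
        raise ValueError("control character in cookie key, value or attribute")
    jar[key] = value
    for name, attr_value in attrs.items():
        jar[key][name] = attr_value  # Morsel itself rejects unknown attribute names
    return jar[key].OutputString()


def data_url_mediatype_ok(url):
    """Return True only for a data: URL whose mediatype has no control characters."""
    scheme, sep, rest = url.partition(":")
    if not sep or scheme.lower() != "data" or "," not in rest:
        return False
    mediatype = rest.split(",", 1)[0]
    return not has_control_character(mediatype)


if __name__ == "__main__":
    jar = SimpleCookie()
    print(set_cookie_checked(jar, "sid", "abc123", path="/"))
    # Constructed inputs: a cookie value and a mediatype carrying CR LF.
    try:
        set_cookie_checked(jar, "sid2", "abc\r\nx")
    except ValueError as exc:
        print("rejected:", exc)
    print(data_url_mediatype_ok("data:text/plain;charset=utf-8,hello"))
    print(data_url_mediatype_ok("data:text/plain\r\nx,hello"))
```

Because the wrapper validates before any assignment, a rejected cookie never enters the jar, so later calls to `output()` or `js_output()` cannot emit it.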
Updated packages:
- alt-python37_3.7.17-19_amd64.deb
sha:6662051d3d3bdb2bc707de01e8503abaef75863c
- alt-python37-debug_3.7.17-19_amd64.deb
sha:5cefb88ebb0bf85ac9d057286f8b0fdde5753248
- alt-python37-devel_3.7.17-19_amd64.deb
sha:02d4ac72117923d34ac9d731fe36f78f2cb3c29a
- alt-python37-libs_3.7.17-19_amd64.deb
sha:26c1f4e4467faa5bdec7c77b6f8d032d71d34600
- alt-python37-test_3.7.17-19_amd64.deb
sha:712d68521af912a23469f7c3e345ba80757c4299
- alt-python37-tkinter_3.7.17-19_amd64.deb
sha:95e012b6652e0411aea12af0c16bc4b1b8261ed7
- alt-python37-tools_3.7.17-19_amd64.deb
sha:e8a7a21d9112cd7a737aed0f5cd3a5d138d69fc1
- alt-python37_3.7.17-19_arm64.deb
sha:1b27728f952baf709aebf65b210a38ae10ccd801
- alt-python37-debug_3.7.17-19_arm64.deb
sha:7f3da5e30993f6e6fcdb09ff3898b06aa54fa245
- alt-python37-devel_3.7.17-19_arm64.deb
sha:817afd470b301e3c727d93bfca08c810a2c9c506
- alt-python37-libs_3.7.17-19_arm64.deb
sha:bc94f991d43e7852f0b4115d5ebce059e2f29dfd
- alt-python37-test_3.7.17-19_arm64.deb
sha:20afe62bf2a3640ccc484c241ac8d08375395454
- alt-python37-tkinter_3.7.17-19_arm64.deb
sha:b150095876b4c32647747a7ace0fff6701ad3d26
- alt-python37-tools_3.7.17-19_arm64.deb
sha:d932a3e83c66d3c0a69b99d66af02ea78af3ab24
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.