Release date:
2026-06-03 10:34:22 UTC
Description:
* SECURITY UPDATE: base64.b64decode / urlsafe_b64decode silently
  accepted the '+/' alphabet regardless of altchars.
  - debian/patches/CVE-2025-12781.patch: backport of cpython 3.x
    9060b4ab (gh-125346) - deprecation-only fix that emits a
    DeprecationWarning / FutureWarning when '+' / '/' appear in
    input outside the configured alphabet. Behavior is unchanged,
    matching upstream's deprecation intent.
  - CVE-2025-12781
* SECURITY UPDATE: wsgiref.headers.Headers did not reject control
  characters in header names / values.
  - debian/patches/CVE-2026-0865.patch: combined backport of cpython
    22e4d552 (gh-143916, the initial fix that adds a control-char
    regex check in _convert_string_type) and follow-up 83ecd187
    (gh-144762, "Allow HTAB in wsgiref header values" per RFC 9110
    Section 5.5). Splits the regex into _name_disallowed_re and
    _value_disallowed_re, threads a keyword-only `name` parameter
    through _convert_string_type, and updates every caller to pass
    name=True or name=False. HTAB is now allowed in header values
    but still rejected in header names; LF / CR / DEL remain
    rejected in both.
  - CVE-2026-0865
* SECURITY UPDATE: http.client did not reject CR/LF in HTTPConnection
  CONNECT tunnel host / headers, enabling request injection.
  - debian/patches/CVE-2026-1502.patch: backport of cpython
    05ed7ce7 (gh-146211). Validates the tunnel host and each
    tunnel header name / value via _is_legal_header_name /
    _is_illegal_header_value before sending.
  - CVE-2026-1502
* SECURITY UPDATE: http.cookies.Morsel.js_output() emitted an inline
  intact.
  - debian/patches/CVE-2026-6019.patch: backport of cpython
    f795e042 (gh-90309). Base64-encodes the cookie value and emits
    a self-decoding JavaScript stub instead of an unescaped string
    literal. Builds on top of the CVE-2026-3644 control-character
    validation that the repo already carries.
  - CVE-2026-6019
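The name/value split described for CVE-2026-0865, as an added sketch that is not the code from the patch or from CPython. The exact character classes are an assumption drawn from the changelog's wording, and `convert_string_type`, `audit` and the sample headers are constructed for illustration.

```python
import re

# Assumed character classes: the changelog states only that control characters
# are rejected, HTAB is allowed in values, and LF / CR / DEL are rejected in both.
NAME_DISALLOWED = re.compile(r"[\x00-\x1f\x7f]")            # all C0 controls and DEL
VALUE_DISALLOWED = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")  # same set minus HTAB (\x09)


def convert_string_type(value, *, name):
    """Return value unchanged if legal for its position, else raise ValueError.

    `name` is keyword-only, mirroring the parameter the changelog describes.
    """
    if not isinstance(value, str):
        raise TypeError("header names and values must be str, got %r" % type(value))
    pattern = NAME_DISALLOWED if name else VALUE_DISALLOWED
    match = pattern.search(value)
    if match:
        kind = "name" if name else "value"
        raise ValueError("control character %r in header %s" % (match.group(), kind))
    return value


def audit(headers):
    """Check (name, value) pairs; return a list of (name, verdict) tuples."""
    results = []
    for header_name, header_value in headers:
        try:
            convert_string_type(header_name, name=True)
            convert_string_type(header_value, name=False)
            results.append((header_name, "ok"))
        except ValueError as exc:
            results.append((header_name, "rejected: %s" % exc))
    return results


# Constructed sample headers, not taken from real traffic.
SAMPLES = [
    ("X-Folded", "part one\tpart two"),      # HTAB in a value: allowed
    ("X\tName", "value"),                    # HTAB in a name: rejected
    ("Location", "/next\r\nX-Injected: 1"),  # CR/LF in a value: rejected
    ("X-Del", "abc\x7f"),                    # DEL in a value: rejected
]

if __name__ == "__main__":
    for header_name, verdict in audit(SAMPLES):
        print(repr(header_name), "->", verdict)
```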
Updated packages:
- alt-python37_3.7.17-23_amd64.deb
  sha:5cbf8e008ffe42ca28a162c0bc6f6d9eac3fcb2b
- alt-python37-debug_3.7.17-23_amd64.deb
  sha:58f328254ac507b6ad75bdbce7083904931e6d00
- alt-python37-devel_3.7.17-23_amd64.deb
  sha:0decd8b9a137793fb992d8ef0ac23759b0f57999
- alt-python37-libs_3.7.17-23_amd64.deb
  sha:2dd350b5f0e9c531d956408a6c5ad800a5f16d6e
- alt-python37-test_3.7.17-23_amd64.deb
  sha:44a02c4c8758e2e3ddd63a8019bda830e3b76dd5
- alt-python37-tkinter_3.7.17-23_amd64.deb
  sha:a2672efda3192018c0342040de23d043ef7e814e
- alt-python37-tools_3.7.17-23_amd64.deb
  sha:21187cb6b85716c7480d3056ee0b9f814bde519b
- alt-python37_3.7.17-23_arm64.deb
  sha:35492cacda4f0e02b2988523f6cf9c88b83a36f1
- alt-python37-debug_3.7.17-23_arm64.deb
  sha:f094893086aad77fb7c205b9db6425fed28042e7
- alt-python37-devel_3.7.17-23_arm64.deb
  sha:ce0fb9f4992d7030b8f7a91644101ff5f7a70b4f
- alt-python37-libs_3.7.17-23_arm64.deb
  sha:d266f3c9f2501fc840651f6723a94b46b0207b72
- alt-python37-test_3.7.17-23_arm64.deb
  sha:7f4a5b1beddc97ae821b98e74f47bb559a3c9f33
- alt-python37-tkinter_3.7.17-23_arm64.deb
  sha:6d50953af23ec5f34621580aa323b5e29b63b51e
- alt-python37-tools_3.7.17-23_arm64.deb
  sha:c2bcaa706f63ce947b745438086789e61aa46a72
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.