Release date:
2026-06-03 18:22:52 UTC
Description:
* SECURITY UPDATE: tarfile applied AREGTYPE -> DIRTYPE normalization
  even during multi-block GNU long members (GNUTYPE_LONGNAME /
  GNUTYPE_LONGLINK), enabling a parsing differential vs. other tar
  implementations.
  - debian/patches/CVE-2025-13462.patch: backport of cpython
    42d754e3 (gh-143934, Seth Larson + Eashwar Ranganathan).
    Threads a dircheck flag through frombuf / fromtarfile so
    normalization is skipped on the inner header during GNU long
    name / link handling.
  - CVE-2025-13462
* SECURITY UPDATE: wsgiref.headers.Headers did not reject control
  characters in header names / values, allowing HTTP header
  injection from WSGI applications.
  - debian/patches/CVE-2026-0865.patch: combined backport of
    cpython f7fceed7 (gh-143917) which adds the control-char regex
    check, 66da7bf6 (gh-143916 HTAB follow-up) which splits the
    check so HTAB is allowed in header values (RFC 9110 Section
    5.5) but still rejected in header names, plus d931725b
    (gh-144370) which disallows control characters in status in
    wsgiref.handlers.start_response.
  - CVE-2026-0865
* SECURITY UPDATE: http.client did not reject CR/LF in HTTPConnection
  CONNECT tunnel host / per-tunnel-header values, enabling request
  injection through a proxy tunnel.
  - debian/patches/CVE-2026-1502.patch: backport of cpython
    05ed7ce7 + b1cf9016 (gh-146212, Seth Larson). Adapted to 3.6's
    per-line self.send() form (no headers=[] list in _tunnel until
    3.9+). Validates _tunnel_host and per-header name / value in
    _tunnel().
  - CVE-2026-1502
* SECURITY UPDATE: http.cookies.Morsel.js_output() emitted an inline
  intact,
  enabling HTML injection when a cookie value contains .
  - debian/patches/CVE-2026-6019.patch: backport of cpython
    76b3923d (gh-148848, Seth Larson). Base64-encodes the cookie
    value and emits document.cookie = atob("...") instead of
    pasting the raw cookie string into the JavaScript snippet.
    Composes on top of CVE-2026-3644's js_output() control-character
    recheck (preserved).
  - CVE-2026-6019
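
An application-level guard for the header-injection class in the CVE-2026-0865 entry above, as an added example (not code from the patch or from CPython): a WSGI middleware that rejects control characters in the status, header names and header values before they reach the server, allowing HTAB in values only. The names HeaderGuard, check_response, demo_app and run, the X-Lang header, the exact character classes and the strict treatment of the status line are assumptions of this example.

```python
import re

# Assumed character classes (this example's own, not copied from the patch):
# C0 controls and DEL; header values may additionally carry HTAB (RFC 9110 5.5).
_CTL_STRICT = re.compile(r"[\x00-\x1f\x7f]")
_CTL_VALUE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def check_response(status, headers):
    """Raise ValueError if status or any header name/value has control chars."""
    if _CTL_STRICT.search(status):
        raise ValueError("control character in status: %r" % status)
    for name, value in headers:
        if _CTL_STRICT.search(name):
            raise ValueError("control character in header name: %r" % name)
        if _CTL_VALUE.search(value):
            raise ValueError("control character in header value: %r" % value)


class HeaderGuard:
    """WSGI middleware (hypothetical name): validate, then call start_response."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def guarded(status, headers, exc_info=None):
            check_response(status, headers)
            return start_response(status, headers, exc_info)
        return self.app(environ, guarded)


def demo_app(environ, start_response):
    # Constructed sample app: reflects a request-supplied value into a header.
    lang = environ.get("HTTP_X_LANG", "en")
    start_response("200 OK", [("Content-Type", "text/plain"), ("X-Lang", lang)])
    return [b"ok"]


def run(app, environ):
    """Drive one request; return the status, headers and body a server would see."""
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, headers
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body
```

Wrapping an application as `HeaderGuard(app)` turns a header containing CR/LF into a ValueError inside the application's request handling, which is useful as defence in depth on interpreters that have not yet received this update.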
Updated packages:
- alt-python36_3.6.15-37_amd64.deb
  sha:0b8356a0051a53b7dbc26d45d5cd6c6cfd8fdda3
- alt-python36-debug_3.6.15-37_amd64.deb
  sha:ead6dd871e57a581865c8fdfccbd65e5e4261307
- alt-python36-devel_3.6.15-37_amd64.deb
  sha:6eab4e05415a3c4325ec7f5ad3e2498d2c847d32
- alt-python36-libs_3.6.15-37_amd64.deb
  sha:52e48acc3084ee518b8aad35d8639b4c9123eadb
- alt-python36-test_3.6.15-37_amd64.deb
  sha:e6eccf46cb09f4070c8be032edf25e3e0023391d
- alt-python36-tkinter_3.6.15-37_amd64.deb
  sha:648b57289057a49dc90dca36ae16026d8ae33fdd
- alt-python36-tools_3.6.15-37_amd64.deb
  sha:d941bf3ad0216fc1ecea8baabf7f2422e13f78d9
- alt-python36_3.6.15-37_arm64.deb
  sha:f159a47a2b94b2a84688241497626c379710eea0
- alt-python36-debug_3.6.15-37_arm64.deb
  sha:e50b046f1743e5052641ab1133e5ee12aaa51d6b
- alt-python36-devel_3.6.15-37_arm64.deb
  sha:a6d543f36e30acd6862ee860d21a0c6ca2590bed
- alt-python36-libs_3.6.15-37_arm64.deb
  sha:c36c1729766902beeae20d8bf09a52ade3e7a99e
- alt-python36-test_3.6.15-37_arm64.deb
  sha:b0cbefe4bc7307f820161255248786346b3662f0
- alt-python36-tkinter_3.6.15-37_arm64.deb
  sha:becbdae676f5c6cc3d33881f683ccc2b91674fb2
- alt-python36-tools_3.6.15-37_arm64.deb
  sha:bb7b1ac0ef28acfca60856c9b992eac85da12861
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.