[CLSA-2026:1779270551] Fix CVE(s): CVE-2026-0672, CVE-2026-3644, CVE-2026-4224
Type: security
Severity: Moderate
Release date: 2026-05-20 09:49:15 UTC
Description:
* SECURITY UPDATE: Modules/pyexpat.c conv_content_model could overflow the C stack when an Expat parser with a registered ElementDeclHandler parsed a deeply nested DTD content model, causing a denial of service.
  - debian/patches/CVE-2026-4224.patch: C-level backport of cpython eb0e8be3a7 (gh-145986, Stan Ulbrych + Bénédikt Tran). Wraps conv_content_model with Py_EnterRecursiveCall / Py_LeaveRecursiveCall so deep nesting raises RuntimeError instead of crashing. The upstream Lib/test/test_pyexpat.py test addition is skipped: it depends on test.support.infinite_recursion(), which only exists in Python 3.x test.support.
  - CVE-2026-4224
* SECURITY UPDATE: Lib/Cookie.py Morsel accepts control characters in reserved-attribute values, in key/value/coded_value via .set(), and via the inherited dict.update() / pickle restoration paths, allowing newline-based HTTP header injection via Set-Cookie. The upstream CVE description and py3 fix target Lib/http/cookies.py (which does not exist in py2); a runtime PoC confirmed that the same vulnerability class is reachable through py2's Cookie module via five distinct write paths.
  - debian/patches/CVE-2026-0672-CVE-2026-3644.patch: py2 adaptation of cpython 95746b3a13 (gh-143919, Seth Larson) and 57e88c1cf9 (gh-145599, Stan Ulbrych + Victor Stinner). Adds a _has_control_character helper and validates at Morsel.__setitem__, .setdefault, .set, an explicit .update and an explicit .__setstate__, and re-validates the assembled output in Morsel.js_output and BaseCookie.output (defence in depth against direct attribute mutation). The py3 __ior__ hunk is not ported (py2 dict has no `|=` operator). The doctest fixture `keebler="...fudge=\012;"` is updated to drop the embedded newline, mirroring the upstream doctest fix.
  - CVE-2026-0672, CVE-2026-3644
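The validation strategy described for the Cookie.py fix, as an added illustration that is not the CloudLinux patch nor CPython's own code: a control-character check applied at every write path of a minimal Morsel-like container (the names `has_control_character`, `SafeMorsel` and `output_string` are assumptions), plus re-validation of the assembled header so a direct attribute mutation cannot bypass it. Written for Python 3 so it can be run as-is.

```python
import re

# Control characters: the C0 range (NUL..US) plus DEL.  A CR or LF inside an
# attribute value would terminate the Set-Cookie header line early, which is
# the header-injection class the advisory describes.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def has_control_character(value):
    """True if value (coerced to str) contains an ASCII control character."""
    return _CONTROL_CHARS.search(str(value)) is not None


class SafeMorsel(dict):
    """Minimal Morsel-like container (assumed name, not Cookie.Morsel) that
    validates on each write path named in the advisory."""

    def __init__(self):
        super().__init__()
        self.key = self.value = self.coded_value = ""

    @staticmethod
    def _check(*fields):
        for f in fields:
            if has_control_character(f):
                raise ValueError("control character in cookie data: %r" % (f,))

    def __setitem__(self, k, v):          # m["path"] = "/"
        self._check(k, v)
        super().__setitem__(k, v)

    def setdefault(self, k, v=None):      # dict.setdefault bypasses __setitem__
        self._check(k, v)
        return super().setdefault(k, v)

    def update(self, *args, **kw):        # dict.update bypasses __setitem__
        for k, v in dict(*args, **kw).items():
            self[k] = v

    def set(self, key, val, coded_val):   # key / value / coded_value path
        self._check(key, val, coded_val)
        self.key, self.value, self.coded_value = key, val, coded_val

    def __setstate__(self, state):        # pickle restoration path
        self.set(state["key"], state["value"], state["coded_value"])

    def output_string(self):
        """Assemble the header and re-validate the result, so that even a
        direct attribute mutation cannot emit a broken Set-Cookie line."""
        parts = ["%s=%s" % (self.key, self.coded_value)]
        parts += ["%s=%s" % (k, self[k]) for k in sorted(self)]
        header = "Set-Cookie: " + "; ".join(parts)
        self._check(header)
        return header
```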
Updated packages:
  • alt-python27_2.7.18-19_amd64.deb
    sha:9f2ca16ed1a9b5f75e087e262305ffbec884f809
  • alt-python27-debug_2.7.18-19_amd64.deb
    sha:77412d0a5f6fc6e5af7dcf8e0064e294e1a3e437
  • alt-python27-devel_2.7.18-19_amd64.deb
    sha:576bea38e15bef74e98c3b7ba3c622356c93d87e
  • alt-python27-idle_2.7.18-19_amd64.deb
    sha:f769a8948e59496a382b1f7abad097846dbae643
  • alt-python27-libs_2.7.18-19_amd64.deb
    sha:ac3f6e36d402ef74346950d8cf50b5474b18b1f2
  • alt-python27-test_2.7.18-19_amd64.deb
    sha:1d0f7de88759957872e8bdd4f2f54d9dfcc155ce
  • alt-python27-tkinter_2.7.18-19_amd64.deb
    sha:0afd9f0d770b22f2c239cd77a5250552a37ba097
  • alt-python27-tools_2.7.18-19_amd64.deb
    sha:bb6bfac416b92518d0601c25d2532750a23bcf03
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.