Release date:
2026-06-12 10:27:16 UTC
Description:
* SECURITY UPDATE: tarfile AREGTYPE->DIRTYPE misnormalization of multi-block member headers
- debian/patches/CVE-2025-13462.patch: in Lib/tarfile.py, add a dircheck flag to
frombuf()/fromtarfile() and read the follow-up header of GNU long-name and PAX
multi-block members with dircheck=False in _proc_gnulong()/_proc_pax(), so the old-V7
"AREGTYPE name ending in / is a directory" normalization is no longer applied to a
follow-up header based on its truncated name. Prevents a crafted tar archive from being
interpreted differently by tarfile than by other tools. Backport of upstream commit
42d754e34c (gh-141707), the same fix shipped by Debian in DLA-4583-1; applies to 3.7.3
without code changes (the affected functions are structurally identical). Bundles the
upstream regression test test_longname_file_not_directory (test_tarfile.py).
- CVE-2025-13462
* SECURITY UPDATE: C stack overflow in pyexpat via deeply nested DTD content model
- debian/patches/CVE-2026-4224.patch: guard the recursion in Modules/pyexpat.c
conv_content_model() with Py_EnterRecursiveCall()/Py_LeaveRecursiveCall() so a deeply
nested inline DTD content model parsed by an Expat parser with a registered
ElementDeclHandler raises RecursionError instead of crashing the interpreter. Adapted
from upstream commit eb0e8be3a7 (gh-145986); upstream uses the private
_Py_EnterRecursiveCall() API, replaced here with the equivalent public 3.7 macros. The
upstream regression test is not bundled (it needs 3.7-absent test.support helpers and a
500000-deep model); the fix was verified manually.
- CVE-2026-4224
* SECURITY UPDATE: control-character injection in http.cookies (HTTP response splitting)
- debian/patches/CVE-2026-3644.patch: reject control characters (\x00-\x1F, \x7F) in
Lib/http/cookies.py across all Morsel/BaseCookie paths via a new _has_control_character()
helper. CVE-2026-3644 is the incomplete-fix follow-up to CVE-2026-0672 and its upstream
fix (commit 57e88c1cf9, gh-145599) depends on the helper introduced by the CVE-2026-0672
base commit (95746b3a13, gh-143919). 3.7.3 shipped neither fix, so this patch bundles both:
the base validation in Morsel.__setitem__/setdefault/set and BaseCookie.output, plus the
follow-up validation in Morsel.update/__setstate__ and BaseCookie.js_output.
Also closes CVE-2026-0672. The upstream Morsel.__ior__ override is omitted: it only exists
to neutralize dict.__ior__ (PEP 584, Python 3.9+), which 3.7 does not have, so there is no
|= bypass to close. The module docstring doctest and the test_basic keebler fixture in
test_http_cookies.py are updated to drop a \012 control character now rejected by load(),
and the upstream regression tests test_control_characters/test_control_characters_output
are bundled with the test.support.control_characters_c0() helper they require.
- CVE-2026-3644
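As an added illustration of the validation the CVE-2026-3644 entry describes (example code written for this page, not the patch's or CPython's own; the function names `has_control_character`, `safe_set_cookie` and `parse_cookie_header` and the constructed sample inputs are assumptions), the following shows an application-level guard that rejects C0 control characters and DEL in cookie names, values, attributes and inbound Cookie headers before they reach http.cookies, which is what an unpatched 3.7 deployment can do in the meantime:

```python
import re
from http import cookies

# Constructed example, not code from the CVE-2026-3644 patch: the same
# character class the changelog names (\x00-\x1F and \x7F).
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def has_control_character(text: str) -> bool:
    """Return True if text contains a C0 control character or DEL."""
    return _CONTROL_CHARS.search(text) is not None


def safe_set_cookie(jar: cookies.SimpleCookie, key: str, value: str, **attrs) -> str:
    """Validate key, value and every attribute, then store them in jar.

    Returns the rendered Set-Cookie line for the morsel. Raises
    cookies.CookieError (the exception class http.cookies itself uses for
    illegal keys) if any piece carries a control character, so a CR/LF in
    a value or in an attribute such as Path can never reach the header.
    """
    for name, text in (("key", key), ("value", value), *attrs.items()):
        if has_control_character(str(text)):
            raise cookies.CookieError(
                "control character in cookie %s: %r" % (name, text))
    jar[key] = value
    for name, text in attrs.items():
        jar[key][name] = text  # reserved attribute names such as "path"
    return jar[key].OutputString()


def parse_cookie_header(header: str) -> dict:
    """Reject a Cookie request header with control characters, else parse it.

    Returns a plain {name: value} dict built from the parsed morsels.
    """
    if has_control_character(header):
        raise cookies.CookieError("control character in Cookie header")
    jar = cookies.SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


if __name__ == "__main__":
    jar = cookies.SimpleCookie()
    print(safe_set_cookie(jar, "session", "abc123", path="/"))
    print(parse_cookie_header("a=1; b=2"))
    try:
        safe_set_cookie(cookies.SimpleCookie(), "session", "abc\r\nX")
    except cookies.CookieError as exc:
        print("rejected:", exc)
```

The check runs on every path the changelog lists for the patch (set, attribute assignment, load), so the guard does not depend on which Morsel method the patch happened to cover; on a patched interpreter the library raises the same exception class itself and the wrapper simply becomes redundant.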
Updated packages:
- idle-python3.7_3.7.3-2+deb10u7+tuxcare.els5_all.deb (sha: a884b0d26a24691ca0846094152bd3c34d6da959)
- libpython3.7_3.7.3-2+deb10u7+tuxcare.els5_amd64.deb (sha: b8ecaf460df60798cfb89d342cacff8c9c8c250c)
- libpython3.7-dev_3.7.3-2+deb10u7+tuxcare.els5_amd64.deb (sha: 9deae664f05034a439a97d2a9fba23936e730400)
- libpython3.7-minimal_3.7.3-2+deb10u7+tuxcare.els5_amd64.deb (sha: d1199532e2c9101a4f78adb26db7122cc77094f4)
- libpython3.7-stdlib_3.7.3-2+deb10u7+tuxcare.els5_amd64.deb (sha: 9037d9efee86e45134f50fd70c5c31272872dca3)
- libpython3.7-testsuite_3.7.3-2+deb10u7+tuxcare.els5_all.deb (sha: 2f4ad8488571fd6124cf850b63f139bfac480e6a)
- python3.7_3.7.3-2+deb10u7+tuxcare.els5_amd64.deb (sha: dd85f04607f791ef510e2db5af2446f24301b116)
- python3.7-dev_3.7.3-2+deb10u7+tuxcare.els5_amd64.deb (sha: 389caa189ceba45ef4b587f5b26988b6a5825a7d)
- python3.7-doc_3.7.3-2+deb10u7+tuxcare.els5_all.deb (sha: 64da6ae3c233dbc4f56ab407773ce5f6acdc2a04)
- python3.7-examples_3.7.3-2+deb10u7+tuxcare.els5_all.deb (sha: 5932e0599c4e1aab44129a0b8927f55928353d18)
- python3.7-minimal_3.7.3-2+deb10u7+tuxcare.els5_amd64.deb (sha: 07cde4ad4d2647b17ac871afc9210326865b89fc)
- python3.7-venv_3.7.3-2+deb10u7+tuxcare.els5_amd64.deb (sha: 2448e87a9bf013a71b2b0edb1761a2ba4a225b2f)
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.