* SECURITY UPDATE: URL parsing accepts ASCII tab/CR/LF (URL smuggling) - debian/patches/CVE-2022-0391.patch: sanitise tab, CR, LF anywhere in URL/scheme inside urlsplit() before cache lookup, plus regression test in Lib/urlparse.py, Lib/test/test_urlparse.py. - CVE-2022-0391 * SECURITY UPDATE: Quadratic complexity in IDNA decoding (DoS) - debian/patches/CVE-2022-45061.patch: replace O(n) outer loop with a single any() guard in nameprep(), plus regression test in Lib/encodings/idna.py, Lib/test/test_codecs.py. - CVE-2022-45061 * SECURITY UPDATE: ReDoS in Cookie._unquote (quadratic backslash parsing) - debian/patches/CVE-2024-7592.patch: replace the quadratic _OctalPatt / _QuotePatt loop with a single linear re.sub-based decoder, plus regression tests in Lib/Cookie.py, Lib/test/test_cookie.py. - CVE-2024-7592 * SECURITY UPDATE: webbrowser.open() argument injection via leading dash - debian/patches/CVE-2026-4519.patch: add BaseBrowser._check_url() and call it from every browser open() to reject URLs whose first non-whitespace char is '-', plus regression test in Lib/webbrowser.py, Lib/test/test_webbrowser.py. Also backports upstream gh-148169 (commit d22922c8a7) to close the %action-substitution bypass: the check is deferred until after %action substitution and the per-arg replace() chain is reordered (%action before %s) so an attacker cannot smuggle a leading dash via the URL. - CVE-2026-4519 * BUILD: replace libdb-dev (<< 1:6.0) with libdb5.3-dev in debian/control{,.in} so the build pulls the explicit Berkeley DB 5.3 development headers available on Ubuntu 20.04 ESM, instead of the virtual libdb-dev package that is no longer satisfied in the ELS build environment.