* SECURITY UPDATE: email BytesGenerator header injection - debian/patches/CVE-2026-1299.patch: verify generated headers in email.generator.BytesGenerator and Generator. Adds the HeaderWriteError exception, NEWLINE_WITHOUT_FWSP / NEWLINE_WITHOUT_FWSP_BYTES regexes, and the Policy.verify_generated_headers attribute, then raises HeaderWriteError when the folded header does not end with the policy linesep or contains a stray newline. Includes the CVE-2024-6923 prerequisite hardening of the string Generator. - CVE-2026-1299 * SECURITY UPDATE: ssl.SSLContext memory race in cert_store_stats / get_ca_certs - debian/patches/CVE-2024-0397.patch: backport the upstream X509_STORE_get1_objects shim and the x509_object_dup helper from cpython 29c97287d205bf2f410f4895ebce3f43b5160524, then switch _ssl__SSLContext_cert_store_stats_impl and _ssl__SSLContext_get_ca_certs_impl to take a deep-copy snapshot of the X509_STORE under lock, freeing the snapshot before returning. Closes a use-after-free triggered by loading certificates concurrently from another thread. - CVE-2024-0397 * SECURITY UPDATE: ipaddress is_private / is_global misclassification - debian/patches/CVE-2024-4032.patch: backport upstream gh-113171 / gh-65056. Update Lib/ipaddress.py to align the _private_networks lists with the IANA special-purpose registries and add _private_networks_exceptions so that is_private / is_global no longer misclassify addresses in 192.0.0.0/24 (with 192.0.0.9 and 192.0.0.10 exceptions), 64:ff9b:1::/48, 2002::/16, and the 2001::/23 sub-range exceptions (2001:1::1, 2001:1::2, 2001:3::/32, 2001:4:112::/48, 2001:20::/28, 2001:30::/28). Includes the matching docs and test updates. - CVE-2024-4032