Release date:
2025-10-10 10:52:59 UTC
Description:
* SECURITY UPDATE: DoS in case of malicious XML entity declarations
- debian/patches/CVE-2022-48565.patch: reject XML entity declarations
in plist files
- CVE-2022-48565
* SECURITY UPDATE: Bypassing blocklisting methods by supplying a URL
that starts with blank characters
- debian/patches/CVE-2023-24329.patch,
debian/patches/CVE-2023-24329-2.patch: prevent urllib.parse.urlparse
from accepting schemes that don't begin with an alphabetical ASCII
character
- CVE-2023-24329
* SECURITY UPDATE: ReDoS via specifically-crafted tar archives
- debian/patches/CVE-2024-6232.patch: remove backtracking when parsing
tarfile
- CVE-2024-6232
* SECURITY UPDATE: Excessive CPU usage while parsing a cookie value
- debian/patches/CVE-2024-7592.patch: fix quadratic complexity in
parsing double-quoted cookie values with backslashes
- CVE-2024-7592
* SECURITY UPDATE: CPU DoS by crafting inputs to the IDNA decoder
- debian/patches/CVE-2022-45061.patch: fix quadratic time idna
decoding
- CVE-2022-45061
* SECURITY UPDATE: Use-after-free via heappushpop in heapq
- debian/patches/CVE-2022-48560.patch: fix possible crash in heapq with
custom comparison operators
- debian/patches/CVE-2022-48560-2.patch: add tests for CVE-2022-48560
- CVE-2022-48560
* SECURITY UPDATE: DoS by HTTP client infinite line reading from
malicious server after a 100 Continue response
- debian/patches/CVE-2021-3737.patch: stop reading a header if it's
too long
- CVE-2021-3737
* SECURITY UPDATE: A flaw in the urllib.parse module
- debian/patches/CVE-2022-0391.patch: make urlparse sanitize URLs
containing ASCII newline and tabs
- CVE-2022-0391
Updated packages:
- alt-python27_2.7.18-6_amd64.deb
  sha:caf12aff2ee4183d9c5e7cb1556b30abff4a8b5b
- alt-python27-debug_2.7.18-6_amd64.deb
  sha:05506e4e73111f1d20bfcf4497c897f34c715f24
- alt-python27-devel_2.7.18-6_amd64.deb
  sha:97fe0fcedca07898a5b4f870419bfadf60814edc
- alt-python27-idle_2.7.18-6_amd64.deb
  sha:a4fd93ad0efcab7a2fa40be92780bd721e94f632
- alt-python27-libs_2.7.18-6_amd64.deb
  sha:f8f4a81cd9b544c2b611ae62a79f5818caa0670f
- alt-python27-test_2.7.18-6_amd64.deb
  sha:dbc416753ac3570d9049c7a8c9a61453a7a9ea0e
- alt-python27-tkinter_2.7.18-6_amd64.deb
  sha:87fffa486386b1541638d27742fe5c62ea936e02
- alt-python27-tools_2.7.18-6_amd64.deb
  sha:aff55bfa1716a9013d965b9adccf1ba87437e798
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the CloudLinux Packaging Team.