[CLSA-2026:1779875912] Fix CVE(s): CVE-2026-41080, CVE-2026-7210
Type:
security
Severity:
Critical
Release date:
2026-05-27 09:58:38 UTC
Description:
* SECURITY UPDATE: CVE-2026-7210 + CVE-2026-41080 (paired) — backport the libexpat 16-byte salt API (XML_SetHashSalt16Bytes) into bundled expat 2.4.1 and wire pyexpat/_elementtree to use it. Together these restore proper hash-flood mitigation for xml.parsers.expat and xml.etree.ElementTree.
  - debian/patches/CVE-2026-7210.patch: backport of cpython 24b8f12544 (gh-149018, Stan Ulbrych). Adds a new 16-byte _Py_HashSecret.expat.hashsalt16 slot in Include/pyhash.h (overlapping the existing padding), extends the PyExpat CAPI in Include/pyexpat.h with SetHashSalt16Bytes, and prefers the new API in Modules/pyexpat.c and Modules/_elementtree.c when built against libexpat exposing it; falls back to the legacy XML_SetHashSalt path otherwise. The two XML_COMBINED_VERSION gates are extended with `|| defined(XML_HAS_HASHSALT16BYTES_BACKPORT)` so the new code path activates against the bundled patched libexpat without bumping its advertised version, while --with-system-expat builds (Alpine) keep the upstream `>= 20800` semantics.
  - debian/patches/CVE-2026-41080.patch: backport of libexpat PR #1183. Widens the parser's internal hash salt from `unsigned long m_hash_secret_salt` to a full `struct sipkey m_hash_secret_salt_128` (+ an m_hash_secret_salt_set flag), adds the new XML_SetHashSalt16Bytes API and the matching XML_HAS_HASHSALT16BYTES_BACKPORT marker in expat.h, and namespaces the new symbol via pyexpatns.h. Applied to bundled Modules/expat/; on Alpine `prepare()` deletes Modules/expat after the patch, so the libexpat backport is a no-op there and the system libexpat decides whether the new API is available.
  - CVE-2026-7210
  - CVE-2026-41080
Updated packages:
  • alt-python36_3.6.15-34_amd64.deb
    sha:6cad9850fa998e008c1ac0a5609fbe9f054361c9
  • alt-python36-debug_3.6.15-34_amd64.deb
    sha:d9633f582cb110a0522ba95d8ce0faeaef72e841
  • alt-python36-devel_3.6.15-34_amd64.deb
    sha:3571026c3d6827d6777ebd9e224568bd35cf7222
  • alt-python36-libs_3.6.15-34_amd64.deb
    sha:afb548710537c5c4cd03acb7dfbc352e6ec31de7
  • alt-python36-test_3.6.15-34_amd64.deb
    sha:feb6f89e29ae97fe9335a40de10724ecbec1afe2
  • alt-python36-tkinter_3.6.15-34_amd64.deb
    sha:c041ea176203b2080060190106168c0091c89341
  • alt-python36-tools_3.6.15-34_amd64.deb
    sha:a39136344a962d147726aedd4982c255e4019814
  • alt-python36_3.6.15-34_arm64.deb
    sha:dceec4f288750d1034f3779aee5e14a5aac8ec4d
  • alt-python36-debug_3.6.15-34_arm64.deb
    sha:8d12f232bc24b48f17955223ceee9840d166f524
  • alt-python36-devel_3.6.15-34_arm64.deb
    sha:26983707128572a6454288703c6638f228fd6c25
  • alt-python36-libs_3.6.15-34_arm64.deb
    sha:b274bedda50642a1182b8434ecac7d831c5ad8a9
  • alt-python36-test_3.6.15-34_arm64.deb
    sha:c62ce1e5100b4ee6c64b9965e6bdd6f18ab379b9
  • alt-python36-tkinter_3.6.15-34_arm64.deb
    sha:c0c1f4c6f2b5f3aed142ad60e7cdc84406fcbdb3
  • alt-python36-tools_3.6.15-34_arm64.deb
    sha:10084826e562f985de49ce2c9399ee70fecf0967
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.