[CLSA-2026:1779881318] Fix CVE(s): CVE-2026-41080, CVE-2026-7210
Type:
security
Severity:
Critical
Release date:
2026-05-27 11:29:12 UTC
Description:
* SECURITY UPDATE: xml.parsers.expat and xml.etree.ElementTree used insufficient entropy (a single Py_hash_t) to seed Expat's hash-flooding protection, allowing a crafted XML document to trigger hash flooding (CWE-331). The CPython side and the libexpat side of the fix are paired: the new XML_SetHashSalt16Bytes call sites are inert unless the linked libexpat exposes the 16-byte salt API. Because alt-python37 statically links the bundled Modules/expat/ tree (libexpat 2.5.0), we backport both halves here.
  - debian/patches/CVE-2026-7210.patch: backport of cpython 24b8f12544 (gh-149018, Stan Ulbrych). Adds the XML_SetHashSalt16Bytes function pointer to the pyexpat CAPI and uses it with 16 bytes of entropy in pyexpat.c and _elementtree.c when the 16-byte salt API is available; falls back to legacy XML_SetHashSalt otherwise. The original upstream conditional only checks XML_COMBINED_VERSION >= 20800; we widen it to also activate when the feature-test macro XML_HAS_SET_HASH_SALT_16_BYTES is defined, which our bundled expat patch exposes (see CVE-2026-41080.patch). On builds that use system libexpat (--with-system-expat, e.g. Alpine), the macro is absent and the version check still applies normally.
  - debian/patches/CVE-2026-41080.patch: backport of libexpat PR #1183 (https://github.com/libexpat/libexpat/pull/1183), restricted to the C sources needed for the bundled static link (Modules/expat/expat.h, internal.h, xmlparse.c). Widens the per-parser salt storage to a full struct sipkey (128 bits) and adds XML_SetHashSalt16Bytes. Also defines the alt-python-specific feature-test macro XML_HAS_SET_HASH_SALT_16_BYTES so the CPython side can detect the backported API without bumping XML_COMBINED_VERSION (the bundled tree still reports 2.5.0). Together with CVE-2026-7210 this activates the 16-byte salt path inside pyexpat / xml.etree against the bundled expat, restoring proper hash-flood mitigation.
  - CVE-2026-7210
  - CVE-2026-41080
Updated packages:
  • alt-python37_3.7.17-20_amd64.deb
    sha:c58a93e0380bf826068566eb6cf10c78aff171d7
  • alt-python37-debug_3.7.17-20_amd64.deb
    sha:604aeeaaaea9ebe4824313655a6413d78b0949fd
  • alt-python37-devel_3.7.17-20_amd64.deb
    sha:c53dfa0b6edb2a9255d708253d64424c7db8160a
  • alt-python37-libs_3.7.17-20_amd64.deb
    sha:8b5bf0e6e25e5d442c8c3a8bff04893ab16fbd92
  • alt-python37-test_3.7.17-20_amd64.deb
    sha:7f34b79a8cfaf8b642cc413c30e7540c14864a70
  • alt-python37-tkinter_3.7.17-20_amd64.deb
    sha:c95a1561898b62c707f33451e06b93525f27c8a9
  • alt-python37-tools_3.7.17-20_amd64.deb
    sha:8a29edc1c1914eb4c3594e634fea76d8028e4a63
  • alt-python37_3.7.17-20_arm64.deb
    sha:5002b0bb6b4329ddc2e39521b1e08c55bd415187
  • alt-python37-debug_3.7.17-20_arm64.deb
    sha:3129637cdfcda630deb9bc16f12e377e3a560266
  • alt-python37-devel_3.7.17-20_arm64.deb
    sha:c1c73d8d7c02ef094da36a3b83cdf1a0cb9c2fdb
  • alt-python37-libs_3.7.17-20_arm64.deb
    sha:4d5d2e29380f6559a08f91c4d5fad64e66cd1fe3
  • alt-python37-test_3.7.17-20_arm64.deb
    sha:263cec99942d01ce84f016c27231e9accf267a46
  • alt-python37-tkinter_3.7.17-20_arm64.deb
    sha:448a10e2fda59da9fe29b588ee654f3d4e2ef92a
  • alt-python37-tools_3.7.17-20_arm64.deb
    sha:c1aaa6e61f4212a516cc8cc110adf306d5d0d79a
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.