Release date:
2026-05-27 11:45:29 UTC
Description:
* SECURITY UPDATE: CVE-2026-7210 + CVE-2026-41080 (paired): backport the
  libexpat 16-byte salt API (XML_SetHashSalt16Bytes) into bundled expat 2.2.8
  and wire pyexpat/_elementtree to use it. Together these restore proper
  hash-flood mitigation. xml.parsers.expat and xml.etree.ElementTree previously
  used only the legacy 8-byte XML_SetHashSalt API; that salt is brute-forceable
  with modern hardware, allowing a crafted XML document to trigger hash
  collisions and a denial of service.
  - debian/patches/CVE-2026-7210.patch: backport of cpython 24b8f12544
    (gh-149018, Stan Ulbrych). Switches pyexpat and _elementtree to
    XML_SetHashSalt16Bytes when built/linked against libexpat >= 2.8.0, falling
    back to the legacy XML_SetHashSalt on older expat. Adds a hashsalt16[16]
    field to _Py_HashSecret_t in Include/object.h (seeded by _PyRandom_Init
    alongside prefix / suffix) and a NULL-able SetHashSalt16Bytes function
    pointer in the pyexpat CAPI struct so _elementtree can dispatch at runtime.
    No upstream backport to 2.7 exists; upstream backports landed only to
    3.14 / 3.15.
  - debian/patches/CVE-2026-41080.patch: backport of libexpat PR #1183 into
    the bundled Modules/expat/ tree (libexpat 2.2.8). Widens m_hash_secret_salt
    from `unsigned long` to a 128-bit `struct sipkey` and adds the new public
    XML_SetHashSalt16Bytes() entry point. Since pyexpat.so / _elementtree.so
    are statically linked against this tree, the cpython half now consumes
    full 16-byte entropy without requiring an external libexpat >= 2.8.0 at
    runtime.
- CVE-2026-7210
- CVE-2026-41080
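The runtime dispatch the first patch describes (a NULL-able SetHashSalt16Bytes pointer in the pyexpat CAPI struct, with fallback to the legacy 8-byte XML_SetHashSalt on older expat), as an added C illustration; this is not CPython's or libexpat's own code, and the struct and function names are hypothetical stand-ins for the real ones.

```c
#include <string.h>
#define SALT16_LEN 16
/* Stand-in for _Py_HashSecret_t after the patch: legacy prefix/suffix plus
 * the new hashsalt16 field, all filled by the interpreter's startup RNG. */
typedef struct {
    unsigned long prefix, suffix;
    unsigned char hashsalt16[SALT16_LEN];
} hash_secret_t;
/* Hypothetical stand-in for an expat parser; records which salt it received. */
typedef struct {
    unsigned long legacy_salt;
    unsigned char salt16[SALT16_LEN];
    int salt_bits;  /* 0 = none, 64 = legacy XML_SetHashSalt, 128 = 16-byte API */
} xml_parser_t;
/* Stand-ins for XML_SetHashSalt (8-byte) and XML_SetHashSalt16Bytes. */
static int legacy_set_salt(xml_parser_t *p, unsigned long salt) {
    p->legacy_salt = salt; p->salt_bits = 64; return 1;
}
static int set_salt16(xml_parser_t *p, const unsigned char *salt) {
    memcpy(p->salt16, salt, SALT16_LEN); p->salt_bits = 128; return 1;
}
/* Stand-in for the pyexpat CAPI struct: SetHashSalt16Bytes is NULL when the
 * linked libexpat lacks the 16-byte entry point, so _elementtree must check. */
typedef struct {
    int (*SetHashSalt)(xml_parser_t *, unsigned long);
    int (*SetHashSalt16Bytes)(xml_parser_t *, const unsigned char *);
} expat_capi_t;
/* Runtime dispatch as the patch describes; returns the salt width installed. */
int install_hash_salt(const expat_capi_t *capi, xml_parser_t *p,
                      const hash_secret_t *s) {
    if (capi->SetHashSalt16Bytes != NULL) {
        capi->SetHashSalt16Bytes(p, s->hashsalt16);
        return 128;
    }
    capi->SetHashSalt(p, s->prefix);  /* fallback: brute-forceable 64-bit salt */
    return 64;
}
/* Demo with a constructed secret: salt width obtained against a libexpat that
 * has (1) or lacks (0) the 16-byte API; -1 if the parser got the wrong salt. */
int salt_bits_for(int has_salt16_api) {
    hash_secret_t s = { 0x12345678UL, 0x9abcdef0UL, {0} };
    for (int i = 0; i < SALT16_LEN; i++) s.hashsalt16[i] = (unsigned char)(0xa0 + i);
    expat_capi_t capi = { legacy_set_salt, has_salt16_api ? set_salt16 : NULL };
    xml_parser_t p; memset(&p, 0, sizeof p);
    int bits = install_hash_salt(&capi, &p, &s);
    if (bits != p.salt_bits) return -1;
    if (bits == 128 && memcmp(p.salt16, s.hashsalt16, SALT16_LEN) != 0) return -1;
    if (bits == 64 && p.legacy_salt != s.prefix) return -1;
    return bits;
}
```

A build of pyexpat that reports 64 here is exactly the pre-patch state; the second patch removes that case for the bundled tree by giving expat 2.2.8 the 16-byte entry point.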
Updated packages:
- alt-python27_2.7.18-20_amd64.deb (sha: 3c1ea9b7c1a43042dafabbdf04fca989d95ced92)
- alt-python27-debug_2.7.18-20_amd64.deb (sha: e9d6953a4c06dd201b2815b10dd61aca7f5cfc9d)
- alt-python27-devel_2.7.18-20_amd64.deb (sha: 220eb0d87f8ab12ed05953aeec94ca308bac5e26)
- alt-python27-idle_2.7.18-20_amd64.deb (sha: b29fd781b9eca2a536ab6379f204e7f5545ec256)
- alt-python27-libs_2.7.18-20_amd64.deb (sha: 25fbdb89b47026adac794a74235813b19ade53e8)
- alt-python27-test_2.7.18-20_amd64.deb (sha: 9d774ed896e64ee7c8151a9da93746cde07543c6)
- alt-python27-tkinter_2.7.18-20_amd64.deb (sha: e31635a8ee9920038c54156df781fad916ac1e50)
- alt-python27-tools_2.7.18-20_amd64.deb (sha: 7c84ec6c36bc640332b11bdd1fdc078b05e36706)
- alt-python27_2.7.18-20_arm64.deb (sha: 64781cc91dbb4c542d6fd6a55d3b01f6911c48c1)
- alt-python27-debug_2.7.18-20_arm64.deb (sha: 4e03c5cb8908bcd338f02c8a479c37a94e898101)
- alt-python27-devel_2.7.18-20_arm64.deb (sha: c54f374660af56fb6a5dd5aa8f55c5c98ae79827)
- alt-python27-idle_2.7.18-20_arm64.deb (sha: ba81ffdbb770578f1203707b2867b7ce13352be3)
- alt-python27-libs_2.7.18-20_arm64.deb (sha: a4b917230017f525b4ab69558cd2b3709ca0fc9b)
- alt-python27-test_2.7.18-20_arm64.deb (sha: 96e00a7b09c71cb665379175aa95d670adfb58b5)
- alt-python27-tkinter_2.7.18-20_arm64.deb (sha: b5168f20dc668ba689fc2a776d23dff49da0f991)
- alt-python27-tools_2.7.18-20_arm64.deb (sha: da6dcede62f80674f0aa00129bf7117e1323deac)
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.