Release date: 2026-06-10 14:49:47 UTC
Description:
  * SECURITY UPDATE: command injection via control characters in imaplib
    - debian/patches/CVE-2025-15366-CVE-2025-15367.patch: backport of
      cpython 6262704b (gh-143921, Seth Michael Larson).
      imaplib.IMAP4._command() concatenated each argument into the
      wire-level command without inspecting it, so user-controlled text
      (e.g. a username passed to IMAP4.login()) containing CR/LF or other
      control characters could inject a second IMAP command. Adds a
      module-level _control_chars regex to Lib/imaplib.py and a guard in
      _command() that rejects any argument containing a byte in
      [\x00-\x1F\x7F] with ValueError before concatenation. Adds a
      test_control_characters regression test to Lib/test/test_imaplib.py.
    - CVE-2025-15366
  * SECURITY UPDATE: command injection via control characters in poplib
    - debian/patches/CVE-2025-15366-CVE-2025-15367.patch: backport of
      cpython b234a2b6 (gh-143923, Seth Michael Larson).
      poplib.POP3._putcmd() sent its argument to the server without
      inspecting it, so user-controlled text passed to
      user()/pass_()/apop()/rpop()/top() could inject a second POP3
      command. Adds a guard in _putcmd() (Lib/poplib.py) that rejects any
      argument containing a byte in [\x00-\x1F\x7F] with ValueError before
      sending. Adds a test_control_characters regression test to
      Lib/test/test_poplib.py.
    - CVE-2025-15367
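The guard described in the changelog, modelled as an added example (not the patch itself and not CPython's code): a simplified command builder with and without the [\x00-\x1F\x7F] check. The function names, the tag values and the sample arguments are constructed for illustration; the code runs on Python 2.7 and 3.

```python
import re

# Byte class named in the changelog: C0 control characters plus DEL.
CONTROL_CHARS = re.compile(br"[\x00-\x1f\x7f]")


def build_unchecked(tag, name, *args):
    """Model of the pre-patch behaviour: arguments are joined as-is."""
    return b" ".join((tag, name) + args) + b"\r\n"


def build_checked(tag, name, *args):
    """Model of the patched behaviour: reject before concatenation."""
    for arg in args:
        if CONTROL_CHARS.search(arg):
            raise ValueError(
                "control character in command argument: %r" % (arg,))
    return build_unchecked(tag, name, *args)


def wire_lines(data):
    """Split outgoing bytes into the command lines a server would parse."""
    return [line for line in data.split(b"\r\n") if line]


def audit(values):
    """Return the stored values a patched client would refuse to send."""
    return [v for v in values if CONTROL_CHARS.search(v)]


if __name__ == "__main__":
    # Constructed sample: a username field carrying CR/LF and a harmless NOOP.
    tainted = b"alice\r\nA002 NOOP"
    print(wire_lines(build_unchecked(b"A001", b"LOGIN", tainted, b"pw")))
    try:
        build_checked(b"A001", b"LOGIN", tainted, b"pw")
    except ValueError as exc:
        print("rejected: %s" % exc)
    # TAB is inside the rejected range too, so check stored mailbox
    # credentials for it before rolling the update out.
    print(audit([b"alice", b"bob\x7f", b"tab\there"]))
```

Because the patched functions raise ValueError instead of sending, callers that pass user-supplied usernames or passwords should handle that exception as an input-validation failure.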
Updated packages:
- alt-python27_2.7.18-21_amd64.deb
  sha:d0c353edeae7d4059c99d53cc1bfe62ba29b8bbf
- alt-python27-debug_2.7.18-21_amd64.deb
  sha:fa9a0af73766eda0d08ff02e596b37a086a023ed
- alt-python27-devel_2.7.18-21_amd64.deb
  sha:12ec2b2f792b5758f04fcece821d256d808aa2c1
- alt-python27-idle_2.7.18-21_amd64.deb
  sha:d8e9613c1642a0f230bb2b9cca3809a7085e0477
- alt-python27-libs_2.7.18-21_amd64.deb
  sha:8cbc84f96fb8cd77d08dddec00d2dda9bd0b2d4f
- alt-python27-test_2.7.18-21_amd64.deb
  sha:1c8154f919a4652ddbb911d3dfa0b63051c2bc95
- alt-python27-tkinter_2.7.18-21_amd64.deb
  sha:00c1be33eb57cbb9ccf4838aba4b4ff49fa0086f
- alt-python27-tools_2.7.18-21_amd64.deb
  sha:1b2bab3eb64621522c40e21af8592e7f2e38fac0
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.