- ``python -m http.server`` no longer allows terminal control characters sent
  within a garbage request to be printed to the stderr server log. This is done
  by changing the :mod:`http.server` :class:`BaseHTTPRequestHandler`
  ``.log_message`` method to replace control characters with a ``\xHH`` hex
  escape before printing.

- Avoid publishing the list of active per-interpreter audit hooks via the
  :mod:`gc` module.

- The IDNA codec decoder used on DNS hostnames by :mod:`socket` or
  :mod:`asyncio` related name resolution functions no longer involves a
  quadratic algorithm. This prevents a potential CPU denial of service if an
  out-of-spec, excessively long hostname involving bidirectional characters
  were decoded. Some protocols, such as :mod:`urllib` HTTP 3xx redirects,
  potentially allow an attacker to supply such a name.

- Update bundled libexpat to 2.5.0.

- Port XKCP's fix for the buffer overflows in SHA-3 (CVE-2022-37454).

- The deprecated :mod:`mailcap` module now refuses to inject unsafe text
  (filenames, MIME types, parameters) into shell commands. Instead of using
  such text, it will warn and act as if a match was not found (or, for test
  commands, as if the test failed).
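The control-character escaping described in the first entry, as an added example that is not CPython's own code (the translation table follows the same ``\xHH`` approach; the log line format is simplified and omits the timestamp, and the sample request line is constructed):

```python
import itertools

# Constructed sample: a garbage request line carrying an ANSI clear-screen
# sequence and a carriage return, as a client could send to python -m http.server.
SAMPLE_REQUESTLINE = "GET /\x1b[2J\r200 OK HTTP/1.0"

# Translation table in the spirit of the CPython fix: C0 controls (0x00-0x1f),
# DEL (0x7f) and C1 controls (0x80-0x9f) become \xHH; a literal backslash is
# doubled so an escaped sequence can never be confused with a real backslash.
_CONTROL_CHAR_TABLE = str.maketrans(
    {c: fr"\x{c:02x}" for c in itertools.chain(range(0x20), range(0x7F, 0xA0))}
)
_CONTROL_CHAR_TABLE[ord("\\")] = r"\\"


def escape_control_chars(message: str) -> str:
    """Return message with every terminal control character made visible."""
    return message.translate(_CONTROL_CHAR_TABLE)


def format_log_line(client_ip: str, requestline: str, code: int, size: str = "-") -> str:
    """Build a log line shaped like BaseHTTPRequestHandler.log_request output
    (timestamp omitted), sanitizing the message before it would reach stderr."""
    message = '"%s" %s %s' % (requestline, code, size)
    return "%s - - %s" % (client_ip, escape_control_chars(message))


def contains_control_chars(text: str) -> bool:
    """Check a log line for raw control characters (what the fix prevents)."""
    return any(ord(ch) < 0x20 or 0x7F <= ord(ch) < 0xA0 for ch in text)


if __name__ == "__main__":
    unsafe = '"%s" %s %s' % (SAMPLE_REQUESTLINE, 400, "-")
    safe = format_log_line("127.0.0.1", SAMPLE_REQUESTLINE, 400)
    print("raw control chars in unsanitized line:", contains_control_chars(unsafe))
    print("raw control chars in sanitized line:  ", contains_control_chars(safe))
    print(safe)
```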