Merge version 3.9.2-1+rpi1+deb11u6 and 3.9.2-1+deb11u7 to produce 3.9.2-1+rpi1+deb11u7

diff --cc debian/changelog
index e2ea4f20e1c11de7944be4534724686897ed7ab6,13b74d388e1b3fb4ca748944219d16b8bcadd503..69ae2a44ebcd125e5b6db5d7591f9dab0dd7e87b
--- 1/debian/changelog
--- 2/debian/changelog
+++ b/debian/changelog
@@@ -1,9 -1,17 +1,24 @@@
- python3.9 (3.9.2-1+rpi1+deb11u6) bullseye-staging; urgency=medium
++python3.9 (3.9.2-1+rpi1+deb11u7) bullseye-staging; urgency=medium
 +
 +  [changes brought forward from 3.9.0~b5-2+rpi1 by Peter Michael Green <plugwash@raspbian.org> at Thu, 30 Jul 2020 10:10:07 +0000]
 +  * Disable testsuite (test_concurrent_futures seems to hang)
 +
-  -- Raspbian forward porter <root@raspbian.org>  Thu, 16 Apr 2026 14:02:46 +0000
++ -- Raspbian forward porter <root@raspbian.org>  Mon, 18 May 2026 18:09:43 +0000
++
+ python3.9 (3.9.2-1+deb11u7) bullseye-security; urgency=high
+ 
+   * Non-maintainer upload by the LTS Team.
+   * Apply upstream patches for the following CVEs:
+     - CVE-2025-13462: Incorrect parsing of TarInfo header when GNU long name
+       and type AREGTYPE are combined
+     - CVE-2026-2297: SourcelessFileLoader does not use io.open_code()
+     - CVE-2026-3644: Reject control characters in more places in
+       http.cookies.Morsel (follow-up of patch for CVE-2026-0672)
+     - CVE-2026-4224: pyexpat.c: Unbounded C recursion in conv_content_model
+       causes crash
+     - CVE-2026-4519: Reject leading dashes in webbrowser.open()
+ 
+  -- Arnaud Rebillout <arnaudr@debian.org>  Thu, 14 May 2026 10:00:00 +0700
  
  python3.9 (3.9.2-1+deb11u6) bullseye-security; urgency=medium