FreeBSD: A449C604-A43A-11E9-B422-FCAA147E860E
Mar 13, 2019 - 12:00 a.m.

python 3.7 -- multiple vulnerabilities

2019-03-13 00:00:00
vuxml.freebsd.org

CVSS3: 9.1 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: NONE
  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS2: 6.4 Medium
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: NONE
  AV:N/AC:L/Au:N/C:P/I:P/A:N

EPSS: 0.005 Low
  Percentile: 75.1%

Python changelog:

- bpo-37463: ssl.match_hostname() no longer accepts IPv4 addresses with additional text after the address and only quad-dotted notation without trailing whitespaces. Some inet_aton() implementations ignore whitespace and all data after whitespace, e.g. '127.0.0.1 whatever'.
- bpo-35907: CVE-2019-9948: Avoid file reading by disallowing local-file:// and local_file:// URL schemes in URLopener().open() and URLopener().retrieve() of urllib.request.
- bpo-36742: Fixes mishandling of pre-normalization characters in urlsplit().
- bpo-30458: Address CVE-2019-9740 by disallowing URL paths with embedded whitespace or control characters through into the underlying http client request. Such potentially malicious header injection URLs now cause an http.client.InvalidURL exception to be raised.
- bpo-33529: Prevent fold function used in email header encoding from entering infinite loop when there are too many non-ASCII characters in a header.
- bpo-35755: shutil.which() now uses os.confstr("CS_PATH") if available and if the PATH environment variable is not set. Remove also the current directory from posixpath.defpath. On Unix, shutil.which() and the subprocess module no longer search the executable in the current directory if the PATH environment variable is not set.
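
Added example (not part of the advisory and not CPython's own code): an application-side input check in the spirit of the bpo-37463, bpo-35907 and bpo-30458 entries, for code that may still run on python37 older than 3.7.4. The function names, the rejection of leading-zero octets and the inclusion of DEL (0x7f) are assumptions of this example.

```python
import re

# One octet: decimal, no leading zeros (assumption: avoids octal ambiguity).
_OCTET = r"(?:0|[1-9][0-9]{0,2})"
# \A and \Z anchor to the whole string, so "127.0.0.1\n" does not match.
_DOTTED_QUAD = re.compile(r"\A" + _OCTET + r"(?:\." + _OCTET + r"){3}\Z")
# Whitespace and C0 control characters, plus DEL (assumption of this example).
_UNSAFE_URL_CHARS = re.compile(r"[\x00-\x20\x7f]")
# Schemes named in the bpo-35907 entry.
_LOCAL_FILE_SCHEMES = ("local-file", "local_file")


def is_strict_ipv4(text):
    """True only for quad-dotted IPv4 with nothing before or after it."""
    if not _DOTTED_QUAD.match(text):
        return False
    return all(int(octet) <= 255 for octet in text.split("."))


def check_url(url):
    """Return the reasons to reject url; an empty list means it passed."""
    problems = []
    if _UNSAFE_URL_CHARS.search(url):
        problems.append("whitespace or control character in URL")
    scheme = url.split(":", 1)[0].lower()
    if scheme in _LOCAL_FILE_SCHEMES:
        problems.append("local file scheme: " + scheme)
    return problems


if __name__ == "__main__":
    # Sample inputs: the changelog's own string plus constructed values.
    for host in ("127.0.0.1", "127.0.0.1 whatever", "127.0.0.1\n"):
        print(repr(host), is_strict_ipv4(host))
    for url in ("http://example.org/a", "http://example.org/a b",
                "local_file:///tmp/x"):
        print(repr(url), check_url(url))
```

Such a check complements the upgrade to 3.7.4 and does not replace it; the remaining changelog entries are fixed only in the interpreter itself.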

OS       OS version  Architecture  Package   Package version  Filename
FreeBSD  any         noarch        python37  < 3.7.4          UNKNOWN
