The not-yet-released pypy3.6 version includes all vulnerabilities fixed since CPython v3.6.9rc1. I'm working on making a patch set.
Speaking in CPython commits:
b23c0840ce [3.6] bpo-37228: Fix loop.create_datagram_endpoint()'s usage of SO_REUSEADDR (GH-17311). (GH-17571)
83fc70159b bpo-38576: Disallow control characters in hostnames in http.client (GH-18995) (GH-19002)
69cdeeb93e bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler (GH-18284) (GH-19304)
7df32f844e bpo-39073: validate Address parts to disallow CRLF (GH-19007) (#19224)
f02de961b9 bpo-39603: Prevent header injection in http methods (GH-18485) (GH-21539)
I'm working on getting them fixed upstream. Either way, the fixes will be part of the upcoming 7.3.2 release.
Oh, and these two (that are already fixed in the hg branch):
cfc7ff8d05 [3.6] bpo-41004: Resolve hash collisions for IPv4Interface and IPv6Interface (GH-21033) (GH-21232)
47a2955589 bpo-39017: Avoid infinite loop in the tarfile module (GH-21454) (#21485)
Found a few more:
1789bbdd3e bpo-37461: Fix infinite loop in parsing of specially crafted email headers (GH-14794) (GH-14817)
13a19139b5 bpo-34155: Dont parse domains containing @ (GH-13079) (GH-14826)
1698cacfb9 bpo-38243, xmlrpc.server: Escape the server_title (GH-16373) (GH-16441)
0716056c49 bpo-38804: Fix REDoS in http.cookiejar (GH-17157) (#17343)
30afc91f5e bpo-38945: UU Encoding: Don't let newline in filename corrupt the output format (GH-17418) (GH-17444)
Well, the "module 'socket' has no attribute 'sethostname'" issue (https://bugs.gentoo.org/716998) reproduces again with pypy-7.3.2 and portage 3.0.4-r1.
If we fix it, we can just stabilize pypy-7.3.2.
Maintainers, are these vulnerabilities fixed in 7.3.3 (since it appears to be in the process of being stabled)?
Yes, I'm pretty sure I've got all the backports upstream.
Removed old versions.
(In reply to Michał Górny from comment #8)
> Removed old versions.