Ok, so pypy2.7 has all the vulnerabilities of CPython 2.7.17. Speaking in CPython commits:
e176e0c105 [2.7] closes bpo-38576: Disallow control characters in hostnames in http.client. (GH-19052)
69cdeeb93e bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler (GH-18284) (GH-19304)
f02de961b9 bpo-39603: Prevent header injection in http methods (GH-18485) (GH-21539)
47a2955589 bpo-39017: Avoid infinite loop in the tarfile module (GH-21454) (#21485)
I'm working on getting the patches upstream. Either way, they will be part of the upcoming pypy 7.3.2 release.
Removed old versions.
(In reply to Michał Górny from comment #2)
> Removed old versions.
Package list is empty or all packages have requested keywords.