Hello LTS team,
I've fixed 4 CVEs for Python 3.9 (bullseye); it's more or less ready for
upload. However, I'd like a second opinion on CVE-2025-69534.
The issue was that the HTML parser throws an exception in case of
malformed HTML-like sequences, and the new behavior (after the fix) is
that it returns None instead (no more exception).
Reproducer:
```
#!/usr/bin/env python3
import html.parser
html.parser.HTMLParser().feed("<![\n")
```
So, again, with more details. This code throws:
- `NotImplementedError` in bullseye (Python 3.9)
- `AssertionError` in bookworm (Python 3.11)
- nothing, and simply returns None, in the latest Python
The fix was backported all the way back to 3.9 by Python itself (as part
of a larger changeset to improve/fix the HTML parser); it's in 3.9.24.
My question: is it wise to apply this patch and change the behavior? I'm
worried that a caller relies on the parser throwing an exception, and
starts to misbehave if it doesn't. OTOH, a caller probably checks if the
return value is None, so hopefully the change will go unnoticed?
Or maybe the line of thinking should be: if it was backported by Python
itself, then no questions asked, we should backport it as well.
I'm new to LTS, maybe I'm overthinking. Please advise!
Thanks,
Arnaud
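
One way to check the concern raised above about callers that rely on the exception, as an added example that is not part of the original message: a small `ast` scan that flags `try` blocks wrapping a `.feed()` call with a handler that would catch `NotImplementedError` or `AssertionError`. The function names and the sample caller are hypothetical and constructed for illustration; matching on any `.feed()` attribute call is a heuristic, so hits need manual review.

```python
import ast

# Handlers that could stop firing once feed() no longer raises. The first two
# names come from the message; the others also catch those exceptions.
WATCHED = {"NotImplementedError", "AssertionError", "Exception",
           "BaseException", "<bare>"}

def _caught(handler):
    """Names caught by one except clause; a bare 'except:' yields {'<bare>'}."""
    if handler.type is None:
        return {"<bare>"}
    t = handler.type
    nodes = t.elts if isinstance(t, ast.Tuple) else [t]
    return {n.id if isinstance(n, ast.Name) else getattr(n, "attr", "?")
            for n in nodes}

def _calls_feed(stmts):
    """True if any statement contains a call of the form <obj>.feed(...)."""
    return any(isinstance(n, ast.Call) and isinstance(n.func, ast.Attribute)
               and n.func.attr == "feed"
               for stmt in stmts for n in ast.walk(stmt))

def find_feed_handlers(source, filename="<constructed>"):
    """Return [(line, [caught names])] for try blocks guarding a .feed() call."""
    hits = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Try) and _calls_feed(node.body):
            caught = set()
            for handler in node.handlers:
                caught |= _caught(handler) & WATCHED
            if caught:
                hits.append((node.lineno, sorted(caught)))
    return hits

# Constructed sample caller, not taken from any real package.
SAMPLE = '''
from html.parser import HTMLParser

def is_clean(markup):
    try:
        HTMLParser().feed(markup)
    except (AssertionError, NotImplementedError):
        return False   # malformed input is rejected via the exception
    return True

def render(markup):
    HTMLParser().feed(markup)   # no handler: not flagged
'''

if __name__ == "__main__":
    for line, names in find_feed_handlers(SAMPLE):
        print(f"line {line}: feed() guarded by handler for {', '.join(names)}")
```

Run over the unpacked sources of reverse dependencies, each hit is a place where control flow may change once the parser stops raising on this input.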