package/python3: security bump to version 3.7.4

package/python3: security bump to version 3.7.4

Fixes the following security issues:

- bpo-37463: ssl.match_hostname() no longer accepts IPv4 addresses with
  additional text after the address and only quad-dotted notation without
  trailing whitespaces.  Some inet_aton() implementations ignore whitespace
  and all data after whitespace, e.g.  ‘127.0.0.1 whatever’.

- bpo-35907: CVE-2019-9948: Avoid file reading by disallowing local-file://
  and local_file:// URL schemes in URLopener().open() and
  URLopener().retrieve() of urllib.request.

- bpo-30458: Address CVE-2019-9740 by disallowing URL paths with embedded
  whitespace or control characters through into the underlying http client
  request.  Such potentially malicious header injection URLs now cause an
  http.client.InvalidURL exception to be raised.

- bpo-33529: Prevent fold function used in email header encoding from
  entering infinite loop when there are too many non-ASCII characters in a
  header.

- bpo-35755: shutil.which() now uses os.confstr("CS_PATH") if available and
  if the PATH environment variable is not set.  Remove also the current
  directory from posixpath.defpath.  On Unix, shutil.which() and the
  subprocess module no longer search the executable in the current directory
  if the PATH environment variable is not set.

Also remove the following upstreamed patches:
  - 0033-bpo-36742-Fixes-handling-of-pre-normalization-charac.patch
  - 0034-bpo-36742-Corrects-fix-to-handle-decomposition-in-us.patch

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
[Peter: mention security fixes]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>