
Message 341175 - Python tracker

Backports to older releases will need to be done manually and take care depending on how much of a concern tightening the existing abusive lenient behavior of the http.client API to enforce what characters are allowed in URLs is to stable releases.

I question if this is _really_ worthy of a "security" tag and a CVE (thus its non-high ranking)... it is a bug in the calling program if it blindly uses untrusted data as a URL.  What this issue addresses is that we catch that more often and raise an error; a good thing to do for sure, but the stdlib should be the last line of defense.