I'm not sure how appropriate it is to "validate" a header using the Header object.  Header is for *composing* internationalized headers, and does no validation to speak of.  However, if you'd like to write a patch to add this check, I would probably commit it, since it is analogous to issue 5871.

However, since the security issue was already dealt with in issue 5871, this fix would be a convenience (detecting the issue earlier).  On the flip side, it would also be a behavior change, so there might be objections to backporting it.  (Do any programs use Header for things other than composing email messages and actually rely on embedded newlines?  I hope not, but you never know :)

Further, if you use the new policies available in 3.3 and 3.4 (currently provisional, but they are the Way of the Future ;), you don't ever need to use Header objects, and embedded newlines are rejected as soon as you try to assign a string containing them as a header value in a message object.