Paul Howarth's Blog
| << < 2026 / 7 > >> | ||||||
|---|---|---|---|---|---|---|
| Mon | Tue | Wed | Thu | Fri | Sat | Sun |
| 1 | 2 | 3 | 4 | 5 | ||
| 6 | 7 | 8 | 9 | 10 | 11 | 12 |
| 13 | 14 | 15 | 16 | 17 | 18 | 19 |
| 20 | 21 | 22 | 23 | 24 | 25 | 26 |
| 27 | 28 | 29 | 30 | 31 | ||
Recent Entries
Wednesday 15th July 2026
Fedora Project
Updated perl-Unicode-UTF8 to 0.75 in Rawhide:
Fixed slurp_utf8() leaking the file descriptor if a fatal "utf8" warning (e.g. warnings FATAL => 'utf8') was thrown while reading an ill-formed file
Local Packages
Updated perl-Unicode-UTF8 to 0.75 as per the Fedora version
Tuesday 14th July 2026
Fedora Project
Updated geoipupdate to 8.0.0 in Rawhide:
BREAKING CHANGE: 'geoipupdate' stops updating on the first error
'NewUpdater' in the unexported 'internal/geoipupdate' package no longer mutates 'http.DefaultTransport' when a proxy is configured; the CLI is the only caller, so there is no user-visible behaviour change (GH#488)
Do not retry proxy CONNECT 4xx errors; these are now treated as permanent failures
Updated perl-DBD-CSV to 0.64 in Rawhide:
Next version will require perl-5.12, following DBI
Updated perl-Unicode-UTF8 to 0.74 in Rawhide:
Added slurp_utf8($filename), which reads an entire file and returns its contents decoded from UTF-8 as a character string
Added support for older MSVC C compilers by using __inline in place of the C99 inline keyword on pre-Visual Studio 2015 builds
Fixed SSE2 detection to only enable the SIMD implementation on 64-bit x86 targets, which prevents unsupported SSE2 code from being selected on 32-bit x86 builds (GH#14)
Updated perl-YAML-Syck to 1.47 in F-43, F-44, Rawhide, EPEL-9, EPEL-10.2 and EPEL-10:
- Security:
Fix four libsyck memory-safety CVEs reachable from the default YAML::Syck::Load() path on untrusted input with no special flags (GH#213)
CVE-2026-57075 (CWE-125): Out-of-bounds read in the base64 decoder caused by signed-char indexing of the decode table on !!binary input
CVE-2026-57076 (CWE-416): Use-after-free of an anchor key string shared between the node and the anchors table
CVE-2026-57077 (CWE-125): One-byte out-of-bounds read in the lexer newline scan during block-scalar parsing (incomplete-fix follow-on to CVE-2025-11683)
CVE-2026-13713 (CWE-416/CWE-415): Use-after-free / double-free of an anchor node on anchor redefinition, a remote-crash DoS from a 7-byte input
Harden syck_base64dec() to bounds-check each read so it cannot run past a non-NUL-terminated input buffer (defense-in-depth for callers passing raw buffers; GH#213)
- Bug Fixes:
Fix: Enforce $MaxDepth on Load to prevent C-stack exhaustion from deeply nested YAML/JSON input; YAML::Syck and JSON::Syck Load now default to 512, matching Dump (GH#204)
Fix: Emit YAML canonical forms (.nan, .inf, -.inf) for NaN/Inf values in Dump so they roundtrip with ImplicitTyping instead of reloading as plain strings (GH#201)
- Maintenance:
CI: add an AddressSanitizer job that builds the XS with -fsanitize=address and runs the suite plus the CVE trigger inputs to catch libsyck memory-safety defects; de-pin the libasan version so it tracks the runner's GCC (GH#213)
Local Packages
Updated geoipupdate to 8.0.0 as per the Fedora version
Updated perl-DBD-CSV to 0.64 as per the Fedora version
Updated perl-DBI to 1.651:
Fix inverted comparisons for strings in DBI::SQL::Nano (CVE-2026-15043)
Document that IS NULL matches empty strings in DBI::SQL::Nano
Fix DBD::File to ensure that the table is not a symlink outside of f_dir (CVE-2026-15392)
Fix an out-of-bounds error when a statement handle has no fields but the source row is not empty (CVE-2026-60082)
Add an overridable upper bound $MAX_PATH_DEPTH for DBI::ProfileData (CVE-2026-60081)
Updated perl-Unicode-UTF8 to 0.74 as per the Fedora version
Updated perl-YAML-Syck to 1.47 as per the Fedora version
Monday 13th July 2026
Fedora Project
Updated perl-CPAN-Requirements-Dynamic to 0.003 in Rawhide:
Avoid undefinedness warning in config_defined
Updated perl-Test-Synopsis to 0.18 in Rawhide:
Fix: =for test_synopsis directives are now applied regardless of their position relative to the SYNOPSIS code block (GH#20, regression since 0.14)
Local Packages
Updated perl-CPAN-Requirements-Dynamic to 0.003 as per the Fedora version
Updated perl-Test-Synopsis to 0.18 as per the Fedora version
Friday 10th July 2026
Fedora Project
Updated perl-Sereal-Decoder to 5.008 in Rawhide:
Decoder now supports 'thaw_allow_classes' and 'thaw_deny_action' to control thaw callbacks during decoding
Updated perl-Sereal-Encoder to 5.008 in Rawhide:
Released to match Decoder version
Updated perl-Sereal to 5.008 in Rawhide:
Decoder now supports 'thaw_allow_classes' and 'thaw_deny_action' to control thaw callbacks during decoding
Thursday 9th July 2026
Fedora Project
Updated perl-Module-CPANTS-Analyse (0.99) in EPEL-8 to use relative symlinks rather than absolute symlinks in test (GH#51), which fixes FTBFS with perl-Archive-Tar-2.30-2.el8_10 onwards
Updated perl-Perl-Critic (1.156) in F-44 to run tests with LANG=en_US.UTF-8 to fix pod spelling test with recent update for hunspell-en dictionary
Updated perl-Sereal-Decoder, perl-Sereal-Encoder and perl-Sereal to 5.007 in Rawhide:
Use $Config{ccflags} to compile zstd with, which should fix AIX
Updated perl-Unicode-UTF8 to 0.72 in Rawhide:
read_utf8() now takes a single-pass fast path on PerlIO fast-gets layers, validating/copying/counting straight out of the layer buffer (up to ~11% faster on multibyte-heavy input; see benchmarks/)
Fixed read_utf8() on non-buffered handles stranding the trailing incomplete sequence that was read to satisfy the requested length: the pending bytes are now pushed back with PerlIO_unread() so the following read sees them, matching decode_utf8() when drained to end of file
I added a patch to avoid trying to use 64-bit SSE2 on ix86 (GH#14)
Updated proftpd to 1.3.9c in F-43, F-44, Rawhide, EPEL-10.2 and EPEL-10:
ExecEnviron values not passed due to regression since 1.3.8d (GH#2135)
Stack buffer overflow in MLSD/MLST handling for long path names (GH#2146)
MaxTransfersPerUser no longer enforces configured limits (GH#2158)
AdminControlsACLs for config, get actions not honoured as they should be (GH#2163)
Memcached/Redis-cached JSON TLS session/OCSP entries decoded into fixed buffers without bounds checking (GH#2166)
RewriteMap unescape builtin use causes one-byte out-of-bounds write, fails to reject illegal characters (GH#2173)
SQL group name lookup concatenates client-provided group names without escaping (GH#2188)
Authenticated SFTP sessions can overflow the SFTP packet buffer (GH#2190)
Default Controls socket ACLs unintentionally allow all users access for sending Controls requests (GH#2210)
Local Packages
Updated perl-DateTime-TimeZone to 2.69:
- This release is based on version 2026c of the Olson database
- Contemporary changes for Alberta, CA and Morocco
Updated perl-Unicode-UTF8 to 0.72 as per the Fedora version
Updated proftpd to 1.3.9c as per the Fedora version
Updated proftpd (rc) to 1.3.10rc3:
ExecEnviron values not passed due to regression since 1.3.8d (GH#2135)
FTP TYPE command silently ignores invalid format-control argument instead of returning an error (GH#2141)
Stack buffer overflow in MLSD/MLST handling for long path names (GH#2146)
MaxTransfersPerUser no longer enforces configured limits (GH#2158)
AdminControlsACLs for config, get actions not honoured as they should be (GH#2163)
Memcached/Redis-cached JSON TLS session/OCSP entries decoded into fixed buffers without bounds checking (GH#2166)
RewriteMap unescape builtin use causes one-byte out-of-bounds write, fails to reject illegal characters (GH#2173)
SITE RMDIR command from mod_site_misc does not honour PathAllowFilter, PathDenyFilter as expected (GH#2175)
SFTP SETSTAT, FSETSTAT requests do not honour PathAllowFilter, PathDenyFilter as expected (GH#2180)
SQL group name lookup concatenates client-provided group names without escaping (GH#2188)
Authenticated SFTP sessions can overflow the SFTP packet buffer (GH#2190) & Implement SFTP copy-data extension (GH#2198)
Default Controls socket ACLs unintentionally allow all users access for sending Controls requests (GH#2210)
I added use of memcached when running the API tests, lest the memcached tests would fail
Other Entries
Local Packages refers to my local package repository at http://www.city-fan.org/ftp/contrib/