PaulHowarth/Blog

Paul Howarth's Blog

<< <  2026 / 7 >  >>
Mon Tue Wed Thu Fri Sat Sun
    1 2 3 4 5
6 7 8 9 10 11 12
13 14 15 16 17 18 19
20 21 22 23 24 25 26
27 28 29 30 31    

Recent Entries

Wednesday 15th July 2026

Fedora Project

  • Updated perl-Unicode-UTF8 to 0.75 in Rawhide:

    • Fixed slurp_utf8() leaking the file descriptor if a fatal "utf8" warning (e.g. warnings FATAL => 'utf8') was thrown while reading an ill-formed file

Local Packages

  • Updated perl-Unicode-UTF8 to 0.75 as per the Fedora version

Tuesday 14th July 2026

Fedora Project

  • Updated geoipupdate to 8.0.0 in Rawhide:

    • BREAKING CHANGE: 'geoipupdate' stops updating on the first error

    • 'NewUpdater' in the unexported 'internal/geoipupdate' package no longer mutates 'http.DefaultTransport' when a proxy is configured; the CLI is the only caller, so there is no user-visible behaviour change (GH#488)

    • Do not retry proxy CONNECT 4xx errors; these are now treated as permanent failures

  • Updated perl-DBD-CSV to 0.64 in Rawhide:

    • Next version will require perl-5.12, following DBI

  • Updated perl-Unicode-UTF8 to 0.74 in Rawhide:

    • Added slurp_utf8($filename), which reads an entire file and returns its contents decoded from UTF-8 as a character string

    • Added support for older MSVC C compilers by using __inline in place of the C99 inline keyword on pre-Visual Studio 2015 builds

    • Fixed SSE2 detection to only enable the SIMD implementation on 64-bit x86 targets, which prevents unsupported SSE2 code from being selected on 32-bit x86 builds (GH#14)

  • Updated perl-YAML-Syck to 1.47 in F-43, F-44, Rawhide, EPEL-9, EPEL-10.2 and EPEL-10:

  • Security:
    • Fix four libsyck memory-safety CVEs reachable from the default YAML::Syck::Load() path on untrusted input with no special flags (GH#213)

      • CVE-2026-57075 (CWE-125): Out-of-bounds read in the base64 decoder caused by signed-char indexing of the decode table on !!binary input

      • CVE-2026-57076 (CWE-416): Use-after-free of an anchor key string shared between the node and the anchors table

      • CVE-2026-57077 (CWE-125): One-byte out-of-bounds read in the lexer newline scan during block-scalar parsing (incomplete-fix follow-on to CVE-2025-11683)

      • CVE-2026-13713 (CWE-416/CWE-415): Use-after-free / double-free of an anchor node on anchor redefinition, a remote-crash DoS from a 7-byte input

    • Harden syck_base64dec() to bounds-check each read so it cannot run past a non-NUL-terminated input buffer (defense-in-depth for callers passing raw buffers; GH#213)

  • Bug Fixes:
    • Fix: Enforce $MaxDepth on Load to prevent C-stack exhaustion from deeply nested YAML/JSON input; YAML::Syck and JSON::Syck Load now default to 512, matching Dump (GH#204)

    • Fix: Emit YAML canonical forms (.nan, .inf, -.inf) for NaN/Inf values in Dump so they roundtrip with ImplicitTyping instead of reloading as plain strings (GH#201)

  • Maintenance:
    • CI: add an AddressSanitizer job that builds the XS with -fsanitize=address and runs the suite plus the CVE trigger inputs to catch libsyck memory-safety defects; de-pin the libasan version so it tracks the runner's GCC (GH#213)

Local Packages

  • Updated geoipupdate to 8.0.0 as per the Fedora version

  • Updated perl-DBD-CSV to 0.64 as per the Fedora version

  • Updated perl-DBI to 1.651:

    • Fix inverted comparisons for strings in DBI::SQL::Nano (CVE-2026-15043)

    • Document that IS NULL matches empty strings in DBI::SQL::Nano

    • Fix DBD::File to ensure that the table is not a symlink outside of f_dir (CVE-2026-15392)

    • Fix an out-of-bounds error when a statement handle has no fields but the source row is not empty (CVE-2026-60082)

    • Add an overridable upper bound $MAX_PATH_DEPTH for DBI::ProfileData (CVE-2026-60081)

  • Updated perl-Unicode-UTF8 to 0.74 as per the Fedora version

  • Updated perl-YAML-Syck to 1.47 as per the Fedora version

Monday 13th July 2026

Fedora Project

  • Updated perl-CPAN-Requirements-Dynamic to 0.003 in Rawhide:

    • Avoid undefinedness warning in config_defined

  • Updated perl-Test-Synopsis to 0.18 in Rawhide:

    • Fix: =for test_synopsis directives are now applied regardless of their position relative to the SYNOPSIS code block (GH#20, regression since 0.14)

Local Packages

  • Updated perl-CPAN-Requirements-Dynamic to 0.003 as per the Fedora version

  • Updated perl-Test-Synopsis to 0.18 as per the Fedora version

Friday 10th July 2026

Fedora Project

  • Updated perl-Sereal-Decoder to 5.008 in Rawhide:

    • Decoder now supports 'thaw_allow_classes' and 'thaw_deny_action' to control thaw callbacks during decoding

  • Updated perl-Sereal-Encoder to 5.008 in Rawhide:

    • Released to match Decoder version

  • Updated perl-Sereal to 5.008 in Rawhide:

    • Decoder now supports 'thaw_allow_classes' and 'thaw_deny_action' to control thaw callbacks during decoding

Thursday 9th July 2026

Fedora Project

  • Updated perl-Module-CPANTS-Analyse (0.99) in EPEL-8 to use relative symlinks rather than absolute symlinks in test (GH#51), which fixes FTBFS with perl-Archive-Tar-2.30-2.el8_10 onwards

  • Updated perl-Perl-Critic (1.156) in F-44 to run tests with LANG=en_US.UTF-8 to fix pod spelling test with recent update for hunspell-en dictionary

  • Updated perl-Sereal-Decoder, perl-Sereal-Encoder and perl-Sereal to 5.007 in Rawhide:

    • Use $Config{ccflags} to compile zstd with, which should fix AIX

  • Updated perl-Unicode-UTF8 to 0.72 in Rawhide:

    • read_utf8() now takes a single-pass fast path on PerlIO fast-gets layers, validating/copying/counting straight out of the layer buffer (up to ~11% faster on multibyte-heavy input; see benchmarks/)

    • Fixed read_utf8() on non-buffered handles stranding the trailing incomplete sequence that was read to satisfy the requested length: the pending bytes are now pushed back with PerlIO_unread() so the following read sees them, matching decode_utf8() when drained to end of file

  • I added a patch to avoid trying to use 64-bit SSE2 on ix86 (GH#14)

  • Updated proftpd to 1.3.9c in F-43, F-44, Rawhide, EPEL-10.2 and EPEL-10:

    • ExecEnviron values not passed due to regression since 1.3.8d (GH#2135)

    • Stack buffer overflow in MLSD/MLST handling for long path names (GH#2146)

    • MaxTransfersPerUser no longer enforces configured limits (GH#2158)

    • AdminControlsACLs for config, get actions not honoured as they should be (GH#2163)

    • Memcached/Redis-cached JSON TLS session/OCSP entries decoded into fixed buffers without bounds checking (GH#2166)

    • RewriteMap unescape builtin use causes one-byte out-of-bounds write, fails to reject illegal characters (GH#2173)

    • SQL group name lookup concatenates client-provided group names without escaping (GH#2188)

    • Authenticated SFTP sessions can overflow the SFTP packet buffer (GH#2190)

    • Default Controls socket ACLs unintentionally allow all users access for sending Controls requests (GH#2210)

Local Packages

  • Updated perl-DateTime-TimeZone to 2.69:

    • This release is based on version 2026c of the Olson database
    • Contemporary changes for Alberta, CA and Morocco
  • Updated perl-Unicode-UTF8 to 0.72 as per the Fedora version

  • Updated proftpd to 1.3.9c as per the Fedora version

  • Updated proftpd (rc) to 1.3.10rc3:

    • ExecEnviron values not passed due to regression since 1.3.8d (GH#2135)

    • FTP TYPE command silently ignores invalid format-control argument instead of returning an error (GH#2141)

    • Stack buffer overflow in MLSD/MLST handling for long path names (GH#2146)

    • MaxTransfersPerUser no longer enforces configured limits (GH#2158)

    • AdminControlsACLs for config, get actions not honoured as they should be (GH#2163)

    • Memcached/Redis-cached JSON TLS session/OCSP entries decoded into fixed buffers without bounds checking (GH#2166)

    • RewriteMap unescape builtin use causes one-byte out-of-bounds write, fails to reject illegal characters (GH#2173)

    • SITE RMDIR command from mod_site_misc does not honour PathAllowFilter, PathDenyFilter as expected (GH#2175)

    • SFTP SETSTAT, FSETSTAT requests do not honour PathAllowFilter, PathDenyFilter as expected (GH#2180)

    • SQL group name lookup concatenates client-provided group names without escaping (GH#2188)

    • Authenticated SFTP sessions can overflow the SFTP packet buffer (GH#2190) & Implement SFTP copy-data extension (GH#2198)

    • Default Controls socket ACLs unintentionally allow all users access for sending Controls requests (GH#2210)

  • I added use of memcached when running the API tests, lest the memcached tests would fail

Other Entries

Year 2026

January

February

March

April

May

June

July

August

September

October

November

December

Year 2025

January

February

March

April

May

June

July

August

September

October

November

December

Year 2024

January

February

March

April

May

June

July

August

September

October

November

December

Year 2023

January

February

March

April

May

June

July

August

September

October

November

December

Year 2022

January

February

March

April

May

June

July

August

September

October

November

December

Year 2021

January

February

March

April

May

June

July

August

September

October

November

December

Year 2020

January

February

March

April

May

June

July

August

September

October

November

December

Year 2019

January

February

March

April

May

June

July

August

September

October

November

December

Year 2018

January

February

March

April

May

June

July

August

September

October

November

December

Year 2017

January

February

March

April

May

June

July

August

September

October

November

December

Year 2016

January

February

March

April

May

June

July

August

September

October

November

December

Year 2015

January

February

March

April

May

June

July

August

September

October

November

December

Year 2014

January

February

March

April

May

June

July

August

September

October

November

December

Year 2013

January

February

March

April

May

June

July

August

September

October

November

December

Year 2012

January

February

March

April

May

June

July

August

September

October

November

December

Year 2011

January

February

March

April

May

June

July

August

September

October

November

December

Year 2010

January

February

March

April

May

June

July

August

September

October

November

December

Year 2009

January

February

March

April

May

June

July

August

September

October

November

December

Year 2008

January

February

March

April

May

June

July

August

September

October

November

December

Year 2007

January

February

March

April

May

June

July

August

September

October

November

December

Year 2006

January

February

March

April

May

June

July

August

September

October

November

December

{i} Local Packages refers to my local package repository at http://www.city-fan.org/ftp/contrib/


Recent