Paul Howarth's Blog
Recent Entries
Monday 11th May 2026
Fedora Project
- Updated perl-Net-CIDR-Lite to 0.24 in F-43, F-44, Rawhide, EPEL-8, EPEL-10.1, EPEL-10.2 and EPEL-10:
  - Reject Unicode digits and trailing newlines in parser inputs (CVE-2026-45190)
  - Reject zero-padded CIDR masks (CVE-2026-45191)
- Updated python-paramiko to 4.0.0 in Rawhide:
  - Dropped support for Python <3.9
  - Migrated packaging metadata and practices to use 'pyproject.toml'
  - Removed the now-vestigial 'ed25519' packaging 'extra' (support for this hasn't required additional dependencies in a number of releases now, just the core ones)
  - Moved Invoke requirement to core dependencies, and removed 'paramiko[invoke]' from extras
  - With those two changes, 'paramiko[all]' becomes much less useful, and has itself been axed
  - Removed the very old and wizened 'setup_helper.py', which was only needed on ancient (for this century) versions of macOS
  - Removed 'paramiko.__all__', as it was redundant (guessing it dated back to some very old Python versions; anyone using 'import *' these days - shame! - should still be fine as we never had any 'private' members in '__all__' and AFAICT that was the only reason ever to use it in the first place (as 'import *' skips names like '_private'))
  - Removed support for the DSA (a.k.a. DSS) key algorithm, as it has been badly outdated and insecure for a decade or more at this point, and was recently completely removed from OpenSSH as well (GH#973)
    - If you were still using DSA out of sheer inertia: we strongly recommend upgrading to Ed25519 (or maybe ECDSA)
    - If you were still using DSA because of target hosts you do not control: please continue using Paramiko 3.x
- Updated python-paramiko to 5.0.0 in Rawhide:
  - Fix 'Ed25519Key <paramiko.ed25519key.Ed25519Key>'s internals such that it no longer throws 'AttributeError' during calls to '__repr__' when only partly initialized; this isn't a normal runtime problem (it only happens inside error handling for fatal errors like "not a valid private key") but was perennially complicating test failure diagnosis and similar scenarios
  - The 'PKey <paramiko.pkey.PKey>' class family tree reorganized the 'write_private_key' and 'write_private_key_file' methods; with other recent changes, having individual implementations on the child classes made no sense, so key writing is now implemented in 'PKey <paramiko.pkey.PKey>' itself and the included child classes such as 'ECDSAKey <paramiko.ecdsakey.ECDSAKey>' no longer define their own such methods, instead simply exposing their underlying cryptographic private key objects as '.private_key'
  - Added a new, optional 'file_format' keyword argument to 'PKey.write_private_key <paramiko.pkey.PKey.write_private_key>' and 'PKey.write_private_key_file <paramiko.pkey.PKey.write_private_key_file>' to allow writing out OpenSSH-style private key files in addition to the legacy PEM format
    - Warning: While the default format remains PEM in Paramiko 5, future major releases are likely to change that default to the OpenSSH format; we recommend updating any key-writing code you have to be explicit now, to insulate yourself from such an update
  - Raised the minimum modulus size in 'diffie-hellman-group-exchange-sha256' key exchange from 1024 (the original spec's minimum) to 2048 (the contemporary minimum according to RFC-9142, and matching a similar change by OpenSSH ten years ago in 7.2 / 2016)
    - Warning: This change may be backwards incompatible if you were targeting servers supporting only this kex method and whose own maximum modulus size for group-exchange was lower than 2048
  - Removed GSSAPI support, as the current (buggy, no longer easily testable in CI, poorly understood and not used by the core team) implementation is SHA-1 based and no SHA-256 upgrade appeared to be forthcoming from contributors
    - We don't like removing functionality, but this feature has been on the rocks for years and it makes sense to remove it as an insecure support burden; we will definitely consider merging a SHA256-based replacement in the future if a high-quality one appears
    - Side note: the GSS related constants in 'paramiko/common.py' have been left in place as they are essentially mapping out known protocol numbers
    - Warning: This change is backwards incompatible if you require GSS
  - Removed support for key exchange using SHA-1, meaning the kex methods 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha1', and 'diffie-hellman-group1-sha1' are now gone; implementing classes have been removed/merged/shuffled as required
    - Warning: This change is backwards incompatible if you were still supporting old systems that don't implement sha256/sha512 DH kex (or ECDH kex)
  - Removed support for verifying/signing with RSA keys using SHA-1 hashing; generally, this means most cases where "ssh-rsa" was used as an algorithm identifier (as opposed to a key material identifier) will no longer accept that string as valid, and the relevant code that actually used e.g. 'hashes.SHA1' no longer does
    - Warning: This change is backwards incompatible if you are stuck supporting legacy systems with Paramiko that are unable to use SHA2-based signatures with RSA keys (or other workarounds, such as switching from RSA keys to Ed25519 ones)
  - Added a 'password' kwarg to 'PKey.from_type_string <paramiko.pkey.PKey.from_type_string>' so it can handle encrypted keys like most other PKey constructors already could
  - Renamed 'PKey.from_path <paramiko.pkey.PKey.from_path>'s 'passphrase' argument to 'password' so it's consistent with all the other methods of instantiating PKey objects
    - Warning: This change is backwards incompatible if you were using this relatively new constructor and were doing so to load encrypted keys
  - Removed the 'demos/' folder; they've become too big a support burden and we've wanted to remove them for years
    - Users who enjoyed the client-side demos should look at our wrapper library, 'Fabric (https://fabfile.org/)'
    - We suspect the most-used demo was 'demos/demo-server.py' and may consider adding a variant of it to the actual Python package in future
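A pre-upgrade check for the Paramiko 5.0.0 removals listed above, as an added example that is not Paramiko's code: it decodes a server's SSH_MSG_KEXINIT payload (RFC 4253 layout) and reports which offered key-exchange and host-key algorithm names fall among those removed. The function names and the two sample payloads are constructed for illustration.

```python
# Names the changelog above lists as removed (SHA-1 kex, "ssh-rsa" signatures),
# plus "ssh-dss", the SSH identifier for the DSA keys dropped in 4.0.0.
REMOVED_KEX = {"diffie-hellman-group-exchange-sha1",
               "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"}
REMOVED_HOSTKEY = {"ssh-rsa", "ssh-dss"}
MARKERS = {"ext-info-s", "kex-strict-s-v00@openssh.com"}  # signalling, not kex methods
# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253, section 7.1).
FIELDS = ("kex_algorithms", "server_host_key_algorithms", "encryption_c2s",
          "encryption_s2c", "mac_c2s", "mac_s2c", "compression_c2s",
          "compression_s2c", "languages_c2s", "languages_s2c")

def parse_kexinit(payload):
    """Decode the name-lists of a KEXINIT payload into {field: [names]}."""
    if len(payload) < 17 or payload[0] != 20:   # 20 = SSH_MSG_KEXINIT
        raise ValueError("not a KEXINIT payload")
    pos, lists = 17, {}                         # skip type byte and 16-byte cookie
    for field in FIELDS:
        size = int.from_bytes(payload[pos:pos + 4], "big")
        if pos + 4 + size > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos + 4:pos + 4 + size].decode("ascii")
        lists[field] = raw.split(",") if raw else []
        pos += 4 + size
    return lists

def audit(payload):
    """Split a server's offer into removed and remaining names.

    "blocked" is True when either list has nothing left to negotiate."""
    lists = parse_kexinit(payload)
    kex = [n for n in lists["kex_algorithms"] if n not in MARKERS]
    hostkey = lists["server_host_key_algorithms"]
    kex_left = [n for n in kex if n not in REMOVED_KEX]
    hostkey_left = [n for n in hostkey if n not in REMOVED_HOSTKEY]
    return {"kex_removed": [n for n in kex if n in REMOVED_KEX],
            "kex_remaining": kex_left,
            "hostkey_removed": [n for n in hostkey if n in REMOVED_HOSTKEY],
            "hostkey_remaining": hostkey_left,
            "blocked": not (kex_left and hostkey_left)}

def build_kexinit(kex, hostkey):
    """Build a sample server payload (constructed test data, zero cookie)."""
    body = bytes([20]) + bytes(16)
    for names in (kex, hostkey) + ((),) * 8:
        raw = ",".join(names).encode("ascii")
        body += len(raw).to_bytes(4, "big") + raw
    return body + bytes(5)      # first_kex_packet_follows=0, reserved uint32=0

LEGACY = build_kexinit(("diffie-hellman-group1-sha1",), ("ssh-rsa", "ssh-dss"))
MODERN = build_kexinit(("curve25519-sha256", "diffie-hellman-group14-sha1", "ext-info-s"),
                       ("ssh-ed25519", "rsa-sha2-512", "ssh-rsa"))
```

A name in the remaining lists only means it is not one of the removed ones. The group-exchange modulus limit is negotiated later in the handshake and cannot be read from KEXINIT.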
Local Packages
- Updated perl-Net-CIDR-Lite to 0.24 as per the Fedora version
- Updated perl-YAML-LibYAML to 0.907.0:
  - Turn off cyclic references by default
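The three input classes rejected by the perl-Net-CIDR-Lite 0.24 update are easy to let through with a loose pattern, and Python's `re` and `int()` have the same pitfalls. The following added example (not Net::CIDR::Lite's code; `loose_parse` and `strict_parse` are hypothetical names, IPv4 only, sample inputs constructed) contrasts a permissive parser with a strict one.

```python
import re

# Loose pattern: in a str pattern \d matches every Unicode decimal digit, and
# $ also matches just before a single trailing newline.
LOOSE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})$")
# Strict pattern: ASCII digits only, mask written without leading zeros, and
# used with fullmatch() so nothing may follow the mask.
STRICT = re.compile(
    r"([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})/(0|[1-9][0-9]?)")

def _network(match):
    """Turn matched groups into (network address, mask length)."""
    *octets, mask = (int(g) for g in match.groups())  # int() accepts Unicode digits too
    if any(o > 255 for o in octets) or mask > 32:
        raise ValueError("octet or mask out of range")
    addr = int.from_bytes(bytes(octets), "big")
    return addr & (0xFFFFFFFF << (32 - mask)) & 0xFFFFFFFF, mask

def loose_parse(text):
    match = LOOSE.match(text)
    if match is None:
        raise ValueError(f"not a CIDR block: {text!r}")
    return _network(match)

def strict_parse(text):
    match = STRICT.fullmatch(text)
    if match is None:
        raise ValueError(f"not a CIDR block: {text!r}")
    return _network(match)

def accepts(parser, text):
    """Return True if the parser takes the input, False if it raises."""
    try:
        parser(text)
        return True
    except ValueError:
        return False

# Constructed inputs, one per case named in the changelog entry.
SAMPLES = {
    "unicode digits": "\uff11\uff10.1.2.3/8",   # fullwidth "10"
    "trailing newline": "10.1.2.3/8\n",
    "zero-padded mask": "10.1.2.3/08",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(f"{label:18} loose={accepts(loose_parse, text)} "
              f"strict={accepts(strict_parse, text)}")
```

The loose parser maps all three samples to the same network as `10.1.2.3/8`, so any filter or log that compares the raw text sees a different string from the one the parser acted on.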
Sunday 10th May 2026
Fedora Project
- Updated perl-Business-ISBN-Data to 20260508.001 in Rawhide:
  - Data update for 2026-05-08
Local Packages
- Updated libgpg-error to 1.61 (https://dev.gnupg.org/T8239):
  - Fix possible stack overflow in es_printf for %.100f format (https://dev.gnupg.org/T8240)
  - Fix out-of-bounds read in vfnameconcat
  - Add cross compile support for wasm*-*-emscripten target
  - Update Japanese and Polish translations
- Updated perl-Archive-Tar to 3.06:
  - Hardlinks not extracted by default; added EXTRACT_HARDLINK flag
  - If hardlinks are extracted, they are now subject to the same rules as symlinks with regards to chown and chmod
Friday 8th May 2026
Fedora Project
- Updated perl-Test-Most to 0.42 in Rawhide:
  - Restore support for 'use Test::Most import => [...]' to select which symbols to export; the 0.39 export rework broke it (GH#18)
Local Packages
- Updated perl-Test-Most to 0.42 as per the Fedora version
Thursday 7th May 2026
Fedora Project
- Updated perl-Authen-Radius to 0.36 in Rawhide:
  - Treat EINTR from can_read() as a retryable signal interruption rather than ETIMEOUT, so a signal arriving during recv_packet() no longer triggers a spurious retransmit when the reply is actually in flight
- Updated perl-Test-MockModule to 0.185.0 in Rawhide:
  - Revert to pre-v0.181.0 behaviour: new() returns singleton-per-package by default again; pass distinct => 1 for v0.181's fresh-object-per-call behaviour (GH#83)
  - New: Test::MockModule->original_for($pkg, $sub): Call the original sub from inside a mock closure without capturing $mock
Local Packages
- Updated perl-Test-MockModule to 0.185.0 as per the Fedora version
Wednesday 6th May 2026
Fedora Project
- Updated perl-Test-MockModule to 0.184.0 in Rawhide:
  - Fix: Restore noop() to return 1 for backward compatibility (GH#80)
Local Packages
- Updated perl-Test-MockModule to 0.184.0 as per the Fedora version
- Packaged proftpd 1.3.10rc1 with init via mod_systemd using Type=notify-reload, for testing (not in DNF repository, must be downloaded and installed manually)
Local Packages refers to my local package repository at http://www.city-fan.org/ftp/contrib/