Thursday 12th March 2026

Fedora Project

• Updated perl-Business-ISBN-Data to 20260311.001 in Rawhide:

  • Data update for 2026-03-11

Local Packages

• Updated perl-Data-Alias to 1.30:

  • Use isGV_with_GP_on when available (CPAN RT#173582)

Wednesday 11th March 2026

Fedora Project

• Branched and built perl-autovivification (0.18) in EPEL-10 and EPEL-10.2

Local Packages

• Updated curl to 8.19.0:

  • cmake: Add 'CURL_BUILD_EVERYTHING' option

  • Initial support for MQTTS

  • tool: Support fractions for --limit-rate and --max-filesize

  • tool_cb_hdr: With -J, use the redirect name as a backup

  • vquic: Drop support for OpenSSL-QUIC
  • Windows: Add build option to use the native CA store
  • Windows: Bump minimum to Vista (from XP)
  • altsvc: Only accept 17 byte dates from files

  • asyn-ares: Abort with OOM error when Curl_dnscache_mk_entry fails

  • async-ares: Blocking resolve timeout handling, better

  • badwords: Move into ./scripts, speed up

  • build: Add missing 'GENERATEDCERTS' files

  • build: Adjust minimum version for some clang picky warnings

  • build: Check 'MSG_NOSIGNAL' directly, drop detection and interim macro

  • build: constify 'memchr()'/'strchr()'/etc. result variables (cont.)

  • build: Detect and include 'inttypes.h' again

  • build: Do not include wolfSSL header in 'curl_setup.h'

  • build: Drop duplicate C includes

  • build: Drop global suppression of '-Wformat-nonliteral', fix fallouts

  • build: Drop unused 'snprintf()' feature check on Windows

  • build: Fix '-Wunused-macros' warnings, and related tidy-ups

  • build: Fix building rare combinations
  • build: Fully omit verbose strings and code when disabled

  • build: Globally suppress DJGPP warnings in 'FD_SET()'

  • build: Merge TrackMemory ('CURLDEBUG') into debug-enabled option

  • build: Move curl stat struct type to the curlx namespace

  • build: Opt-in MSVC to C99-style verbose logging logic

  • build: Require POSIX 'strdup()'

  • build: Tidy up and dedupe 'strdup' functions

  • cf-socket: Ignore SOCK_CLOEXEC etc. for socktype equality checks

  • cf-socket: Use SOCK_CLOEXEC in socket_open when available

  • checksrc-all.pl: Skip non-repository files

  • checksrc: Do not apply 'BANNEDFUNC' to struct member functions

  • checksrc: Warn for leading spaces before the preprocessor hash
  • clang-tidy: Add missing and delete redundant parentheses
  • clang-tidy: Add more missing parentheses in macro values

  • clang-tidy: Avoid/silence 'bugprone-not-null-terminated-result'

  • clang-tidy: Check 'bugprone-macro-parentheses', fix fallouts

  • clang-tidy: Drop redundant conditions reported by 'misc-redundant-expression'

  • clang-tidy: Enable 'bugprone-signed-char-misuse', fix fallouts

  • clang-tidy: Enable more checks
  • clang-tidy: Enable scanning headers
  • clang-tidy: Fix issues found with build-fuzzing
  • clang-tidy: Silence more minor issues found by v22

  • cmake/FindMbedTLS: Add workaround for missing static MSVC 'mbedcrypto.lib' 4.0.0

  • cmake: Add 'CURL_DROP_UNUSED' option to reduce binary sizes

  • cmake: Add native clang-tidy support for tests, with concatenated sources

  • cmake: Always build curlu and curltool test libs in unity mode

  • cmake: Always define 'CURL::win32_winsock' on Windows in 'curl-config.cmake'

  • cmake: Convert 'curl_add_clang_tidy_test_target()' macro to function

  • cmake: Enable binutils ld workaround for all toolchains at build-time

  • cmake: Fix 'LOCATION' property access condition (debug)

  • cmake: Fix 'LOCATION' property read errors in target debug function

  • cmake: Fix building with 'CMAKE_FIND_PACKAGE_PREFER_CONFIG=ON'

  • cmake: Fix confusing error when a dependency is undetected in 'curl-config.cmake'

  • cmake: Fix logic for openssl/zlib binutils ld workaround

  • cmake: Fix passing system header directories to clang-tidy for tests
  • cmake: Fix system include directory position for clang-tidy in tests
  • cmake: Improve clang-tidy test command-line reproduction
  • cmake: Minor fixes to test targets after prev
  • cmake: Normalize uppercase hex winver (for display)

  • cmake: Omit 'curl.rc' from curltool lib

  • cmake: Reference OpenSSL and ZLIB imported targets only when enabled

  • cmake: Replace internal option with a new 'tt' (test tools) target

  • cmake: Silence potential unused var warnings in C++ test snippet
  • cmake: Silence silly Apple clang warnings in C89 mode, test in CI
  • cmake: Silence useless compiler warnings triggered by the FASTBuild generator

  • cmake: Skip binutils ld hack if zlib/openssl target is not 'IMPORTED'

  • cmake: Warn for invalid 'CURL_TARGET_WINDOWS_VERSION' values

  • cmake: Add '*_USE_STATIC_LIBS' options for 9 dependencies

  • config-plan9: Set 'HAVE_STDINT_H' again

  • config2setopts: Acknowledge OOM error from CURLOPT_MIMEPOST

  • config2setopts: Fix for --disable-aws build configuration

  • configure: Drop always true 'if' check (Windows)

  • content_encoding: Return 'identity' if none other exists

  • curl: Add -I and -i to -h important

  • curl: Limit Windows-specific code to Windows builds, other tidy-ups

  • curl_easy_nextheader.md: A new transfer invalidates 'prev'

  • curl_get_line: Drop single-use macro

  • curl_multi_perform.md: Resolve inconsistency

  • curl_ntlm_core: Merge two '#if' blocks

  • curl_setup.h: Drop extra header guard for internal include

  • curl_setup.h: Merge back single-use internal header 'curl_setup_once.h'

  • curl_setup.h: Simplify curl memory macro mappings

  • curl_setup_once: Allow CURL_DEBUGASSERT for customization

  • CURLINFO_CONTENT_LENGTH_DOWNLOAD_T.md: Fix available protocols

  • curlx: Drop unused 'curlx_saferealloc()'

  • digest: Escape double quotes and backslashes in realm and nonce

  • digest: Fix memory leak in auth_create_digest_http_message()

  • digest: Handle quotes in the path

  • docs/INSTALL: Update configure details

  • docs/libcurl: Unify WARNING use

  • docs: Add LibreELEC to DISTROS.md

  • docs: Add reproducible example for generating man page

  • docs: Avoid starting sentences with However,

  • docs: Avoid using the word 'magic'

  • docs: Clarify --ipv4 and --ipv6

  • docs: Document the need for a 64-bit type and stdint.h

  • docs: Drop basically

  • docs: Explicitly call out Slowloris as not a security flaw

  • docs: Fix grammar nitpicks
  • docs: Handle error in 'curl_global_init*' examples

  • docs: Replace instances of the vague qualifier 'quite'

  • docs: Reword explanation of --variable option

  • docs: Some nitpicks
  • docs: Use dot instead of comma at end of sentences

  • easy: Reset errorbuf on eyeballing success

  • easy: Reset pausing when resetting request

  • examples/usercertinmem: Use modern OpenSSL API, drop mentions of RSA

  • examples: Improve OpenSSL certificate examples
  • examples: Omit forward declarations, apply misc fixes
  • FAQ: Syntax improvements

  • fopen.h: Simplify curl memory macro mappings

  • ftp: Replace a 'curlx_free()' with 'curlx_dyn_free()'

  • ftp: Split ftp_state_use_port into sub-functions

  • GOVERNANCE.md: Post-Daniel BDFL

  • gss: Exclude verbose error logic from non-verbose builds
  • h2+h3: Align stream close handling

  • hostip.c: Fix leak of addrinfo

  • hostip6: Remove debug-only code

  • hostip: Fix unreachable code in rare build configuration

  • http/3: Add description for known server error codes

  • http1: Fix potential NULL dereference in 'Curl_h1_req_parse_read()'

  • http: Only send bearer if auth is allowed (CVE-2026-3783)

  • http_aws_sigv4: Fix query normalization of %2b

  • imap: Add a check for Curl_meta_get()

  • imap: Check 'imap_sendf()' printf masks at compile-time

  • imap: Skip literals inside quoted strings
  • include: Avoid recursive macros
  • include: Mask computed auth/proto bitmasks to 32 bits

  • INSTALL-CMAKE.md: Document Apple framework options

  • INSTALL.md: Fix typo

  • INSTALL.md: Suggest '-Wl,-dead_strip' for Apple targets

  • KNOWN_BUGS.md: Absolute Unix domain filename for SOCKS on Windows

  • ldap: Silence clang-tidy v22 warning
  • ldap: Silence potential unused variable warning (OS400)
  • lib: Delete unused local includes
  • lib: Disable websockets early if no http

  • lib: Make sigpipe handling more lazy

  • lib: Reorder protocol functions to avoid forward declarations (email) ( lib: Reorder protocol functions to avoid forward declarations (ftp)
  • lib: Reorder protocol functions to avoid forward declarations (misc cont.)
  • lib: Reorder protocol functions to avoid forward declarations (misc)
  • lib: Reorder protocol functions to avoid forward declarations (ssh)
  • lib: Separate scheme info from protocol implementation
  • lib: Skip compiling code with features disabled

  • lib: Use (u)int64_t instead of long long

  • libcurl docs: Reduce 'since ...' in descriptions

  • libcurl-security.md: Fix typos and add a point about URLs

  • libtests: Drop two redundant 'memset()'s

  • Makefile.am: Delete RPM targets referencing non-existent files

  • Makefile.am: Drop stray VC project files from dist

  • managen: Silence Perl warnings

  • mbedtls: Guard TLS 1.3 + session tickets usage inside ifdef

  • mbedtls: No pinnedpubkey without MBEDTLS_SSL_KEEP_PEER_CERTIFICATE

  • mbedtls: Remove newline from failf() call

  • mbedtls: Split mbed_connect_step1 into sub functions

  • md4, md5: Drop redundant forward declarations

  • md4, md5: Replace custom types with 'uint32_t'

  • memdebug: Include 'backtrace.h' as system header

  • mime: Drop fallback for unused 'R_OK' macro

  • mimepost: Allocate main struct on-demand

  • mk-ca-bundle.pl: Drop support for obsolete/insecure fingerprint algos

  • mod_curltest: Silence unused argument compiler warning

  • mprintf: Drop old sprintf fallback

  • mprintf: Rename internal enum to avoid collision with AmigaOS symbol

  • mprintf: Silence clang-tidy 'readability-suspicious-call-argument'

  • mprintf: Use '_snprintf()' when compiled with VS2013 and older

  • mqtt: Better too-big-message-check
  • mqtt: Fix EOF handling

  • mqtt: Verify Remaining Length for CONNACK and PUBACK

  • msvc: Drop exception, make 'BIT()' a bitfield with Visual Studio

  • msvc: VS2026: Unlock picky warning in cmake, test in CI
  • multi: Avoid a theoretical 32-bit wrap
  • multi: Fix unreachable code compiler warning

  • multi: Probe for IPv6 functionality in multi_init()

  • multi: Split multi_runsingle into sub-functions

  • multi: Update timer unconditionally in multi_remove_handle

  • ngtcp2: Stabilize recv

  • noproxy: Simplify, don't mix const and non-const in strchr()

  • openldap: Avoid forward declarations in ldaps code
  • openssl+ech: Workaround for insecure handshakes

  • openssl: Adapt to OpenSSL master adding const to more APIs

  • OpenSSL: Check reuse of sessions for verify status
  • openssl: Disable local keylog feature if built-in upstream
  • openssl: Fix compiler warning with OpenSSL master
  • openssl: Fix potential NULL dereference when loading certs (Windows)
  • openssl: Fix potential OOB read in debug/verbose logging
  • plan9: Drop special build and orphaned references

  • proxy-auth: Additional tests (CVE-2026-3784)

  • pytest: Remove 03_02

  • quiche: Use PRIu64 for outputting the stream id
  • rand: Drop impossible preprocessor branches (wincrypt)
  • rand: Drop scan-build silencer
  • ratelimit: Download fine-tune

  • request.h: Rename parameter 'buf' to 'req' in Curl_req_send

  • REUSE: Drop broken reference to 'MAIL-ETIQUETTE'

  • rtsp: Fix assertion failure on zero-length RTP payload

  • rtspd: Fix to check 'realloc()' result

  • runtests: Pass config filename to stunnel in native format (Windows)

  • schannel: Refactor: reduce variable scopes, fix comment, fix indent

  • send: Drop 'CURL_UNCONST()' from buffer argument on most platforms

  • setopt: Fix checking range for CURLOPT_MAXCONNECTS

  • setopt: Refuse blobs with zero length

  • setup-os400.h: Drop no longer used custom type 'u_int32_t'

  • sigpipe: unset SA_SIGINFO since it is using sa_handler

  • silent.md: Also mention it shuts off warning messages

  • smb: Free the path in the request struct properly (CVE-2026-3805)

  • smb: Include arpa/inet.h for NonStop

  • socket: Check result of SO_NOSIGPIPE

  • socketpair: Clear 'err' when retrying due to EINTR

  • socketpair: Set SO_NOSIGPIPE where possible

  • socks: Ensure DNS is freed in failure cases

  • src: Simplify declaring 'curl_ca_embed'

  • ssh: De-dupe state change function

  • Stop using the word 'just'

  • sws: Prevent "connection monitor" to say disconnect twice
  • synctime: Fix use of uninitialized buffer on non-Windows

  • system_win32: Replace manual init code with 'curlx_now_init()' call

  • tests/server/sockfilt: Avoid possible endless loop on Windows

  • tests/server: Drop unused 'curlx/version_win32.c'

  • tests/server: Fix to clear the complete 'srvr_sockaddr_union_t' variable

  • tests/server: Tidy-up error messages (Windows)

  • tests: Avoid assignment in 'if' conditions in 'first.h'

  • tests: Convert base64 data to %b64[]

  • tftp: Correct the filename length check
  • timeout handling: Auto-detect effective timeout

  • tls: Add new SSLSUPP flags for several options

  • tls: Remove checks for DEFAULT

  • tool: Enable header separation for HTTPS proxies
  • tool: Improve config error messaging
  • tool: Improve error/warning messages when output filename sanitization fails

  • tool: Rename curl handle and result variable in '--libcurl'-generated code

  • tool: Return code variable consistency

  • tool_cb_hdr: Suppress header output when --out-null

  • tool_cb_prg: Drop duplicate preprocessor logic

  • tool_dirhie: Drop superfluous 'F_OK' fallback (Windows)

  • tool_doswin: Avoid memory-leak with CURL_FN_SANITIZE_*

  • tool_doswin: Avoid Windowsisms in socket code

  • tool_doswin: Document 'ENABLE_VIRTUAL_TERMINAL_PROCESSING' toolchain support

  • tool_getparam: Avoid '-Wcomma' with Apple clang in C89 mode

  • tool_operate: Remove 'else' for VMS

  • tool_operate: Reset the URL --url-query between --next

  • typos: Silence false positives found in C code

  • unit3205: Suppress two clang-tidy false positives

  • URL-SYNTAX.md: Fix port number mistakes for IMAP and LDAP

  • url.c: Code/comment clean-up around conn creation

  • url.h: Fix '-Wdocumentation'

  • url: Fix reuse of connections using HTTP Negotiate (CVE-2026-1965)

  • urlapi: Use U_CURLU_URLDECODE when toggling it off unsigned

  • urldata.h: Remove two forward-declared structs not used

  • urldata: Bye-bye 'conn->hostname_resolve'

  • urldata: Change 'keep_post' into three distinct bitfields

  • urldata: Convert 'long' fields to fixed variable types

  • urldata: Switch to uint* types

  • usercertinmem: Use the correct cert BIO

  • verbose.md: Explain the { and } prefixes

  • vquic: Fix unused variable warning reported by clang-tidy

  • vquic: Handle SOCKEMSGSIZE correctly

  • vtls: De-dupe common on-session-reuse logic
  • vtls: Use ALPN http/1.0 and http/1.1 for HTTP/1.0 requests

  • VULN-DISCLOSURE-POLICY.md: Push reports to the web form

  • VULN-DISCLOSURE-POLICY.md: Use hackerone

  • winapi: Use FormatMessageA instead of FormatMessageW

  • windows: 'USE_WINSOCK' to guard winsock2 code (where missing)

  • windows: Determine 'RtlVerifyVersionInfo' address on global init

  • windows: Tidy up 'wincrypt.h'/ BoringSSL/AWS-LC coexist workaround

  • wolfssl: Fix build without USE_BIO_CHAIN

  • ws/tftp: include header file even when protocol disabled

  • x509asn1: Make encodeOID stop on too long input

Monday 9th March 2026

Fedora Project

• Updated perl-Compress-Raw-Bzip2 to 2.218 in Rawhide:

  • Add SECURITY.md (GH#18)

  • Fix POD typo

• Updated perl-Compress-Raw-Lzma to 2.221 in Rawhide:

  • Add SECURITY.md

• Updated perl-Compress-Raw-Zlib to 2.222 in Rawhide:

  • Add SECURITY.md (GH#40)

  • Fix POD typos

• Updated perl-IO-Compress to 2.219 in Rawhide:

  • Add SECURITY.md (GH#69)

  • Fix a few typos

  • Refresh zipdetails from https://github.com/pmqs/zipdetails

  • Squash repeated semicolons

  • Make dependent version checking consistent and update module to version 2.219 (GH#70)

• Updated perl-MetaCPAN-Client to 2.040000 in F-44 and Rawhide:

  • Use a boolean in reverse_deps term (GH#136)

  • Allow JSON->true and JSON->false (GH#137)

Local Packages

• Updated perl-Compress-Raw-Bzip2 to 2.218 as per the Fedora version

• Updated perl-Compress-Raw-Lzma to 2.221 as per the Fedora version

• Updated perl-Compress-Raw-Zlib to 2.222 as per the Fedora version

• Updated perl-IO-Compress to 2.219 as per the Fedora version

• Updated perl-Module-CoreList to 5.20260308:

  • Updated for v5.42.1

• Updated perl-MetaCPAN-Client to 2.040000 as per the Fedora version

Sunday 8th March 2026

Fedora Project

• Updated perl-Business-ISBN-Data to 20260306.001 in F-44 and Rawhide:

  • Data update for 2026-03-06

• Updated perl-Compress-Raw-Lzma to 2.220 in F-44 and Rawhide:

  • Remove obsolete TODO comment

• Updated perl-Devel-Cover to 1.52 in F-44 and Rawhide:

  • Increase minimum Perl version to 5.20 (GH#366)

  • Handle empty else branches optimised away by Perl (GH#362)

  • Fix set_module_file bug (GH#366)

  • Skip alarm-dependent tests on Windows (GH#366)

  • Refactor Collection.pm to Perl 5.42 built-in class (GH#366)

  • Extract shared code from Vim and Nvim reports (GH#366)

  • Consolidate CSS handling in Web module (GH#366)

  • Add test for gcov2perl (GH#366)

  • Add collection tests (GH#366)

  • Overhaul cpancover compression (GH#334)

  • Use multi-stage build for perl Docker images (GH#334)

  • Add Caddy configuration management (GH#334)

  • Add CPANCOVER_TEST_REGEX filter (GH#334)

  • Fix TTY handling in cpancover controller command (GH#334)

  • Update zsh completion to use modern compdef

  • Add pre-commit hooks and linting (GH#364)

  • Add Perl 5.42 to CI matrix
  • Test against 5.43.6 and 5.43.7

  • Enhance all_versions with timing and logging (GH#366)

  • Remove SVK annotation module (GH#364)

Local Packages

• Updated perl-Compress-Raw-Lzma to 2.220 as per the Fedora version

Friday 6th March 2026

Local Packages

• Updated perl-DateTime-TimeZone to 2.67:

  • This release is based on version 2026a of the Olson database
  • Contemporary changes for Moldova