Paul Howarth's Blog

Recent Entries

Monday 18th May 2026

Fedora Project

  • Updated perl-Authen-Radius to 0.37 in Rawhide:

    • Enable Rfc3579MessageAuth by default and emit Message-Authenticator as the first attribute in Access-Request packets (RFC 9716 section 4.2), mitigating the Blast-RADIUS protocol vulnerability (callers that need the previous behaviour can pass Rfc3579MessageAuth => 0 explicitly)

    • Stabilise t/eintr.t on loaded smokers and MSWin32 by relaxing the timeout budget and skipping the SIGALRM sub-test on MSWin32 where Time::HiRes::alarm is unimplemented

  • Updated perl-Crypt-DSA to 1.20 in F-42, F-43, F-44, Rawhide, EPEL-10.1, EPEL-10.2 and EPEL-10:

    • This module is now marked as deprecated: Crypt-DSA-GMP is a possible replacement

    • Improve the call to IPC::Open3::open3

    • Replace two arg open (CVE-2026-8704)

    • Replace rand() (CVE-2026-8700)

    • Add a security policy

    • Add use warnings

    • Typo fix (CPAN RT#86424)

  • Updated perl-Crypt-DSA (1.17) in EPEL-8 and EPEL-9:

    • Replace two arg open (CVE-2026-8704)

    • Replace rand() (CVE-2026-8700)

    • Fix "Use of uninitialized value $cur_part in hash element" warning in Crypt::DSA::KeyChain

    • Add security note discouraging use of Crypt::DSA

    • Fix typo in Crypt::DSA::Util

  • Updated perl-Role-Tiny to 2.002005 in Rawhide:

    • Split role initialization from setting pragmas to allow more flexibility for subclasses

    • Ensure consistent internal handling of Class::C3 versus mro

    • Reduced Exporter dependency to 0 (any version)

Local Packages

  • Update perl-HTTP-Tiny to 0.094:

    • Fix to prevent invalid characters in all headers, and prevent header smuggling (CVE-2026-7010)

  • Updated perl-Role-Tiny to 2.002005 as per the Fedora version

Sunday 17th May 2026

Fedora Project

  • Updated perl-IO-Compress to 2.220 in Rawhide:

    • Remove use of eval in globmapper (GH#73)

    • Update zipdetails to version 4.006

    • Fix typo in fastForward (GH#72)

    • Fix issue with 'rawdeflate' option in AnyInflate (GH#71)

Local Packages

  • Updated perl-IO-Compress to 2.220 as per the Fedora version

Thursday 14th May 2026

Fedora Project

  • Updated perl-Apache-Session-Browseable to 1.3.19 in F-43, F-44, Rawhide, EPEL-8, EPEL-9, EPEL-10.1, EPEL-10.2 and EPEL-10:

    • Apache::Session::Generate::SHA256 used a low-entropy seed (time, PID, rand, stringified hash ref) to derive session identifiers; use Crypt::URandom to generate session ids from a cryptographically secure source, falling back to the previous hashing method only if Crypt::URandom is unavailable (CVE-2026-8503, similar in scope to CVE-2025-40931 and CVE-2025-40932)

    • Fix Redis indexes: never cleaned before

    • Improve resilience and reliability of Patroni driver
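
The Apache::Session::Browseable fix above replaces a session-ID derivation seeded from guessable inputs with bytes from a cryptographically secure source. The following Perl is an added illustration written for this post, not the module's own code: it shows the legacy hash-of-low-entropy-inputs pattern next to a Crypt::URandom-based generator with the same fallback policy the changelog describes, plus a batch sanity check. The function names (`legacy_session_id`, `secure_session_id`, `check_ids`) are hypothetical; `Crypt::URandom::urandom` and `Digest::SHA::sha256_hex` are real CPAN APIs.

```perl
#!/usr/bin/perl
# Added example (not Apache::Session::Browseable's own code): generate a
# 256-bit session identifier from the platform CSPRNG via Crypt::URandom,
# falling back to the older scheme only when Crypt::URandom cannot be
# loaded. Sub names are hypothetical.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# The legacy scheme the changelog describes: wall-clock time, the PID,
# one rand() value and a stringified hash reference (an address). Each
# input is guessable or narrow, so the SHA-256 output has far less than
# 256 bits of entropy even though it is 64 hex characters long.
sub legacy_session_id {
    return sha256_hex( time() . {} . rand() . $$ );
}

# Load the CSPRNG wrapper once; remember whether it is available.
my $have_urandom = eval { require Crypt::URandom; 1 };

# Preferred scheme: 32 raw bytes from the kernel CSPRNG, hex-encoded to a
# 64-character ID. The output format matches the legacy one, so session
# stores and ID validators need no change.
sub secure_session_id {
    return legacy_session_id() unless $have_urandom;
    my $bytes = Crypt::URandom::urandom(32);
    return unpack( 'H*', $bytes );
}

# Deployment sanity check: every ID is 64 lowercase hex digits and a batch
# contains no repeats. Returns 1 on success, dies on the first failure.
sub check_ids {
    my ($n) = @_;
    my %seen;
    for ( 1 .. $n ) {
        my $id = secure_session_id();
        die "bad format: $id" unless $id =~ /\A[0-9a-f]{64}\z/;
        die "duplicate session id: $id" if $seen{$id}++;
    }
    return 1;
}

# Run as a script (modulino style): report which source is in use.
if ( !caller ) {
    print 'Crypt::URandom available: ',
        ( $have_urandom ? 'yes' : 'no (legacy fallback in use)' ), "\n";
    print 'session id: ', secure_session_id(), "\n";
    check_ids(1000)
        and print "1000 ids generated, all well-formed and distinct\n";
}
```

Running it prints which source is in use, so an operator can tell at a glance whether the fallback (and with it the weak derivation) is what a given host actually ends up using.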

Local Packages

  • Updated perl-IO-Socket-IP to 0.44

Tuesday 12th May 2026

Fedora Project

  • Updated proftpd (1.3.9a) in F-34, F-44, Rawhide, EPEL-10.1, EPEL-10.2 and EPEL-10:

    • Additional escaping for avoidance of SQL injection issues with %{note:...} and %{env:...}; these are on top of the existing fix for CVE-2026-42167 in 1.3.9a

    • Fix for SQL Injection in mod_wrap2_sql via reverse DNS hostname (CVE-2026-44331, GH#2057)

  • Updated proftpd (1.3.8d) in EPEL-9 as per the Rawhide version

  • Updated proftpd (1.3.6e) in EPEL-8 with the fix for CVE-2026-44331

Local Packages

  • Updated perl-Object-HashBase to 0.016:

    • Add [PruneCruft] to dist.ini so build artefacts (blib/, pm_to_blib, MYMETA.*) no longer leak into release tarballs

    • Add '@Class::Name' parent prefix to import (shortcut for use parent)

    • Add '&Role::Name' role prefix to import (compose Role::Tiny role)

    • Skip 'new' injection when Object::HashBase is imported into a Role::Tiny role

    • Role::Tiny is a soft requirement, loaded only when '&' prefix used

    • '&' prefix requires Perl 5.10+

  • Updated proftpd (1.3.9a) as per the Fedora version, and proftpd (1.3.10rc1) with the same fixes

Monday 11th May 2026

Fedora Project

  • Updated perl-Net-CIDR-Lite to 0.24 in F-43, F-44, Rawhide, EPEL-8, EPEL-10.1, EPEL-10.2 and EPEL-10

  • Updated python-paramiko to 4.0.0 in Rawhide:

    • Dropped support for Python <3.9

    • Migrated packaging metadata and practices to use 'pyproject.toml'

    • Removed the now-vestigial 'ed25519' packaging 'extra' (support for this hasn't required additional dependencies in a number of releases now, just the core ones)

    • Moved Invoke requirement to core dependencies, and removed 'paramiko[invoke]' from extras

    • With those two changes, 'paramiko[all]' becomes much less useful, and has itself been axed

    • Removed the very old and wizened 'setup_helper.py', which was only needed on ancient (for this century) versions of macOS

    • Removed 'paramiko.__all__', as it was redundant (guessing it dated back to some very old Python versions); anyone using 'import *' these days (shame!) should still be fine, as we never had any 'private' members in '__all__', and AFAICT that was the only reason ever to use it in the first place (since 'import *' skips names like '_private')

    • Removed support for the DSA (a.k.a. DSS) key algorithm, as it has been badly outdated and insecure for a decade or more at this point, and was recently completely removed from OpenSSH as well (GH#973)

    • If you were still using DSA out of sheer inertia: we strongly recommend upgrading to Ed25519 (or maybe ECDSA)

    • If you were still using DSA because of target hosts you do not control: please continue using Paramiko 3.x

  • Updated python-paramiko to 5.0.0 in Rawhide:

    • Fix 'Ed25519Key <paramiko.ed25519key.Ed25519Key>' internals such that it no longer throws 'AttributeError' during calls to '__repr__' when only partly initialized; this isn't a normal runtime problem (it only happens inside error handling for fatal errors like "not a valid private key") but was perennially complicating test failure diagnosis and similar scenarios

    • The 'PKey <paramiko.pkey.PKey>' class family tree reorganized the 'write_private_key' and 'write_private_key_file' methods; with other recent changes, having individual implementations on the child classes made no sense, so key writing is now implemented in 'PKey <paramiko.pkey.PKey>' itself and the included child classes such as 'ECDSAKey <paramiko.ecdsakey.ECDSAKey>' no longer define their own such methods, instead simply exposing their underlying cryptographic private key objects as '.private_key'

    • Added a new, optional 'file_format' keyword argument to 'PKey.write_private_key <paramiko.pkey.PKey.write_private_key>' and 'PKey.write_private_key_file <paramiko.pkey.PKey.write_private_key_file>' to allow writing out OpenSSH-style private key files in addition to the legacy PEM format

    • Warning: While the default format remains PEM in Paramiko 5, future major releases are likely to change that default to the OpenSSH format; we recommend updating any key-writing code you have to be explicit now, to insulate yourself from such an update

    • Raised the minimum modulus size in 'diffie-hellman-group-exchange-sha256' key exchange from 1024 (the original spec's minimum) to 2048 (the contemporary minimum according to RFC-9142, and matching a similar change by OpenSSH ten years ago in 7.2 / 2016)

    • Warning: This change may be backwards incompatible if you were targeting servers supporting only this kex method and whose own maximum modulus size for group-exchange was lower than 2048

    • Removed GSSAPI support, as the current (buggy, no longer easily testable in CI, poorly understood and not used by the core team) implementation is SHA-1 based and no SHA-256 upgrade appeared to be forthcoming from contributors

    • We don't like removing functionality, but this feature has been on the rocks for years and it makes sense to remove it as an insecure support burden; we will definitely consider merging a SHA256-based replacement in the future if a high-quality one appears

    • Side note: the GSS related constants in 'paramiko/common.py' have been left in place as they are essentially mapping out known protocol numbers

    • Warning: This change is backwards incompatible if you require GSS

    • Removed support for key exchange using SHA-1, meaning the kex methods 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha1', and 'diffie-hellman-group1-sha1' are now gone; implementing classes have been removed/merged/shuffled as required

    • Warning: This change is backwards incompatible if you were still supporting old systems that don't implement sha256/sha512 DH kex (or ECDH kex)

    • Removed support for verifying/signing with RSA keys using SHA-1 hashing; generally, this means most cases where "ssh-rsa" was used as an algorithm identifier (as opposed to a key material identifier) will no longer accept that string as valid, and the relevant code that actually used e.g. 'hashes.SHA1' no longer does

    • Warning: This change is backwards incompatible if you are stuck supporting legacy systems with Paramiko that are unable to use SHA2-based signatures with RSA keys (or other workarounds, such as switching from RSA keys to Ed25519 ones)

    • Added a 'password' kwarg to 'PKey.from_type_string <paramiko.pkey.PKey.from_type_string>' so it can handle encrypted keys like most other PKey constructors already could

    • Renamed 'PKey.from_path <paramiko.pkey.PKey.from_path>'s 'passphrase' argument to 'password' so it's consistent with all the other methods of instantiating PKey objects

    • Warning: This change is backwards incompatible if you were using this relatively new constructor and were doing so to load encrypted keys

    • Removed the 'demos/' folder; they've become too big a support burden and we've wanted to remove them for years

    • Users who enjoyed the client-side demos should look at our wrapper library, 'Fabric (https://fabfile.org/)'

    • We suspect the most-used demo was 'demos/demo-server.py' and may consider adding a variant of it to the actual Python package in future

Local Packages

  • Updated perl-Net-CIDR-Lite to 0.24 as per the Fedora version

  • Updated perl-YAML-LibYAML to 0.907.0:

    • Turn off cyclic references by default


{i} Local Packages refers to my local package repository at http://www.city-fan.org/ftp/contrib/