Paul Howarth's Blog

Recent Entries

Monday 25th May 2026

Fedora Project

  • Updated perl-IO-Tty to 1.31 in Rawhide:

    • Bug Fixes:

      • Fix v1.27 regression where _open_tty() always passed O_NOCTTY, preventing make_slave_controlling_terminal() from acquiring a controlling terminal via the POSIX-standard open-without-O_NOCTTY mechanism (it was forced to fall through to an explicit TIOCSCTTY ioctl) (GH#91, GH#94)

        • _open_tty() now takes an optional noctty flag (default 1 for backward compatibility)

        • make_slave_controlling_terminal() passes 0

      • Fix openpty() detection on Fedora 33-34 / glibc 2.32-2.33, where LTO flags (-flto=auto) caused the libc-only compile probe to falsely succeed, producing "undefined symbol: openpty" at runtime; the probe now tries -lutil before libc, which is harmless on systems where openpty lives in libc (glibc 2.34+, musl) and necessary where it doesn't (GH#92, GH#93)

    • Maintenance:

      • Address CPANTS kwalitee issues: add LICENSE, SECURITY.md, and CONTRIBUTING.md; add META 'provides' for IO::Tty, IO::Pty, and IO::Tty::Constant; use --format=ustar in TARFLAGS to prevent PaxHeader entries in distribution tarballs (GH#90)

      • Clean up MANIFEST.SKIP: add #!include_default so ExtUtils::Manifest's built-in skip list is in effect, drop five entries that duplicate those defaults, and add a ^\.claude/ rule
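The O_NOCTTY regression above is easiest to see with the two acquisition paths side by side. The following is an added example, not IO::Tty's own code: it allocates a fresh pty, forks a session-leader child, and reports whether the slave became the controlling terminal through the plain open (the POSIX mechanism) or only after the explicit TIOCSCTTY ioctl that the v1.27 code was always forced to use. The function names are mine, modelled on the changelog's make_slave_controlling_terminal() and noctty flag; it assumes Linux with /dev/ptmx (TIOCGPTN and TIOCSPTLCK are Linux ioctls).

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example, not IO::Tty's code. Does the caller currently have a
   controlling terminal? /dev/tty can only be opened if it does. */
static int have_ctty(void) {
    int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
    if (fd < 0) return 0;
    close(fd);
    return 1;
}

/* Must run in a fresh session (after setsid()). Returns 1 if the slave became
   the controlling terminal through the plain open (POSIX mechanism), 2 if the
   explicit TIOCSCTTY fallback was needed (the path v1.27 always took), 0 on
   failure. 'noctty' mirrors the _open_tty() flag from the changelog. */
int make_slave_controlling_terminal(const char *path, int noctty) {
    int fd = open(path, O_RDWR | (noctty ? O_NOCTTY : 0));
    if (fd < 0) return 0;
    int how = have_ctty() ? 1
            : (ioctl(fd, TIOCSCTTY, 0) == 0 && have_ctty()) ? 2 : 0;
    close(fd);
    return how;
}

/* Allocate a pty via /dev/ptmx, run the acquisition in a session-leader child
   with the given noctty flag, and return which path it took (-1 on error). */
int try_in_new_session(int noctty) {
    int master = open("/dev/ptmx", O_RDWR | O_NOCTTY), unlock = 0, ptn = 0;
    if (master < 0) return -1;
    if (ioctl(master, TIOCSPTLCK, &unlock) || ioctl(master, TIOCGPTN, &ptn)) {
        close(master);
        return -1;
    }
    char slave[32];
    snprintf(slave, sizeof slave, "/dev/pts/%d", ptn);
    pid_t pid = fork();
    if (pid < 0) { close(master); return -1; }
    if (pid == 0) {                      /* child: become a session leader */
        if (setsid() < 0) _exit(0);
        _exit(make_slave_controlling_terminal(slave, noctty));
    }
    int status = 0;
    waitpid(pid, &status, 0);            /* master must stay open until here */
    close(master);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

With noctty=0 the child gets its controlling terminal from the open alone (returns 1); with noctty=1, as v1.27 always did, it has to fall back to TIOCSCTTY (returns 2).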

  • Updated perl-YAML-Syck to 1.46:

    • Bug Fixes:

      • Preserve string nature of numeric-looking values in Dump; pure strings (POK only, no IOK/NOK) are now quoted to maintain round-trip fidelity (GH#199, GH#200)

      • Accept trailing commas in flow sequences and mappings ([a, b,] and {a: 1,}), valid per YAML 1.0/1.1/1.2 spec (GH#195, GH#196)

    • Maintenance:

      • CI: upgrade install-with-cpm to v2 for compatibility with Perl versions prior to 5.24 in perldocker containers (GH#197, GH#198)

      • Clean up MANIFEST.SKIP: add #!include_default, remove redundant entries, exclude .claude/ from distribution

Local Packages

  • Updated libxml2 to 2.13.9 (see NEWS for details)

  • Updated perl-IO-Tty to 1.31 as per the Fedora version

  • Updated perl-YAML-Syck to 1.46 as per the Fedora version

Sunday 24th May 2026

Local Packages

  • Updated perl-Archive-Tar to 3.08:

    • Validate symlink and hardlink linkname in SECURE MODE

Saturday 23rd May 2026

Fedora Project

  • Updated perl-Business-ISBN-Data to 20260523.001 in Rawhide:

    • Data update for 2026-05-23

  • Updated perl-Crypt-PasswdMD5 to 1.4.3 in F-43, F-44, Rawhide, EPEL-8, EPEL-9, EPEL-10.2 and EPEL-10:

    • Replace use of the cryptographically weak rand() function with the much stronger Crypt::URandom::urandom() (GH#3, CVE-2026-6659, Bug #2479575)

    • Add Encode, Exporter, ExtUtils::MakeMaker to Makefile.PL

    • Add files AI_POLICY.md and SECURITY.md

Friday 22nd May 2026

Fedora Project

  • Updated libssh2 (1.11.1) in F-43, F-44, Rawhide, EPEL-9, EPEL-10.2 and EPEL-10 to fix CVE-2026-7598: integer overflow via large username or password arguments (GH#1058)

Local Packages

  • Updated libssh2 (1.11.1) as per the Fedora version

Thursday 21st May 2026

Fedora Project

  • Updated perl-Sereal-Decoder, perl-Sereal-Encoder and perl-Sereal to 5.006 in Rawhide and EPEL-10 (EPEL-10 update includes security fix from 5.005):

    • Update bundled miniz to 3.1.1

    • Avoid deprecated ZSTD API

    • Tidy and regenerate

  • Updated perl-Sereal-Decoder (4.018) in EPEL-8 and EPEL-9 to make sure that COPY tags cannot be used to read past end of buffer (ported from upstream commit 303a2c69)

Local Packages

  • Updated dovecot to 2.4.4 in F-40 onwards; only the x86_64 build is done, because the ix86 build fails the test suite:

    • lib-var-expand: Safe filter marked all following pipelines safe (CVE-2026-27851)

    • auth: CRAM-SHA-*-PLUS channel binding could be faked; MITM attacker with a certificate trusted by the client could have bypassed the requirement for channel binding (CVE-2026-33603)

    • IMAP folders could be shared-spammed to everyone (CVE-2026-40020)

    • An attacker could cause uncontrolled memory usage with excessive bracing over IMAP; the fix in CVE-2026-27857 was incomplete (CVE-2026-42006)

    • indexer-worker, quota-status, script-login, program-client-local: Root privileges are now dropped permanently before serving requests

    • indexer-worker: Default restart_request_count changed to 1 to work correctly after permanent root privilege drop

    • lmtp: Add back service_extra_groups=$SET:default_internal_group that was incorrectly removed in v2.4.3

    • master: inet_listener_reuse_port has been replaced by service_reuse_port; the new setting properly pre-creates all listener sockets at start-up and assigns one unique socket per process, which allows evenly distributing incoming connections to login processes (see https://doc.dovecot.org/latest/core/config/service.html#service_reuse_port for details)

    • auth: Fix LDAP escaping of 0x13 control character
    • auth: Use timing-safe comparison for certificate and public key fingerprints
    • fts: Correctly handle internal http-client response errors
    • fts: Don't send request to Tika if there is no body text
    • fts: Fix address header indexing for RFC 2047 encoded-words
    • fts: tika, fts-solr: Fix use-after-free crash during DNS lookup

    • imap: Fix assertion panic on invalid REPLACE 0 command

    • lib-auth-client: Avoid "unknown id" errors for aborted auth requests

    • lib-dcrypt: Fix potential crash if trying to access untrusted/corrupted keys

    • lib-dcrypt: Improve error message if keys aren't in hex format as expected

    • lib-index: Fix potential crash if fsck fails

    • lib-ldap: Fix using OpenLDAP default CA when ssl_client_ca_dir/file is unset (v2.4.3 regression)

    • lib-master, master: Fix behaviour for services with client_limit>1 and restart_request_count so that processes reaching restart_request_count are no longer counted towards process_limit

    • lib-master: Fix crash when reaching client_limit with restart_request_count>1

    • lib-master: haproxy - Don't trust client certificate common name when HAProxy reports verification failure

    • lib-sasl: cram-md5 - Fix out of bounds memory read

    • lib-sasl: oauth2 - Fix one byte out of bounds read

    • lib-sql: cassandra - Fix reusing Cassandra SSL connections

    • lib-sql: sqlite - Fix sqlite_journal_mode=wal to actually work

    • lib-storage: Auto-rename non-NFC subscription file entries to NFC on read

    • lib-storage: Prevent non-atom SEARCH keywords from causing IMAP command injection

    • lib-var-expand-crypt: Return error if hex decoding fails

    • lib-var-expand: Fix crash (SIGFPE) with non-positive divisor for / and %

    • log: Fix memory leak at de-init
    • login-common: When process is full, don't destroy clients waiting on master auth

    • login-proxy: Fix crash with rawlog and multiplexing during reconnection

    • mail-compress: Fix panic when save method unavailable

    • mail-crypt: Fix crash when HMAC-based algorithm is used

    • mail-crypt: Use AEAD instead of HMAC with ChaCha20-Poly1305

    • mdbox: Create files with O_NOFOLLOW

    • push-notification: ox - Fix use-after-free crash during DNS lookup

    • quota: quota-status - Limit input buffer size to 1 kB

  • Updated pigeonhole to 2.4.4:

    • Sieve :contains and :matches operators could have been using an excessive amount of CPU; limit the CPU to sieve_max_cpu_time (CVE-2026-40016)

    • Fix potential crashes parsing corrupted Sieve binaries

    • lib-sieve: matches - Fix trailing literal match when it fills value exactly (v2.4.3 regression)

  • Updated perl-XML-LibXML to 2.0213:

    • Security/Bug Fixes:

      • Revert GH#143 per the libxml2 author's request (GH#168)

        • GH#143 added a URL-scheme filter inside LibXML_load_external_entity and removed the EXTERNAL_ENTITY_LOADER_FUNC == NULL guards on the five Schema/RelaxNG NONET swap sites, on the premise that no_network on one parser should override a user-installed global externalEntityLoader

        • Nick Wellnhofer clarified that this contradicts upstream intent: XML_PARSE_NONET only polices libxml2's default loader; a user who installs a global loader is explicitly opting out of that policy, and the http/https/ftp allowlist was never a real security boundary

        • Reverted in full; GH#138's lifecycle/memory-safety fixes are kept

    • Bug Fixes:

      • Fix latent SEGV in _externalEntityLoader

        • The XS code returned &PL_sv_undef as RETVAL when no previous global loader existed

        • Since xsubpp auto-mortalizes an SV* RETVAL, each call mortalized the PL_sv_undef singleton, eventually driving its refcount negative and producing "Attempt to free unreferenced scalar" followed by SEGV under repeated invocation

        • Now returns newSV(0) so RETVAL is always a fresh refcount-1 SV that is safe to mortalize

        • The bug shipped in 2.0212 with GH#138's lifecycle fixes; this is a single-line correction to that code path

    • Maintenance:

      • Add t/49global_extent_with_no_network.t, 17 subtests locking in the entity-loader contract restored by the GH#168 revert: a user-installed global loader takes precedence over no_network across plain XML parse, RelaxNG, and XML Schema, while no_network without any loader still blocks via libxml2's default loader

      • Document the entity-loader contract in CLAUDE.md ("Entity loaders, no_network, and XML_PARSE_NONET") plus a "Verifying audit-flagged security findings" checklist to keep pattern-matched "security fixes" like GH#143 from shipping again

  • Updated perl-YAML-LibYAML (0.907.0) to safely check for JSON::PP in 13-utf8.t

Note: Local Packages refers to my local package repository at http://www.city-fan.org/ftp/contrib/