Paul Howarth's Blog
Recent Entries
Wednesday 24th June 2026
Fedora Project
Merged libssh2 PR#3 to fix CVE-2026-55200 (transport.c: Additional boundary checks for packet length) and CVE-2026-55199 (packet.c: check _libssh2_get_string() return in EXT_INFO handler) and built (1.11.1) for F-43, F-44, Rawhide, EPEL-9, EPEL-10.2 and EPEL-10
Branched and built perl-Crypt-PBKDF2 (0.261630) for EPEL-8
Updated perl-Module-CPANTS-Analyse to 1.03 in F-43, F-44 and Rawhide:
- Fix tests to work with newer Archive::Tar (GH#51)
- Check link errors and warnings while extracting an archive
Local Packages
Updated curl to 8.21.0:
- curl: Named globs in output file name for upload glob references
- HTTP/3: Add proxy CONNECT and MASQUE CONNECT-UDP support (ngtcp2 QUIC)
- http2: Remove stream dependency tracking (CVE-2026-10536)
- lib: Drop support for CURLAUTH_DIGEST_IE
- libssh: Add support for SHA256 host public keys
- tool_urlglob: Add named globs
- _ENVIRONMENT.md: Windows does case insensitive environment variables
- _URL.md: Remove the zone-id mention
- AmigaOS: Avoid explicit_bzero with clib2 in curl_setup.h
- AmigaOS: Fix build fallouts, re-add to CI
- asyn-thrdd: Add IPv6 guards
- asyn-thrdd: Fix result processing without wakeup socketpair
- autotools: mbedtls detection fixes
- BINDINGS: Update Hollywood link
- BUFQ.md: Re-sync with source code
- build: Enable '-Wlogical-op' picky warning for GCC 4.4+
- build: Omit zlib pkg-config reference for Android
- cf-h2-prox: Fix peer leak
- cf-h2-proxy: Drop interim responses
- cf-https-connect: Do not engage on proxy origin
- cf-ip-happy.c: Minor comment typo
- cf-ip-happy: Update documentation
- cf-socket: Make Curl_addr2string static
- cf-socket: Set scope_id for IPv6 link-local addresses
- cf-socket: Store errno from do_connect in ctx->error
- cfilters: Fix busy loop on blocked transfers
- chunked: Reject invalid bytes in trailer
- CIPHERS.md: Fix the example that uses only TLS 1.3
- cmake/FindGSS: Drop "MIT Unknown" version value, related tidy ups
- cmake/FindGSS: Drop CMake <3.16 compatibility logic
- cmake/FindGSS: Fix comment, adjust custom flavour property name
- cmake/FindGSS: Prioritize MIT over GNU in pkg-config detection
- cmake: Auto-select static nghttp2/nghttp3/ngtcp2 Config
- cmake: Export/forward 'NGTCP2_CRYPTO_BACKEND'
- cmake: Fix three issues generating lib options in config files
- cmake: Fix zstd CMake config name
- cmake: Opt in 'MSVC_VERSION' 1951 to picky warnings
- cmake: Quote 'COMPONENTS' string in 'curl-config.in.cmake'
- cmake: Simplify 'LINK_ONLY' imported target extraction
- config2setopts: Use default protocol properly (CVE-2026-12064)
- connect: Remove deref of freed pointer in trace call
- content_encoding: Fix limit failure message
- content_encoding: Fix non-last chunked rejection
- content_encoding: Timeout during slow decoding
- cookie: Check __Secure- and __Host- case-sensitively when read from file
- cookie: Compare path case-sensitively
- cookie: Reject control octets in file-loaded cookies
- cookie: Simplify strstore(), remove outdated comment
- cookie: Tailmatch the domains for secure override
- cookie: Trim trailing dots when checking PSL (CVE-2026-8924)
- creds: Add sasl service name (CVE-2026-8458)
- creds: Create with empty user+pass
- creds: Mask OAuth bearer token in trace logs
- creds: Remove two unused functions
- curl_easy_pause.md: Rephrase the stream cache when pause clause
- curl_easy_setopt.md: Change options when no transfer runs
- curl_formdata: Fix to pass long where missing, document 'CURLFORM_NAMELENGTH'
- curl_multi_assign.md: Clarify lifetime
- curl_ntlm_core: Fix nettle 4+ builds in certain MultiSSL combos
- curl_ntlm_core: Propagate DES 'CryptEncrypt()' error
- curl_sha512_256: Fix result code on error
- CURLINFO_CONTENT_LENGTH_UPLOAD_T.md: Expand
- CURLMOPT_SOCKETFUNCTION.md: This sends all file descriptors
- CURLOPT_CHUNK_BGN_FUNCTION: Target is there for symlinks only
- CURLOPT_DISALLOW_USERNAME_IN_URL: Is for CURLOPT_URL only
- CURLOPT_DOH_URL.md: Does not inherit proxy options
- CURLOPT_ECH.md: Simplify the description language
- CURLOPT_HAPROXYPROTOCOL.md: Only sent for newly setup connections
- CURLOPT_MAXFILESIZE: Clarify this also works for on-going transfers
- CURLOPT_PINNEDPUBLICKEY.md: Does not apply for other origins
- CURLOPT_PORT.md: Use stronger language
- CURLOPT_SHARE: Warn about early remove
- CURLOPT_SSH_HOSTKEYFUNCTION.md: For new connections only
- CURLOPT_WRITEFUNCTION.md: Mention redirects
- CURLOPT_WRITEFUNCTION.md: Remove stray reference to HSTS
- delta: Harden external command invocations
- digest: Escape control codes too
- digest: Flush proxy state on proxy or credential change
- digest: Flush state on origin or credential change (CVE-2026-11856)
- dns-httpsrr-lookup: Use origin, not peer
- dnscache: Remove Curl_dns_entry_link
- docs/libcurl: Fix the version for curl_multi_socket_action
- docs: End "...can be used several times..." sentences with period
- docs: Fix --follow doc typo
- docs: Fix a couple of typos
- docs: Fix grammar and wording in FAQ
- docs: Fix odd wording in CONTRIBUTE.md
- docs: Note CURLOPT_PINNEDPUBLICKEY has no effect on legacy LDAP backend
- docs: Returned header size reflects HTTP/1-style format
- doh: Cap the maximum TTL to 24 hours
- doh: Drop redundant 'curlx_dyn_free()' call in 'doh_probe_done()'
- doh: Stricter HTTPS RNAME parsing
- ECH: Clean-ups
- event: Fix wakeup consumption
- ftp: Avoid accessing EPSV response one byte past the NULL
- ftp: Remove 2 Curl_resolv_blocking() calls
- ftp: Remove bits.ftp_use_control_ssl
- ftplistparser: Clear strings.target if not symlink
- gnutls: Allow building with nettle 4.0
- gnutls: Fix more nettle 4+ compatibility issues
- gnutls: Require 3.7.2 for earlydata
- gsasl: Fix potential double free (CVE-2026-8925)
- gtls: Fix ignored return and uninitialized status in OCSP check
- gtls: Fix some typos
- gtls: Minor fixes and improvements
- gtls: Use the correct return code in trace output
- gtls: Verify OCSP response signature in gtls_verify_ocsp_status
- h3-proxy: Fix callback return values and a typo in tests
- hostip: Remove unused MAX_HOSTCACHE_LEN and MAX_DNS_CACHE_SIZE
- hsts.md: Mention multiple curl invokes effect
- hsts: Duplicate live HSTS data in curl_easy_duphandle
- http-proxy: Verify CONNECT response headers
- HTTP3.md: Update quiche build
- http: Don't pass on set cookies to new origins
- http: Prefer chunked encoding over Content-Length: 0
- http: Reject spurious CR bytes in headers
- http_digest: Return better error
- idn: Replace header guards with forward declaration
- INSTALL-CMAKE.md: Document CMake environment variables
- INTERNALS.md: Document minimum nghttp3 and ngtcp2 versions
- KNOWN_BUGS.md: Remove fixed GnuTLS <-> OpenSSL incompat bug
- KNOWN_BUGS: Remove stale Threads::Threads entry
- krb5_sspi: Fix error message on 'DecryptMessage()' fail
- ldap: base64 encode binary LDIF values with WinLDAP
- ldap: Fix minor leak on write callback error
- ldap: Fix to not leak 'attribute' on OOM (WinLDAP)
- ldap: Switch off chasing referrals
- lib678: Fix to not be perma-skipped
- lib: Make '__STDC_VERSION__' literals 'L' (where missing)
- lib: Transfer origin and proxy handling
- lib: Two minor typos
- libcurl-easy.md: Minor clarifications
- libssh2: Do not use deprecated macros when unavailable
- libssh2: Drop stray double-negative from 'strncmp()' result
- libssh2: Fix to return error code on missing parameter
- libssh2: Replace macro names with non-misspelled alternatives
- libssh2: Save non-standard port to 'known_hosts'
- libssh2: Sync version check with INTERNALS.md
- libssh2: Use non-deprecated 'libssh2_knownhost_addc()'
- libssh: Map SSH_KNOWN_HOSTS_OTHER to CURLKHMATCH_MISMATCH (CVE-2026-9547)
- m4: Drop redundant conditions in TLS library detections
- Makefile.am: Drop test1190 listed twice
- managen: Apply minor fixes and improvements
- mbedtls: Null-terminate the private key blob
- mk-unity.pl: '#include', and not concatenate input headers
- mqtt: Return error on truncated Remaining Length
- mqtt: Validate PINGRESP and DISCONNECT have remaining_length == 0
- multi: Handle pause in multi socket callback (CVE-2026-9080)
- multi: Remove a stale comment
- multi: Silence gcc 16 '-Wnull-dereference', bump CI job to test
- multi: xfers_really_alive
- netrc: Remember and check filename loaded
- netrc: Scanner refactor (CVE-2026-8926)
- ngtcp2: Fail handshake directly (CVE-2026-9545)
- openssl: Do not mix OpenSSL int result with 'CURLcode' variable
- os400sys: Fix theoretical length overflows
- peer.h: Fix typo in comment
- pingpong: Reject nul byte in server response line
- progress: Fix CURLINFO time reporting
- psl: Require libpsl 0.16.0 (2016-12-10) or greater
- pytest: Pass '--disable' to curl
- pytest: Re-enable test test_05_01 and test_05_02 for quiche 0.29.0+
- pythonlint.sh: Make it fail on error, fix ruff warnings in pytest
- quic: Count zero length packets against max (CVE-2026-11352)
- ratelimits: Use minimal burst rate
- RELEASE-PROCEDURE.md: Update coming release dates
- resolve: Mention in error that IP address is expected
- rtsp: Bump buf after rtsp_filter_rtp()
- runner.pm: Apply minor correctness fix
- runner.pm: Set 'CURL_TESTNUM' for 'precheck' commands
- runtests: Fix tests for curl builds with embedded CA bundle
- rustls: Error on CURLOPT_CRLFILE with native CA store
- schannel: Check 'schannel_sha256sum()' success, and more
- schannel: Enforce Extended Key Usage for custom CA roots
- schannel: Error on TLS 1.3-only with cipher list
- schannel: Fix https proxy for client cert and certinfo
- schannel: Fix revoke_best_effort setting for proxy
- schannel: Use fopen instead of CreateFile
- schannel_verify: Avoid out of blob access
- schannel_verify: Simplify CryptQueryObject use
- scripts: Catch Credits-to contributors
- SECURITY-ADVISORY.md: Expand
- setopt: Changing the proxy port is also a proxy change
- setopt: Clear proxy auth properly on NULL (CVE-2026-9079)
- setopt: Clear the "custom" CA booleans when set to NULL
- setopt: CURLOPT_MAXCONNECTS set to 0 restores default value
- setopt: Deref the old referer when setting a new
- setopt: Fix to honour 'CURLOPT_PROXY_CAINFO_BLOB' over Native CA
- setopt: Gate a few proxy TLS options by checking backend support
- setopt: More careful clean-up of the HSTS cache
- setopt: Return error if received 'curl_blob->data' is NULL
- show-headers.md: Mention bold headers and --no-styled-output
- sigv4: URL encode the user name in the header
- smb: constify 'strchr()' result variable
- smb: Integer overflow proof a size check
- smbserver: Update internal id generation for Python 3
- socket: Introduce 'SOCK_EAGAIN()' and use it
- socket: Use name 'sockerr' for socket error variables
- socks_sspi: Invalid response length is a fatal error
- socks_sspi: Store socks5_gssapi_enctype
- spnego_sspi: Honour CURLOPT_GSSAPI_DELEGATION for Windows SSPI
- spnego_sspi: Preserve distinction btw policy-only and uncond delegation
- src: Fix comment typos
- src: Sync nghttp2 versions checks with current requirements
- ssl native_ca_store: Always reinit (CVE-2026-11564)
- SSLCERTS: Document 8.19.0 default Native CA builds (Windows)
- sspi: Clear SSPI credentials on AcquireCredentialsHandle failure
- sspi: Free libcurl allocated memory with curlx_free
- telnet: Drop an 'int' cast no longer necessary
- telnet: Drop redundant interim variables
- telnet: Fix error message typos
- telnet: Fix old copy-paste typo in variable name
- telnet: Honour CURLOPT_TIMEOUT in send_telnet_data()
- test1588: Use %TESTNUMBER, not hard-coded number
- test1981: Explicitly set the locale
- tests: Add 'cookies' feature to some tests
- tests: Add an assert to avoid IPC blocking
- tests: Add the "--resolve" keyword to tests that lack it
- tests: Fix unit1636 with --disable-progress-meter
- tftp: Avoid the timeout calc if the timeout is crazy
- tftp: Stricter option name checks
- tidy-up: Add space around operators, where missing
- tidy-up: Apply clang-format fixes
- tidy-up: Drop stray casts for allocated pointers
- tidy-up: Miscellaneous
- tls: Fix incomplete mTLS config in conn reuse and session cache (CVE-2026-8932)
- tls: Wolfssl: fixes for PQC key shares
- tool: Warn when --ssl and --ftp-ssl-control override each other
- tool_formparse.c: Fix two minor comment typos
- tool_formparse: Polish error message + make two functions static
- tool_formparse: tool2curlparts is no longer recursive
- tool_help: Rectify a bad assert
- tool_operhlp: Avoid NULL to %s
- tool_urlglob: Avoid overflow at end of range
- tool_urlglob: Better 'Duplicate glob name' position
- tool_urlglob: Make globbing error reported for correct position
- tool_writeout: Fix %time{} output for %s
- transfer: Clear referer when set to NULL (CVE-2026-9546)
- unit1675: Fix potential memory leak on dynbuf fail path
- unix-sockets: Ignore proxy settings
- URL-SYNTAX: Document more URL parsing details
- url: Compare full origin when setting credentials
- url: Connection credentials origin
- url: Connection reuse fixes for starttls
- url: Detect proxy changes read from environment (CVE-2026-8927)
- url: Don't log bits.close state
- url: Fix connection reuse for starttls protocols (CVE-2026-8286)
- url: Keep the question mark for empty queries
- url: Remove superfluous check
- url: url_match_destination fix
- urlapi: Accept 0X prefix in IPv4 address as well
- urlapi: Change more lowercase percent-encoded to uppercase
- urlapi: Compare zone-id in Curl_url_same_origin()
- urlapi: Consume trailing dots after IPv4 numerical addresses
- urlapi: Deny hostnames with more than one trailing dot
- urlapi: Drop base fragment on empty redirect
- urlapi: Fix an issue parsing file URLs
- urlapi: Fix memleaks on error in 'parse_hostname_login()'
- urlapi: Fix redirect handling if CURLU_NO_GUESS_SCHEME is set
- urlapi: Forbid '|' in host
- urlapi: Handle redirect without set scheme with default-scheme
- urlapi: URL decode hostname before IP address normalization
- user-agent.md: Mention double quotes too
- var: Use a dedicated pointer for the alloc
- verify-release: Verify more thoroughly with git
- vquic: Drop stray casts for 'iovec.iov_len'
- vquic: Fix '-Wunused-parameter' with proxies disabled
- vtls: More large buffer support and error checks for SHA-256
- vtls: Use Curl_safecmp for CRLfile and pinned_key comparison
- vtls_scache: Include signature_algorithms in the SSL peer cache key
- vtls_spack: Drop redundant macro fallbacks
- VULN-DISCLOSURE-POLICY.md: Emphasize comm as a human
- VULN-DISCLOSURE-POLICY.md: Emphasize the no email thank you part
- VULN-DISCLOSURE-POLICY.md: Test code is not secure
- VULN-DISCLOSURE-POLICY: Non-released code
- websockets: Auto-tunnel through http proxy
- websockets: Buffer upgrade data at connection level
- windows: Update MS SDK versions in comments
- winldap: Avoid NULL pointer deref on 'ldap_get_dn()' fail
- ws: Make pong sending lazy (CVE-2026-11586)
- x509asn1: Fix DH public key parameter extraction
- x509asn1: Fix operator order in do_pubkey
- I adjusted the parallel test jobs cap to 32 (from 64) to avoid overwhelming system resources
Updated libssh2 (1.11.1) as per the Fedora version
Updated perl-Module-CPANTS-Analyse to 1.03 as per the Fedora version
Tuesday 23rd June 2026
Fedora Project
Updated perl-MetaCPAN-Client to 2.044000 in Rawhide:
Local Packages
Updated perl-MetaCPAN-Client to 2.044000 as per the Fedora version
Monday 22nd June 2026
Fedora Project
Updated perl-DBD-CSV to 0.63 in Rawhide:
- It's 2026
- New test for DBI-1.648 CVE fix
- Minor typo in doc
- Raise recommended versions for fixed CVEs
Updated perl-Finance-Quote to 1.70 in F-43, F-44, Rawhide, EPEL-9, EPEL-10.2 and EPEL-10:
- New module Finnhub.pm: Fetches quotes from https://finnhub.io using a free personal-use API key
- GoogleWeb.pm: Adapt to the redesigned Google Finance site
- Tradegate.pm: Remove explicit "our $VERSION" assignment that collided with the dzil-injected version, producing a duplicate declaration and an "our variable $VERSION redeclared" warning; use a bare # VERSION marker like the other modules
- Tradegate.pm: Trim whitespace before parsing date and time
- Added CurrencyRates/Frankfurter
- Removed AEX.pm: Euronext.com added JavaScript based anti-webscraping
- Added CurrencyRates/UniRate.pm
Updated perl-GDGraph to 1.56 in EPEL-8 and EPEL-9:
- Fix failing XBM test resulting from some upstream changes (CPAN RT#140940)
- Skip samples tests if libgd has gd/gd2 image support disabled, which is the default starting with version 2.3.3 (see https://github.com/libgd/libgd/issues/428)
- Improve language in documentation
Updated perl-Module-Extract-VERSION to 1.121 in Rawhide:
- Support the old qv() syntax from version.pm
Updated perl-Text-CSV_XS to 1.64 in Rawhide:
- Check attribute lengths (memory protection)
- Minor code consistencies (not user-visible)
- Dropped support for 5.6.x and 5.8.0; minimum perl is now 5.8.1
- Fix special str setting consistency for types, undef_str and comment_str
- Characters []:*/\ are not allowed in XLSX sheet names
- Fix syntax error in csv2xlsx
Local Packages
Updated perl-DBD-CSV to 0.63 as per the Fedora version
Updated perl-DBI to 1.649:
- Extra Cwd::abs_path required for Windows
Updated perl-List-SomeUtils-XS to 0.59:
- Fix a heap buffer overflow in the pairwise function when it would return a very large list
Updated perl-Module-Extract-VERSION to 1.121 as per the Fedora version
Updated perl-Text-CSV_XS to 1.64 as per the Fedora version
Sunday 21st June 2026
Fedora Project
Updated perl-YAML-LibYAML to 0.908.0 in Rawhide:
- Fix for OOP interface: improve handling of mapping keys, for example numbers
Local Packages
Rebuilt curl (8.21.0~rc3) for OpenSSL 4.0 in Rawhide
Rebuilt libssh2 (1.11.1) for OpenSSL 4.0 in Rawhide
Rebuilt nmap (7.92) for OpenSSL 4.0 in Rawhide
Rebuilt perl-Net-SSLeay (1.92) for OpenSSL 4.0 in Rawhide
Updated perl-YAML-LibYAML to 0.908.0 as per the Fedora version
Rebuilt proftpd (1.3.9 and 1.3.10rc2) for OpenSSL 4.0 in Rawhide
Rebuilt sendmail (8.18.2) for OpenSSL 4.0 in Rawhide
Thursday 18th June 2026
Local Packages
Updated curl (8.21.0~rc3) to fix multi_fdset must not report only the wakeup socket (Bug #2460719)
Local Packages refers to my local package repository at http://www.city-fan.org/ftp/contrib/