Paul Howarth's Blog
Recent Entries
Wednesday 29th April 2026
Fedora Project
Updated perl-Text-CSV_XS to 1.62 in F-42, F-43, F-44, Rawhide, EPEL-8, EPEL-9, EPEL-10.1, EPEL-10.2 and EPEL-10:
- It is 2026
- Fix possible stack corruption (GH#65, CVE-2026-7111)
Updated proftpd (1.3.8d) in EPEL-9 to fix potential SQL injection via mod_sql (GH#2052, CVE-2026-42167)
Local Packages
Updated curl to 8.20.0:
- async-thrdd: Use thread queue for resolving
- build: Make NTLM disabled by default
- cmake: Drop support for CMake 3.17 and older
- lib: Add thread pool and queue
- lib: Drop support for c-ares < 1.16.0
- lib: Make SMB support opt-in
- multi.h: Add CURLMNWC_CLEAR_ALL
- rtmp: Drop support
- altsvc: Cap the list at 5,000 entries
- altsvc: Drop the prio field from the struct
- altsvc: Skip expired entries read from file
- asyn-ares: Connect async
- asyn-ares: Drop orphaned variable references
- asyn-ares: Fix HTTPS-lookup when not on port 443
- asyn-thrdd: Drop redundant 'result' check
- asyn-thrdd: Fix clang-tidy unused value warning
- async-ares: Fix query counter handling
- autotools: Limit checksrc target to ignore non-repo test sources
- badwords-all: Exit with correct code on errors
- badwords: Combine the whitelisting into a single regex
- badwords: Detect the the and with with
- badwords: Only check comments and strings in source code
- badwords: Rework exceptions, fix many of them
- boringssl: Fix more coexist cases with Schannel/WinCrypt
- build: Adjust/add casts to fix '-Wformat-signedness'
- build: Assume 'snprintf()' in 'mprintf', drop feature check
- build: Compiler warning silencing tidy-ups
- build: Drop 'openssl' module dependency for BoringSSL from 'libcurl.pc'
- build: Drop duplicate 'pthread.h' includes
- build: Drop redundant 'USE_QUICHE' guards
- build: Enable '-Wimplicit-int-enum-cast' compiler warning, fix issues
- build: Fix '-Wformat-signedness' by adjusting printf masks
- build: Link 'bcrypt.lib' via vcxproj files
- build: Skip detecting 'pipe2()' for Apple targets
- build: Stop building and installing 'runtests.1' and 'testcurl.1'
- cf-https-connect: Silence '-Wimplicit-int-enum-cast' with HTTPS-RR
- cf-ip-happy: Limit concurrent attempts
- cf-socket: Avoid low risk integer overflow on ancient Solaris
- cfilters: Fix Curl_pollset_poll() return code mixup
- clang-tidy: Avoid assignments in 'if' expressions
- clang-tidy: Enable more checks, fix fallouts
- cmake: Add CMake Config-based dependency detection
- cmake: Add CMake Config-based dependency detection for c-ares, wolfSSL
- cmake: Do not install 'wcurl' when 'BUILD_CURL_EXE=OFF'
- cmake: Do not install shell completions when 'BUILD_CURL_EXE=OFF'
- cmake: Document functions used from Windows system DLLs
- cmake: Enable pthreads for BoringSSL/AWS-LC
- cmake: Resolve targets recursively when generating 'libcurl.pc'
- cmake: Rework binutils ld hack to not read 'LOCATION' property
- cmake: Silence bad library 'Threads::Threads' warning
- cmake: Use 'AIX' built-in variable (with CMake 4.0+)
- config2setopts: Make --capath work in proxy disabled builds
- configure: Fix '--with-ngtcp2=<path>' option for crypto libs
- configure: Fix LibreSSL ngtcp2 1.15.0+ crypto lib selection logic
- configure: Prefer dependency-specific variables over '$withval'
- configure: Remove superfluous experimental warning for HTTP/3
- configure: Silence useless clang warnings in C89 builds
- configure: Tidy up comments
- connect: Fix typo on error message
- cookie: Fix rejection when tabs in value
- curl-wolfssl.m4: Fix to use the correct value for pkg-config directory
- curl.h: Replace macros with C++-friendly method to enforce 3 args
- curl_ctype.h: Fix spelling in a couple of locally used macros
- curl_get_line: Error out on read errors
- curl_get_line: Fix potential infinite loop when filename is a directory
- curl_ngtcp2: Extend and update callbacks for 1.22.0+
- curl_ntlm_core: Drop redundant PP condition
- curl_ntlm_core: Use wolfCrypt DES API with wolfSSL
- curl_setup.h: Drop stray/unused 'USE_OPENSSL_QUIC' guard
- curl_sha512_256: Support delegating to wolfSSL API
- curl_version_info.md: Clarify age details
- CURLOPT_HAPROXY_CLIENT_IP.md: Mention assumption on data format
- CURLOPT_RTSP_SESSION_ID.md: Clarify reuse "dangers"
- CURLOPT_RTSP_SESSION_ID.md: Expand the comment
- CURLOPT_RTSP_SESSION_ID.md: Minor language fix
- CURLOPT_SOCKS5_AUTH.md: An access property
- CURLOPT_SSL_CTX_FUNCTION.md: Expand on effects connection reuse
- CURLOPT_UPLOAD_FLAGS.md: Expand
- curlx_now(): Prevent zero timestamp
- DEPRECATE: Fix minor release number typo
- digest: Pass in the user name quoted (as well)
- dns: https-eyeballing async
- dnscache: Own source file, improvements
- docs/cmdline-opts/write-out.md: tls_earlydata was added in 8.13.0
- docs/cmdline-opts: Tidy up retry-connrefused
- docs/lib: Fix typos
- docs/libcurl: Improve easy setopt examples
- docs: Clarify retry-max-time timing
- docs: CURLOPT_LOGIN_OPTIONS is a login property
- docs: Enable more compiler warnings for C snippets, fix 3 finds
- docs: List more dependencies for running Python HTTP tests
- docs: Mention more zip bomb precautions
- docs: Minor wording tweaks
- docs: noproxy wants the punycoded hostname version
- docs: SSH host verification is done at connect time
- docs: Use the correct CURLOPT_WRITEFUNCTION signature
- doh: Fix memory-leak when doing a second DoH resolve
- doh: Remove superfluous doh_req check
- examples/websocket: Fix to sleep more on Windows
- examples: Drop warning silencers no longer hit
- examples: Fix typo in comment
- file: init fd to -1 to prevent close fd 0 on early failure
- fopen: For temp files, inherit permissions only for owner
- ftp: Do not strdup DATA hostname
- ftp: Make the MDTM date parser stricter (again)
- ftp: Reject PWD responses containing control characters
- gcc: Guard '#pragma diagnostic' in core code for <4.6
- generate.bat: Remove extra % from VC11 and VC12 runs
- genserv.pl: Make external calls safe
- getinfo: Initialize 'PureInfo' field 'used_proxy'
- getinfo: Repair CURLINFO_TLS_SESSION
- gnutls: Fix clang-tidy warning with !verbose
- gtls: Fail for large files in 'load_file()'
- h3: HTTPS-RR use in HTTP/3
- Happy Eyeballs: Add resolution time delay
- haproxy: Use correct ip version on client supplied address
- hostip: Clear the sockaddr_in6 structure before use
- hostip: init the curl_jmpenv_lock appropriately
- hostip: Resolve user supplied ip addresses
- HSTS: Cap the list
- hsts: Make the HSTS read callback handle name dupes
- hsts: Skip expired HSTS entries read from file
- hsts: When a dupe host adds subdomains, use that
- http2: Clear the h2 session at delete
- http2: Prevent secure schemes pushed over insecure connections
- http2: return error on OOM in push headers
- HTTP3.md: Drop outdated mentions of OpenSSL-QUIC
- http: Clear credentials better on redirect (CVE-2026-6429)
- http: Clear digest nonce on cross-origin redirect
- http: Clear the proxy credentials as well on port or scheme change (CVE-2026-6253)
- http: Fix auth_used and auth_avail
- http: Fix Curl_compareheader for multi value headers
- http: Make Curl_compareheader handle multiple commas in header
- http: On 303, switch to GET
- http: Use header_has_value() instead of duplicate code
- imap: Reset the UIDVALIDITY state between transfers
- include: Drop 'will' from public headers
- INSTALL.md: Update Cygwin instructions
- keylog.h: Replace literal number with macro in declaration
- keylog: Drop unused/redundant includes and guards
- ldap: Drop duplicate 'ldap_set_option()' on Windows
- ldap: Fix to initialize cleartext connection on Windows
- lib1560: Fix comment typo
- lib1960: Fix test failure
- lib: Accept larger input to md5/hmac/sha256/sha512 functions
- lib: Always use Curl_1st_fatal instead of Curl_1st_err
- lib: Fix typos in comments
- lib: Make resolving HTTPS DNS records reliable
- lib: Minor comment typos
- lib: Move request specific allocations to the request struct
- lib: Replace 'PRI*32' printf masks with C89 ones
- libssh2: Allocate libssh2-friendly memory in kbd_callback
- libssh2: Fix error handling on quote errors
- libssh: Fix 64-bit printf mask for mingw-w64 ≤ 6.0.0
- libssh: Fix '-Wsign-compare' in 32-bit builds
- libssh: Path length precaution
- libssh: Propagate error back in SFTP function
- libtest: Drop duplicate include
- location/follow: Mention netrc
- man: Fix argument type for 'CURLSHOPT_[UN]SHARE' options
- mbedtls: Clean up more without care for 'initialized'
- mbedtls: Fix ECJPAKE matching
- mbedtls: Remove failf() call with first argument as NULL
- md4, md5: Switch to wolfCrypt API in wolfSSL builds
- mime: Only allow 40 levels of calls
- misc: Fix code quality findings
- mk-ca-bundle.pl: Make ca-bundle.crt timestamp match certdata.txt's
- multi: Enhance pending handles fairness
- multi: Fix connection retry for non-http
- multi: Improve wakeup and wait code
- netrc: Find login-less password when user is given in URL
- netrc: Remove unused parsenetrc() macro for netrc-disabled
- netrc: Skip malformed macdef lines
- openssl channel_binding: Lookup digest algorithm without NID
- openssl: Drop obsolete SSLv2 logic
- openssl: Fix build with 4.0.0-beta1 no-deprecated
- openssl: Fix memory leaks in ECH code (OpenSSL 3)
- openssl: Fix unused variable warnings in !verbose builds
- openssl: Trace count of found / imported Windows native CA roots
- OS400: Add new definitions to the ILE/RPG binding
- os400sys: Fix typo in comment (symetry -> symmetry)
- parsedate: bsearch the time zones
- parsedate: Fix wrong treatment of "military time zones"
- parsedate: Refactor
- perl: Harden external command invocations
- progress: Count amount of data "delivered" to application
- protocol.h: Fix the CURLPROTO_MASK
- protocol: Disable connection reuse for SMB(S) (CVE-2026-5773)
- protocol: Use scheme names lowercase
- proxy: Chunked response, error code
- pytest: Add additional quiche check for flaky test_05_01
- pytest: Check 429 handling
- rand: Use 'BCryptGenRandom()' in UWP builds
- ratelimit: Reset on start
- request: Reset resp_trailer in new requests
- runtests: Skip setting ed25519 SSH key format
- rustls: Fix memory leak on repeated SSLKEYLOGFILE fails
- rustls: Handle EOF during initial handshake
- schannel: Increase renegotiation timeout to 60 seconds
- scripts: Drop redundant double-quotes: '"$var"' -> '$var' (Perl)
- scripts: Harden / tidy up more Perl 'system()' calls
- sectrust: Fail on missing OCSP stapling (CVE-2026-7009)
- sendf: Fix CR detection if no LF is in the chunk
- setopt: Clear proxy auth properties when switching (CVE-2026-7168)
- setopt: Fix typos in comments
- setopt: Move CURLOPT_CURLU
- setup connection filter: Mark as setup
- sha256, sha512_256: Switch to wolfCrypt API
- sha256: Support delegating to wolfSSL API
- share: Concurrency handling, easy updates
- share: Do bitshifts after the type is checked to be valid
- socks: Reject zero-length GSSAPI/SSPI tokens from proxy
- socks: Use dns filter for resolving
- spelling: Fix typos
- src: Use ftruncate() unconditionally
- sshserver.pl: Harden more 'system()' calls
- sshserver.pl: Pass command-line to 'system()' safely
- strerr: Correct the strerror_s() return code condition
- sws: Fix potential OOB write
- synctime: Fix off-by-one read and write to a read-only buffer (Windows)
- test 766: Flag as timing-dependent
- test1675: Unit tests for URL API helper functions
- test459: Switch to mode="warn" for stderr check
- testcurl.pl: Replace shell commands with Perl 'rmtree()'
- tests/unit/README: Describe how to unit test static functions
- tests: Avoid infinite recursion for 'make check'
- tests: Use %b64[] instead of "raw" base64
- tool: Check for curlinfo->age when determining if ssh backend
- tool: Fix memory mixups
- tool: Fix retries in parallel mode
- tool: Fix two more allocator mismatches
- tool_cb_hdr: Only truncate etags output when regular file
- tool_cb_rea: Make waitfd() return void
- tool_cb_wrt: Fix no-clobber error handling
- tool_cfgable: Free the SSL signature algorithms
- tool_dirhie: Fix to create drive-relative directory
- tool_formparse: Propagate my_get_line errors when reading headers
- tool_getparam: Use correct free function for libcurl memory
- tool_ipfs: Accept IPFS gateway URL without set port number
- tool_msgs: Avoid null pointer deref for early errors
- tool_operate: Actually apply the --parallel-max-host limit
- tool_operate: Drop the scheme-guessing in the -G handling
- tool_operate: Fix condition for loading 'curl-ca-bundle.crt' (Windows)
- tool_operate: Fix memory-leak on failed uploads
- tool_operate: Fix minor memory-leak on early error
- tool_operate: Reset the upload glob counter for next URL
- tool_operhlp: Fix 'add_file_name_to_url()' result on OOM
- tool_operhlp: Iterate through all slashes to find name
- tool_operhlp: Propagate low-level OOM in 'add_file_name_to_url()'
- tool_setopt: Return error on OOM correctly
- tool_urlglob: Fix memory-leak on glob range overflow
- top-complexity: Prevent filename-based shell injection risk
- transfer: Clear the old autoreferer
- transfer: Clear the URL pointer in OOM to avoid UAF
- transfer: Enable custom methods again on next transfer
- transfer: Enhance secure check
- unit1675: Fix '-Wformat-signedness'
- url: Do not reuse a non-tls starttls connection if new requires TLS (CVE-2026-4873)
- url: Improve connection reuse on negotiate (CVE-2026-5545)
- url: init req.no_body in DO so that it works for h2 push
- url: Set default upload flags to CURLULFLAG_SEEN
- url: Use the socks type for socks proxy
- url: Use URL for url even in comments
- urlapi: Fix handling of "file:///"
- urlapi: Make dedotdotify handle leading dots correctly
- urlapi: Same origin tests
- urlapi: Stop extracting hostname from file:// URLs on Windows
- urlapi: Verify the last letter of a scheme when set explicitly
- urldata.h: Fix typo and lingering backtick
- urldata: Connection bit ipv6_ip is wrong
- urldata: Import port types and conn destination format
- urldata: Make hstslist only present in HSTS builds
- urldata: Make speeder_c uint32
- urldata: Move cookiehost to struct SingleRequest (CVE-2026-6276)
- urldata: Remove trailers_state
- vquic: Fix variable name in fallback code
- vtls: Fix comment typos and tidy up a type
- vtls: Log when key logging is enabled
- vtls_scache: Check reentrancy
- vtls_scache: Include cert_blob independently of verifypeer
- wolfssl: Document v5.0.0 (2021-11-01) as minimum required
- wolfssl: Fix '-Wmissing-prototypes'
- wolfssl: Fix handling of abrupt connection close
- write-out.md: Minor language fix
- write-out.md: tls_earlydata was added in 8.13.0
- ws: Fix a blocking curl_ws_send() to report written length correctly
- x509asn1: Fix to return error in an error case from 'encodeOID()'
- x509asn1: Fixed and adapted for ASN1tostr unit testing
- x509asn1: Improve encodeOID
Updated perl-Text-CSV_XS to 1.62 as per the Fedora version
Tuesday 28th April 2026
Fedora Project
Updated perl-IO-Tty to 1.29 in Rawhide:
- Bug Fixes:
  - Fix make_slave_controlling_terminal() on Solaris/HP-UX to use _open_tty() instead of IO::Tty->open(), ensuring STREAMS modules (ptem, ldterm, ttcompat) are pushed via I_PUSH when the slave is opened for controlling terminal setup - parallel fix to the slave() method fix in 1.24 (GH#69)
  - Fix Perl 5.40+ "Possible memory corruption: ioctl overflowed 3rd argument" warning in clone_winsize_from() and get_winsize(); use pack_winsize(0,0,0,0) to pre-allocate the ioctl buffer with SvCUR matching sizeof(struct winsize) instead of an empty string (GH#74)
  - Fix diagnostic warnings being silently suppressed when callers use lexical "use warnings" (the modern standard since Perl 5.6); $^W and PL_dowarn only fire under perl -w - replaced with warnings::enabled() in IO::Tty and IO::Pty (GH#76) and ckWARN(WARN_IO) in Tty.xs (GH#79)
  - Fix file descriptor leak in IO::Pty when new_from_fd() fails after pty_allocate() or _open_tty() returns raw C-level fds; added POSIX::close() calls on the raw fds before croaking at three sites in new() and slave() (GH#77)
  - Fix openpty() detection on Alpine Linux and other musl-based systems where openpty() has moved from libutil into libc (glibc 2.34+); probe libc first before falling back to -lutil (GH#78)
  - Fix -Wsign-compare compiler warnings: change namebuflen parameter type from int to size_t in open_slave() and allocate_pty() to match the return type of strlcpy() and the size argument of snprintf() (GH#80)
  - Fix spurious "_FORTIFY_SOURCE requires compiling with optimization" warnings during configure probes when $Config{optimize} (e.g. -Os) is separate from $Config{ccflags}; include optimize flags in all configure probe compilations (GH#81)
  - Fix header probes in Makefile.PL missing platform extension defines (_GNU_SOURCE, _BSD_VISIBLE, etc.) that function probes already included; bare #includes could cause HAVE_PTY_H and similar to be unset on strict POSIX systems even when the header exists (GH#84)
  - Fix configure-time function detection probes being broken by compiler optimization:
    - The probes stored function pointers in local variables that -O2/-Os (added to probe flags in GH#81) eliminated as dead stores, so the linker never saw the function reference; on systems where openpty() lives in -lutil (older glibc, BSDs), the probe falsely succeeded without -lutil, producing "undefined symbol: openpty" at runtime
    - Fixed by storing the function pointer in a file-scope global variable that the optimizer cannot eliminate (GH#87, GH#88)
- Improvements:
  - Use L<> instead of C<> for cross-module POD references in Tty.pm and Pty.pm so MetaCPAN renders IO::Pty, IO::Handle, and IO::Stty as clickable links (GH#86)
- Maintenance:
  - Modernize POD in Tty.pm and Pty.pm: remove stale platform version references (FreeBSD 4.4, OpenBSD 2.8, HPUX 10.20, Solaris 2.6), replace defunct SourceForge/mailing list URLs with GitHub issue tracker (GH#70)
  - Modernize the 'try' example script: add strict/warnings, my declarations, 3-arg open, and lexical filehandles; the script is shipped to CPAN and referenced in POD as the canonical usage example (GH#73)
  - Strengthen test coverage for set_raw() and winsize: verify all termios flags set by cfmakeraw (iflag, oflag, PARENB, CSIZE, CS8, VMIN, VTIME) and add a test for the unpack_winsize() length-validation croak (GH#75)
  - Update GitHub Actions to Node.js 24 versions: actions/checkout v6, cross-platform-actions/action v1, perl-actions/install-with-cpm v2; required before GitHub forces Node.js 24 in June 2026 (GH#85)
  - Add Ubuntu LTS version matrix (20.04, 22.04, 24.04) to the GitHub Actions test suite; exercises the system perl on each current Ubuntu LTS release via Docker containers, running after the main ubuntu job (GH#89)
I needed to add a patch to fix detection of openpty() in libutil on older Fedora releases (GH#92)
Updated perl-Module-Signature to 0.96 in Rawhide:
- Fix issue from last release where search keys is interactive
Local Packages
Updated perl-IO-Tty to 1.29 as per the Fedora version
Updated perl-Module-Signature to 0.96 as per the Fedora version
Monday 27th April 2026
Fedora Project
Updated perl-Business-ISBN-Data to 20260424.001 in Rawhide:
- Data update for 2026-04-24
Updated perl-MetaCPAN-Client to 2.042000 in Rawhide:
Updated perl-Module-Signature to 0.95 in Rawhide:
- Announce deprecation of the module
Updated perl-PPI to 1.286 in Rawhide:
Updated perl-YAML-Syck to 1.45 in F-42, F-43, F-44, Rawhide, EPEL-9, EPEL-10.2 and EPEL-10:
- Bug Fixes:
  - Fix: Use syck_base64_free() to fix Windows "Free to wrong pool" crash in base64 encode/decode buffers; also plugs a memory leak (GH#189)
  - Fix: Clear type tag on blessed scalar alias early-return so the stale tag no longer leaks onto the next emitted item (GH#193, GH#194, Bug #2459200)
  - Fix: Negative float#base60 values produce wrong results; strip sign before accumulating and avoid negative zero for portable stringification (GH#191)
  - Fix: Prevent memory leaks when Load/LoadJSON croak on parse errors (GH#192)
- Maintenance:
Local Packages
Updated curl (rc) to new upstream release candidate 8.20.0~rc3
Updated dovecot (2.4.3) to dump the test log if the test suite fails
Updated java-1.8.0-oracle to Java SE 8 update 491
Updated libgpg-error to 1.60 (https://dev.gnupg.org/T8112):
- New error codes (https://dev.gnupg.org/T6644)
- Fix a use-after-scope of a Windows handle array
- Fix cross compiling for wasm32-unknown-emscripten
- New symbols: GPG_ERR_PUBKEY_NON_COMPLIANT, GPG_ERR_CIPHER_NON_COMPLIANT, GPG_ERR_DIGEST_NON_COMPLIANT
Updated perl-DateTime-TimeZone to 2.68:
- This release is based on version 2026b of the Olson database
- Contemporary changes for British Columbia, CA
Updated perl-MetaCPAN-Client to 2.042000 as per the Fedora version
Updated perl-Module-Signature to 0.95 as per the Fedora version
Updated perl-PPI to 1.286 as per the Fedora version
Updated perl-YAML-LibYAML to 0.906.0:
Updated perl-YAML-Syck to 1.45 as per the Fedora version
Wednesday 22nd April 2026
Fedora Project
Branched and built perl-autovivification (0.18) for EPEL-9
Branched and built perl-Business-ISBN-Data (20260416.001) for EPEL-9, EPEL-10.2 and EPEL-10
Branched and built perl-Data-Compare (1.29) for EPEL-10.2 and EPEL-10
Branched and built perl-Scalar-Properties (1.100860) for EPEL-10.2 and EPEL-10
Monday 20th April 2026
Local Packages
Updated perl-Module-CoreList to 5.20260420:
- Updated for v5.43.10
Local Packages refers to my local package repository at http://www.city-fan.org/ftp/contrib/