Wednesday 29th January 2014
Fedora Project
Updated libpng10 in F-19, F-20, Rawhide and EPEL-6 to address CVE-2013-6954: handle zero-length PLTE chunk or NULL palette with png_error(), to avoid later reading from a NULL pointer (png_ptr->palette) in png_do_expand_palette()
Updated perl-Error to 0.17022 in Rawhide:
Add "use warnings;" to everything
Add a separate LICENSE file
Updated perl-IO-Socket-SSL (1.88) in F-19 to include back-ported patch from version 1.951 to use OpenSSL's default CA if the user doesn't specify one (Bug #1059002)
Updated perl-SQL-Statement in Rawhide to support bootstrapping the EPEL-7 build
Branched and built perl-DBD-CSV (0.38) for EPEL-7
Branched and built perl-SQL-Statement (1.405) for EPEL-7
Branched and built perl-Test-Assert (0.0504) for EPEL-7
Local Packages
Updated curl to 7.35.0:
imap/pop3/smtp: added support for SASL authentication downgrades
imap/pop3/smtp: extended the login options to support multiple auth mechanisms
TheArtOfHttpScripting: major update, converted layout and more
mprintf: added support for I, I32 and I64 size specifiers
makefile: added support for VC7, VC11 and VC12
Security Advisory: re-use of wrong HTTP NTLM connection (CVE-2014-0015)
curl_easy_setopt: fixed OAuth 2.0 Bearer option name
pop3: fixed APOP being determined by CAPA response rather than by timestamp
Curl_pp_readresp: zero terminate line
FILE: don't wait due to CURLOPT_MAX_RECV_SPEED_LARGE
Docs: mention CURLOPT_MAX_RECV/SEND_SPEED_LARGE don't work for FILE://
pop3: fixed auth preference not being honoured when CAPA not supported
imap: fixed auth preference not being honoured when CAPABILITY not supported
Threaded resolver: use pthread_t * for curl_thread_t
FILE: we don't support paused transfers using this protocol
connect: try all addresses in first connection attempt
curl_easy_setopt.3: added SMTP information to CURLOPT_INFILESIZE_LARGE
OpenSSL: fix forcing SSLv3 connections
OpenSSL: allow explicit SSLv2 selection
FTP parselist: fix "total" parser
conncache: fix possible dereference of null pointer
multi.c: fix possible dereference of null pointer
mk-ca-bundle: introduces -d and warns about using this script
ConnectionExists: fix NTLM check for new connection
trynextip: fix build for non-IPV6 capable systems
Curl_updateconninfo: don't do anything for UDP "connections"
darwinssl: un-break Leopard build after PKCS#12 change
threaded-resolver: never use NULL hints with getaddrinfo
multi_socket: remind app if timeout didn't run
OpenSSL: deselect weak ciphers by default
Error message: sensible message on timeout when transfer size unknown
curl_easy_setopt.3: mention how to unset CURLOPT_INFILESIZE*
Win32: fixed use of deprecated function 'GetVersionInfoEx' for VC12
configure: fix gssapi linking on HP-UX
chunked-parser: abort on overflows, allow 64 bit chunks
Chunked parsing: relax the CR strictness
cookie: max-age fixes
Progress bar: always update when at 100%
Progress bar: increase update frequency to 10 Hz
Tool: fixed incorrect return code if command line parser runs out of memory
Tool: fixed incorrect return code if password prompting runs out of memory
HTTP POST: omit Content-Length if data size is unknown
GnuTLS: disable insecure ciphers
GnuTLS: honour --sslv2 and the --tlsv1[.N] switches
multi: fixed a memory leak on OOM condition
netrc: fixed a memory and file descriptor leak on OOM
getpass: fix password parsing from console
TFTP: fix crash on timeout
hostip: don't remove DNS entries that are in use
Tests: lots of tests fixed to pass the OOM torture tests
Updated libpng10 as per the Fedora version
Updated perl-Email-Address to 1.901:
Further avoidance of stringifying to undef
Updated perl-Error to 0.17022 as per the Fedora version
Updated perl-File-ShareDir-Install to 0.08:
Tests may now be run in parallel