#acl PaulHowarth:read,write,admin,revert,delete All:read

=== Wednesday 29th January 2014 ===
==== Fedora Project ====
 * Updated `libpng10` in F-19, F-20, Rawhide and EPEL-6 to address [[CVE:2013-6954|CVE-2013-6954]]: handle zero-length `PLTE` chunk or `NULL` palette with `png_error()`, to avoid later reading from a `NULL` pointer (`png_ptr->palette`) in `png_do_expand_palette()`
 * Updated `perl-Error` to 0.17022 in Rawhide:
  * Add "`use warnings;`" to everything
  * Add a separate `LICENSE` file
 * Updated `perl-IO-Socket-SSL` (1.88) in F-19 to include back-ported patch from version 1.951 to use OpenSSL's default CA if the user doesn't specify one ([[RedHatBugzilla:1059002|Bug #1059002]])
 * Updated `perl-SQL-Statement` in Rawhide to support bootstrapping the EPEL-7 build
 * Branched and built `perl-DBD-CSV` (0.38) for EPEL-7
 * Branched and built `perl-SQL-Statement` (1.405) for EPEL-7
 * Branched and built `perl-Test-Assert` (0.0504) for EPEL-7

==== Local Packages ====
 * Updated `curl` to 7.35.0:
  * `imap`/`pop3`/`smtp`: added support for `SASL` authentication downgrades
  * `imap`/`pop3`/`smtp`: extended the login options to support multiple auth mechanisms
  * `TheArtOfHttpScripting`: major update, converted layout and more
  * `mprintf`: added support for `I`, `I32` and `I64` size specifiers
  * `makefile`: added support for VC7, VC11 and VC12
  * '''Security Advisory:''' re-use of wrong `HTTP` `NTLM` connection ([[CVE:2014-0015|CVE-2014-0015]])
  * `curl_easy_setopt`: fixed OAuth 2.0 Bearer option name
  * `pop3`: fixed `APOP` being determined by `CAPA` response rather than by timestamp
  * `Curl_pp_readresp`: zero terminate line
  * `FILE`: don't wait due to `CURLOPT_MAX_RECV_SPEED_LARGE`
  * Docs: mention `CURLOPT_MAX_RECV`/`SEND_SPEED_LARGE` don't work for `FILE://`
  * `pop3`: fixed auth preference not being honoured when `CAPA` not supported
  * `imap`: fixed auth preference not being honoured when `CAPABILITY` not supported
  * Threaded resolver: use `pthread_t *` for `curl_thread_t`
  * `FILE`: we don't support paused transfers using this protocol
  * `connect`: try all addresses in first connection attempt
  * `curl_easy_setopt.3`: added SMTP information to `CURLOPT_INFILESIZE_LARGE`
  * OpenSSL: fix forcing `SSLv3` connections
  * OpenSSL: allow explicit `SSLv2` selection
  * `FTP` `parselist`: fix "`total`" parser
  * `conncache`: fix possible dereference of null pointer
  * `multi.c`: fix possible dereference of null pointer
  * `mk-ca-bundle`: introduces `-d` and warns about using this script
  * `ConnectionExists`: fix `NTLM` check for new connection
  * `trynextip`: fix build for non-IPV6 capable systems
  * `Curl_updateconninfo`: don't do anything for UDP "connections"
  * `darwinssl`: un-break Leopard build after PKCS#12 change
  * `threaded-resolver`: never use `NULL` hints with `getaddrinfo`
  * `multi_socket`: remind app if timeout didn't run
  * OpenSSL: deselect weak ciphers by default
  * Error message: sensible message on timeout when transfer size unknown
  * `curl_easy_setopt.3`: mention how to unset `CURLOPT_INFILESIZE*`
  * Win32: fixed use of deprecated function '`GetVersionInfoEx`' for VC12
  * `configure`: fix `gssapi` linking on HP-UX
  * `chunked-parser`: abort on overflows, allow 64 bit chunks
  * Chunked parsing: relax the `CR` strictness
  * `cookie`: max-age fixes
  * Progress bar: always update when at 100%
  * Progress bar: increase update frequency to 10 Hz
  * Tool: fixed incorrect return code if command line parser runs out of memory
  * Tool: fixed incorrect return code if password prompting runs out of memory
  * `HTTP` `POST`: omit `Content-Length` if data size is unknown
  * GnuTLS: disable insecure ciphers
  * GnuTLS: honour `--sslv2` and the `--tlsv1[.N]` switches
  * `multi`: fixed a memory leak on OOM condition
  * `netrc`: fixed a memory and file descriptor leak on OOM
  * `getpass`: fix password parsing from console
  * `TFTP`: fix crash on timeout
  * `hostip`: don't remove DNS entries that are in use
  * Tests: lots of tests fixed to pass the OOM torture tests
 * Updated `libpng10` as per the Fedora version
 * Updated `perl-Email-Address` to 1.901:
  * Further avoidance of stringifying to `undef`
 * Updated `perl-Error` to 0.17022 as per the Fedora version
 * Updated `perl-File-ShareDir-Install` to 0.08:
  * Tests may now be run in parallel
----