PaulHowarth/Blog/2014-03-26

Wednesday 26th March 2014

Fedora Project

• Updated perl-CPAN-Meta to 2.140640 in Rawhide:

  • Improved bad version handling during META conversion

  • When downgrading multiple licenses to version 1.x META formats, if all the licenses are open source, the downgraded license will be "open_source", not "unknown"

  • Added a 'load_string' method that guesses whether the string is YAML or JSON

• Updated perl-IO-Socket-SSL to 1.973 in Rawhide:

  • With SSL_ca, certificate handles can now be used in addition to SSL_ca_file and SSL_ca_path

  • No longer complain if SSL_ca_file and SSL_ca_path are both given; instead, add both as options to the CA store

  • Shortcut 'issuer' to give both issuer_cert and issuer_key in CERT_create

• Updated perl-Scalar-List-Utils to 1.38 in Rawhide:

  • Skip pairmap()'s MULTICALL implementation 5.8.9/5.10.0 as it doesn't work (CPAN RT#87857)

  • Comment on the fact that package "0" is defined but false (CPAN RT#88201)

  • TODO test in t/readonly.t now passes since 5.19.3 (CPAN RT#88223)

  • Added any, all, none, notall list reduction functions (inspired by List::MoreUtils)

  • Added List::Util::product()

  • Added Scalar::Util::unweaken()

  • Avoid C99/C++-style comments in XS code

  • Fix dualvar tests for perl 5.6; fix skip() test counts in dualvar.t

  • Neater documentation examples of other functions that can be built using reduce

  • Implement reduce() and first() even in the absence of MULTICALL

  • Various documentation changes/updates

  • Correct uses of overload operators in unit tests (CPAN RT#91969)

• Updated perl-Test-Modern to 0.005 in Rawhide:

  • Support Perl 5.6.1+

Local Packages

• Updated curl to 7.36.0:

• This release includes the following security advisories:

  • Wrong re-use of connections (CVE-2014-0138)

  • IP address wildcard certificate validation (CVE-2014-0139)

  • Not verifying certs for TLS to IP address / Darwinssl (CVE-2014-1263)

  • Not verifying certs for TLS to IP address / Winssl (CVE-2014-2522)

• This release includes the following changes:
  • ntlm: added support for NTLMv2
  • Tool: added support for URL specific options
  • openssl: add ALPN support
  • gtls: add ALPN support
  • nss: add ALPN and NPN support

  • Added CURLOPT_EXPECT_100_TIMEOUT_MS

  • Tool: add --no-alpn and --no-npn

  • Added CURLOPT_SSL_ENABLE_NPN and CURLOPT_SSL_ENABLE_ALPN

  • winssl: enable TLSv1.1 and TLSv1.2 by default
  • winssl: TLSv1.2 disables certificate signatures using MD5 hash
  • winssl: enable hostname verification of IP address using SAN or CN
  • darwinssl: don't omit CN verification when an IP address is used

  • http2: build with current nghttp2 version

  • polarssl: dropped support for PolarSSL < 1.3.0

  • openssl: info message with SSL version used
• This release includes the following bugfixes:
  • nss: allow to use ECC ciphers if NSS implements them
  • netrc: fixed a memory leak in an OOM condition
  • ftp: fixed a memory leak on wildcard error path

  • pipeline: fixed a NULL pointer dereference on OOM

  • nss: prefer highest available TLS version

  • 100-continue: fix timeout condition

  • ssh: fixed a NULL pointer dereference on OOM condition

  • formpost: use semicolon in multipart/mixed

  • --help: add missing --tlsv1.x options

  • formdata: fixed memory leak on OOM condition

  • ConnectionExists: reusing possible HTTP+NTLM connections better

  • mingw32: fix compilation
  • Chunked decoder: track overflows correctly

  • curl_easy_setopt.3: add CURL_HTTP_VERSION_2_0

  • dict: fix memory leak in OOM exit path

  • valgrind: added suppression on optimized code

  • curl: output protocol headers using binary mode

  • Tool: added URL index to password prompt for multiple operations

  • ConnectionExists: re-use non-NTLM connections better

  • axtls: call ssl_read repeatedly

  • multi: make MAXCONNECTS default 4 x number of easy handles function

  • configure: fix the --disable-crypto-auth option

  • multi: ignore SIGPIPE internally

  • curl.1: update the description of --tlsv1

  • SFTP: skip reading the dir when NOBODY=1

  • easy: fixed a memory leak on OOM condition

  • Tool: fixed incorrect return code when setting HTTP request fails

  • configure: tiny fix to honour POSIX

  • Tool: do not output libcurl source for the information-only parameters

  • Rework Open Watcom make files to use standard Wmake features

  • x509asn: moved out Curl_verifyhost from NSS builds

  • configure: call it GSS-API

  • hostcheck: Curl_cert_hostcheck is not used by NSS builds

  • multi_runsingle: move timestamp into INIT

  • remote_port: allow connect to port 0

  • parse_remote_port: error out on illegal port numbers better

  • ssh: pass errors from libssh2_sftp_read up the stack

  • docs: remove documentation on setting up krb4 support
  • polarssl: build fixes to work with PolarSSL 1.3.x

  • polarssl: fix possible handshake timeout issue in multi

  • nss: allow to enable/disable cipher-suites better
  • ssh: prevent a logic error that could result in an infinite loop
  • http2: free resources on disconnect
  • polarssl: avoid extra newlines in debug messages

  • rtsp: parse "Session:" header properly

  • trynextip: don't store 'ai' on failed connects

  • Curl_cert_hostcheck: strip trailing dots in host name and wildcard

• Updated perl-IO-Socket-SSL to 1.973 as per the Fedora version

• Updated perl-Test-Modern to 0.005 as per the Fedora version