PaulHowarth/Blog/2017-11-15

Wednesday 15th November 2017

Fedora Project

• Updated spamass-milter (0.4.0) in Rawhide to replace /bin/* dependencies with coreutils etc. (Bug #1512898)

Local Packages

• Updated libgcrypt to 1.7.9:

  • Mitigate a local side-channel attack on Curve25519 dubbed "May the Fourth be With You" (CVE-2017-0379)

• Updated perl-Compress-Raw-Zlib to 2.075:

  • Update bundled zlib to 1.2.11

  • perl 5.26.1 is vulnerable to CVE-2016-9843, CVE-2016-9841, CVE-2016-9840, CVE-2016-9842 (CPAN RT#123245)

  • Zlib.xs: Don't allow offset to be greater than length of buffer in crc32

  • Zlib.xs: Change my_zcalloc to use safecalloc

  • The link, https://github.com/madler/zlib/issues/253, is the upstream report for the remaining valgrind errors not already dealt with by 1.2.11; using calloc in Zlib.xs for now as a workaround (CPAN RT#121074)

• I also tweaked the build to use the bundled zlib if the system version was older than 1.2.11

• Updated perl-Filter to 1.58:

  • Drop 5.005 support

  • Switch from DynaLoader to XSLoader (GH#5)

  • Replace use vars by our (GH#5)

  • Lazy load Carp only when required (GH#5)

  • Minor test improvements
  • Fix v5.8 cast warnings

• Updated perl-Search-Elasticsearch to 6.00:

  • Released 6.00 with default API for 6_0

  • Legacy 5_0 API now released separately

  • Trace logging now includes content-type headers where appropriate

  • Deprecation warnings are now parsed to extract the message only

  • Improved boolean value handling in query string parameters - now accepts true, false, \1, \0, or a JSON::PP::Boolean object

  • Handle removal of '.' from @INC in perl 5.26

• Updated spamass-milter (0.4.0) as per the Fedora version