Paul's Blog Entries for February 2020

Saturday 1st February 2020

Fedora Project

  • Updated perl-Modern-Perl to 1.20200201 in F-30, F-31, Rawhide, EPEL-7 and EPEL-8:

Local Packages

  • Updated check (0.14.0) to disable tests on s390x

  • Updated perl-DBI to 1.643:

    • Fix memory corruption in XS functions when Perl stack is reallocated
    • Fix calling dbd_db_do6 API function

    • Fix potentially calling newSV(0) in malloc_using_sv()

    • Fix order of XS preparse() ps_accept and ps_return argument names

    • Fix a potential NULL profile dereference in dbi_profile()

    • Fix a buffer overflow on an over-long DBD class name

    • Remove remnants of support for perl ≤ v5.8.0

    • Update Devel::PPPort and remove redundant compatibility macros

    • Correct minor typo in documentation
    • Correct documentation introducing $dbh->selectall_array()

    • Introduce select and do wrappers earlier in the documentation

    • Mark as deprecated old API functions that overflow or are affected by Unicode issues
    • Add new attribute RaiseWarn, similar to RaiseError

Sunday 2nd February 2020

Local Packages

  • Updated perl-Archive-Tar to 2.36:

    • Add xz support

    • Use 4 digit year in Time::Local call

Monday 3rd February 2020

Local Packages

  • Updated perl-Test2-Suite to 0.000129:

    • Improve error handling of mock->override with AUTOLOADed methods

Tuesday 4th February 2020

Fedora Project

  • Updated libpari23 (2.3.5) in Rawhide to fix the patch that enforces use of the distribution compilation flags to work with GCC 10

  • Updated proftpd (1.3.6b) in EPEL-8:

    • Fix API tests compile failure with GCC 10 (GH#886)

    • mod_sftp: When handling the 'keyboard-interactive' authentication mechanism, as used for (e.g.) PAM, make sure to properly handle DEBUG, IGNORE, DISCONNECT and UNIMPLEMENTED messages, per RFC 4253 (ProFTPD Bug#4385)

Thursday 6th February 2020

Fedora Project

  • Updated perl-Cpanel-JSON-XS to 4.19 in Rawhide:

    • Fix typed decode memory leak (GH#160)

Local Packages

  • Updated perl-Cpanel-JSON-XS to 4.19 as per the Fedora version

  • Rebuilt perl-IO-AIO (4.72), perl-MCE (1.865), perl-Net-DNS (1.21), perl-Object-HashBase (0.009), perl-Specio (0.45) and pptp (1.10.0) for the Fedora_32_Mass_Rebuild

Friday 7th February 2020

Fedora Project

  • Updated perl-parent to 0.238 in Rawhide:

    • Move the prerequisite Test::More from being a runtime prerequisite to a test time / build time prerequisite (GH#11)

Local Packages

  • Updated perl-parent to 0.238 as per the Fedora version

Saturday 8th February 2020

Local Packages

  • Updated perl-PPIx-Regexp to 0.069:

    • The PPIx::Regexp->new() 'parse' option is now fatal; this selected either string or regex parse (I consider the string parse a failed experiment and this is the latest step in removing it in favour of the PPIx::QuoteLike package)

Sunday 9th February 2020

Fedora Project

  • Updated perl-MCE to 1.866 in Rawhide:

    • Bug fix for restart_worker, race condition introduced in 1.863

RPM Fusion Project

  • Updated xv (3.10a) in Rawhide to fix FTBFS with GCC 10

Local Packages

  • Updated perl-MCE to 1.866 as per the Fedora version

  • Updated xv (3.10a) to fix FTBFS with GCC 10 as per the RPM Fusion version

Monday 10th February 2020

Fedora Project

  • Updated perl-Math-GMP to 2.20 in Rawhide:

Tuesday 11th February 2020

Fedora Project

  • Updated perl-Modern-Perl to 1.20200211 in Rawhide:

Wednesday 12th February 2020

Local Packages

  • Updated schily to 2020.02.11, adding patch to fix FTBFS with GCC 10

  • Updated sendmail (8.15.2) to de-fuzzify the fix-covscan-issues patch

  • Rebuilt perl-DBI (1.643)

Thursday 13th February 2020

Fedora Project

  • Updated perl-Devel-Hide to 0.0011 in F-32 and Rawhide:

Local Packages

  • Updated dovecot to

    • Truncated UTF-8 could be used to DoS submission-login and lmtp processes (CVE-2020-7046)

    • Specially crafted mail could crash snippet generation (CVE-2020-7957)

  • Updated perl-Devel-Hide to 0.0011 as per the Fedora version

  • Updated python2-subversion to sync with subversion-1.12.2-7 in Rawhide

Friday 14th February 2020

Fedora Project

  • Updated gtkwave to 3.3.104 in F-32 and Rawhide:

    • Added support for loading .vf files (provided FSDB reader libraries are enabled)

    • Added support for dumping variable types in vcd saver, not just using "wire" for non-reals/strings

    • Fix for uninitialized values at time 0 for FST, FSDB loaders

Local Packages

  • Updated gtkwave to 3.3.104 as per the Fedora version

  • Updated perl-Compress-Raw-Lzma (2.093) and perl-IO-Compress-Lzma (2.093) to unbundle test dependencies

  • Updated perl-Net-DNS to 1.22:

    • Fix parse issue in Net::DNS::RR->token (CPAN RT#131579)

    • Provide rudimentary decode and print for DSO packet

Saturday 15th February 2020

Fedora Project

  • Updated perl-IO-Socket-SSL to 2.067 in F-32 and Rawhide:

    • Fix memory leak on incomplete handshake (GH#92)

    • Add support for SSL_MODE_RELEASE_BUFFERS via SSL_mode_release_buffers; this can decrease memory usage at the costs of more allocations (CPAN RT#129463)

    • More detailed error messages when loading of certificate file failed (GH#89)

    • Fix for ip_in_cn == 6 in verify_hostname scheme (CPAN RT#131384)

    • Deal with new MODE_AUTO_RETRY default in OpenSSL 1.1.1

    • Fix warning when no ecdh support is available
    • Documentation update regarding use of select and TLS 1.3

    • Various fixes in documentation (GH#81, GH#87, GH#90, GH#91)

    • Stability fix for t/core.t

Local Packages

  • Branched F-32 repository from the development branch
  • Updated libxml2 (2.9.10) to fix memory leak in xmlSchemaValidateStream (CVE-2019-20388) and to fix infinite loop in xmlStringLenDecodeEntities (CVE-2020-7595)

  • Updated perl-IO-Socket-SSL to 2.067 as per the Fedora version

Sunday 16th February 2020

Fedora Project

  • Updated perl-Devel-Hide to 0.0012 in F-32 and Rawhide:

    • Add -lexically argument to import() to support hiding modules just during the current scope

  • Updated perl-Text-CSV_XS to 1.41 in F-32 and Rawhide:

    • Update to Devel::PPPort-3.56

    • csv2xls uses sheetname as csv2xlsx

    • csv2xlsx: support images (each image gets its own tab)

    • More docs (data validation)
    • It's 2020
    • No binary literals in fixed error messages
    • Fix auto_diag > 2 to die when headers are used (GH#19)

Local Packages

  • Updated perl-Devel-Hide to 0.0012 as per the Fedora version

  • Updated perl-Text-CSV_XS to 1.41 as per the Fedora version

Monday 17th February 2020

Fedora Project

  • Updated perl-Devel-Hide to 0.0013 in F-32 and Rawhide:

    • Cope with changes to how the hints hash works in perl 5.31.7
  • Took orphaned packages perl-PerlIO-via-Timeout, perl-IO-Socket-Timeout, perl-Return-MultiLevel and perl-Compress-LZF

  • Cleaned up and rebuilt perl-Return-MultiLevel (0.05) in F-32 and Rawhide

Local Packages

  • Updated perl-Devel-Hide to 0.0013 as per the Fedora version

  • Updated python2-xapian to 1.4.14

Tuesday 18th February 2020

Local Packages

  • Updated perl-Convert-UUlib to 1.62:

    • Major performance improvement by simplifying code in _FP_gets to not use fscanf; this might slow things down on platforms with very slow fgetc

    • Lint uulib: fix some format string type mismatches and some other minor issues

  • Updated perl-Specio (0.45) to correct the license to be "Artistic 2.0 and (GPL+ or Artistic)"

  • Rebuilt python2-xapian to sync with xapian-bindings-1.4.14-3

Wednesday 19th February 2020

Fedora Project

  • Updated perl-Net-SSLeay (1.88) with some spec file clean-ups from Tom Stellard (PR#1)

  • Updated proftpd to 1.3.6c in F-30, F-31, F-32, Rawhide and EPEL-8:

    • Use-after-free vulnerability in memory pools during data transfer (CVE-2020-9273, GH#903)

    • Fix mod_tls compilation with LibreSSL 2.9.x (GH#810)

    • MaxClientsPerUser was not enforced for SFTP logins when mod_digest was enabled (GH#750)

    • mod_sftp now handles an OpenSSH-specific private key format; it detects such keys, and logs a hint about reformatting them to a supported format (GH#793)

    • Directory listing was slower compared to previous ProFTPD versions (GH#793)

    • mod_sftp crashed when using pubkey-auth with DSA keys (GH#866)

    • Fix improper handling of TLS CRL lookups (CVE-2019-19269, CVE-2019-19270, GH#859)

    • Leaking PAM handler and data in case of unsuccessful authentication (GH#870)

    • SSH authentication failed for many clients due to receiving of SSH_MSG_IGNORE packet (ProFTPD Bug#4385)

    • SFTP publickey authentication failed unexpectedly when user had no shadow password info. (GH#890)

    • ftpasswd failed to restore password file permissions in some cases (GH#898)

    • Out-of-bounds read in mod_cap getstateflags() function; this has been addressed by updating the bundled version of libcap (CVE-2020-9272, GH#902)

    • Note that the Fedora builds of ProFTPD uses the system version of libcap and not the bundled version, and are not vulnerable to this issue

Local Packages

  • Updated proftpd to 1.3.6c as per the Fedora version

Thursday 20th February 2020

Local Packages

  • Updated perl-Test-MockModule to 0.172.0:

    • Make sure we can redefine a function in 'main'

  • Updated perl-Type-Tiny to 1.010000:

    • Subclasses of Moose::Meta::TypeConstraint are now converted to the appropriate subclasses of Type::Tiny by Types::TypeTiny::to_TypeTiny, instead of always being converted to the base class; this improves inlining amongst other things

    • When types are declared by Type::Library's -declare import parameter, the temporary subs installed can now generate placeholder type constraints that allow the types to be used in recursive type definitions

    • Added: Type::Tiny::Enum now has an 'as_regexp' method

    • In some edge cases, the regexps used by Type::Tiny::Enum will now be slightly faster

    • More tests for recursively defined type constraints
    • Added: Type::Params now supports 'head' and 'tail' options for 'compile', 'compile_named', and 'compile_named_oo'

    • Parameterized 'Ref' type constraint in Types::Standard now checks that its parameter is a known Perl ref type

    • Fix importing multiple type libraries into a type registry at once (CPAN RT#131744)

    • Type::Params on Perl older than 5.10 now uses its own B::perlstring implementation to quote strings instead of using B::cstring

    • Mention MooX::Pression in documentation

    • Fix typo in documentation of 'my_methods'

    • Correct documentation of slurpy with compile_named (CPAN RT#131720)

Friday 21st February 2020

Fedora Project

Local Packages

  • Updated perl-Module-CoreList to 5.20200220:

    • Updated for v5.31.9
  • Updated ppp to 2.4.8:

    • New pppd options have been added:

      • ifname, to set the name for the PPP interface device

      • defaultroute-metric, to set the metric for the default route

      • defaultroute6, to add an IPv6 default route (with nodefaultroute6 to prevent adding an IPv6 default route)

      • up_sdnotify, to have pppd notify systemd when the link is up

    • The rp-pppoe plugin has new options:

      • host-uniq, to set the Host-Uniq value to send

      • pppoe-padi-timeout, to set the timeout for discovery packets

      • pppoe-padi-attempts, to set the number of discovery attempts

    • Added the CLASS attribute in radius packets

    • Sundry bug fixes
    • Fixed warnings and issues found by static analysis
    • Added

  • A patch was added to fix a buffer overflow in the eap_request and eap_response functions (CVE-2020-8597)

Monday 24th February 2020

Fedora Project

  • Updated geoipupdate to 4.2.2 in F-32 and Rawhide:

    • The major version of the module is now included at the end of the module path; previously, it was not possible to import the module in projects that were using Go modules (GH#81)

    • A valid account ID and license key combination is now required for database downloads, so those configuration options are now required
    • The error handling when closing a local database file would previously ignore errors and, upon upgrading to '' 0.9.0, would fail to ignore expected errors (GH#69, GH#70)

    • The RPM release was previously lacking the correct owner and group on files and directories: among other things, this caused the package to conflict with the 'GeoIP' package in CentOS 7 and 'GeoIP-GeoLite-data' in CentOS 8; the files are now owned by 'root' (GH#76)

Local Packages

  • Updated geoipupdate to 4.2.2 as per the Fedora version

Wednesday 26th February 2020

Fedora Project

  • Updated perl-Getopt-Long-Descriptive to 0.105 in F-32 and Rawhide:

    • one_of sub-options now get accessors

Local Packages

  • Dropped pptpconfig and libpng10 from F-33, EL-8 onwards as I'm retiring most of the ancient Gnome-1 stack both locally and in Fedora

  • Updated xv (3.10a) so that builds for Fedora 33 and RHEL 8 onwards use libpng rather than libpng10

Friday 28th February 2020

Local Packages

  • Updated libgpg-error to 1.37 (

    • Fix a build problem when using Gawk 5.0 (

    • Fix Bourne shell incompatibilities on Solaris (

    • Improve cross-compiling support (

    • On Windows, strerror_s is now used to emulate strerror_r (

    • New error codes to map SQLite primary error codes
    • Now uses poll(2) instead of select(2) in gpgrt_poll if possible

    • Fix a bug in gpgrt_close (

    • Fix build problem under Cygwin (

    • Fix a few minor portability bugs

  • Updated perl-PPIx-QuoteLike to 0.009:

    • Add new() argument index_locations, which causes locations to be indexed during the parse; this defaults based on whether a location argument was provided, and whether the string being parsed is a PPI::Element

    • Add method statement(), which returns the PPI statement containing the string element, or nothing if none

    • Add PPI::Element location methods, to wit: location(), column_number(), line_number(), logical_filename(), logical_line_number(), and visual_column_number()

    • Add PPIx::QuoteLike::Utils::is_ppi_quotelike_element(), which returns true if the argument is a PPI::Element of interest to us

    • All objects now have a variables() method inherited from PPIx::QuoteLike::Token, which returns nothing unless overridden; it was added to eliminate $elem->can( 'variables' ) ad-hocery

    • Eliminate redirections in POD URL links
  • Updated perl-PPIx-Regexp to 0.070:

    • Add index_locations option to PPIx::Regexp->new(), which defaults to true if the regexp is specified as a PPI::Element object; the locations are consistent with the containing PPI::Document

    • Add methods location(), column_number(), line_number(), logical_filename(), logical_line_number(), and visual_column_number() to PPIx::Regexp::Element; all return undef if the locations could not be determined

    • Add method statement() to PPIx::Regexp::Element, which returns the PPI statement containing the regexp element, or nothing if none

    • Add method is_matcher() to PPIx::Regexp::Element, which classifies objects as to whether they actually match something in the target string; possible returns are true (they do), false but defined (they do not) and undef (no clue)

    • Add methods first_token() and last_token() to PPIx::Regexp::Node

    • Add methods next_token() and previous_token() to PPIx::Regexp::Element

  • Updated ppp (2.4.8) to use %{make_build} and %{_rundir} macros

  • Updated ppp (2.4.5 and 2.4.7) to fix buffer overflow in the eap_request and eap_response functions (CVE-2020-8597)

Previous Month: January 2020
Next Month: March 2020