Saturday 1st February 2020

Fedora Project

• Updated perl-Modern-Perl to 1.20200201 in F-30, F-31, Rawhide, EPEL-7 and EPEL-8:

  • Fix tests for Perl 5.32 (CPAN RT#131608)

  • Update for 2020

Local Packages

• Updated check (0.14.0) to disable tests on s390x

• Updated perl-DBI to 1.643:

  • Fix memory corruption in XS functions when Perl stack is reallocated

  • Fix calling dbd_db_do6 API function

  • Fix potentially calling newSV(0) in malloc_using_sv()

  • Fix order of XS preparse() ps_accept and ps_return argument names

  • Fix a potential NULL profile dereference in dbi_profile()

  • Fix a buffer overflow on an over-long DBD class name

  • Remove remnants of support for perl ≤ v5.8.0

  • Update Devel::PPPort and remove redundant compatibility macros

  • Correct minor typo in documentation

  • Correct documentation introducing $dbh->selectall_array()

  • Introduce select and do wrappers earlier in the documentation

  • Mark as deprecated old API functions that overflow or are affected by Unicode issues

  • Add new attribute RaiseWarn, similar to RaiseError

Sunday 2nd February 2020

Local Packages

• Updated perl-Archive-Tar to 2.36:

  • Add xz support

  • Use 4 digit year in Time::Local call

Monday 3rd February 2020

Local Packages

• Updated perl-Test2-Suite to 0.000129:

  • Improve error handling of mock->override with AUTOLOADed methods

Tuesday 4th February 2020

Fedora Project

• Updated libpari23 (2.3.5) in Rawhide to fix the patch that enforces use of the distribution compilation flags to work with GCC 10

• Updated proftpd (1.3.6b) in EPEL-8:

  • Fix API tests compile failure with GCC 10 (GH#886)

  • mod_sftp: When handling the 'keyboard-interactive' authentication mechanism, as used for (e.g.) PAM, make sure to properly handle DEBUG, IGNORE, DISCONNECT and UNIMPLEMENTED messages, per RFC 4253 (ProFTPD Bug#4385)

Thursday 6th February 2020

Fedora Project

• Updated perl-Cpanel-JSON-XS to 4.19 in Rawhide:

  • Fix typed decode memory leak (GH#160)

Local Packages

• Updated perl-Cpanel-JSON-XS to 4.19 as per the Fedora version

• Rebuilt perl-IO-AIO (4.72), perl-MCE (1.865), perl-Net-DNS (1.21), perl-Object-HashBase (0.009), perl-Specio (0.45) and pptp (1.10.0) for the Fedora_32_Mass_Rebuild

Friday 7th February 2020

Fedora Project

• Updated perl-parent to 0.238 in Rawhide:

  • Move the prerequisite Test::More from being a runtime prerequisite to a test time / build time prerequisite (GH#11)

Local Packages

• Updated perl-parent to 0.238 as per the Fedora version

Saturday 8th February 2020

Local Packages

• Updated perl-PPIx-Regexp to 0.069:

  • The PPIx::Regexp->new() 'parse' option is now fatal; this selected either string or regex parse (I consider the string parse a failed experiment and this is the latest step in removing it in favour of the PPIx::QuoteLike package)

Sunday 9th February 2020

Fedora Project

• Updated perl-MCE to 1.866 in Rawhide:

  • Bug fix for restart_worker, race condition introduced in 1.863

RPM Fusion Project

• Updated xv (3.10a) in Rawhide to fix FTBFS with GCC 10

Local Packages

• Updated perl-MCE to 1.866 as per the Fedora version

• Updated xv (3.10a) to fix FTBFS with GCC 10 as per the RPM Fusion version

Monday 10th February 2020

Fedora Project

• Updated perl-Math-GMP to 2.20 in Rawhide:

  • Try to fix tests when using libgmp version 6.2.0 (CPAN RT#131718)

Tuesday 11th February 2020

Fedora Project

• Updated perl-Modern-Perl to 1.20200211 in Rawhide:

  • Bash doesn't like !' in double quotes, so it stuck up for awk

Wednesday 12th February 2020

Local Packages

• Updated schily to 2020.02.11, adding patch to fix FTBFS with GCC 10

• Updated sendmail (8.15.2) to de-fuzzify the fix-covscan-issues patch

• Rebuilt perl-DBI (1.643)

Thursday 13th February 2020

Fedora Project

• Updated perl-Devel-Hide to 0.0011 in F-32 and Rawhide:

  • @INC hook should die directly (CPAN RT#120220)

  • Match core error more closely (CPAN RT#120221)

  • Add -quiet option to suppress some notices

Local Packages

• Updated dovecot to 2.3.9.3:

  • Truncated UTF-8 could be used to DoS submission-login and lmtp processes (CVE-2020-7046)

  • Specially crafted mail could crash snippet generation (CVE-2020-7957)

• Updated perl-Devel-Hide to 0.0011 as per the Fedora version

• Updated python2-subversion to sync with subversion-1.12.2-7 in Rawhide

Friday 14th February 2020

Fedora Project

• Updated gtkwave to 3.3.104 in F-32 and Rawhide:

  • Added support for loading .vf files (provided FSDB reader libraries are enabled)

  • Added support for dumping variable types in vcd saver, not just using "wire" for non-reals/strings

  • Fix for uninitialized values at time 0 for FST, FSDB loaders

Local Packages

• Updated gtkwave to 3.3.104 as per the Fedora version

• Updated perl-Compress-Raw-Lzma (2.093) and perl-IO-Compress-Lzma (2.093) to unbundle test dependencies

• Updated perl-Net-DNS to 1.22:

  • Fix parse issue in Net::DNS::RR->token (CPAN RT#131579)

  • Provide rudimentary decode and print for DSO packet

Saturday 15th February 2020

Fedora Project

• Updated perl-IO-Socket-SSL to 2.067 in F-32 and Rawhide:

  • Fix memory leak on incomplete handshake (GH#92)

  • Add support for SSL_MODE_RELEASE_BUFFERS via SSL_mode_release_buffers; this can decrease memory usage at the costs of more allocations (CPAN RT#129463)

  • More detailed error messages when loading of certificate file failed (GH#89)

  • Fix for ip_in_cn == 6 in verify_hostname scheme (CPAN RT#131384)

  • Deal with new MODE_AUTO_RETRY default in OpenSSL 1.1.1

  • Fix warning when no ecdh support is available

  • Documentation update regarding use of select and TLS 1.3

  • Various fixes in documentation (GH#81, GH#87, GH#90, GH#91)

  • Stability fix for t/core.t

Local Packages

• Branched F-32 repository from the development branch

• Updated libxml2 (2.9.10) to fix memory leak in xmlSchemaValidateStream (CVE-2019-20388) and to fix infinite loop in xmlStringLenDecodeEntities (CVE-2020-7595)

• Updated perl-IO-Socket-SSL to 2.067 as per the Fedora version

Sunday 16th February 2020

Fedora Project

• Updated perl-Devel-Hide to 0.0012 in F-32 and Rawhide:

  • Add -lexically argument to import() to support hiding modules just during the current scope

• Updated perl-Text-CSV_XS to 1.41 in F-32 and Rawhide:

  • Update to Devel::PPPort-3.56

  • csv2xls uses sheetname as csv2xlsx

  • csv2xlsx: support images (each image gets its own tab)

  • More docs (data validation)
  • It's 2020
  • No binary literals in fixed error messages

  • Fix auto_diag > 2 to die when headers are used (GH#19)

Local Packages

• Updated perl-Devel-Hide to 0.0012 as per the Fedora version

• Updated perl-Text-CSV_XS to 1.41 as per the Fedora version

Monday 17th February 2020

Fedora Project

• Updated perl-Devel-Hide to 0.0013 in F-32 and Rawhide:

  • Cope with changes to how the hints hash works in perl 5.31.7

• Took orphaned packages perl-PerlIO-via-Timeout, perl-IO-Socket-Timeout, perl-Return-MultiLevel and perl-Compress-LZF

• Cleaned up and rebuilt perl-Return-MultiLevel (0.05) in F-32 and Rawhide

Local Packages

• Updated perl-Devel-Hide to 0.0013 as per the Fedora version

• Updated python2-xapian to 1.4.14

Tuesday 18th February 2020

Local Packages

• Updated perl-Convert-UUlib to 1.62:

  • Major performance improvement by simplifying code in _FP_gets to not use fscanf; this might slow things down on platforms with very slow fgetc

  • Lint uulib: fix some format string type mismatches and some other minor issues

• Updated perl-Specio (0.45) to correct the license to be "Artistic 2.0 and (GPL+ or Artistic)"

• Rebuilt python2-xapian to sync with xapian-bindings-1.4.14-3

Wednesday 19th February 2020

Fedora Project

• Updated perl-Net-SSLeay (1.88) with some spec file clean-ups from Tom Stellard (PR#1)

• Updated proftpd to 1.3.6c in F-30, F-31, F-32, Rawhide and EPEL-8:

  • Use-after-free vulnerability in memory pools during data transfer (CVE-2020-9273, GH#903)

  • Fix mod_tls compilation with LibreSSL 2.9.x (GH#810)

  • MaxClientsPerUser was not enforced for SFTP logins when mod_digest was enabled (GH#750)

  • mod_sftp now handles an OpenSSH-specific private key format; it detects such keys, and logs a hint about reformatting them to a supported format (GH#793)

  • Directory listing was slower compared to previous ProFTPD versions (GH#793)

  • mod_sftp crashed when using pubkey-auth with DSA keys (GH#866)

  • Fix improper handling of TLS CRL lookups (CVE-2019-19269, CVE-2019-19270, GH#859)

  • Leaking PAM handler and data in case of unsuccessful authentication (GH#870)

  • SSH authentication failed for many clients due to receiving of SSH_MSG_IGNORE packet (ProFTPD Bug#4385)

  • SFTP publickey authentication failed unexpectedly when user had no shadow password info. (GH#890)

  • ftpasswd failed to restore password file permissions in some cases (GH#898)

  • Out-of-bounds read in mod_cap getstateflags() function; this has been addressed by updating the bundled version of libcap (CVE-2020-9272, GH#902)

  • Note that the Fedora builds of ProFTPD uses the system version of libcap and not the bundled version, and are not vulnerable to this issue

Local Packages

• Updated proftpd to 1.3.6c as per the Fedora version

Thursday 20th February 2020

Local Packages

• Updated perl-Test-MockModule to 0.172.0:

  • Make sure we can redefine a function in 'main'

• Updated perl-Type-Tiny to 1.010000:

  • Subclasses of Moose::Meta::TypeConstraint are now converted to the appropriate subclasses of Type::Tiny by Types::TypeTiny::to_TypeTiny, instead of always being converted to the base class; this improves inlining amongst other things

  • When types are declared by Type::Library's -declare import parameter, the temporary subs installed can now generate placeholder type constraints that allow the types to be used in recursive type definitions

  • Added: Type::Tiny::Enum now has an 'as_regexp' method

  • In some edge cases, the regexps used by Type::Tiny::Enum will now be slightly faster

  • More tests for recursively defined type constraints

  • Added: Type::Params now supports 'head' and 'tail' options for 'compile', 'compile_named', and 'compile_named_oo'

  • Parameterized 'Ref' type constraint in Types::Standard now checks that its parameter is a known Perl ref type

  • Fix importing multiple type libraries into a type registry at once (CPAN RT#131744)

  • Type::Params on Perl older than 5.10 now uses its own B::perlstring implementation to quote strings instead of using B::cstring

  • Mention MooX::Pression in documentation

  • Fix typo in documentation of 'my_methods'

  • Correct documentation of slurpy with compile_named (CPAN RT#131720)

Friday 21st February 2020

Fedora Project

• Updated proftpd (1.3.5e) in EPEL-7:

  • Fix compatibility with modern SFTP clients like FileZilla:

  • mod_sftp: When handling the 'keyboard-interactive' authentication mechanism, as used for (e.g.) PAM, make sure to properly handle DEBUG, IGNORE, DISCONNECT and UNIMPLEMENTED messages, per RFC 4253 (ProFTPD Bug#4385)

  • Fix use-after-free vulnerability in memory pools during data transfer (CVE-2020-9273, GH#903)

  • Backported fix from https://github.com/proftpd/proftpd/commit/e845abc1

• Updated proftpd (1.3.3g) in EPEL-6:

  • Fix use-after-free vulnerability in memory pools during data transfer (CVE-2020-9273, GH#903)

  • Backported fix from https://github.com/proftpd/proftpd/commit/e845abc1

Local Packages

• Updated perl-Module-CoreList to 5.20200220:

  • Updated for v5.31.9

• Updated ppp to 2.4.8:

  • New pppd options have been added:

    • ifname, to set the name for the PPP interface device

    • defaultroute-metric, to set the metric for the default route

    • defaultroute6, to add an IPv6 default route (with nodefaultroute6 to prevent adding an IPv6 default route)

    • up_sdnotify, to have pppd notify systemd when the link is up

  • The rp-pppoe plugin has new options:

    • host-uniq, to set the Host-Uniq value to send

    • pppoe-padi-timeout, to set the timeout for discovery packets

    • pppoe-padi-attempts, to set the number of discovery attempts

  • Added the CLASS attribute in radius packets

  • Sundry bug fixes
  • Fixed warnings and issues found by static analysis

  • Added Submitting-patches.md

• A patch was added to fix a buffer overflow in the eap_request and eap_response functions (CVE-2020-8597)

Monday 24th February 2020

Fedora Project

• Updated geoipupdate to 4.2.2 in F-32 and Rawhide:

  • The major version of the module is now included at the end of the module path; previously, it was not possible to import the module in projects that were using Go modules (GH#81)

  • A valid account ID and license key combination is now required for database downloads, so those configuration options are now required

  • The error handling when closing a local database file would previously ignore errors and, upon upgrading to 'github.com/pkg/errors' 0.9.0, would fail to ignore expected errors (GH#69, GH#70)

  • The RPM release was previously lacking the correct owner and group on files and directories: among other things, this caused the package to conflict with the 'GeoIP' package in CentOS 7 and 'GeoIP-GeoLite-data' in CentOS 8; the files are now owned by 'root' (GH#76)

Local Packages

• Updated geoipupdate to 4.2.2 as per the Fedora version

Wednesday 26th February 2020

Fedora Project

• Updated perl-Getopt-Long-Descriptive to 0.105 in F-32 and Rawhide:

  • one_of sub-options now get accessors

Local Packages

• Dropped pptpconfig and libpng10 from F-33, EL-8 onwards as I'm retiring most of the ancient Gnome-1 stack both locally and in Fedora

• Updated xv (3.10a) so that builds for Fedora 33 and RHEL 8 onwards use libpng rather than libpng10

Friday 28th February 2020

Local Packages

• Updated libgpg-error to 1.37 (https://dev.gnupg.org/T4772)

  • Fix a build problem when using Gawk 5.0 (https://dev.gnupg.org/T4459)

  • Fix Bourne shell incompatibilities on Solaris (https://dev.gnupg.org/T4574)

  • Improve cross-compiling support (https://dev.gnupg.org/T4643)

  • On Windows, strerror_s is now used to emulate strerror_r (https://dev.gnupg.org/T4539)

  • New error codes to map SQLite primary error codes

  • Now uses poll(2) instead of select(2) in gpgrt_poll if possible

  • Fix a bug in gpgrt_close (https://dev.gnupg.org/T4698)

  • Fix build problem under Cygwin (https://dev.gnupg.org/T4474)

  • Fix a few minor portability bugs

  • New symbols: GPG_ERR_NO_KEYBOXD, GPG_ERR_KEYBOXD, GPG_ERR_NO_SERVICE, GPG_ERR_SERVICE, GPG_ERR_SQL_OK, GPG_ERR_SQL_ERROR, GPG_ERR_SQL_INTERNAL, GPG_ERR_SQL_PERM, GPG_ERR_SQL_ABORT, GPG_ERR_SQL_BUSY, GPG_ERR_SQL_LOCKED, GPG_ERR_SQL_NOMEM, GPG_ERR_SQL_READONLY, GPG_ERR_SQL_INTERRUPT, GPG_ERR_SQL_IOERR, GPG_ERR_SQL_CORRUPT, GPG_ERR_SQL_NOTFOUND, GPG_ERR_SQL_FULL, GPG_ERR_SQL_CANTOPEN, GPG_ERR_SQL_PROTOCOL, GPG_ERR_SQL_EMPTY, GPG_ERR_SQL_SCHEMA, GPG_ERR_SQL_TOOBIG, GPG_ERR_SQL_CONSTRAINT, GPG_ERR_SQL_MISMATCH, GPG_ERR_SQL_MISUSE, GPG_ERR_SQL_NOLFS, GPG_ERR_SQL_AUTH, GPG_ERR_SQL_FORMAT, GPG_ERR_SQL_RANGE, GPG_ERR_SQL_NOTADB, GPG_ERR_SQL_NOTICE, GPG_ERR_SQL_WARNING, GPG_ERR_SQL_ROW, GPG_ERR_SQL_DONE

• Updated perl-PPIx-QuoteLike to 0.009:

  • Add new() argument index_locations, which causes locations to be indexed during the parse; this defaults based on whether a location argument was provided, and whether the string being parsed is a PPI::Element

  • Add method statement(), which returns the PPI statement containing the string element, or nothing if none

  • Add PPI::Element location methods, to wit: location(), column_number(), line_number(), logical_filename(), logical_line_number(), and visual_column_number()

  • Add PPIx::QuoteLike::Utils::is_ppi_quotelike_element(), which returns true if the argument is a PPI::Element of interest to us

  • All objects now have a variables() method inherited from PPIx::QuoteLike::Token, which returns nothing unless overridden; it was added to eliminate $elem->can( 'variables' ) ad-hocery

  • Eliminate redirections in POD URL links

• Updated perl-PPIx-Regexp to 0.070:

  • Add index_locations option to PPIx::Regexp->new(), which defaults to true if the regexp is specified as a PPI::Element object; the locations are consistent with the containing PPI::Document

  • Add methods location(), column_number(), line_number(), logical_filename(), logical_line_number(), and visual_column_number() to PPIx::Regexp::Element; all return undef if the locations could not be determined

  • Add method statement() to PPIx::Regexp::Element, which returns the PPI statement containing the regexp element, or nothing if none

  • Add method is_matcher() to PPIx::Regexp::Element, which classifies objects as to whether they actually match something in the target string; possible returns are true (they do), false but defined (they do not) and undef (no clue)

  • Add methods first_token() and last_token() to PPIx::Regexp::Node

  • Add methods next_token() and previous_token() to PPIx::Regexp::Element

• Updated ppp (2.4.8) to use %{make_build} and %{_rundir} macros

• Updated ppp (2.4.5 and 2.4.7) to fix buffer overflow in the eap_request and eap_response functions (CVE-2020-8597)