Paul's Blog Entries for April 2022
Friday 1st April 2022
Fedora Project
Updated perl-Perl-PrereqScanner-NotQuiteLite to 0.9915 in F-36 and Rawhide:
Add 'optional' option
Local Packages
Updated perl-Perl-PrereqScanner-NotQuiteLite to 0.9915 as per the Fedora version
Sunday 3rd April 2022
Fedora Project
Updated perl-PPIx-QuoteLike to 0.021 in Rawhide:
Recognize postfix deref in '@{[ ... ]}' for determining minimum Perl version; this recognizes all forms of postfix dereference, including ->%*, ->&*, and ->** (NOTE: for now, this remains a PPIx::QuoteLike::Token::Interpolation)
Require PPI 1.238 for postfix deref support, and prune code that dealt with PPI's old behaviour
Postfix %*, &*, and ** do not interpolate
Correct perl_version_introduced() for interpolated postfix scalar deref
Local Packages
Updated perl-PPIx-QuoteLike to 0.021 as per the Fedora version
Updated perl-PPIx-Regexp to 0.084:
Require PPI 1.238 for postfix deref support, and recode the postfix deref logic in terms of 1.238's functionality
Parse '@{[ ... ]}' as code, not interpolation; this is more in line with what it actually represents, and allows correct versioning of postfix dereferences (but it is an incompatible change)
Monday 4th April 2022
Fedora Project
Updated perl-Compress-Raw-Lzma to 2.103 in Rawhide (no changes)
Local Packages
Updated perl-Compress-Raw-Bzip2 to 2.103:
Silence uninitialized warnings (GH#5)
Updated perl-Compress-Raw-Lzma to 2.103 as per the Fedora version
Updated perl-Compress-Raw-Zlib to 2.103:
Update bundled Zlib to 1.2.12 (CVE-2018-25032, GH#6)
Fix for inflateSync return code change (GH#7)
Fix from zlib 1.2.12.1 for incorrect CRC
AUTHOR section in POD didn't contain the stated information (GH#5)
I updated the packaging to use the bundled zlib if the system zlib is not 1.2.12 or later; as of this time, it still has not been updated in Fedora (Bug #2068066)
Updated perl-IO-Compress to 2.103:
Fix for inflateSyncs return code change
Add constant for ZIP_CM_AES
Point links to rfcs to ietf.org (GH#37)
Rename test file to fix manifest warning (GH#36)
Add perl 5.34 to CI
Fix for calling nextStream on an IO::Uncompress::Zip object in Transparent mode dies when input is uncompressed (GH#34)
IO::Compress: Generalize for EBCDIC (GH#32)
IO::Compress: Fix misspelling in 112utf8-zip.t
Update cpanm path on MacOS
Updated perl-IO-Compress-Lzma to 2.103 (no changes)
Friday 8th April 2022
Fedora Project
Submitted a review request for a perl-Parse-Distname package
Local Packages
New package perl-Parse-Distname (0.05)
Updated libgpg-error to 1.45 (https://dev.gnupg.org/T5802)
Support the "sysopen" mode parameter for gpgrt_fopen so that file names longer than MAX_PATH can be supported under Windows
gpgrt_access and gpgrt_mkdir now support file names longer than MAX_PATH
gpgrt_fopen now maps "/dev/null" to "nul" on Windows
- Published some internal helper functions for Windows
New symbols: gpgrt_free_wchar, gpgrt_fname_to_wchar, gpgrt_utf8_to_wchar, gpgrt_wchar_to_utf8
Updated perl-DateTime-Locale to 1.34:
- Rebuilt all locale data with the data from CLDR 41.0.0
Updated perl-Perl-PrereqScanner-NotQuiteLite to 0.9916:
Ignore core modules with undef version correctly
Drop URI::cpan dependency and use Parse::Distname to parse cpan URI
Saturday 9th April 2022
Local Packages
Updated perl-IO-Compress to 2.104:
Sync zipdetails 2.100 from https://github.com/pmqs/zipdetails
Update date in README
WeakDecrypt should not be listed in MANIFEST (GH#39)
Sunday 10th April 2022
Football
Went to a great game of football; City should have won it really but I'd have taken a draw before the game
Local Packages
Updated perl-IO-Compress to 2.105:
Remove WeakDecrypt
Updated perl-XML-LibXSLT to 2.000000:
Add lib/XML/LibXSLT/Quick.pm
- Clean-ups
Monday 11th April 2022
Fedora Project
Updated perl-JSON-PP to 4.08 in Rawhide:
Local Packages
Updated perl-JSON-PP to 4.08 as per the Fedora version
Tuesday 12th April 2022
Fedora Project
Updated perl-Config-General to 2.65 in Rawhide:
Copy 'default' hash, avoid modifying it (CPAN RT#142095)
Catalyst subversion repository no longer exists, so code moved to GitHub: https://github.com/TLINDEN/Config-General
Clarified license, which is now Artistic License 2.0 (CPAN RT#132893)
Correctly include directories (CPAN RT#139261)
Remove the comma from legal variable names, added mandatory start characters a-zA-Z0-9 (CPAN RT#118746); added a section in the POD to clarify this
Fix IfDefine code (CPAN RT#119160)
Updated perl-Math-Pari to 2.030523 (see Changes for details)
Retired perl-Crypt-RSA from Rawhide
The perl-Crypt-RSA package was introduced in Fedora as part of the dependency chain for perl-Net-SSH-Perl. That package has since moved to using perl-CryptX instead so there is nothing left in Fedora that depends on perl-Crypt-RSA.
The last release of Crypt-RSA was in 2009. Dana Jacobsen created an alternative implementation (https://metacpan.org/dist/Alt-Crypt-RSA-BigInt) that avoided the need for Math::Pari, which would be a big win itself due to the difficulty in packaging that module, but that implementation doesn't look to have gained any traction.
I am therefore retiring the perl-Crypt-RSA package, along with some other packages that are only used as part of the dependency tree for perl-Crypt-RSA:
perl-Crypt-Primes
perl-Crypt-Random
perl-Math-Pari
libpari23
Wednesday 13th April 2022
Local Packages
Updated perl-IO-Compress to 2.106:
Sync zipdetails 2.104 from https://github.com/pmqs/zipdetails
Thursday 14th April 2022
Fedora Project
Retired perl-Crypt-Primes, perl-Crypt-Random, perl-Math-Pari and libpari23 from Rawhide
Saturday 16th April 2022
Fedora Project
Updated perl-PPIx-QuoteLike to 0.022 in Rawhide:
Remove 'postderef' argument to new(); postfix dereference is always recognized
Local Packages
Updated perl-PPIx-QuoteLike to 0.022 as per the Fedora version
Monday 18th April 2022
Local Packages
Updated perl-PPIx-Regexp to 0.085:
Remove 'postderef' argument to PPIx::Regexp->new(); postfix dereference is always recognized
Updated perl-Test-Harness to 3.44:
- Let the aggregator finish gracefully after bailout
Make prove respect HARNESS_VERBOSE if no verbosity flags are passed
- Move timer initialization
- Fix YAMLish behaviour with empty values
Fix eintr error handling in TAP::Parser::Multiplexer
- Parse out signal name and core dump
- Remove ASCII-isms to better work on EBCDIC
Fix failing SEGV test on Windows
Fix skipping SEGV test
Updated xz (5.2.5) to fix arbitrary-file-write vulnerability in xzgrep (Bug #2073310, CVE-2022-1271)
Tuesday 19th April 2022
Fedora Project
Updated perl-DateTime to 1.58 in Rawhide:
Fixed tests so that they ignore the value set in the 'PERL_DATETIME_DEFAULT_TZ' environment variable, if one exists (GH#128)
Local Packages
Updated perl-DateTime to 1.58 as per the Fedora version
Thursday 21st April 2022
Local Packages
Rebuilt libmetalink (0.1.3) to sync with Rawhide
Updated perl-Module-CoreList to 5.20220420:
- Updated for v5.35.11
Monday 25th April 2022
Fedora Project
Updated perl-IO-Compress-Lzma to 2.103 in Rawhide (no changes)
Updated perl-PPI to 1.273 in Rawhide:
Whitespace in signatures is now preserved (GH#257)
Updated proftpd to 1.3.7d in F-34, F-35, F-36 and Rawhide:
Fix crash with long lines in AuthGroupFile due to large realloc(3) (GH#1321)
NLST did not behave consistently for relative paths (GH#1325)
Implement AllowForeignAddress class matching for passive data transfers (GH#1346)
DeleteAbortedStores removed successfully transferred files unexpectedly (Bug #4467)
Keepalive socket options should be set using IPPROTO_TCP, not SOL_SOCKET (GH#1401)
TCP keepalive SocketOptions should apply to control as well as data connection (GH#1402)
ProFTPD always used the same PassivePorts port for first transfer (GH#1396)
Name-based virtual hosts not working as expected after upgrade from 1.3.7a to 1.3.7b (GH#1369)
Updated proftpd to 1.3.8rc3 in EPEL-9:
Support SSH hostkey rotation via OpenSSH extensions (GH#1323)
NLST did not behave consistently for relative paths (GH#1325)
Support AES Galois Counter Mode (AES-GCM) in SSH; support for the "aes128-gcm@openssh.com" and "aes256-gcm@openssh.com" ciphers has been added to mod_sftp (Bug #3759)
Implement an LDAPConnectTimeout directive, to configure the timeout used when connecting to LDAP servers (GH#1333)
Implement OpenSSH "Encrypt-Then-MAC" (ETM) algorithm extensions (GH#1330)
Implement AllowForeignAddress class matching for passive data transfers (GH#1346)
Implement support for PCRE2 (GH#1353)
ProFTPD wouldn't start with several locales (Bug #4466)
Auth sources providing space-bearing user/group names caused compliance issues with MLSD/MLST responses (GH#1367)
DeleteAbortedStores removed successfully transferred files unexpectedly (Bug #4467)
Omit EPRT/EPSV from FEAT response when denied by <Limit> configuration (GH#1383)
Support uploading to symlinked files (GH#1379)
Keepalive socket options should be set using IPPROTO_TCP, not SOL_SOCKET (GH#1401)
TCP keepalive SocketOptions should apply to control as well as data connection (GH#1402)
ProFTPD always used the same PassivePorts port for first transfer (GH#1396)
mod_sftp needs to handle unknown SSH messages in an RFC-compliant manner, ignoring rather than disconnecting (GH#1410)
Improve handling of some globally applied configuration directives (GH#1418)
Name-based virtual hosts not working as expected after upgrade from 1.3.7a to 1.3.7b (GH#1369)
Local Packages
Updated perl-DateTime-Locale to 1.35:
The code passed to DateTime::Locale->load is now validated and untainted before using it to load and eval data from the filesystem (based on GH#30)
Updated perl-PPI to 1.273 as per the Fedora version
Updated proftpd to 1.3.7d as per the Fedora version
Updated proftpd to 1.3.8rc3 as per the EPEL-9 version
Tuesday 26th April 2022
Fedora Project
Took ownership of mcrcon and updated it to 0.7.2 in Rawhide
Set default address to localhost
Add -w option for rcon command throttling
Deprecate -i flag for invoking terminal mode
Add workaround to prevent server-side bug (https://bugs.mojang.com/browse/MC-154617)
- Quit gracefully when Ctrl-D or Ctrl+C is pressed
Remove "exit" and "quit" as quitting commands (these are actual rcon commands on some servers)
Suppress compiler warning (strncpy)
- Fix erroneous string length in packet building function
- Fix typo in ANSI escape sequence for LCYAN
Make stdout and stderr unbuffered
Updated python-paramiko to 2.10.4 in F-34, F-35, F-36 and Rawhide:
Update 'camelCase' method calls against the 'threading' module to be 'snake_case'; this and related tweaks should fix some deprecation warnings under Python 3.10 (GH#1838, GH#1870, GH#2028)
'~paramiko.pkey.PKey' instances' '__eq__' did not have the usual safety guard in place to ensure they were being compared to another 'PKey' object, causing occasional spurious 'BadHostKeyException', among other things (GH#1964, GH#2023, GH#2024)
Servers offering certificate variants of hostkey algorithms (e.g. 'ssh-rsa-cert-v01@openssh.com') could not have their host keys verified by Paramiko clients, as it only ever considered non-cert key types for that part of connection handshaking (GH#2035)
Local Packages
Updated mcrcon (0.7.2) to use distribution LDFLAGS as well as CFLAGS
Wednesday 27th April 2022
Local Packages
Updated curl to 7.83.0:
curl: Add %header{name} experimental support in -w handling
curl: Add %{header_json} experimental support in -w handling
curl: Add --no-clobber
curl: Add --remove-on-error
header api: Add curl_easy_header and curl_easy_nextheader
msh3: Add support for QUIC and HTTP/3 using msh3
- appveyor: Add Cygwin build
- appveyor: Only add MSYS2 to PATH where required
BearSSL: Add CURLOPT_SSL_CIPHER_LIST support
BearSSL: Add CURLOPT_SSL_CTX_FUNCTION support
- BINDINGS.md: Add Hollywood binding
CI: Do not use buildconf; instead, just use: autoreconf -fi
CI: Install Python package impacket to run SMB test 1451
configure.ac: Move -pthread CFLAGS setting back where it used to be
configure: Bump the copyright year range in the generated output
conncache: Include the zone id in the "bundle" hashkey (CVE-2022-27775)
connecache: Remove duplicate connc->closure_handle check
connect: Make Curl_getconnectinfo work with conn cache from share handle
connect: Use TCP_KEEPALIVE only if TCP_KEEPIDLE is not defined
cookie.d: Clarify when cookies are sent
- cookies: Improve error handling for reading cookiefile
curl/system.h: Update ifdef condition for MCST-LCC compiler
curl: Error out if -T and -d are used for the same URL
curl: Error out when options need features not present in libcurl
curl: Escape '?' in generated --libcurl code
- curl: Fix segmentation fault for empty output file names
curl_easy_header: Fix typos in documentation
CURLINFO_PRIMARY_PORT.3: Clarify which port this is
CURLOPT*TLSAUTH.3: They only work with OpenSSL or GnuTLS
CURLOPT_DISALLOW_USERNAME_IN_URL.3: Use uppercase URL
CURLOPT_PREQUOTE.3: Only works for FTP file transfers, not dirs
CURLOPT_PROGRESSFUNCTION.3: Fix typo in example
CURLOPT_UNRESTRICTED_AUTH.3: Extended explanation
CURLSHOPT_UNLOCKFUNC.3: Fix the callback prototype
docs/HYPER.md: Updated to reflect current hyper build needs
docs/opts: Mention Schannel client cert type is P12
- docs: Fix missing semicolon in example code
- docs: Lots of minor language polish
- English: Use American spelling consistently
fail.d: Tweak the description
firefox-db2pem.sh: Make the shell script safer
- ftp: Fix error message for partial file upload
gen.pl: Change wording for mutexed options
- GHA: Add openssl3 jobs moved over from Zuul
- GHA: Build hyper with nightly rustc
- GHA: Move bearssl jobs over from Zuul
- GHA: Move the event-based test over from Zuul
- gtls: Fix build for disabled TLS-SRP
http2: Handle DONE called for the paused stream
http2: RST the stream if we stop it on our own will
http: Avoid auth/cookie on redirects same host diff port (CVE-2022-27776)
- http: Close the stream (not connection) on time condition abort
- http: Reject header contents with nul bytes
- http: Return error on colon-less HTTP headers
- http: streamclose "already downloaded"
hyper: Fix status_line() return code
- hyper: Fix tests 580 and 581 for hyper
- hyper: No h2c support
- infof: Consistent capitalization of warning messages
ipv4/6.d: Clarify that they are about using IP addresses
json.d: Fix typo (overriden → overridden)
keepalive-time.d: It takes many probes to detect brokenness
lib/warnless.[ch]: Only check for WIN32 and ignore _WIN32
lib670: Avoid double check result
lib: #ifdef on USE_HTTP2 better
lib: Fix some misuse of curlx_convert_wchar_to_UTF8
- lib: Remove exclamation marks
- libssh2: Compare sha256 strings case sensitively
- libssh2: Make the md5 comparison fail if wrong length
- libssh: Fix build with old libssh versions
- libssh: Fix double close
libssh: Improve fix for missing SSH_S_ stat macros
- libssh: Unstick SFTP transfers when done event-based
macos: Set .plist version in autoconf
- mbedtls: Remove 'protocols' array from backend when ALPN is not used
mbedtls: Remove server_fd from backend
mk-ca-bundle.pl: Use stricter logic to process the certificates
mk-ca-bundle.vbs: Delete this script in favor of mk-ca-bundle.pl
mlc_config.json: Add file to ignore known troublesome URLs
- mqtt: Better handling of TCP disconnect mid-message
- ngtcp2: Add client certificate authentication for OpenSSL
ngtcp2: Avoid busy loop in low CWND situation
- ngtcp2: Deal with sub-millisecond timeout
- ngtcp2: Disconnect the QUIC connection properly
ngtcp2: Enlarge H3_SEND_SIZE
- ngtcp2: Fix HTTP/3 upload stall and avoid busy loop
- ngtcp2: Fix memory leak
ngtcp2: Fix QUIC_IDLE_TIMEOUT
- ngtcp2: Make curl 1ms faster
ngtcp2: Remove remote_addr, which is not used in a meaningful way
- ngtcp2: Update to work after recent ngtcp2 updates
ngtcp2: Use token when detecting :status header field
nonblock: Restore setsockopt method to curlx_nonblock
openssl: Check SSL_get_peer_cert_chain return value
openssl: Enable CURLOPT_SSL_EC_CURVES with BoringSSL
- openssl: Fix CN check error code
- options: Remove mistaken space before paren in prototype
- perl: Removed a double semicolon at end of line
pop3/smtp: return *WEIRD_SERVER_REPLY when not understood
projects/README: Converted to markdown
- projects: Update VC version names for VS2017, VS2022
rtsp: Don't let CSeq error override earlier errors
- runtests: Add 'bearssl' as testable feature
- runtests: Make 'oldlibssh' be before 0.9.4
- schannel: Remove dead code that will never run
scripts/copyright.pl: Ignore the new mlc_config.json file
scripts: Move three scripts from lib/ to scripts/
test1135: Sync with recent API updates
test1459: Disable for oldlibssh
test375: Fix line endings on Windows
test386: Fix an incorrect test markup tag
test718: Edited slightly to return better HTTP
tests/server/util.h: Align WIN32 condition with util.c
tests: Refactor server/socksd.c to support --unix-socket
timediff.[ch]: Add curlx helper functions for timeval conversions
tls: Make mbedtls and NSS check for h2, not nghttp2
- tool and tests: Force flush of all buffers at end of program
tool_cb_hdr: Turn the Location: into a terminal hyperlink
tool_getparam: Error out on missing -K file
tool_listhelp.c: Uppercase URL
tool_operate: Fix a scan-build warning
tool_paramhlp: Use feof(3) to identify EOF correctly when using fread(3)
transfer: Redirects to other protocols or ports clear auth (CVE-2022-27774)
unit1620: Call global_init before calling Curl_open
url: Check sasl additional parameters for connection reuse (CVE-2022-22576)
- vtls: Provide a unified ALPN-disagree string for all backends
- vtls: Use a backend standard message for "ALPN: offers %s"
- vtls: Use a generic "ALPN, server accepted" message
winbuild/README.md: Fix up dead link
winbuild: Add a Visual Studio example to the README
- wolfssl: Fix compiler error without IPv6
Cleaned up and rebuilt demoroniser
Cleaned up and rebuilt plusnet-fttc
Thursday 28th April 2022
Local Packages
Updated perl-Parse-Distname (0.05) to incorporate feedback from package review (Bug #2073377)
Previous Month: March 2022
Next Month: May 2022