Friday 3rd June 2022

Local Packages

• Updated dovecot (2.3):

  • Updated dovecot to 2.3.19:

    • Added mail_user_session_finished event, which is emitted when the mail user session is finished (e.g. imap, pop3, lmtp); it also includes fields with some process statistics information (see https://doc.dovecot.org/admin_manual/list_of_events/ for more information)

    • Added process_shutdown_filter setting: when an event matches the filter, the process will be shut down after the current connection(s) have finished, which is intended to reduce memory usage of long-running imap processes that keep a lot of memory allocated instead of freeing it to the OS

    • auth: Add cache hit indicator to auth passdb/userdb finished events; see https://doc.dovecot.org/admin_manual/list_of_events/ for more information

    • doveadm deduplicate: Performance is improved significantly

    • imapc: COPY commands were sent one mail at a time to the remote IMAP server; now the copying is buffered, so multiple mails can be copied with a single COPY command

    • lib-lua: Add a Lua interface to Dovecot's HTTP client library; see https://doc.dovecot.org/admin_manual/lua/ for more information

    • auth: Cache lookup would use incorrect cache key after username change
    • auth: Improve handling unexpected LDAP connection errors/hangs; try to fix up these cases by reconnecting to the LDAP server and aborting LDAP requests earlier
    • auth: Process crashed if userdb iteration was attempted while auth-workers were already full handling auth requests

    • auth: db-oauth2: Using %{oauth2:name} variables caused unnecessary introspection requests

    • dict: Timeouts may have been leaked at deinit
    • director: Ring may have become unstable if a backend's tag was changed; it could also have caused director process to crash

    • doveadm kick: Numeric parameter was treated as IP address

    • doveadm: Proxying can panic when flushing print output; fixes: Panic: file ioloop.c: line 865 (io_loop_destroy): assertion failed: (ioloop == current_ioloop)

    • doveadm sync: BROKENCHAR was wrongly changed to '_' character when migrating mailboxes; this was set by default to %, so any mailbox names containing % characters were modified to "_25"

    • imapc: Copying or moving mails with doveadm to an imapc mailbox could have produced "Error: Syncing mailbox '[...]' failed" errors; the operation itself succeeded but attempting to sync the destination mailbox failed

    • imapc: Prevent index log synchronization errors when two or more imapc sessions are adding messages to the same mailbox index files, i.e. INDEX=MEMORY is not used

    • indexer: Process was slowly leaking memory for each indexing request

    • lib-fts: fts header filters caused binary content to be sent to the indexer with non-default configuration

    • doveadm-server: Process could hang in some situations when printing output to TCP client, e.g. when printing doveadm sync state

    • lib-index: dovecot.index.log files were often read and parsed entirely, rather than only the parts that were actually necessary; this mainly increased CPU usage

    • lmtp-proxy: Session ID forwarding would cause same session IDs being used when delivering the same mail to multiple backends

    • log: Log prefix update may have been lost if log process was busy; this could have caused log prefixes to be empty or in some cases reused between sessions, i.e. log lines could have been logged for the wrong user/session

    • mail_crypt: Plugin crashes if it's loaded only for some users: fixes Panic: Module context mail_crypt_user_module missing

    • mail_crypt: When LMTP was delivering mails to both recipients with mail encryption enabled and not enabled, the non-encrypted recipients may have gotten mails encrypted anyway; this happened when the first recipient was encrypted (mail_crypt_save_version=2) and the 2nd recipient was not encrypted (mail_crypt_save_version=0)

    • pop3: Session would crash if empty line was sent
    • stats: HTTP server leaked memory

    • submission-login: Long credentials, such as OAUTH2 tokens, were refused during SASL interactive due to submission server applying line length limits

    • submission-login: When proxying to remote host, authentication was not using interactive SASL when logging in using long credentials such as OAUTH2 tokens; this caused authentication to fail due to line length constraints in SMTP protocol

    • submission: Terminating the client connection with QUIT command after mail transaction is started with MAIL command and before it is finished with DATA/BDAT can cause a segfault crash

    • virtual: doveadm search queries with mailbox-guid as the only parameter crashes: Panic: file virtual-search.c: line 77 (virtual_search_get_records): assertion failed: (result != 0)

  • Updated pigeonhole to 0.5.19

    • No changes - release done to keep version numbers synced

Wednesday 8th June 2022

Local Packages

• Updated perl-Type-Tiny to 1.012005:

  • Ensure coderefs returned by overload::Method are called with three parameters, as passing two parameters can break subs implemented in XS

  • Fix explanation message for NumRange/IntRange

  • Prevent stringification of Error::TypeTiny from clobbering $@

  • Fix typos in documentation for wrap_methods from Type::Params

Sunday 12th June 2022

Fedora Project

• Updated perl-Specio to 0.48 in Rawhide:

  • Importing types into a class that inherited from another class that had imported types wouldn't work, leaving the child class with no 't()' sub

Local Packages

• Updated perl-Specio to 0.48 as per the Fedora version

Monday 13th June 2022

Fedora Project

• Updated perl-Package-Stash-XS to 0.30 in Rawhide:

  • Miscellaneous tooling updates

  • Fixed redundant argument in sprintf in tests (CPAN RT#143205)

• Updated perltidy to 20220613 in Rawhide (see CHANGES.md for details)

Local Packages

• Updated perl-Package-Stash-XS to 0.30 as per the Fedora version

• Updated perl-Perl-Tidy to 20220613 as per the Fedora perltidy package

Tuesday 14th June 2022

Local Packages

• Updated dovecot to 2.3.19.1:

  • doveadm deduplicate: Non-duplicate mails were deleted (v2.3.19 regression)

  • auth: Crash would occur when iterating multiple backends; fixes: Panic: file userdb-blocking.c: line 125 (userdb_blocking_iter_next): assertion failed: (ctx->conn != NULL)

• Updated perl-File-Remove to 1.61:

  • Symlinks were broken in Windows/msys

Wednesday 15th June 2022

Fedora Project

• Updated perl-Software-License to 0.104002 in Rawhide:

  • Add support for ISC license
  • Add guesser for Apache license and no license

Local Packages

• Updated perl-Software-License to 0.104002 as per the Fedora version

• Rebuilt bluefish (2.2.12) for Python 3.11 in Rawhide

Friday 17th June 2022

Fedora Project

• Updated perl-Cpanel-JSON-XS to 4.30 in Rawhide:

  • Fix perl 5.37 utf8n_to_uvuni deprecation (GH#196)

• Branched and built spamass-milter (0.4.0) for EPEL-9

Local Packages

• Rebuilt libxslt (1.1.35) to sync with Rawhide

• Updated perl-Cpanel-JSON-XS to 4.30 as per the Fedora version

• Updated perl-Filter to 1.61:

  • perfilter.pod: Minor improvements (GH#16)

  • Remove runtime recommends META (GH#14)

  • "use strict" in all modules, fixes Test::Kwalitee

  • Add GitHub actions and cirrus CI's

  • Updated Copyright years

• Updated xz (5.2.2) for EL-7 (clone of EL-7 package, fixes CVE-2022-1271)

Monday 20th June 2022

Local Packages

• Rebuilt libxml2 (2.9.14) for Python 3.11 in Rawhide

• Rebuilt python-passlib (1.7.4) for Python 3.11 in Rawhide

• Rebuilt python2-xapian to sync with xapian-bindings-1.4.19-2 in Rawhide

Tuesday 21st June 2022

Local Packages

• Rebuilt geoipupdate (4.9.0) for CVE-2022-1996, CVE-2022-24675, CVE-2022-28327, CVE-2022-27191, CVE-2022-29526, CVE-2022-30629 in golang

• Updated libidn to 1.40:

  • lib: Code detecting current locale broken since 1.36
    • The code always returned ASCII; the precise cause is complicated to track down but likely boils down to the new autotools/gettext bootstrapping sequence introduced in release 1.36
  • maint: Java JAR archive no longer included in source tarball
  • Minor fixes: typos, makefiles, indentation, gnulib update, etc.

• Updated perl-Module-CoreList to 5.20220620:

  • Updated for v5.37.1

Wednesday 22nd June 2022

Local Packages

• Updated perl-Compress-Raw-Zlib to 2.200:

  • Added zlib-ng support (GH#9)

  • Only set Z_SOLO when building zlib sources (GH#12)

• I had to add a patch to fix the test count for t/07bufsize.t (GH#16)

Friday 24th June 2022

Fedora Project

• Updated perl-JSON-PP to 4.10 in Rawhide:

  • Fix a regression of decode_error introduced at 4.08 (GH#75)

  • Convert all tests to use Test::More (GH#70)

• Updated perl-JSON to 4.07 in Rawhide:

  • Updated backportPP with JSON::PP 4.10

Local Packages

• Updated perl-JSON-PP to 4.10 as per the Fedora version

• Updated perl-JSON to 4.07 as per the Fedora version

Sunday 26th June 2022

Fedora Project

• Updated perl-Compress-Raw-Bzip2 to 2.201 in Rawhide (no functional changes)

• Updated perl-Compress-Raw-Lzma to 2.201 in Rawhide (no functional changes)

• Updated perl-Compress-Raw-Zlib to 2.201 in Rawhide:

  • More zlib-ng updates

  • Fix test count regression in t/07bufsize.t (GH#16)

• Updated perl-IO-Compress to 2.201 in Rawhide:

  • Disable zlib header tests

  • Documentation update (GH#38)

  • Changes for zlib-ng

  • Add perl 5.36 to test matrix

  • Force streaming zip file when writing to stdout (GH#42)

  • Read zip timestamp in localtime

  • streamzip: Tighten up version tests for failing windows tests (GH#41)

  • streamzip: Update year

  • Use Time::Local instead of POSIX::mktime

• Updated perl-IO-Compress-Lzma to 2.201 in Rawhide (no functional changes)

Local Packages

• Updated perl-Compress-Raw-Bzip2 to 2.201 as per the Fedora version

• Updated perl-Compress-Raw-Lzma to 2.201 as per the Fedora version

• Updated perl-Compress-Raw-Zlib to 2.201 as per the Fedora version

• Updated perl-IO-Compress to 2.201 as per the Fedora version

• Updated perl-IO-Compress-Lzma to 2.201 as per the Fedora version

Monday 27th June 2022

Local Packages

• Updated curl to 7.84.0:

  • curl: Add --rate to set max request rate per time unit

  • curl: Deprecate --random-file and --egd-file

  • curl_version_info: Add CURL_VERSION_THREADSAFE

  • CURLINFO_CAPATH/CAINFO: Get the default CA paths from libcurl

  • lib: Make curl_global_init() thread-safe when possible

  • libssh2: Add CURLOPT_SSH_HOSTKEYFUNCTION

  • opts: Deprecate RANDOM_FILE and EGDSOCKET

  • socks: Support unix sockets for socks proxy

  • aws-sigv4: Fix potential NULL pointer arithmetic

  • bindlocal: Don't use a random port if port number would wrap

  • c-hyper: Mark status line as status for Curl_client_write()

  • ci: Avoid 'cmake -Hpath'

  • ci: Bump FreeBSD 13.0 to 13.1

  • ci: Update GitHub actions

  • cmake: Add libpsl support

  • cmake: Do not add libcurl.rc to the static libcurl library

  • cmake: Enable curl.rc for all Windows targets

  • cmake: Fix detecting libidn2

  • cmake: Support adding a suffix to the OS value

  • configure: Skip libidn2 detection when winidn is used

  • configure: Use the SED value to invoke sed

  • configure: Warn about rustls being experimental

  • content_encoding: Return error on too many compression steps (CVE-2022-32206)

  • cookie: Address secure domain overlay

  • cookie: Apply limits (CVE-2022-32205)

  • copyright.pl: Parse and use .reuse/dep5 for skips

  • copyright: Make repository REUSE compliant

  • curl.1: Add a few see also --tls-max

  • curl.1: Mention exit code zero too

  • curl: Re-enable --no-remote-name

  • curl_easy_pause.3: Remove explanation of progress function

  • curl_getdate.3: Document that some illegal dates pass through

  • Curl_parsenetrc: Don't access local pwbuf outside of scope

  • curl_url_set.3: Clarify by default using known schemes only

  • CURLOPT_ALTSVC.3: Document the file format

  • CURLOPT_FILETIME.3: Fix the protocols this works with

  • CURLOPT_HTTPHEADER.3: Improve comment in example

  • CURLOPT_NETRC.3: Document the .netrc file format

  • CURLOPT_PORT.3: We discourage using this option

  • CURLOPT_RANGE.3: Remove ranged upload advice

  • digest: Added detection of more syntax errors in server headers
  • digest: Tolerate missing "realm"
  • digest: Unquote realm and nonce before processing

  • DISABLED: Disable 1021 for hyper again

  • docs/cmdline-opts: Add copyright and license identifier to each file

  • docs/CONTRIBUTE.md: Document the 'needs-votes' concept

  • docs: Clarify data replacement policy for MIME API

  • doh: Remove UNITTEST macro definition

  • examples/crawler.c: Use the curl license

  • examples: Remove fopen.c and rtsp.c

  • FAQ: Clarify Windows double quote usage

  • fopen: Add Curl_fopen() for better overwriting of files (CVE-2022-32207)

  • ftp: Restore protocol state after http proxy CONNECT

  • ftp: When failing to do a secure GSSAPI login, fail hard
  • GHA/hyper: Enable debug in the build

  • gssapi: Improve handling of errors from gss_display_status

  • gssapi: Initialize gss_buffer_desc strings

  • headers API: Remove EXPERIMENTAL tag

  • http2: Always debug print stream id in decimal with %u

  • http2: Reject overly many push-promise headers
  • http: Restore header folding behaviour

  • hyper: Use 'alt-used'

  • krb5: Return error properly on decode errors (CVE-2022-32208)

  • lib: Make more protocol specific struct fields #ifdefed

  • libcurl-security.3: Add "Secrets in memory"

  • libcurl-security.3: Document CRLF header injection

  • libssh: Skip the fake-close when libssh does the right thing

  • links: Update dead links to the curl-wiki

  • log2changes: Do not indent empty lines

  • macos9: Remove partial support

  • Makefile.am: Fix portability issues

  • Makefile.m32: Delete obsolete options, improve -On

  • Makefile.m32: Delete two obsolete OpenSSL options

  • Makefile.m32: Stop forcing XP target with ipv6 enabled

  • max-time.d: Clarify max-time sets max transfer time

  • mprintf: Ignore clang non-literal format string

  • netrc: Check %USERPROFILE% as well on Windows

  • netrc: Support quoted strings

  • ngtcp2: Allow curl to send larger UDP datagrams

  • ngtcp2: Correct use of ngtcp2 and nghttp3 signed integer types

  • ngtcp2: Enable Linux GSO

  • ngtcp2: Extend QUIC transport parameters buffer

  • ngtcp2: Fix alert_read_func return value

  • ngtcp2: Fix typo in preprocessor condition

  • ngtcp2: Handle error from ngtcp2_conn_submit_crypto_data

  • ngtcp2: Send appropriate connection close error code

  • ngtcp2: Support boringssl crypto backend

  • ngtcp2: Use helper funcs to simplify TLS handshake integration

  • ntlm: Provide a fixed fake host name
  • projects: Fix third-party SSL library build paths for Visual Studio

  • quic: Add Curl_quic_idle

  • quiche: Support ca-fallback

  • rand: Stop detecting /dev/urandom in cross-builds

  • remote-name.d: Mention --output-dir

  • runtests.pl: Add the --repeat parameter to the --help output

  • runtests: Fix skipping tests not done event-based

  • runtests: Skip starting the ssh server if user name is lacking

  • scripts/copyright.pl: fix the exclusion to not ignore man pages

  • sectransp: Check for a function defined when __BLOCKS__ is undefined

  • select: Return error from "lethal" poll/select errors

  • server/sws: Support spaces in the HTTP request path

  • speed-limit/time.d: Mention these affect transfers in either direction

  • strcase: Some optimizations

  • test2081: Add a valid reply for the second request
  • test675: Add missing CR so the test passes when run through Privoxy

  • test414: Add the '--resolve' keyword

  • test681: Verify --no-remote-name

  • tests 266, 116 and 1540: Add a small write delay

  • tests/data/test1501: Kill ftp server after slow LIST response

  • tests/getpart: Fix getpartattr to work with "data" and "data2"

  • tests/server/sws.c: Change the HTTP writedelay unit to milliseconds

  • test{440,441,493,977}: Add "HTTP proxy" keywords

  • tool_getparam: Fix --parallel-max maximum value constraint

  • tool_operate: Make sure --fail-with-body works with --retry

  • transfer: Fix potential NULL pointer dereference

  • transfer: Maintain --path-as-is after redirects

  • transfer: Upload performance; avoid tiny send
  • url: Free old conn better on reuse

  • url: Remove redundant #ifdefs in allocate_conn()

  • url: URL encode the path when extracted, if spaces were set

  • urlapi: Make curl_url_set(url, CURLUPART_URL, NULL, 0) clear all parts

  • urlapi: Support CURLU_URLENCODE for curl_url_get()

  • urldata: Reduce size of a few struct fields

  • urldata: Remove three unused booleans from struct UserDefined

  • urldata: Store tcp_keepidle and tcp_keepintvl as ints

  • version: Allow stricmp() for sorting the feature list

  • vtls: Make curl_global_sslset thread-safe

  • wolfssh.h: Removed

  • wolfSSL: Correct the failf() message when a handle can't be made

  • wolfSSL: Explicitly use compatibility layer

  • x509asn1: Mark msnprintf return as unchecked

• I had to disable flaky test 3026 for now

• Updated libidn update to 1.41:

  • Bump LT_REVISION for new release; it was mistakenly left at the same value since 1.38

  • Add version number related self-checks

• Updated perl-Compress-Raw-Zlib to 2.202:

  • Z_NULL should be 'UV' rather than 'PV' (GH#17)

Tuesday 28th June 2022

Fedora Project

• Branched and built perl-Authen-DigestMD5 (0.04) for EPEL-9

Local Packages

• Updated curl (7.84.0) to improve the workaround for test3026 issues

• Updated perl-Type-Tiny to 1.014000:

• Documentation:
  • Update copyright dates to 2022
  • Various minor documentation improvements
• Test Suite:
  • Eliminate some warnings and other noise from the test suite
  • Rename some directories in the test suite to better reflect their contents
• Other:

  • Added: $Type::Tiny::SafePackage variable

  • Added: Error::TypeTiny now has a 'throw_cb' method that acts like 'throw' but takes an initial callback parameter

  • Added: Type::Params 'compile', 'compile_named', and 'compile_named_oo' functions now support an 'on_die' callback

  • Eliminate warnings while generating deep explanations for type constraint check fails under some circumstances (mostly affects StrMatch when Regexp::Util isn't installed)