Friday 3rd June 2022
Local Packages
Updated dovecot (2.3):
Updated dovecot to 2.3.19:
- Added mail_user_session_finished event, which is emitted when the mail user session is finished (e.g. imap, pop3, lmtp); it also includes fields with some process statistics information (see https://doc.dovecot.org/admin_manual/list_of_events/ for more information)
- Added process_shutdown_filter setting: when an event matches the filter, the process will be shut down after the current connection(s) have finished, which is intended to reduce memory usage of long-running imap processes that keep a lot of memory allocated instead of freeing it to the OS
- auth: Add cache hit indicator to auth passdb/userdb finished events; see https://doc.dovecot.org/admin_manual/list_of_events/ for more information
- doveadm deduplicate: Performance is improved significantly
- imapc: COPY commands were sent one mail at a time to the remote IMAP server; now the copying is buffered, so multiple mails can be copied with a single COPY command
- lib-lua: Add a Lua interface to Dovecot's HTTP client library; see https://doc.dovecot.org/admin_manual/lua/ for more information
- auth: Cache lookup would use incorrect cache key after username change
- auth: Improve handling of unexpected LDAP connection errors/hangs; try to fix up these cases by reconnecting to the LDAP server and aborting LDAP requests earlier
- auth: Process crashed if userdb iteration was attempted while auth-workers were already full handling auth requests
- auth: db-oauth2: Using %{oauth2:name} variables caused unnecessary introspection requests
- dict: Timeouts may have been leaked at deinit
- director: Ring may have become unstable if a backend's tag was changed; it could also have caused director process to crash
- doveadm kick: Numeric parameter was treated as IP address
- doveadm: Proxying can panic when flushing print output; fixes: Panic: file ioloop.c: line 865 (io_loop_destroy): assertion failed: (ioloop == current_ioloop)
- doveadm sync: BROKENCHAR was wrongly changed to '_' character when migrating mailboxes; this was set by default to %, so any mailbox names containing % characters were modified to "_25"
- imapc: Copying or moving mails with doveadm to an imapc mailbox could have produced "Error: Syncing mailbox '[...]' failed" errors; the operation itself succeeded but attempting to sync the destination mailbox failed
- imapc: Prevent index log synchronization errors when two or more imapc sessions are adding messages to the same mailbox index files, i.e. INDEX=MEMORY is not used
- indexer: Process was slowly leaking memory for each indexing request
- lib-fts: fts header filters caused binary content to be sent to the indexer with non-default configuration
- doveadm-server: Process could hang in some situations when printing output to TCP client, e.g. when printing doveadm sync state
- lib-index: dovecot.index.log files were often read and parsed entirely, rather than only the parts that were actually necessary; this mainly increased CPU usage
- lmtp-proxy: Session ID forwarding would cause the same session IDs to be used when delivering the same mail to multiple backends
- log: Log prefix update may have been lost if log process was busy; this could have caused log prefixes to be empty or in some cases reused between sessions, i.e. log lines could have been logged for the wrong user/session
- mail_crypt: Plugin crashes if it's loaded only for some users; fixes: Panic: Module context mail_crypt_user_module missing
- mail_crypt: When LMTP was delivering mails to both recipients with mail encryption enabled and not enabled, the non-encrypted recipients may have gotten mails encrypted anyway; this happened when the first recipient was encrypted (mail_crypt_save_version=2) and the 2nd recipient was not encrypted (mail_crypt_save_version=0)
- pop3: Session would crash if empty line was sent
- stats: HTTP server leaked memory
- submission-login: Long credentials, such as OAUTH2 tokens, were refused during SASL interactive due to submission server applying line length limits
- submission-login: When proxying to remote host, authentication was not using interactive SASL when logging in using long credentials such as OAUTH2 tokens; this caused authentication to fail due to line length constraints in SMTP protocol
- submission: Terminating the client connection with QUIT command after mail transaction is started with MAIL command and before it is finished with DATA/BDAT can cause a segfault crash
- virtual: doveadm search queries with mailbox-guid as the only parameter crash: Panic: file virtual-search.c: line 77 (virtual_search_get_records): assertion failed: (result != 0)
Updated pigeonhole to 0.5.19
- No changes - release done to keep version numbers synced
Wednesday 8th June 2022
Local Packages
Updated perl-Type-Tiny to 1.012005:
- Ensure coderefs returned by overload::Method are called with three parameters, as passing two parameters can break subs implemented in XS
- Fix explanation message for NumRange/IntRange
- Prevent stringification of Error::TypeTiny from clobbering $@
- Fix typos in documentation for wrap_methods from Type::Params
Sunday 12th June 2022
Fedora Project
Updated perl-Specio to 0.48 in Rawhide:
- Importing types into a class that inherited from another class that had imported types wouldn't work, leaving the child class with no 't()' sub
Local Packages
Updated perl-Specio to 0.48 as per the Fedora version
Monday 13th June 2022
Fedora Project
Updated perl-Package-Stash-XS to 0.30 in Rawhide:
- Miscellaneous tooling updates
- Fixed redundant argument in sprintf in tests (CPAN RT#143205)
Updated perltidy to 20220613 in Rawhide (see CHANGES.md for details)
Local Packages
Updated perl-Package-Stash-XS to 0.30 as per the Fedora version
Updated perl-Perl-Tidy to 20220613 as per the Fedora perltidy package
Tuesday 14th June 2022
Local Packages
Updated dovecot to 2.3.19.1:
- doveadm deduplicate: Non-duplicate mails were deleted (v2.3.19 regression)
- auth: Crash would occur when iterating multiple backends; fixes: Panic: file userdb-blocking.c: line 125 (userdb_blocking_iter_next): assertion failed: (ctx->conn != NULL)
Updated perl-File-Remove to 1.61:
- Symlinks were broken in Windows/msys
Wednesday 15th June 2022
Fedora Project
Updated perl-Software-License to 0.104002 in Rawhide:
- Add support for ISC license
- Add guesser for Apache license and no license
Local Packages
Updated perl-Software-License to 0.104002 as per the Fedora version
Rebuilt bluefish (2.2.12) for Python 3.11 in Rawhide
Friday 17th June 2022
Fedora Project
Updated perl-Cpanel-JSON-XS to 4.30 in Rawhide:
- Fix perl 5.37 utf8n_to_uvuni deprecation (GH#196)
Branched and built spamass-milter (0.4.0) for EPEL-9
Local Packages
Rebuilt libxslt (1.1.35) to sync with Rawhide
Updated perl-Cpanel-JSON-XS to 4.30 as per the Fedora version
Updated perl-Filter to 1.61:
Updated xz (5.2.2) for EL-7 (clone of EL-7 package, fixes CVE-2022-1271)
Monday 20th June 2022
Local Packages
Rebuilt libxml2 (2.9.14) for Python 3.11 in Rawhide
Rebuilt python-passlib (1.7.4) for Python 3.11 in Rawhide
Rebuilt python2-xapian to sync with xapian-bindings-1.4.19-2 in Rawhide
Tuesday 21st June 2022
Local Packages
Rebuilt geoipupdate (4.9.0) for CVE-2022-1996, CVE-2022-24675, CVE-2022-28327, CVE-2022-27191, CVE-2022-29526, CVE-2022-30629 in golang
Updated libidn to 1.40:
- lib: Code detecting current locale broken since 1.36
- The code always returned ASCII; the precise cause is complicated to track down but likely boils down to the new autotools/gettext bootstrapping sequence introduced in release 1.36
- maint: Java JAR archive no longer included in source tarball
- Minor fixes: typos, makefiles, indentation, gnulib update, etc.
Updated perl-Module-CoreList to 5.20220620:
- Updated for v5.37.1
Wednesday 22nd June 2022
Local Packages
Friday 24th June 2022
Fedora Project
Updated perl-JSON-PP to 4.10 in Rawhide:
Updated perl-JSON to 4.07 in Rawhide:
- Updated backportPP with JSON::PP 4.10
Local Packages
Updated perl-JSON-PP to 4.10 as per the Fedora version
Updated perl-JSON to 4.07 as per the Fedora version
Sunday 26th June 2022
Fedora Project
Updated perl-Compress-Raw-Bzip2 to 2.201 in Rawhide (no functional changes)
Updated perl-Compress-Raw-Lzma to 2.201 in Rawhide (no functional changes)
Updated perl-Compress-Raw-Zlib to 2.201 in Rawhide:
- More zlib-ng updates
- Fix test count regression in t/07bufsize.t (GH#16)
Updated perl-IO-Compress to 2.201 in Rawhide:
- Disable zlib header tests
- Documentation update (GH#38)
- Changes for zlib-ng
- Add perl 5.36 to test matrix
- Force streaming zip file when writing to stdout (GH#42)
- Read zip timestamp in localtime
- streamzip: Tighten up version tests for failing windows tests (GH#41)
- streamzip: Update year
- Use Time::Local instead of POSIX::mktime
Updated perl-IO-Compress-Lzma to 2.201 in Rawhide (no functional changes)
Local Packages
Updated perl-Compress-Raw-Bzip2 to 2.201 as per the Fedora version
Updated perl-Compress-Raw-Lzma to 2.201 as per the Fedora version
Updated perl-Compress-Raw-Zlib to 2.201 as per the Fedora version
Updated perl-IO-Compress to 2.201 as per the Fedora version
Updated perl-IO-Compress-Lzma to 2.201 as per the Fedora version
Monday 27th June 2022
Local Packages
Updated curl to 7.84.0:
- curl: Add --rate to set max request rate per time unit
- curl: Deprecate --random-file and --egd-file
- curl_version_info: Add CURL_VERSION_THREADSAFE
- CURLINFO_CAPATH/CAINFO: Get the default CA paths from libcurl
- lib: Make curl_global_init() thread-safe when possible
- libssh2: Add CURLOPT_SSH_HOSTKEYFUNCTION
- opts: Deprecate RANDOM_FILE and EGDSOCKET
- socks: Support unix sockets for socks proxy
- aws-sigv4: Fix potential NULL pointer arithmetic
- bindlocal: Don't use a random port if port number would wrap
- c-hyper: Mark status line as status for Curl_client_write()
- ci: Avoid 'cmake -Hpath'
- ci: Bump FreeBSD 13.0 to 13.1
- ci: Update GitHub actions
- cmake: Add libpsl support
- cmake: Do not add libcurl.rc to the static libcurl library
- cmake: Enable curl.rc for all Windows targets
- cmake: Fix detecting libidn2
- cmake: Support adding a suffix to the OS value
- configure: Skip libidn2 detection when winidn is used
- configure: Use the SED value to invoke sed
- configure: Warn about rustls being experimental
- content_encoding: Return error on too many compression steps (CVE-2022-32206)
- cookie: Address secure domain overlay
- cookie: Apply limits (CVE-2022-32205)
- copyright.pl: Parse and use .reuse/dep5 for skips
- copyright: Make repository REUSE compliant
- curl.1: Add a few see also --tls-max
- curl.1: Mention exit code zero too
- curl: Re-enable --no-remote-name
- curl_easy_pause.3: Remove explanation of progress function
- curl_getdate.3: Document that some illegal dates pass through
- Curl_parsenetrc: Don't access local pwbuf outside of scope
- curl_url_set.3: Clarify by default using known schemes only
- CURLOPT_ALTSVC.3: Document the file format
- CURLOPT_FILETIME.3: Fix the protocols this works with
- CURLOPT_HTTPHEADER.3: Improve comment in example
- CURLOPT_NETRC.3: Document the .netrc file format
- CURLOPT_PORT.3: We discourage using this option
- CURLOPT_RANGE.3: Remove ranged upload advice
- digest: Added detection of more syntax errors in server headers
- digest: Tolerate missing "realm"
- digest: Unquote realm and nonce before processing
- DISABLED: Disable 1021 for hyper again
- docs/cmdline-opts: Add copyright and license identifier to each file
- docs/CONTRIBUTE.md: Document the 'needs-votes' concept
- docs: Clarify data replacement policy for MIME API
- doh: Remove UNITTEST macro definition
- examples/crawler.c: Use the curl license
- examples: Remove fopen.c and rtsp.c
- FAQ: Clarify Windows double quote usage
- fopen: Add Curl_fopen() for better overwriting of files (CVE-2022-32207)
- ftp: Restore protocol state after http proxy CONNECT
- ftp: When failing to do a secure GSSAPI login, fail hard
- GHA/hyper: Enable debug in the build
- gssapi: Improve handling of errors from gss_display_status
- gssapi: Initialize gss_buffer_desc strings
- headers API: Remove EXPERIMENTAL tag
- http2: Always debug print stream id in decimal with %u
- http2: Reject overly many push-promise headers
- http: Restore header folding behaviour
- hyper: Use 'alt-used'
- krb5: Return error properly on decode errors (CVE-2022-32208)
- lib: Make more protocol specific struct fields #ifdefed
- libcurl-security.3: Add "Secrets in memory"
- libcurl-security.3: Document CRLF header injection
- libssh: Skip the fake-close when libssh does the right thing
- links: Update dead links to the curl-wiki
- log2changes: Do not indent empty lines
- macos9: Remove partial support
- Makefile.am: Fix portability issues
- Makefile.m32: Delete obsolete options, improve -On
- Makefile.m32: Delete two obsolete OpenSSL options
- Makefile.m32: Stop forcing XP target with ipv6 enabled
- max-time.d: Clarify max-time sets max transfer time
- mprintf: Ignore clang non-literal format string
- netrc: Check %USERPROFILE% as well on Windows
- netrc: Support quoted strings
- ngtcp2: Allow curl to send larger UDP datagrams
- ngtcp2: Correct use of ngtcp2 and nghttp3 signed integer types
- ngtcp2: Enable Linux GSO
- ngtcp2: Extend QUIC transport parameters buffer
- ngtcp2: Fix alert_read_func return value
- ngtcp2: Fix typo in preprocessor condition
- ngtcp2: Handle error from ngtcp2_conn_submit_crypto_data
- ngtcp2: Send appropriate connection close error code
- ngtcp2: Support boringssl crypto backend
- ngtcp2: Use helper funcs to simplify TLS handshake integration
- ntlm: Provide a fixed fake host name
- projects: Fix third-party SSL library build paths for Visual Studio
- quic: Add Curl_quic_idle
- quiche: Support ca-fallback
- rand: Stop detecting /dev/urandom in cross-builds
- remote-name.d: Mention --output-dir
- runtests.pl: Add the --repeat parameter to the --help output
- runtests: Fix skipping tests not done event-based
- runtests: Skip starting the ssh server if user name is lacking
- scripts/copyright.pl: Fix the exclusion to not ignore man pages
- sectransp: Check for a function defined when __BLOCKS__ is undefined
- select: Return error from "lethal" poll/select errors
- server/sws: Support spaces in the HTTP request path
- speed-limit/time.d: Mention these affect transfers in either direction
- strcase: Some optimizations
- test2081: Add a valid reply for the second request
- test675: Add missing CR so the test passes when run through Privoxy
- test414: Add the '--resolve' keyword
- test681: Verify --no-remote-name
- tests 266, 116 and 1540: Add a small write delay
- tests/data/test1501: Kill ftp server after slow LIST response
- tests/getpart: Fix getpartattr to work with "data" and "data2"
- tests/server/sws.c: Change the HTTP writedelay unit to milliseconds
- test{440,441,493,977}: Add "HTTP proxy" keywords
- tool_getparam: Fix --parallel-max maximum value constraint
- tool_operate: Make sure --fail-with-body works with --retry
- transfer: Fix potential NULL pointer dereference
- transfer: Maintain --path-as-is after redirects
- transfer: Upload performance; avoid tiny send
- url: Free old conn better on reuse
- url: Remove redundant #ifdefs in allocate_conn()
- url: URL encode the path when extracted, if spaces were set
- urlapi: Make curl_url_set(url, CURLUPART_URL, NULL, 0) clear all parts
- urlapi: Support CURLU_URLENCODE for curl_url_get()
- urldata: Reduce size of a few struct fields
- urldata: Remove three unused booleans from struct UserDefined
- urldata: Store tcp_keepidle and tcp_keepintvl as ints
- version: Allow stricmp() for sorting the feature list
- vtls: Make curl_global_sslset thread-safe
- wolfssh.h: Removed
- wolfSSL: Correct the failf() message when a handle can't be made
- wolfSSL: Explicitly use compatibility layer
- x509asn1: Mark msnprintf return as unchecked
- I had to disable flaky test 3026 for now
Updated libidn to 1.41:
- Bump LT_REVISION for new release; it was mistakenly left at the same value since 1.38
- Add version number related self-checks
Updated perl-Compress-Raw-Zlib to 2.202:
- Z_NULL should be 'UV' rather than 'PV' (GH#17)
Tuesday 28th June 2022
Fedora Project
Branched and built perl-Authen-DigestMD5 (0.04) for EPEL-9
Local Packages
Updated curl (7.84.0) to improve the workaround for test3026 issues
Updated perl-Type-Tiny to 1.014000:
- Documentation:
  - Update copyright dates to 2022
  - Various minor documentation improvements
- Test Suite:
  - Eliminate some warnings and other noise from the test suite
  - Rename some directories in the test suite to better reflect their contents
- Other:
  - Added: $Type::Tiny::SafePackage variable
  - Added: Error::TypeTiny now has a 'throw_cb' method that acts like 'throw' but takes an initial callback parameter
  - Added: Type::Params 'compile', 'compile_named', and 'compile_named_oo' functions now support an 'on_die' callback
  - Eliminate warnings while generating deep explanations for type constraint check fails under some circumstances (mostly affects StrMatch when Regexp::Util isn't installed)