Paul's Blog Entries for December 2023
Friday 1st December 2023
Fedora Project
Updated perl-Test-Simple to 1.302198 in Rawhide:
- Remove use of defined-or operator
Local Packages
Updated perl-Test-Simple to 1.302198 as per the Fedora version
Monday 4th December 2023
Local Packages
Updated c-ares to 1.23.0:
- This is a feature and bugfix release
- Features:
Introduce optional (but on by default) thread-safety for the c-ares library; this has no API nor ABI implications
resolv.conf in modern systems uses attempts and timeouts options instead of the old retrans and retry options
Query caching support based on TTL of responses: can be enabled via ares_init_options() with ARES_OPT_QUERY_CACHE
- Bug Fixes:
ares_init_options() for ARES_OPT_UDP_PORT and ARES_OPT_TCP_PORT accept the port in host byte order, but it was reading it as network byte order (regression introduced in 1.20.0)
ares_init_options() for ARES_FLAG_NOSEARCH was not being honoured for ares_getaddrinfo() or ares_gethostbyname() (regression introduced in 1.16.0)
- Autotools MacOS and iOS version check was failing
Environment variables passed to c-ares are meant to be an override for system configuration (regression introduced in 1.22.0)
Spelling fixes as detected by codespell
The timeout returned by ares_timeout() was truncated to milliseconds but validated to microseconds, which could cause a user to attempt to process timeouts prior to the timeout actually expiring
CMake was not honouring CXXFLAGS passed in via the environment, which could cause compile and link errors with distribution hardening flags during packaging
- Fix Windows UWP and Cygwin compilation
ares_set_servers_*() for legacy reasons needs to accept an empty server list and zero out all servers, which results in an inoperable channel and thus is only used in simulation testing, but we don't want to break users (regression introduced in 1.21.0)
Wednesday 6th December 2023
Local Packages
Updated curl to 8.5.0:
gnutls: Support CURLSSLOPT_NATIVE_CA
HTTP3: ngtcp2 builds are no longer experimental
appveyor: Make VS2008-built curl tool runnable
asyn-thread: Use pipe instead of socketpair for IPC when available
autotools: Accept linker flags via 'CURL_LDFLAGS_{LIB,BIN}'
autotools: Avoid passing 'LDFLAGS' twice to libcurl
- autotools: Delete LCC compiler support bits
autotools: Fix/improve gcc and Apple clang version detection
autotools: Stop setting '-std=gnu89' with '--enable-warnings'
autotools: Update references to deleted 'crypt-auth' option
BINDINGS: Add V binding
build: Add 'src/.checksrc' to source tarball
- build: Add more picky warnings and fix them
build: Always revert '#pragma GCC diagnostic' after use
build: Delete 'HAVE_STDINT_H' and 'HAVE_INTTYPES_H'
- build: Delete support bits for obsolete Windows compilers
build: Fix 'threadsafe' feature detection for older gcc
- build: Fix builds that disable protocols but not digest auth
- build: Fix compiler warning with auths disabled
build: Fix libssh2 + 'CURL_DISABLE_DIGEST_AUTH' + 'CURL_DISABLE_AWS'
- build: Picky warning updates
- build: Require Windows XP or newer
cfilter: Provide call to tell connection to forget a socket
checksrc.pl: Support #line instructions
- CI: Add autotools, out-of-tree, debug build to distro check job
CI: Ignore test 286 on Appveyor gcc 9 build
cmake: Add 'CURL_DISABLE_BINDLOCAL' option
cmake: Add test for 'DISABLE' options, add 'CURL_DISABLE_HEADERS_API'
- cmake: Dedupe Windows system libs
cmake: Fix 'HAVE_H_ERRNO_ASSIGNABLE' detection
cmake: Fix CURL_DISABLE_GETOPTIONS
- cmake: Fix multiple include of CURL package
- cmake: Fix OpenSSL quic detection in quiche builds
cmake: Option to disable install and drop 'curlu' target when unused
- cmake: Pre-fill rest of detection values for Windows
cmake: Replace 'check_library_exists_concat()'
- cmake: Speed up threads setup for Windows
cmake: Speed up zstd detection
config-win32: Set 'HAVE_SNPRINTF' for mingw-w64
configure: Better --disable-http
configure: Check for the fseeko declaration too
- conncache: Use the closure handle when disconnecting surplus connections
content_encoding: Make Curl_all_content_encodings allocless
cookie: Lowercase the domain names before PSL checks (CVE-2023-46218)
curl.h: Delete Symbian OS references
curl.h: On FreeBSD include sys/param.h instead of osreldate.h
curl.rc: Switch out the copyright symbol for plain ASCII
curl: Improved IPFS and IPNS URL support
curl_easy_duphandle.3: Clarify how HSTS and alt-svc are duped
Curl_http_body: Clean up properly when Curl_getformdata errors
curl_setup: Disallow Windows IPv6 builds missing getaddrinfo
curl_sspi: Support more revocation error names in error messages
CURLINFO_PRETRANSFER_TIME_T.3: Fix time explanation
CURLMOPT_MAX_CONCURRENT_STREAMS: Make sure the set value is within range
CURLOPT_CAINFO_BLOB.3: Explain what CURL_BLOB_COPY does
CURLOPT_WRITEFUNCTION.3: Clarify libcurl returns for CURL_WRITEFUNC_ERROR
CURPOST_POSTFIELDS.3: Add CURLOPT_COPYPOSTFIELDS in SEE ALSO
docs/example/keepalive.c: Show TCP keep-alive options
docs/example/localport.c: Show off CURLOPT_LOCALPORT
docs/examples/interface.c: Show CURLOPT_INTERFACE use
docs/libcurl: Fix three minor man page format mistakes
docs/libcurl: SYNOPSIS clean up
- docs: Add supported version for the json write-out
docs: Clarify that curl passes on input unfiltered
docs: Fix function typo in curl_easy_option_next.3
docs: KNOWN_BUGS clean up
docs: Make all examples in all libcurl man pages compile
- docs: Preserve the modification date when copying the prebuilt man page
docs: Remove bold from some man page SYNOPSIS sections
docs: Use SOURCE_DATE_EPOCH for generated manpages
- doh: Provide better return code for responses w/o addresses
doh: Use PIPEWAIT when HTTP/2 is attempted
duphandle: Also free 'outcurl->cookies' in error path
duphandle: Make dupset() not return with pointers to old alloced data
duphandle: Use strdup to clone *COPYPOSTFIELDS if size is not set
easy: In duphandle, init the cookies for the new handle
easy: Remove duplicate wolfSSH init call
easy_lock: Add a pthread_mutex_t fallback
examples/rtsp-options.c: Add
fopen: Create new file using old file's mode
fopen: Create short(er) temporary file name (CVE-2023-46219)
getenv: PlayStation doesn't have getenv()
GHA: Move mod_h2 version in CI to v2.0.25
hostip: Show the list of IPs when resolving is done
hostip: Silence compiler warning '-Wparentheses-equality'
- hsts: Skip single-dot hostname
- HTTP/2, HTTP/3: Handle detach of ongoing transfers
- http2: Header conversion tightening
http2: Provide an error callback and failf the message
http2: Safer invocation of populate_binsettings
- http: Allow longer HTTP/2 request method names
http: Avoid Expect: 100-continue if Upgrade: is used
http: Consider resume with CURLOPT_FAILONERRROR and 416 to be fine
http: Fix '-Wunused-parameter' with no auth and no proxy
http: Fix '-Wunused-variable' compiler warning
- http: Fix empty-body warning
http_aws_sigv4: Canonicalise valueless query params
- hyper: Temporarily remove HTTP/2 support
INSTALL: Update list of ports and CPU archs
IPFS: Fix IPFS_PATH and file parsing
keylog: Disable if unused
lib: Add and use Curl_strndup()
lib: Apache style infof and trace macros/functions
lib: Fix gcc warning in printf call
libcurl-errors.3: Sync with current public headers
libcurl-thread.3: Simplify the TLS section
Makefile.am: Drop vc10, vc11 and vc12 projects from dist
Makefile.mk: Fix '-rtmp' option for non-Windows
- mime: Store "form escape" as a single bit
misc: Fix -Walloc-size warnings
msh3: Error when built with CURL_DISABLE_SOCKETPAIR set
multi: During ratelimit multi_getsock should return no sockets
multi: Use pipe instead of socketpair to *wakeup()
- ngtcp2: Fix races in stream handling
- ngtcp2: Ignore errors on unknown streams
ntlm_wb: Use pipe instead of socketpair when possible
openldap: Move the alloc of ldapconninfo to *connect()
openldap: Set the callback argument in oldap_do
openssl: Avoid BN_num_bits() NULL pointer derefs
- openssl: Fix building with v3 'no-deprecated' + add CI test
openssl: Fix infof() to avoid compiler warning for %s with null
- openssl: Identify the "quictls" backend correctly
openssl: Include SIG and KEM algorithms in verbose
openssl: Make CURLSSLOPT_NATIVE_CA import Windows intermediate CAs
openssl: Two multi pointer checks should probably rather be asserts
- openssl: When a session-ID is reused, skip OCSP stapling
- page-footer: Clarify exit code 25
- projects: Add VC14.20 project files
- pytest: Use lower count in repeat tests
- quic: Make eyeballers connect retries stop at weird replies
- quic: Manage connection idle timeouts
quiche: Use quiche_conn_peer_transport_params()
- rand: Fix build error with autotools + LibreSSL
resolve.d: Drop a multi use-sentence
- RTSP: Improved RTP parser
rustls: Implement connect_blocking
sasl: Fix '-Wunused-function' compiler warning
- schannel: Add CA cache support for files and memory blobs
setopt: Check CURLOPT_TFTP_BLKSIZE range on set
- setopt: Remove outdated cookie comment
- setopt: Remove superfluous use of ternary expressions
- socks: Better buffer size checks for socks4a user and hostname
socks: Make SOCKS5 use the CURLOPT_IPRESOLVE choice
symbols-in-versions: The CLOSEPOLICY options are deprecated
test1683: Remove commented-out check alternatives
test3103: Add missing quotes around a test tag attribute
test613: Stop showing an error on missing output file
tests/README: SOCKS tests are not using OpenSSH; it has its own server
tests/server: Add more SOCKS5 handshake error checking
tests: Fix Windows test helper tool search and use it for handle64
- tidy-up: Casing typos, delete unused Windows version aliases
tool: Fix --capath when proxy support is disabled
- tool: Support bold headers in Windows
tool_cb_hdr: Add an additional parsing check
tool_cb_prg: Make the carriage return fit for wide progress bars
tool_cb_wrt: Fix write output for very old Windows versions
tool_getparam: Limit --rate to be smaller than number of ms
tool_operate: Do not mix memory models
tool_operate: Fix links in IPFS errors
tool_parsecfg: Make warning output propose double-quoting
tool_urlglob: Fix build for old gcc versions
tool_urlglob: Make multiply() bail out on negative values
tool_writeout_json: Fix JSON encoding of non-ascii bytes
- transfer: Abort pause send when connection is marked for closing
- transfer: Avoid calling the read callback again after EOF
transfer: Only reset the FTP wildcard engine in CLEAR state
- url: Don't touch the multi handle when closing internal handles
- url: Find scheme with a "perfect hash"
url: Fix '-Wzero-length-array' with no protocols
url: Fix builds with 'CURL_DISABLE_HTTP'
- url: Protocol handler lookup tidy-up
- url: Proxy ssl connection reuse fix
- urlapi: Avoid null deref if setting blank host to url encode
- urlapi: Skip appending NULL pointer query
- urlapi: When URL encoding the fragment, pass in the right length
urldata: Make maxconnects a 32-bit value
urldata: Move async resolver state from easy handle to connectdata
urldata: Move cookielist from UserDefined to UrlState
urldata: Move hstslist from 'set' to 'state'
urldata: Move the 'internal' boolean to the state struct
vssh: Remove the #ifdef for Curl_ssh_init, use empty macro
- vtls: Clean up SSL config management
vtls: Consistently use typedef names for OpenSSL structs
- vtls: Late clone of connection ssl config
- vtls: Use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0
VULN-DISCLOSURE-POLICY: Escape sequences are not a security flaw
windows: Use built-in '_WIN32' macro to detect Windows
- wolfssh: Remove redundant static prototypes
wolfssl: Add default case for wolfssl_connect_step1 switch
wolfssl: Require WOLFSSL_SYS_CA_CERTS for loading system CA
I had to locally include errorcodes.pl, missing from tarball (GH#12462), to get the test suite to pass
Updated curl (8.2.1) to fix cookie mixed case PSL bypass (CVE-2023-46218) and HSTS long file name clears contents (CVE-2023-46219)
Updated libxml2 to 2.12.2:
- Regressions:
parser: Fix invalid free in xmlParseBalancedChunkMemoryRecover
- globals: Disable TLS in static Windows builds
- html: Re-enable buggy detection of XML declarations
- tree: Fix regression when copying DTDs
- parser: Make CRLF increment line number
- Build fixes:
- build: Disable compiler TLS by default
cmake: Update config.h.cmake.in
tests: Fix tests --with-valid --without-xinclude
- I also enabled the W3C XML Conformance and Schema test suites, which required separate sources
Thursday 11th December 2023
Fedora Project
Updated libssh2 from 1.10.0 to 1.11.0 in EPEL-9 (lots of updates for more modern cryptography features - Bug #2253412)
Monday 11th December 2023
Fedora Project
Updated perl-Mail-Message to 3.015 in Rawhide:
- Accept empty fields without complaint
Fix counting epilogue trailing blank (GH#18, CPAN RT#150141
Tuesday 12th December 2023
Fedora Project
Updated gtk+ (1.2.10) to fix incompatible pointer type in call to XmbTextListToTextProperty
Local Packages
Updated gtk+ (1.2.10) as per the Fedora version
Wednesday 13th December 2023
Fedora Project
Updated bluefish (2.2.14) in Rawhide:
Fix use of incompatible pointer types (upstream rev 8991)
Fix improper use of pointer (SourceForge ticket #80)
Updated perl-IO-AIO (4.8) in Rawhide to fix use of incompatible pointer type in configure test for fexecve():
Fix this error: conftest.c: In function 'main': conftest.c:61:27: error: passing argument 2 of 'fexecve' from incompatible pointer type 61 | int res = fexecve (-1, "argv", 0); | ^~~~~~ | | | char * In file included from conftest.c:58: /usr/include/unistd.h:578:43: note: expected 'char * const*' but argument is of type 'char *' 578 | extern int fexecve (int __fd, char *const __argv[], char *const __envp[]) | The incompatible pointer type issue is traditionally a warning but is likely to be an error in GCC 14. See: https://fedoraproject.org/wiki/Changes/PortingToModernC The presence of the issue in the configure test would be likely to result in failure to detect fexecve() on some systems where it is actually available. diff -up ./configure.ac.orig ./configure.ac --- ./configure.ac.orig 2022-09-28 09:21:39.000000000 +0100 +++ ./configure.ac 2023-12-13 09:22:12.070446241 +0000 @@ -80,7 +80,8 @@ AC_CACHE_CHECK(for fexecve, ac_cv_fexecv #include <unistd.h> int main (void) { - int res = fexecve (-1, "argv", 0); + char *const argv[] = { "foo", "bar", 0 }; + int res = fexecve (-1, argv, 0); return 0; } ]])],ac_cv_fexecve=yes,ac_cv_fexecve=no)]) diff -up ./configure.orig ./configure --- ./configure.orig 2022-09-28 09:23:23.000000000 +0100 +++ ./configure 2023-12-13 09:22:43.887161250 +0000 @@ -4762,7 +4762,8 @@ else $as_nop #include <unistd.h> int main (void) { - int res = fexecve (-1, "argv", 0); + char *const argv[] = { "foo", "bar", 0 }; + int res = fexecve (-1, argv, 0); return 0; }
Local Packages
Updated bluefish (2.2.14) as per the Fedora version
Updated libxml2 to 2.12.3:
- Regressions:
- parser: Fix namespaces redefined from default attributes
- Build fixes:
include: Rename XML_EMPTY helper macro
include: Move declaration of xmlInitGlobals
- include: Add missing includes
include: Move globals from xmlsave.h to parser.h
include: Re-add circular dependency between tree.h and parser.h
- I also disabled Xpointer locations support as per the Fedora package; upstream says of this code:
- This was based on a W3C specification which never got beyond Working Draft status. To my knowledge, there's no software supporting this spec that is still maintained. Be warned that this part of the code base is buggy and had many security issues in the past.
Updated perl-IO-AIO (4.8) as per the Fedora version
Rebuilt pptp (1.10.0) to sync with Rawhide
Updated proftpd (1.3.8a) with an additional C compatibility fix (GH#1754)
Friday 15th December 2023
Fedora Project
Updated perl-Business-ISBN-Data to 20231215.001 in Rawhide:
- Data update for 20231215
Local Packages
Updated unrar to 7.00 beta 3
Sunday 17th December 2023
Fedora Project
Updated perl-Getopt-Long-Descriptive to 0.113 in Rawhide:
- Improve line wrapping so spacers (non-option text lines) can use more horizontal characters
- Replace tabs (generally 8 space) indents in output with four spaces
Updated perl-MouseX-Getopt (0.38) in Rawhide to fix compatibility with Getopt::Long::Descriptive 0.113 (GH#15)
Tuesday 19th December 2023
Fedora Project
Updated perl-MooseX-Getopt to 0.76 in Rawhide:
Adjust tests to deal with formatting changes in Getopt::Long::Descriptive 0.113
Wednesday 20th December 2023
Fedora Project
Became main admin of perl-Crypt-DES and perl-String-Util
Thursday 21st December 2023
Fedora Project
Updated perl-Business-ISBN-Data to 20231220.001 in Rawhide:
- Data update for 20231220
Updated proftpd to 1.3.8b in Rawhide, F-39, F-38 and EPEL-9:
Compiling ProFTPD 1.3.8a mod_sftp, mod_tls using libressl 3.7.3 failed (GH#1735)
Build system failed for specific module names (GH#1756)
"Terrapin" Prefix Truncation Attacks in SSH Specification affected mod_sftp (CVE-2023-48795, GH#1760)
Local Packages
Updated proftpd to 1.3.8b as per the Fedora version
Updated proftpd (1.3.9) to 1.3.9rc2:
1.3.9rc1 mod_sftp failed to compile if EVP_chacha20 was unavailable, as when using older OpenSSL versions (GH#1730)
Error resolving DNS name for implicit "server config" vhost lead to DelayTable not being found (GH#1746)
Log message for exceeding quota did not include the user/group/class quota type (GH#1749)
Build system failed for specific module names (GH#1756)
"Terrapin" Prefix Truncation Attacks in SSH Specification affected mod_sftp (CVE-2023-48795, GH#1760)
Sunday 24th December 2023
Local Packages
Updated c-ares to 1.24.0 (Fedora 30 onwards):
- This is a feature and bugfix release
- Features:
Add support for IPv6 link-local DNS servers; nameserver formats can now accept the %iface suffix, and a new ares_get_servers_csv() function was added to return servers that can contain the link-local interface name
- Changes:
Unbundle GoogleTest for test cases; package maintainers will now need to require GoogleTest (GMock) as a build dependency if building tests (new GoogleTest versions require C++14 or later)
- Replace nameserver parsing code to use new memory-safe functions
Replace the sortlist parser with new memory-safe functions
- Various warning fixes and dead code removal
- Bug Fixes:
Old Linux versions require POSIX_C_SOURCE or _GNU_SOURCE to compile with thread safety support
- A non-responsive DNS server that caused timeouts wouldn't increment the failure count, which would lead to other servers not being tried (regression introduced in 1.22.0)
Some projects that depend on c-ares expect invalid parameter option values passed into ares_init_options() to simply be ignored; this behaviour has been restored
On linux, getrandom() can fail if the kernel doesn't support the syscall: fall back to another random source
ares_cancel() when performing ares_gethostbyname() or ares_getaddrinfo() with AF_UNSPEC, if called after one address class was returned but before the other address class, would return ARES_SUCCESS rather than ARES_ECANCELLED
Note: building without cmake is broken in this release (GH#670), which is why builds for releases older than Fedora 30 are unavailable
Thursday 28th December 2023
Fedora Project
Updated perl-YAML to 1.31 in Rawhide:
- Update docs to recommend YAML::PP
Updated proftpd (1.3.6e) in EPEL-8 to fix one-byte out-of-bounds read, and daemon crash, because of mishandling of quote/backslash semantics (GH#1683, CVE-2023-51713)
Local Packages
Updated perl-Net-DNS to 1.42:
Fix hang in Net::DNS::Nameserver on Windows (CPAN RT#150695)
Updated perl-YAML to 1.31 as per the Fedora version
Friday 29th December 2023
Fedora Project
Updated perl-IO-Tty to 1.20 in Rawhide:
Local Packages
Saturday 30th December 2023
Fedora Project
Updated perl-Spreadsheet-ParseExcel to 0.66 in F-38, F-39 and Rawhide:
Fix for CVE-2023-7101 (unvalidated input can lead to arbitrary code execution vulnerability) (GH#33)
Sunday 31st December 2023
Fedora Project
Updated perl-Spreadsheet-ParseExcel to 0.66 (from 0.65) in EPEL-8 and EPEL-9:
Fix for CVE-2023-7101 (unvalidated input can lead to arbitrary code execution vulnerability) (GH#33)
Updated perl-Spreadsheet-ParseExcel to 0.66 (from 0.59) in EPEL-7:
Fix for CVE-2023-7101 (unvalidated input can lead to arbitrary code execution vulnerability) (GH#33)
- Merge support for accessing hyperlink data
Fix ExcelLocaltime rounding (CPAN RT#47072)
Fix crash with date format that has commas (CPAN RT#93142)
Fix distribution metadata (CPAN RT#93651)
Allow more flexible filehandle specifications (CPAN RT#12946)
Fix auto color (CPAN RT#93065)
Fix test 46 skip_all plan logic
Fix 0x00 general format and associated test (CPAN RT#52830)
Fix undefined value as ARRAY (CPAN RT#93138)
Fix Red Cell formats (CPAN RT#93500)
Add tab colour support (CPAN RT#93379)
Detect active worksheet (CPAN RT#93393)
Fix colour leaks from workbook (CPAN RT#93425)
Add support for hidden rows and columns (CPAN RT#93367)
Save merged areas properly (CPAN RT#62953)
Fix CellHandler not localised to object (CPAN RT#43250)
Local Packages
Updated perl-DateTime-TimeZone to 2.61:
- This release is based on version 2023d of the Olson database
- Contemporary changes for Antarctica, Greenland, and Palestine
Updated perl-Module-CoreList to 5.20231230:
- Updated for v5.39.6
Previous Month: November 2023
Next Month: January 2024