Paul's Blog Entries for February 2025
Sunday 2nd February 2025
Fedora Project
Updated perl-Test-Warnings to 0.038 in Rawhide:
Refrain from swapping out done_testing method if :no_end_test is configured
Local Packages
Updated perl-Test-Warnings to 0.038 as per the Fedora version
Monday 3rd February 2025
Tuesday 4th February 2025
Fedora Project
Updated python-paramiko to 3.5.1 in Rawhide:
Private key material is now explicitly 'unpadded' during decryption, removing a reliance on some lax OpenSSL behaviour and making us compatible with future Cryptography releases (GH#2490)
Wednesday 5th February 2025
Local Packages
Updated curl to 8.12.0:
curl: Add byte range support to --variable reading from file
curl: Make --etag-save acknowledge --create-dirs
getinfo: Fix CURLINFO_QUEUE_TIME_T and add 'time_queue' var
- getinfo: Provide info about which auth was used for HTTP and proxy
- hyper: Drop support
- openssl: Add support to use keys and certificates from PKCS#11 provider
QUIC: 0RTT for gnutls via CURLSSLOPT_EARLYDATA
vtls: Feature ssls-export for SSL session im-/export
- altsvc: Avoid integer overflow in expire calculation
- altsvc: return error on dot-only name
android: Add CI jobs, buildinfo, cmake docs, disable 'CURL_USE_PKGCONFIG' by default
asyn-ares: Acknowledge CURLOPT_DNS_SERVERS set to NULL
- asyn-ares: Fix memory leak
- asyn-ares: Initial HTTPS resolve support
asyn-thread: Use c-ares to resolve HTTPS RR
async-thread: Avoid closing eventfd twice (CVE-2025-0665)
- autotools: Add support for mingw UWP builds
autotools: Silence gcc warnings in libtool code
- binmode: Convert to macro and use it from tests
build: Delete '-Wsign-conversion' related FIXMEs
build: Drop '-Winline' picky warning
build: Drop 'tool_hugehelp.c.cvs', tidy up macros, drop 'buildconf.bat'
build: Drop macro used to enable '-Wsign-conversion' warnings in CI
- build: Drop unused feature macros, update exception list
build: Fix '-Wtrampolines' picky warning for gcc 4.x versions
- build: Fix compiling with GCC 4.x versions
- build: Fix the tidy targets for autotools
build: Fix unsigned 'time_t' detection for cmake, MS-DOS, AmigaOS
build: Replace configure check with PP condition (Android <21)
build: Stop detecting 'sched_yield()' on Windows
- c-ares: Fix/tidy-up macro initializations, avoid a deprecated function
cd2nroff: Do not insist on quoted <> within backticks
cd2nroff: Support "none" as a TLS backend
cf-https-connect: Look into httpsrr alpns when available
cf-socket: Error if address can't be copied
cfilters: Kill connection filter events attach+detach
checksrc.bat: Remove explicit SNPRINTF bypass
checksrc: Ban use of sscanf()
checksrc: Check for return with parens around a value/name
- checksrc: Exclude generated bundle files to avoid race condition
checksrc: Fix the return() checker
checksrc: Introduce 'banfunc' to ban specific functions
cmake/Find: Add 'iphlpapi' for c-ares, omit syslibs if dep not found
cmake/FindLDAP: Avoid empty 'Requires' item when emitting 'pkg-config' module
- cmake/FindLDAP: Avoid framework locations for libs too (Apple)
cmake/FindLibpsl: Protect against 'pkg-config' "half-detection"
- cmake/FindLibssh: Sync header comment with other modules
- cmake/FindMbedTLS: Drop lib duplicates early
cmake: Add 'librtmp' Find module
- cmake: Add LDAP Find module
cmake: Add native 'pkg-config' detection for remaining Find modules
cmake: Allow 'CURL_LTO' regardless of 'CURL_BUILD_TYPE', enable in CI
- cmake: clang-cl improvements
- cmake: Delete accidental debug message
- cmake: Deprecate winbuild, add migration guide from legacy build methods
cmake: Detect mingw-w64 version, pre-fill 'HAVE_STRTOK_R'
cmake: Do not store 'MINGW64_VERSION' in cache
cmake: Drop 'CURL_USE_PKGCONFIG' from 'curl-config.cmake.in'
cmake: Drop 'fseeko()' pre-fill and check for Windows
- cmake: Drop duplicate Windows cache value
cmake: Drop redundant FOUND checks (libgsasl, libssh, libuv)
cmake: Drop redundant opening/closing '.*' from 'MATCH' expressions
cmake: Drop unused 'HAVE_SYS_XATTR_H' detection
- cmake: Drop VS2010 "Dialog Hell" workaround added in 2013
cmake: Extend zlib's 'AUTO' option to brotli, zstd and enable if found
cmake: Fix 'net/in.h' detection for MS-DOS
cmake: Improve 'curl_dumpvars()' and move to 'Utilities.cmake'
cmake: Make libpsl required by default
cmake: Make system libraries 'dl', 'm', 'pthread' customizable
cmake: Move 'pkg-config' names to Find modules
- cmake: Move GSS init before feature detections
cmake: Move mingw UWP workaround from GHA to 'CMakeLists.txt'
- cmake: Namespace functions and macros
cmake: Optimize out 4 picky warning option detections with gcc
- cmake: Pick a better IPv6 feature flag when assembling the feature list
cmake: Pre-fill 'HAVE_STDATOMIC_H', 'HAVE_ATOMIC' for mingw-w64
cmake: Pre-fill 'HAVE_STDINT_H' on Windows
- cmake: Prefer dash-style MSVC options
cmake: Publish/check supported protocols/features via 'CURLConfig.cmake'
cmake: Replace 'unset(VAR)' with 'set(VAR "")' for init
- cmake: Sync OpenSSL QUIC fork detection with autotools
cmake: Use 'CMAKE_REQUIRED_LINK_DIRECTORIES'
cmake: Use 'STREQUAL' to detect Linux
- cmake: Warn for OpenSSL versions missing TLS 1.3 support
cmdline-opts/version.md: Describe multissl, mention SSLS-EXPORT
completion.pl: Add completion for paths after @ for fish
config-mac: Drop 'MACOS_SSL_SUPPORT' macro
- config: Drop unused code and variables
configure: Do not inline 'dnl' comments
- configure: Drop unused detections and macros
- configure: Streamline Windows large file feature check
- configure: UWP and Android follow-up fixes
- conncache: Count shutdowns against host and max limits
conncache: result_cb comment removed from function docs
content_encoding: Drop support for zlib before 1.2.0.4 (CVE-2025-0725)
content_encoding: Namespace GZIP flag constants
content_encoding: Put the decomp buffers into the writer structs
content_encoding: Support use of custom libzstd memory functions
- cookie: Cap expire times to 400 days
- cookie: Fix crash in netscape cookie parsing
- cookie: Parse only the exact expire date
curl-functions.m4: Fix indentation in 'CURL_SIZEOF()'
- curl: return error if etag options are used with multiple URLs
curl_multi_fdset: Include the shutdown connections in the set
curl_multi_waitfds.md: Tidy up the example
curl_multibyte: Support Windows paths longer than MAX_PATH
curl_setup: Fix missing 'ADDRESS_FAMILY' type in rare build cases
curl_sha512_256: Rename symbols to the curl namespace
curl_url_set.md: Adjust the added-in to 7.62.0
curl_ws_recv.md: Fix typo
CURLOPT_CONNECT_ONLY.md: An easy handle with this option set cannot be reused
CURLOPT_PROXY.md: Clarify the credential support in proxy URLs
CURLOPT_RESOLVE.md: Fix wording
CURLOPT_SEEKFUNCTION.md: Used for FTP, HTTP and SFTP (only)
docs/BUGS.md: Remove leading space from a link
docs/cmdline-opts/_ENVIRONMENT.md: Minor language fix
docs/cmdline-opts/location.md: Fix typos for location flag
docs/HTTP-COOKIES.md: Link to more information
docs/HTTPSRR.md: Initial HTTPS RR documentation
docs/libcurl/opts: Clarify the return values
docs/libcurl: Return value overhaul
docs/TLS-SESSIONS: Fix typo, the=>they
docs: Document the behaviour of -- in the curl command line
docs: Use lower-case curl and libcurl
doh: Clean-ups and extended HTTPS RR code
doh: Send HTTPS RR requests for all HTTP(S) transfers
easy: Allow connect-only handle reuse with easy_perform
easy: Make curl_easy_perform() return error if connection still there
easy_lock: Use Sleep(1) for thread yield on old Windows
- ECH: Update APIs to those agreed with OpenSSL maintainers
examples/block-ip: Drop redundant 'memory.h' include
examples/block-ip: Show how to block IP addresses
examples/complicated: Fix warnings, bump deprecated callback, tidy up
examples/synctime.c: Remove references to dead URLs and functionality
- examples: Make them compile with compatibility functions disabled (Windows)
examples: Use return according to code style
file: Drop 'OPEN_NEEDS_ARG3' option
- file: Fix Android compiler warning
- gitignore: Add generated unity sources for lib and src
GnuTLS: Fix 'time_appconnect' for early data
hash: Add asserts in hash_element_dtor()
- HTTP/2: Strip TE request header
http2: Fix data_pending check
- http2: Fix value stored to 'result' is never read
http: Fix build with 'CURL_DISABLE_COOKIES'
http: Ignore invalid Retry-After times
http_aws_sigv4: Fix invalid compare function handling zero-length pairs
https-connect: Start next immediately on failure
INFRASTRUCTURE.md: Project infra
INSTALL-CMAKE.md: Fix punctuation
INSTALL.md: Add CMake examples for macOS and iOS
INSTALL.md: Document VS2008 and mingw-w64
INTERNALS.md: Sync wolfSSL version requirement with source code
lib517: Extend the getdate test with quotes and leading "junk"
lib: Clarify 'conn->httpversion'
- lib: Redirect handling by protocol handler
lib: Remove '__EMX__' guards
lib: Replace 'inline' redefine with 'CURL_INLINE' macro
- lib: Suppress deprecation warnings in apple builds
- lib: TLS session ticket caching reworked
libcurl/opts: Do not save files in dirs where attackers have access
Makefile.dist: Delete
- Makefile.mk: Drop in favour of autotools and cmake (MS-DOS, AmigaOS3)
- mbedtls: Fix handling of blocked sends
- mbedtls: PSA can be used independently of TLS 1.3 (avoid runtime errors)
- mime: Explicitly rewind sub-parts at attachment time
mprintf: Fix integer handling in float precision
mprintf: Terminate snprintf output on windows
msvc: Add missing push/pop for warning pragmas
msvc: Assume '_INTEGRAL_MAX_BITS >= 64'
- msvc: Drop checks for ancient versions
msvc: Fix building with 'HAVE_INET_NTOP' and MSVC <=1900
- msvc: Require VS2005 for large file support
msvc: Tidy up '_CRT_*_NO_DEPRECATE' definitions
multi: Fix curl_multi_waitfds reporting of fd_count
- multi: Fix return code for an already-removed easy handle
multihandle: Add an ssl_scache here
multissl: Auto-enable 'OPENSSL_COEXIST' for wolfSSL + OpenSSL
- multissl: Make openssl + wolfssl builds work
netrc: 'default' with no credentials is not a match (CVE-2025-0167)
- netrc: Fix password-only entries
netrc: Restore _netrc fallback logic
- ngtcp2: Fix memory leak on connect failure
- ngtcp2: Fix two cases of value stored never read
openssl: Define 'HAVE_KEYLOG_CALLBACK' before use
openssl: Drop unused 'HAVE_SSL_GET_SHUTDOWN' macro
- openssl: Fix ECH logic
osslq: Use SSL_poll to determine writeability of QUIC streams
- projects/Windows: Remove wolfSSL from legacy projects
projects: Fix 'INSTALL-CMAKE.md' references
pytest: Remove 'repeat' parameter
pytest: Use httpd/apache2 directly, no apachectl
RELEASE-PROCEDURE.md: Mention how to publish security advisories
runtests.pl: Fix precedence issue
scripts/mdlinkcheck: Markdown link checker
- sectransp: Free certificate on error
select: Avoid a NULL deref in cwfds_add_sock
- smb: Fix compiler warning
src: Add 'CURL_STRICMP()' macro, use '_stricmp()' on Windows
src: Drop support for 'CURL_TESTDIR' debug env
src: Omit hugehelp and ca-embed from libcurltool
- ssl session cache: Change cache dimensions
strparse: String parsing helper functions
symbols-in-versions: Update version for LIBCURL_VERSION and LIBCURL_VERSION_NUM
system.h: Add 64-bit curl_off_t definitions for NonStop
system.h: Drop compilers lacking 64-bit integer type (Windows/MS-DOS)
system.h: Drop duplicate and no-op code
system.h: Fix indentation
- telnet: Handle single-byte input option
test1960: Don't close the socket too early
test483: Require cookie support
tests/http/clients: Use proper sleep() call on NonStop
tests: Change the behaviour of swsbounce
- tests: Stop promoting perl warnings to fatal errors
TheArtOfHttpScripting.md: Rewrite double 'that'
tidy-up: 'curl_setup.h', 'curl_setup_once.h', 'config-win32ce.h'
tidy-up: Drop parenthesis around 'return' expression
tidy-up: Drop parenthesis around 'return' values
tidy-up: Extend 'CURL_O_BINARY' to lib and tests
- TLS: Check connection for SSL use, not handler
tool_formparse.c: Make curlx_uztoso a static` in here
tool_formparse: Accept digits in --form type= strings
tool_getparam: ECH param parsing refix
tool_getparam: Fail --hostpubsha256 if libssh2 is not used
tool_getparam: Fix "Ignored Return Value"
tool_getparam: Fix memory leak on error in parse_ech
tool_getparam: Fix the ECH parser
tool_operate: Make --etag-compare always accept a non-existing file
transfer: Fix CURLOPT_CURLU override logic
- urlapi: Fix redirect to a new fragment or query (only)
urldata: Tweak the UserDefined struct
variable.md: Mention --expand-variable for variables to variables
variable.md: Show function use with examples
version: Fix the IDN feature for winidn and appleidn
- vquic: Fix 4th function call argument is an uninitialized value
vquic: Make vquic_send_packets not return without setting psent
- vtls: Fix default SSL backend as a fallback
- vtls: Only remember the expiry timestamp in session cache
vtls: Remove 'detach/attach' functions from TLS handler struct
vtls: Remove unusued 'check_cxn' from TLS handler struct
vtls: Replace "none"-functions with NULL pointers
VULN-DISCLOSURE-POLICY.md: Mention the not setting CVSS
VULN-DISCLOSURE-POLICY: On legacy dependencies
- websocket: Fix message send corruption
windows: Drop dupe macros, detect 'CURL_OS' for WinCE ARM, indentation
windows: Drop redundant 'USE_WIN32_SMALL_FILES' macro
windows: Drop two missed 'buildconf.bat' references
windows: Merge 'config-win32ce.h' into 'config-win32.h'
ws-docs: Extend WebSocket documentation
- ws-docs: Remove the outdated texts saying ws support is experimental
- ws: Reject frames with unknown reserved bits set
x509asn1: Add parse recursion limit
Thursday 6th February 2025
Fedora Project
Updated perl-Business-ISBN-Data to 20250205.001 in F-42 and Rawhide:
- Data update for 20250205
Updated perl-TAP-Formatter-JUnit to 0.17 in F-42 and Rawhide:
Bump minimum required Perl to 5.010; XML::Generator v1.11 now requires that as a minimum acceptable Perl
Skip BAIL_OUT test when using Test::Harness 3.45_01-3.48, as those versions contained a bug that resulted in outputting a double summary (GH#15)
Local Packages
Updated dovecot (2.3.21.1) to fix FTBFS in Rawhide and fix sysusers config file name
Rebuilt gtkwave (3.3.121) for tcl/tk 9 in F-42 and Rawhide
Friday 7th February 2025
Fedora Project
Updated perl-MIME-Types to 2.27 in F-42 and Rawhide:
- IANA updates
Explicitly set $/ before reading the file by line
Local Packages
- Branched local development repository for Fedora 42
Updated perl-MIME-Types to 2.27 as per the Fedora version
Wednesday 12th February 2025
Fedora Project
Updated milter-regex (2.7) in Rawhide to drop EL-7 support and add sysusers configuration for builds on Fedora 43 onwards
Updated rbldnsd (0.998b) in Rawhide to add sysusers configuration for builds on Fedora 43 onwards
Local Packages
Updated rbldnsd (0.998b) as per the Fedora version
Thursday 13th February 2025
Fedora Project
Updated perltidy to 20250214 in F-42 and Rawhide (see CHANGES.md for details)
Updated proftpd (1.3.8c) in F-40, F-41, F-42, Rawhide and EL-9 to avoid NULL pointer dereferences in mod_ls (CVE-2024-57392, GH#1866)
Local Packages
Updated curl to 8.12.1:
All: Remove FIXME and TODO comments
asyn-thread: Fix build with 'CURL_DISABLE_SOCKETPAIR'
- asyn-thread: Fix HTTPS RR crash
asyn-thread: Fix the returned bitmask from Curl_resolver_getsock
asyn-thread: Survive a c-ares channel set to NULL
build: Add tool_hugehelp.c into IBMi build
checksrc.pl: Warn on FIXME/TODO comments
cmake/Find: Set '<Modulename>_FOUND' for compatibility when found via 'pkg-config'
- cmake: Add integration tests, run them in CI
- cmake: Always reference OpenSSL and ZLIB via imported targets
cmake: Avoid unnecessary '-L' for implicit link dirs
cmake: Drop 'LDAP_DEPRECATED=1' macro, to sync with autotools
cmake: Fix 'HAVE_GETHOSTBYNAME_R_*' detections with 'CURL_WERROR=ON'
cmake: Fix to detect 'HAVE_OPENSSL_SRP' in MSVC UWP builds
- cmake: Fix/add missing feature detections for Windows/MS-DOS
- cmake: Initialize variables where missing
cmake: Library order fixes for picky linkers (e.g. binutils 'ld')
- cmake: Normalize before matching paths with syspaths
cmake: Respect 'GNUTLS_CFLAGS' when detected via 'pkg-config'
cmake: Respect 'GNUTLS_LIBRARY_DIRS' in 'libcurl.pc' and 'curl-config'
cmake: Save a line with 'CMAKE_C_IMPLICIT_LINK_DIRECTORIES' exclusion
- cmake: Tidy up string append and list prepend syntax
configure/cmake: Check for realpath
configure/cmake: Set asyn-rr as feature only if httpsrr is enabled
content_encoding: #error on too old zlib
curl_global_sslset.md: Add SSL backend names
CURLOPT_SSH_KNOWNHOSTS.md: Strongly recommend using this
CURLSHOPT_SHARE.md: Adjust for the new SSL session cache
- docs: Better explain multi-part byte range behaviour
- docs: Use valid example domain names
generate.bat: Remove curl_get_line.c from the curlx file list
header.md: Mention 'Authorization:' and 'Cookie:' special treatment
- imap: TLS upgrade fix
INTERNALS: Fix c-ares, as we actually support 1.6.0 or later
- ldap: Drop support for legacy Novell LDAP SDK
lib: include necessary headers for 'inet_ntop'/'inet_pton'
- lib: Silence LibreSSL collision warning on non-MSVC Windows
libssh2: Comparison is always true because rc <= -1
libssh2: Raise lowest supported version to 1.2.8
libssh: Drop support for libssh older than 0.9.0
libssh: Silence '-Wconversion' with a cast (Windows 32-bit)
netrc: return code clean-up, fix missing file error
- openssl-quic: Ignore ciphers for h3
openssl: Fix out of scope variables in goto
- pop3: TLS upgrade fix
runtests: Fix the disabling of the memory tracking
runtests: Quote commands to support paths with spaces
- scache: Add magic checks
smb: Silence '-Warray-bounds' with gcc 13+
- smtp: TLS upgrade fix
SPONSORS.md: Clarify that we don't promise goods or services
test1516: Avoid failure due to spaces in path
test2080: Simplify, avoid the null byte
tests: Fix test 558, 1330 for MSVC, allow TrackMemory with MSVC in cmake
tidy-up: Make per-file 'ARRAYSIZE' macros global as 'CURL_ARRAYSIZE'
tool_cfgable: Sort struct fields by size, use bitfields for booleans
tool_getparam: Add "TLS required" flag for each such option
tool_progress: Fix percent output of large parallel transfers
tool_ssls: Switch to tool-specific get_line function
verbose.md: Mention how carriage-return might occur in headers
vquic: Make the "disable GSO" use infof, not failf
- vtls: Fix multissl-init
vtls: Eliminate 'data->state.ssl_scache'
wakeup_write: Make sure the eventfd write sends eight bytes
wolfssl: Silence compiler warning (MSVC 2019), simplify existing
I had to use libssh2 rather than libssh for the Fedora 28 and 29 builds since their versions of libssh are too old for curl now
Updated perl-Perl-Tidy to 20250214 as per the Fedora perltidy package
Updated proftpd (1.3.8c) as per the Fedora version
Friday 14th February 2025
Fedora Project
Updated milter-greylist (4.6.4) in Rawhide to add sysusers.d config file to allow rpm to create users/groups automatically
Updated spamass-milter (0.4.0) in Rawhide to add sysusers.d config file to allow rpm to create users/groups automatically
Local Packages
- Started End-Of-Life process for EL-7 and Fedora 19 to 27 packages (moving them to archive area)
Updated spamass-milter (0.4.0) as per the Fedora version
Monday 17th February 2025
Fedora Project
Updated perl-Module-Find to 0.17 in F-42 and Rawhide:
Avoid warnings when extracting the distribution tarball, which prevented installation under cpanm and other tools (GH#13, CPAN RT#148978)
Local Packages
Updated perl-Module-Find to 0.17 as per the Fedora version
Tuesday 18th February 2025
Fedora Project
Updated perl-Error to 0.17030 in F-42 and Rawhide:
Fix die/warn hooks for perl 5.41.9 changes (GH#4)
Local Packages
Updated perl-Error to 0.17030 as per the Fedora version
Wednesday 19th February 2025
Fedora Project
Updated perl-DateTime to 1.66 in F-42 and Rawhide:
Require Specio 0.50
- That release has a bug fix for validation of integer values
Without the fix, DateTime could accept non-integer values for things like nanoseconds (GH#145)
Updated perl-Specio to 0.50 in F-42 and Rawhide:
Fixed a bug in the Int type that caused it to accept numbers like 124512.000000000123, which when stringified, are stringified as integers
Local Packages
Updated perl-DateTime to 1.66 as per the Fedora version
Updated perl-Specio to 0.50 as per the Fedora version
Updated unrar to 7.10
Thursday 20th February 2025
Fedora Project
Updated perl-Business-ISBN-Data to 20250220.001 in F-32 and Rawhide:
- Data update for 2025-02-19
Friday 21st February 2025
Local Packages
Updated perl-Net-DNS to 1.50:
Minor code improvements in Resolver::Base
Add RESINFO package for resolver information
- Documentation revision and reformatting
IPv4 loopback may be disabled in IPv6-only configuration (CPAN RT#158714)
Fix use of uninitialized value in _send_udp (CPAN RT#158706)
Monday 24th February 2025
Local Packages
Updated perl-Module-CoreList to 5.20250220:
- Updated for v5.41.9
Updated unrar to 7.11 beta 1
Wednesday 26th February 2025
Fedora Project
Updated perl-Business-ISBN-Data to 20250226.001 in F-42 and Rawhide:
- Data update for 2025-02-26
Local Packages
Updated perl-Archive-Tar to 3.04:
- Fix handling filenames with trailing whitespace
Allow --format=ustar option for ptar
Symlink tests on Windows (https://github.com/Perl/perl5/issues/21402)
Previous Month: January 2025
Next Month: March 2025