Paul's Blog Entries for September 2025
Tuesday 2nd September 2025
Fedora Project
Updated perl-Business-ISBN-Data to 20250902.001 in F-43 and Rawhide:
- Data update for 2025-09-02
Local Packages
Updated perl-Net-DNS to 1.53:
- Suppress autovivified undefined $rr->{class} and $rr->{ttl}
- Rework test scripts for SVCB and DELEG
Updated perl-Type-Tiny to 2.008003:
- Bug Fixes:
  - Make sure methods fake-inherited from Moose (if it's loaded) are a last resort
- Other:
  - Slightly streamlined Type::Tiny::can and Type::Tiny::AUTOLOAD
  - When dumping structures via Data::Dumper (mostly in error messages), suppress any warnings Data::Dumper would emit
Wednesday 3rd September 2025
Fedora Project
Merged PR#1 for perl-Unicode-UTF8 in Rawhide to use the bundled Module::Install in RHEL builds
Updated perl-Mail-Transport to 3.007 in F-43 and Rawhide:
- Fix smtp when the message body does not naturally end on a blank
Local Packages
Updated curl (release candidate) in Rawhide to new upstream release candidate 8.16.0~rc3
Updated perl-Term-Table to 0.025:
- Typo fix in comment
- Hide some diagnostics when tests run in perl core
Friday 5th September 2025
Local Packages
Updated perl-ExtUtils-ParseXS to 3.59:
- Throw an exception when combining the length operator with a typemap other than T_PV
Monday 8th September 2025
Local Packages
Updated perl-Filter to 1.65:
- Documentation updates
Tuesday 9th September 2025
Fedora Project
Updated perl-Cpanel-JSON-XS to 4.40 in F-41, F-42, F-43, Rawhide, EPEL-8, EPEL-9, EPEL-10.0, EPEL-10.1 and EPEL-10.2:
- Fix overflow with overlong numbers, fuzzing only (CVE-2025-40929)
- Detect more malformed numbers, with two decimal points
- Pin GitHub actions to latest @v via pinact run -u
Local Packages
Updated perl-Cpanel-JSON-XS to 4.40 as per the Fedora version
Updated perl-JSON-XS to 4.03:
- Fix heap overflow that causes crashes, possibly information disclosure or worse (CVE-2025-40928), and that causes JSON::XS to accept invalid JSON texts as valid in some cases
Wednesday 10th September 2025
Fedora Project
Updated perl-MCE to 1.902 in F-43 and Rawhide:
- Add support for Iterator:: classes
Merged PR#2 for perl-Unicode-UTF8 in Rawhide to use system Module::Install but skip ReadmeFromPod on RHEL
Local Packages
Updated curl to 8.16.0:
- build: Bump minimum required mingw-w64 to v3.0 (from v1.0)
- curl: Add --follow
- curl: Add --out-null
- curl: Add --parallel-max-host to limit concurrent connections per host
- curl: Make --retry-delay and --retry-max-time accept decimal seconds
- hostip: Cache negative name resolves
- IP happy eyeballing: Keep attempts running
- mbedtls: Bump minimum version required to 3.2.0
- multi: Add curl_multi_get_offt
- multi: Add CURLMOPT_NETWORK_CHANGED to signal network changed
- netrc: Use the NETRC environment variable (first) if set
- smtp: Allow suffix behind a mail address for RFC 3461
- tls: Make default TLS version be minimum 1.2
- tool_getparam: Add support for '--longopt=value'
- vquic: Drop msh3
- websocket: Support CURLOPT_READFUNCTION
- writeout: Add %time{}
- _PROTOCOLS.md: Mention file:// is only for absolute paths
- acinclude: --with-ca-fallback only works with OpenSSL
- alpn: Query filter
- ares: Destroy channel on shutdown
- ares: Use 'ares_strerror()' to retrieve error messages
- asyn-thrdd: Fix --disable-socketpair builds
- asyn-thrdd: Fix Curl_async_pollset without socketpair
- asyn-thrdd: Fix no 'HAVE_GETADDRINFO' builds
- asyn-thrdd: Manage DEFERRED and locks better
- autotools: Make curl-config executable
- aws-lc: Do not use large buffer
- BINDINGS.md: Add LibQurl
- bufq: Add integer overflow checks before chunk allocations
- bufq: Removed "Useless Assignment"
- bufq: Simplify condition
- build: Allow libtests/clients to use libcurl dependencies directly
- build: Disable 'TCP_NODELAY' for emscripten
- build: Enable _GNU_SOURCE on GNU/Hurd
- build: Extend GNU C guards to clang where applicable, fix fallouts
- build: Fix build errors/warnings in rare configurations
- build: Fix disable-verbose
- build: Fix mingw-w64 version guard for mingw32ce
- build: If no perl, fix to use the pre-built hugehelp, if present
- build: Link to Apple frameworks required by static wolfSSL
- build: Support LibreSSL native crypto lib with ngtcp2 1.15.0+
- build: Tidy up compiler definition for tests
- cf-https-connect: Delete unused declaration
- clang-tidy: Disable 'clang-analyzer-security.ArrayBound'
- cmake: 'CURL_CA_FALLBACK' only works with OpenSSL
- cmake: Capitalize 'Rustls' in the config summary
- cmake: Defer building 'unitprotos.h' till a test target needs it
- cmake: Define 'WIN32_LEAN_AND_MEAN' for examples
- cmake: Drop redundant unity mode for 'curlinfo'
- cmake: Enable '-Wall' for MSVC 1944
- cmake: Fix 'ENABLE_UNIX_SOCKETS=OFF' with pre-fill enabled on unix
- cmake: Fix setting LTO properties on the wrong targets
- cmake: Fix to disable Schannel and SSPI for non-Windows targets
- cmake: Fix to restrict 'SystemConfiguration' to macOS
- cmake: Honour 'CMAKE_C_FLAGS' in test 1119 and 1167
- cmake: Improve error message for invalid HTTP/3 MultiSSL configs
- cmake: Keep websockets disabled if HTTP is disabled
- cmake: Make 'runtests' targets build the curl tool
- cmake: Make the ExternalProject test work
- cmake: Omit linking duplicate/unnecessary libs to tests and examples
- cmake: Re-add simple test target, and name it 'tests'
- cmake: Set 'CURL_DIRSUFFIX' automatically in multi-config builds
- CODE_STYLE: Sync with recent 'checksrc.pl' updates
- config-win32.h: Do not use winsock2 'inet_ntop()'/'inet_pton()'
- configure: If no perl, disable unity and shell completion, related tidy ups
- configure: Tidy up internal names in ngtcp2 ossl detection logic
- connectdata: Remove primary+secondary ip_quadruple
- connection: Terminate after goaway
- contrithanks: Fix for BSD 'sed' tool
- cookie: Don't treat the leading slash as trailing (CVE-2025-9086)
- cookie: Remove expired cookies before listing
- curl-config: Remove X prefix use
- curl/system.h: Fix for GCC 3.3.x and older
- curl: Make the URL indexes 64 bit
- curl: tool_read_cb fix of segfault
- curl_addrinfo: Drop workaround for old-mingw
- curl_easy_ssls_export: Make the example more clear
- curl_fnmatch, servers: Drop local macros in favour of 'sizeof()'
- curl_mime_data_cb.md: Mention what datasize is for
- curl_ossl: Extend callback table for nghttp3 1.11.0
- curl_setup.h: include 'stdint.h' earlier
- CURLINFO_FILETIME*.md: Correct the examples
- CURLOPT: Bump 'CURL_REDIR_*' macros to 'long'
- CURLOPT: Bump 'CURL_SSLVERSION_*' macros to 'long'
- CURLOPT: Bump 'CURLALTSVC_*' macros to 'long'
- CURLOPT: Bump 'CURLFTP*' enums to 'long', drop casts
- CURLOPT: Bump 'CURLHEADER_*' macros to 'long', drop casts
- CURLOPT: Bump 'CURLPROTO_*' macros to 'long'
- CURLOPT: Bump 'CURLPROXY_*' enums to 'long', drop casts
- CURLOPT: Bump 'CURLWS_NOAUTOPONG', 'CURLWS_RAW_MODE' macros to 'long'
- CURLOPT: Bump remaining macros to 'long'
- CURLOPT: Drop redundant 'long' casts
- CURLOPT: Replace '(long)' cast with 'L' suffix for 'CURLHSTS_*' macros
- CURLOPT_HTTP_VERSION: Mention new default value
- CURLOPT_SSL_CTX_*: Replace the base64 with XXXX
- delta: Fix warnings, fix for non-GNU 'date' tool
- DEPRECATE.md: Drop old OpenSSL versions
- DEPRECATE.md: Drop support for c-ares versions before 1.16.0
- DEPRECATE.md: Drop support for Windows XP/2003
- DEPRECATE.md: Remove leftover "nothing"
- DISTROS.md: Add Haiku
- docs/cmdline-opts: The auth types are not mutually exclusive
- docs: Add CURLOPT type change history, drop casts where present
- docs: Add major incident section to vuln disclosure policy
- docs: Fix CONTRIBUTE.md link
- docs: Fix name in curl_easy_ssls_export man page
- docs: Fix typo (staring -> starting)
- docs: Point two broken links to archive.org
- docs: Put '<>' within backticks in titles
- doh: Rename symbols to avoid collision with mingw-w64 headers
- easy handle: Check validity on external calls
- examples: Drop long cast for 'CURLALTSVC_*'
- examples: Make 'CURLPIPE_MULTIPLEX' fallback 'long'
- examples: Remove base64 encoded chunks from examples
- examples: Remove href_extractor.c
- ftp: Store dir components as start+len instead of memdup'ing
- ftp: Use 'conn' instead of 'data->conn'
- gnutls: Fix building with older supported GnuTLS versions
- gnutls: Some small clean-ups
- hmac: Return error if init fails
- hostip: Do DNS cache pruning in milliseconds
- HTTP3.md: Avoid 'configure' issue for ngtcp2 1.14.0+ compatibility
- http: const up readonly H2_NON_FIELD
- http: Do the cookie list access under lock
- http: Silence '-Warray-bounds' with gcc 13+
- idn: Reject conversions that end up as a zero length hostname
- inet_pton, inet_ntop: Drop declarations when unused
- lib1560: Fix memory leak when run without UTF-8 support
- lib1560: Replace an 'int' with 'bool'
- lib2700: Use 'testnum'
- lib517: Use 'LL' 64-bit literals and re-enable a test case ('time_t')
- lib: Drop 'UNUSED_PARAM' macro
- libcurl: Reset rewind flag in curl_easy_reset()
- libssh: Use sftp_aio instead of sftp_async for sftp_recv
- libtests: Update format strings to avoid casts, drop some macros
- libtests: Use 'FMT_SOCKET_T', drop more casts
- managen: Reset text mode at end of table marker
- mbedtls: Check for feature macros instead of version
- mdlinkcheck: Handle links with a leading slash properly
- memanalyze: Fix warnings
- memory: Make function overrides work reliably in unity builds
- multi event: Remove only announced
- multi: Don't insert a node into the splay tree twice
- multi: Fix assert in multi_getsock()
- multi: Fix bad splay management
- multi: Process pending, one by one
- multi: Replace remaining EXPIRE_RUN_NOW
- multissl: Initialize when requesting a random number
- ngtcp2: Extend callback tables for nghttp3 1.11.0 and ngtcp2 1.14.0
- ngtcp2: Handshake timeout should be equal to --connect-timeout
- ngtcp2: Use custom mem funcs
- openldap: Fix '-Wtentative-definition-compat'
- openssl: Add and use 'HAVE_BORINGSSL_LIKE' internal macro
- openssl: Add and use 'HAVE_OPENSSL3' internal macro
- openssl: Assume 'OPENSSL_VERSION_NUMBER'
- openssl: Auto-pause on verify callback retry
- openssl: Check SSL_write() length on retries
- openssl: Clear errors after a failed 'd2i_X509()'
- openssl: Drop more legacy cruft
- openssl: Drop redundant 'HAVE_OPENSSL_VERSION' macro
- openssl: Drop redundant version check
- openssl: Drop single-use interim macro 'USE_OPENSSL_SRP'
- openssl: Enable 'HAVE_KEYLOG_CALLBACK' for AWS-LC
- openssl: Merge two #if blocks
- openssl: Output unescaped utf8 x509 issuer/subject DNs
- openssl: Remove legacy cruft, document macro guards
- openssl: Save and restore OpenSSL error queue in two functions
- openssl: Some small clean-ups
- openssl: Split cert_stuff into smaller sub functions
- openssl: Sync an AWS-LC guard with BoringSSL
- openssl: Use 'RSA_flags()' again with BoringSSL
- parallel-max: Bump the max value to 65535
- parsedate: Make Curl_getdate_capped able to return epoch
- processhelp.pm: Fix to use the correct null device on Windows
- processhelp.pm: Use 'Win32::Process*' perl modules if available
- projects: Drop unused logic from 'generate.bat'
- projects: Fix Windows project 'clean' function
- pytest: Add SOCKS tests and scoring
- pytest: Fix test_17_09_ssl_min_max for BoringSSL
- pytest: Increase server KeepAliveTimeout
- pytest: Relax error check on test_07_22
- resolving: DNS error tracing
- runtests: Assume 'Time::HiRes', drop Perl Win32 dependency
- runtests: Remove warning message
- runtests: Replace '--ci' with '--buildinfo', show OS/Perl version again
- runtests: Show still running tests when nothing has happened for a while
- schannel: Add an error message for client cert not found
- schannel: Assume 'CERT_CHAIN_REVOCATION_CHECK_CHAIN'
- schannel: Drop fallbacks for 4 macros
- schannel: Drop fallbacks for unused 'BCRYPT_*' macros
- schannel: Drop old-mingw special case
- schannel: Fix recent update for mingw32ce
- schannel: Fix renegotiation
- schannel: Improve handshake procedure
- schannel: Not supported with UWP, drop redundant code
- schannel: Use if(result) like the code style says
- scripts: Enable strict warnings in Perl where missing, fix fallouts
- scripts: Fix two Perl uninitialized value warnings
- sendf: Getting less data than "max allowed" is okay
- servers: Convert two macros to scoped static const strings
- setopt: Refactor out the booleans from setopt_long to setopt_bool
- setopt: Split out cookielist() and cookiefile()
- socks: do_SOCKS5: Fix invalid buffer content on short send
- socks_sspi: Simplify, clean up Curl_SOCKS5_gssapi_negotiate
- spacecheck.pl: When detecting unicode, mention line number
- spacecheck: Warn for 3+ empty lines in a row, fix fallouts
- spelling: File system
- test1148: Drop redundant 'LC_NUMBER=' env setting
- test1557: Pass 'long' type to 'multi_setopt()'
- test1560: Set locale/codeset with 'LC_ALL' (was: 'LANG'), test in CI
- test1560: Skip some URLs if UTF-8 is not supported
- test1: Raise alloc limits
- test428: Re-enable for Windows
- test436: Fix running on Windows with '_curlrc' present
- test: Add 'cygwin' feature and use it (test 1056, 1517)
- tests/ech_tests.sh: Indent, if/for style, inline ifs
- tests: constify command-line arguments
- tests: Delete unused commands
- tests: Drop unused 'BLANK' envs, unset 'CURL_NOT_SET'
- tests: Drop unused 'CURL_FORCEHOST' envs
- tests: Fix perl warnings in http2-server, http3-server
- tests: Fix prechecks to call the bundle libtest tool
- tests: Fix UTF-8 detection, per-test 'LC_*' settings, CI coverage
- tests: Merge clients into libtests, drop duplicate code
- tests: Remove the QUIT filters
- tests: Set 'CURL_ENTROPY' per test, not globally
- tests: Unset some envs instead of blanking them
- threaded-resolver: Fix shutdown
- tidy-up: 'Curl_thread_create()' callback return type
- tidy-up: Move literal to the right side of comparisons
- tidy-up: Prefer 'ifdef'/'ifndef' for single checks
- tls: CURLINFO_TLS_SSL_PTR testing
- TODO: Remove session export item
- TODO: Remove the expand ~ idea
- tool_cb_wrt: Stop alloc/free for every chunk windows console output
- tool_filetime: Accept setting negative filetime
- tool_getparam: Let --trace-config override -v
- tool_getparam: Warn on more unicode prefixes
- tool_operate: Avoid superfluous strdup'ing output
- tool_operate: Use stricter curl_multi_setopt() arguments
- tool_operate: Use the correct config pointer
- tool_paramhlp: Fix secs2ms()
- tool_parsecfg: Use dynbuf for quoted arguments
- tool_urlglob: Add integer overflow protection
- tool_urlglob: Polish, clean-ups, improvements
- typecheck-gcc: Add type checks for curl_multi_setopt()
- unit-tests: Build the unitprotos.h from here
- unit2604: Avoid 'UNCONST()'
- URL-SYNTAX.md: Drop link to codepoints.net to pass linkcheck
- urlapi: Allow more path characters "raw" when asked to URL encode
- urldata: Reduce two long struct fields to unsigned short
- urlglob: Only accept 255 globs
- vquic-tls: Fix SSL backend type for QUIC connections using gnutls
- vquic: Replace assert
- vquic: Use curl_getenv
- vtls: Set seen http version on successful ALPN
- websocket example: Cast print values to unsigned int
- websocket: Handling of PONG frames
- websocket: Improve handling of 0-len frames
- websocket: Reset upload_done when sending data
- windows: Assume 'ADDRESS_FAMILY', drop feature checks
- windows: Document toolchain support for 'CERT_NAME_SEARCH_ALL_NAMES_FLAG'
- windows: Document toolchain support for some macros
- windows: Drop 'CRYPT_E_*' macro fallbacks, limit one to mingw32ce
- windows: Drop two interim, single-use macros
- windows: Drop unused 'curlx/version_win32.h' includes
- windows: Fix 'if_nametoindex()' detection with autotools, improve with cmake
- windows: include 'wincrypt.h' before 'iphlpapi.h' for mingw-w64 <6
- windows: Target version macro tidy-ups
- wolfssl: Rename ML-KEM hybrids to match IETF draft
- write-out.md: header_json is not included in the json object
- ws: Avoid NULL pointer deref in curl_ws_recv
- ws: Get a new mask for each new outgoing frame (CVE-2025-10148)
Updated perl-MCE to 1.902 as per the Fedora version
Thursday 11th September 2025
Fedora Project
Updated perl-Business-ISBN-Data to 20250911.001 in F-43 and Rawhide:
- Data update for 20250911
Saturday 13th September 2025
Fedora Project
Updated perl-Business-ISBN-Data to 20250912.001 in F-43 and Rawhide:
- Data update for 20250912
Updated perltidy to 20250912 in F-43 and Rawhide (see CHANGES.md for details)
Local Packages
Updated perl-Perl-Tidy to 20250912 as per the Fedora perltidy package
Monday 15th September 2025
Fedora Project
Updated perl-Business-ISBN-Data to 20250915.001 in F-43 and Rawhide:
- Data update for 20250915
Updated perl-MIME-Types to 2.29 in F-43 and Rawhide:
- Require 5.16 (2012)
- Remove xt/98perl.t
- ::Type->defaultCharset()
- Remove use of bareword filehandle
- IANA updates
Updated perl-User-Identity to 1.03 in F-43 and Rawhide:
- Changes:
  - Require Perl 5.16 (2012)
- Improvements:
  - Convert to OODoc 3.04
  - Add .gitignore
Local Packages
Updated perl-MIME-Types to 2.29 as per the Fedora version
Tuesday 16th September 2025
Local Packages
Updated perl-Math-Base-Convert to 0.13:
- Fix precedence issue highlighted by perl 5.42 (CPAN RT#168226)
- Correct typo: 96 ASCII characters should be 95
Monday 22nd September 2025
Fedora Project
Updated miniz to 3.1.0 in F-43 and Rawhide:
- Fix warnings: Ensure correct integer promotion when adding
- Fix Unicode paths on MinGW32
- Prevent min/max conflicts between windows.h and std namespace
- Update miniz_tdef.c to enable compiling in forced-C++ mode
- Fix missing large file support warning on 64-bit Linux
- Bump cmake minimum version
- Add some catch2 tests including CI
- Remove parameter check in tinfl_decompress that breaks tinfl_decompress_mem_to_heap
- Don't redefine WIN32_LEAN_AND_MEAN if already defined
- Fix OSS-Fuzz build
- Do not redefine TDEFL_LESS_MEMORY if already defined
- Fix unused arg warnings when building with MINIZ_NO_TIME
- Support Zip archives not starting at zero offset
- Fix offset detection for MZ_ZIP_TYPE_USER
- Avoid fdreopen if possible
- cmake: new option BUILD_NO_STDIO to enable MINIZ_NO_STDIO
- Add fuzzer for mz_zip_add_mem_to_archive_file_in_place function
- Replace defines with function wrappers etc. as much as possible
Updated perl-Sereal-Decoder (5.004) and perl-Sereal-Encoder (5.004) in F-43 and Rawhide to fix detection of miniz 3.1.0:
- miniz 3.1.0 has static functions in miniz.h that reference functions in the miniz library, so we need -lminiz even for the header check in Devel::CheckLib
Local Packages
Rebuilt bluefish (2.2.17) for Python 3.14.0rc3 bytecode in Rawhide
Rebuilt libxml2 (2.12.10) for Python 3.14.0rc3 bytecode in Rawhide
Rebuilt libxslt (1.1.43) for Python 3.14.0rc3 bytecode in Rawhide
Updated perl-PPIx-Regexp to 0.090:
- Explain s///eee... more than 2 'e' modifiers are permitted, and cause the result of the expression to be eval-ed n-1 times, where n is the number of 'e' modifiers
- Fix typo in comment
Tuesday 23rd September 2025
Fedora Project
Updated perl-Apache-Session-Browseable to 1.3.18 in F-43 and Rawhide:
- Add persistence option for Redis
Local Packages
Updated perl-Module-CoreList to 5.20250923:
- Updated for v5.43.3
Friday 26th September 2025
Fedora Project
Updated rbldnsd (0.998b) in F-42, F-43 and Rawhide to fix base template replacement issue (GH#18, GH#19, GH#22, Bug #2398024)
Local Packages
Updated rbldnsd (0.998b) as per the Fedora version
Saturday 27th September 2025
Fedora Project
Updated perl-ExtUtils-InstallPaths to 0.015 in F-43 and Rawhide:
- Restore installing non-standard types
Local Packages
Updated perl-ExtUtils-InstallPaths to 0.015 as per the Fedora version
Sunday 28th September 2025
Local Packages
Updated perl-ExtUtils-ParseXS to 3.60:
- Fix INTERFACE for C23
- Support perl package names in INTERFACE
- Clean up typemap file-finding code and change priority
- Revert throwing an exception when combining the length operator with a typemap other than T_PV