Paul's Blog Entries for January 2026
Friday 2nd January 2026
Local Packages
Updated perl-DBD-SQLite to 1.78:
- Upgraded bundled SQLite to 3.51.1
- Omit constants for newly-added C-array extension
- SQLite 3.51.0 has two extensions (C-array and percentile) amalgamated but both are disabled by default
Make ->column_info() also return generated columns (GH#119)
- I updated the package build to use the bundled SQLite unless the system SQLite is 3.31.0 or above (needed for generated columns)
Saturday 3rd January 2026
Fedora Project
Updated perl-Devel-Hide to 0.0016 in Rawhide:
- Drop support for perl 5.6 (deprecated since 0.0012)
Local Packages
Updated perl-Devel-Hide to 0.0016 as per the Fedora version
Sunday 4th January 2026
Fedora Project
Became owner of (orphaned) perl-B-Hooks-Parser and did a clean-up and rebuild (version 0.21) in Rawhide
Monday 5th January 2026
Fedora Project
Updated gtkwave to 3.3.126 in Rawhide:
Added -H --noheader command line option for GTK3
Added headerbar rc variable to disable GTK3 headerbars
- Fix for rendering multi-line string constants in dumps
- Add warning message for missing XPM loader
Updated libghw to current version
- Changed behaviour of X search in pattern search so it is matched by a single X bit
Updated perl-GD to 2.84 in Rawhide:
Added Makefile.PL --with and --without options to bypass auto-detection errors or upstream libgd or subsequent library errors (GH#55)
Better support MSWin32 without gdlib.pc (requires manual --options and --lib_gd_path)
Work around broken ExtUtils::PkgConfig->find (GH#61)
Fixed snprintf for newer MSVC (>= VS 2015)
Added GD::Image::supported() image types method
Added newFromTiffData() method
Fixed t/GD.t for unsupported image types
Add GIFANIM to the default since 2.0.33 (GH#56)
Honour PKG_CONFIG_PATH for finding gdlib.pc (GH#57)
Add demos/png2jpeg.pl
I added a patch to ensure that XPM support is included even if libX11 is not explicitly linked, if libgd has XPM support itself
Updated perl-IO-Socket-SSL to 2.096 in Rawhide:
Allow stacking TLS layers with SSL_usebio; this also allows LWP (after patches) to access an https site through a TLS-enabled proxy
Local Packages
Updated gtkwave to 3.3.126 as per the Fedora version
Updated perl-IO-Socket-SSL to 2.096 as per the Fedora version
Wednesday 7th January 2026
Fedora Project
Updated perl-IO-Socket-SSL to 2.098 in Rawhide:
Fix GH#175 with upgrading from plain socket (no object) by using correct fdopen mode +< instead of <+
Another fix for GH#175 to make sure that an unblessed socket gets blessed in place instead of using new_from_fd; document that it will not retain original class with unblessed sockets on error, since this never worked anyway (there is no native unbless)
Updated perl-MetaCPAN-Client to 2.035000 in Rawhide:
Fix a compatibility issue for ES 8 in scroller setting (GH#131)
Local Packages
Updated perl-Compress-Raw-Lzma (2.214) to rebuild against xz 5.8.2
Updated perl-IO-Socket-SSL to 2.098 as per the Fedora version
Updated perl-MetaCPAN-Client to 2.035000 as per the Fedora version
Updated perl-Type-Tiny to 2.010001:
Fix for $LIST_SEPARATOR changes breaking Type::Coercion, Types::Common, Types::Standard
Updated curl to 8.18.0:
- build: Drop support for VS2008 (Windows)
- build: Drop Windows CE / CeGCC support
gnutls: Drop support for GnuTLS < 3.6.5
gnutls: Implement CURLOPT_CAINFO_BLOB
- openssl: Bump minimum OpenSSL version to 3.0.0
_PROGRESS.md: Add the E unit, mention kibibyte
- altsvc: More flexibility on same destination
altsvc: Accept ma/persist per alternative entry
altsvc: Make it one malloc instead of three per entry
AmigaOS: Increase minimum stack size for tool_main
- apple sectrust: Fix ancient evaluation
apple-sectrust: Always ask when 'native_ca_store' is in use
asyn-ares: Handle Curl_dnscache_mk_entry() OOM error
- asyn-ares: Remove hostname free on OOM
asyn-thrdd: Fix Curl_async_getaddrinfo() on systems without getaddrinfo
asyn-thrdd: Release rrname if ares_init_options fails
auth: Always treat Curl_auth_ntlm_get() returning NULL as OOM
autotools: Add nettle library detection via pkg-config (for GnuTLS)
autotools: Drop autoconf <2.59 compatibility code (zz60-xc-ovr)
autotools: Fix LargeFile feature display on Windows (after prev patch)
autotools: Tidy-up 'if' expressions
badwords: Add fist -> first, fix fallouts
badwords: Catch and fix threading-related words
badwords: Fix issues found in scripts and other files
badwords: Fix issues found in tests
build: Add build-level 'CURL_DISABLE_TYPECHECK' options
build: Exclude clang prereleases from compiler warning options
build: Replace '-pedantic' with '-Wpedantic' when supported
build: Set '-Wno-format-signedness'
- build: Tidy up MSVC CRT warning suppression macros
ccsidcurl: Make curl_mime_data_ccsid() use the converted size
cf-h1-proxy: Support folded headers in CONNECT responses
cf-https-connect: Allocate ctx at first in cf_hc_create()
cf-socket: Drop feature check for 'IPV6_V6ONLY' on Windows
cf-socket: Enable Win10 'TCP_KEEP*' options with old SDKs
cf-socket: Limit use of 'TCP_KEEP*' to Windows 10.0.16299+ at runtime
cf-socket: Return OOM error if socket() fails due to OOM
cf-socket: Trace ignored errors
cfilters: Make conn_forget_socket a private libssh function
checksrc.pl: Detect assign followed by more than one space
- cmake: Adjust defaults for target platforms not supporting shared libs
cmake: Define dependencies as 'IMPORTED' interface targets
cmake: Delete unused file 'CMake/CMakeConfigurableFile.in'
cmake: Disable 'CURL_CA_PATH' auto-detection if 'USE_APPLE_SECTRUST=ON'
cmake: Fix 'ws2_32' reference in 'curl-config.cmake'
cmake: Honour 'CURL_DISABLE_INSTALL' and 'CURL_ENABLE_EXPORT_TARGET'
cmake: Replace deprecated 'OPENSSL_FOUND' with 'OpenSSL_FOUND'
cmake: Replace deprecated 'PERL_FOUND' with 'Perl_FOUND'
cmake: Save and restore 'CMAKE_MODULE_PATH' in 'curl-config.cmake'
cmake: Set found status to OFF when not found (for compression deps)
- code: Minor indent fixes before closing braces
CODE_STYLE.md: Sync banned function list with checksrc.pl
compressed.md: Might generate a huge amount of bytes
config-win32.h: Delete obsolete, non-Windows comments
config-win32.h: Drop unused/obsolete 'CURL_HAS_OPENLDAP_LDAPSDK'
config2setopts: Add space in cookie header with multiple -b
config2setopts: Bail out if curl_url_get() returns OOM
config2setopts: Exit if curl_url_set() fails on OOM
- configure: Delete unused variable
conncache: Silence '-Wnull-dereference' on gcc 14 RISC-V 64
- conncontrol: Re-use handling
connect: Reshuffle Curl_timeleft_ms to avoid 'redundant condition'
- connection: Attached transfer count
content_encoding: Avoid strcpy
- cookie: Return proper error on OOM
- cookie: Allocate the main struct once cookie is fine
- cookie: Flush better
- cookie: Only keep and use the canonical cleaned up path
- cookie: Propagate errors better, clean up the internal API
- cookie: Return error on OOM
- cookie: When parsing a cookie header, delay all allocations until okay
cshutdn: Acknowledge FD_SETSIZE for shutdown descriptors
- curl: Fix progress meter in parallel mode
curl_fopen: Do not pass invalid mode flags to 'open()' on Windows
curl_gssapi: Make sure Curl_gss_log_error() has an initialized buffer
curl_ntlm_core: Fix DES_* symbols for some wolfSSL builds
curl_quiche: Refuse headers with CR, LF or null bytes
curl_sasl: If redirected, require permission to use bearer (CVE-2025-14524)
curl_sasl: Make Curl_sasl_decode_mech compare case insensitively
curl_setup.h: Document more funcs flagged by '_CRT_SECURE_NO_WARNINGS'
curl_setup.h: Drop stray '#undef stat' (Windows)
curl_setup.h: Drop superfluous parenthesis from 'Curl_safefree' macro
curl_threads: Don't do another malloc if the first fails
curl_trc: Delete unused DoH remains
CURLINFO: Remove 'get' and 'get the' from each short desc
CURLINFO_SCHEME/PROTOCOL: They return the "scheme" for a "transfer"
CURLINFO_TLS_SSL_PTR.md: Remove CURLINFO_TLS_SESSION text
CURLMOPT_SOCKETFUNCTION.md: Fix the callback argument use
CURLOPT_ACCEPT_ENCODING.md: Warn about the expansion
CURLOPT_FOLLOWLOCATION.md: s/Authentication:/Authorization:/
CURLOPT_HAPROXY_CLIENT_IP.md: Emphasize reused connection use
CURLOPT_READFUNCTION.md: Clarify the size of the buffer
CURLOPT_SSH_KEYFUNCTION.md: Fix minor indent mistake in example
curlx/fopen: Replace open CRT functions with their '_s' counterparts (Windows)
curlx/multibyte: Stop setting macros for non-Windows
curlx/strerr: Use 'strerror_s()' on Windows
curlx: Add 'curlx_rename()', fix to support long filenames on Windows
curlx: curlx_strcopy() instead of strcpy()
curlx: Limit use of system allocators to the minimum possible
curlx: Replace 'mbstowcs'/'wcstombs' with '_s' counterparts (Windows)
curlx: Replace 'sprintf' with 'snprintf'
curlx: Use curl alloc in 'curlx_win32_stat()' (Windows)
curlx: Use curlx allocators in non-memdebug builds (Windows)
DEPRECATE: Add CMake <3.18 deprecation for April 2026
- digest: Fix OWS and escaped quote handling
digest_sspi: Fix a memory leak on error path
digest_sspi: Properly free sspi identity
DISTROS.md: Add OpenBSD
DISTROS: Fix a Mageia URL
DISTROS: Remove broken URLs for buildroot
- doc: Some returned in-memory data may not be altered
Dockerfile: Update debian:bookworm-slim digest to e899040
docs/libcurl: Fix C formatting nits
docs: Add a note about --compressed to note about binary output
- docs: Clarify how to do unix domain sockets with SOCKS proxy
docs: Fix checksrc 'EQUALSPACE' warnings
docs: Fix time_posttransfer output unit as seconds
docs: Mention umask need when curl creates files
- docs: Remove dead URLs
docs: Rename CURLcode variables to 'result'
docs: Spell it Rustls with a capital R
docs: Switch more URLs to https://
docs: Use .example URLs for proxies
docs: Use mresult as variable name for CURLMcode
escape: Add a length check in curl_easy_escape
- example: Fix formatting nits
examples/crawler: Fix variable
examples/multi-uv: Fix invalid req->data access
examples/threaded-ssl: Delete in favour of 'examples/threaded'
examples/threaded: Fix race condition
- examples: Fix minor typo
- examples: Make functions/data static where missing
- examples: Tidy-up headers and includes
examples: Use 64-bit 'fstat' on Windows
FAQ/TODO/KNOWN_BUGS: Convert to markdown
FAQ: Fix hackerone URL
file: Do not pass invalid mode flags to 'open()' on upload (Windows)
- formdata: Validate callback is non-NULL before use
ftp: Make EPRT connections non-blocking
- ftp: Refactor a piece of code by merging the repeated part
ftp: Remove #ifdef for define that is always defined
- ftp: Return better on OOM in two places
ftp: Return from ftp_state_use_port immediately on OOM
getenv: Drop internal 1-to-1 wrapper
getinfo: Improve perf in debug mode
gnutls: Add PROFILE_MEDIUM as default
- gnutls: Report accurate error when TLS-SRP is not built-in
- gtls: Add return checks and optimize the code
gtls: Call keylog_close in clean-up
gtls: Skip session resumption when verifystatus is set
h2/h3: Handle methods with spaces
headers: Add length argument to Curl_headers_push()
hostcheck: Fail wildcard match if host starts with a dot
hostip.h: Drop redundant 'setjmp.h' include
- hostip: Don't store negative lookup on OOM
hostip: Make more functions return CURLcode
hostip: Only store negative response for CURLE_COULDNT_RESOLVE_HOST
- hsts: Propagate and error out correctly on OOM
hsts: Use one malloc instead of two per entry
http: Acknowledge OOM errors from Curl_input_ntlm
http: Avoid two strdup()s and do minor simplifications
- http: Error on OOM when creating range header
http: Fix OOM exit in Curl_http_follow
http: Handle oom error from Curl_input_digest()
http: Replace atoi use in Curl_http_follow with curlx_str_number
- http: Return OOM errors from hsts properly
http: The :authority header should never contain user+password
- http: Unfold response headers earlier
idn: Avoid allocations and wcslen on Windows
- idn: Clarify null-termination on Windows
idn: Fix memory leak in 'win32_ascii_to_idn()'
idn: Use curlx allocators on Windows
- imap: Check buffer length before accessing it
imap: Make sure Curl_pgrsSetDownloadSize() does not overflow
inet_ntop: Avoid the strlen()
INSTALL-CMAKE.md: Document static option defaults more
- krb5: Fix detecting channel binding feature
krb5_sspi: Unify a part of error handling
ldap: Call ldap_init() before setting the options (CVE-2025-14017)
- ldap: Drop PP logic for old, unsupported, Windows SDKs
- ldap: Improve detection of Apple LDAP
- ldap: Provide version for "legacy" ldap as well
lib/sendf.h: Forward declare two structs
- lib: Clean-up for some typos about spaces and code style
lib: Create unitprotos.h in the builddir, not srcdir
lib: Drop unused or duplicate 'curlx/timeval.h' includes
- lib: Drop unused protocol headers
lib: Eliminate size_t casts
- lib: Error for OOM when extracting URL query
- lib: Fix formatting nits
lib: Fix gssapi.h include on IBMi
lib: Name the main CURLMcode variable 'mresult'
- lib: Refactor the type of funcs that have useless return and checks
lib: Replace '_tcsncpy'/'wcsncpy'/'wcscpy' with '_s' counterparts (Windows)
- lib: Timer stats improvements
lib: Use 'SOCKET_WRITABLE()'/'SOCKET_READABLE()' where possible
- libssh2: Add paths to error messages for quote commands
libssh2: Clean up ssh_force_knownhost_key_type
libssh2: Consider strdup() failures OOM and return correctly
libssh2: Replace atoi() in ssh_force_knownhost_key_type
- libssh: Fix state machine loop to progress as it should
libssh: Properly free sftp_attributes
libssh: Require private key or user-agent for public key auth (CVE-2025-15224)
libssh: Set both knownhosts options to the same file (CVE-2025-15079)
libtests: Replace 'atoi()' with 'curlx_str_number()'
limit-rate: Add example using --limit-rate and --max-time together
- localtime: Detect thread-safe alternatives and use them
m4/sectrust: Fix test(1) operator
- manage: Expand the 'libcurl support required' message
- mbedTLS: Clean up insecure/deprecated code
mbedtls: Fix potential use of uninitialized 'nread'
- mbedtls: Sync format across log messages
mbedtls_threadlock: Avoid calloc, use array
mdlinkcheck: Ignore IP numbers, allow '@' in raw URLs
mdlinkcheck: Only look for markdown links in markdown files
- memdebug: Add mutex for thread safety
memdebug: Fix realloc logging
mk-ca-bundle.md: The file format docs URL is permaredirected
mk-ca-bundle.pl: Default to SHA256 fingerprints with '-t' option
mk-ca-bundle.pl: Use 'open()' with argument list to replace backticks
- mqtt: Reject overly big messages
- mqtt: Return error when a too large packet is decoded
multi: Make max_total_* members size_t
multi: Remove MSTATE_TUNNELING
- multi: Simplify admin handle processing
multibyte: Limit 'curlx_convert_*wchar*()' functions to Unicode builds
ngtcp2+openssl: Fix leak of session
ngtcp2: Remove the unused Curl_conn_is_ngtcp2 function
- ngtcp2: Retune window sizes
- noproxy: Fix build on systems without IPv6
- noproxy: Fix ipv6 handling
noproxy: Replace atoi with curlx_str_number
- openssl: Exit properly on OOM when getting certchain
openssl: Fix a potential memory leak of bio_out
openssl: Fix a potential memory leak of params.cert
- openssl: Fix building against no-dsa openssl
openssl: Fix building against no-ocsp openssl with Apple SecTrust
openssl: No verify failf message unless strict
openssl: Release ssl_session if sess_reuse_cb fails
- openssl: Remove code handling default version
openssl: Simplify 'HAVE_KEYLOG_CALLBACK' guard
openssl: Stop checking for 'OPENSSL_NO_SHA*' macros
openssl: Stop checking for 'OPENSSL_NO_TLSEXT' macro
openssl: Toggling CURLSSLOPT_NO_PARTIALCHAIN makes a different CA cache (CVE-2025-14819)
OS400/ccsidcurl: Fix curl_easy_setopt_ccsid for non-converted blobs
OS400/makefile.sh: Fix shellcheck warning SC2038
os400sys: Replace 'strcpy()' with 'memcpy()'
- osslq: Code readability
- progress: Make it one column narrower
- progress: Narrower time display, multiple fixes
- progress: Show fewer digits
projects/README.md: Markdown fixes
- pytest fixes and improvements
- pytest: Add tests using sshd
- pytest: Disable two H3 earlydata tests for all platforms (was: macOS)
- pytest: Do not ignore server issues
- pytest: Enable OCSP test 17_08 for LibreSSL
- pytest: Fix and improve reliability
- pytest: Improve stragglers
- pytest: quiche flakiness
pytest: Skip H2 tests if feature missing from curl
- quiche: Use client writer
- ratelimit blocking: Fix busy loop
- ratelimit: Redesign
- rtmp: Fix double-free on URL parse errors
- rtmp: Precaution for a potential integer truncation
rtmp: Stop redefining 'setsockopt' system symbol on Windows
runner.pm: Run memanalyzer as a Perl module
runtests: Add options to set minimum number of tests, use them
runtests: Detect bad libssh differently for test 1459
runtests: Drop Python 2 support remains
runtests: Enable torture testing with threaded resolver
runtests: Improve XML prolog check, enable '-w' permanently, fix two tests
runtests: Make memanalyzer a Perl module (for 1.1-2x speed-up per test run)
- rustls: Fix a potential memory issue
rustls: Minor adjustment of sizeof()
- rustls: Simplify init err path
rustls: Verify that verifier_builder is not NULL
- schannel: Cap the maximum allowed size for loading cert
schannel: Fix memory leak of cert_store_path on four error paths
schannel: Replace atoi() with curlx_str_number()
schannel: Use Win8 'CERT_NAME_SEARCH_ALL_NAMES_FLAG' with old SDKs
schannel_verify: Fix a memory leak of cert_context
- scripts: Fix shellcheck SC2046 warnings
scripts: Use end-of-options marker in 'find -exec' commands
setopt: Disable CURLOPT_HAPROXY_CLIENT_IP on NULL
- setopt: When setting bad protocols, don't store them
- sftp: Fix range downloads in both SSH backends
slist: constify Curl_slist_append_nodup() string argument
- smb: Fix a size check to be overflow safe
socketpair: Drop redundant '_WIN32' branch and include
socks_sspi: Use free() not FreeContextBuffer()
- source: Misc typos
speedcheck: Do not trigger low speed cancel on transfers with CURL_READFUNC_PAUSE
speedlimit: Also reset on send unpausing
src: Drop redundant definition of 'BIT()'
- src: Fix formatting nits
- ssh: Tracing and better pollset handling
sspi: Fix memory leaks on error paths in 'Curl_create_sspi_identity()'
- sws: Fix binding to unix socket on Windows
- synctime: Tidy up, make it work on all platforms
- telnet: Abort on bad suboption sequence
telnet: Replace atoi for BINARY handling with curlx_str_number
TEST-SUITE.md: Correct the man page's path
test07_22: Fix flakiness
test1475: Consistently use %CR in headers
test1498: Disable 'HTTP PUT from stdin' test on Windows
test2045: Replace HTML multi-line comment markup with '#' comments
test318: Tweak the name a little
test3207: Enable memdebug for this test again
test363: Delete stray character (typo) from a section tag
test568: Fix codespell, catch it next time early in CI
test568: Remove what looks like an email and a URL
test787: Fix possible typo & -> % in curl option
test96: Fix to accept non-unity memdump content with MSVC
tests/data: Move '--libcurl' output to external data files
tests/data: Replace hard-coded test numbers with '%TESTNUMBER'
tests/data: Support using native newlines on disk, drop '.gitattributes'
tests/server: Do not fall back to original data file in 'test2fopen()'
tests/server: Fix initialization on Windows Vista+
tests/server: Replace 'atoi()' and 'atol()' with 'curlx_str_number()'
tests: Add '%AMP' macro, use it in two tests
- tests: Add a standard log line for alloc failures
- tests: Allow 2500-2503 to use ~2MB malloc
- tests: Drop redundant parentheses from two macro expressions
- tests: Fix formatting nits
tests: Rename CURLMcode variables to mresult
tftp: Release filename if conn_get_remote_addr fails
tftpd: Fix/tidy up 'open()' mode flags
tidy-up: Avoid '(())', clang-format fixes and more
tidy-up: Move 'CURL_UNCONST()' out from macro 'curl_unicodefree()'
tidy-up: URLs (cont.) and mdlinkcheck
- tidy-up: URLs
TODO: Remove a mandriva.com reference
tool: Consider (some) curl_easy_setopt errors fatal
tool: Log when loading .curlrc in verbose mode
tool_cfgable: Free ssl-sessions at exit
tool_doswin: Clear pointer when thread takes ownership
tool_doswin: Increase allowable length of path sanitizer
tool_doswin: Remove the max length check
tool_getparam: Simplify the --rate parser
tool_getparam: Use memdup0() instead of malloc + copy
tool_getparam: Verify that a file exists for some options
tool_help: Add checks to avoid unsigned wrap around
tool_ipfs: Check return codes better
tool_msgs: Make voutf() use stack instead of heap
tool_operate: Exit on curl_share_setopt errors
tool_operate: Fix a case of ignoring return code in operate()
tool_operate: Fix case of ignoring return code in single_transfer
tool_operate: Remove redundant condition
tool_operate: Return error for OOM in append2query
tool_operate: Use curlx_str_number instead of atoi
tool_paramhlp: Refuse --proto remove all protocols
tool_paramhlp: Remove a malloc+free from proto2num()
tool_paramhlp: Simplify number parsing
tool_progress: Fix large time outputs and decimal size display
tool_urlglob: Acknowledge OOM in peek_ipv6
tool_urlglob: Clean up used memory on errors better
tool_urlglob: constify an argument
tool_urlglob: Fix propagating OOM error from 'sanitize_file_name()'
tool_urlglob: Support globs as long as config line lengths
tool_writeout: Bail out proper on OOM
url: Fix return code for OOM in parse_proxy()
url: If curl_url_get() fails due to OOM, error out properly
url: If OOM in parse_proxy() return error
url: Return error at once when OOM in netrc handling
urlapi: Fix mem-leaks in curl_url_get error paths
- urlapi: Handle OOM properly when setting URL
urlapi: Return OOM correctly from parse_hostname_login()
- verify-release: Update to avoid shellcheck warning SC2034
vquic-tls/gnutls: Call Curl_gtls_verifyserver unconditionally (CVE-2025-13034)
vquic: Do not pass invalid mode flags to 'open()' (Windows)
vquic: do_sendmsg full init
- vquic: Ignore 0-length UDP packets
vquic: Initialize new callback in nghttp3 1.14.0+
vtls: Drop unused 'use_alpn' from 'ssl_connect_data' struct
vtls: Fix CURLOPT_CAPATH use
vtls: Handle possible malicious certs_num from peer
- vtls: Pinned key check
VULN-DISCLOSURE-POLICY.md: CRLF in data
wcurl: Import v2026.01.05
windows: Assume 'USE_WIN32_LARGE_FILES'
windows: Fix 'CreateFile()' calls to support long filenames
windows: Use '_strdup()' instead of 'strdup()' where missing
- wolfSSL: Able to differentiate between IP and DNS in alt names
- wolfssl: Avoid NULL dereference in OOM situation
- wolfssl: Fix a potential memory leak of session
- wolfssl: Fix cipher list, skip 5.8.4 regression
wolfssl: Fix possible assert with '!HAVE_NO_EX' wolfSSL builds
wolfssl: Proof use of wolfSSL_i2d_SSL_SESSION
wolfssl: Simplify wssl_send_earlydata
- ws: Replace a cast by matching the format string
x509asn1: Drop unused 'hostcheck.h', 'vtls_int.h' includes
I enabled HTTP/3 support with ngtcp2 from Fedora 43 onwards
- I also had to drop support for distributions prior to F-36, EL-9 since OpenSSL 3.x is now a requirement
- Finally, I had to (hopefully temporarily) disable new test 2090 on EL, where it seems to be flaky
Thursday 8th January 2026
Fedora Project
Updated perl-MetaCPAN-Client to 2.037000 in Rawhide:
Updated perltidy to 20260109 in Rawhide (see CHANGES.md for details)
The Pod::Html dependency was changed to Pod::Simple::XHTML, which is now the preferred back-end option for HTML generation
Local Packages
Updated perl-MetaCPAN-Client to 2.037000 as per the Fedora version
Updated perl-Perl-Tidy to 20260109 as per the Fedora perltidy package
Friday 9th January 2026
Fedora Project
Updated perl-Business-ISBN-Data to 20260109.001 in F-42, F-43 and Rawhide:
- Data update for 2026-01-08
Local Packages
Updated perl-ExtUtils-ParseXS to 3.61:
Allow XS files with no XS again (GH#24016)
Wednesday 14th January 2026
Fedora Project
Updated perl-Net-SSH-Perl (2.143) in Rawhide to fix FTBFS with ExtUtils::ParseXS 3.61 (GH#75)
Thursday 15th January 2026
Fedora Project
Updated perl-Net-SSH-Perl to 2.144 in Rawhide:
Fix FTBFS with ExtUtils::ParseXS 3.61 (GH#75)
Friday 16th January 2026
Local Packages
Updated dovecot to 2.4.2:
CVE-2025-30189: passdb oauth2 (not oauth2 mechanism), passdb passwd, passdb bsdauth, and userdb passwd drivers would cause users to be cached with same cache key when auth cache was enabled
auth: Remove proxy_always field
- config: Change settings history parsing to use python3
doveadm: Print table formatter - print empty values as "-"
imapc: Propagate remote error codes properly
lda: Default mail_home=$HOME environment if not using userdb lookup
lib-dcrypt: Salt for new version 2 keys has been increased to 16 bytes
lib-dregex: Add libpcre2 based regular expression support to Dovecot; if the library is missing, disable all regular expressions (this adds libpcre2-32 as build dependency)
lib-oauth2: jwt - Allow nbf and iat to point 1 second into future
lib: Replace libicu with our own unicode library; removes libicu as build dependency
login-common: If proxying fails due to remote having invalid SSL cert, don't reconnect
auth: Add ssl_client_cert_fp and ssl_client_cert_pubkey_fp fields, see https://doc.dovecot.org/latest/core/summaries/settings.html#ssl_peer_certificate_fingerprint_hash for more information
config: Add support for $SET:filter/path/setting
config: Improve @group includes to work with overwriting their settings
doveadm kick: Add support for kicking multiple usernames
doveadm mailbox status: Add support for deleted status item
imap, imap-client: Add experimental partial IMAP4rev2 support
imap: Implement support for UTF8=ACCEPT for APPEND
lib-oauth2, oauth2: Add oauth2_token_expire_grace setting
lmtp: lmtp-client - Support command pipelining
login-common: Support local/remote blocks better
master: accept() unix/inet connections before creating child process to handle it; this reduces timeouts when child processes are slow to spawn themselves
SMTPUTF8 was accepted even when it wasn't enabled
auth, *-login: Direct logging with -L parameter was not working
auth: Crash occured when OAUTH token validation failed with oauth2_use_worker_with_mech=yes
auth: Invalid field handling crashes were fixed
auth: ldap - Potential crash could happen at deinit
auth: mech-gssapi - Server sending empty initial response would cause errors
auth: mech-winbind - GSS-SPNEGO mechanism was erroneously marked as not accepting NUL
config: Multiple issues with $SET handling have been fixed
- configure: Building without LDAP didn't work
doveadm: If source user didn't exist, a crash would occur
imap, pop3, submission, imap-urlauth: USER environment usage was broken when running standalone
imap-hibernate: Statistics would get truncated on unhibernation
imap: "SEARCH MIMEPART FILENAME ENDS" command could have accessed memory outside allocated buffer, resulting in a crash
imapc: Fetching partial headers would cause other cached headers to be cached empty, breaking e.g. imap envelope responses when caching to disk
imapc: Shared namespace's INBOX mailbox was not always uppercased
imapc: imapc_features=guid-forced GUID generation was not working correctly
lda: USER environment was not accepted if -d hasn't been specified
lib-http: http-url - Significant path percent encoding through parse and create was not preserved; this is mainly important for Dovecot's lua bindings for lib-http
lib-settings: Crash would occur when using %variables in SET_FILE type settings
lib-storage: Attachment flags were attempted to be added for readonly mailboxes with mail_attachment_flags=add-flags
lib-storage: Root directory for unusable shared namespaces was unnecessarily attempted to be created
- lib: Crash would occur when config was reloaded and logging to syslog
login-common: Crash might have occured when login proxy was destroyed
sqlite: The sqlite_journal_mode=wal setting didn't actually do anything
- Many other bugs have been fixed
Updated pigeonhole to 2.4.2:
lib-sieve: Use new regular expression library in core
managesieve: Add default service_extra_groups=$SET:default_internal_group
lib-sieve: Add support for "extlists" extension
lib-sieve: regex - Allow unicode comparator
lib-sieve-tool: sieve-tool - All sieve_script settings were overridden
lib-sieve: storage: dict: sieve_script_dict filter was missing from settings
sieve-ldap-storage: Fix compile without LDAP
Rebuilt ansible-collection-community-libvirt (2.0.0), bluefish (2.2.19), check (0.15.2), curl (8.18.0), davfs2 (1.7.2) and Judy (1.0.5) for the Fedora_44_Mass_Rebuild
Saturday 17th January 2026
Local Packages
Rebuilt grepmail (5.3111), gtkwave (3.3.126), libgpg-error (1.58), libidn (1.43), libnet (1.3), libssh2 (1.11.1), libxml2 (2.12.10), libxslt (1.1.43), mod_fcgid (2.3.9), nmap (7.92), perl-Any-Moose (0.27) and perl-Class-XSAccessor (1.19) for the Fedora_44_Mass_Rebuild
Sunday 18th January 2026
Local Packages
Rebuilt perl-DBI (1.647), perl-Dir-Self (0.11), perl-Feature-Compat-Class (0.08), perl-HTML-Lint (2.32), perl-IO-AIO (4.81), perl-MCE (1.902), perl-MIME-Types (2.32), perl-MIME-tools (5.515), perl-Moose (2.4000) and proftpd (1.3.9) for the Fedora_44_Mass_Rebuild
Monday 19th January 2026
Fedora Project
Rebuilt perl-AnyEvent (7.17), perl-B-COW (0.007) and perl-Test-LeakTrace (0.17) for the Fedora_44_Mass_Rebuild
Local Packages
Updated perl-Net-DNS to 1.54:
- Resync with IANA DNS parameters registry
- Resync with IANA DNSSEC algorithms registry
Implement DELEGI as derived subtype of DELEG RR
Backport DELEG parser to SVCB
Updated sendmail to 8.18.2 (see RELEASE_NOTES for details)
Rebuilt perl-Mouse (2.6.1), perl-Object-HashBase (0.015), perl-Perl-Critic (1.156), perl-Perl-Tidy (20260109), perl-Specio (0.53), perl-Test-InDistDir (1.112071), perl-Test-LeakTrace (0.17), perl-Type-Tiny (2.010001), perl-Types-Path-Tiny (0.006), pptp (1.10.0), rbldnsd (0.998b), smbldap-tools (0.9.11) and spamass-milter (0.4.0) for the Fedora_44_Mass_Rebuild
Tuesday 20th January 2026
Local Packages
Updated dovecot (2.4.2) to move pigeonhole libraries from the main package to the pigeonhole package to avoid having the main package accidentally depending on the pigeonhole package
Updated perl-Module-CoreList to 5.20260119:
- Updated for v5.43.7
Wednesday 21st January 2026
Fedora Project
Updated perl-Business-ISBN-Data to 20260120.001 in Rawhide:
- Data update for 2026-01-20
Local Packages
Updated perl-Moo (2.005005) to assume Sub::Util is always available and to use the %{make_build} and %{make_install} macros
Thursday 22nd January 2026
Fedora Project
Updated perl-Business-ISBN-Data to 20260122.001 in Rawhide:
- Data update for 2026-01-22
Updated perl-Mail-Message to 4.02 in Rawhide:
Fix $msg->study
Local Packages
Updated perl-EV to 4.37:
Work around issues with different versions of ExtUtils::ParseXS
Updated perl-Net-Server to 2.015:
Compatibility fix to work with MakeMaker prior to 6.58 (GH#35)
Update META info from dzil (CPAN RT#94977)
Compatibility fix to work with Net::SSLeay prior to 1.34 (GH#38)
Multiplex fix for Perl 5.40.x (CPAN RT#172029)
Compatibility fix to work with Socket.pm prior to 1.93
Remove all bindv6only sniffing; always use setsockopt to set IPV6_V6ONLY flag appropriately based on {ipv}
Honour {ipv6_package} preference, if specified
Fix to work without deprecated "Socket6.pm" module (IO::Socket::IP can handle everything now)
Fix {reverse_lookups} with {udp_true}
- Fix tests where "localhost" is not listed as IPv6 loopback
Add more various {ipv} and NO_IPV6 tests
Fix comments, wordings, messages, and POD (CPAN RT#85052)
Friday 23rd January 2026
Fedora Project
Updated perl-Business-ISBN-Data to 20260123.001 in Rawhide:
- Data update for 2026-01-23
Updated perl-CPAN-Meta to 2.150011 in Rawhide:
- Improved example of testing a minimum prerequisite version of a module
- Remove some code meant to handle running on pre-v5.8 perl, even though v5.8 was already a requirement
Updated perl-CPAN-Meta-Requirements to 2.144:
- Remove code meant to cope with running on v5.8, when v5.10 is the minimum required perl
Normalize away ">= 0" in compound version requirements; it's meaningless
Local Packages
Updated perl-CPAN-Meta to 2.150011 as per the Fedora version
Updated perl-CPAN-Meta-Requirements to 2.144 as per the Fedora version
Monday 26th January 2026
Fedora Project
Updated perl-Mail-Message to 4.03 in Rawhide:
Field attributes must be handled case-insensitively (GH#5)
- Wrongly added LF after multipart parts that do not end in a LF
Thursday 29th January 2026
Local Packages
Updated java-1.8.0-oracle to Java SE 8 Update 481; also updated tzupdater to 2.3.3 but it's neither needed nor used
Updated perl-Net-Server to 2.016:
Honour platform-provided IPV6_V6ONLY value
Fix $xflags NIx_* logic emulation
Make stub honour wantarray context invocation
Don't require ipv6_package to run routines
- Show correct line number if stub routine dies
Warn clean safe_* routines
Avoid "string" eval
- Allow caller to import any Proto routine
Allow to import all exportable Socket macros
Friday 30th January 2026
Fedora Project
Updated perl-MetaCPAN-Client to 2.038000 in Rawhide:
- Support CVE index
Local Packages
Updated Judy (1.0.5) to start providing the lower-case 'judy-devel' name for compatibility with other RPM based distributions (Bug #2435466, PR#4)
Updated perl-MetaCPAN-Client to 2.038000 as per the Fedora version
Saturday 31st January 2026
Fedora Project
Updated perl-CPAN-Meta to 2.150012 in Rawhide:
- Distribution metadata update
I added a workaround for test issues with CPAN::Meta::Requirements ≥ 2.144 (GH#145)
Updated perl-CPAN-Meta-Requirements to 2.145 in Rawhide:
Correct "normalization of 0" code to work correctly with vstrings (GH#46)
Local Packages
Updated perl-CPAN-Meta to 2.150012 as per the Fedora version
Updated perl-CPAN-Meta-Requirements to 2.145 as per the Fedora version
Previous Month: December 2025
Next Month: February 2026