Paul's Blog Entries for April 2026
Wednesday 1st April 2026
Local Packages
Rebuilt dovecot (2.4) for lua 5.5 in Rawhide
Rebuilt perl-Compress-Raw-Lzma (2.221) against xz 5.8.3 in Rawhide
Updated perl-Mail-SPF to 3.20260331:
- Do not check for multiple CNAMEs if the included domain is a macro
Thursday 2nd April 2026
Fedora Project
Updated bluefish to 2.4.1 in Rawhide:
- Bluefish 2.4.1 is a minor maintenance release with a few notable changes
- The experimental "side by side" feature that was introduced in 2.4.0 is no longer experimental and is fully stable now
- A new feature is that Bluefish will automatically adjust the text colours for people that use a dark desktop theme
- Translations for Ελληνικά (Greek) and தமிழ் (Tamiḻ) have been completely renewed
- A critical bug and a regression in the split view function has been fixed
- The windows build has some minor improvements
- Several translations are updated
Updated perl-Business-ISBN-Data to 20260331.001 in Rawhide:
- Data update for 2026-03-31
Updated perl-IO-Tty to 1.25 in Rawhide:
- Bug Fixes:
Fix IO::Pty DESTROY force-closing the slave pty: the DESTROY method (added in 1.21) explicitly closed the cached slave handle, breaking consumers like IPC::Run that hold a reference to the slave via $pty->slave() and expect it to survive master destruction; now just deletes the internal reference and lets Perl's refcounting handle fd closure correctly (GH#62, GH#64)
- Maintenance:
Simplify version variables to a single source of truth: extract version from Tty.pm in Makefile.PL using MM->parse_version() instead of hard-coding it, use VERSION_FROM in WriteMakefile, and remove $XS_VERSION from Tty.pm (GH#61)
Updated perl-IPC-Run to 20260401.0 in Rawhide:
- Bug fixes:
Require IO::Pty 1.25, which fixes stale pty slave fd after close_terminal in child, replacing defensive workarounds (GH#240, GH#241)
Close Win32IO socket/pipe handles explicitly in _cleanup to prevent handle leaks (GH#237, GH#246)
Handle $SIG{PIPE} set to 'DEFAULT' in _select_loop instead of crashing (GH#242, GH#244)
Handle $SIG{CHLD} set to '' or 'DEFAULT' in _select_loop (GH#262)
Fix PTYS typo in adopt() and missing TIMERS init in harness constructor (GH#260)
Handle PTY allocation failure gracefully in start() instead of dying with an unhelpful error (GH#267)
Correct Timer.pm POD typos, _parse_time error message, and remove redundant parse call (GH#251)
Prevent noexec probe from leaking TAP output in search_path_cache.t (GH#247)
- Improvements:
Correct broken POD links and code examples in documentation (GH#252)
- Maintenance:
Update GitHub URLs from toddr/IPC-Run to cpan-authors/IPC-Run (GH#263)
Replace GPL v2 full text with standard "same terms as Perl" license (GH#268)
Add AI policy document (GH#248)
Use File::Spec->devnull in autoflush.t for portability (GH#250)
Skip search_path_cache.t on noexec temp filesystems (GH#247)
Remove dead code from Run.pm (GH#266)
Updated perl-YAML-Syck to 1.43 in Rawhide:
- Bug Fixes:
Fix: Prevent resource leaks on croak/early-return paths in Dump (GH#161)
Fix: Prevent output SV leaks on croak in Dump/DumpFile callers (GH#163)
Fix: Load() in list context returns empty list for empty/undef input; also applies to LoadBytes and LoadUTF8 (GH#164, GH#165)
Fix: DumpCode serializes prototype string instead of code body (GH#168)
Fix: Memory leak in !perl/scalar Load - newRV_inc should be newRV_noinc (GH#170)
Fix: Add pTHX_ to SAVEDESTRUCTOR_X callback for threaded Perl (GH#175, GH#176)
Fix: Add TODO guard for eval_pv leak on Perl < 5.14 (GH#179, GH#180)
Fix: Negative hex and octal values parsed as 0 with ImplicitTyping (GH#183)
Fix: Negative int#base60 values produce unsigned wraparound (GH#185)
- Improvements:
- Maintenance:
Local Packages
Updated bluefish to 2.4.1 as per the Fedora version
Updated perl-IO-Tty to 1.25 as per the Fedora version
Updated perl-IPC-Run to 20260401.0 as per the Fedora version
Updated perl-YAML-Syck to 1.43 as per the Fedora version
Friday 3rd April 2026
Fedora Project
Updated perl-Business-ISBN-Data to 20260403.001 in Rawhide:
- Data update for 2026-04-03
Updated perl-IO-Tty to 1.26 in Rawhide:
- Bug Fixes:
Fix strlcpy detection on DragonFly BSD to avoid static/non-static declaration conflict; added __DragonFly__ guard to the function test (paralleling __FreeBSD__) and added a belt-and-suspenders check for perl's own HAS_STRLCPY in Tty.xs (GH#67)
- Maintenance:
Add 5-minute timeout to all CI test steps to prevent hung tests from consuming CI resources indefinitely (GH#66)
Updated perl-IPC-Run to 20260402.0 in Rawhide:
- Bug fixes:
Detect undefined command in arrayref at harness parse time instead of deferring to start() (GH#164, GH#271, GH#272)
pipe_writer dropped input when data is the string "0" due to redundant boolean test on input buffer (GH#264)
Callback filter evaluates return in list context to distinguish empty return from the string "0", preventing infinite loop on Win32 (GH#264)
Skip pty output assertions on BSD/Darwin due to known pty drain timing issues on short-lived children (GH#240, GH#274)
Implement proper Windows command-line parsing per Microsoft C/C++ rules, fixing argument parsing failures with single-quoted strings containing whitespace (GH#273)
- Maintenance:
Add shebang to eg/synopsis_scripting (GH#275)
Updated perl-YAML-Syck to 1.44 in Rawhide:
Local Packages
Updated perl-IO-Tty to 1.26 as per the Fedora version
Updated perl-IPC-Run to 20260402.0 as per the Fedora version
Updated perl-YAML-Syck to 1.44 as per the Fedora version
Sunday 5th April 2026
Fedora Project
Updated perl-IO-Tty to 1.27 in Rawhide:
Fix build on OpenBSD by including termios.h to detect openpty reliably and setting _BSD_SOURCE to find strlcpy in includes (GH#68)
Updated perl-Module-Metadata to 1.000039 in Rawhide:
Adds recognition of attributes in "class" declarations (GH#39)
Updated perl-Perl-PrereqScanner-NotQuiteLite to 0.9918 in Rawhide:
Support builtin, experimental, native class and Feature::Compat::Class
Local Packages
Updated curl (rc) to new upstream release candidate 8.20.0~rc1
Updated perl-IO-Tty to 1.27 as per the Fedora version
Updated perl-Module-Metadata to 1.000039 as per the Fedora version
Updated perl-Mouse to 2.6.2:
Fix the conversion from floating point number to string with quadmath Perl (GH#126)
Updated perl-Perl-PrereqScanner-NotQuiteLite to 0.9918 as per the Fedora version
Monday 6th April 2026
Local Packages
Updated perl-ExtUtils-ParseXS to 3.63:
Allow 'length(foo)' to work with any 'foo' type that has 'SvPV_nolen()' or similar in its typemap, not just that it maps to T_PV
Use static, not STATIC
Rewrite perlxs.pod
- Finish refactoring to use an Abstract Syntax Tree (AST) internally
- Improve warning and error messages
- Improve test coverage
Reorganise t/
Updated perl-Net-Daemon to 0.52:
- Bug fixes:
Fix dead $RegExpLock that was never acquired in ithreads mode; the lock variable existed but was never actually locked before regexp compilation, leaving ithreads unprotected; also fix share() call to pass explicit ref for runtime-loaded prototype (GH#33)
Fix ithreads auto-detection to gate on Perl 5.10+ and exclude Windows; on Perl 5.8.x threads::shared is never loaded, making lock() a no-op; on Windows, DuplicateHandle() corrupts Winsock sockets - WSADuplicateSocket() is required instead (GH#19, GH#30, GH#50)
Correct $eventId hash key typo in Log.pm that prevented event IDs from being logged (GH#36)
Fix Done() call in test server Loop method - was called without arguments, preventing proper server shutdown (GH#38)
Clean up stale test artifacts (log, ndtest.cnt) (GH#40)
Harden ReadConfigFile against $@ contamination and $! errors (GH#44)
Skip pidfile write when pidfile option is not set, preventing spurious empty pidfile creation (GH#45)
Close cloned listening socket in ithreads handler threads; Perl ithreads dup every open handle into new threads; on Windows closing these at thread exit invalidated the parent's handle; also re-add Windows skip with root-cause documentation (GH#19, GH#30, GH#46)
Address CPAN testers failures in t/reap.t and t/fork.t (GH#48)
Skip ithread-detach.t on Perl < 5.10 (GH#49)
Verify privilege drop succeeded in Bind(); assigning to $>/$) silently fails without permission - the daemon would continue running as root (GH#51)
Use POSIX::setuid/setgid for permanent privilege drop in Bind(); the previous $< = ($> = $user) left saved-set-user-ID as root, allowing a compromised process to regain privileges (GH#55)
- Improvements:
Modernize open() calls to 3-arg form with lexical filehandles throughout the codebase (GH#41)
- Maintenance:
Fix POD typos and remove outdated alpha warning (GH#37)
Fix stale --mode=threads references and config example syntax in documentation (GH#39)
Update ancient FSF address in Net::Daemon::Test copyright (GH#34, GH#35)
Convert server tests from raw TAP to Test::More (GH#42)
Convert ithreads tests to Test::More and fix Test.pm fd leak (GH#43)
Convert remaining tests (loop.t, loop-child.t, unix_clients.t, forkm.t) to Test::More (GH#47)
Updated perl-Pod-Simple to 3.48:
Tuesday 7th April 2026
Fedora Project
Branched and built perl-Test-Command (0.11) for EPEL-10
Wednesday 8th April 2026
Fedora Project
Updated perl-Business-ISBN-Data to 20260408.001 in Rawhide:
- Data update for 2026-04-08
Thursday 9th April 2026
Fedora Project
Updated bluefish to 2.4.1 in F-44 and EPEL-10
Friday 10th April 2026
Fedora Project
Updated perl-Apache-Session-Browseable (1.3.18) in Rawhide to BR: perl(DBD::Cassandra) to improve test coverage (PR#3)
Updated perl-Business-ISBN-Data to 20260410.001 in Rawhide:
- Data update for 2026-04-10
Updated perl-Mail-Message to 4.05 in Rawhide:
- Fixes:
Parse X-MLServer
$msg->string must end with a newline
- Fold fields with newline
- Improvements:
Mail::Message->new(message_id) replacing messageId: parameters should not use camel-casing; old attribute now deprecated
Mail::Message add clean attributes for fieldType, headType, bodyType, and isTrusted
Remove version of introduction indicators '[3*]', because version 4 is not backwards compatible anyway
Local Packages
Updated dovecot (2.4) to 2.4.3:
CVE-2025-59028: Invalid base64 authentication could cause DoS for other logins
CVE-2025-59031: decode2text.sh OOXML extraction may follow symlinks and read unintended files during indexing (fixed by dropping the script)
CVE-2026-24031: SQL injection possible if auth_username_chars is configured empty (fixed escaping to always happen; v2.4 regression)
CVE-2026-27859: Excessive RFC 2231 MIME parameters in email would cause excessive CPU usage (fixed by limiting number of parameters to process)
CVE-2026-27860: LDAP query injection possible if auth_username_chars is configured empty (fixed escaping to always happen; v2.4 regression)
CVE-2026-27857: Sending excessive parentheses causes imap-login to use excessive memory
CVE-2026-27856: doveadm credentials were not checked using timing-safe checking function
CVE-2026-27855: OTP driver vulnerable to replay attack
Remove default service/*/service_extra_groups=$SET:default_internal_group; they are now replaced by default mail_access_groups=$SET:default_internal_group
The version file has been renamed as version.txt to avoid clash with C++ headers
- auth: oauth2 - Do not export token automatically, must be exported using fields
config: Don't accept 0 as meaning unlimited any more for last_valid_uid, last_valid_gid, mail_cache_max_headers_count, mail_cache_max_header_name_length, mail_vsize_bg_after_count, mail_sort_max_read_count, message_max_size, submission_max_recipients and quota_mail_size
- imap, pop3: Don't autoexpunge if Dovecot is shutting down or process is killed
imap: LIST - Handle invalid mUTF-7 mailbox names as never matching anything
lazy-expunge: Change lazy_expunge_only_last_instance default to yes
lda: Use EX_TEMPFAIL (75) if configuration is invalid instead of 89; v2.4 regression
lib-master: Increase ANVIL_DEFAULT_LOOKUP_TIMEOUT_MSECS from 5s to 30s
lib: crc32 - Use zlib's built-in CRC32 function
- Improve UTF-8 support for mail storage
- auth: Add default auth-token UNIX socket for token-based authentication
doc: solr-config-9.xml - Make it compatible with Solr 9.8.0
doveadm: dsync - Search mails when exporting to reduce number of mails exported by dsync-server
dovecot-sysreport: Add -D|--destdir support
imap, imap-hibernate: Use DOVECOT-TOKEN authentication for unhibernation; default imap-master socket permissions have been changed due to this
imap: Add APPENDLIMIT capability when configured with quota_mail_size
imap: Support STATUS (DELETED) for IMAP4rev2
imapc: Add support for SEARCH MIMEPART
- imapc: Improve error forwarding
imapc: Support SORT and ESORT extensions
imapc: Support STATUS (DELETED) for IMAP4rev2
lib-sql: Support parameterized queries
lib-test: Add new test-dir API for better temporary test directory handling
lmtp: Advertise SIZE capability when configured with quota_mail_size
lmtp: Support XCLIENT DESTADDR and DESTPORT
pop3-login: proxy - Add support for XCLIENT DESTIP and DESTPORT
submission-login: proxy - Add support for XCLIENT DESTIP and DESTPORT
- Various optimizations have been made to the code
- Fix building dovecot with BSD, Solaris and macOS
auth: Crash would occur if users were iterated but userdb_ldap_iterate_fields was not set
- auth: Fix request leak when client authenticates with unsupported mechanism
auth: Some passdbs would default to PLAIN instead of CRYPT scheme
- config: Section and setting names could have been intermixed, resulting in the setting being silently ignored
configure: Fix checking if BUILD_IMAP_HIBERNATE is set
doveadm: dsync - -e parameter was handled wrong with dsync-server
fts-flatcurve: Mailbox leak would occur if mailbox failed to open
- imap: Fix potential issues with unhibernation and process state handling
imapc: SEARCH failure handling was done wrong
imapc: UID STORE commands included extra comma in uidset
lib-auth-client: auth-master - Fix panic when reconnecting after handshake timeout
lib-compression: Lz4 algorithm would assert-crash with malicious data
lib-dcrypt: Fix digest algorithm handling
lib-dict: Escape username paths to prevent traversal issues with dict-fs
lib-http: Fix HTTP parsing edge cases and state handling
lib-iostream: Disallow empty ssl_min_protocol
lib-json: Fix incorrect character handling logic
lib-ldap: Fix various TLS-related bugs
lib-mail: Fix charset translation and MIME parsing edge cases
lib-mail: Fix multiple bounds checks and parsing issues in message handling
lib-var-expand: Multiple fixes and improvements for expansion handling
- lib: Fix punycode decoding out-of-bounds reads
- lib: Fix unicode normalization edge cases causing crashes
lib-http: Chunked transfer trailer size was not limited
login-common: Improve logging and internal error handling
login-common: login_log_format_elements was split by spaces naively, which could break variable expansion; use template-aware splitting now
master: Dovecot would fail to start if listen directive was used and dovenull or dovecot user was missing
- pop3c: Connection might've hung with SSL
- util: Fix handling of environment variables containing control characters
- Many other bugs have been fixed
Updated pigeonhole to 2.4.3:
CVE-2026-27858: managesieve-login can allocate large amount of memory during authentication
CVE-2025-59032: ManageSieve panic occurs with sieve-connect as a client
lib-sieve: Don't accept 0 as meaning unlimited any more for sieve_quota_script_count and sieve_quota_storage_size
managesieve-login: If mail_max_userip_connections is reached, return LIMIT/CONNECTIONS resp-code
managesieve-login: proxy - Return unexpected backend failures as TRYLATER/NORETRY resp-code
managesieve: Remove default service_extra_groups=$SET:default_internal_group
managesieve-login: proxy - Add support for XCLIENT DESTIP and DESTPORT
- imapsieve: Fix panic occurring upon implicit flag changes
lib-sieve: include-extension - Fix crash occurring when previous global command has no arguments
lib-sieve: Fix erroneous attempt to read active script for non-personal storage
lib-sieve: ldap: Fix linking non-shared LIBDOVECOT
I had to hack the configure script to specify a custom TEST_DIR value because the path name of the default TEST_DIR in the buildsystem is too long to be able to use a unix-domain socket in it and as a result, test-imap-client-hibernate would fail
Saturday 11th April 2026
Fedora Project
Updated perl-Business-ISBN-Data to 20260411.001 in Rawhide:
- Data update for 2026-04-11
Updated perl-Net-CIDR-Lite to 0.23 in F-42, F-43, F-44, Rawhide, EPEL-8, EPEL-10.1, EPEL-10.2 and EPEL-10:
Security: Fix IPv4 mapped IPv6 packed length (CVE-2026-40199)
Security: Reject invalid uncompressed IPv6 (CVE-2026-40198)
Local Packages
Updated perl-Net-CIDR-Lite to 0.23 as per the Fedora version
Monday 13th April 2026
Fedora Project
Updated gtkwave to 3.3.127 in F-44, Rawhide and EPEL-10:
- Fix for fixed point shift that does not disable it on the specify value change menu option
Changed ps2pdf to pstopdf on Mac as ps removed by Sonoma
Warnings fix in vcd2fst for missing string.h include
Added FST_ST_SV_ARRAY (FST) and "sv_array" (VCD) for arrays (gtkwave/libfst#17)
Wrote replacement for gdk_pixbuf_new_from_xpm_data
Update FSDB to handle FST_ST_SV_ARRAY (VCS emits this), FSDB_ST_SV_INTERFACEPORT_REF, and FSDB_VT_STRING
Added "SV_ST_ARRAY" to exclude file parsing on init
Fix use after free of GLOBALS->entrybox_text in regexp_highlight_generic()
I dropped the dependency on gdk-pixbuf2-modules-extra (added for GH#417), XPM support now done locally
Local Packages
Updated curl (rc) to new upstream release candidate 8.20.0~rc2
Updated gtkwave to 3.3.127 as per the Fedora version
Updated perl-version to 0.9934:
Reorder "v" check to avoid forward goto
Fix string comparisons with $] to use numeric comparison instead
Remove unnecessary shebang in version.pm
Thursday 16th April 2026
Fedora Project
Updated perl-Devel-CallParser to 0.004 in Rawhide:
Fix failing tests where '.' was removed from INC
Fix cpantester fails on debug perls; switch to a rv2cv op that dereferences a code reference, matching what Perl expects as the last child of OP_ENTERSUB: newUNOP(OP_RV2CV, 0, newSVOP(OP_CONST, 0, newRV_inc((SV*)cv)));
Fix qerror compatibility across perl versions: declare Perl_qerror via EXTERN_C to fix implicit declaration error on blead perl 5.43.9+ and avoid Perl_yyerror linker failure on Windows
PERL_VERSION_GE is now wrapped in #ifndef so it skips the local definition when Perl's handy.h already defines it
The qerror fallback now checks for Perl_qerror first (older Perls), and falls back to Perl_yyerror
Fix t/leximport.t failures on threaded/debugging Perl builds: add find_lexical_cv() helper that checks %^H hints hash directly for Lexical::Sub CVs before falling back to rv2cv_op_cv() lookup
Friday 17th April 2026
Fedora Project
Updated perl-Business-ISBN-Data to 20260416.001 in Rawhide:
Stop unintended autovivification of ISBN_RANGE_MESSAGE (GH#236)
Sunday 19th April 2026
Fedora Project
Updated perl-Finance-Quote to 1.69 in F-42, F-43, F-44, Rawhide, EPEL-9, EPEL-10.1, EPEL-10.2 and EPEL-10.3:
Sinvestor.pm: Trim whitespace before parsing date and price
XETRA.pm: Trim whitespace from date-time before extracting the actual date value (GH#557)
Modified Stooq.pm to send cookies
- Stooq requires European visitors to their website to accept cookies
Cookies are set using JavaScript
- Current version of module hard codes these cookies gleaned from a browser session
Added CurrencyRates/TwelveData.pm
Updated perl-Module-Extract-Use to 1.055 in Rawhide:
extract_modules can now search PATH for file
Local Packages
Updated perl-Module-Extract-Use to 1.055 as per the Fedora version
Monday 20th April 2026
Local Packages
Updated perl-Module-CoreList to 5.20260420:
- Updated for v5.43.10
Wednesday 22nd April 2026
Fedora Project
Branched and built perl-autovivification (0.18) for EPEL-9
Branched and built perl-Business-ISBN-Data (20260416.001) for EPEL-9, EPEL-10.2 and EPEL-10
Branched and built perl-Data-Compare (1.29) for EPEL-10.2 and EPEL-10
Branched and built perl-Scalar-Properties (1.100860) for EPEL-10.2 and EPEL-10
Monday 27th April 2026
Fedora Project
Updated perl-Business-ISBN-Data to 20260424.001 in Rawhide:
- Data update for 2026-04-24
Updated perl-MetaCPAN-Client to 2.042000 in Rawhide:
Updated perl-Module-Signature to 0.95 in Rawhide:
- Announce deprecation of the module
Updated perl-PPI to 1.286 in Rawhide:
Updated perl-YAML-Syck to 1.45 in F-42, F-43, F-44, Rawhide, EPEL-9, EPEL-10.2 and EPEL-10:
- Bug Fixes:
Fix: Use syck_base64_free() to fix Windows "Free to wrong pool" crash in base64 encode/decode buffers; also plugs a memory leak (GH#189)
Fix: Clear type tag on blessed scalar alias early-return so the stale tag no longer leaks onto the next emitted item (GH#193, GH#194, Bug #2459200)
Fix: Negative float#base60 values produce wrong results; strip sign before accumulating and avoid negative zero for portable stringification (GH#191)
Fix: Prevent memory leaks when Load/LoadJSON croak on parse errors (GH#192)
- Maintenance:
Local Packages
Updated curl (rc) to new upstream release candidate 8.20.0~rc3
Updated dovecot (2.4.3) to dump the test log if the test suite fails
Updated java-1.8.0-oracle to Java SE 8 update 491
Updated libgpg-error to 1.60 (https://dev.gnupg.org/T8112):
New error codes (https://dev.gnupg.org/T6644)
- Fix a use-after-scope of a Windows handle array
Fix cross compiling for wasm32-unknown-emscripten
New symbols: GPG_ERR_PUBKEY_NON_COMPLIANT, GPG_ERR_CIPHER_NON_COMPLIANT, GPG_ERR_DIGEST_NON_COMPLIANT
Updated perl-DateTime-TimeZone to 2.68:
- This release is based on version 2026b of the Olson database
- Contemporary changes for British Columbia, CA
Updated perl-MetaCPAN-Client to 2.042000 as per the Fedora version
Updated perl-Module-Signature to 0.95 as per the Fedora version
Updated perl-PPI to 1.286 as per the Fedora version
Updated perl-YAML-LibYAML to 0.906.0:
Updated perl-YAML-Syck to 1.45 as per the Fedora version
Tuesday 28th April 2026
Fedora Project
Updated perl-IO-Tty to 1.29 in Rawhide:
- Bug Fixes:
Fix make_slave_controlling_terminal() on Solaris/HP-UX to use _open_tty() instead of IO::Tty->open(), ensuring STREAMS modules (ptem, ldterm, ttcompat) are pushed via I_PUSH when the slave is opened for controlling terminal setup - parallel fix to the slave() method fix in 1.24 (GH#69)
Fix Perl 5.40+ "Possible memory corruption: ioctl overflowed 3rd argument" warning in clone_winsize_from() and get_winsize(); use pack_winsize(0,0,0,0) to pre-allocate the ioctl buffer with SvCUR matching sizeof(struct winsize) instead of an empty string (GH#74)
Fix diagnostic warnings being silently suppressed when callers use lexical "use warnings" (the modern standard since Perl 5.6); $^W and PL_dowarn only fire under perl -w - replaced with warnings::enabled() in IO::Tty and IO::Pty (GH#76) and ckWARN(WARN_IO) in Tty.xs (GH#79)
Fix file descriptor leak in IO::Pty when new_from_fd() fails after pty_allocate() or _open_tty() returns raw C-level fds; added POSIX::close() calls on the raw fds before croaking at three sites in new() and slave() (GH#77)
Fix openpty() detection on Alpine Linux and other musl-based systems where openpty() has moved from libutil into libc (glibc 2.34+); probe libc first before falling back to -lutil (GH#78)
Fix -Wsign-compare compiler warnings: change namebuflen parameter type from int to size_t in open_slave() and allocate_pty() to match the return type of strlcpy() and the size argument of snprintf() (GH#80)
Fix spurious "_FORTIFY_SOURCE requires compiling with optimization" warnings during configure probes when $Config{optimize} (e.g. -Os) is separate from $Config{ccflags}; include optimize flags in all configure probe compilations (GH#81)
Fix header probes in Makefile.PL missing platform extension defines (_GNU_SOURCE, _BSD_VISIBLE, etc.) that function probes already included; bare #includes could cause HAVE_PTY_H and similar to be unset on strict POSIX systems even when the header exists (GH#84)
- Fix configure-time function detection probes being broken by compiler optimization:
The probes stored function pointers in local variables that -O2/-Os (added to probe flags in GH#81) eliminated as dead stores, so the linker never saw the function reference; on systems where openpty() lives in -lutil (older glibc, BSDs), the probe falsely succeeded without -lutil, producing "undefined symbol: openpty" at runtime
Fixed by storing the function pointer in a file-scope global variable that the optimizer cannot eliminate (GH#87, GH#88)
- Improvements:
Use L<> instead of C<> for cross-module POD references in Tty.pm and Pty.pm so MetaCPAN renders IO::Pty, IO::Handle, and IO::Stty as clickable links (GH#86)
- Maintenance:
Modernize POD in Tty.pm and Pty.pm: remove stale platform version references (FreeBSD 4.4, OpenBSD 2.8, HPUX 10.20, Solaris 2.6), replace defunct SourceForge/mailing list URLs with GitHub issue tracker (GH#70)
Modernize the 'try' example script: add strict/warnings, my declarations, 3-arg open, and lexical filehandles; the script is shipped to CPAN and referenced in POD as the canonical usage example (GH#73)
Strengthen test coverage for set_raw() and winsize: verify all termios flags set by cfmakeraw (iflag, oflag, PARENB, CSIZE, CS8, VMIN, VTIME) and add a test for the unpack_winsize() length-validation croak (GH#75)
Update GitHub Actions to Node.js 24 versions: actions/checkout v6, cross-platform-actions/action v1, perl-actions/install-with-cpm v2; required before GitHub forces Node.js 24 in June 2026 (GH#85)
Add Ubuntu LTS version matrix (20.04, 22.04, 24.04) to the GitHub Actions test suite; exercises the system perl on each current Ubuntu LTS release via Docker containers, running after the main ubuntu job (GH#89)
I needed to add a patch to fix detection of openpty() in libutil on older Fedora releases (GH#92)
Updated perl-Module-Signature to 0.96 in Rawhide:
- Fix issue from last release where search keys is interactive
Local Packages
Updated perl-IO-Tty to 1.29 as per the Fedora version
Updated perl-Module-Signature to 0.96 as per the Fedora version
Wednesday 29th April 2026
Fedora Project
Updated perl-Text-CSV_XS to 1.62 in F-42, F-43, F-44, Rawhide, EPEL-8, EPEL-9, EPEL-10.1, EPEL-10.2 and EPEL-10:
- It is 2026
Fix possible stack corruption (GH#65, CVE-2026-7111)
Updated proftpd (1.3.8d) in EPEL-9 to fix potential SQL injection via mod_sql (GH#2052, CVE-2026-42167)
Local Packages
Updated curl to 8.20.0:
async-thrdd: Use thread queue for resolving
- build: Make NTLM disabled by default
- cmake: Drop support for CMake 3.17 and older
- lib: Add thread pool and queue
lib: Drop support for c-ares < 1.16.0
- lib: Make SMB support opt-in
multi.h: Add CURLMNWC_CLEAR_ALL
- rtmp: Drop support
altsvc: Cap the list at 5,000 entries
altsvc: Drop the prio field from the struct
altsvc: Skip expired entries read from file
asyn-ares: Connect async
asyn-ares: Drop orphaned variable references
asyn-ares: Fix HTTPS-lookup when not on port 443
asyn-thrdd: Drop redundant 'result' check
asyn-thrdd: Fix clang-tidy unused value warning
async-ares: Fix query counter handling
autotools: Limit checksrc target to ignore non-repo test sources
badwords-all: Exit with correct code on errors
- badwords: Combine the whitelisting into a single regex
badwords: Detect "the the" and "with with"
- badwords: Only check comments and strings in source code
- badwords: Rework exceptions, fix many of them
boringssl: Fix more coexist cases with Schannel/WinCrypt
build: Adjust/add casts to fix '-Wformat-signedness'
build: Assume 'snprintf()' in 'mprintf', drop feature check
- build: Compiler warning silencing tidy-ups
build: Drop 'openssl' module dependency for BoringSSL from 'libcurl.pc'
build: Drop duplicate 'pthread.h' includes
build: Drop redundant 'USE_QUICHE' guards
build: Enable '-Wimplicit-int-enum-cast' compiler warning, fix issues
build: Fix '-Wformat-signedness' by adjusting printf masks
build: Link 'bcrypt.lib' via vcxproj files
build: Skip detecting 'pipe2()' for Apple targets
build: Stop building and installing 'runtests.1' and 'testcurl.1'
cf-https-connect: Silence '-Wimplicit-int-enum-cast' with HTTPS-RR
cf-ip-happy: Limit concurrent attempts
cf-socket: Avoid low risk integer overflow on ancient Solaris
cfilters: Fix Curl_pollset_poll() return code mixup
clang-tidy: Avoid assignments in 'if' expressions
clang-tidy: Enable more checks, fix fallouts
- cmake: Add CMake Config-based dependency detection
cmake: Add CMake Config-based dependency detection for c-ares, wolfSSL
cmake: Do not install 'wcurl' when 'BUILD_CURL_EXE=OFF'
cmake: Do not install shell completions when 'BUILD_CURL_EXE=OFF'
- cmake: Document functions used from Windows system DLLs
cmake: Enable pthreads for BoringSSL/AWS-LC
cmake: Resolve targets recursively when generating 'libcurl.pc'
cmake: Rework binutils ld hack to not read 'LOCATION' property
cmake: Silence bad library 'Threads::Threads' warning
- cmake: Use 'AIX' built-in variable (with CMake 4.0+)
config2setopts: Make --capath work in proxy disabled builds
configure: Fix '--with-ngtcp2=<path>' option for crypto libs
configure: Fix LibreSSL ngtcp2 1.15.0+ crypto lib selection logic
configure: Prefer dependency-specific variables over '$withval'
configure: Remove superfluous experimental warning for HTTP/3
configure: Silence useless clang warnings in C89 builds
configure: Tidy up comments
connect: Fix typo on error message
- cookie: Fix rejection when tabs in value
curl-wolfssl.m4: Fix to use the correct value for pkg-config directory
curl.h: Replace macros with C++-friendly method to enforce 3 args
curl_ctype.h: Fix spelling in a couple of locally used macros
curl_get_line: Error out on read errors
curl_get_line: Fix potential infinite loop when filename is a directory
curl_ngtcp2: Extend and update callbacks for 1.22.0+
curl_ntlm_core: Drop redundant PP condition
curl_ntlm_core: Use wolfCrypt DES API with wolfSSL
curl_setup.h: Drop stray/unused 'USE_OPENSSL_QUIC' guard
curl_sha512_256: Support delegating to wolfSSL API
curl_version_info.md: Clarify age details
CURLOPT_HAPROXY_CLIENT_IP.md: Mention assumption on data format
CURLOPT_RTSP_SESSION_ID.md: Clarify reuse "dangers"
CURLOPT_RTSP_SESSION_ID.md: Expand the comment
CURLOPT_RTSP_SESSION_ID.md: Minor language fix
CURLOPT_SOCKS5_AUTH.md: An access property
CURLOPT_SSL_CTX_FUNCTION.md: Expand on effects connection reuse
CURLOPT_UPLOAD_FLAGS.md: Expand
curlx_now(): Prevent zero timestamp
DEPRECATE: Fix minor release number typo
- digest: Pass in the user name quoted (as well)
- dns: https-eyeballing async
- dnscache: Own source file, improvements
docs/cmdline-opts/write-out.md: tls_earlydata was added in 8.13.0
docs/cmdline-opts: Tidy up retry-connrefused
- docs/lib: Fix typos
docs/libcurl: Improve easy setopt examples
docs: Clarify retry-max-time timing
docs: CURLOPT_LOGIN_OPTIONS is a login property
- docs: Enable more compiler warnings for C snippets, fix 3 finds
- docs: List more dependencies for running Python HTTP tests
- docs: Mention more zip bomb precautions
- docs: Minor wording tweaks
docs: noproxy wants the punycoded hostname version
- docs: SSH host verification is done at connect time
docs: Use the correct CURLOPT_WRITEFUNCTION signature
- doh: Fix memory-leak when doing a second DoH resolve
doh: Remove superfluous doh_req check
examples/websocket: Fix to sleep more on Windows
- examples: Drop warning silencers no longer hit
- examples: Fix typo in comment
- file: init fd to -1 to prevent close fd 0 on early failure
fopen: For temp files, inherit permissions only for owner
ftp: Do not strdup DATA hostname
- ftp: Make the MDTM date parser stricter (again)
ftp: Reject PWD responses containing control characters
gcc: Guard '#pragma diagnostic' in core code for <4.6
generate.bat: Remove extra % from VC11 and VC12 runs
genserv.pl: Make external calls safe
getinfo: Initialize 'PureInfo' field 'used_proxy'
getinfo: Repair CURLINFO_TLS_SESSION
gnutls: Fix clang-tidy warning with !verbose
gtls: Fail for large files in 'load_file()'
- h3: HTTPS-RR use in HTTP/3
- Happy Eyeballs: Add resolution time delay
- haproxy: Use correct ip version on client supplied address
hostip: Clear the sockaddr_in6 structure before use
hostip: init the curl_jmpenv_lock appropriately
- hostip: Resolve user supplied ip addresses
- HSTS: Cap the list
hsts: Make the HSTS read callback handle name dupes
- hsts: Skip expired HSTS entries read from file
- hsts: When a dupe host adds subdomains, use that
- http2: Clear the h2 session at delete
- http2: Prevent secure schemes pushed over insecure connections
- http2: return error on OOM in push headers
HTTP3.md: Drop outdated mentions of OpenSSL-QUIC
http: Clear credentials better on redirect (CVE-2026-6429)
- http: Clear digest nonce on cross-origin redirect
http: Clear the proxy credentials as well on port or scheme change (CVE-2026-6253)
http: Fix auth_used and auth_avail
http: Fix Curl_compareheader for multi value headers
http: Make Curl_compareheader handle multiple commas in header
http: On 303, switch to GET
http: Use header_has_value() instead of duplicate code
imap: Reset the UIDVALIDITY state between transfers
include: Drop 'will' from public headers
INSTALL.md: Update Cygwin instructions
keylog.h: Replace literal number with macro in declaration
keylog: Drop unused/redundant includes and guards
ldap: Drop duplicate 'ldap_set_option()' on Windows
- ldap: Fix to initialize cleartext connection on Windows
lib1560: Fix comment typo
lib1960: Fix test failure
lib: Accept larger input to md5/hmac/sha256/sha512 functions
lib: Always use Curl_1st_fatal instead of Curl_1st_err
- lib: Fix typos in comments
- lib: Make resolving HTTPS DNS records reliable
- lib: Minor comment typos
- lib: Move request specific allocations to the request struct
lib: Replace 'PRI*32' printf masks with C89 ones
libssh2: Allocate libssh2-friendly memory in kbd_callback
libssh2: Fix error handling on quote errors
libssh: Fix 64-bit printf mask for mingw-w64 ≤ 6.0.0
libssh: Fix '-Wsign-compare' in 32-bit builds
libssh: Path length precaution
libssh: Propagate error back in SFTP function
libtest: Drop duplicate include
location/follow: Mention netrc
man: Fix argument type for 'CURLSHOPT_[UN]SHARE' options
mbedtls: Clean up more without care for 'initialized'
mbedtls: Fix ECJPAKE matching
mbedtls: Remove failf() call with first argument as NULL
- md4, md5: Switch to wolfCrypt API in wolfSSL builds
- mime: Only allow 40 levels of calls
- misc: Fix code quality findings
mk-ca-bundle.pl: Make ca-bundle.crt timestamp match certdata.txt's
- multi: Enhance pending handles fairness
- multi: Fix connection retry for non-http
- multi: Improve wakeup and wait code
netrc: Find login-less password when user is given in URL
netrc: Remove unused parsenetrc() macro for netrc-disabled
netrc: Skip malformed macdef lines
openssl channel_binding: Lookup digest algorithm without NID
- openssl: Drop obsolete SSLv2 logic
- openssl: Fix build with 4.0.0-beta1 no-deprecated
- openssl: Fix memory leaks in ECH code (OpenSSL 3)
openssl: Fix unused variable warnings in !verbose builds
- openssl: Trace count of found / imported Windows native CA roots
- OS400: Add new definitions to the ILE/RPG binding
os400sys: Fix typo in comment (symetry -> symmetry)
parsedate: bsearch the time zones
parsedate: Fix wrong treatment of "military time zones"
parsedate: Refactor
- perl: Harden external command invocations
- progress: Count amount of data "delivered" to application
protocol.h: Fix the CURLPROTO_MASK
protocol: Disable connection reuse for SMB(S) (CVE-2026-5773)
- protocol: Use scheme names lowercase
- proxy: Chunked response, error code
pytest: Add additional quiche check for flaky test_05_01
pytest: Check 429 handling
rand: Use 'BCryptGenRandom()' in UWP builds
- ratelimit: Reset on start
request: Reset resp_trailer in new requests
- runtests: Skip setting ed25519 SSH key format
rustls: Fix memory leak on repeated SSLKEYLOGFILE fails
- rustls: Handle EOF during initial handshake
- schannel: Increase renegotiation timeout to 60 seconds
scripts: Drop redundant double-quotes: '"$var"' -> '$var' (Perl)
scripts: Harden / tidy up more Perl 'system()' calls
sectrust: Fail on missing OCSP stapling (CVE-2026-7009)
sendf: Fix CR detection if no LF is in the chunk
setopt: Clear proxy auth properties when switching (CVE-2026-7168)
setopt: Fix typos in comments
setopt: Move CURLOPT_CURLU
- setup connection filter: Mark as setup
sha256, sha512_256: Switch to wolfCrypt API
sha256: Support delegating to wolfSSL API
- share: Concurrency handling, easy updates
- share: Do bitshifts after the type is checked to be valid
- socks: Reject zero-length GSSAPI/SSPI tokens from proxy
- socks: Use dns filter for resolving
- spelling: Fix typos
src: Use ftruncate() unconditionally
sshserver.pl: Harden more 'system()' calls
sshserver.pl: Pass command-line to 'system()' safely
strerr: Correct the strerror_s() return code condition
- sws: Fix potential OOB write
synctime: Fix off-by-one read and write to a read-only buffer (Windows)
- test 766: Flag as timing-dependent
test1675: Unit tests for URL API helper functions
test459: Switch to mode="warn" for stderr check
testcurl.pl: Replace shell commands with Perl 'rmtree()'
tests/unit/README: Describe how to unit test static functions
tests: Avoid infinite recursion for 'make check'
tests: Use %b64[] instead of "raw" base64
tool: Check for curlinfo->age when determining if ssh backend
- tool: Fix memory mixups
- tool: Fix retries in parallel mode
- tool: Fix two more allocator mismatches
tool_cb_hdr: Only truncate etags output when regular file
tool_cb_rea: Make waitfd() return void
tool_cb_wrt: Fix no-clobber error handling
tool_cfgable: Free the SSL signature algorithms
tool_dirhie: Fix to create drive-relative directory
tool_formparse: Propagate my_get_line errors when reading headers
tool_getparam: Use correct free function for libcurl memory
tool_ipfs: Accept IPFS gateway URL without set port number
tool_msgs: Avoid null pointer deref for early errors
tool_operate: Actually apply the --parallel-max-host limit
tool_operate: Drop the scheme-guessing in the -G handling
tool_operate: Fix condition for loading 'curl-ca-bundle.crt' (Windows)
tool_operate: Fix memory-leak on failed uploads
tool_operate: Fix minor memory-leak on early error
tool_operate: Reset the upload glob counter for next URL
tool_operhlp: Fix 'add_file_name_to_url()' result on OOM
tool_operhlp: Iterate through all slashes to find name
tool_operhlp: Propagate low-level OOM in 'add_file_name_to_url()'
tool_setopt: Return error on OOM correctly
tool_urlglob: Fix memory-leak on glob range overflow
- top-complexity: Prevent filename-based shell injection risk
- transfer: Clear the old autoreferer
- transfer: Clear the URL pointer in OOM to avoid UAF
- transfer: Enable custom methods again on next transfer
- transfer: Enhance secure check
unit1675: Fix '-Wformat-signedness'
url: Do not reuse a non-tls starttls connection if new requires TLS (CVE-2026-4873)
url: Improve connection reuse on negotiate (CVE-2026-5545)
url: init req.no_body in DO so that it works for h2 push
url: Set default upload flags to CURLULFLAG_SEEN
- url: Use the socks type for socks proxy
- url: Use URL for url even in comments
urlapi: Fix handling of "file:///"
urlapi: Make dedotdotify handle leading dots correctly
- urlapi: Same origin tests
urlapi: Stop extracting hostname from file:// URLs on Windows
- urlapi: Verify the last letter of a scheme when set explicitly
urldata.h: Fix typo and lingering backtick
urldata: Connection bit ipv6_ip is wrong
- urldata: Import port types and conn destination format
urldata: Make hstslist only present in HSTS builds
urldata: Make speeder_c uint32
urldata: Move cookiehost to struct SingleRequest (CVE-2026-6276)
urldata: Remove trailers_state
- vquic: Fix variable name in fallback code
- vtls: Fix comment typos and tidy up a type
- vtls: Log when key logging is enabled
vtls_scache: Check reentrancy
vtls_scache: Include cert_blob independently of verifypeer
- wolfssl: Document v5.0.0 (2021-11-01) as minimum required
wolfssl: Fix '-Wmissing-prototypes'
- wolfssl: Fix handling of abrupt connection close
write-out.md: Minor language fix
write-out.md: tls_earlydata was added in 8.13.0
ws: Fix a blocking curl_ws_send() to report written length correctly
x509asn1: Fix to return error in an error case from 'encodeOID()'
x509asn1: Fixed and adapted for ASN1tostr unit testing
x509asn1: Improve encodeOID
Updated perl-Text-CSV_XS to 1.62 as per the Fedora version
Thursday 30th April 2026
Fedora Project
Updated perl-MetaCPAN-Client to 2.043000 in Rawhide:
Updated perl-Test-Most to 0.41 in Rawhide:
Prevent strange import behaviour caused by @EXPORT twiddling
Updated proftpd to 1.3.9a in F-42, F-43, F-44, Rawhide, EPEL-10.1, EPEL-10.2 and EPEL-10:
SCP transfers failed for files with spaces in their names (GH#1886)
LDAPDefaultGID ignored since 1.3.9 (GH#1898)
Compilation of mod_wrap2 failed when the --enable-wrapper-options configure option was used (Bug #4512)
mod_sftp failed to parse authorized user/host public keys with CRLF line endings (GH#1904)
Uploads using MODE Z sometimes resulted in corrupted files or broken transfers (GH#1896)
Remove usage of the deprecated MYSQL_OPT_RECONNECT option for newer MySQL versions (GH#1911)
Update usage of MySQL API for SSL/TLS connections to server (GH#340)
mod_sftp leaked file descriptor when reading SFTPHostKey file (GH#1959)
Large/slow SCP downloads could be unnecessarily truncated by TimeoutStalled (GH#1964)
Handling of CRLs in mod_tls was incorrect, leading to confusing errors (GH#1960)
Resumed SSL_SESSION management in mod_tls led to memory growth, infinite loop using newer OpenSSL versions (GH#1963)
mod_quotatab_ldap interactions could lead to segfault due to stale pointer (GH#1984)
RNTO before authentication led to out-of-order response codes (GH#2003)
MaxLoginAttemptsFromUser event never triggered in mod_ban for SFTP sessions (GH#2009)
Using toupper(3) on non-ASCII FTP command bytes might cause remote DoS (GH#2019)
Out-of-bounds single byte read when FTP command input buffer starts with LF (GH#2020)
FTP command LIST/NLST -B could cause buffer overflow when listing certain crafted filenames (GH#2030)
Memory exhaustion with mod_log_forensic when downloading very large files via SFTP (GH#2043)
Setting process groups during authentication crashed when using mod_radius and <IfGroup> (GH#2046)
SQL injection possible via mod_sql because of is_escaped_text() logic error (GH#2052, CVE-2026-42167)
Local Packages
Updated perl-MetaCPAN-Client to 2.043000 as per the Fedora version
Updated perl-Test-Most to 0.41 as per the Fedora version
Updated proftpd to 1.3.9a as per the Fedora version
Updated unrar to 7.21