Paul's Blog Entries for May 2026
Friday 1st May 2026
Fedora Project
Updated perl-Test-MockModule to 0.182.0 in Rawhide:
See https://github.com/geofffranks/test-mockmodule/releases for details
Highlight: Moose and Mouse meta-class aware mocking (GH#55)
Local Packages
Updated perl-Test-MockModule to 0.182.0 as per the Fedora version
Sunday 3rd May 2026
Fedora Project
Updated perl-Test-MockModule to 0.183.0 in Rawhide:
Local Packages
Updated perl-Test-MockModule to 0.183.0 as per the Fedora version
Monday 4th May 2026
Fedora Project
Updated perl-Business-ISBN-Data to 20260502.001 in Rawhide:
Data update for 2026-05-02
Branched and built perl-Data-GUID (0.051) for EPEL-10.2 and EPEL-10
Tuesday 5th May 2026
Fedora Project
Branched and built perl-Class-C3 (0.35) for EPEL-10.2 and EPEL-10
Branched and built perl-Config-Any (0.33) for EPEL-10.2 and EPEL-10
Branched and built perl-MooseX-Types-Path-Class (0.09) for EPEL-10.2 and EPEL-10
Wednesday 6th May 2026
Fedora Project
Updated perl-Test-MockModule to 0.184.0 in Rawhide:
Fix: Restore noop() to return 1 for backward compatibility (GH#80)
Local Packages
Updated perl-Test-MockModule to 0.184.0 as per the Fedora version
Packaged proftpd 1.3.10rc1 with init via mod_systemd using Type=notify-reload, for testing (not in DNF repository, must be downloaded and installed manually)
Thursday 7th May 2026
Fedora Project
Updated perl-Authen-Radius to 0.36 in Rawhide:
Treat EINTR from can_read() as a retryable signal interruption rather than ETIMEOUT, so a signal arriving during recv_packet() no longer triggers a spurious retransmit when the reply is actually in flight
Updated perl-Test-MockModule to 0.185.0 in Rawhide:
Revert to pre-v0.181.0 behaviour: new() returns singleton-per-package by default again; pass distinct => 1 for v0.181's fresh-object-per-call behaviour (GH#83)
New: Test::MockModule->original_for($pkg, $sub): Call the original sub from inside a mock closure without capturing $mock
Local Packages
Updated perl-Test-MockModule to 0.185.0 as per the Fedora version
Friday 8th May 2026
Fedora Project
Updated perl-Test-Most to 0.42 in Rawhide:
Restore support for 'use Test::Most import => [...]' to select which symbols to export; the 0.39 export rework broke it (GH#18)
Local Packages
Updated perl-Test-Most to 0.42 as per the Fedora version
Sunday 10th May 2026
Fedora Project
Updated perl-Business-ISBN-Data to 20260508.001 in Rawhide:
Data update for 2026-05-08
Local Packages
Updated libgpg-error to 1.61 (https://dev.gnupg.org/T8239):
Fix possible stack overflow in es_printf for %.100f format (https://dev.gnupg.org/T8240)
Fix out-of-bounds read in vfnameconcat
Add cross compile support for wasm*-*-emscripten target
Update Japanese and Polish translations
Updated perl-Archive-Tar to 3.06:
Hardlinks not extracted by default; added EXTRACT_HARDLINK flag
If hardlinks are extracted, they are now subject to the same rules as symlinks with regards to chown and chmod
Monday 11th May 2026
Fedora Project
Updated perl-Net-CIDR-Lite to 0.24 in F-43, F-44, Rawhide, EPEL-8, EPEL-10.1, EPEL-10.2 and EPEL-10:
Reject Unicode digits and trailing newlines in parser inputs (CVE-2026-45190)
Reject zero-padded CIDR masks (CVE-2026-45191)
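The two Net::CIDR::Lite fixes above are a general lesson about parsers that sit in front of an access-control decision: a pattern that tolerates Unicode digits, a trailing newline or a zero-padded mask accepts strings that a stricter consumer (a packet filter, a database, another library) will interpret differently or reject, so a check can be passed with input that is not the value the check believed it saw. The Python below is an added illustration written for this page, not code from Net::CIDR::Lite; it shows the lax and the strict forms side by side, and goes slightly beyond the two CVEs by also rejecting zero-padded octets, which the same canonical-form rule covers.

```python
import ipaddress
import re

# Lax pattern of the kind such fixes replace. In Python, as in Perl, a str-pattern
# \d matches any Unicode decimal digit (e.g. fullwidth U+FF10-FF19) and $ also
# matches just before a trailing newline, so "10.0.0.0/8\n" passes.
LAX_CIDR = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})$")

# Strict grammar: ASCII digits only, no leading zeros, octets 0-255, mask 0-32,
# anchored with \A and \Z so a trailing newline can never sneak through.
OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9][0-9]|[0-9])"
MASK = r"(?:3[0-2]|[12][0-9]|[0-9])"
STRICT_CIDR = re.compile(rf"\A{OCTET}(?:\.{OCTET}){{3}}/{MASK}\Z", re.ASCII)


def lax_parse(text: str):
    """Vulnerable parser: returns (octets, mask) or None.

    int() accepts Unicode digits, so fullwidth "１０" silently becomes 10, and the
    regex tolerates a trailing newline and zero-padded values such as "/08".
    """
    m = LAX_CIDR.match(text)
    if m is None:
        return None
    octets = [int(g) for g in m.groups()[:4]]
    return octets, int(m.group(5))


def strict_parse(text: str) -> ipaddress.IPv4Network:
    """Hardened parser: reject anything outside the canonical dotted-quad/prefix
    form before handing it to ipaddress, so every consumer sees the same value."""
    if STRICT_CIDR.match(text) is None:
        raise ValueError(f"rejected non-canonical CIDR input: {text!r}")
    return ipaddress.IPv4Network(text, strict=False)


def strict_accepts(text: str) -> bool:
    """Convenience wrapper for table-driven checks."""
    try:
        strict_parse(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed samples: one canonical input and four that only the lax parser takes.
    for sample in ("10.0.0.0/8", "10.0.0.0/8\n", "10.0.0.0/08",
                   "\uff11\uff10.0.0.0/8", "010.0.0.0/8"):
        print(f"{sample!r:24} lax={lax_parse(sample)} strict={strict_accepts(sample)}")
```

The same class of bug hit Python's own ipaddress module (CVE-2021-29921, leading zeros in octets being accepted and then read as octal by other consumers); the fix there, as here, was to reject non-canonical forms rather than to normalise them.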
Updated python-paramiko to 4.0.0 in Rawhide:
Dropped support for Python <3.9
Migrated packaging metadata and practices to use 'pyproject.toml'
Removed the now-vestigial 'ed25519' packaging 'extra' (support for this hasn't required additional dependencies in a number of releases now, just the core ones)
Moved Invoke requirement to core dependencies, and removed 'paramiko[invoke]' from extras
With those two changes, 'paramiko[all]' becomes much less useful, and has itself been axed
Removed the very old and wizened 'setup_helper.py', which was only needed on ancient (for this century) versions of macOS
Removed 'paramiko.__all__', as it was redundant (guessing it dated back to some very old Python versions; anyone using 'import *' these days - shame! - should still be fine as we never had any 'private' members in '__all__' and AFAICT that was the only reason ever to use it in the first place (as 'import *' skips names like '_private'))
Removed support for the DSA (a.k.a. DSS) key algorithm, as it has been badly outdated and insecure for a decade or more at this point, and was recently completely removed from OpenSSH as well (GH#973)
If you were still using DSA out of sheer inertia: we strongly recommend upgrading to Ed25519 (or maybe ECDSA)
If you were still using DSA because of target hosts you do not control: please continue using Paramiko 3.x
Updated python-paramiko to 5.0.0 in Rawhide:
Fix Ed25519Key's internals (paramiko.ed25519key.Ed25519Key) such that it no longer throws 'AttributeError' during calls to '__repr__' when only partly initialized; this isn't a normal runtime problem (it only happens inside error handling for fatal errors like "not a valid private key") but was perennially complicating test failure diagnosis and similar scenarios
The PKey (paramiko.pkey.PKey) class family tree reorganized the 'write_private_key' and 'write_private_key_file' methods; with other recent changes, having individual implementations on the child classes made no sense, so key writing is now implemented in PKey itself and the included child classes such as ECDSAKey (paramiko.ecdsakey.ECDSAKey) no longer define their own such methods, instead simply exposing their underlying cryptographic private key objects as '.private_key'
Added a new, optional 'file_format' keyword argument to 'PKey.write_private_key' and 'PKey.write_private_key_file' to allow writing out OpenSSH-style private key files in addition to the legacy PEM format
Warning: While the default format remains PEM in Paramiko 5, future major releases are likely to change that default to the OpenSSH format; we recommend updating any key-writing code you have to be explicit now, to insulate yourself from such an update
Raised the minimum modulus size in 'diffie-hellman-group-exchange-sha256' key exchange from 1024 (the original spec's minimum) to 2048 (the contemporary minimum according to RFC-9142, and matching a similar change by OpenSSH ten years ago in 7.2 / 2016)
Warning: This change may be backwards incompatible if you were targeting servers supporting only this kex method and whose own maximum modulus size for group-exchange was lower than 2048
Removed GSSAPI support, as the current (buggy, no longer easily testable in CI, poorly understood and not used by the core team) implementation is SHA-1 based and no SHA-256 upgrade appeared to be forthcoming from contributors
We don't like removing functionality, but this feature has been on the rocks for years and it makes sense to remove it as an insecure support burden; we will definitely consider merging a SHA256-based replacement in the future if a high-quality one appears
Side note: the GSS related constants in 'paramiko/common.py' have been left in place as they are essentially mapping out known protocol numbers
Warning: This change is backwards incompatible if you require GSS
Removed support for key exchange using SHA-1, meaning the kex methods 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha1', and 'diffie-hellman-group1-sha1' are now gone; implementing classes have been removed/merged/shuffled as required
Warning: This change is backwards incompatible if you were still supporting old systems that don't implement sha256/sha512 DH kex (or ECDH kex)
Removed support for verifying/signing with RSA keys using SHA-1 hashing; generally, this means most cases where "ssh-rsa" was used as an algorithm identifier (as opposed to a key material identifier) will no longer accept that string as valid, and the relevant code that actually used e.g. 'hashes.SHA1' no longer does
Warning: This change is backwards incompatible if you are stuck supporting legacy systems with Paramiko that are unable to use SHA2-based signatures with RSA keys (or other workarounds, such as switching from RSA keys to Ed25519 ones)
Added a 'password' kwarg to 'PKey.from_type_string' so it can handle encrypted keys like most other PKey constructors already could
Renamed 'PKey.from_path's 'passphrase' argument to 'password' so it's consistent with all the other methods of instantiating PKey objects
Warning: This change is backwards incompatible if you were using this relatively new constructor and were doing so to load encrypted keys
Removed the 'demos/' folder; they've become too big a support burden and we've wanted to remove them for years
Users who enjoyed the client-side demos should look at our wrapper library, 'Fabric (https://fabfile.org/)'
We suspect the most-used demo was 'demos/demo-server.py' and may consider adding a variant of it to the actual Python package in future
Local Packages
Updated perl-Net-CIDR-Lite to 0.24 as per the Fedora version
Updated perl-YAML-LibYAML to 0.907.0:
Turn off cyclic references by default
Tuesday 12th May 2026
Fedora Project
Updated proftpd (1.3.9a) in F-43, F-44, Rawhide, EPEL-10.1, EPEL-10.2 and EPEL-10:
Additional escaping for avoidance of SQL injection issues with %{note:...} and %{env:...}; these are on top of the existing fix for CVE-2026-42167 in 1.3.9a
Fix for SQL Injection in mod_wrap2_sql via reverse DNS hostname (CVE-2026-44331, GH#2057)
Updated proftpd (1.3.8d) in EPEL-9 as per the Rawhide version
Updated proftpd (1.3.6e) in EPEL-8 with the fix for CVE-2026-44331
Local Packages
Updated perl-Object-HashBase to 0.016:
Add [PruneCruft] to dist.ini so build artefacts (blib/, pm_to_blib, MYMETA.*) no longer leak into release tarballs
Add '@Class::Name' parent prefix to import (shortcut for use parent)
Add '&Role::Name' role prefix to import (compose Role::Tiny role)
Skip 'new' injection when Object::HashBase is imported into a Role::Tiny role
Role::Tiny is a soft requirement, loaded only when '&' prefix used
'&' prefix requires Perl 5.10+
Updated proftpd (1.3.9a) as per the Fedora version, and proftpd (1.3.10rc1) with the same fixes
Thursday 14th May 2026
Fedora Project
Updated perl-Apache-Session-Browseable to 1.3.19 in F-43, F-44, Rawhide, EPEL-8, EPEL-9, EPEL-10.1, EPEL-10.2 and EPEL-10:
Apache::Session::Generate::SHA256 used a low-entropy seed (time, PID, rand, stringified hash ref) to derive session identifiers; use Crypt::URandom to generate session ids from a cryptographically secure source, falling back to the previous hashing method only if Crypt::URandom is unavailable (CVE-2026-8503, similar in scope to CVE-2025-40931 and CVE-2025-40932)
Fix Redis indexes: never cleaned before
Improve resilience and reliability of Patroni driver
Local Packages
Updated perl-IO-Socket-IP to 0.44:
Can 'use parent' rather than 'use base' (CPAN RT#177570)
Sunday 17th May 2026
Fedora Project
Updated perl-IO-Compress to 2.220 in Rawhide:
Local Packages
Updated perl-IO-Compress to 2.220 as per the Fedora version
Monday 18th May 2026
Fedora Project
Updated perl-Authen-Radius to 0.37 in Rawhide:
Enable Rfc3579MessageAuth by default and emit Message-Authenticator as the first attribute in Access-Request packets (RFC 9716 section 4.2), mitigating the Blast-RADIUS protocol vulnerability (callers that need the previous behaviour can pass Rfc3579MessageAuth => 0 explicitly)
Stabilise t/eintr.t on loaded smokers and MSWin32 by relaxing the timeout budget and skipping the SIGALRM sub-test on MSWin32 where Time::HiRes::alarm is unimplemented
Updated perl-Crypt-DSA to 1.20 in F-42, F-43, F-44, Rawhide, EPEL-10.1, EPEL-10.2 and EPEL-10:
This module is now marked as deprecated: Crypt-DSA-GMP is a possible replacement
Improve the call to IPC::Open3::open3
Replace two arg open (CVE-2026-8704)
Replace rand() (CVE-2026-8700)
Add a security policy
Add use warnings
Typo fix (CPAN RT#86424)
Updated perl-Crypt-DSA (1.17) in EPEL-8 and EPEL-9:
Replace two arg open (CVE-2026-8704)
Replace rand() (CVE-2026-8700)
Fix "Use of uninitialized value $cur_part in hash element" warning in Crypt::DSA::KeyChain
Add security note discouraging use of Crypt::DSA
Fix typo in Crypt::DSA::Util
Updated perl-Role-Tiny to 2.002005 in Rawhide:
Split role initialization from setting pragmas to allow more flexibility for subclasses
Ensure consistent internal handling of Class::C3 versus mro
Reduced Exporter dependency to 0 (any version)
Local Packages
Update perl-HTTP-Tiny to 0.094:
Fix to prevent invalid characters in all headers, and prevent header smuggling (CVE-2026-7010)
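Header smuggling of the kind the HTTP::Tiny fix above closes comes from serialising attacker-influenced strings straight onto the wire: a CR LF inside a header value ends that line, and whatever follows is parsed by the server as a new header (or, if it carries its own request line, as a second request). The Python below is an added example, not HTTP::Tiny's code; it models a minimal client-side serialiser, shows what the receiving side sees when a value carries CRLF, and applies the RFC 9110 token / field-value grammar to every header name and value before anything is sent.

```python
import re

# RFC 9110: field-name = token; these are the token characters (ASCII only).
TOKEN_RE = re.compile(r"\A[!#$%&'*+\-.^_`|~0-9A-Za-z]+\Z")
# field-value = *(VCHAR / SP / HTAB / obs-text): printable ASCII, space, tab and
# bytes 0x80-0xFF. Everything else, in particular CR, LF and NUL, is rejected.
FIELD_VALUE_RE = re.compile(r"\A[\t\x20-\x7e\x80-\xff]*\Z")


def naive_serialize(method: str, path: str, headers) -> str:
    """Unsafe: joins name/value pairs onto the wire with no character checks, so a
    value containing CRLF is emitted as one or more additional header lines."""
    lines = [f"{method} {path} HTTP/1.1"]
    lines += [f"{name}: {value}" for name, value in headers]
    return "\r\n".join(lines) + "\r\n\r\n"


def header_is_valid(name: str, value: str) -> bool:
    """True only if both the name and the value fit the RFC grammar above."""
    return TOKEN_RE.match(name) is not None and FIELD_VALUE_RE.match(value) is not None


def strict_serialize(method: str, path: str, headers) -> str:
    """Hardened: validate every header before it reaches the wire. Refusing to send
    is the only safe response; stripping or encoding would change the request."""
    for name, value in headers:
        if not header_is_valid(name, value):
            raise ValueError(f"invalid characters in header {name!r}: {value!r}")
    return naive_serialize(method, path, headers)


def parse_header_block(raw: str):
    """What the receiving server sees: split the wire text back into header pairs."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


if __name__ == "__main__":
    # Constructed input: one header whose value came from an untrusted source.
    smuggled = [("Host", "example.test"),
                ("X-Request-Id", "abc\r\nX-Forwarded-For: 127.0.0.1")]
    print("server sees:", parse_header_block(naive_serialize("GET", "/", smuggled)))
    try:
        strict_serialize("GET", "/", smuggled)
    except ValueError as err:
        print("strict serializer refused:", err)
```

A bare LF is rejected as well as CRLF, because several servers treat a lone LF as a line terminator; any allowlist that only strips "\r\n" leaves that path open.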
Updated perl-Role-Tiny to 2.002005 as per the Fedora version
Tuesday 19th May 2026
Local Packages
Updated curl (8.20.0) to fix potential 100% CPU usage in curl_multi_socket()
Wednesday 20th May 2026
Fedora Project
Tidied up and rebuilt perl-Class-Accessor-Lite (0.08) in Rawhide
Updated perl-File-MimeInfo to 0.37 in Rawhide:
Honour XDG_DATA_HOME precedence for extension globs, so a glob entry from a higher-priority data dir overrides one from a lower-priority dir instead of being silently shadowed (CB#62).
Fix open() precedence and stale filehandle bugs in File::MimeInfo::default and File::MimeInfo::Magic
Don't die when @ARGV contains bytes that are invalid in the current locale; decode leniently and continue
Refactor resolvelink to use Cwd::abs_path instead of a hand-rolled loop
mimetype/mimeopen: quote filenames in diagnostic output via B::cstring so unusual characters render unambiguously
Tidied up and rebuilt perl-Meta-Builder (0.004) in Rawhide
Tidied up and rebuilt perl-Validation-Class (7.900059) in Rawhide
Tidied up and rebuilt perl-XML-Filter-BufferText (1.01) in Rawhide
Updated perl-Sereal-Decoder, perl-Sereal-Encoder and perl-Sereal to 5.005 in F-43, F-44 and Rawhide:
Update bundled Zstd to 1.5.7, and other changes
Update spec to document changes from version 5
Security fixes - make sure that COPY tags cannot be used to read past end of buffer in decoder
Updated proftpd (1.3.9a) in Rawhide to address another avenue for SQL injection, via custom SQLUserInfo queries
Local Packages
Updated perl-XML-LibXML to 2.0212:
- Security/Bug Fixes:
Prevent out-of-bounds UTF-8 read in domParseChar by replacing it with libxml2's xmlValidateName; truncated multi-byte sequences could cause heap reads past the NUL terminator across five DOM entry points (createElement, createAttribute, setNodeName, etc.) (GH#146, GH#149)
Enforce no_network even when a global externalEntityLoader is set; previously, XML_PARSE_NONET was silently ignored once a global callback was installed, enabling SSRF in multi-module applications that combine a third-party entity loader with no_network parsers (GH#133, GH#143)
Prevent integer overflow in SAX CBuffer length tracking; total character data exceeding INT_MAX (~2GB) overflowed the accumulator causing xmlMalloc to under-allocate and the subsequent memcpy to write past the buffer (GH#135, GH#142)
Proper lifecycle management for externalEntityLoader: the global loader can now be cleared or replaced safely, the previous handler SV is no longer leaked, the returned value is a safe copy rather than the internal global SV, and per-parser ext_ent_handler state is separated from the global slot (GH#138)
Add NULL checks after xmlMalloc returns in SAX CBuffer operations, converting OOM segfaults into catchable Perl exceptions (GH#136, GH#140)
Add NULL check after xmlCopyNamespace in _domReconcileNs, matching the existing guard in _domReconcileNsAttr (GH#137, GH#139)
Plug 11 memory leaks across XS/C code, including setBaseURI, URI/documentURI accessors, load_catalog, PSaxCharactersFlush, createAttributeNS, XPathContext::_find, _newForIO, _toStringC14N, lookupNamespacePrefix, _setNamespace, and the generic XPath extension function dispatcher (GH#131, GH#132)
Handle Apple's local libxml2 patch where xmlSAX2ResolveEntity throws on a NULL URI, so t/13dtd.t no longer dies on macOS (GH#94)
Skip t/50devel.t when mem_used() reports 0 bytes, which happens on Apple's libxml2 (system malloc bypasses the tracking wrappers) (CPAN RT#165193, GH#94)
Ship POD files in the CPAN tarball
The per-class .pod files generated from docs/libxml.dbk were gitignored, and nothing in the dist chain was producing them, so recent tarballs shipped without POD
The .pod files are now tracked in git (bison-style), so 'make dist' includes them via MANIFEST and the documentation reaches CPAN consumers again
Also eliminates the bootstrap problem of needing XML::LibXML installed to build XML::LibXML's docs, and silences the "kit incomplete" warning from 'perl Makefile.PL' on a fresh checkout
- Improvements:
Resolve Windows CI test failures and compiler warnings: use the file size (-s) for the byteConsumed test instead of a hardcoded 488 (CRLF inflates the file to 507 bytes), use Perl UV/PTR2UV in PmmRegistryName to avoid pointer truncation under Win64 LLP64, and use const xmlError* for xmlCtxtGetLastError to match the libxml2 2.12+ API (GH#122)
Silence macOS build warnings cleanly by gating the libxml2 memory tracking API behind a HAVE_LIBXML_MEMORY_DEBUG feature macro
The deprecated calls are no longer compiled on systems where the API is gone (Apple SDK, libxml2 ≥ 2.14), mem_used is only exported when actually defined, and t/50devel.t skips with a clear reason
Also strip the bogus "-L/lib" entries Alien::Base::Wrapper injects into LDFLAGS on macOS (GH#127)
Add a minimal hello-world HTML example (example/hello-world.pl) and add createInternalSubset("html", ...) to both HTML examples so they emit a proper <!DOCTYPE html> declaration (GH#66, GH#121)
Standardize XPath parameter naming to $xpath_expression throughout the DocBook source, matching the XML::LibXML::XPathExpression class name (GH#64, GH#125)
Update outdated and dead references in README.md: point repository URLs at the canonical cpan-authors/XML-LibXML home, drop the defunct ActiveState mailing list, replace the long Windows nmake recipe with a Strawberry Perl note, refresh the macOS section, and bring the Package History up to date
Remove the stale "Known Issues" note about push-parser leaks; the leaks it referenced were fixed by Nick Wellnhofer in 2014
Point distribution metadata at the cpan-authors GitHub repo and add an explicit bugtracker entry so MetaCPAN's "Issues" link goes to GitHub Issues instead of falling back to rt.cpan.org
Add NamedNodeMap.pod to MANIFEST so the generated POD ships in the CPAN tarball; the L<XML::LibXML::NamedNodeMap> link in Node.pod now resolves on MetaCPAN (GH#115, GH#118)
Update ppport.h and adopt its suggestions to reduce build issues
Fix test suite with libxml2 2.13.0 and 2.14.0
Remove tests that disable line numbers (always enabled since libxml2 2.15.0)
Use 'our $VERSION' instead of 'use vars'
Fix formatting in docs/libxml.dbk (GH#85)
- Maintenance:
Modernize the CI workflow with a dynamic Perl version matrix, centralized cpanfile, and updated action versions (GH#108)
Use cpanm instead of cpm for the Linux CI matrix so jobs on Perl < 5.24 (down through 5.8) no longer fail to install dependencies (GH#117, GH#119)
Expand CI platform coverage: FreeBSD 14.2, OpenBSD 7.6, NetBSD 10.1, Strawberry Perl on Windows, Fedora 43 container, AddressSanitizer, Devel::Cover + Codecov coverage upload, and a downstream XML::LibXSLT compatibility job (GH#120)
Fix BSD CI: use the correct OpenBSD package name ('libxml', not 'libxml2') and install Perl dependencies explicitly instead of relying on META.json autodiscovery (GH#124)
Parallelize 'make' compilation across CI jobs with platform-appropriate CPU detection (GH#128)
Temporarily disable OpenBSD 7.6 CI due to unreliable runners (GH#130)
Re-enable OpenBSD CI on version 7.8 once the runner situation stabilized (GH#144)
Add a CLAUDE.md describing project layout, build/test commands, libxml2 version landscape, and coding conventions (GH#116)
Add contributing guidelines covering CI, scope, MANIFEST, and version/release handling (GH#126)
Add AI_POLICY.md documenting how AI tools are used (and not used) in this project
Add MANIFEST.SKIP so local files (.hgignore, .tidyallrc, CLAUDE.md, etc.) are kept out of 'make manifest' output
Drop unused dev helper ('tester.sh') and the stale TODO file
Rename README to README.md and remove the obsolete Travis CI references
Add a 'pod-drift' CI job that runs 'make pod_docs' and fails on any diff, catching forgotten POD regenerations after edits to docs/libxml.dbk
Move xmllibxmldocs.pl from example/ to scripts/; it is a maintenance tool that emits source files (POD), not a usage example of XML::LibXML; scripts/ already houses similar build/dev tooling
Skip t/release-kwalitee.t outside a dist tarball
The Test::Kwalitee 'has_meta_yml' check was failing under 'make test' in author mode because META.yml is only generated by 'make dist'
The test now skips cleanly when META.yml is absent and still runs the full 18-check suite under 'make disttest' against the unpacked tarball
Updated proftpd (1.3.9a and 1.3.10rc1) as per the Fedora version
Thursday 21st May 2026
Fedora Project
Updated perl-Sereal-Decoder, perl-Sereal-Encoder and perl-Sereal to 5.006 in Rawhide and EPEL-10 (EPEL-10 update includes security fix from 5.005):
Update bundled miniz to 3.1.1
Avoid deprecated ZSTD API
Tidy and regenerate
Updated perl-Sereal-Decoder (4.018) in EPEL-8 and EPEL-9 to make sure that COPY tags cannot be used to read past end of buffer (ported from upstream commit 303a2c69)
Local Packages
Updated dovecot to 2.4.4 in F-40 onwards where only the x86_64 build is done, because the ix86 build fails the test suite
lib-var-expand: Safe filter marked all following pipelines safe (CVE-2026-27851)
auth: CRAM-SHA-*-PLUS channel binding could be faked; MITM attacker with a certificate trusted by the client could have bypassed the requirement for channel binding (CVE-2026-33603)
IMAP folders could be shared-spammed to everyone (CVE-2026-40020)
An attacker could cause uncontrolled memory usage with excessive bracing over IMAP; the fix in CVE-2026-27857 was incomplete (CVE-2026-42006)
indexer-worker, quota-status, script-login, program-client-local: Root privileges are now dropped permanently before serving requests
indexer-worker: Default restart_request_count changed to 1 to work correctly after permanent root privilege drop
lmtp: Add back service_extra_groups=$SET:default_internal_group that was incorrectly removed in v2.4.3
master: inet_listener_reuse_port has been replaced by service_reuse_port; the new setting properly pre-creates all listener sockets at start-up and assigns one unique socket per process, which allows evenly distributing incoming connections to login processes (see https://doc.dovecot.org/latest/core/config/service.html#service_reuse_port for details)
auth: Fix LDAP escaping of 0x13 control character
auth: Use timing-safe comparison for certificate and public key fingerprints
fts: Correctly handle internal http-client response errors
fts: Don't send request to Tika if there is no body text
fts: Fix address header indexing for RFC 2047 encoded-words
fts: tika, fts-solr: Fix use-after-free crash during DNS lookup
imap: Fix assertion panic on invalid REPLACE 0 command
lib-auth-client: Avoid "unknown id" errors for aborted auth requests
lib-dcrypt: Fix potential crash if trying to access untrusted/corrupted keys
lib-dcrypt: Improve error message if keys aren't in hex format as expected
lib-index: Fix potential crash if fsck fails
lib-ldap: Fix using OpenLDAP default CA when ssl_client_ca_dir/file is unset (v2.4.3 regression)
lib-master, master: Fix behaviour for services with client_limit>1 and restart_request_count so that processes reaching restart_request_count are no longer counted towards process_limit
lib-master: Fix crash when reaching client_limit with restart_request_count>1
lib-master: haproxy - Don't trust client certificate common name when HAProxy reports verification failure
lib-sasl: cram-md5 - Fix out of bounds memory read
lib-sasl: oauth2 - Fix one byte out of bounds read
lib-sql: cassandra - Fix reusing Cassandra SSL connections
lib-sql: sqlite - Fix sqlite_journal_mode=wal to actually work
lib-storage: Auto-rename non-NFC subscription file entries to NFC on read
lib-storage: Prevent non-atom SEARCH keywords from causing IMAP command injection
lib-var-expand-crypt: Return error if hex decoding fails
lib-var-expand: Fix crash (SIGFPE) with non-positive divisor for / and %
log: Fix memory leak at de-init
login-common: When process is full, don't destroy clients waiting on master auth
login-proxy: Fix crash with rawlog and multiplexing during reconnection
mail-compress: Fix panic when save method unavailable
mail-crypt: Fix crash when HMAC-based algorithm is used
mail-crypt: Use AEAD instead of HMAC with ChaCha20-Poly1305
mdbox: Create files with O_NOFOLLOW
push-notification: ox - Fix use-after-free crash during DNS lookup
quota: quota-status - Limit input buffer size to 1 kB
Update pigeonhole to 2.4.4:
Sieve :contains and :matches operators could have been using excessive amount of CPU; limit the CPU to sieve_max_cpu_time (CVE-2026-40016)
Fix potential crashes parsing corrupted Sieve binaries
lib-sieve: matches - Fix trailing literal match when it fills value exactly (v2.4.3 regression)
Updated perl-XML-LibXML to 2.0213:
- Security/Bug Fixes:
Revert GH#143 per the libxml2 author's request (GH#168)
GH#143 added a URL-scheme filter inside LibXML_load_external_entity and removed the EXTERNAL_ENTITY_LOADER_FUNC == NULL guards on the five Schema/RelaxNG NONET swap sites, on the premise that no_network on one parser should override a user-installed global externalEntityLoader
Nick Wellnhofer clarified that this contradicts upstream intent: XML_PARSE_NONET only polices libxml2's default loader; a user who installs a global loader is explicitly opting out of that policy, and the http/https/ftp allowlist was never a real security boundary
Reverted in full; GH#138's lifecycle/memory-safety fixes are kept
- Bug Fixes:
Fix latent SEGV in _externalEntityLoader
The XS code returned &PL_sv_undef as RETVAL when no previous global loader existed
Since xsubpp auto-mortalizes SV* RETVAL, each call mortalized the PL_sv_undef singleton, eventually driving its refcount negative and producing "Attempt to free unreferenced scalar" followed by SEGV under repeated invocation
Now returns newSV(0) so RETVAL is always a fresh refcount-1 SV safe to mortalize
The bug shipped in 2.0212 with GH#138's lifecycle fixes; this is a single-line correction to that code path
- Maintenance:
Add t/49global_extent_with_no_network.t, 17 subtests locking in the entity-loader contract restored by the GH#168 revert: a user-installed global loader takes precedence over no_network across plain XML parse, RelaxNG, and XML Schema, while no_network without any loader still blocks via libxml2's default loader
Document the entity-loader contract in CLAUDE.md ("Entity loaders, no_network, and XML_PARSE_NONET") plus a "Verifying audit-flagged security findings" checklist to keep pattern-matched "security fixes" like GH#143 from shipping again
Updated perl-YAML-LibYAML (0.907.0) to safely check for JSON::PP in 13-utf8.t
Friday 22nd May 2026
Fedora Project
Updated libssh2 (1.11.1) in F-43, F-44, Rawhide, EPEL-9, EPEL-10.2 and EPEL-10 to fix CVE-2026-7598: integer overflow via large username or password arguments (GH#1058)
Updated perl-Business-ISBN-Data to 20260521.001 in Rawhide:
Data update for 2026-05-21
Local Packages
Updated libssh2 (1.11.1) as per the Fedora version
Saturday 23rd May 2026
Fedora Project
Updated perl-Business-ISBN-Data to 20260523.001 in Rawhide:
Data update for 2026-05-23
Updated perl-Crypt-PasswdMD5 to 1.4.3 in F-43, F-44, Rawhide, EPEL-8, EPEL-9, EPEL-10.2 and EPEL-10:
Replace use of the cryptographically weak rand() function with the much stronger Crypt::URandom::urandom() (GH#3, CVE-2026-6659, Bug #2479575)
Add Encode, Exporter, ExtUtils::MakeMaker to Makefile.PL
Add files AI_POLICY.md and SECURITY.md
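The Crypt::PasswdMD5 fix above, the rand() replacement in Crypt::DSA (18th May) and the low-entropy session-id seed in Apache::Session::Generate::SHA256 (14th May) are the same bug wearing three hats: hashing guessable inputs does not make the output unguessable, and Perl's rand() is not a cryptographic generator. The Python below is an added illustration, not any of those modules' code; weak_session_id() is a constructed model of the seeded pattern (time, pid, and a PRNG seeded from those same values), recover_weak_session_id() is what an attacker does with it, and the secrets-based functions are the Python equivalent of drawing from Crypt::URandom.

```python
import hashlib
import random
import secrets


def weak_session_id(now: int, pid: int) -> str:
    """Constructed model of the vulnerable pattern (not the module's real code):
    every input to the hash is public or low-entropy, and the PRNG is seeded from
    those same values, so the 256-bit output carries only as much entropy as
    the (time, pid) pair that produced it."""
    rng = random.Random(now * 65536 + pid)      # state fully determined by the inputs
    material = f"{now}:{pid}:{rng.random()}"
    return hashlib.sha256(material.encode()).hexdigest()


def recover_weak_session_id(observed: str, time_window, pid_window):
    """Attacker's view: hashing adds no entropy, so brute-force the seed space
    (a few thousand candidates) instead of the 2**256 output space. Returns the
    (time, pid) pair that reproduces the observed id, or None."""
    for t in time_window:
        for pid in pid_window:
            if weak_session_id(t, pid) == observed:
                return t, pid
    return None


def strong_session_id(nbytes: int = 32) -> str:
    """Fixed pattern: draw the identifier straight from the OS CSPRNG (what
    Crypt::URandom provides in Perl). There is no seed to guess."""
    return secrets.token_hex(nbytes)


def strong_salt(nbytes: int = 16) -> bytes:
    """Same rule for password-hash salts (the Crypt::PasswdMD5 case): never rand()."""
    return secrets.token_bytes(nbytes)


if __name__ == "__main__":
    # Constructed scenario: a login at roughly a known second from a server whose
    # worker pids are known to sit in a narrow range (e.g. from error pages or logs).
    issued = weak_session_id(1_780_000_000, 4242)
    guess = recover_weak_session_id(issued, range(1_779_999_980, 1_780_000_020),
                                    range(4000, 4500))
    print("weak id recovered from", guess)
    print("strong id:", strong_session_id())
```

The attacker never has to invert SHA-256; the window of 40 seconds by 500 pids is 20,000 hashes, which runs in well under a second. Widening the seed with more guessable fields (a stringified hash reference, an incrementing counter) only multiplies that number, it does not change its nature.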
Sunday 24th May 2026
Local Packages
Updated perl-Archive-Tar to 3.08:
Validate symlink and hardlink linkname in SECURE MODE
Monday 25th May 2026
Fedora Project
Updated perl-IO-Tty to 1.31 in Rawhide:
- Bug Fixes:
Fix v1.27 regression where _open_tty() always passed O_NOCTTY, preventing make_slave_controlling_terminal() from acquiring a controlling terminal via the POSIX-standard open-without-O_NOCTTY mechanism (it was forced to fall through to an explicit TIOCSCTTY ioctl) (GH#91, GH#94)
_open_tty() now takes an optional noctty flag (default 1 for backward compatibility)
make_slave_controlling_terminal() passes 0
Fix openpty() detection on Fedora 33-34 / glibc 2.32-2.33 where LTO flags (-flto=auto) caused the libc-only compile probe to falsely succeed, producing "undefined symbol: openpty" at runtime; try -lutil before libc; harmless on systems where openpty lives in libc (glibc 2.34+, musl) and necessary where it doesn't (GH#92, GH#93)
- Maintenance:
Address CPANTS kwalitee issues: add LICENSE, SECURITY.md, and CONTRIBUTING.md; add META 'provides' for IO::Tty, IO::Pty, and IO::Tty::Constant; use --format=ustar in TARFLAGS to prevent PaxHeader entries in distribution tarballs (GH#90)
Clean up MANIFEST.SKIP: add #!include_default so ExtUtils::Manifest's built-in skip list is in effect, drop five entries that duplicate those defaults, and add a ^\.claude/ rule
Updated perl-YAML-Syck to 1.46 (bug fixes and maintenance)
Local Packages
Updated libxml2 to 2.13.9 (see NEWS for details)
Updated perl-IO-Tty to 1.31 as per the Fedora version
Updated perl-YAML-Syck to 1.46 as per the Fedora version
Tuesday 26th May 2026
Fedora Project
Updated perl-RRD-Simple (1.44) to work around non-monotonic version change in rrdtool by requiring at least version 1.3 of perl(RRDs) and patching out version checks in the code (see also https://github.com/oetiker/rrdtool-1.x/pull/1331)
Local Packages
Updated perl-Archive-Tar to 3.10:
Added MAX_FILE_SIZE setting, defaulting to 1GB, for extracting files
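Taken together, the Archive::Tar changes this month (hardlinks off by default and subject to the symlink rules on 10th May, linkname validation in SECURE MODE on 24th May, MAX_FILE_SIZE above) describe an extraction policy: no member may write or link outside the extraction root, hardlinks are opt-in because they can alias a file the extracting user already owns, and a single member must not be able to exhaust disk. The Python below is an added example using the standard tarfile module, not Archive::Tar's code; it builds a constructed archive in memory containing each problematic case and audits the members against that policy without extracting anything. The extraction root /extract is a hypothetical value used only for path resolution.

```python
import io
import posixpath
import tarfile

ROOT = "/extract"              # hypothetical extraction root; nothing is written there
MAX_FILE_SIZE = 1024 * 1024    # policy limit for this example (1 MiB)


def build_sample_tar() -> bytes:
    """Constructed sample archive covering the cases the Archive::Tar changes address."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, data):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        def add_link(name, target, kind):
            info = tarfile.TarInfo(name)
            info.type = kind
            info.linkname = target
            tar.addfile(info)

        add_file("pkg/README", b"hello\n")                          # benign
        add_file("pkg/blob.bin", b"\0" * (2 * 1024 * 1024))        # over the size limit
        add_file("../evil.txt", b"pwned\n")                         # path traversal
        add_link("pkg/etc", "../../../etc", tarfile.SYMTYPE)        # symlink escaping root
        add_link("pkg/shadow", "/etc/shadow", tarfile.LNKTYPE)      # hardlink to a host file
        add_link("pkg/README.copy", "pkg/README", tarfile.LNKTYPE)  # hardlink within archive
    return buf.getvalue()


def escapes_root(path: str) -> bool:
    """True when `path`, interpreted relative to ROOT, resolves outside ROOT."""
    resolved = posixpath.normpath(posixpath.join(ROOT, path))
    return resolved != ROOT and not resolved.startswith(ROOT + "/")


def audit_members(tar_bytes: bytes, max_file_size: int = MAX_FILE_SIZE,
                  allow_hardlinks: bool = False):
    """Classify every member before extraction; returns [(name, verdict), ...]."""
    verdicts = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for m in tar:
            if posixpath.isabs(m.name) or escapes_root(m.name):
                verdicts.append((m.name, "reject: path escapes extraction root"))
            elif m.isreg() and m.size > max_file_size:
                verdicts.append((m.name, f"reject: size {m.size} exceeds {max_file_size}"))
            elif m.issym():
                # A symlink target is resolved relative to the link's own directory.
                target = posixpath.join(posixpath.dirname(m.name), m.linkname)
                if posixpath.isabs(m.linkname) or escapes_root(target):
                    verdicts.append((m.name, "reject: symlink target escapes extraction root"))
                else:
                    verdicts.append((m.name, "ok"))
            elif m.islnk():
                # A hardlink target is an archive path, relative to the archive root.
                if not allow_hardlinks:
                    verdicts.append((m.name, "reject: hardlinks not extracted by default"))
                elif posixpath.isabs(m.linkname) or escapes_root(m.linkname):
                    verdicts.append((m.name, "reject: hardlink target escapes extraction root"))
                else:
                    verdicts.append((m.name, "ok"))
            else:
                verdicts.append((m.name, "ok"))
    return verdicts


if __name__ == "__main__":
    for name, verdict in audit_members(build_sample_tar(), allow_hardlinks=True):
        print(f"{name:18} {verdict}")
```

Even an "ok" hardlink should only be created if its target was itself extracted from this archive; linking to a pre-existing file under the root aliases something the extracting user already owns, which is exactly why the Archive::Tar change applies the symlink chown/chmod rules to hardlinks too. Python 3.12+ ships tarfile.data_filter, which enforces similar rules at extraction time; the audit above is the pre-check form for untrusted archives, independent of the extractor used.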
Wednesday 27th May 2026
Fedora Project
Updated perl-Test-MockModule to 0.185.1 in Rawhide:
Local Packages
Updated perl-Test-MockModule to 0.185.1 as per the Fedora version
Thursday 28th May 2026
Fedora Project
Updated perl-Cpanel-JSON-XS to 4.41 in F-43, F-44, Rawhide, EPEL-8, EPEL-9, EPEL-10.2 and EPEL-10:
Fix BOM-shift PV-corruption SIGABRT (CVE-2026-9516)
Fix dupkeys_as_arrayref type confusion (CVE-2026-9334)
Fix incr_parse single-quote string delimiter (GH#245)
Fix a one-byte out-of-bounds heap read reachable via allow_barekey on truncated input (GH#244)
Local Packages
Updated perl-Cpanel-JSON-XS to 4.41 as per the Fedora version
Friday 29th May 2026
Fedora Project
Updated perl-PPI to 1.291 in Rawhide:
Local Packages
Updated perl-Module-CPANTS-Analyse (1.02) to use relative symlinks rather than absolute symlinks in test (GH#51)
Updated perl-PPI to 1.291 as per the Fedora version
Saturday 30th May 2026
Fedora Project
Updated perl-Test-MockModule to 0.185.2 in Rawhide:
Local Packages
Updated perl-Test-MockModule to 0.185.2 as per the Fedora version
Sunday 31st May 2026
Fedora Project
Updated perl-Module-CPANTS-Analyse (1.02) in Rawhide to use relative symlinks rather than absolute symlinks in test (GH#51), which fixes FTBFS with perl-Archive-Tar 3.08 onwards