Paul's Blog Entries for July 2026
Wednesday 1st July 2026
Fedora Project
Updated miniz to 3.1.2 in Rawhide:
- Fix central directory offset overflow when reading zip file header
Add tdefl_write_image_to_png_file_in_memory_ex parameter validation
- Add fuzz targets for ZIP validation, writing, and compression APIs
Support cmake 4
Guard against code_len==0 infinite loop in tinfl_decompress
Thursday 2nd July 2026
Fedora Project
Updated perl-YAML-LibYAML to 0.909.0 in Rawhide:
OOP interface test: Do not crash on missing JSON::PP dependency
- OOP interface: Fix for quadmath builds of perl
Add YAML::XS::LibYAML back to list of provided modules
OOP interface: Add boolean option
Local Packages
Updated nmap (7.92) to fix extension header parsing CVE-2026-58058
Updated perl-YAML-LibYAML to 0.909.0 as per the Fedora version
Updated unrar to 7.23
Friday 3rd July 2026
Fedora Project
Updated perl-Sendmail-PMilter to 1.28 in Rawhide:
Proper handling of NULL mail-from (CPAN RT#179844)
Updated perl-Crypt-DSA to 1.22 in F-43, F-44, Rawhide, EPEL-10.2 and EPEL-10:
- Hardening: Use a fresh, independent CSPRNG witness every round
Security fix: Modulo bias in key generation (CVE-2026-14570); an attack with hundreds of signatures could lead to full private-key compromise; keys should be considered compromised and new keys should be generated
Updated perl-Crypt-DSA (1.17) in EPEL-8 and EPEL-9 to backport improvements from version 1.22
Updated perl-IO-Compress to 2.222 in Rawhide:
Local Packages
Updated perl-IO-Compress to 2.222 as per the Fedora version
Updated perl-Sendmail-PMilter to 1.28 as per the Fedora version
Updated perl-YAML-LibYAML to 0.910.0:
OOP interface: Fix default boolean option (missing default lead to random default on some architectures) (GH#133)
Tuesday 7th July 2026
Fedora Project
Updated perl-Crypt-PasswdMD5 to 1.45 in Rawhide:
Replace text of LICENSE file with Perl_5 license generated using Software::License
Updated perl-String-Util to 1.36 in Rawhide:
- Updated POD/README
Make trim() more robust
Updated perl-Tree-DAG_Node to 1.38 in Rawhide:
Replace LICENCE file content with the Perl_5 license from Software::License
Add AI_POLICY.md file
Modernize MANIFEST.SKIP again
Updated perltidy to 20260705 in Rawhide (see CHANGES.md for details)
Local Packages
Updated perl-IO-Compress to 2.223:
Fix typo in Makefile.PL (GH#79)
Updated perl-Perl-Tidy to 20260705 as per the Fedora perltidy package
Updated perl-Tree-DAG_Node to 1.38 as per the Fedora version
Wednesday 8th July 2026
Fedora Project
Updated perl-Crypt-DSA to 1.24 in Rawhide:
Standardize on Crypt::SysRandom and drop the Crypt::URandom dependency
- Make CVE tests optional
Updated perl-Crypt-PasswdMD5 to 1.46 in Rawhide:
Regenerate LICENSE file using latest Software::License to get current GPLv1 license text
Updated perl-Tree-DAG_Node to 1.39 in Rawhide:
Regenerate LICENSE using latest Software::License (GH#1)
Local Packages
Updated c-ares to 1.34.8:
- Bugfixes:
- Revert "Mark parameters in callbacks as const", which shipped in 1.34.7
Changing the parameter types of the 'ares_callback', 'ares_host_callback' and 'ares_nameinfo_callback' function pointer typedefs was an unintended API break: existing applications with the historical non-const callback signatures no longer compiled, particularly in C++ where function pointer types must match exactly
The read-only nature of the callback parameters is now documented instead (GH#1244)
- Revert "Mark parameters in callbacks as const", which shipped in 1.34.7
- Changes for 1.34.7:
- Security:
CVE-2026-33630: Use-after-free / double-free in c-ares' query-completion handling, remotely triggerable via ares_getaddrinfo() over TCP; see https://github.com/c-ares/c-ares/security/advisories/GHSA-6wfj-rwm7-3542
CPU-exhaustion denial of service via unbounded DNS name compression pointer chains; see https://github.com/c-ares/c-ares/security/advisories/GHSA-pjmc-gx33-gc76
Memory-amplification denial of service via unvalidated DNS header record counts; see https://github.com/c-ares/c-ares/security/advisories/GHSA-jv8r-gqr9-68wj
- Changes:
- Bugfixes:
Fix sticky server recovery when all servers have failures (GH#1192)
Fix UDP socket exhaustion regression: retire connections per-connection, not via server failure count (GH#1197)
Guard DNS record binary length overflow (GH#1168)
Prevent integer overflow in allocation size calculations (GH#1147)
Prevent overflow in ares_array allocation size calculations (GH#1117)
Prevent integer overflow in buffer size calculation (GH#1116)
Add overflow checks to ares_buf_ensure_space() (GH#1094)
Skip name compression offsets beyond the 14-bit pointer limit (GH#1159)
ares_dns_parse: Reject name compression in RDATA where not permitted (RFC 3597) (GH#1190)
ares_dns_parse: Reject responses with more than one OPT record (RFC 6891) (GH#1189)
Discard oversized UDP datagrams instead of truncating the length frame (GH#1161)
Route numeric config parsing through range-checked ares_str_parse_uint (GH#1158)
Replace atoi-based port parsing with validated helper (GH#1097)
Defer TCP connection error handling until DNS responses are parsed (GH#1138)
Prevent undefined-behaviour left shift in ares_calc_query_timeout() (GH#1151)
Use unsigned type for ares_round_up_pow2_u64 to avoid undefined behaviour (GH#1107)
Fix undefined behaviour in ares_buf_replace() pointer arithmetic (GH#1099)
ares_array: Reset offset when array becomes empty (GH#1165)
ares_iface_ips: Add ARES_IFACE_IP_NONE zero enum value (GH#1187)
ares_sysconfig_files: Recognize AIX netsvc.conf bind4/local4 tokens (GH#1188)
Use safe string construction in Windows sysconfig join path (GH#1143)
Fix zero-length RAW_RR losing type metadata during parsing (GH#1129)
Fix RAW_RR type tostr/fromstr roundtrip mismatch (GH#1123)
Fix NULL dereference for ifa netmask (GH#1120)
adig: Fix negated option prefix parsing (GH#1135)
Use UnregisterWaitEx to prevent use-after-free on Win32 (GH#1111)
Add NULL check after ares_malloc_zero in Windows UTF8 conversion (GH#1121)
Fix NULL dereference after ares_malloc_zero in Win32 IOCP event add (GH#1132)
Fix microsecond overflow in ares_queue_wait_empty timeout (GH#1122)
Fix NULL dereference in ares_buf_replace() on NULL buf (GH#1124)
Initialize *read_bytes in ares_socket_recvfrom() (GH#1125)
Fix memory leak of binbuf in ares_buf_parse_dns_binstr_int (GH#1126)
Fix memory leak of qcache entry on key allocation failure (GH#1127)
Fix memory leak of buf in ares_dns_multistring_combined() on OOM (GH#1110)
Fix memory leaks on error paths in two functions (GH#1109)
Fix memory leak of buckets in ares_htable_dict_keys() error path (GH#1108)
Fix memory leak of bucket->key in ares_htable_dict_insert error path (GH#1105)
Prevent corrupt addrinfo nodes on sockaddr allocation failure (GH#1112)
Fix two logic bugs in DNS cookie handling (GH#1103)
Fix linked list INSERT_BEFORE corruption and array insertdata_first ordering (GH#1101)
Fix HASH_IDX macro missing parentheses (GH#1128)
Fix malloc(0) in ares_htable_all_buckets on empty table (GH#1131)
Fix wrong sizeof in QNX confstr() call truncating domain names (GH#1130)
Clear probe pending flag after timeout (GH#1059)
Fix incorrect check for empty wide string (GH#1064)
Handle strdup failure (GH#1077)
doc: Reference ares_free_string(), not ares_free() (GH#1084)
Updated perl-DBI to 1.650:
Set a hard limit of 99999 on '?' placeholders (CVE-2026-14739)
Fix out-of-bounds read in preparse of SQL that starts with a comment (CVE-2026-14740)
Fix code injection via Profile DSN attribute or DBI_PROFILE variable (CVE-2026-14380)
Update dbipport.h to Devel::PPPort-3.73
Require Test::More 0.96 (tests will otherwise fail on pristine perl-5.12)
Updated perl-Mail-Sendmail to 0.83:
Strip CR/LF from header values, to prevent insertion of rogue headers (GH#11, CVE-2026-13092)
Switched to a new test Sendmail server for t/original.t, as the old one was no longer accepting connections
Updated perl-Tree-DAG_Node to 1.39 as per the Fedora version
Thursday 9th July 2026
Fedora Project
Updated perl-Module-CPANTS-Analyse (0.99) in EPEL-8 to use relative symlinks rather than absolute symlinks in test (GH#51), which fixes FTBFS with perl-Archive-Tar-2.30-2.el8_10 onwards
Updated perl-Perl-Critic (1.156) in F-44 to run tests with LANG=en_US.UTF-8 to fix pod spelling test with recent update for hunspell-en dictionary
Updated perl-Sereal-Decoder, perl-Sereal-Encoder and perl-Sereal to 5.007 in Rawhide:
Use $Config{ccflags} to compile zstd with, which should fix AIX
Updated perl-Unicode-UTF8 to 0.72 in Rawhide:
read_utf8() now takes a single-pass fast path on PerlIO fast-gets layers, validating/copying/counting straight out of the layer buffer (up to ~11% faster on multibyte-heavy input; see benchmarks/)
Fixed read_utf8() on non-buffered handles stranding the trailing incomplete sequence that was read to satisfy the requested length: the pending bytes are now pushed back with PerlIO_unread() so the following read sees them, matching decode_utf8() when drained to end of file
I added a patch to avoid trying to use 64-bit SSE2 on ix86 (GH#14)
Updated proftpd to 1.3.9c in F-43, F-44, Rawhide, EPEL-10.2 and EPEL-10:
ExecEnviron values not passed due to regression since 1.3.8d (GH#2135)
Stack buffer overflow in MLSD/MLST handling for long path names (GH#2146)
MaxTransfersPerUser no longer enforces configured limits (GH#2158)
AdminControlsACLs for config, get actions not honoured as they should be (GH#2163)
Memcached/Redis-cached JSON TLS session/OCSP entries decoded into fixed buffers without bounds checking (GH#2166)
RewriteMap unescape builtin use causes one-byte out-of-bounds write, fails to reject illegal characters (GH#2173)
SQL group name lookup concatenates client-provided group names without escaping (GH#2188)
Authenticated SFTP sessions can overflow the SFTP packet buffer (GH#2190)
Default Controls socket ACLs unintentionally allow all users access for sending Controls requests (GH#2210)
Local Packages
Updated perl-DateTime-TimeZone to 2.69:
- This release is based on version 2026c of the Olson database
- Contemporary changes for Alberta, CA and Morocco
Updated perl-Unicode-UTF8 to 0.72 as per the Fedora version
Updated proftpd to 1.3.9c as per the Fedora version
Updated proftpd (rc) to 1.3.10rc3:
ExecEnviron values not passed due to regression since 1.3.8d (GH#2135)
FTP TYPE command silently ignores invalid format-control argument instead of returning an error (GH#2141)
Stack buffer overflow in MLSD/MLST handling for long path names (GH#2146)
MaxTransfersPerUser no longer enforces configured limits (GH#2158)
AdminControlsACLs for config, get actions not honoured as they should be (GH#2163)
Memcached/Redis-cached JSON TLS session/OCSP entries decoded into fixed buffers without bounds checking (GH#2166)
RewriteMap unescape builtin use causes one-byte out-of-bounds write, fails to reject illegal characters (GH#2173)
SITE RMDIR command from mod_site_misc does not honour PathAllowFilter, PathDenyFilter as expected (GH#2175)
SFTP SETSTAT, FSETSTAT requests do not honour PathAllowFilter, PathDenyFilter as expected (GH#2180)
SQL group name lookup concatenates client-provided group names without escaping (GH#2188)
Authenticated SFTP sessions can overflow the SFTP packet buffer (GH#2190) & Implement SFTP copy-data extension (GH#2198)
Default Controls socket ACLs unintentionally allow all users access for sending Controls requests (GH#2210)
I added use of memcached when running the API tests, lest the memcached tests would fail
Friday 10th July 2026
Fedora Project
Updated perl-Sereal-Decoder to 5.008 in Rawhide:
Decoder now supports 'thaw_allow_classes' and 'thaw_deny_action' to control thaw callbacks during decoding
Updated perl-Sereal-Encoder to 5.008 in Rawhide:
Released to match Decoder version
Updated perl-Sereal to 5.008 in Rawhide:
Decoder now supports 'thaw_allow_classes' and 'thaw_deny_action' to control thaw callbacks during decoding
Monday 13th July 2026
Fedora Project
Updated perl-CPAN-Requirements-Dynamic to 0.003 in Rawhide:
Avoid undefinedness warning in config_defined
Updated perl-Test-Synopsis to 0.18 in Rawhide:
Fix: =for test_synopsis directives are now applied regardless of their position relative to the SYNOPSIS code block (GH#20, regression since 0.14)
Local Packages
Updated perl-CPAN-Requirements-Dynamic to 0.003 as per the Fedora version
Updated perl-Test-Synopsis to 0.18 as per the Fedora version
Tuesday 14th July 2026
Fedora Project
Updated geoipupdate to 8.0.0 in Rawhide:
BREAKING CHANGE: 'geoipupdate' stops updating on the first error
'NewUpdater' in the unexported 'internal/geoipupdate' package no longer mutates 'http.DefaultTransport' when a proxy is configured; the CLI is the only caller, so there is no user-visible behaviour change (GH#488)
Do not retry proxy CONNECT 4xx errors; these are now treated as permanent failures
Updated perl-DBD-CSV to 0.64 in Rawhide:
Next version will require perl-5.12, following DBI
Updated perl-Unicode-UTF8 to 0.74 in Rawhide:
Added slurp_utf8($filename), which reads an entire file and returns its contents decoded from UTF-8 as a character string
Added support for older MSVC C compilers by using __inline in place of the C99 inline keyword on pre-Visual Studio 2015 builds
Fixed SSE2 detection to only enable the SIMD implementation on 64-bit x86 targets, which prevents unsupported SSE2 code from being selected on 32-bit x86 builds (GH#14)
Updated perl-YAML-Syck to 1.47 in F-43, F-44, Rawhide, EPEL-9, EPEL-10.2 and EPEL-10:
- Security:
Fix four libsyck memory-safety CVEs reachable from the default YAML::Syck::Load() path on untrusted input with no special flags (GH#213)
CVE-2026-57075 (CWE-125): Out-of-bounds read in the base64 decoder caused by signed-char indexing of the decode table on !!binary input
CVE-2026-57076 (CWE-416): Use-after-free of an anchor key string shared between the node and the anchors table
CVE-2026-57077 (CWE-125): One-byte out-of-bounds read in the lexer newline scan during block-scalar parsing (incomplete-fix follow-on to CVE-2025-11683)
CVE-2026-13713 (CWE-416/CWE-415): Use-after-free / double-free of an anchor node on anchor redefinition, a remote-crash DoS from a 7-byte input
Harden syck_base64dec() to bounds-check each read so it cannot run past a non-NUL-terminated input buffer (defense-in-depth for callers passing raw buffers; GH#213)
- Bug Fixes:
Fix: Enforce $MaxDepth on Load to prevent C-stack exhaustion from deeply nested YAML/JSON input; YAML::Syck and JSON::Syck Load now default to 512, matching Dump (GH#204)
Fix: Emit YAML canonical forms (.nan, .inf, -.inf) for NaN/Inf values in Dump so they roundtrip with ImplicitTyping instead of reloading as plain strings (GH#201)
- Maintenance:
CI: add an AddressSanitizer job that builds the XS with -fsanitize=address and runs the suite plus the CVE trigger inputs to catch libsyck memory-safety defects; de-pin the libasan version so it tracks the runner's GCC (GH#213)
Local Packages
Updated geoipupdate to 8.0.0 as per the Fedora version
Updated perl-DBD-CSV to 0.64 as per the Fedora version
Updated perl-DBI to 1.651:
Fix inverted comparisons for strings in DBI::SQL::Nano (CVE-2026-15043)
Document that IS NULL matches empty strings in DBI::SQL::Nano
Fix DBD::File to ensure that the table is not a symlink outside of f_dir (CVE-2026-15392)
Fix an out-of-bounds error when a statement handle has no fields but the source row is not empty (CVE-2026-60082)
Add an overridable upper bound $MAX_PATH_DEPTH for DBI::ProfileData (CVE-2026-60081)
Updated perl-Unicode-UTF8 to 0.74 as per the Fedora version
Updated perl-YAML-Syck to 1.47 as per the Fedora version
Wednesday 15th July 2026
Fedora Project
Updated perl-Unicode-UTF8 to 0.75 in Rawhide:
Fixed slurp_utf8() leaking the file descriptor if a fatal "utf8" warning (e.g. warnings FATAL => 'utf8') was thrown while reading an ill-formed file
Local Packages
Updated perl-Unicode-UTF8 to 0.75 as per the Fedora version
Previous Month: June 2026