PaulHowarth/Blog/2026-07

Paul's Blog Entries for July 2026

Wednesday 1st July 2026

Fedora Project

  • Updated miniz to 3.1.2 in Rawhide:

    • Fix central directory offset overflow when reading zip file header
    • Add tdefl_write_image_to_png_file_in_memory_ex parameter validation

    • Add fuzz targets for ZIP validation, writing, and compression APIs
    • Support cmake 4

    • Guard against code_len==0 infinite loop in tinfl_decompress

Thursday 2nd July 2026

Fedora Project

  • Updated perl-YAML-LibYAML to 0.909.0 in Rawhide:

    • OOP interface test: Do not crash on missing JSON::PP dependency

    • OOP interface: Fix for quadmath builds of perl
    • Add YAML::XS::LibYAML back to list of provided modules

    • OOP interface: Add boolean option

Local Packages

  • Updated nmap (7.92) to fix extension header parsing CVE-2026-58058

  • Updated perl-YAML-LibYAML to 0.909.0 as per the Fedora version

  • Updated unrar to 7.23

Friday 3rd July 2026

Fedora Project

  • Updated perl-Sendmail-PMilter to 1.28 in Rawhide:

  • Updated perl-Crypt-DSA to 1.22 in F-43, F-44, Rawhide, EPEL-10.2 and EPEL-10:

    • Hardening: Use a fresh, independent CSPRNG witness every round
    • Security fix: Modulo bias in key generation (CVE-2026-14570); an attack with hundreds of signatures could lead to full private-key compromise; keys should be considered compromised and new keys should be generated

  • Updated perl-Crypt-DSA (1.17) in EPEL-8 and EPEL-9 to backport improvements from version 1.22

  • Updated perl-IO-Compress to 2.222 in Rawhide:

    • Tag ':constants' no longer exports all constants (GH#64, GH#78)

Local Packages

  • Updated perl-IO-Compress to 2.222 as per the Fedora version

  • Updated perl-Sendmail-PMilter to 1.28 as per the Fedora version

  • Updated perl-YAML-LibYAML to 0.910.0:

    • OOP interface: Fix default boolean option (missing default lead to random default on some architectures) (GH#133)

Tuesday 7th July 2026

Fedora Project

  • Updated perl-Crypt-PasswdMD5 to 1.45 in Rawhide:

    • Replace text of LICENSE file with Perl_5 license generated using Software::License

  • Updated perl-String-Util to 1.36 in Rawhide:

    • Updated POD/README
    • Make trim() more robust

  • Updated perl-Tree-DAG_Node to 1.38 in Rawhide:

    • Replace LICENCE file content with the Perl_5 license from Software::License

    • Add AI_POLICY.md file

    • Modernize MANIFEST.SKIP again

  • Updated perltidy to 20260705 in Rawhide (see CHANGES.md for details)

Local Packages

  • Updated perl-IO-Compress to 2.223:

    • Fix typo in Makefile.PL (GH#79)

  • Updated perl-Perl-Tidy to 20260705 as per the Fedora perltidy package

  • Updated perl-Tree-DAG_Node to 1.38 as per the Fedora version

Wednesday 8th July 2026

Fedora Project

  • Updated perl-Crypt-DSA to 1.24 in Rawhide:

    • Standardize on Crypt::SysRandom and drop the Crypt::URandom dependency

    • Make CVE tests optional
  • Updated perl-Crypt-PasswdMD5 to 1.46 in Rawhide:

    • Regenerate LICENSE file using latest Software::License to get current GPLv1 license text

  • Updated perl-Tree-DAG_Node to 1.39 in Rawhide:

    • Regenerate LICENSE using latest Software::License (GH#1)

Local Packages

  • Updated c-ares to 1.34.8:

  • Bugfixes:
    • Revert "Mark parameters in callbacks as const", which shipped in 1.34.7
      • Changing the parameter types of the 'ares_callback', 'ares_host_callback' and 'ares_nameinfo_callback' function pointer typedefs was an unintended API break: existing applications with the historical non-const callback signatures no longer compiled, particularly in C++ where function pointer types must match exactly

      • The read-only nature of the callback parameters is now documented instead (GH#1244)

  • Changes for 1.34.7:
  • Security:
  • Changes:
    • ares_getaddrinfo(): Handle a NULL node per POSIX and implement ARES_AI_PASSIVE (GH#1186)

    • Mark parameters in callbacks as const (GH#1060)

    • Correct ARES_CLASS_HESOID misspelling to ARES_CLASS_HESIOD (GH#1092)

  • Bugfixes:
    • Fix sticky server recovery when all servers have failures (GH#1192)

    • Fix UDP socket exhaustion regression: retire connections per-connection, not via server failure count (GH#1197)

    • Guard DNS record binary length overflow (GH#1168)

    • Prevent integer overflow in allocation size calculations (GH#1147)

    • Prevent overflow in ares_array allocation size calculations (GH#1117)

    • Prevent integer overflow in buffer size calculation (GH#1116)

    • Add overflow checks to ares_buf_ensure_space() (GH#1094)

    • Skip name compression offsets beyond the 14-bit pointer limit (GH#1159)

    • ares_dns_parse: Reject name compression in RDATA where not permitted (RFC 3597) (GH#1190)

    • ares_dns_parse: Reject responses with more than one OPT record (RFC 6891) (GH#1189)

    • Discard oversized UDP datagrams instead of truncating the length frame (GH#1161)

    • Route numeric config parsing through range-checked ares_str_parse_uint (GH#1158)

    • Replace atoi-based port parsing with validated helper (GH#1097)

    • Defer TCP connection error handling until DNS responses are parsed (GH#1138)

    • Prevent undefined-behaviour left shift in ares_calc_query_timeout() (GH#1151)

    • Use unsigned type for ares_round_up_pow2_u64 to avoid undefined behaviour (GH#1107)

    • Fix undefined behaviour in ares_buf_replace() pointer arithmetic (GH#1099)

    • ares_array: Reset offset when array becomes empty (GH#1165)

    • ares_iface_ips: Add ARES_IFACE_IP_NONE zero enum value (GH#1187)

    • ares_sysconfig_files: Recognize AIX netsvc.conf bind4/local4 tokens (GH#1188)

    • Use safe string construction in Windows sysconfig join path (GH#1143)

    • Fix zero-length RAW_RR losing type metadata during parsing (GH#1129)

    • Fix RAW_RR type tostr/fromstr roundtrip mismatch (GH#1123)

    • Fix NULL dereference for ifa netmask (GH#1120)

    • adig: Fix negated option prefix parsing (GH#1135)

    • Use UnregisterWaitEx to prevent use-after-free on Win32 (GH#1111)

    • Add NULL check after ares_malloc_zero in Windows UTF8 conversion (GH#1121)

    • Fix NULL dereference after ares_malloc_zero in Win32 IOCP event add (GH#1132)

    • Fix microsecond overflow in ares_queue_wait_empty timeout (GH#1122)

    • Fix NULL dereference in ares_buf_replace() on NULL buf (GH#1124)

    • Initialize *read_bytes in ares_socket_recvfrom() (GH#1125)

    • Fix memory leak of binbuf in ares_buf_parse_dns_binstr_int (GH#1126)

    • Fix memory leak of qcache entry on key allocation failure (GH#1127)

    • Fix memory leak of buf in ares_dns_multistring_combined() on OOM (GH#1110)

    • Fix memory leaks on error paths in two functions (GH#1109)

    • Fix memory leak of buckets in ares_htable_dict_keys() error path (GH#1108)

    • Fix memory leak of bucket->key in ares_htable_dict_insert error path (GH#1105)

    • Fix additional memory leaks (GH#1078, GH#1091)

    • Prevent corrupt addrinfo nodes on sockaddr allocation failure (GH#1112)

    • Fix two logic bugs in DNS cookie handling (GH#1103)

    • Fix linked list INSERT_BEFORE corruption and array insertdata_first ordering (GH#1101)

    • Fix HASH_IDX macro missing parentheses (GH#1128)

    • Fix malloc(0) in ares_htable_all_buckets on empty table (GH#1131)

    • Fix wrong sizeof in QNX confstr() call truncating domain names (GH#1130)

    • Clear probe pending flag after timeout (GH#1059)

    • Fix incorrect check for empty wide string (GH#1064)

    • Handle strdup failure (GH#1077)

    • doc: Reference ares_free_string(), not ares_free() (GH#1084)

  • Updated perl-DBI to 1.650:

    • Set a hard limit of 99999 on '?' placeholders (CVE-2026-14739)

    • Fix out-of-bounds read in preparse of SQL that starts with a comment (CVE-2026-14740)

    • Fix code injection via Profile DSN attribute or DBI_PROFILE variable (CVE-2026-14380)

    • Update dbipport.h to Devel::PPPort-3.73

    • Require Test::More 0.96 (tests will otherwise fail on pristine perl-5.12)

  • Updated perl-Mail-Sendmail to 0.83:

    • Strip CR/LF from header values, to prevent insertion of rogue headers (GH#11, CVE-2026-13092)

    • Switched to a new test Sendmail server for t/original.t, as the old one was no longer accepting connections

  • Updated perl-Tree-DAG_Node to 1.39 as per the Fedora version

Thursday 9th July 2026

Fedora Project

  • Updated perl-Module-CPANTS-Analyse (0.99) in EPEL-8 to use relative symlinks rather than absolute symlinks in test (GH#51), which fixes FTBFS with perl-Archive-Tar-2.30-2.el8_10 onwards

  • Updated perl-Perl-Critic (1.156) in F-44 to run tests with LANG=en_US.UTF-8 to fix pod spelling test with recent update for hunspell-en dictionary

  • Updated perl-Sereal-Decoder, perl-Sereal-Encoder and perl-Sereal to 5.007 in Rawhide:

    • Use $Config{ccflags} to compile zstd with, which should fix AIX

  • Updated perl-Unicode-UTF8 to 0.72 in Rawhide:

    • read_utf8() now takes a single-pass fast path on PerlIO fast-gets layers, validating/copying/counting straight out of the layer buffer (up to ~11% faster on multibyte-heavy input; see benchmarks/)

    • Fixed read_utf8() on non-buffered handles stranding the trailing incomplete sequence that was read to satisfy the requested length: the pending bytes are now pushed back with PerlIO_unread() so the following read sees them, matching decode_utf8() when drained to end of file

  • I added a patch to avoid trying to use 64-bit SSE2 on ix86 (GH#14)

  • Updated proftpd to 1.3.9c in F-43, F-44, Rawhide, EPEL-10.2 and EPEL-10:

    • ExecEnviron values not passed due to regression since 1.3.8d (GH#2135)

    • Stack buffer overflow in MLSD/MLST handling for long path names (GH#2146)

    • MaxTransfersPerUser no longer enforces configured limits (GH#2158)

    • AdminControlsACLs for config, get actions not honoured as they should be (GH#2163)

    • Memcached/Redis-cached JSON TLS session/OCSP entries decoded into fixed buffers without bounds checking (GH#2166)

    • RewriteMap unescape builtin use causes one-byte out-of-bounds write, fails to reject illegal characters (GH#2173)

    • SQL group name lookup concatenates client-provided group names without escaping (GH#2188)

    • Authenticated SFTP sessions can overflow the SFTP packet buffer (GH#2190)

    • Default Controls socket ACLs unintentionally allow all users access for sending Controls requests (GH#2210)

Local Packages

  • Updated perl-DateTime-TimeZone to 2.69:

    • This release is based on version 2026c of the Olson database
    • Contemporary changes for Alberta, CA and Morocco
  • Updated perl-Unicode-UTF8 to 0.72 as per the Fedora version

  • Updated proftpd to 1.3.9c as per the Fedora version

  • Updated proftpd (rc) to 1.3.10rc3:

    • ExecEnviron values not passed due to regression since 1.3.8d (GH#2135)

    • FTP TYPE command silently ignores invalid format-control argument instead of returning an error (GH#2141)

    • Stack buffer overflow in MLSD/MLST handling for long path names (GH#2146)

    • MaxTransfersPerUser no longer enforces configured limits (GH#2158)

    • AdminControlsACLs for config, get actions not honoured as they should be (GH#2163)

    • Memcached/Redis-cached JSON TLS session/OCSP entries decoded into fixed buffers without bounds checking (GH#2166)

    • RewriteMap unescape builtin use causes one-byte out-of-bounds write, fails to reject illegal characters (GH#2173)

    • SITE RMDIR command from mod_site_misc does not honour PathAllowFilter, PathDenyFilter as expected (GH#2175)

    • SFTP SETSTAT, FSETSTAT requests do not honour PathAllowFilter, PathDenyFilter as expected (GH#2180)

    • SQL group name lookup concatenates client-provided group names without escaping (GH#2188)

    • Authenticated SFTP sessions can overflow the SFTP packet buffer (GH#2190) & Implement SFTP copy-data extension (GH#2198)

    • Default Controls socket ACLs unintentionally allow all users access for sending Controls requests (GH#2210)

  • I added use of memcached when running the API tests, lest the memcached tests would fail

Friday 10th July 2026

Fedora Project

  • Updated perl-Sereal-Decoder to 5.008 in Rawhide:

    • Decoder now supports 'thaw_allow_classes' and 'thaw_deny_action' to control thaw callbacks during decoding

  • Updated perl-Sereal-Encoder to 5.008 in Rawhide:

    • Released to match Decoder version

  • Updated perl-Sereal to 5.008 in Rawhide:

    • Decoder now supports 'thaw_allow_classes' and 'thaw_deny_action' to control thaw callbacks during decoding

Monday 13th July 2026

Fedora Project

  • Updated perl-CPAN-Requirements-Dynamic to 0.003 in Rawhide:

    • Avoid undefinedness warning in config_defined

  • Updated perl-Test-Synopsis to 0.18 in Rawhide:

    • Fix: =for test_synopsis directives are now applied regardless of their position relative to the SYNOPSIS code block (GH#20, regression since 0.14)

Local Packages

  • Updated perl-CPAN-Requirements-Dynamic to 0.003 as per the Fedora version

  • Updated perl-Test-Synopsis to 0.18 as per the Fedora version

Tuesday 14th July 2026

Fedora Project

  • Updated geoipupdate to 8.0.0 in Rawhide:

    • BREAKING CHANGE: 'geoipupdate' stops updating on the first error

    • 'NewUpdater' in the unexported 'internal/geoipupdate' package no longer mutates 'http.DefaultTransport' when a proxy is configured; the CLI is the only caller, so there is no user-visible behaviour change (GH#488)

    • Do not retry proxy CONNECT 4xx errors; these are now treated as permanent failures

  • Updated perl-DBD-CSV to 0.64 in Rawhide:

    • Next version will require perl-5.12, following DBI

  • Updated perl-Unicode-UTF8 to 0.74 in Rawhide:

    • Added slurp_utf8($filename), which reads an entire file and returns its contents decoded from UTF-8 as a character string

    • Added support for older MSVC C compilers by using __inline in place of the C99 inline keyword on pre-Visual Studio 2015 builds

    • Fixed SSE2 detection to only enable the SIMD implementation on 64-bit x86 targets, which prevents unsupported SSE2 code from being selected on 32-bit x86 builds (GH#14)

  • Updated perl-YAML-Syck to 1.47 in F-43, F-44, Rawhide, EPEL-9, EPEL-10.2 and EPEL-10:

  • Security:
    • Fix four libsyck memory-safety CVEs reachable from the default YAML::Syck::Load() path on untrusted input with no special flags (GH#213)

      • CVE-2026-57075 (CWE-125): Out-of-bounds read in the base64 decoder caused by signed-char indexing of the decode table on !!binary input

      • CVE-2026-57076 (CWE-416): Use-after-free of an anchor key string shared between the node and the anchors table

      • CVE-2026-57077 (CWE-125): One-byte out-of-bounds read in the lexer newline scan during block-scalar parsing (incomplete-fix follow-on to CVE-2025-11683)

      • CVE-2026-13713 (CWE-416/CWE-415): Use-after-free / double-free of an anchor node on anchor redefinition, a remote-crash DoS from a 7-byte input

    • Harden syck_base64dec() to bounds-check each read so it cannot run past a non-NUL-terminated input buffer (defense-in-depth for callers passing raw buffers; GH#213)

  • Bug Fixes:
    • Fix: Enforce $MaxDepth on Load to prevent C-stack exhaustion from deeply nested YAML/JSON input; YAML::Syck and JSON::Syck Load now default to 512, matching Dump (GH#204)

    • Fix: Emit YAML canonical forms (.nan, .inf, -.inf) for NaN/Inf values in Dump so they roundtrip with ImplicitTyping instead of reloading as plain strings (GH#201)

  • Maintenance:
    • CI: add an AddressSanitizer job that builds the XS with -fsanitize=address and runs the suite plus the CVE trigger inputs to catch libsyck memory-safety defects; de-pin the libasan version so it tracks the runner's GCC (GH#213)

Local Packages

  • Updated geoipupdate to 8.0.0 as per the Fedora version

  • Updated perl-DBD-CSV to 0.64 as per the Fedora version

  • Updated perl-DBI to 1.651:

    • Fix inverted comparisons for strings in DBI::SQL::Nano (CVE-2026-15043)

    • Document that IS NULL matches empty strings in DBI::SQL::Nano

    • Fix DBD::File to ensure that the table is not a symlink outside of f_dir (CVE-2026-15392)

    • Fix an out-of-bounds error when a statement handle has no fields but the source row is not empty (CVE-2026-60082)

    • Add an overridable upper bound $MAX_PATH_DEPTH for DBI::ProfileData (CVE-2026-60081)

  • Updated perl-Unicode-UTF8 to 0.74 as per the Fedora version

  • Updated perl-YAML-Syck to 1.47 as per the Fedora version

Wednesday 15th July 2026

Fedora Project

  • Updated perl-Unicode-UTF8 to 0.75 in Rawhide:

    • Fixed slurp_utf8() leaking the file descriptor if a fatal "utf8" warning (e.g. warnings FATAL => 'utf8') was thrown while reading an ill-formed file

Local Packages

  • Updated perl-Unicode-UTF8 to 0.75 as per the Fedora version


Previous Month: June 2026

Recent