[From nobody Wed May 27 19:09:04 2026 Received: (at 1138050-close) by bugs.debian.org; 27 May 2026 18:08:20 +0000 X-Spam-Checker-Version: SpamAssassin 4.0.1-bugs.debian.org_2005_01_02 (2024-03-25) on buxtehude.debian.org X-Spam-Level: X-Spam-Status: No, score=-114.2 required=4.0 tests=ALL_TRUSTED,BAYES_00, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FVGT_m_MULTI_ODD, HAS_BUG_NUMBER,MD5_SHA1_SUM,PGPSIGNATURE,SPF_HELO_PASS,SPF_PASS, USER_IN_DKIM_WELCOMELIST autolearn=ham autolearn_force=no version=4.0.1-bugs.debian.org_2005_01_02 X-Spam-Bayes: score:0.0000 Tokens: new, 108; hammy, 150; neutral, 172; spammy, 0. spammytokens: hammytokens:0.000-+--HX-Debian:DAK, 0.000-+--H*rp:D*ftp-master.debian.org, 0.000-+--HX-DAK:process-upload, 0.000-+--UD:debian.tar.xz, 0.000-+--H*r:sk:fasolo. Return-path: <envelope@ftp-master.debian.org> Received: from mailly.debian.org ([2001:41b8:202:deb:6564:a62:52c3:4b72]:37006) by buxtehude.debian.org with esmtps (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.96) (envelope-from <envelope@ftp-master.debian.org>) id 1wSIg0-00AlSq-0Q for 1138050-close@bugs.debian.org; Wed, 27 May 2026 18:08:20 +0000 Received: via submission from C=NA, ST=NA, L=Ankh Morpork, O=Debian SMTP, OU=Debian SMTP CA, CN=fasolo.debian.org, EMAIL=hostmaster@fasolo.debian.org (verified) by mailly.debian.org with esmtps (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.96) (envelope-from <envelope@ftp-master.debian.org>) id 1wSIfz-004lz4-1A for 1138050-close@bugs.debian.org; Wed, 27 May 2026 18:08:19 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ftp-master.debian.org; s=smtpauto.fasolo; h=Date:Message-Id:Content-Type: Subject:MIME-Version:To:Reply-To:From:Cc:Content-Transfer-Encoding:Content-ID :Content-Description:In-Reply-To:References; bh=mFFnMABzrAH26EYS+y1unuwmVtfbWq6uf4Mu4bV82p4=; b=HFqlQ2Pvxup4cJ0B5KahWXgGl4 ImQ32d/+p+zA7NJAuZIRrV5f4A9+QzwZQZ1hja5nnt3/YVCQjIeKYtCOcBp/8L6CZifiybqoVTp86 dd1AgkO+eMI8Kl6UVFnRRVvpNv7RB39l5pfR2eI+7+QalzQts2L3WLTGlrR+D0YEk3xAm6VpGhN0y QSIKf5knEPM+sUt5Tw/NfFK9dHK22jn5rORc+pGv8TcydVFHg9PVofswXfR5QsxsEbKZ0cgB8Dn/r OTrLRKn3Jchoh6jiYLrsfPdvWdU25wmVKs0yBUMv4l9dPF0Ow5WMy2jvLDEDWh+rag1Klqf+c9U/9 9MgTcQ2g==; Received: from dak by fasolo.debian.org with local (Exim 4.98.2) (envelope-from <envelope@ftp-master.debian.org>) id 1wSIfy-0000000Dkry-1qsK; Wed, 27 May 2026 18:08:18 +0000 From: Debian FTP Masters <ftpmaster@ftp-master.debian.org> Reply-To: gregor herrmann <gregoa@debian.org> To: 1138050-close@bugs.debian.org X-DAK: dak process-upload X-Debian: DAK X-Debian-Package: libhttp-daemon-perl Debian: DAK Debian-Changes: libhttp-daemon-perl_6.17-1_source.changes Debian-Source: libhttp-daemon-perl Debian-Version: 6.17-1 Debian-Architecture: source Debian-Suite: unstable Debian-Archive-Action: accept MIME-Version: 1.0 Subject: Bug#1138050: fixed in libhttp-daemon-perl 6.17-1 Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="===============2242394565874445951==" Message-Id: <E1wSIfy-0000000Dkry-1qsK@fasolo.debian.org> Date: Wed, 27 May 2026 18:08:18 +0000 --===============2242394565874445951== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Source: libhttp-daemon-perl Source-Version: 6.17-1 Done: gregor herrmann <gregoa@debian.org> We believe that the bug you reported is fixed in the latest version of libhttp-daemon-perl, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1138050@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. gregor herrmann <gregoa@debian.org> (supplier of updated libhttp-daemon-perl = package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Wed, 27 May 2026 19:23:34 +0200 Source: libhttp-daemon-perl Architecture: source Version: 6.17-1 Distribution: unstable Urgency: medium Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org> Changed-By: gregor herrmann <gregoa@debian.org> Closes: 1138050 Changes: libhttp-daemon-perl (6.17-1) unstable; urgency=3Dmedium . * Import upstream version 6.17. - Fix CVE-2026-8450: 2-arg open() in send_file() enabled RCE / arbitrary file write / response-body exfiltration when a string argument was derived from attacker-influenced input. send_file() now uses 3-arg open() with an explicit '<' read mode, so the path is always treated as= a literal filename and 2-arg open() shell-magic shapes ('| cmd', 'cmd |', '> path', etc.) are no longer interpreted. Closes: #1138050 * Update years of upstream copyright. * Update Upstream-Contact in debian/copyright. * Declare compliance with Debian Policy 4.7.4. * Remove =C2=ABRules-Requires-Root: no=C2=BB, which is the current default. * Remove =C2=ABPriority: optional=C2=BB, which is the current default. Checksums-Sha1: c8bd772d05d70f4ecc85d3340534d389eb0c61eb 2676 libhttp-daemon-perl_6.17-1.dsc f3acef84c37f0f22de951f425dc034c96c2c8446 48657 libhttp-daemon-perl_6.17.orig= .tar.gz 250b4e6451725976be3ffc002b3ed21baaccb06b 3692 libhttp-daemon-perl_6.17-1.deb= ian.tar.xz Checksums-Sha256: 141f1dbc3bfb89a26f613c28de97765785a92c486dc904b3a2c8c56e1278ff13 2676 libhtt= p-daemon-perl_6.17-1.dsc 16281580c40e23108d028434698b5d7d53637bf904c9df822481e253cbec920c 48657 libht= tp-daemon-perl_6.17.orig.tar.gz b8ab423f4ab3efe68770a162ac45e668ed00e62f9d3debb0b8a4d6822a1e5520 3692 libhtt= p-daemon-perl_6.17-1.debian.tar.xz Files: ef8e7757201df0982ad5acae38cc29e0 2676 perl optional libhttp-daemon-perl_6.17= -1.dsc 14f98fd61159ec4740a21781b787944e 48657 perl optional libhttp-daemon-perl_6.1= 7.orig.tar.gz 5a5598dd80328c932df8d93ecd1cce56 3692 perl optional libhttp-daemon-perl_6.17= -1.debian.tar.xz -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEE0eExbpOnYKgQTYX6uzpoAYZJqgYFAmoXKPdfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEQx RTEzMTZFOTNBNzYwQTgxMDREODVGQUJCM0E2ODAxODY0OUFBMDYACgkQuzpoAYZJ qgaE3BAAiTL23+QmMYyA85AifpBMYwBOxT/FYfXbj9FUHfzFdJsYXN6YkyhQwbww rAPnZyjcycu5IRSqlEW01r1LSEke5lXcw/fHuaOQ2AwIspPH+pOQ+k3m8/e6l6d6 fiiM/CRdYAImbGsDyVfXp3GS0bvwwR/9Ovr4w7ld5V/TsmklMDrmK/MrjLRakiRm oB909M2aogUHboPLlxlPlElDHv6F9Q8ncppvxW0Avtor9IBbBPTbqS+rwlSaZjmU aVN0sEOXZt24ISFiauKJYFxRvodBEm1KRPTRUyb142E9xrIlXXV+h3lFvg6sr+Du WowWIpIoybaQ8X7fsrWXwGqadOoAhD4So6jEwCG/ZXtnthK8WlVbF3eU3Feug2VO kDFTTSwv3/aLLPo8Rga9aX0nUHD/gKNt9ndio4S4IwZWobJ9jfbpoh4nqxbgarPH hFvVs+cbGtdd7POan6WZ9/7D3+JiRGD3Y5T4XwsYAG6criLLroKkjxWzdELFjstb 6NqAoYuf8H/CyMgCpB6Q6yFcSFXvm331ZESl00YIAsjPVQ0Ke6y1h2/8MCuoh5Vu qN7yiJj+xRyisBRCNmVnd/D15i/EulUwWZtM7xWl0eqqenYp6x5RoTaEQKwhLroC J28JUbDd0yF6Bf6oZwqnZsoY9I/jbRF4q8L8pD1PztF4C6FlETA=3D =3DzKc7 -----END PGP SIGNATURE----- --===============2242394565874445951== Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- iHUEABYIAB0WIQTziqJOuF8J+ZI8pJSb9qggYcy5IQUCahczEgAKCRCb9qggYcy5 IXOrAQDbh5DJ5Uapwmq7qmTdNj4I4neSSGczgjW0qVniXYBcdQD/f3KGQO7/NuqY nYYY8mtBX1kYJd53bLY5KKbgbmfXZAc= =9ZqS -----END PGP SIGNATURE----- --===============2242394565874445951==-- ]