Bug#1139163: libnet-statsd-perl: CVE-2026-46739

Salvatore Bonaccorso carnil at debian.org
Sat Jun 6 19:46:44 BST 2026


Source: libnet-statsd-perl
Version: 0.12-3
Severity: important
Tags: security upstream
Forwarded: https://github.com/cosimo/perl5-net-statsd/pull/10
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Control: found -1 0.12-4
Control: found -1 0.12-5

Hi,

The following vulnerability was published for libnet-statsd-perl.

CVE-2026-46739[0]:
| Net::Statsd versions before 0.13 for Perl allow metric injections.
| The metric names are not checked for newlines, colons or pipes.
| Metrics generated from untrusted sources could inject additional
| statsd metrics.  The update_stats (used for updating counters) and
| gauge methods do not check that values are numeric (which would
| block metric injection).


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-46739
    https://www.cve.org/CVERecord?id=CVE-2026-46739
[1] https://github.com/cosimo/perl5-net-statsd/pull/10
[2] https://lists.security.metacpan.org/cve-announce/msg/40702251/
[3] https://github.com/cosimo/perl5-net-statsd/commit/a10b10173d6751991b7ade14b86dd272439d2283
[4] https://github.com/cosimo/perl5-net-statsd/commit/583dfdf0385120768d6cfca7264a6ebf337ff377

Regards,
Salvatore
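
An added example, not part of the original report and not the upstream fix: caller-side validation of metric names and values before they are placed in a statsd line ("name:value|type", one metric per newline-separated line). The function names, the allow-list pattern and the sample inputs are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not upstream code): reject metric names and values that
# could carry statsd line-format metacharacters. All names are hypothetical.
use strict;
use warnings;

# In "name:value|type", a newline separates metrics, ':' ends the name and
# '|' starts the type field, so none of them may appear inside a name.
sub safe_metric_name {
    my ($name) = @_;
    return undef unless defined $name && length $name;
    # Allow-list (assumed policy): letters, digits, '.', '_' and '-'.
    # \z, not $, because $ also matches before a trailing newline.
    return $name =~ /\A[A-Za-z0-9._-]+\z/ ? $name : undef;
}

sub safe_metric_value {
    my ($value) = @_;
    return undef unless defined $value;
    # Plain decimal numbers only.
    return $value =~ /\A[+-]?(?:\d+(?:\.\d+)?|\.\d+)\z/ ? $value : undef;
}

# Returns the wire line, or undef if any field fails validation.
sub format_metric {
    my ($name, $value, $type) = @_;
    my $n = safe_metric_name($name);
    my $v = safe_metric_value($value);
    return undef unless defined $n && defined $v;
    return undef unless defined $type && $type =~ /\A(?:c|g|ms)\z/;
    return "$n:$v|$type";
}

# Constructed sample inputs: [ name, value, type ]
my @samples = (
    [ 'web.requests',               1,                    'c' ],
    [ "web.requests\nadmin.logins", 1,                    'c' ],
    [ 'web.requests:9|c',           1,                    'c' ],
    [ 'queue.depth',                "5\nqueue.depth:0|g", 'g' ],
    [ 'queue.depth',                "5\n",                'g' ],
);

for my $s (@samples) {
    my $line = format_metric(@$s);
    (my $shown = join ' / ', @$s) =~ s/\n/\\n/g;
    printf "%-42s => %s\n", $shown,
        defined $line ? "send '$line'" : 'rejected';
}
```

Only the first sample produces a line; the other four are rejected, including the value with a trailing newline that a pattern anchored with $ would have accepted.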


