Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package perl-Starman for openSUSE:Factory checked in at 2026-05-12 19:31:08 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/perl-Starman (Old) and /work/SRC/openSUSE:Factory/.perl-Starman.new.1966 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "perl-Starman" Tue May 12 19:31:08 2026 rev:5 rq:1352800 version:0.4018 Changes: -------- --- /work/SRC/openSUSE:Factory/perl-Starman/perl-Starman.changes 2023-09-29 21:15:52.134716977 +0200 +++ /work/SRC/openSUSE:Factory/.perl-Starman.new.1966/perl-Starman.changes 2026-05-12 19:32:59.654813281 +0200 @@ -1,0 +2,10 @@ +Tue Apr 28 07:46:56 UTC 2026 - Tina Müller <[email protected]> + +- updated to 0.4018 + see /usr/share/doc/packages/perl-Starman/Changes + + 0.4018 2026-04-27 12:29:41 PDT + - Fix HTTP request smuggling: Transfer-Encoding now takes precedence + over Content-Length per RFC 7230 §3.3.3 (CVE-2026-40560, bsc#1263364) + +------------------------------------------------------------------- Old: ---- Starman-0.4017.tar.gz New: ---- README.md Starman-0.4018.tar.gz _scmsync.obsinfo build.specials.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ perl-Starman.spec ++++++ --- /var/tmp/diff_new_pack.NK3BpR/_old 2026-05-12 19:33:00.194835640 +0200 +++ /var/tmp/diff_new_pack.NK3BpR/_new 2026-05-12 19:33:00.194835640 +0200 @@ -1,7 +1,7 @@ # # spec file for package perl-Starman # -# Copyright (c) 2023 SUSE LLC +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -18,13 +18,14 @@ %define cpan_name Starman Name: perl-Starman -Version: 0.4017 +Version: 0.4018 Release: 0 License: Artistic-1.0 OR GPL-1.0-or-later Summary: High-performance preforking PSGI/Plack web server URL: https://metacpan.org/release/%{cpan_name} Source0: https://cpan.metacpan.org/authors/id/M/MI/MIYAGAWA/%{cpan_name}-%{version}.tar.gz Source1: cpanspec.yml +Source100: README.md BuildArch: noarch BuildRequires: perl BuildRequires: perl-macros 
@@ -33,19 +34,20 @@ BuildRequires: perl(HTTP::Parser::XS) BuildRequires: perl(HTTP::Status) BuildRequires: perl(LWP::UserAgent) -BuildRequires: perl(Module::Build::Tiny) >= 0.034 -BuildRequires: perl(Net::Server) >= 2.007 -BuildRequires: perl(Plack) >= 0.9971 +BuildRequires: perl(Module::Build) +BuildRequires: perl(Module::Build::Tiny) >= 0.34 +BuildRequires: perl(Net::Server) >= 2.7 +BuildRequires: perl(Plack) >= 0.997.100 BuildRequires: perl(Test::Requires) -BuildRequires: perl(Test::TCP) >= 2.00 +BuildRequires: perl(Test::TCP) >= 2.0 BuildRequires: perl(parent) Requires: perl(Data::Dump) Requires: perl(HTTP::Date) Requires: perl(HTTP::Parser::XS) Requires: perl(HTTP::Status) -Requires: perl(Net::Server) >= 2.007 -Requires: perl(Plack) >= 0.9971 -Requires: perl(Test::TCP) >= 2.00 +Requires: perl(Net::Server) >= 2.7 +Requires: perl(Plack) >= 0.997.100 +Requires: perl(Test::TCP) >= 2.0 Requires: perl(parent) %{perl_requires} @@ -96,7 +98,7 @@ This server does not support Win32. %prep -%autosetup -n %{cpan_name}-%{version} +%autosetup -n %{cpan_name}-%{version} -p1 find . -type f ! -path "*/t/*" ! -name "*.pl" ! -path "*/bin/*" ! -path "*/script/*" ! -path "*/scripts/*" ! -name "configure" -print0 | xargs -0 chmod 644 ++++++ README.md ++++++ ## Build Results Current state of perl in openSUSE:Factory is  The current state of perl in the devel project build (devel:languages:perl)  ++++++ Starman-0.4017.tar.gz -> Starman-0.4018.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Starman-0.4017/Changes new/Starman-0.4018/Changes --- old/Starman-0.4017/Changes 2023-09-13 22:27:04.000000000 +0200 +++ new/Starman-0.4018/Changes 2026-04-27 21:29:42.000000000 +0200 
@@ -1,5 +1,9 @@ Revision history for Perl extension Starman +0.4018 2026-04-27 12:29:41 PDT + - Fix HTTP request smuggling: Transfer-Encoding now takes precedence + over Content-Length per RFC 7230 §3.3.3 (CVE-2026-40560) + 0.4017 2023-09-13 13:27:02 PDT - Handle EINTR when doing sysread calls (Rob Mueller) #148 - Requires perl 5.14 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Starman-0.4017/MANIFEST new/Starman-0.4018/MANIFEST --- old/Starman-0.4017/MANIFEST 2023-09-13 22:27:04.000000000 +0200 +++ new/Starman-0.4018/MANIFEST 2026-04-27 21:29:42.000000000 +0200 @@ -34,3 +34,4 @@ t/ssl_key.pem t/ssl_largebody.t t/suite.t +t/te_cl_precedence.t diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Starman-0.4017/META.json new/Starman-0.4018/META.json --- old/Starman-0.4017/META.json 2023-09-13 22:27:04.000000000 +0200 +++ new/Starman-0.4018/META.json 2026-04-27 21:29:42.000000000 +0200 @@ -4,7 +4,7 @@ "Tatsuhiko Miyagawa <[email protected]>" ], "dynamic_config" : 0, - "generated_by" : "Dist::Milla version v1.0.22, Dist::Zilla version 6.025, CPAN::Meta::Converter version 2.150010", + "generated_by" : "Dist::Milla version v1.0.22, Dist::Zilla version 6.025, CPAN::Meta::Converter version 2.150013", "license" : [ "perl_5" ], @@ -76,7 +76,7 @@ "web" : "https://github.com/miyagawa/Starman" } }, - "version" : "0.4017", + "version" : "0.4018", "x_contributors" : [ "Adam Guthrie <[email protected]>", "Alex Vandiver <[email protected]>", 
@@ -94,6 +94,7 @@ "John Siracusa <[email protected]>", "Leon Brocard <[email protected]>", "Masahiro Nagano <[email protected]>", + "mauke <[email protected]>", "Olaf Alders <[email protected]>", "Paulo E. Castro <[email protected]>", "Perlover <[email protected]>", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Starman-0.4017/META.yml new/Starman-0.4018/META.yml --- old/Starman-0.4017/META.yml 2023-09-13 22:27:04.000000000 +0200 +++ new/Starman-0.4018/META.yml 2026-04-27 21:29:42.000000000 +0200 @@ -9,7 +9,7 @@ configure_requires: Module::Build::Tiny: '0.034' dynamic_config: 0 -generated_by: 'Dist::Milla version v1.0.22, Dist::Zilla version 6.025, CPAN::Meta::Converter version 2.150010' +generated_by: 'Dist::Milla version v1.0.22, Dist::Zilla version 6.025, CPAN::Meta::Converter version 2.150013' license: perl meta-spec: url: http://module-build.sourceforge.net/META-spec-v1.4.html @@ -37,7 +37,7 @@ bugtracker: https://github.com/miyagawa/Starman/issues homepage: https://github.com/miyagawa/Starman repository: https://github.com/miyagawa/Starman.git -version: '0.4017' +version: '0.4018' x_contributors: - 'Adam Guthrie <[email protected]>' - 'Alex Vandiver <[email protected]>' @@ -55,6 +55,7 @@ - 'John Siracusa <[email protected]>' - 'Leon Brocard <[email protected]>' - 'Masahiro Nagano <[email protected]>' + - 'mauke <[email protected]>' - 'Olaf Alders <[email protected]>' - 'Paulo E. Castro <[email protected]>' - 'Perlover <[email protected]>' 
@@ -70,6 +71,6 @@ - 'Tatsuhiko Miyagawa <[email protected]>' - 'Tim Bunce <[email protected]>' x_generated_by_perl: v5.34.1 -x_serialization_backend: 'YAML::Tiny version 1.73' +x_serialization_backend: 'YAML::Tiny version 1.76' x_spdx_expression: 'Artistic-1.0-Perl OR GPL-1.0-or-later' x_static_install: 1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Starman-0.4017/lib/Starman/Server.pm new/Starman-0.4018/lib/Starman/Server.pm --- old/Starman-0.4017/lib/Starman/Server.pm 2023-09-13 22:27:04.000000000 +0200 +++ new/Starman-0.4018/lib/Starman/Server.pm 2026-04-27 21:29:42.000000000 +0200 @@ -415,20 +415,7 @@ my $chunked = do { no warnings; lc delete $env->{HTTP_TRANSFER_ENCODING} eq 'chunked' }; - if (my $cl = $env->{CONTENT_LENGTH}) { - my $buf = Plack::TempBuffer->new($cl); - while ($cl > 0) { - my($chunk, $read) = $get_chunk->(); - - if ( !defined $read || $read == 0 ) { - die "Read error: $!\n"; - } - - $cl -= $read; - $buf->print($chunk); - } - $env->{'psgi.input'} = $buf->rewind; - } elsif ($chunked) { + if ($chunked) { my $buf = Plack::TempBuffer->new; my $chunk_buffer = ''; my $length; @@ -460,6 +447,19 @@ $env->{CONTENT_LENGTH} = $length; $env->{'psgi.input'} = $buf->rewind; + } elsif (my $cl = $env->{CONTENT_LENGTH}) { + my $buf = Plack::TempBuffer->new($cl); + while ($cl > 0) { + my($chunk, $read) = $get_chunk->(); + + if ( !defined $read || $read == 0 ) { + die "Read error: $!\n"; + } + + $cl -= $read; + $buf->print($chunk); + } + $env->{'psgi.input'} = $buf->rewind; } else { $env->{'psgi.input'} = $null_io; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Starman-0.4017/lib/Starman.pm new/Starman-0.4018/lib/Starman.pm --- old/Starman-0.4017/lib/Starman.pm 2023-09-13 22:27:04.000000000 +0200 +++ new/Starman-0.4018/lib/Starman.pm 2026-04-27 21:29:42.000000000 +0200 
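Review bot: Reordering the branches so `if ($chunked)` wins fixes the CL-first case, but a Transfer-Encoding value that is anything other than exactly `chunked` (`chunked, identity`, `gzip, chunked`, or the obfuscated spellings used for TE.CL smuggling) still leaves `$chunked` false on the hunk's first context line, the header silently deleted, and the request framed by Content-Length, whereas RFC 7230 §3.3.3 requires a 400 there because the body length cannot be determined. The same section (and RFC 9112 §6.1) also says a server that accepts a request carrying both headers MUST close the connection after responding; nothing in the hunk marks the connection non-persistent when `CONTENT_LENGTH` was present alongside chunked, and keep-alive handling sits outside this hunk, so I cannot tell whether that is already done. I would keep the raw TE value and reject the unsupported case before the branch, as in the fence below, which uses `die` only because the hunk already uses it for read errors; a 400 through the handler's existing error path would be preferable if one exists. Separately, the moved Content-Length branch still coerces `$cl` numerically without checking it is all digits, so `Content-Length: 5abc` reads 5 bytes instead of being rejected. The enclosing method starts and ends outside the hunk.
```perl
        my $te = delete $env->{HTTP_TRANSFER_ENCODING};
        my $chunked = defined $te && lc($te) eq 'chunked';
        # RFC 7230 §3.3.3: a Transfer-Encoding we cannot decode (or one where
        # chunked is not the final coding) leaves the body length undeterminable;
        # falling back to Content-Length here is the TE.CL smuggling vector.
        if (defined $te && !$chunked) {
            die "Unsupported Transfer-Encoding: $te\n";   # TODO: 400 via the existing error path
        }
        # … unchanged: chunked / Content-Length / empty-body branches …
```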
@@ -2,7 +2,7 @@ use strict; use 5.008_001; -our $VERSION = '0.4017'; +our $VERSION = '0.4018'; 1; __END__ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Starman-0.4017/script/starman new/Starman-0.4018/script/starman --- old/Starman-0.4017/script/starman 2023-09-13 22:27:04.000000000 +0200 +++ new/Starman-0.4018/script/starman 2026-04-27 21:29:42.000000000 +0200 @@ -73,7 +73,7 @@ Specifies the address to bind. -This option is for a compatibility with L<plackup> and you're +This option is for compatibility with L<plackup> and you're recommended to use C<--listen> instead. =item --port @@ -82,7 +82,7 @@ Specifies the port to bind. -This option is for a compatibility with L<plackup> and you're +This option is for compatibility with L<plackup> and you're recommended to use C<--listen> instead. =item -S, --socket @@ -91,12 +91,12 @@ Specifies the path to UNIX domain socket to bind. -This option is for a compatibility with L<plackup> and you're +This option is for compatibility with L<plackup> and you're recommended to use C<--listen> instead. =item --workers -Specifies the number of worker pool. Defaults to 5. +Specifies the size of the worker pool. Defaults to 5. Starman by default sets up other spare server configuration based on this workers value, making sure there are B<always only> C<N> worker @@ -106,7 +106,7 @@ =item --backlog -Specifies the number of backlog (listen queue size) of listener sockets. Defaults to 1024. +Specifies the backlog size (listen queue size) of listener sockets. Defaults to 1024. On production systems, setting a very low value can allow failover on frontend proxy (like nginx) to happen more quickly, if you have 
@@ -115,21 +115,21 @@ If you're doing simple benchmarks and getting connection errors, increasing this parameter can help avoid them. You should also consider increasing C<net.core.somaxconn>. Note that this is not -recommended for real production system if you have another cluster to +recommended for real production systems if you have another cluster to failover (see above). =item --max-requests -Number of the requests to process per one worker process. Defaults to 1000. +Number of requests to process per one worker process. Defaults to 1000. =item --preload-app This option lets Starman preload the specified PSGI application in the master parent process before preforking children. This allows memory savings with copy-on-write memory management. When not set (default), -forked children loads the application in the initialization hook. +forked children load the application in the initialization hook. -Enabling this option can cause bad things happen when resources like +Enabling this option can cause bad things to happen when resources like sockets or database connections are opened at load time by the master process and shared by multiple children. 
@@ -137,25 +137,25 @@ explicitly set this option to preload the application in the master process. -Alternatively, you can use -M command line option (plackup's common +Alternatively, you can use the C<-M> command line option (plackup's common option) to preload the I<modules> rather than the <application> itself. starman -MCatalyst -MDBIx::Class myapp.psgi will load the modules in the master process for memory savings with -CoW, but the actual loading of C<myapp.psgi> is done per children, -allowing resource managements such as database connection safer. +CoW, but the actual loading of C<myapp.psgi> is done per child, +making management of resources such as database connections safer. -If you enable this option, sending C<HUP> signal to the master process +If you enable this option, sending a C<HUP> signal to the master process I<will not> pick up any code changes you make. See L</SIGNALS> for details. =item --disable-keepalive -Disable Keep-alive persistent connections. It is an useful workaround +Disable Keep-alive persistent connections. It is a useful workaround if you run Starman behind a broken frontend proxy that tries to pool -connections more than a number of backend workers (i.e. Apache +more connections than there are backend workers (i.e. Apache mpm_prefork + mod_proxy). =item --keepalive-timeout @@ -208,11 +208,11 @@ =item --ssl-cert -Specify the path to SSL certificate file. +Specify the path to the SSL certificate file. =item --ssl-key -Specify the path to SSL key file. +Specify the path to the SSL key file. =item --enable-ssl 
@@ -226,12 +226,12 @@ =back Starman passes through other options given to L<Plack::Runner>, the -common backend that L<plackup> uses, so the most options explained in -C<plackup -h> such as C<--access-log> or C<--daemonize> works fine in -starman too. +common backend that L<plackup> uses, so most options explained in +C<plackup -h> (such as C<--access-log> or C<--daemonize>) work fine in +starman, too. Setting the environment variable C<STARMAN_DEBUG> to 1 makes the -Starman server running in the debug mode. +Starman server run in debug mode. =cut diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Starman-0.4017/t/te_cl_precedence.t new/Starman-0.4018/t/te_cl_precedence.t --- old/Starman-0.4017/t/te_cl_precedence.t 1970-01-01 01:00:00.000000000 +0100 +++ new/Starman-0.4018/t/te_cl_precedence.t 2026-04-27 21:29:42.000000000 +0200 
@@ -0,0 +1,57 @@ +use strict; +use warnings; +use Test::TCP; +use IO::Socket::INET qw/ SHUT_WR /; +use HTTP::Response; +use Plack::Loader; +use Test::More; + +# RFC 7230 §3.3.3: when both Transfer-Encoding and Content-Length are +# present, Transfer-Encoding must override Content-Length. +test_tcp( + client => sub { + my $port = shift; + + my $socket = IO::Socket::INET->new( + PeerAddr => 'localhost', + PeerPort => $port, + Proto => 'tcp', + ) or die "Failed to connect: $!"; + + # Chunked body encodes "Hello World" (0xb = 11 bytes). + # Content-Length: 5 is intentionally wrong — it must be ignored. + my $chunked_body = "b\r\nHello World\r\n0\r\n\r\n"; + my $req = "POST / HTTP/1.1\r\n" + . "Host: localhost\r\n" + . "Transfer-Encoding: chunked\r\n" + . "Content-Length: 5\r\n" + . "\r\n" + . $chunked_body; + + $socket->send($req); + $socket->shutdown(SHUT_WR); + + my $response = ''; + while (1) { + my $n = $socket->sysread(my $buf, 4096); + last unless $n; + $response .= $buf; + } + + my $res = HTTP::Response->parse($response); + is $res->content, 'Hello World', + 'Transfer-Encoding: chunked takes precedence over Content-Length'; + }, + server => sub { + my $port = shift; + my $server = Plack::Loader->load('Starman', port => $port, host => '127.0.0.1'); + $server->run(sub { + my $env = shift; + my $body = ''; + $env->{'psgi.input'}->read($body, 8192); + return [ 200, [ 'Content-Type', 'text/plain', 'Content-Length', length($body) ], [ $body ] ]; + }); + }, +); + +done_testing; ++++++ _scmsync.obsinfo ++++++ mtime: 1778593732 commit: c88652e2458a87e07ded1a1bf6e42dc14aee06f3d0182abc04f32724eb7cc597 url: https://src.opensuse.org/perl/perl-Starman revision: c88652e2458a87e07ded1a1bf6e42dc14aee06f3d0182abc04f32724eb7cc597 projectscmsync: https://src.opensuse.org/perl/_ObsPrj ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 
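Review bot: The new test pins precedence for one case (a Content-Length shorter than the chunked body) but never exercises the smuggling consequence, namely that the bytes past the Content-Length boundary are not parsed as a second request; with the client half-closing after a single request, a server that still read 5 bytes would merely echo `b\r\nHe`, so the desync itself is not observed. Pipelining a second request after the chunked body and asserting that the trailing bytes are not answered as a malformed request would cover it, as would a subtest with `Content-Length: 100`, the reverse case; the fence below sketches the first. `$socket->send($req)` ignores its return value, so a short send would surface as an opaque parse failure; `send(...) == length $req or die "send: $!"` gives a usable diagnostic. The handler's single `read($body, 8192)` is fine for this 11-byte body but should loop if larger bodies are ever added to the test.
```perl
    # … unchanged: socket setup and $chunked_body …
    my $req = "POST / HTTP/1.1\r\n"
        . "Host: localhost\r\n"
        . "Transfer-Encoding: chunked\r\n"
        . "Content-Length: 5\r\n"
        . "\r\n"
        . $chunked_body
        # trailing pipelined request: under Content-Length framing the tail of
        # the chunked body would be parsed as a second, malformed request
        . "GET /second HTTP/1.1\r\nHost: localhost\r\n\r\n";
    # … unchanged: send, half-close, read loop …
    my @responses = split /(?=^HTTP\/1\.1 )/m, $response;
    is HTTP::Response->parse($responses[0])->content, 'Hello World',
        'chunked framing consumed the whole body';
    # a second response is acceptable only as a clean 200 for GET /second; a 4xx
    # here means the chunked tail was read as a request (the smuggling outcome)
    unlike $responses[1] // '', qr{\AHTTP/1\.1 4}, 'trailing request not mis-parsed';
```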
01:00:00.000000000 +0100 +++ new/.gitignore 2026-05-12 15:48:52.000000000 +0200 @@ -0,0 +1 @@ +.osc
