Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package perl-HTTP-Daemon for
openSUSE:Factory checked in at 2026-06-02 19:46:42
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/perl-HTTP-Daemon (Old)
and /work/SRC/openSUSE:Factory/.perl-HTTP-Daemon.new.1937 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "perl-HTTP-Daemon"
Tue Jun 2 19:46:42 2026 rev:20 rq:1356446 version:6.170.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/perl-HTTP-Daemon/perl-HTTP-Daemon.changes
2025-07-14 10:48:01.619534970 +0200
+++
/work/SRC/openSUSE:Factory/.perl-HTTP-Daemon.new.1937/perl-HTTP-Daemon.changes
2026-06-02 19:46:54.512109021 +0200
@@ -1,0 +2,21 @@
+Thu May 21 10:03:14 UTC 2026 - Tina Müller <[email protected]>
+
+- updated to 6.170.0 (6.17)
+ see /usr/share/doc/packages/perl-HTTP-Daemon/Changes
+
+ 6.17 2026-05-19 23:11:06Z
+ - Fix CVE-2026-8450 (affects 6.15 and earlier): 2-arg open() in
+ send_file() enabled RCE / arbitrary file write / response-body
+ exfiltration when a string argument was derived from attacker-
+ influenced input. send_file() now uses 3-arg open() with an
+ explicit '<' read mode, so the path is always treated as a literal
+ filename and 2-arg open() shell-magic shapes ('| cmd', 'cmd |',
+ '> path', etc.) are no longer interpreted. send_file() now also
+ returns '0E0' (true zero) on a successful zero-byte transfer so
+ callers can distinguish empty file from open failure (undef). See
+ https://www.cve.org/CVERecord?id=CVE-2026-8450 for the advisory.
+ Reported and patched by Stig Palmquist (stigtsp). (Stig Palmquist,
+ Olaf Alders)
+ bsc#1266370
+
+-------------------------------------------------------------------
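Review bot: the 6.17 entry gives the affected range as "6.15 and earlier", yet this update moves the package from 6.16 (Version: 6.160.0 and HTTP-Daemon-6.16.tar.gz), so the entry leaves open whether the 6.16 build already in Factory was exposed; one line stating that would help anyone triaging bsc#1266370. The '0E0' return from send_file() on a zero-byte transfer is a caller-visible behaviour change buried inside the CVE paragraph; it deserves its own bullet, since callers that test the return value for truth now see success for an empty file, where only undef signals an open failure.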
Old:
----
HTTP-Daemon-6.16.tar.gz
New:
----
HTTP-Daemon-6.17.tar.gz
README.md
_scmsync.obsinfo
build.specials.obscpio
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ perl-HTTP-Daemon.spec ++++++
--- /var/tmp/diff_new_pack.MaJP6y/_old 2026-06-02 19:46:56.092174467 +0200
+++ /var/tmp/diff_new_pack.MaJP6y/_new 2026-06-02 19:46:56.092174467 +0200
@@ -1,7 +1,7 @@
#
# spec file for package perl-HTTP-Daemon
#
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2026 SUSE LLC and contributors
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -18,15 +18,16 @@
%define cpan_name HTTP-Daemon
Name: perl-HTTP-Daemon
-Version: 6.160.0
+Version: 6.170.0
Release: 0
-# 6.16 -> normalize -> 6.160.0
-%define cpan_version 6.16
+# 6.17 -> normalize -> 6.170.0
+%define cpan_version 6.17
License: Artistic-1.0 OR GPL-1.0-or-later
Summary: Simple http server class
URL: https://metacpan.org/release/%{cpan_name}
Source0:
https://cpan.metacpan.org/authors/id/O/OA/OALDERS/%{cpan_name}-%{cpan_version}.tar.gz
Source1: cpanspec.yml
+Source100: README.md
BuildArch: noarch
BuildRequires: perl
BuildRequires: perl-macros
@@ -70,6 +71,8 @@
%prep
%autosetup -n %{cpan_name}-%{cpan_version} -p1
+find . -type f ! -path "*/t/*" ! -name "*.pl" ! -path "*/bin/*" ! -path
"*/script/*" ! -path "*/scripts/*" ! -name "configure" -print0 | xargs -0 chmod
644
+
%build
perl Build.PL --installdirs=vendor
./Build build --flags=%{?_smp_mflags}
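Review bot: in the added %prep line, "xargs -0 chmod 644" is called without -r, so if the find expression ever matches nothing, GNU xargs still runs chmod once with no file operand and the step fails; "find ... -exec chmod 644 {} +" avoids both the pipe and that case. The line also carries no comment saying why permissions are normalised here or why t/, *.pl, bin/, script(s)/ and configure are exempt, which the next person editing the spec will want to know.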
++++++ HTTP-Daemon-6.16.tar.gz -> HTTP-Daemon-6.17.tar.gz ++++++
++++ 3411 lines of diff (skipped)
++++++ README.md ++++++
## Build Results
Current state of perl in openSUSE:Factory is

The current state of perl in the devel project build (devel:languages:perl)

++++++ _scmsync.obsinfo ++++++
mtime: 1780344701
commit: a835abc4c46f6e47364de6afa36494b9c3f988e8e7110d2a41c81e36bebc19ad
url: https://src.opensuse.org/perl/perl-HTTP-Daemon
revision: a835abc4c46f6e47364de6afa36494b9c3f988e8e7110d2a41c81e36bebc19ad
projectscmsync: https://src.opensuse.org/perl/_ObsPrj
++++++ build.specials.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/.gitignore new/.gitignore
--- old/.gitignore 1970-01-01 01:00:00.000000000 +0100
+++ new/.gitignore 2026-06-01 22:11:41.000000000 +0200
@@ -0,0 +1 @@
+.osc