Your message dated Sat, 06 Jun 2026 17:33:51 +0000
with message-id <[email protected]>
and subject line Bug#1138906: fixed in perl 5.40.1-8
has caused the Debian Bug report #1138906,
regarding perl: overflow fix for Storable
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1138906: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138906
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: perl
Version: 5.40.1-6
Severity: normal
Tags: upstream fixed-upstream security
Forwarded: https://github.com/Perl/perl5/pull/24413
X-Debbugs-Cc: [email protected]

Perl 5.44 will include a potential overflow fix for the Storable module
that is also going to be backported for point releases of 5.42, 5.40,
and 5.38.  See https://github.com/Perl/perl5/issues/24445

Leon Timmermans recommended that we include this too. I'll push it to
the 5.40 sid+forky and 5.42 experimental packages at least.  Not sure
yet if we want them in stable (5.40) or oldstable (5.36) as well.

AIUI the security impact is moderate or low and this is only a problem
for badly written XS code. Copying Salvatore anyway just in case.
-- 
Niko Tyni       [email protected]

--- End Message ---
--- Begin Message ---
Source: perl
Source-Version: 5.40.1-8
Done: Niko Tyni <[email protected]>

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Niko Tyni <[email protected]> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA384

Format: 1.8
Date: Sat, 06 Jun 2026 17:22:29 +0300
Source: perl
Architecture: source
Version: 5.40.1-8
Distribution: unstable
Urgency: medium
Maintainer: Niko Tyni <[email protected]>
Changed-By: Niko Tyni <[email protected]>
Closes: 1137345 1138854 1138855 1138856 1138858 1138863 1138905 1138906
Changes:
 perl (5.40.1-8) unstable; urgency=medium
 .
   * [SECURITY] backport various fixes from upstream:
     + CVE-2025-15649: header parsing in IO::Uncompress::Unzip.
         (Closes: #1138863)
     + CVE-2026-7010:  CRLF-validation in HTTP::Tiny.
         (Closes: #1138858)
     + CVE-2026-8376:  Buffer overflow in Perl_study_chunk.
         (Closes: #1137345)
     + CVE-2026-48959: CPU exhaustion in IO::Uncompress::Unzip.
         (Closes: #1138856)
     + CVE-2026-48961: crash in zipdetails.
         (Closes: #1138855)
     + CVE-2026-48962: code execution in IO-Compress via output globs.
         (Closes: #1138854)
     + buffer overflows in pack().
         (Closes: #1138905)
     + buffer overflow in Storable.
         (Closes: #1138906)
Checksums-Sha1:
 feff9b43463d196f6744b2f51ab3094537900678 2372 perl_5.40.1-8.dsc
 a275dffed86a0d9a43dc87b7ffec3a03b8aab38d 179088 perl_5.40.1-8.debian.tar.xz
 efc987732ec29a37204e0cc26d43d761be2671d3 5338 perl_5.40.1-8_source.buildinfo
Checksums-Sha256:
 0df3684ddbed6c62651b8f682df33d2af54d47ee238958f30fa26ac066ee88d5 2372 
perl_5.40.1-8.dsc
 621e16fec9e822ec835071aa3665ebd329142bcd270b86a6f9bb04cb94a1de08 179088 
perl_5.40.1-8.debian.tar.xz
 bbf2de68263b588b9b82209e60f9ed9704f7021ffa9b08fab2da43f9c9485b93 5338 
perl_5.40.1-8_source.buildinfo
Files:
 d9d1456beca9bb3f5535b82405708bfe 2372 perl standard perl_5.40.1-8.dsc
 46569b65055e962347a20985b9ec245a 179088 perl standard 
perl_5.40.1-8.debian.tar.xz
 ffcf467b4231949b678af8c4ae3651e3 5338 perl standard 
perl_5.40.1-8_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iKcEARMJAC8WIQTuZv2Xfg2x/uVxefeK/rNkDrE5sgUCaiRB+hEcbnR5bmlAZGVi
aWFuLm9yZwAKCRCK/rNkDrE5st5SAX9cPTfxh8ivQ7d4IBnal//ySr/1+zI8TyyB
J09rCB4SqkDM74u0tZtsSeIXuILCJ5UBgKav4TN0s0BVQ/Kv78fVzoAvLfYtm7dn
nojCgyWR8Nw+dYy5Gg04H/JmVY8GWBMzpA==
=Vizr
-----END PGP SIGNATURE-----

Attachment: pgpshIQ2nRCyZ.pgp
Description: PGP signature


--- End Message ---

Reply via email to