Your message dated Sun, 21 Jun 2026 19:17:27 +0000
with message-id <[email protected]>
and subject line Bug#1138050: fixed in libhttp-daemon-perl 6.16-1+deb13u1
has caused the Debian Bug report #1138050,
regarding libhttp-daemon-perl: CVE-2026-8450
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1138050: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138050
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libhttp-daemon-perl
Version: 6.16-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/libwww-perl/HTTP-Daemon/pull/89
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libhttp-daemon-perl.

CVE-2026-8450[0]:
| HTTP::Daemon versions before 6.17 for Perl allow OS command
| injection via send_file().  send_file() opens its string argument
| with Perl's 2-arg open(). The 2-arg form interprets magic prefixes:
| '| cmd' and 'cmd |' open a pipe to a subprocess, '> path' and '>>
| path' open the path for write or append.  Untrusted input passed to
| send_file() can run OS commands at the daemon process UID. The read-
| pipe form ('cmd |') also leaks subprocess stdout into the HTTP
| response body. The write-mode forms can create or truncate files at
| attacker chosen paths.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-8450
    https://www.cve.org/CVERecord?id=CVE-2026-8450
[1] https://github.com/libwww-perl/HTTP-Daemon/pull/89
[2] https://lists.security.metacpan.org/cve-announce/msg/40435207/
[3] 
https://github.com/libwww-perl/HTTP-Daemon/commit/945d35141d94490f749640bd4390acd6a2193995

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libhttp-daemon-perl
Source-Version: 6.16-1+deb13u1
Done: Salvatore Bonaccorso <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libhttp-daemon-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated 
libhttp-daemon-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 20 Jun 2026 23:14:47 +0200
Source: libhttp-daemon-perl
Architecture: source
Version: 6.16-1+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Debian Perl Group <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 1138050
Changes:
 libhttp-daemon-perl (6.16-1+deb13u1) trixie-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2026-8450: send_file() honoured 2-arg open() shell-magic
     (Closes: #1138050)
   * Add regression test for send_file() shell-magic refusal
Checksums-Sha1: 
 2988076bfca1f8e9c82118874335aab3b43288f0 2609 
libhttp-daemon-perl_6.16-1+deb13u1.dsc
 cf817337ec9f4bb2c7f2e46b9762b3d8234f68a0 45830 
libhttp-daemon-perl_6.16.orig.tar.gz
 33e9ef6c87d48d84af5323ad3710eb42862af693 7840 
libhttp-daemon-perl_6.16-1+deb13u1.debian.tar.xz
Checksums-Sha256: 
 b899360a4ac3e26d39859fbc6b983953f4394da4b41b9f28823371eb12d32b77 2609 
libhttp-daemon-perl_6.16-1+deb13u1.dsc
 b38d092725e6fa4e0c4dc2a47e157070491bafa0dbe16c78a358e806aa7e173d 45830 
libhttp-daemon-perl_6.16.orig.tar.gz
 6b6ec08c19e4a27f863165928dfd17fe02306c328929481bfdb72e4cb9e02922 7840 
libhttp-daemon-perl_6.16-1+deb13u1.debian.tar.xz
Files: 
 08394088eb1492889422d136fd983d02 2609 perl optional 
libhttp-daemon-perl_6.16-1+deb13u1.dsc
 51425462790165aeafc2819a7359706f 45830 perl optional 
libhttp-daemon-perl_6.16.orig.tar.gz
 6c3789c087d35fb25b59b6ce92b3ce33 7840 perl optional 
libhttp-daemon-perl_6.16-1+deb13u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmo3Cg5fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EJ7wP+wfz2mYt/W7mXVl09dDqMxvvs8rvVSet
0xnpdU6U5cEr3JMFPBNCg4YqaKKgjkKa9gj5LtNBSf7uJ0LvymzLxKfCkHAETQ/g
UimVAOn690wiSamkAoNnF0lFCaK63LO65zoadknmOq7tZ9qVo4ilTufvm7imuS75
vD9AXdF5FXFjg5GTA4h3+kxE9qOxTNpjEZ3VbX6D/r3gwE/8WyOj0G8YRtIglPZL
1jFcqTotyfcPM8VkbOlEjY8cSkGwSJwNShtA5F8O4V1Mdqa1I3iq0iISbFuajDx1
qHA7OlO6HWxpihlIWwGrrTB6T5yaTQcxvySoB06oFnXySCR9gK/eschIjGGMhOh3
Kk+hbNFQA/gss0mAM1ZT2L5bnYGtSL+27Lv9p+qFf8YrH0ujZLoIiT6gEkzhVhqe
xqXyGWB6sviN4ZgnWmXq+UxZvRX8p26TRiNtkG5VZ6OuenltlA72W1jutb/c1hRw
3S76HHFgL4oluIG/NzinEdZJbU89pgoIDS86UD/BBFhnKSZeaZd9YrD2vi3ZZw8K
bwvqVgU4G/pyCrkJJejbkuI4cVFwD91NO9eNLiURbBQKj6o6PAqua0HdqBQyjIOe
grkxukbHlWRBZPXFTEafjLdj2tLLlvpoFn/d83F2KgbNgJPLf6kXvnTme/ATUYLD
/Pcb8BBmWfsj
=qtYP
-----END PGP SIGNATURE-----

Attachment: pgpR3UMbSd99T.pgp
Description: PGP signature


--- End Message ---

Reply via email to