Your message dated Sun, 21 Jun 2026 19:20:02 +0000
with message-id <[email protected]>
and subject line Bug#1138050: fixed in libhttp-daemon-perl
6.16-1+deb13u1~deb12u1
has caused the Debian Bug report #1138050,
regarding libhttp-daemon-perl: CVE-2026-8450
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1138050: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138050
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libhttp-daemon-perl
Version: 6.16-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/libwww-perl/HTTP-Daemon/pull/89
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for libhttp-daemon-perl.
CVE-2026-8450[0]:
| HTTP::Daemon versions before 6.17 for Perl allow OS command
| injection via send_file(). send_file() opens its string argument
| with Perl's 2-arg open(). The 2-arg form interprets magic prefixes:
| '| cmd' and 'cmd |' open a pipe to a subprocess, '> path' and '>>
| path' open the path for write or append. Untrusted input passed to
| send_file() can run OS commands at the daemon process UID. The read-
| pipe form ('cmd |') also leaks subprocess stdout into the HTTP
| response body. The write-mode forms can create or truncate files at
| attacker chosen paths.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-8450
https://www.cve.org/CVERecord?id=CVE-2026-8450
[1] https://github.com/libwww-perl/HTTP-Daemon/pull/89
[2] https://lists.security.metacpan.org/cve-announce/msg/40435207/
[3]
https://github.com/libwww-perl/HTTP-Daemon/commit/945d35141d94490f749640bd4390acd6a2193995
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libhttp-daemon-perl
Source-Version: 6.16-1+deb13u1~deb12u1
Done: Salvatore Bonaccorso <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libhttp-daemon-perl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated
libhttp-daemon-perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 20 Jun 2026 23:18:21 +0200
Source: libhttp-daemon-perl
Architecture: source
Version: 6.16-1+deb13u1~deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Perl Group <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 1138050
Changes:
libhttp-daemon-perl (6.16-1+deb13u1~deb12u1) bookworm-security; urgency=high
.
* Team upload.
* Rebuild for bookworm-security
.
libhttp-daemon-perl (6.16-1+deb13u1) trixie-security; urgency=high
.
* Team upload.
* Fix CVE-2026-8450: send_file() honoured 2-arg open() shell-magic
(Closes: #1138050)
* Add regression test for send_file() shell-magic refusal
Checksums-Sha1:
8f47d4cd1e189601e9fa9a99070afd018e232bd3 2641
libhttp-daemon-perl_6.16-1+deb13u1~deb12u1.dsc
da0ccc30d999f2fb30f9921226a8d0fdf03476d3 7864
libhttp-daemon-perl_6.16-1+deb13u1~deb12u1.debian.tar.xz
Checksums-Sha256:
a4f7593fa91003d6aa93be8123c9c26ca874237fd037279ad34e262a0faaf838 2641
libhttp-daemon-perl_6.16-1+deb13u1~deb12u1.dsc
77e8a57a8e6321b2602d69e056944126ffaeebf955cdb2254a86c316a2b4623e 7864
libhttp-daemon-perl_6.16-1+deb13u1~deb12u1.debian.tar.xz
Files:
c81c116bd397cdce197d06c5ec3999f7 2641 perl optional
libhttp-daemon-perl_6.16-1+deb13u1~deb12u1.dsc
9512ee46c1cc20cdc38012b18752c620 7864 perl optional
libhttp-daemon-perl_6.16-1+deb13u1~deb12u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmo3dw5fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89E0kMQAJCOhXPom8hfUCEHFHfz17ScF26285tj
Kwk9Ic/+HSH984OwvEdW+6QhTIIvwBO3X6Uk/P1ujIZJ6FLevADuKKva98O1Xmyb
+FpPs/qUUiZitIprLOzp8BpRDdEgQ0EOYmup5TEPHTU67OzwP6dH6TihORI4CgpW
bU162iEYiGmayGw5n2HuRE5vlNAFvVApgu/JlWPgHRWL8+QRmGhvaChOiJ15v6iF
hFX5eTZzdyObZDAwcRSEKyZrHhYmHVzsrn8The56NQHc79wYCnOm8YtEtu1+PqD/
vn8VkwTenr7wO3jYny3QkWQI8rlqpEjzuLQADb0Bj6vB6WXZAewYddAE+XM7aKIf
DHfku5rvLRnbjqbWzWOZXhdkXLdCSrrmTqTnG5eMXlW64jQGXhduZPmRCfufow0Z
oYvIIk8/PdlSWcf6cNE9klV5zxKgp4milM/2llg553ADwki4dMVsx7AH1GsFV13D
pPNl+XTYq4R+S0tuZkSKHADDRCBous5mpcz9pxwFLQp2t6D17Xja8SsQqGYTqBR5
w8fNqg8FV0zTPsKE935M0+DDYEuGMQkSpyH9K8WQyaIZJ5nNfPVuAko+CG5mkRSt
R+golI1WuwOIUYhkn4p+WYHvvUMWneA3T13S0OS1jm6EPUyutmkejdcjKJcGbVC0
vF5FlL2L0eby
=fNf9
-----END PGP SIGNATURE-----
pgpjI06ytjHEQ.pgp
Description: PGP signature
--- End Message ---