Your message dated Wed, 08 Jul 2026 17:04:27 +0000
with message-id <[email protected]>
and subject line Bug#1141638: fixed in libhttp-tiny-perl 0.096-1
has caused the Debian Bug report #1141638,
regarding HTTP::Tiny: CVE-2026-7017
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1141638: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1141638
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libhttp-tiny-perl
Version: 0.092-3
Severity: important
Tags: security upstream
Forwarded: https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/pull/36
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: clone -1 -2
Control: reassign -2 src:perl 5.40.1-8
Hi,
The following vulnerability was published for libhttp-tiny-perl.
CVE-2026-7017[0]:
| HTTP::Tiny versions before 0.095 for Perl forward credential headers
| to cross-origin redirect targets. When the server returns a 3xx
| redirect, `_maybe_redirect` follows the `Location:` header and
| `_prepare_headers_and_cb` re-merges the caller's `headers` argument
| into the new request, without checking whether the redirect target
| shares an origin with the original URL. Caller-supplied
| `Authorization`, `Cookie` and `Proxy-Authorization` headers are
| therefore re-sent to whatever host the redirect names, across
| scheme, host or port boundaries, and including `https` to `http`
| downgrades that expose them in plaintext on the wire. The
| HTTP::Tiny POD note that "Authorization headers will not be included
| in a redirected request" applied only to the URL-userinfo Basic-auth
| path, not to headers passed explicitly by the caller.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-7017
https://www.cve.org/CVERecord?id=CVE-2026-7017
[1] https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/pull/36
[2] https://lists.security.metacpan.org/cve-announce/msg/41618211/
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libhttp-tiny-perl
Source-Version: 0.096-1
Done: gregor herrmann <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libhttp-tiny-perl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
gregor herrmann <[email protected]> (supplier of updated libhttp-tiny-perl
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 08 Jul 2026 18:42:44 +0200
Source: libhttp-tiny-perl
Architecture: source
Version: 0.096-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <[email protected]>
Changed-By: gregor herrmann <[email protected]>
Closes: 1141638
Changes:
libhttp-tiny-perl (0.096-1) unstable; urgency=medium
.
* Import upstream version 0.096.
Includes fix for CVE-2026-7017 since 0.095.
Closes: #1141638
* Drop debian/patches/CVE-2026-7010-*.patch.
These patches were taken from upstream Git and are included in
the 0.093 release.
* Update years of upstream copyright.
Checksums-Sha1:
6a384e4b0acddbd4ddbad5e971c85827beaa2c10 2525 libhttp-tiny-perl_0.096-1.dsc
2095f2557627f1db6cbbb3f371526e8152fd7e73 81773
libhttp-tiny-perl_0.096.orig.tar.gz
f93e571537951934735ec58a9d43b10d74e9fb2f 5152
libhttp-tiny-perl_0.096-1.debian.tar.xz
Checksums-Sha256:
29038608e753cc2d8fc92abe0efe31e5ca3323fe29645358cdacead772197ef2 2525
libhttp-tiny-perl_0.096-1.dsc
1df1a8caecbf97a2cbe002a655e0fe21d4cd5bbee9e40656a3a602423f98eaef 81773
libhttp-tiny-perl_0.096.orig.tar.gz
52389182e1f2e9b08644f6bd92ccb662b782239c7fca588008473a30c6e6b172 5152
libhttp-tiny-perl_0.096-1.debian.tar.xz
Files:
c24b50de8216b81bc718386d59c0abd8 2525 perl optional
libhttp-tiny-perl_0.096-1.dsc
7a2c39293ccd0e0b3fd8d065f5b6ba3c 81773 perl optional
libhttp-tiny-perl_0.096.orig.tar.gz
ef9bbfedf51b7f8cb1c0f3921b20402d 5152 perl optional
libhttp-tiny-perl_0.096-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE0eExbpOnYKgQTYX6uzpoAYZJqgYFAmpOf49fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEQx
RTEzMTZFOTNBNzYwQTgxMDREODVGQUJCM0E2ODAxODY0OUFBMDYACgkQuzpoAYZJ
qga6Dw/+LnGZP4IDuFoJtEGazaMhBAfqPBuTJiAvK2mYg+X+Yg9ojnblDTGffs7n
BV+jk8qljupUcgQLC+cnSGbFGPKa8d6EYWZfZjQDhOhTWWj0eTc/XdCHzxZf5lOC
oPZ/QsGD9wSxojeOJ6A+xfV6WB4+X5j1Dj4q6lK+EItW1JOgNKcLnA9L7mquOT43
zgo5xG3YainWlcl8kfu19Cii6bIuwJ2zMk5nnkEYHYP4EXmiSwquJLRSIc4fU+Oq
JWp8cxsYOwFrPvePmqSCfmqvLZGC3nrrrDxGtXKJW98dlGH238ogE2ASROC09AMS
uSb7odfO1VnS8WQj8No1kzmQ7ShW8mj5uJ22jfLJmITflyri1/Dw8Ouwr1BQ9w6I
ectvq6c3i2OmJvTgapjomUHwuO/8fH+AJdu0V/OAkI4xOMy/Fl+TYDFpdiQH8nKn
YQxbLoyr8ALlmXao7eFD1rJl/ff7LLtKosJnqTNHw0uSkTr/jnVOftGR9cnLXqQE
ljZtaEV7EYuZ7DHAEQ+YL6eF7qFWwFvrhPJDMiYjvXv/T6babzb6aAcYSs+Nixd2
J8dDvr6gM/zfDw+qkL+YoQxHSbwSzmXIlBuxNyuayiKQ+n2mEQ0EglSlw5SqWqvI
E0NBJEq62sBLWocTxqbW7qH1Co9auy3MApchrKWJOINqMKckh2s=
=CjnY
-----END PGP SIGNATURE-----
pgpEXnYdHvevm.pgp
Description: PGP signature
--- End Message ---