Source: libnet-statsd-perl
Version: 0.12-3
Severity: important
Tags: security upstream
Forwarded: https://github.com/cosimo/perl5-net-statsd/pull/10
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 0.12-4
Control: found -1 0.12-5

Hi,

The following vulnerability was published for libnet-statsd-perl.

CVE-2026-46739[0]:
| Net::Statsd versions before 0.13 for Perl allow metric injections.
| The metric names are not checked for newlines, colons or pipes.
| Metrics generated from untrusted sources could inject additional
| statsd metrics. The update_stats (used for updating counters) and
| gauge methods do not check that values are numeric (which would
| block metric injection).

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-46739
    https://www.cve.org/CVERecord?id=CVE-2026-46739
[1] https://github.com/cosimo/perl5-net-statsd/pull/10
[2] https://lists.security.metacpan.org/cve-announce/msg/40702251/
[3] https://github.com/cosimo/perl5-net-statsd/commit/a10b10173d6751991b7ade14b86dd272439d2283
[4] https://github.com/cosimo/perl5-net-statsd/commit/583dfdf0385120768d6cfca7264a6ebf337ff377

Regards,
Salvatore
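
The checks the CVE text says are missing, sketched as an added example for callers who build metric names from untrusted data; this is not code from Net::Statsd or from the upstream patch. The function names and sample metrics are constructed, the code does not call the module, and it assumes the usual statsd wire format of newline-separated `name:value|type` lines.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper: formats a statsd line with no validation, which is
# the behaviour the advisory describes for names and values.
sub format_unchecked {
    my ($name, $value, $type) = @_;
    return "$name:$value|$type";
}

# Hypothetical helper: rejects names containing the characters the advisory
# lists (newline, colon, pipe) and values that are not plain decimal numbers.
sub format_checked {
    my ($name, $value, $type) = @_;
    die "bad metric name\n"
        if !defined $name || $name eq '' || $name =~ /[\n:|]/;
    die "bad metric value\n"
        if !defined $value || $value !~ /\A[+-]?(?:\d+(?:\.\d*)?|\.\d+)\z/;
    return "$name:$value|$type";
}

# Assumption: the receiver treats each newline-separated line as one metric.
sub metrics_in_payload {
    my ($payload) = @_;
    return grep { length } split /\n/, $payload;
}

# Constructed sample inputs: one clean metric, one with delimiters in the
# name, one with delimiters in the value.
my @samples = (
    [ 'web.requests.home',                 1,                     'c' ],
    [ "web.requests.x:1|c\nother.metric",  1,                     'c' ],
    [ 'web.queue.depth',                   "5|g\nother.metric:1", 'g' ],
);

for my $s (@samples) {
    my ($name, $value, $type) = @$s;
    my @seen    = metrics_in_payload(format_unchecked($name, $value, $type));
    my $checked = eval { format_checked($name, $value, $type) };
    my $err     = $@;
    chomp $err;
    printf "unchecked: %d metric(s); checked: %s\n",
        scalar(@seen),
        defined $checked ? "sent $checked" : "rejected ($err)";
}
```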

