https://bugzilla.redhat.com/show_bug.cgi?id=2476481

Michal Josef Spacek <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED



--- Comment #1 from Michal Josef Spacek <[email protected]> ---

6.83      2026-05-12 11:41:48Z
    - LWP::UserAgent now strips Authorization and Proxy-Authorization headers
      on cross-origin redirects (a different scheme, host, or port) to prevent
      credential leakage to the redirect target. Same-origin redirects retain
      credentials. Opt out with allow_credentialed_redirects => 1.
      CVE-2026-8368 reported by Kai Zen; PoC and initial patch by Stig
      Palmquist.
    - LWP::UserAgent now refuses https to http redirects by default to prevent
      leaking remaining request headers and bodies over plaintext. Opt in with
      allow_downgrade => 1. Related hardening alongside CVE-2026-8368; PoC by
      Stig Palmquist.


For Fedora Rawhide, F44 and F43
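
The redirect policy described in the 6.83 changelog entry above, as an added example (not LWP's own code and not the upstream patch). It is expressed as a `redirect_ok` override; the class name `My::HardenedUA`, the URLs and the token are constructed for illustration, and the sketch assumes `redirect_ok` receives the request that will actually be sent next.

```perl
package My::HardenedUA;    # hypothetical class name
use strict;
use warnings;
use parent 'LWP::UserAgent';

# Origin = scheme + host + port, the tuple the changelog entry names.
sub _origin {
    my ($uri) = @_;
    return '' unless $uri->can('host') && $uri->can('port');
    return join '|', lc($uri->scheme // ''), lc($uri->host // ''), $uri->port // '';
}

# LWP::UserAgent calls redirect_ok() with the prospective request and the
# redirect response; a false return value stops the redirect.
sub redirect_ok {
    my ($self, $next, $response) = @_;
    return 0 unless $self->SUPER::redirect_ok($next, $response);

    my $from = $response->request->uri;
    my $to   = $next->uri;

    # Refuse https -> http so remaining headers and bodies never go plaintext.
    return 0 if lc($from->scheme // '') eq 'https' && lc($to->scheme // '') eq 'http';

    # Cross-origin: drop credentials before the request leaves for the new target.
    $next->remove_header('Authorization', 'Proxy-Authorization')
        if _origin($from) ne _origin($to);
    return 1;
}

package main;
use HTTP::Request;
use HTTP::Response;

# Constructed sample redirects; nothing is sent over the network.
for my $case (
    ['https://api.example.test/v1', 'https://api.example.test/v2'],    # same origin
    ['https://api.example.test/v1', 'https://cdn.example.test/v1'],    # other host
    ['https://api.example.test/v1', 'https://api.example.test:8443/'], # other port
    ['https://api.example.test/v1', 'http://api.example.test/v1'],     # downgrade
) {
    my ($from, $to) = @$case;
    my $resp = HTTP::Response->new(302);
    $resp->request(HTTP::Request->new(GET => $from));
    my $next = HTTP::Request->new(GET => $to);
    $next->header(Authorization => 'Bearer constructed-token');
    my $ok = My::HardenedUA->new->redirect_ok($next, $resp);
    printf "%-32s follow=%d auth_kept=%d\n", $to, $ok,
        defined $next->header('Authorization') ? 1 : 0;
}
```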

