Your message dated Tue, 05 May 2026 14:50:04 +0000
with message-id <[email protected]>
and subject line Bug#1135229: fixed in starman 0.4018-1
has caused the Debian Bug report #1135229,
regarding starman: CVE-2026-40560
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1135229: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135229
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: starman
Version: 0.4017-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for starman.

CVE-2026-40560[0]:
| Starman versions before 0.4018 for Perl allow HTTP Request
| Smuggling via Improper Header Precedence.  Starman incorrectly
| prioritizes "Content-Length" over "Transfer-Encoding: chunked" when
| both headers are present in an HTTP request. Per RFC 7230 3.3.3,
| Transfer-Encoding must take precedence.  An attacker could exploit
| this to smuggle malicious HTTP requests via a front-end reverse
| proxy.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-40560
    https://www.cve.org/CVERecord?id=CVE-2026-40560
[1] https://lists.security.metacpan.org/cve-announce/msg/39426182/
[2] https://github.com/miyagawa/Starman/commit/ced205f0805027e9d9c0731f8c40b104220604ed

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
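The precedence rule at the centre of CVE-2026-40560, as an added Python example that is not Starman's code: a body-framing function following RFC 7230 §3.3.3 (Transfer-Encoding wins, with an optional strict mode that rejects a request carrying both headers, which the RFC permits) beside the pre-0.4018 ordering described in the CVE text, run over a constructed request head so the two framings can be compared. The request line, header values and the helper names are assumptions for the example.

```python
"""Body framing per RFC 7230 section 3.3.3 (added example, not Starman's code)."""
import re


class FramingError(ValueError):
    """Raised when the request's body framing is ambiguous or malformed."""


def parse_headers(raw: bytes) -> dict:
    """Parse a request head into a dict of lower-cased name -> list of values."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")[1:]  # drop the request line
    headers: dict = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def framing_rfc7230(headers: dict, strict: bool = False):
    """Return ("chunked", None) or ("length", n).

    Transfer-Encoding overrides Content-Length. With strict=True a request
    that carries both headers is rejected outright, which the RFC allows
    and which removes the front-end/back-end desync surface entirely.
    """
    te = headers.get("transfer-encoding")
    cl = headers.get("content-length")
    if te is not None:
        if strict and cl is not None:
            raise FramingError("both Transfer-Encoding and Content-Length present")
        if te[-1].split(",")[-1].strip().lower() != "chunked":
            raise FramingError("final Transfer-Encoding is not chunked")
        return ("chunked", None)
    if cl is not None:
        if len(set(cl)) != 1 or not re.fullmatch(r"[0-9]+", cl[0]):
            raise FramingError("invalid or conflicting Content-Length")
        return ("length", int(cl[0]))
    return ("length", 0)


def framing_legacy(headers: dict):
    """The pre-0.4018 ordering from the CVE text: Content-Length is consulted
    first, so a request carrying both headers is framed by Content-Length."""
    cl = headers.get("content-length")
    if cl is not None:
        return ("length", int(cl[0]))
    if headers.get("transfer-encoding"):
        return ("chunked", None)
    return ("length", 0)


# Constructed request head that carries both framing headers (example input).
AMBIGUOUS = (b"POST / HTTP/1.1\r\nHost: example.invalid\r\n"
             b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n")
```

A reverse proxy that frames by Transfer-Encoding and a backend that frames by Content-Length will disagree on where the request ends; the strict mode is the simplest way to make that disagreement impossible.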
--- Begin Message ---
Source: starman
Source-Version: 0.4018-1
Done: gregor herrmann <[email protected]>

We believe that the bug you reported is fixed in the latest version of
starman, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann <[email protected]> (supplier of updated starman package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 05 May 2026 16:26:26 +0200
Source: starman
Architecture: source
Version: 0.4018-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <[email protected]>
Changed-By: gregor herrmann <[email protected]>
Closes: 1135229
Changes:
 starman (0.4018-1) unstable; urgency=medium
 .
   * Team upload.
   * Import upstream version 0.4018.
     - Fix HTTP request smuggling: Transfer-Encoding now takes precedence
       over Content-Length per RFC 7230 §3.3.3 (CVE-2026-40560)
     Closes: #1135229
   * Declare compliance with Debian Policy 4.7.4.
   * Remove «Rules-Requires-Root: no», which is the current default.
   * Remove «Priority: optional», which is the current default.



--- End Message ---
