Your message dated Tue, 05 May 2026 15:18:49 +0000
with message-id <[email protected]>
and subject line Bug#1135584: fixed in starlet 0.31-3
has caused the Debian Bug report #1135584,
regarding starlet: CVE-2026-40561
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1135584: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135584
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: starlet
Version: 0.31-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for starlet.

CVE-2026-40561[0]:
| Starlet versions through 0.31 for Perl allows HTTP Request Smuggling
| via Improper Header Precedence.  Starlet incorrectly prioritizes
| "Content-Length" over "Transfer-Encoding: chunked" when both headers
| are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-
| Encoding must take precedence.  An attacker could exploit this to
| smuggle malicious HTTP requests via a front-end reverse proxy.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-40561
    https://www.cve.org/CVERecord?id=CVE-2026-40561
[1] https://lists.security.metacpan.org/cve-announce/msg/39593408/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: starlet
Source-Version: 0.31-3
Done: gregor herrmann <[email protected]>

We believe that the bug you reported is fixed in the latest version of
starlet, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann <[email protected]> (supplier of updated starlet package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 05 May 2026 16:54:18 +0200
Source: starlet
Architecture: source
Version: 0.31-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <[email protected]>
Changed-By: gregor herrmann <[email protected]>
Closes: 1135584
Changes:
 starlet (0.31-3) unstable; urgency=medium
 .
   * Team upload.
   * Add debian/upstream/metadata.
   * Add patch from upstream Git to prevent HTTP Smuggling.
     Fixes CVE-2026-40561. (Closes: #1135584)
   * Declare compliance with Debian Policy 4.7.4.
   * Remove «Priority: optional», which is the current default.
   * Annotate test-only build dependencies with <!nocheck>.
Git-Tag-Info: tag=a1945e655fd26ed4b4b759e91aa7f4e5ad08083d fp=d1e1316e93a760a8104d85fabb3a68018649aa06
Git-Tag-Tagger: gregor herrmann <[email protected]>

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----



--- End Message ---
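
The precedence rule from the CVE description quoted in the bug report, as an added example (not Starlet's code and not the upstream patch): a small Python framing function that applies either the RFC 7230 3.3.3 order or the Content-Length-first order to the same request and returns what each leaves unread on the connection. The function names, the `te_overrides` switch and the sample request are constructed for illustration.

```python
# Illustrative names; not Starlet's code.
# Constructed sample: one request that carries both framing headers.
SAMPLE = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
          b"Content-Length: 0\r\nTransfer-Encoding: chunked\r\n\r\n"
          b"5\r\nhello\r\n0\r\n\r\n")

def parse_head(raw):
    """Return ({lowercased name: [values]}, bytes after the header block)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, rest

def chunked_length(buf):
    """Bytes occupied on the wire by a chunked body, trailers included."""
    pos = 0
    while True:
        eol = buf.index(b"\r\n", pos)
        size = int(buf[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            break
        pos += size + 2  # chunk data plus its CRLF
    while True:  # optional trailer fields end at an empty line
        eol = buf.index(b"\r\n", pos)
        if eol == pos:
            return pos + 2
        pos = eol + 2

def frame(raw, te_overrides=True):
    """Return (body, leftover, ambiguous) for the first request in raw."""
    # te_overrides=True: RFC order. False: Content-Length checked first.
    headers, rest = parse_head(raw)
    te = b",".join(headers.get(b"transfer-encoding", [])).lower()
    cl = headers.get(b"content-length", [])
    chunked = te.split(b",")[-1].strip() == b"chunked"
    ambiguous = bool(te) and bool(cl)  # RFC: ought to be handled as an error
    if chunked and (te_overrides or not cl):
        n = chunked_length(rest)
    else:
        n = int(cl[0]) if cl else 0
    return rest[:n], rest[n:], ambiguous
```

With the RFC order the whole chunked body belongs to the first request and nothing is left over; with Content-Length first the same bytes stay in the buffer and would be read as the start of the next request. A server can answer 400 whenever `ambiguous` is true, which is the handling RFC 7230 3.3.3 suggests for such messages.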
