Your message dated Thu, 07 May 2026 09:47:06 +0000
with message-id <[email protected]>
and subject line Bug#1135584: fixed in starlet 0.31-2+deb13u1
has caused the Debian Bug report #1135584,
regarding starlet: CVE-2026-40561
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1135584: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135584
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: starlet
Version: 0.31-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for starlet.
CVE-2026-40561[0]:
| Starlet versions through 0.31 for Perl allows HTTP Request Smuggling
| via Improper Header Precedence. Starlet incorrectly prioritizes
| "Content-Length" over "Transfer-Encoding: chunked" when both headers
| are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-
| Encoding must take precedence. An attacker could exploit this to
| smuggle malicious HTTP requests via a front-end reverse proxy.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-40561
https://www.cve.org/CVERecord?id=CVE-2026-40561
[1] https://lists.security.metacpan.org/cve-announce/msg/39593408/
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: starlet
Source-Version: 0.31-2+deb13u1
Done: gregor herrmann <[email protected]>
We believe that the bug you reported is fixed in the latest version of
starlet, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
gregor herrmann <[email protected]> (supplier of updated starlet package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 06 May 2026 17:21:29 +0200
Source: starlet
Architecture: source
Version: 0.31-2+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian Perl Group <[email protected]>
Changed-By: gregor herrmann <[email protected]>
Closes: 1135584
Changes:
starlet (0.31-2+deb13u1) trixie; urgency=medium
.
* Add patch from upstream Git to prevent HTTP Smuggling.
Fixes CVE-2026-40561. (Closes: #1135584)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---