Your message dated Thu, 14 May 2026 16:04:36 +0000
with message-id <[email protected]>
and subject line Bug#1136449: fixed in libwww-perl 6.83-1
has caused the Debian Bug report #1136449,
regarding libwww-perl: CVE-2026-8368
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1136449: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136449
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libwww-perl
Version: 6.82-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libwww-perl.

CVE-2026-8368[0]:
| LWP::UserAgent versions before 6.83 for Perl leak Authorization and
| Proxy-Authorization headers on cross-origin redirects.  On a 3xx
| response, the redirect handler strips only Host and Cookie before
| issuing the follow-up request. Caller-supplied Authorization and
| Proxy-Authorization headers are sent unchanged to the redirect
| target, including across scheme, host, or port changes.  A redirect
| to an attacker controlled host therefore discloses the caller's
| credentials to that host.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-8368
    https://www.cve.org/CVERecord?id=CVE-2026-8368
[1] https://lists.security.metacpan.org/cve-announce/msg/39974665/
[2] https://github.com/libwww-perl/libwww-perl/pull/512
[3] https://github.com/libwww-perl/libwww-perl/pull/284

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libwww-perl
Source-Version: 6.83-1
Done: gregor herrmann <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libwww-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann <[email protected]> (supplier of updated libwww-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 14 May 2026 17:35:26 +0200
Source: libwww-perl
Architecture: source
Version: 6.83-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <[email protected]>
Changed-By: gregor herrmann <[email protected]>
Closes: 1136449
Changes:
 libwww-perl (6.83-1) unstable; urgency=medium
 .
   * Import upstream version 6.83.
     - LWP::UserAgent now strips Authorization and Proxy-Authorization headers
       on cross-origin redirects: CVE-2026-8368.
     Closes: #1136449

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
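
For callers that cannot yet move to 6.83, the behaviour described in the CVE text can be contained in a subclass. The sketch below is an added example, not the upstream patch or code from either message: it overrides LWP::UserAgent's `redirect_ok` hook and drops both headers whenever scheme, host or port changes. The class name `SafeRedirectUA`, the helper names, the URLs and the token are constructed for illustration.

```perl
use strict;
use warnings;

package SafeRedirectUA;    # hypothetical subclass name, not part of libwww-perl
use parent 'LWP::UserAgent';
use URI;

# Origin is scheme + host + port; canonical() lowercases scheme and host,
# and port() supplies the scheme default when none is written in the URL.
sub origin_of {
    my ($uri) = @_;
    my $u = URI->new("$uri")->canonical;
    return undef unless $u->can('host') && defined $u->host;
    return join '|', $u->scheme, $u->host, $u->port;
}

sub same_origin {
    my ($x, $y) = (origin_of($_[0]), origin_of($_[1]));
    return defined $x && defined $y && $x eq $y;
}

# Called by LWP::UserAgent before it follows a redirect; the prospective
# request is the object that will actually be sent, so edits here stick.
sub redirect_ok {
    my ($self, $prospective, $response) = @_;
    return 0 unless $self->SUPER::redirect_ok($prospective, $response);
    unless (same_origin($response->request->uri, $prospective->uri)) {
        $prospective->remove_header('Authorization', 'Proxy-Authorization');
    }
    return 1;
}

package main;
use HTTP::Request;
use HTTP::Response;

# Constructed sample data: no network traffic, redirect_ok is called directly.
my $ua   = SafeRedirectUA->new;
my $orig = HTTP::Request->new(GET => 'https://api.example.test/v1',
                              [Authorization => 'Bearer CONSTRUCTED-TOKEN']);
my $resp = HTTP::Response->new(302);
$resp->request($orig);

for my $target ('https://api.example.test/v2', 'http://api.example.test/v2',
                'https://api.example.test:8443/', 'https://other.example.test/') {
    my $next = $orig->clone;
    $next->uri($target);
    $ua->redirect_ok($next, $resp);
    printf "%-32s Authorization %s\n", $target,
        defined $next->header('Authorization') ? 'kept' : 'stripped';
}
```

Only the first target shares the origin of the original request, so it is the only one that keeps the header; the scheme downgrade, the port change and the host change each lose it.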
