Your message dated Wed, 27 May 2026 18:08:18 +0000
with message-id <[email protected]>
and subject line Bug#1138050: fixed in libhttp-daemon-perl 6.17-1
has caused the Debian Bug report #1138050,
regarding libhttp-daemon-perl: CVE-2026-8450
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1138050: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138050
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libhttp-daemon-perl
Version: 6.16-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/libwww-perl/HTTP-Daemon/pull/89
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libhttp-daemon-perl.

CVE-2026-8450[0]:
| HTTP::Daemon versions before 6.17 for Perl allow OS command
| injection via send_file().  send_file() opens its string argument
| with Perl's 2-arg open(). The 2-arg form interprets magic prefixes:
| '| cmd' and 'cmd |' open a pipe to a subprocess, '> path' and '>>
| path' open the path for write or append.  Untrusted input passed to
| send_file() can run OS commands at the daemon process UID. The
| read-pipe form ('cmd |') also leaks subprocess stdout into the HTTP
| response body. The write-mode forms can create or truncate files at
| attacker-chosen paths.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-8450
    https://www.cve.org/CVERecord?id=CVE-2026-8450
[1] https://github.com/libwww-perl/HTTP-Daemon/pull/89
[2] https://lists.security.metacpan.org/cve-announce/msg/40435207/
[3] https://github.com/libwww-perl/HTTP-Daemon/commit/945d35141d94490f749640bd4390acd6a2193995

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libhttp-daemon-perl
Source-Version: 6.17-1
Done: gregor herrmann <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libhttp-daemon-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann <[email protected]> (supplier of updated libhttp-daemon-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 27 May 2026 19:23:34 +0200
Source: libhttp-daemon-perl
Architecture: source
Version: 6.17-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <[email protected]>
Changed-By: gregor herrmann <[email protected]>
Closes: 1138050
Changes:
 libhttp-daemon-perl (6.17-1) unstable; urgency=medium
 .
   * Import upstream version 6.17.
    - Fix CVE-2026-8450: 2-arg open() in send_file() enabled RCE / arbitrary
      file write / response-body exfiltration when a string argument was
      derived from attacker-influenced input. send_file() now uses 3-arg
      open() with an explicit '<' read mode, so the path is always treated as a
      literal filename and 2-arg open() shell-magic shapes ('| cmd', 'cmd |',
      '> path', etc.) are no longer interpreted.
    Closes: #1138050
   * Update years of upstream copyright.
   * Update Upstream-Contact in debian/copyright.
   * Declare compliance with Debian Policy 4.7.4.
   * Remove «Rules-Requires-Root: no», which is the current default.
   * Remove «Priority: optional», which is the current default.
Checksums-Sha1:
 c8bd772d05d70f4ecc85d3340534d389eb0c61eb 2676 libhttp-daemon-perl_6.17-1.dsc
 f3acef84c37f0f22de951f425dc034c96c2c8446 48657 libhttp-daemon-perl_6.17.orig.tar.gz
 250b4e6451725976be3ffc002b3ed21baaccb06b 3692 libhttp-daemon-perl_6.17-1.debian.tar.xz
Checksums-Sha256:
 141f1dbc3bfb89a26f613c28de97765785a92c486dc904b3a2c8c56e1278ff13 2676 libhttp-daemon-perl_6.17-1.dsc
 16281580c40e23108d028434698b5d7d53637bf904c9df822481e253cbec920c 48657 libhttp-daemon-perl_6.17.orig.tar.gz
 b8ab423f4ab3efe68770a162ac45e668ed00e62f9d3debb0b8a4d6822a1e5520 3692 libhttp-daemon-perl_6.17-1.debian.tar.xz
Files:
 ef8e7757201df0982ad5acae38cc29e0 2676 perl optional libhttp-daemon-perl_6.17-1.dsc
 14f98fd61159ec4740a21781b787944e 48657 perl optional libhttp-daemon-perl_6.17.orig.tar.gz
 5a5598dd80328c932df8d93ecd1cce56 3692 perl optional libhttp-daemon-perl_6.17-1.debian.tar.xz

--- End Message ---
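The defect and the fix described in the CVE text and in the changelog entry above, as an added example that is not HTTP::Daemon's own code nor the upstream commit: on a temporary directory the script creates for itself, it shows that a 2-arg open() on a string shaped like '> path' writes a file instead of reading one, that the 3-arg open() with an explicit '<' mode treats the identical string as a literal filename (open fails, nothing is created), and a hardened serving helper that pairs the 3-arg form with a document-root check. The subroutine names two_arg_open_creates_file, three_arg_read_is_literal and safe_send_file are hypothetical.

```perl
#!/usr/bin/perl
# Added example (not HTTP::Daemon code): 2-arg open() magic vs. 3-arg open().
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# The defect: a 2-arg open() parses its single argument for mode characters,
# so "> <target>" opens <target> for WRITING rather than reading a file whose
# name begins with "> ". Returns 1 if a file was created where none existed.
sub two_arg_open_creates_file {
    my ($target) = @_;
    my $name = "> $target";            # constructed "magic" filename shape
    open(my $fh, $name) or return 0;   # 2-arg form: leading '>' becomes the mode
    close $fh;
    return -e $target ? 1 : 0;
}

# The fixed shape (what 6.17 switched to): 3-arg open() with an explicit '<'
# mode. The same string is now a literal filename; no such file exists, so the
# open fails and nothing is written or executed. Returns 1 on that outcome.
sub three_arg_read_is_literal {
    my ($target) = @_;
    my $name = "> $target";
    my $ok = open(my $fh, '<', $name);
    close $fh if $ok;
    return (!$ok && !-e $target) ? 1 : 0;
}

# Hardened serving helper (hypothetical): 3-arg read-only open, plus a
# document-root confinement so callers cannot escape $root. Returns
# ($body, undef) on success or (undef, $error) on failure.
sub safe_send_file {
    my ($root, $name) = @_;
    return (undef, 'rejected: unsafe name')
        if $name !~ m{\A[\w.\-/]+\z}          # only plain path characters
        || $name =~ m{\A/}                     # no absolute paths
        || $name =~ m{(?:\A|/)\.\.(?:/|\z)};   # no parent-directory components
    my $path = File::Spec->catfile($root, $name);
    open(my $fh, '<', $path) or return (undef, "open failed: $!");
    binmode $fh;
    local $/;                                  # slurp the whole file
    my $body = <$fh>;
    close $fh;
    return ($body, undef);
}

# Self-check on a constructed temporary directory (removed on exit).
my $dir    = tempdir(CLEANUP => 1);
my $victim = File::Spec->catfile($dir, 'created-by-2arg-open.txt');
printf "2-arg open wrote a file: %s\n",
    two_arg_open_creates_file($victim) ? 'yes' : 'no';
unlink $victim;
printf "3-arg open treated the name literally: %s\n",
    three_arg_read_is_literal($victim) ? 'yes' : 'no';

# Populate a document root and serve from it.
my $doc = File::Spec->catfile($dir, 'index.html');
open(my $w, '>', $doc) or die "cannot create $doc: $!";
print $w "<h1>ok</h1>\n";
close $w;
my ($body, $err) = safe_send_file($dir, 'index.html');
print defined $body ? "served: $body" : "error: $err\n";
($body, $err) = safe_send_file($dir, '> owned.txt');
print defined $body ? "served: $body" : "error: $err\n";
```

The first two subroutines reproduce only the write-mode shape from the CVE text, against a file inside the script's own temporary directory; the same literal-versus-magic distinction is what neutralises the pipe shapes as well. For a daemon that serves user-influenced names, the 3-arg open is the necessary fix and the root confinement in safe_send_file is the additional check worth adding.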