Hi Salvatore, thanks for your report.
On Sun, 4 Jun 2023 at 21:13:04 +02:00:00, Salvatore Bonaccorso
<car...@debian.org> wrote:
> The following vulnerability was published for cpp-httplib.
> CVE-2023-26130[0]:
> | Versions of the package yhirose/cpp-httplib before 0.12.4 are
> | vulnerable to CRLF Injection when untrusted user input is used to set
> | the content-type header in the HTTP .Patch, .Post, .Put and .Delete
> | requests. This can lead to logical errors and other misbehaviors.
> | **Note:** This issue is present due to an incomplete fix for
> | [CVE-2020-11709](https://security.snyk.io/vuln/SNYK-UNMANAGED-YHIROSECPPHTTPLIB-2366507).
> The related CVE-2020-11709 was fixed before the initial upload to
> Debian.
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
Fixing this in stable shouldn't be hard, but since I've little
experience in backporting security fixes to stable I'm not sure how I
should act. Should I simply push the updated package to
bookworm-security? I'm only a Debian Maintainer, can I still do it? If
not, could you please sponsor my upload?
Thanks again :D
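To make the header-injection class in the quoted advisory concrete, here is an added C++ example; it is neither cpp-httplib's code nor its actual fix for CVE-2023-26130. It shows a field-value check that rejects CR, LF and NUL, a naive serializer beside a checked one, and a line counter demonstrating that an unvalidated content-type value produces an extra header line. All function names and the sample request are constructed assumptions.

```cpp
// Added example (not cpp-httplib code): defensive header-value validation.
#include <string>
#include <vector>
#include <utility>
#include <stdexcept>

using Headers = std::vector<std::pair<std::string, std::string>>;

// HTTP field values may not contain CR, LF or NUL; any of them would let a
// caller-supplied value terminate the current header line early.
bool is_safe_header_value(const std::string &value) {
    for (unsigned char c : value) {
        if (c == '\r' || c == '\n' || c == '\0') return false;
    }
    return true;
}

// Naive serializer: writes values verbatim (the behaviour the advisory
// describes for an untrusted content-type value).
std::string serialize_unchecked(const Headers &headers) {
    std::string out;
    for (const auto &h : headers) out += h.first + ": " + h.second + "\r\n";
    return out + "\r\n";
}

// Hardened serializer: refuses to emit a request containing an unsafe value.
std::string serialize_checked(const Headers &headers) {
    for (const auto &h : headers) {
        if (!is_safe_header_value(h.second))
            throw std::invalid_argument("CR/LF in header value: " + h.first);
    }
    return serialize_unchecked(headers);
}

// Counts the header lines a receiving parser would see in a serialized block.
size_t count_header_lines(const std::string &block) {
    size_t n = 0, pos = 0;
    for (size_t end = block.find("\r\n", pos);
         end != std::string::npos && end != pos;
         end = block.find("\r\n", pos)) {
        ++n;
        pos = end + 2;
    }
    return n;
}

// Constructed sample: a content-type value carrying an injected header line.
const Headers kInjectedRequest = {
    {"Host", "example.test"},
    {"Content-Type", "text/plain\r\nX-Injected: 1"}};

// True when the hardened serializer rejects the request.
bool hardened_rejects(const Headers &headers) {
    try { serialize_checked(headers); return false; }
    catch (const std::invalid_argument &) { return true; }
}
```

With the naive serializer the two-header sample becomes three header lines on the wire; the checked serializer refuses it instead.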