Debian Package Tracker
Register | Log in
Subscribe

libhttp-tiny-perl

Perl module that implements a small, simple, correct HTTP/1.1 client

Choose email to subscribe with

general
  • source: libhttp-tiny-perl (main)
  • version: 0.096-1
  • maintainer: Debian Perl Group (archive) (DMD) (LowNMU)
  • uploaders: gregor herrmann [DMD] – Nick Morrott [DMD]
  • arch: all
  • std-ver: 4.7.4
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • oldstable: 0.082-2
  • stable: 0.090-1
  • testing: 0.096-1
  • unstable: 0.096-1
versioned links
  • 0.082-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 0.090-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 0.096-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • libhttp-tiny-perl
action needed
Debci reports failed tests high
  • unstable: pass (log)
    The tests ran in 0:02:07
    Last run: 2026-06-08T04:57:10.000Z
    Previous status: unknown

  • testing: fail (log)
    The tests ran in 0:02:10
    Last run: 2026-06-14T16:49:41.000Z
    Previous status: unknown

  • stable: pass (log)
    The tests ran in 0:01:15
    Last run: 2025-11-09T09:16:04.000Z
    Previous status: unknown

Created: 2026-06-14 Last update: 2026-07-16 01:03
2 security issues in bookworm high

There are 2 open security issues in bookworm.

1 important issue:
  • CVE-2026-7017: HTTP::Tiny versions before 0.095 for Perl forward credential headers to cross-origin redirect targets. When the server returns a 3xx redirect, `_maybe_redirect` follows the `Location:` header and `_prepare_headers_and_cb` re-merges the caller's `headers` argument into the new request, without checking whether the redirect target shares an origin with the original URL. Caller-supplied `Authorization`, `Cookie` and `Proxy-Authorization` headers are therefore re-sent to whatever host the redirect names, across scheme, host or port boundaries, and including `https` to `http` downgrades that expose them in plaintext on the wire. The HTTP::Tiny POD note that "Authorization headers will not be included in a redirected request" applied only to the URL-userinfo Basic-auth path, not to headers passed explicitly by the caller.
1 issue left for the package maintainer to handle:
  • CVE-2026-7010: (needs triaging) HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values. The unvalidated inputs are the method and URI in the request line, the URL host that becomes the `Host:` header, and HTTP/1.1 control data field values. An attacker who controls one of these inputs, for example a user supplied URL passed to a webhook or URL fetch endpoint, can inject additional headers and smuggle requests to the upstream server.

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-05-12 Last update: 2026-07-11 04:32
2 low-priority security issues in trixie low

There are 2 open security issues in trixie.

2 issues left for the package maintainer to handle:
  • CVE-2026-7010: (needs triaging) HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values. The unvalidated inputs are the method and URI in the request line, the URL host that becomes the `Host:` header, and HTTP/1.1 control data field values. An attacker who controls one of these inputs, for example a user supplied URL passed to a webhook or URL fetch endpoint, can inject additional headers and smuggle requests to the upstream server.
  • CVE-2026-7017: (needs triaging) HTTP::Tiny versions before 0.095 for Perl forward credential headers to cross-origin redirect targets. When the server returns a 3xx redirect, `_maybe_redirect` follows the `Location:` header and `_prepare_headers_and_cb` re-merges the caller's `headers` argument into the new request, without checking whether the redirect target shares an origin with the original URL. Caller-supplied `Authorization`, `Cookie` and `Proxy-Authorization` headers are therefore re-sent to whatever host the redirect names, across scheme, host or port boundaries, and including `https` to `http` downgrades that expose them in plaintext on the wire. The HTTP::Tiny POD note that "Authorization headers will not be included in a redirected request" applied only to the URL-userinfo Basic-auth path, not to headers passed explicitly by the caller.

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-05-12 Last update: 2026-07-11 04:32
news
[rss feed]
  • [2026-07-11] libhttp-tiny-perl 0.096-1 MIGRATED to testing (Debian testing watch)
  • [2026-07-08] Accepted libhttp-tiny-perl 0.096-1 (source) into unstable (gregor herrmann)
  • [2026-06-18] libhttp-tiny-perl 0.092-3 MIGRATED to testing (Debian testing watch)
  • [2026-06-15] Accepted libhttp-tiny-perl 0.092-3 (source) into unstable (gregor herrmann)
  • [2026-05-21] libhttp-tiny-perl 0.092-2 MIGRATED to testing (Debian testing watch)
  • [2026-05-12] Accepted libhttp-tiny-perl 0.092-2 (source) into unstable (Salvatore Bonaccorso)
  • [2026-01-03] libhttp-tiny-perl 0.092-1 MIGRATED to testing (Debian testing watch)
  • [2026-01-01] Accepted libhttp-tiny-perl 0.092-1 (source) into unstable (gregor herrmann)
  • [2024-11-17] libhttp-tiny-perl 0.090-1 MIGRATED to testing (Debian testing watch)
  • [2024-11-15] Accepted libhttp-tiny-perl 0.090-1 (source) into unstable (gregor herrmann)
  • [2024-01-17] libhttp-tiny-perl 0.088-1 MIGRATED to testing (Debian testing watch)
  • [2024-01-13] Accepted libhttp-tiny-perl 0.088-1 (source) into unstable (gregor herrmann)
  • [2022-10-18] libhttp-tiny-perl 0.082-2 MIGRATED to testing (Debian testing watch)
  • [2022-10-15] Accepted libhttp-tiny-perl 0.082-2 (source) into unstable (Jelmer Vernooij) (signed by: Jelmer Vernooij)
  • [2022-07-30] libhttp-tiny-perl 0.082-1 MIGRATED to testing (Debian testing watch)
  • [2022-07-27] Accepted libhttp-tiny-perl 0.082-1 (source) into unstable (gregor herrmann)
  • [2021-11-28] Accepted libhttp-tiny-perl 0.080-1 (source) into unstable (Florian Schlichting)
  • [2020-12-18] libhttp-tiny-perl REMOVED from testing (Debian testing watch)
  • [2018-08-11] libhttp-tiny-perl 0.076-1 MIGRATED to testing (Debian testing watch)
  • [2018-08-09] Accepted libhttp-tiny-perl 0.076-1 (source) into unstable (gregor herrmann)
  • [2018-08-08] libhttp-tiny-perl 0.074-1 MIGRATED to testing (Debian testing watch)
  • [2018-08-05] Accepted libhttp-tiny-perl 0.074-1 (source) into unstable (gregor herrmann)
  • [2016-11-04] libhttp-tiny-perl 0.070-1 MIGRATED to testing (Debian testing watch)
  • [2016-10-29] Accepted libhttp-tiny-perl 0.070-1 (source) into unstable (gregor herrmann)
  • [2016-09-04] libhttp-tiny-perl 0.064-1 MIGRATED to testing (Debian testing watch)
  • [2016-08-29] Accepted libhttp-tiny-perl 0.064-1 (source) into unstable (gregor herrmann)
  • [2016-07-31] libhttp-tiny-perl 0.058-1 MIGRATED to testing (Debian testing watch)
  • [2016-07-25] Accepted libhttp-tiny-perl 0.058-1 (source all) into unstable (Nick Morrott) (signed by: Lucas Kanashiro)
  • [2015-06-21] libhttp-tiny-perl 0.056-1 MIGRATED to testing (Britney)
  • [2015-06-12] Accepted libhttp-tiny-perl 0.056-1 (source all) into unstable (Damyan Ivanov)
  • 1
  • 2
bugs [bug history graph]
  • all: 0
links
  • homepage
  • lintian
  • buildd: logs, reproducibility
  • popcon
  • browse source code
  • other distros
  • security tracker
  • debian patches
  • debci
ubuntu Ubuntu logo [Information about Ubuntu for Debian Developers]
  • version: 0.096-1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.
Documentation — Bugs — Git Repository — Contributing