-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 27 May 2026 19:23:34 +0200
Source: libhttp-daemon-perl
Architecture: source
Version: 6.17-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: gregor herrmann <gregoa@debian.org>
Closes: 1138050
Changes:
 libhttp-daemon-perl (6.17-1) unstable; urgency=medium
 .
   * Import upstream version 6.17.
     - Fix CVE-2026-8450: 2-arg open() in send_file() enabled RCE /
       arbitrary file write / response-body exfiltration when a string
       argument was derived from attacker-influenced input.
       send_file() now uses 3-arg open() with an explicit '<' read mode,
       so the path is always treated as a literal filename and 2-arg
       open() shell-magic shapes ('| cmd', 'cmd |', '> path', etc.) are
       no longer interpreted.
       Closes: #1138050
   * Update years of upstream copyright.
   * Update Upstream-Contact in debian/copyright.
   * Declare compliance with Debian Policy 4.7.4.
   * Remove «Rules-Requires-Root: no», which is the current default.
   * Remove «Priority: optional», which is the current default.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
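The difference the changelog entry describes, as an added example that is not part of the upload announcement and is not HTTP::Daemon's own code: a stand-alone Perl script that passes the same strings to the legacy 2-arg open() and to 3-arg open() with an explicit '<' mode. The input strings, the helper name `try_open` and the temp-file names are constructed for illustration, and a POSIX shell with `echo` and `cat` is assumed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Scratch directory so any side effect is confined and easy to observe.
my $dir = tempdir(CLEANUP => 1);

# Constructed inputs in the shapes the changelog lists; the commands are harmless.
my @inputs = (
    "echo from-pipe |",           # 'cmd |'
    "| cat > $dir/piped.txt",     # '| cmd'
    "> $dir/created.txt",         # '> path'
);

# Hypothetical helper: open $path with the given form and report the outcome.
sub try_open {
    my ($form, $path) = @_;
    my $fh;
    my $ok = $form eq '3-arg'
        ? open($fh, '<', $path)   # mode fixed to read; $path is a literal filename
        : open($fh, $path);       # legacy form: mode and pipes parsed out of $path
    my $result = $ok ? 'opened' : "failed: $!";
    close $fh if $ok;
    return $result;
}

# Run the hardened form first, then the legacy form, and list what each
# pass left behind in the scratch directory.
for my $form ('3-arg', '2-arg') {
    print "$form open():\n";
    printf "  %-40s %s\n", "'$_'", try_open($form, $_) for @inputs;
    my @made = map { s{.*/}{}r } glob("$dir/*");
    printf "  files created in temp dir: %s\n\n", @made ? "@made" : 'none';
}
```

The 3-arg pass looks each string up as a literal filename, so every open fails and the directory stays empty; the 2-arg pass interprets the leading or trailing characters as a mode or pipe, which is what leaves the files behind.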