Debian Package Tracker

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: <debian-devel-changes@lists.debian.org>
Subject: Accepted perl 5.40.1-8 (source) into unstable
Date: Sat, 06 Jun 2026 17:33:51 +0000
Signed by: Niko Tyni <ntyni@debian.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA384

Format: 1.8
Date: Sat, 06 Jun 2026 17:22:29 +0300
Source: perl
Architecture: source
Version: 5.40.1-8
Distribution: unstable
Urgency: medium
Maintainer: Niko Tyni <ntyni@debian.org>
Changed-By: Niko Tyni <ntyni@debian.org>
Closes: 1137345 1138854 1138855 1138856 1138858 1138863 1138905 1138906
Changes:
 perl (5.40.1-8) unstable; urgency=medium
 .
   * [SECURITY] backport various fixes from upstream:
     + CVE-2025-15649: header parsing in IO::Uncompress::Unzip.
         (Closes: #1138863)
     + CVE-2026-7010:  CRLF-validation in HTTP::Tiny.
         (Closes: #1138858)
     + CVE-2026-8376:  Buffer overflow in Perl_study_chunk.
         (Closes: #1137345)
     + CVE-2026-48959: CPU exhaustion in IO::Uncompress::Unzip.
         (Closes: #1138856)
     + CVE-2026-48961: crash in zipdetails.
         (Closes: #1138855)
     + CVE-2026-48962: code execution in IO-Compress via output globs.
         (Closes: #1138854)
     + buffer overflows in pack().
         (Closes: #1138905)
     + buffer overflow in Storable.
         (Closes: #1138906)
Checksums-Sha1:
 feff9b43463d196f6744b2f51ab3094537900678 2372 perl_5.40.1-8.dsc
 a275dffed86a0d9a43dc87b7ffec3a03b8aab38d 179088 perl_5.40.1-8.debian.tar.xz
 efc987732ec29a37204e0cc26d43d761be2671d3 5338 perl_5.40.1-8_source.buildinfo
Checksums-Sha256:
 0df3684ddbed6c62651b8f682df33d2af54d47ee238958f30fa26ac066ee88d5 2372 perl_5.40.1-8.dsc
 621e16fec9e822ec835071aa3665ebd329142bcd270b86a6f9bb04cb94a1de08 179088 perl_5.40.1-8.debian.tar.xz
 bbf2de68263b588b9b82209e60f9ed9704f7021ffa9b08fab2da43f9c9485b93 5338 perl_5.40.1-8_source.buildinfo
Files:
 d9d1456beca9bb3f5535b82405708bfe 2372 perl standard perl_5.40.1-8.dsc
 46569b65055e962347a20985b9ec245a 179088 perl standard perl_5.40.1-8.debian.tar.xz
 ffcf467b4231949b678af8c4ae3651e3 5338 perl standard perl_5.40.1-8_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iKcEARMJAC8WIQTuZv2Xfg2x/uVxefeK/rNkDrE5sgUCaiRB+hEcbnR5bmlAZGVi
aWFuLm9yZwAKCRCK/rNkDrE5st5SAX9cPTfxh8ivQ7d4IBnal//ySr/1+zI8TyyB
J09rCB4SqkDM74u0tZtsSeIXuILCJ5UBgKav4TN0s0BVQ/Kv78fVzoAvLfYtm7dn
nojCgyWR8Nw+dYy5Gg04H/JmVY8GWBMzpA==
=Vizr
-----END PGP SIGNATURE-----

News for package perl