Debian Package Tracker

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: <debian-devel-changes@lists.debian.org> , <debian-experimental-changes@lists.debian.org>
Subject: Accepted perl 5.42.2-2 (source) into experimental
Date: Sat, 06 Jun 2026 17:33:58 +0000
Signed by: Niko Tyni <ntyni@debian.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA384

Format: 1.8
Date: Sat, 06 Jun 2026 18:02:30 +0300
Source: perl
Architecture: source
Version: 5.42.2-2
Distribution: experimental
Urgency: medium
Maintainer: Niko Tyni <ntyni@debian.org>
Changed-By: Niko Tyni <ntyni@debian.org>
Closes: 1137345 1138854 1138855 1138856 1138858 1138863 1138905 1138906
Changes:
 perl (5.42.2-2) experimental; urgency=medium
 .
   * [SECURITY] backport various fixes from upstream:
     + CVE-2025-15649: header parsing in IO::Uncompress::Unzip.
         (Closes: #1138863)
     + CVE-2026-7010:  CRLF-validation in HTTP::Tiny.
         (Closes: #1138858)
     + CVE-2026-8376:  Buffer overflow in Perl_study_chunk.
         (Closes: #1137345)
     + CVE-2026-48959: CPU exhaustion in IO::Uncompress::Unzip.
         (Closes: #1138856)
     + CVE-2026-48961: crash in zipdetails.
         (Closes: #1138855)
     + CVE-2026-48962: code execution in IO-Compress via output globs.
         (Closes: #1138854)
     + buffer overflows in pack().
         (Closes: #1138905)
     + buffer overflow in Storable.
         (Closes: #1138906)
Checksums-Sha1:
 fac7a2aa4e40bb502f1d0ce479f05bb76f4e7fe1 2372 perl_5.42.2-2.dsc
 9060d73f124395f973a8cfe3d6e412fbb93217ce 175608 perl_5.42.2-2.debian.tar.xz
 9cea33e3faf2aceb567e9db40aa4fff67e9264ad 5338 perl_5.42.2-2_source.buildinfo
Checksums-Sha256:
 e33c40124c7932ccebc7343c768e74347545dabf04b48a7b94a3b8d1a829a15c 2372 perl_5.42.2-2.dsc
 03dc1d547aa8271832042b2a66b8c71a72035c28ca736166fd27dc6d2aaa8afb 175608 perl_5.42.2-2.debian.tar.xz
 1b9c3872189b57ee52820e2d497dd8e99fdfb243e03a872f0013322a801380b2 5338 perl_5.42.2-2_source.buildinfo
Files:
 13b7988bfedecc286305774e1817e7d0 2372 perl standard perl_5.42.2-2.dsc
 0a7ad2361cdc8b893dbcad3628bcd09f 175608 perl standard perl_5.42.2-2.debian.tar.xz
 8ed1e5c781a84858dfb01c5d963d86a3 5338 perl standard perl_5.42.2-2_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iKcEARMJAC8WIQTuZv2Xfg2x/uVxefeK/rNkDrE5sgUCaiRCvBEcbnR5bmlAZGVi
aWFuLm9yZwAKCRCK/rNkDrE5soOOAXoDqPuy2hIDNgbVMnotKgfi7tU1TjmeDkEC
OfUCv1UOU/zgnn4mqFkVY0EtjSc74iUBf3LHLX7Tab7loNX6UtKcvkCmoY1uXvWf
a7YWnv6aOXsw9oPetRDgHQcOE9AHI6Mz8w==
=YN5x
-----END PGP SIGNATURE-----

News for package perl