Package: perl
Version: 5.40.1-6
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], [email protected]
Forwarded: https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/commit/d73c7651e82ace02693842df55928b6c3ae7c38d
Control: found -1 5.32.1-4
Control: found -1 5.36.0-1
Control: found -1 5.42.2-1

The following vulnerability was published[0] for HTTP-Tiny:

  CVE ID:  CVE-2026-7010
  Distribution:  HTTP-Tiny
  Versions:  before 0.093

  MetaCPAN:  https://metacpan.org/dist/HTTP-Tiny
  VCS Repo:  https://github.com/Perl-Toolchain-Gang/HTTP-Tiny

  HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP
  request lines or control field header values.
  
  The unvalidated inputs are the method and URI in the request line, the
  URL host that becomes the `Host:` header, and HTTP/1.1 control data
  field values.
  
  An attacker who controls one of these inputs, for example a user
  supplied URL passed to a webhook or URL fetch endpoint, can inject
  additional headers and smuggle requests to the upstream server.

This CPAN module is shipped in both libhttp-tiny-perl and perl. The
libhttp-tiny-perl package was already fixed for sid + forky in version
0.092-2. The issue is marked as no-dsa in the security tracker [1].

Copying the libhttp-tiny-perl maintainers, and Salvatore for his security
hat. I suppose we can manage without a separate libhttp-tiny-perl bug
at this point, but feel free to clone one if it helps.

[0] https://lists.security.metacpan.org/cve-announce/msg/39952806/

[1] https://security-tracker.debian.org/tracker/CVE-2026-7010

-- 
Niko Tyni       [email protected]
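As an added defender-side illustration of the check the advisory describes (not code from HTTP::Tiny, the upstream commit, or this bug report): a Perl helper that refuses to serialise a request whose method, URI, host or header values contain CR, LF or other control characters. Function names and the sample inputs are constructed for the example; in HTTP::Tiny the host is taken from the parsed URL, so the same rule applies to that derived value.

```perl
#!/usr/bin/perl
# Added example, not HTTP::Tiny's own code. Rejects CR/LF and other control
# characters in request-line parts and header values before they are joined
# into an HTTP/1.1 request head. Helper names are hypothetical.
use strict;
use warnings;

# Header values may contain horizontal tab but no other control characters
# (RFC 9110 field-value grammar); the request line and Host allow none at all.
sub has_bad_control {
    my ($value, $allow_tab) = @_;
    return 1 unless defined $value;
    my $re = $allow_tab ? qr/[\x00-\x08\x0A-\x1F\x7F]/ : qr/[\x00-\x1F\x7F]/;
    return $value =~ $re ? 1 : 0;
}

# Build the request head, dying on unsafe input instead of emitting it.
sub build_request_head {
    my ($method, $uri, $host, $headers) = @_;
    for my $part ([method => $method], [uri => $uri], [host => $host]) {
        my ($name, $value) = @$part;
        die "Invalid $name: contains control characters\n"
            if has_bad_control($value, 0);
    }
    my @lines = ("$method $uri HTTP/1.1", "Host: $host");
    for my $name (sort keys %$headers) {
        my $value = $headers->{$name};
        # Field names must be RFC 9110 tokens; no whitespace or separators.
        die "Invalid header name '$name'\n"
            if $name !~ /\A[!#\$%&'*+.^_`|~0-9A-Za-z-]+\z/;
        die "Invalid value for header '$name': contains control characters\n"
            if has_bad_control($value, 1);
        push @lines, "$name: $value";
    }
    return join("\r\n", @lines) . "\r\n\r\n";
}

# Constructed inputs: a clean request, then a host value carrying an embedded
# CRLF of the kind a user-supplied webhook URL could introduce.
print build_request_head('GET', '/webhook', 'example.com',
                         { 'User-Agent' => 'demo/1.0' });

my $tainted_host = "example.com\r\n";    # constructed; must be rejected
eval { build_request_head('GET', '/webhook', $tainted_host, {}) };
print "rejected: $@" if $@;
```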