Source: libhttp-tiny-perl Version: 0.092-3 Severity: important Tags: security upstream Forwarded: https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/pull/36 X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]> Control: clone -1 -2 Control: reassign -2 src:perl 5.40.1-8
Hi, The following vulnerability was published for libhttp-tiny-perl. CVE-2026-7017[0]: | HTTP::Tiny versions before 0.095 for Perl forward credential headers | to cross-origin redirect targets. When the server returns a 3xx | redirect, `_maybe_redirect` follows the `Location:` header and | `_prepare_headers_and_cb` re-merges the caller's `headers` argument | into the new request, without checking whether the redirect target | shares an origin with the original URL. Caller-supplied | `Authorization`, `Cookie` and `Proxy-Authorization` headers are | therefore re-sent to whatever host the redirect names, across | scheme, host or port boundaries, and including `https` to `http` | downgrades that expose them in plaintext on the wire. The | HTTP::Tiny POD note that "Authorization headers will not be included | in a redirected request" applied only to the URL-userinfo Basic-auth | path, not to headers passed explicitly by the caller. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-7017 https://www.cve.org/CVERecord?id=CVE-2026-7017 [1] https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/pull/36 [2] https://lists.security.metacpan.org/cve-announce/msg/41618211/ Please adjust the affected versions in the BTS as needed. Regards, Salvatore

