Fedora Account System
Red Hat Associate
Red Hat Customer
Releases retrieved: 6.17 Upstream release that is considered latest: 6.17 Current version/release in rawhide: 6.16-8.fc44 URL: http://search.cpan.org/dist/HTTP-Daemon/ Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ More information about the service that created this bug can be found at: https://docs.fedoraproject.org/en-US/package-maintainers/Upstream_Release_Monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from Anitya: https://release-monitoring.org/project/2975/ To change the monitoring settings for the project, please visit: https://src.fedoraproject.org/rpms/perl-HTTP-Daemon
Changes: 6.17 2026-05-19 23:11:06Z - Fix CVE-2026-8450 (affects 6.15 and earlier): 2-arg open() in send_file() enabled RCE / arbitrary file write / response-body exfiltration when a string argument was derived from attacker- influenced input. send_file() now uses 3-arg open() with an explicit '<' read mode, so the path is always treated as a literal filename and 2-arg open() shell-magic shapes ('| cmd', 'cmd |', '> path', etc.) are no longer interpreted. send_file() now also returns '0E0' (true zero) on a successful zero-byte transfer so callers can distinguish empty file from open failure (undef). See https://www.cve.org/CVERecord?id=CVE-2026-8450 for the advisory. Reported and patched by Stig Palmquist (stigtsp). (Stig Palmquist, Olaf Alders) For rawhide, F44, F43, F42
Fedora 42 was mistake, this is out of scope.
FEDORA-2026-8982379b5c (perl-HTTP-Daemon-6.17-1.fc44) has been submitted as an update to Fedora 44. https://bodhi.fedoraproject.org/updates/FEDORA-2026-8982379b5c
FEDORA-2026-f276b2154e (perl-HTTP-Daemon-6.17-1.fc43) has been submitted as an update to Fedora 43. https://bodhi.fedoraproject.org/updates/FEDORA-2026-f276b2154e
FEDORA-2026-8982379b5c has been pushed to the Fedora 44 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-8982379b5c` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-8982379b5c See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2026-f276b2154e has been pushed to the Fedora 43 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-f276b2154e` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-f276b2154e See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2026-8982379b5c (perl-HTTP-Daemon-6.17-1.fc44) has been pushed to the Fedora 44 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2026-f276b2154e (perl-HTTP-Daemon-6.17-1.fc43) has been pushed to the Fedora 43 stable repository. If problem still persists, please make note of it in this bug report.