Alerts This Week
Warning Icon 1 680
Alerts This Week
Warning Icon 1 680

Fedora 44 perl-HTTP-Daemon Important Remote Code Exec Patch 2026-8982379b5c

fedora
Calendar Grey June 18, 2026
Dist Fedora Esm H88
Critical update for Fedora 44 addressing remote code execution in perl-HTTP-Daemon due to flaws in send_file().
Changes: 6.17 2026-05-19 23:11:06Z Fix CVE-2026-8450 (affects 6.15 and earlier): 2-arg open() in send_file() enabled RCE / arbitrary file write / response-body exfiltration when ...

Summary

Instances of the HTTP::Daemon class are HTTP/1.1 servers that listen on a

socket for incoming requests. The HTTP::Daemon is a subclass of

IO::Socket::IP, so you can perform socket operations directly on it too.

Update Information:

Changes: 6.17 2026-05-19 23:11:06Z Fix CVE-2026-8450 (affects 6.15 and earlier): 2-arg open() in send_file() enabled RCE / arbitrary file write / response-body exfiltration when a string argument was derived from attacker- influenced input. send_file() now uses 3-arg open() with an explicit '<' read mode, so the path is always treated as a literal filename and 2-arg open() shell-magic shapes ('| cmd', 'cmd |', '> path', etc.) are no longer interpreted. send_file() now also returns '0E0' (true zero) on a successful zero-byte transfer so callers can distinguish empty file from open failure (undef). See https://www.cve.org/CVERecord?id=CVE-2026-8450 for the advisory. Reported and patched by Stig Palmquist (stigtsp). (Stig Palmquist, Olaf Alders)

Topics%20covered

Topics Covered

security advisory fedora critical remote code execution file write response exfiltration

Change Log

* Wed May 20 2026 Michal Josef Špaček - 6.17-1 - 6.17 bump

References


[ 1 ] Bug #2480076 - perl-HTTP-Daemon-6.17 is available https://bugzilla.redhat.com/show_bug.cgi?id=2480076

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-8982379b5c' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

Severity
critical
Lowest
Low
Medium
High
Critical

Name: perl-HTTP-Daemon
Product: Fedora 44
Version: 6.17
Release: 1.fc44
URL: https://metacpan.org/release/HTTP-Daemon
Summary: Simple HTTP server class

Topics%20covered

Topics Covered

security advisory fedora critical remote code execution file write response exfiltration

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here