
Fedora 43 ruby-Puma Severe Web Request Manipulation 2026-5dcb750495

fedora
May 8, 2026
Starman vulnerability for Fedora 42 allows HTTP Request Smuggling via improper header precedence. Update now.
Starman versions before 0.4018 for Perl allow HTTP Request Smuggling via Improper Header Precedence

Summary

Starman is a PSGI Perl web server that has unique features such as high performance, preforking, use of signals and a small memory footprint. It is PSGI compatible and offers HTTP/1.1 support.

Update Information:

Starman versions before 0.4018 for Perl allow HTTP Request Smuggling via Improper Header Precedence. Starman incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230, section 3.3.3, Transfer-Encoding must take precedence. An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy. This package updates Starman to 0.4018, where Transfer-Encoding now takes precedence over Content-Length.
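The precedence problem described above, as an added example (not code from Starman or from the Fedora advisory): it computes where a request body ends under Content-Length-first handling and under the RFC 7230 3.3.3 rule, and flags requests that carry both headers. The sample request and all function names are constructed for illustration; the chunk parser assumes no trailer fields.

```python
CRLF = b"\r\n"

# Constructed sample: both framing headers present, body is one 5-byte chunk.
SAMPLE = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
          b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n"
          b"5\r\nhello\r\n0\r\n\r\n")

def parse_head(raw: bytes):
    """Return (headers as {lowercased name: [values]}, bytes after the head)."""
    head, _, rest = raw.partition(CRLF + CRLF)
    headers = {}
    for line in head.split(CRLF)[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, rest

def is_chunked(headers) -> bool:
    """True when 'chunked' is the final transfer coding."""
    codings = b",".join(headers.get(b"transfer-encoding", [])).lower().split(b",")
    return codings[-1].strip() == b"chunked"

def chunked_length(body: bytes) -> int:
    """Bytes consumed by a chunked body (assumes no trailer fields)."""
    pos = 0
    while True:
        eol = body.index(CRLF, pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # drop chunk extensions
        pos = eol + 2
        if size == 0:
            return pos + 2  # final CRLF after the last chunk
        pos += size + 2     # chunk data plus its CRLF

def body_length(raw: bytes, te_first: bool) -> int:
    """Body length a server would consume; te_first=False models the
    Content-Length-first behaviour the advisory describes."""
    headers, body = parse_head(raw)
    has_cl = b"content-length" in headers
    if is_chunked(headers) and (te_first or not has_cl):
        return chunked_length(body)
    return int(headers[b"content-length"][0]) if has_cl else 0

def framing_conflict(raw: bytes) -> bool:
    """Both headers present: reject or normalise at the front end."""
    headers, _ = parse_head(raw)
    return is_chunked(headers) and b"content-length" in headers

if __name__ == "__main__":
    print("conflict:", framing_conflict(SAMPLE))
    print("Content-Length first:", body_length(SAMPLE, te_first=False))
    print("Transfer-Encoding first:", body_length(SAMPLE, te_first=True))
```

When the two lengths differ, a proxy and a back end that apply different precedence rules disagree on where the next request starts, which is the condition the 0.4018 update removes.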

Change Log

* Wed Apr 29 2026 Emmanuel Seyman - 0.4018-1
- Update to 0.4018 (which contains a fix for CVE-2026-40560)

References


[ 1 ] Bug #2463491 - perl-Starman-0.4018 is available https://bugzilla.redhat.com/show_bug.cgi?id=2463491
[ 2 ] Bug #2463795 - CVE-2026-40560 perl-Starman: Starman: HTTP Request Smuggling via improper header precedence [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2463795

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-4cca750484' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

Severity
critical

Name: perl-Starman
Product: Fedora 42
Version: 0.4018
Release: 1.fc42
Summary: High-performance preforking PSGI/Plack web server
