pkgsrc-Changes archive


CVS commit: pkgsrc/www/p5-HTTP-Daemon



Module Name:    pkgsrc
Committed By:   wiz
Date:           Sun May 24 17:49:41 UTC 2026

Modified Files:
        pkgsrc/www/p5-HTTP-Daemon: Makefile distinfo

Log Message:
p5-HTTP-Daemon: update to 6.17.

6.17      2026-05-19 23:11:06Z
  - Fix CVE-2026-8450 (affects 6.15 and earlier): 2-arg open() in
    send_file() enabled RCE / arbitrary file write / response-body
    exfiltration when a string argument was derived from attacker-
    influenced input. send_file() now uses 3-arg open() with an
    explicit '<' read mode, so the path is always treated as a literal
    filename and 2-arg open() shell-magic shapes ('| cmd', 'cmd |',
    '> path', etc.) are no longer interpreted. send_file() now also
    returns '0E0' (true zero) on a successful zero-byte transfer so
    callers can distinguish empty file from open failure (undef). See
    https://www.cve.org/CVERecord?id=CVE-2026-8450 for the advisory.
    Reported and patched by Stig Palmquist (stigtsp). (Stig Palmquist,
    Olaf Alders)


To generate a diff of this commit:
cvs rdiff -u -r1.28 -r1.29 pkgsrc/www/p5-HTTP-Daemon/Makefile
cvs rdiff -u -r1.11 -r1.12 pkgsrc/www/p5-HTTP-Daemon/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/www/p5-HTTP-Daemon/Makefile
diff -u pkgsrc/www/p5-HTTP-Daemon/Makefile:1.28 pkgsrc/www/p5-HTTP-Daemon/Makefile:1.29
--- pkgsrc/www/p5-HTTP-Daemon/Makefile:1.28     Fri Jul  4 08:49:15 2025
+++ pkgsrc/www/p5-HTTP-Daemon/Makefile  Sun May 24 17:49:41 2026
@@ -1,8 +1,7 @@
-# $NetBSD: Makefile,v 1.28 2025/07/04 08:49:15 wiz Exp $
+# $NetBSD: Makefile,v 1.29 2026/05/24 17:49:41 wiz Exp $
 
-DISTNAME=      HTTP-Daemon-6.16
+DISTNAME=      HTTP-Daemon-6.17
 PKGNAME=       p5-${DISTNAME}
-PKGREVISION=   3
 CATEGORIES=    www perl5
 MASTER_SITES=  ${MASTER_SITE_PERL_CPAN:=../../authors/id/O/OA/OALDERS/}
 
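Review bot: The DISTNAME change from HTTP-Daemon-6.16 to HTTP-Daemon-6.17 is justified in the log by CVE-2026-8450, which the quoted upstream entry describes as affecting "6.15 and earlier", while the version replaced here is 6.16. The commit message should state whether the previously packaged 6.16 still carried the 2-arg open() in send_file(), so users of the old package can tell whether this is a security update for them. Dropping PKGREVISION along with the version bump looks right.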

Index: pkgsrc/www/p5-HTTP-Daemon/distinfo
diff -u pkgsrc/www/p5-HTTP-Daemon/distinfo:1.11 pkgsrc/www/p5-HTTP-Daemon/distinfo:1.12
--- pkgsrc/www/p5-HTTP-Daemon/distinfo:1.11     Sat Apr 29 09:25:45 2023
+++ pkgsrc/www/p5-HTTP-Daemon/distinfo  Sun May 24 17:49:41 2026
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.11 2023/04/29 09:25:45 wen Exp $
+$NetBSD: distinfo,v 1.12 2026/05/24 17:49:41 wiz Exp $
 
-BLAKE2s (HTTP-Daemon-6.16.tar.gz) = bbcf52e8797771f2222be2827ce194a0774a1231086899bf01be2a6ec6c7d788
-SHA512 (HTTP-Daemon-6.16.tar.gz) = 09e3c5c98c6f22bcb494eae9a28990d52a98c3b1be1b0ca001fc364b3891f7f43f0468aa7274070c64ca11c6b6313591e064084c0b2f5bc6b8bd71708f390d64
-Size (HTTP-Daemon-6.16.tar.gz) = 45830 bytes
+BLAKE2s (HTTP-Daemon-6.17.tar.gz) = 7f398c5e3992204fc00f9618e87001aec0d7d45b6d182088324126232e14b9b4
+SHA512 (HTTP-Daemon-6.17.tar.gz) = a745babab5165e5948014adf6b5f3e628730cfd472327835169174836002fb252e053165a4f99621d855b2b7adb9b15d52c2952114e16e79752cdeb2faf421d9
+Size (HTTP-Daemon-6.17.tar.gz) = 48657 bytes
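Review bot: The new BLAKE2s, SHA512 and Size lines for HTTP-Daemon-6.17.tar.gz record whatever tarball was fetched when the checksums were regenerated, and nothing in the commit says how that tarball was validated. Because this is a security release, consider noting in the log that the distfile was compared against the upstream release under authors/id/O/OA/OALDERS/ before these values were committed.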



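The 2-arg versus 3-arg open() behaviour and the '0E0' return value described in the 6.17 log entry, as an added example that is not HTTP::Daemon's code and not part of this commit. The functions `_copy`, `send_file_2arg` and `send_file_3arg` are hypothetical stand-ins, and the file names are constructed sample input.

```perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Hypothetical stand-ins for illustration; not HTTP::Daemon's own code.
sub _copy {
    my ($fh, $out) = @_;
    binmode $fh;
    my ($count, $buf) = (0, '');
    while (my $n = sysread($fh, $buf, 8192)) {
        print {$out} $buf;
        $count += $n;
    }
    close $fh;
    return $count || '0E0';    # '0E0' is numerically zero but true
}

# 'Before' shape: 2-arg open() parses the mode out of $file itself,
# so a leading or trailing '|' or a leading '>' changes what is opened.
sub send_file_2arg {
    my ($out, $file) = @_;
    open(my $fh, $file) or return;
    return _copy($fh, $out);
}

# 'After' shape: the mode is fixed to '<' and $file is only ever a name.
sub send_file_3arg {
    my ($out, $file) = @_;
    open(my $fh, '<', $file) or return;
    return _copy($fh, $out);
}

# Constructed sample input: two real files, one missing file, and one
# string with the 'cmd |' shape (a harmless echo).
my $dir = tempdir(CLEANUP => 1);
open(my $t, '>', "$dir/hello.txt") or die $!; print {$t} "hello\n"; close $t;
open($t, '>', "$dir/empty.txt") or die $!; close $t;

for my $name ("$dir/hello.txt", "$dir/empty.txt", "$dir/missing.txt", 'echo INJECTED |') {
    for my $impl ([ '2-arg', \&send_file_2arg ], [ '3-arg', \&send_file_3arg ]) {
        my $body = '';
        open(my $out, '>', \$body) or die $!;
        my $ret = $impl->[1]->($out, $name);
        close $out;
        my $status = !defined $ret ? 'open failed (undef)'
                   : $ret == 0     ? 'empty file (0E0)'
                   :                 "$ret bytes";
        printf "%-5s %-18s %-20s body=%s\n", $impl->[0],
            '[' . ($name =~ s{^\Q$dir\E/}{}r) . ']', $status, $body =~ s/\n/\\n/gr;
    }
}
```

For the last input, the 2-arg variant returns the output of the echo process as the body, while the 3-arg variant looks for a file with that literal name and reports an open failure.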