Backport upstream fix (commit 945d3514) for CVE-2026-8450 to
perl-HTTP-Daemon 6.01. The send_file() method in
HTTP::Daemon::ClientConn used the insecure 2-argument form of
open(), which allowed shell-magic interpretation of filenames
(pipe commands, redirections, etc.). The fix switches to
3-argument open() with an explicit '<' mode, replacing the
typeglob with a lexical filehandle. Additional hardening
includes proper binmode() failure handling and a '0E0'
true-zero return for empty successful transfers.

CVE: CVE-2026-8450
Upstream patches:
- 945d35141d.patch
Resolves: RHEL-184825

This commit was backported by Ymir, a Red Hat Enterprise Linux software maintenance AI agent.
Assisted-by: Ymir
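
The difference between the two open() forms described in the commit message, as an added example that is not part of the commit or of HTTP::Daemon. `open_2arg` and `copy_file` are hypothetical helpers, the file name is constructed sample input, and a Unix-like system with `echo` is assumed.

```perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Pre-fix pattern: 2-argument open() parses mode characters out of the
# name itself, so a trailing '|' turns the "file name" into a command.
sub open_2arg {
    my ($name) = @_;
    local *F;                          # typeglob handle, as in the old code style
    open(F, $name) or return;
    my @lines = <F>;
    close(F);
    return \@lines;
}

# Post-fix pattern: explicit '<' mode, lexical handle, checked binmode(),
# and '0E0' (true in boolean context, 0 numerically) for an empty file.
sub copy_file {
    my ($name, $out) = @_;
    open(my $fh, '<', $name) or return undef;
    binmode($fh)             or return undef;
    my ($count, $buf) = (0, '');
    while (my $n = sysread($fh, $buf, 8192)) {
        print {$out} $buf;
        $count += $n;
    }
    close($fh);
    return $count || '0E0';
}

my $name = 'echo constructed-marker |';    # constructed sample input
open(my $sink, '>', \my $body) or die "open sink: $!";

my $old = open_2arg($name);
printf "2-arg open: %s\n",
    $old ? 'name was executed, read ' . scalar(@$old) . ' line(s) of its output'
         : 'open failed';

my $new = copy_file($name, $sink);
printf "3-arg open: %s\n",
    defined $new ? "copied $new byte(s)" : 'treated as a literal path, not found';

# Empty file: success must still be distinguishable from failure (undef).
my $dir   = tempdir(CLEANUP => 1);
my $empty = "$dir/empty.txt";
open(my $e, '>', $empty) or die "create: $!";
close($e);
my $r = copy_file($empty, $sink);
printf "empty file: returned '%s' (true: %s, numeric: %d)\n",
    $r, ($r ? 'yes' : 'no'), $r;
```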