
Fedora is rolling out important security patches across versions 42, 43, and 44 to address recent vulnerabilities in widely used packages. The perl-Starman update brings version 0.4018 to all three releases, fixing a header precedence flaw that previously allowed attackers to smuggle malicious HTTP requests through reverse proxies. Meanwhile, Fedora 42 gets a separate OpenSSL upgrade that patches an RSA encryption validation issue tied to CVE-2026-31790.

Fedora 42 Update: perl-Starman-0.4018-1.fc42
Fedora 42 Update: openssl-3.2.6-4.fc42
Fedora 43 Update: perl-Starman-0.4018-1.fc43
Fedora 44 Update: perl-Starman-0.4018-1.fc44




[SECURITY] Fedora 42 Update: perl-Starman-0.4018-1.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-4cca750484
2026-05-08 01:24:13.569803+00:00
--------------------------------------------------------------------------------

Name : perl-Starman
Product : Fedora 42
Version : 0.4018
Release : 1.fc42
URL : https://metacpan.org/dist/Starman
Summary : High-performance preforking PSGI/Plack web server
Description :
Starman is a PSGI perl web server that has unique features such as high
performance, preforking, use of signals and a small memory footprint. It is PSGI
compatible and offers HTTP/1.1 support.

--------------------------------------------------------------------------------
Update Information:

Starman versions before 0.4018 for Perl allow HTTP Request Smuggling via
Improper Header Precedence. Starman incorrectly prioritizes "Content-Length"
over "Transfer-Encoding: chunked" when both headers are present in an HTTP
request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence. An attacker
could exploit this to smuggle malicious HTTP requests via a front-end reverse
proxy.
This package updates Starman to 0.4018 where Transfer-Encoding now takes
precedence over Content-Length.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 29 2026 Emmanuel Seyman [emmanuel@seyman.fr] - 0.4018-1
- Update to 0.4018 (which contains a fix for CVE-2026-40560)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2463491 - perl-Starman-0.4018 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2463491
[ 2 ] Bug #2463795 - CVE-2026-40560 perl-Starman: Starman: HTTP Request Smuggling via improper header precedence [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2463795
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-4cca750484' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
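The header-precedence rule from the perl-Starman advisory above, as an added Python example that is not Starman's code and not part of the Fedora notification. It compares the Content-Length-first precedence the advisory describes with the RFC 7230 3.3.3 rule on one constructed request; all function names, the host and the path are hypothetical.

```python
# Added illustration (not Starman's code): deciding where a request body ends
# when Content-Length and Transfer-Encoding are both present (RFC 7230 3.3.3).

def split_head(raw: bytes):
    """Split a raw request into ({lower-cased name: [values]}, bytes after the blank line)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower().decode(), []).append(value.strip().decode())
    return headers, rest

def chunked_extent(data: bytes) -> int:
    """Number of bytes a chunked body occupies, including the final CRLF."""
    pos = 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size = int(data[pos:eol].split(b";")[0].decode(), 16)   # ignore chunk extensions
        if size == 0:
            end = data.find(b"\r\n\r\n", eol)      # end of (possibly empty) trailer section
            if end < 0:
                raise ValueError("unterminated chunked body")
            return end + 4
        pos = eol + 2 + size
        if data[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        pos += 2

def is_chunked(headers) -> bool:
    codings = [c.strip().lower() for v in headers.get("transfer-encoding", []) for c in v.split(",")]
    return bool(codings) and codings[-1] == "chunked"

def body_extent(headers, rest: bytes, te_first: bool = True) -> int:
    """te_first=True follows RFC 7230 3.3.3; False models the precedence the advisory describes."""
    has_cl = "content-length" in headers
    if is_chunked(headers) and (te_first or not has_cl):
        return chunked_extent(rest)
    return int(headers["content-length"][0]) if has_cl else 0

def is_ambiguous(headers) -> bool:
    """Both framing headers present: RFC 7230 says this ought to be handled as an error."""
    return "content-length" in headers and "transfer-encoding" in headers

# Constructed sample request carrying both headers.
SAMPLE = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
          b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n"
          b"5\r\nhello\r\n0\r\n\r\n")
```

On the sample, the two precedence rules place the end of the body at different offsets, which is the disagreement between a front-end proxy and the back end that the advisory refers to; is_ambiguous() is the check a proxy or log pipeline can use to reject or flag such requests.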



[SECURITY] Fedora 42 Update: openssl-3.2.6-4.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-7af660d639
2026-05-08 01:24:13.569769+00:00
--------------------------------------------------------------------------------

Name : openssl
Product : Fedora 42
Version : 3.2.6
Release : 4.fc42
URL : http://www.openssl.org/
Summary : Utilities from the general purpose cryptography library with TLS implementation
Description :
The OpenSSL toolkit provides support for secure communications between
machines. OpenSSL includes a certificate management tool and shared
libraries which provide various cryptographic algorithms and
protocols.

--------------------------------------------------------------------------------
Update Information:

Validate RSA_public_encrypt() result in RSASVE
--------------------------------------------------------------------------------
ChangeLog:

* Mon Apr 20 2026 Pavol Žáčik [pzacik@redhat.com] - 1:3.2.6-4
- Validate RSA_public_encrypt() result in RSASVE
Resolves: CVE-2026-31790
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-7af660d639' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 43 Update: perl-Starman-0.4018-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-b94aad33a5
2026-05-08 01:00:54.371992+00:00
--------------------------------------------------------------------------------

Name : perl-Starman
Product : Fedora 43
Version : 0.4018
Release : 1.fc43
URL : https://metacpan.org/dist/Starman
Summary : High-performance preforking PSGI/Plack web server
Description :
Starman is a PSGI perl web server that has unique features such as high
performance, preforking, use of signals and a small memory footprint. It is PSGI
compatible and offers HTTP/1.1 support.

--------------------------------------------------------------------------------
Update Information:

Starman versions before 0.4018 for Perl allow HTTP Request Smuggling via
Improper Header Precedence. Starman incorrectly prioritizes "Content-Length"
over "Transfer-Encoding: chunked" when both headers are present in an HTTP
request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence. An attacker
could exploit this to smuggle malicious HTTP requests via a front-end reverse
proxy.
This package updates Starman to 0.4018 where Transfer-Encoding now takes
precedence over Content-Length.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 29 2026 Emmanuel Seyman [emmanuel@seyman.fr] - 0.4018-1
- Update to 0.4018 (which contains a fix for CVE-2026-40560)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2463491 - perl-Starman-0.4018 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2463491
[ 2 ] Bug #2463795 - CVE-2026-40560 perl-Starman: Starman: HTTP Request Smuggling via improper header precedence [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2463795
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-b94aad33a5' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 44 Update: perl-Starman-0.4018-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-5bb108e1b7
2026-05-08 00:49:16.521725+00:00
--------------------------------------------------------------------------------

Name : perl-Starman
Product : Fedora 44
Version : 0.4018
Release : 1.fc44
URL : https://metacpan.org/dist/Starman
Summary : High-performance preforking PSGI/Plack web server
Description :
Starman is a PSGI perl web server that has unique features such as high
performance, preforking, use of signals and a small memory footprint. It is PSGI
compatible and offers HTTP/1.1 support.

--------------------------------------------------------------------------------
Update Information:

Starman versions before 0.4018 for Perl allow HTTP Request Smuggling via
Improper Header Precedence. Starman incorrectly prioritizes "Content-Length"
over "Transfer-Encoding: chunked" when both headers are present in an HTTP
request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence. An attacker
could exploit this to smuggle malicious HTTP requests via a front-end reverse
proxy.
This package updates Starman to 0.4018 where Transfer-Encoding now takes
precedence over Content-Length.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 29 2026 Emmanuel Seyman [emmanuel@seyman.fr] - 0.4018-1
- Update to 0.4018 (which contains a fix for CVE-2026-40560)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2463491 - perl-Starman-0.4018 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2463491
[ 2 ] Bug #2463795 - CVE-2026-40560 perl-Starman: Starman: HTTP Request Smuggling via improper header precedence [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2463795
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-5bb108e1b7' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

