ALAS2023-2026-1765


Amazon Linux 2023 Security Advisory: ALAS2023-2026-1765
Advisory Released Date: 2026-06-08
Advisory Updated Date: 2026-06-08
Severity: Medium

Issue Overview:

HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values.

The unvalidated inputs are the method and URI in the request line, the URL host that becomes the `Host:` header, and HTTP/1.1 control data field values.

An attacker who controls one of these inputs, for example a user supplied URL passed to a webhook or URL fetch endpoint, can inject additional headers and smuggle requests to the upstream server. (CVE-2026-7010)
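A caller-side check for the inputs named above, as an added example (not code from this advisory or from HTTP::Tiny). The helper name `request_input_problems` and the sample inputs are assumptions, and the URL check assumes URLs arrive already percent-encoded.

```perl
#!/usr/bin/env perl
# Added example: reject CR/LF and other control characters in caller-supplied
# request inputs before they are handed to an HTTP client such as HTTP::Tiny.
use strict;
use warnings;

# RFC 9110 "token" characters. \z (not $) is used so a trailing "\n" cannot match.
my $TOKEN = qr/\A[!#\$%&'*+\-.^_`|~0-9A-Za-z]+\z/;

# Hypothetical helper: returns a list of problems; an empty list means clean input.
sub request_input_problems {
    my ($method, $url, $headers) = @_;
    my @problems;

    # The method goes into the request line, so it must be a bare token.
    push @problems, "method is not a valid token"
        unless defined $method && $method =~ $TOKEN;

    # The URL supplies both the request target and the Host: header value.
    # Only visible ASCII (0x21-0x7E) is accepted: no space, CR, LF, or NUL.
    push @problems, "URL contains whitespace, control or non-ASCII characters"
        unless defined $url && $url =~ /\A[\x21-\x7E]+\z/;

    for my $name (sort keys %{ $headers || {} }) {
        if ($name !~ $TOKEN) {
            push @problems, "a header name is not a valid token";
            next;    # do not echo an untrusted name into the message
        }
        my $v = $headers->{$name};
        for my $value (ref($v) eq 'ARRAY' ? @$v : $v) {
            push @problems, "header '$name' value contains CR, LF or NUL"
                if !defined $value || $value =~ /[\r\n\0]/;
        }
    }
    return @problems;
}

# Constructed sample inputs (example.test is a placeholder host).
my @cases = (
    [ 'GET',  'http://example.test/hook', { 'X-Request-Id' => 'abc123' } ],
    [ 'GET',  "http://example.test/hook\r\nX-Injected: 1", {} ],
    [ 'POST', 'http://example.test/hook', { 'X-Tag' => "a\r\nX-Injected: 1" } ],
);
for my $c (@cases) {
    my @p = request_input_problems(@$c);
    print @p ? "REJECT: " . join('; ', @p) . "\n" : "OK: inputs are clean\n";
}
```

The first case prints `OK` and the other two print `REJECT`; a check like this complements the package update rather than replacing it.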


Affected Packages:

perl-HTTP-Tiny


Issue Correction:
Run `dnf update perl-HTTP-Tiny --releasever 2023.12.20260608` or `dnf update --advisory ALAS2023-2026-1765 --releasever 2023.12.20260608` to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:
noarch:
    perl-HTTP-Tiny-0.092-2.amzn2023.0.2.noarch
    perl-HTTP-Tiny-tests-0.092-2.amzn2023.0.2.noarch

src:
    perl-HTTP-Tiny-0.092-2.amzn2023.0.2.src