
Bug#1136626: Bug#1136625: trixie-pu: package libapache-session-browseable-perl/1.3.16-1+deb13u1

From Xavier <yadd@debian.org>
Newsgroups linux.debian.bugs.dist, linux.debian.devel.release
Subject Bug#1136626: Bug#1136625: trixie-pu: package libapache-session-browseable-perl/1.3.16-1+deb13u1
Date 2026-05-15 07:20 +0200
Message-ID <MUT7P-5fdK-1@gated-at.bofh.it> (permalink)
References <MUx7j-50ve-3@gated-at.bofh.it> <MUJUR-592H-1@gated-at.bofh.it> <MUT7P-5fdK-3@gated-at.bofh.it> <MUxgZ-50yO-7@gated-at.bofh.it> <MUT7P-5fdK-3@gated-at.bofh.it>
Organization linux.* mail to news gateway


On 15/05/2026 at 07:09, Xavier wrote:
> On 14/05/2026 at 21:23, Adrian Bunk wrote:
>> On Thu, May 14, 2026 at 07:45:42AM +0200, Xavier Guimard wrote:
>>> ...
>>> [ Reason ]
>>> Apache::Session::Generate::SHA256 seeded its session identifier from
>>> low-entropy sources (time(), PID, rand(), stringified hash ref).
>>> CVE-2026-8503
>>> ...
>>> +libapache-session-browseable-perl (1.3.16-1+deb13u1) trixie; 
>>> urgency=medium
>>> +
>>> +  * Improve Apache::Session::Generate::SHA256 entropy (Closes: 
>>> CVE-2025-40931)
>>> ...
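Review bot: The changelog bullet ends with "Closes: CVE-2025-40931", while the [ Reason ] section of the same request names CVE-2026-8503; the two should carry the same identifier, the one assigned to this package. The bullet also only says "Improve ... entropy", so naming the randomness source that replaces time(), PID, rand() and the stringified hash ref would make the stable update easier to review.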
>>
>> Which CVE number is correct?
> 
> Hi,
> 
> the correct CVE is the one given in the last debdiff: CVE-2026-8503, which is
> a copy of CVE-2025-40931 but for this package.
> 
>>> ...
>>
>> libapache-session-browseable-perl should really add a dependency on
>> libcrypt-urandom-perl (also in unstable), currently this happens to work
>> due to a transitive dependency via libapache-session-perl but that's
>> fragile and might break.
> 
> Thank you, it's done in the 3:
> - unstable (pending)
> - trixie in the attached debdiff
> - bookworm
> 
> Best regards,
> Xavier

Hi,

Same fix here (depends on libcrypt-urandom-perl).
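
The weakness named in the [ Reason ] section, next to the kind of generator the libcrypt-urandom-perl dependency makes available, as an added Perl example. It is not code from libapache-session-browseable-perl or from anyone in this thread; the function names `weak_session_id`, `strong_session_id` and `is_well_formed_id` are hypothetical.

```perl
#!/usr/bin/perl
# Added illustration; not the source of Apache::Session::Generate::SHA256.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);
use Crypt::URandom qw(urandom);    # Debian package: libcrypt-urandom-perl

# Constructed "before" pattern: hashing the inputs listed in the bug report.
# SHA-256 hides the inputs but adds no entropy to them:
#   time()  - one-second resolution, not a secret
#   $$      - process ID, a small bounded integer
#   rand()  - Perl's non-cryptographic PRNG
#   +{}     - stringifies to "HASH(0x...)", a memory address, not a secret
sub weak_session_id {
    return sha256_hex( time() . +{} . rand() . $$ );
}

# Hardened form: 32 bytes (256 bits) from the OS CSPRNG, hex-encoded.
# Fails closed: there is no fallback to rand() if the read comes back short.
sub strong_session_id {
    my ($nbytes) = @_;
    $nbytes //= 32;
    my $bytes = urandom($nbytes);
    die "CSPRNG returned a short read\n" unless length($bytes) == $nbytes;
    return unpack( 'H*', $bytes );
}

# Format check a session store can apply before looking an ID up.
sub is_well_formed_id {
    my ($id) = @_;
    return defined $id && $id =~ /\A[0-9a-f]{64}\z/ ? 1 : 0;
}

my $id = strong_session_id();
die "unexpected id format\n" unless is_well_formed_id($id);
print "weak   (do not use): ", weak_session_id(), "\n";
print "strong (CSPRNG)    : $id\n";
```

Both functions return 64 hex characters, so the output format alone does not reveal which generator a deployed package uses; declaring the dependency on libcrypt-urandom-perl directly, as discussed in the thread, keeps the hardened path from depending on another package's dependency list.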
