Bug#930659: libapache-session-perl: poor source of entropy for session id generation
Raphael Geissert
geissert at debian.org
Mon Jun 17 21:44:50 BST 2019
Package: libapache-session-perl
Version: 1.93-3
Severity: important
Tags: security

Hi,

As discussed in oss-security[1], libapache-session-perl uses a poor
source of entropy in Apache::Session::Generate::MD5. The critical part
is moving away from rand (e.g. to using urandom), but it would also be
a good time to update the way the id is generated.

The details are in the oss-sec thread.

[1] https://www.openwall.com/lists/oss-security/2019/06/15/1

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org
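
The change the report asks for, drawing the session id from urandom instead of rand, sketched as an added example; this is not code from Apache::Session, the reporter or the oss-security thread. The function names are hypothetical and the script assumes a readable /dev/urandom.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not part of Apache::Session): read exactly $n bytes
# from the kernel CSPRNG and die on failure instead of falling back to rand().
sub urandom_bytes {
    my ($n) = @_;
    open(my $fh, '<', '/dev/urandom') or die "cannot open /dev/urandom: $!";
    binmode($fh);
    my $buf = '';
    while (length($buf) < $n) {
        # Append at the current end of $buf; a short read just loops again.
        my $got = sysread($fh, $buf, $n - length($buf), length($buf));
        if (!defined $got) {
            next if $!{EINTR};    # interrupted by a signal, retry
            die "read from /dev/urandom failed: $!";
        }
        die "unexpected EOF on /dev/urandom" if $got == 0;
    }
    close($fh);
    return $buf;
}

# Hypothetical generator: 16 bytes (128 bits) of CSPRNG output, hex-encoded
# to 32 characters, the length of an MD5 hex digest.
sub generate_session_id {
    my ($bytes) = @_;
    $bytes = 16 unless defined $bytes;
    die "session ids need at least 16 random bytes" if $bytes < 16;
    return unpack('H*', urandom_bytes($bytes));
}

# Hypothetical validator: accept only ids of the expected length and
# alphabet before they are used as a lookup key in the session store.
sub validate_session_id {
    my ($id, $bytes) = @_;
    $bytes = 16 unless defined $bytes;
    return 0 unless defined $id && length($id) == 2 * $bytes;
    return $id =~ /[^0-9a-f]/ ? 0 : 1;
}

# Self-check on freshly generated ids: well-formed and no repeats.
my %seen;
for (1 .. 1000) {
    my $id = generate_session_id();
    die "malformed id" unless validate_session_id($id);
    die "duplicate id" if $seen{$id}++;
}
print "generated ", scalar(keys %seen), " distinct 128-bit ids\n";
```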