Bug#930660: libapache-sessionx-perl: poor source of entropy for session id generation
Raphael Geissert
geissert at debian.org
Mon Jun 17 21:44:52 BST 2019
Package: libapache-sessionx-perl
Version: 2.01-5
Severity: important
Tags: security
Hi,
As discussed in oss-security[1], libapache-sessionx-perl uses a poor
source of entropy in Apache::Session::Generate::MD5. The critical part
is moving away from rand (e.g. to using urandom), but it would also be
a good time to update the way the id is generated.
The details are in the oss-sec thread.
[1] https://www.openwall.com/lists/oss-security/2019/06/15/1
Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org
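The fix the report asks for is to stop deriving session ids from Perl's rand() (a non-cryptographic PRNG with a small, guessable seed) and draw them from the kernel CSPRNG instead. The following is an added example of such a generator, written for this page; it is not code from libapache-sessionx-perl, from Apache::Session, or from the bug reporter. The function names (urandom_bytes, generate_session_id, looks_like_session_id) and the 16-byte id size are this example's own choices; it assumes a Unix-like system where /dev/urandom is available.

```perl
#!/usr/bin/perl
# Added example (not libapache-sessionx-perl's own code): a session-id
# generator whose entropy comes from the kernel CSPRNG via /dev/urandom
# rather than from rand(). Names here are assumptions of this example.
use strict;
use warnings;

# Random bytes per id. 16 bytes = 128 bits, enough that guessing a live
# id is infeasible; the 32 hex characters keep the same id length that
# an md5_hex-based generator produces, so existing storage need not change.
use constant ID_BYTES => 16;

# Read exactly $n bytes from /dev/urandom. Die rather than fall back to
# something weaker or return a short buffer if the device is unavailable.
sub urandom_bytes {
    my ($n) = @_;
    open(my $fh, '<:raw', '/dev/urandom')
        or die "cannot open /dev/urandom: $!";
    my $buf = '';
    while (length($buf) < $n) {
        # read(FH, SCALAR, LENGTH, OFFSET) appends at OFFSET
        my $got = read($fh, $buf, $n - length($buf), length($buf));
        die "short read from /dev/urandom: $!"
            unless defined $got && $got > 0;
    }
    close($fh);
    return $buf;
}

# Session id as lowercase hex. No hashing step is needed: hashing cannot
# add entropy the source never had, which is the core problem with ids
# derived from rand(), time() and the process id.
sub generate_session_id {
    return unpack('H*', urandom_bytes(ID_BYTES));
}

# Shape check for an id taken from an untrusted source (e.g. a cookie)
# before it is used in any lookup.
sub looks_like_session_id {
    my ($id) = @_;
    my $len = 2 * ID_BYTES;    # two hex digits per byte
    return defined($id) && $id =~ /\A[0-9a-f]{$len}\z/;
}

my $id = generate_session_id();
print "$id\n";
die "self-check failed" unless looks_like_session_id($id);
```

A generator like this has no seed to recover and no per-process state to predict, so neither the process id nor the request time narrows the search for a valid id. Callers should treat a die from urandom_bytes as fatal for the request rather than retrying with a weaker source.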