Bug#930659: libapache-session-perl: poor source of entropy for session id generation
Xavier
yadd at debian.org
Tue Jun 18 08:46:26 BST 2019
On 17/06/2019 at 22:44, Raphael Geissert wrote:
> Package: libapache-session-perl
> Version: 1.93-3
> Severity: important
> Tags: security
>
> Hi,
>
> As discussed in oss-security[1], libapache-session-perl uses a poor
> source of entropy in Apache::Session::Generate::MD5. The critical part
> is moving away from rand (e.g. to using urandom), but it would also be
> a good time to update the way the id is generated.
>
> The details are in the oss-sec thread.
>
> [1] https://www.openwall.com/lists/oss-security/2019/06/15/1
>
> Cheers,
Hi all,
lemonldap-ng is not affected by this issue even if it depends on
Apache::Session: it uses its own
Lemonldap::NG::Common::Apache::Session::Generate::SHA256 which uses
Crypt::URandom instead of rand(). This can be easily backported to
Apache::Session but changes the generated id: SHA256 is longer.
Cheers,
Xavier
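As an added illustration (not code from lemonldap-ng or Apache::Session) of the kind of generator described above: a module following the Apache::Session generator convention (`generate` and `validate` called with the session object, and the optional `IDLength` argument the MD5 generator honours) that draws its randomness from Crypt::URandom and hashes it with SHA-256. The module name is hypothetical; as noted, the default id is 64 hex characters rather than the MD5 generator's 32.

```perl
package Apache::Session::Generate::URandomSHA256;   # hypothetical module name
use strict;
use warnings;
use Crypt::URandom qw(urandom);   # OS CSPRNG (/dev/urandom or equivalent)
use Digest::SHA qw(sha256_hex);

# Apache::Session calls generate($session) for a new session and expects
# $session->{data}->{_session_id} to be filled in.
sub generate {
    my $session = shift;
    my $length = 64;   # sha256_hex gives 64 hex chars; the MD5 generator gave 32
    if (exists $session->{args}->{IDLength}) {
        $length = $session->{args}->{IDLength};
    }
    # 32 bytes from the OS CSPRNG instead of time/pid/rand(); urandom() dies
    # if the source is unavailable rather than silently falling back.
    my $id = sha256_hex(urandom(32));
    # Truncation to IDLength keeps the MD5 generator's behaviour; shorter ids
    # carry proportionally less entropy, so leave IDLength at the default.
    $session->{data}->{_session_id} = substr($id, 0, $length);
}

# Apache::Session calls validate($session) when the client presents an id;
# it must die on anything that is not exactly a well-formed id before the
# id reaches the store layer.
sub validate {
    my $session = shift;
    my $length = 64;
    if (exists $session->{args}->{IDLength}) {
        $length = $session->{args}->{IDLength};
    }
    if ($session->{data}->{_session_id} =~ /^([a-fA-F0-9]{$length})$/) {
        $session->{data}->{_session_id} = $1;   # capture also untaints under -T
    } else {
        die "Invalid session ID: $session->{data}->{_session_id}";
    }
}

1;
```

Because `validate` checks the exact length, existing 32-character MD5 ids are rejected once a store is switched to this generator, which is the compatibility point raised in the reply.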