Bug#930659: libapache-session-perl: poor source of entropy for session id generation

Xavier yadd at debian.org
Tue Jun 18 08:56:52 BST 2019


On 18/06/2019 at 09:46, Xavier wrote:
> On 17/06/2019 at 22:44, Raphael Geissert wrote:
>> Package: libapache-session-perl
>> Version: 1.93-3
>> Severity: important
>> Tags: security
>>
>> Hi,
>>
>> As discussed in oss-security[1], libapache-session-perl uses a poor
>> source of entropy in Apache::Session::Generate::MD5. The critical part
>> is moving away from rand (e.g. to using urandom), but it would also be
>> a good time to update the way the id is generated.
>>
>> The details are in the oss-sec thread.
>>
>> [1] https://www.openwall.com/lists/oss-security/2019/06/15/1
>>
>> Cheers,
> 
> Hi all,
> 
> lemonldap-ng is not affected by this issue even if it depends on
> Apache::Session: it uses its own
> Lemonldap::NG::Common::Apache::Session::Generate::SHA256 which uses
> Crypt::URandom instead of rand(). This can be easily backported to
> Apache::Session but changes the generated id: SHA256 is longer.

This is true for lemonldap-ng ≥ 2.0.2 (buster); the 1.9.x versions (stretch)
are affected by this issue.

Fix is referenced here:
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1633
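Added example, not code from the bug report, from Apache::Session or from lemonldap-ng: a generator module in the Apache::Session "Generate" style that draws its entropy from Crypt::URandom (the kernel CSPRNG) and formats the id with SHA-256, which is the replacement for rand() plus MD5 that the thread describes. The package name My::Session::Generate::SHA256 is hypothetical, the generator interface (a session hashref whose args may carry IDLength and whose data must receive _session_id) is assumed from the MD5 generator's behaviour, and the script assumes the Crypt::URandom and Digest::SHA modules are installed. As the thread notes, the id is longer: 64 hex characters by default rather than 32.

```perl
#!/usr/bin/perl
use 5.010;
use strict;
use warnings;

# Hypothetical module name; mirrors the Apache::Session::Generate::* layout.
package My::Session::Generate::SHA256;
use Crypt::URandom qw(urandom);     # kernel CSPRNG; assumption: module installed
use Digest::SHA   qw(sha256_hex);

# Assumed generator interface: receive the session hashref, optionally honour
# $session->{args}->{IDLength}, and store the id in $session->{data}->{_session_id}.
sub generate {
    my $session = shift;
    my $length  = $session->{args}->{IDLength} // 64;   # sha256_hex is 64 hex chars
    die "IDLength must be between 1 and 64" if $length < 1 || $length > 64;

    # 32 bytes = 256 bits of entropy per id, straight from the kernel. The hash
    # only gives a fixed hex format; the unpredictability comes from urandom().
    my $bytes = urandom(32);
    $session->{data}->{_session_id} = substr( sha256_hex($bytes), 0, $length );
}

# Whitelist check before an id is used to look up a session: hex only.
sub validate {
    my $session = shift;
    my $id = $session->{data}->{_session_id};
    if ( defined $id && $id =~ /^([a-fA-F0-9]+)$/ ) {
        $session->{data}->{_session_id} = $1;   # untaint
        return 1;
    }
    die "Invalid session ID: " . ( defined $id ? $id : '<undef>' );
}

package main;

# Constructed session stub with just the two fields the generator touches.
my $session = { args => { IDLength => 64 }, data => {} };
My::Session::Generate::SHA256::generate($session);
My::Session::Generate::SHA256::validate($session);
print "id: $session->{data}->{_session_id}\n";

# Format sanity check over a small batch: every id is 64 lowercase hex chars and
# none repeats. This checks the formatting, not the entropy source; the source
# is what the bug report is about, and urandom() is the fix for that.
my %seen;
for ( 1 .. 1000 ) {
    my $s = { args => {}, data => {} };
    My::Session::Generate::SHA256::generate($s);
    die "unexpected id format" unless $s->{data}->{_session_id} =~ /^[0-9a-f]{64}$/;
    die "duplicate id"         if $seen{ $s->{data}->{_session_id} }++;
}
print "1000 ids: all 64-char hex, no duplicates\n";
```

The validate() step matters as much as the entropy change: a session store should only ever look up ids that pass the hex whitelist, so a malformed id is rejected before it reaches the backend.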



More information about the pkg-perl-maintainers mailing list