Bug#930659: libapache-session-perl: poor source of entropy for session id generation

Xavier yadd at debian.org
Thu Jun 20 06:24:52 BST 2019


On 18/06/2019 at 09:56, Xavier wrote:
> On 18/06/2019 at 09:46, Xavier wrote:
>> On 17/06/2019 at 22:44, Raphael Geissert wrote:
>>> Package: libapache-session-perl
>>> Version: 1.93-3
>>> Severity: important
>>> Tags: security
>>>
>>> Hi,
>>>
>>> As discussed in oss-security[1], libapache-session-perl uses a poor
>>> source of entropy in Apache::Session::Generate::MD5. The critical part
>>> is moving away from rand (e.g. to using urandom), but it would also be
>>> a good time to update the way the id is generated.
>>>
>>> The details are in the oss-sec thread.
>>>
>>> [1] https://www.openwall.com/lists/oss-security/2019/06/15/1
>>>
>>> Cheers,
>>
>> Hi all,
>>
>> lemonldap-ng is not affected by this issue even if it depends on
>> Apache::Session: it uses its own
>> Lemonldap::NG::Common::Apache::Session::Generate::SHA256 which uses
>> Crypt::URandom instead of rand(). This can be easily backported to
>> Apache::Session but changes the generated id: SHA256 is longer.
> 
> This is true for lemonldap-ng ≥ 2.0.2 (buster), 1.9.x versions (stretch)
> are concerned by this issue.
> 
> Fix is referenced here:
> https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1633

I proposed a fix here:
https://salsa.debian.org/perl-team/modules/packages/libapache-session-perl/merge_requests/1

Cheers,
Xavier
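As an added illustration of the point raised in this thread (this is example code, not code from Apache::Session, lemonldap-ng or the proposed merge request), the following script contrasts a session-id generator whose only secret input is rand(), the pattern the report criticises in Apache::Session::Generate::MD5, with one that draws its bytes from the kernel CSPRNG. It uses only core Perl modules; reading /dev/urandom directly is an assumption made to keep it dependency-free (lemonldap-ng uses Crypt::URandom, which wraps the platform's secure source), and the function names are the example's own.

```perl
#!/usr/bin/perl
# Added example, not code from Apache::Session or lemonldap-ng.
# Weak rand()-based session ids versus ids fed from the kernel CSPRNG.
# Assumptions: a Unix /dev/urandom device; core modules only.
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);
use Digest::SHA qw(sha256_hex);

# Weak pattern (simplified illustration of the reported design): time and
# pid are guessable, so rand() carries all of the secrecy. rand() is not a
# cryptographic generator: it has a small internal state and deterministic
# output, so it must not be the only unpredictable input to a token.
sub weak_session_id {
    my ( $t, $pid ) = @_;
    $t   //= time();
    $pid //= $$;
    return substr( md5_hex( md5_hex( $t . $pid . rand() ) ), 0, 32 );
}

# Read exactly $n bytes from the kernel CSPRNG (assumption: /dev/urandom).
# A production module would use Crypt::URandom for portability.
sub urandom_bytes {
    my ($n) = @_;
    open my $fh, '<:raw', '/dev/urandom'
        or die "cannot open /dev/urandom: $!";
    my $got = read( $fh, my $buf, $n );
    close $fh;
    die "short read from /dev/urandom"
        unless defined $got && $got == $n;
    return $buf;
}

# Hardened pattern: 32 bytes (256 bits) of CSPRNG output, hashed with
# SHA-256 to a fixed-width 64-character hex token. As the thread notes,
# this id is longer than the 32-character MD5 form, so anything that
# stores or validates the old width must be updated alongside it.
sub strong_session_id {
    return sha256_hex( urandom_bytes(32) );
}

# Input validation on the server side: only accept well-formed ids before
# touching the session store, so malformed cookies never reach the backend.
sub is_valid_session_id {
    my ($id) = @_;
    return defined $id && $id =~ /\A[0-9a-f]{64}\z/;
}

# Demonstration of why rand() is the wrong source: once the generator's
# state is fixed, the "random" id is fully reproducible. The CSPRNG-backed
# id is not affected by srand() at all.
sub demo {
    my ( $t, $pid ) = ( 1560802800, 4242 );    # constructed sample inputs
    srand(42);
    my $weak_a = weak_session_id( $t, $pid );
    srand(42);
    my $weak_b = weak_session_id( $t, $pid );
    printf "weak id (seed 42):     %s\n", $weak_a;
    printf "weak id again:         %s  reproducible=%s\n",
        $weak_b, ( $weak_a eq $weak_b ? 'yes' : 'no' );

    srand(42);
    my $strong_a = strong_session_id();
    srand(42);
    my $strong_b = strong_session_id();
    printf "strong id:             %s\n", $strong_a;
    printf "strong id again:       %s  reproducible=%s\n",
        $strong_b, ( $strong_a eq $strong_b ? 'yes' : 'no' );
    printf "strong id well-formed: %s\n",
        ( is_valid_session_id($strong_a) ? 'yes' : 'no' );
}

demo() unless caller;
```

Run it with `perl session_id.pl`: the two weak ids are identical because the generator's state was pinned with srand(), while the two strong ids differ regardless of seeding. The validator accepts only the 64-character lowercase hex form produced by the hardened generator, which is the check a server should apply to an incoming session cookie before any store lookup.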



More information about the pkg-perl-maintainers mailing list