Bug#930660: libapache-sessionx-perl: poor source of entropy for session id generation

gregor herrmann gregoa at debian.org
Sat May 17 13:36:41 BST 2025


Control: severity -1 serious

On Sat, 17 May 2025 13:38:22 +0300, Niko Tyni wrote:

>On Mon, Jun 17, 2019 at 10:44:52PM +0200, Raphael Geissert wrote:
>> Package: libapache-sessionx-perl
>> Version: 2.01-5
>> Severity: important
>> Tags: security
>>
>> Hi,
>>
>> As discussed in oss-security[1], libapache-sessionx-perl uses a poor
>> source of entropy in Apache::Session::Generate::MD5. The critical part
>> is moving away from rand (e.g. to using urandom), but it would also be
>> a good time to update the way the id is generated.
>>
>> The details are in the oss-sec thread.
>>
>> [1] https://www.openwall.com/lists/oss-security/2019/06/15/1
>
>AFAICS libapache-sessionx-perl only exists to support libembperl-perl.
>As we're not going to ship libembperl-perl in trixie due to #1042845,
>I wonder if we should remove libapache-sessionx-perl from testing too?

Agreed.
I'm raising the severity to trigger the auto-removal from testing.

>Alternatively, the approach taken for libapache-session-perl #930659
>(using Crypt::URandom) seems easy to apply here as well.
>  https://sources.debian.org/src/libapache-session-perl/1.94-2/debian/patches/use-crypt-urandom.patch/

Ack, if someone is interested in the package; otherwise just getting 
it out of testing seems fine to me.


Cheers,
gregor

-- 
  .''`.  https://info.comodo.priv.at -- Debian Developer https://www.debian.org
  : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
  `. `'  Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
    `-   
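As an added illustration (not code from this thread, from Apache::Session, or from the Debian patch it references), written in Perl because the packages under discussion are Perl modules: a session-id generator in the style of Apache::Session::Generate::MD5 whose only unpredictable input is rand(), beside a hardened variant that reads from the OS CSPRNG through Crypt::URandom, the module the libapache-session-perl patch linked above switches to. The function names weak_id and strong_id, the fixed time and pid values and the seed are constructed for the demonstration; only Digest::MD5 and Crypt::URandom are real modules.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5   qw(md5_hex);
use Crypt::URandom qw(urandom);   # urandom($n): $n bytes from /dev/urandom or equivalent

# Weak generator, modelled on Apache::Session::Generate::MD5 (a reconstruction
# for illustration, not the module's verbatim code). time() and the pid are
# guessable, so the whole id hinges on rand(), a small-state, reseedable PRNG.
# $time and $pid are parameters here only so the behaviour can be shown
# deterministically; the real module reads them from the environment.
sub weak_id {
    my ($time, $pid, $length) = @_;
    $length //= 32;
    return substr( md5_hex( md5_hex( $time . rand() . $pid ) ), 0, $length );
}

# Hardened generator: 16 bytes (128 bits) from the kernel CSPRNG, hex-encoded
# to keep the same 32-character alphabet and length as the original ids.
# Nothing from time(), $$ or rand() is mixed in because none of it adds
# security on top of proper OS randomness.
sub strong_id {
    my ($length) = @_;
    $length //= 32;
    my $bytes = urandom( int( ( $length + 1 ) / 2 ) );   # ceil($length/2) bytes
    return substr( unpack( 'H*', $bytes ), 0, $length );
}

# Demonstration with constructed inputs: once rand() is reseeded to the same
# value, the "random" session id is reproduced byte for byte, which is exactly
# why rand() is unsuitable here. The urandom-backed id does not repeat.
srand(1234);
my $id1 = weak_id( 1_700_000_000, 4242 );
srand(1234);
my $id2 = weak_id( 1_700_000_000, 4242 );
printf "weak id   : %s\n", $id1;
printf "weak id   : %s  (same seed => %s)\n", $id2, $id1 eq $id2 ? 'identical' : 'different';

my ( $s1, $s2 ) = ( strong_id(), strong_id() );
printf "strong id : %s\n", $s1;
printf "strong id : %s  (%s)\n", $s2, $s1 eq $s2 ? 'identical' : 'different';
```

Run it with `perl generate-demo.pl` after installing libcrypt-urandom-perl (Debian) or Crypt::URandom from CPAN. The check a reviewer would apply to any session-id code is the one the demo makes visible: if reseeding the PRNG reproduces the id, the id is a function of a small seed rather than of fresh entropy, and the generator needs to be moved to the OS CSPRNG.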