Your message dated Sun, 10 Aug 2025 20:42:13 +0000
with message-id <[email protected]>
and subject line Bug#1109406: fixed in libauthen-sasl-perl 2.1900-1
has caused the Debian Bug report #1109406,
regarding libauthen-sasl-perl: CVE-2025-40918
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1109406: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109406
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libauthen-sasl-perl
Version: 2.1700-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/gbarr/perl-authen-sasl/pull/22
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libauthen-sasl-perl.

CVE-2025-40918[0]:
| Authen::SASL::Perl::DIGEST_MD5 versions 2.04 through 2.1800 for Perl
| generates the cnonce insecurely.  The cnonce (client nonce) is
| generated from an MD5 hash of the PID, the epoch time and the built-
| in rand function. The PID will come from a small set of numbers, and
| the epoch time may be guessed, if it is not leaked from the HTTP
| Date header. The built-in rand function is unsuitable for
| cryptographic usage.  According to RFC 2831, The cnonce-value is an
| opaque quoted string value provided by the client and used by both
| client and server to avoid chosen plaintext attacks, and to provide
| mutual authentication. The security of the implementation  depends
| on a good choice. It is RECOMMENDED that it contain at least 64 bits
| of entropy.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-40918
    https://www.cve.org/CVERecord?id=CVE-2025-40918
[1] https://github.com/gbarr/perl-authen-sasl/pull/22
[2] https://security.metacpan.org/patches/A/Authen-SASL/2.1800/CVE-2025-40918-r1.patch

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
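The bug report above quotes the weak cnonce construction (an MD5 hash over the PID, the epoch time and Perl's built-in rand), and the fixed upstream release 2.1900 replaces it with bytes drawn from the operating system's randomness source via Crypt::URandom. The following Perl snippet is an added illustration, not code from Authen::SASL itself: `weak_cnonce` mirrors the pattern described in the CVE text, `secure_cnonce` shows the CSPRNG-backed form, and `check_nonce_source` is a hypothetical sanity check. The 16-byte nonce length and the function names are assumptions of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5    qw(md5_hex);
use Crypt::URandom qw(urandom);   # libcrypt-urandom-perl, as in the 2.1900 dependencies

# The construction the CVE text describes: every input is guessable or
# non-cryptographic. Shown only to contrast with the hardened form below;
# this is an illustration, not the module's own code.
sub weak_cnonce {
    return md5_hex($$ . time() . rand());
}

# Hardened form: read the nonce from the OS CSPRNG (/dev/urandom or the
# platform equivalent, as Crypt::URandom selects). 16 bytes = 128 bits,
# comfortably above the 64 bits RFC 2831 recommends as a minimum.
sub secure_cnonce {
    my $nbytes = shift // 16;           # assumed default size for this example
    return unpack('H*', urandom($nbytes));
}

# Hypothetical audit helper: confirms a generator yields nonces long enough
# to carry $min_bits of entropy and does not repeat within a run. Note that
# weak_cnonce passes this too: MD5 output looks random even when its inputs
# are predictable, so output-only tests cannot detect the CVE; the source
# of randomness itself has to be reviewed.
sub check_nonce_source {
    my ($gen, $min_bits) = @_;
    $min_bits //= 64;
    my %seen;
    for (1 .. 1000) {
        my $nonce = $gen->();
        return 0 if length($nonce) < $min_bits / 4;   # 4 bits per hex digit
        return 0 if $seen{$nonce}++;                   # collision within the run
    }
    return 1;
}

print "secure cnonce: ", secure_cnonce(), "\n";
printf "secure generator passes length/uniqueness check: %d\n",
    check_nonce_source(\&secure_cnonce, 64);
printf "weak generator also passes the same check: %d (which is the point)\n",
    check_nonce_source(\&weak_cnonce, 64);
```

When reviewing a package for this class of issue, look for the randomness source (rand, time, PID) rather than at the shape of the output; a hash of low-entropy inputs is indistinguishable from a good nonce by inspection.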
--- Begin Message ---
Source: libauthen-sasl-perl
Source-Version: 2.1900-1
Done: Salvatore Bonaccorso <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libauthen-sasl-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated 
libauthen-sasl-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 10 Aug 2025 21:49:44 +0200
Source: libauthen-sasl-perl
Architecture: source
Version: 2.1900-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 1109406
Changes:
 libauthen-sasl-perl (2.1900-1) unstable; urgency=medium
 .
   * Team upload.
   * Import upstream version 2.1900.
     - Generate cnonce and nonce from system randomness (CVE-2025-40918)
       (Closes: #1109406)
   * Add (Build-)Depends(-Indep) on libcrypt-urandom-perl
   * d/u/metadata: Update according to new upstream location
Checksums-Sha1:
 8b1052212b8df8909305ee506c77868f40a1c7bf 2374 libauthen-sasl-perl_2.1900-1.dsc
 4baaca700ba1ff6624db40daddf52b13b518bf9a 40345 libauthen-sasl-perl_2.1900.orig.tar.gz
 f24a289fbae94b83c12f55bbdf3bcf2ff830190b 4888 libauthen-sasl-perl_2.1900-1.debian.tar.xz
Checksums-Sha256:
 6d6b134be1354894aaad0c6882ddd39d43771c0e82096db9cec90805b5e5dedb 2374 libauthen-sasl-perl_2.1900-1.dsc
 be3533a6891b2e677150b479c1a0d4bf11c8bbeebed3e7b8eba34053e93923b0 40345 libauthen-sasl-perl_2.1900.orig.tar.gz
 82b5cc474f8ee07bd8a6dc3c448b76cac30d0250c0bc83fcc31817830171e94f 4888 libauthen-sasl-perl_2.1900-1.debian.tar.xz
Files:
 5c280fa617e44ba278e3da99497d8145 2374 perl optional libauthen-sasl-perl_2.1900-1.dsc
 ae386b2d166c7d10d7bd5bbc9c44a75e 40345 perl optional libauthen-sasl-perl_2.1900.orig.tar.gz
 b6583ead0166d5d3bc521584be14b2ef 4888 perl optional libauthen-sasl-perl_2.1900-1.debian.tar.xz



--- End Message ---