Your message dated Sun, 21 Sep 2025 17:54:52 +0000
with message-id <[email protected]>
and subject line Bug#930662: fixed in libauth-googleauth-perl 1.09-1
has caused the Debian Bug report #930662,
regarding libauth-googleauth-perl: poor source of entropy for secret generation
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
930662: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930662
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libauth-googleauth-perl
Version: 1.02-1
Severity: important
Tags: security

Hi,

Auth::GoogleAuth uses the rand function to generate a 16-byte secret
key for TOTP authentication. Sadly, rand is a poor source of
randomness and unsuitable for crypto-related uses.

Following RFC 6238's SHOULDs, Auth::GoogleAuth should use a CSPRNG like
urandom as a source to generate the key, and possibly generate a
20-byte key to follow a second SHOULD.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org

--- End Message ---
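
An added illustration of the report's point, not code from Auth::GoogleAuth or from either message in this thread: a rand()-based secret is fully determined by the PRNG seed, while Crypt::PRNG (the module named in the 1.09 changelog) draws from a CSPRNG. The helper names `weak_secret`, `strong_secret` and `base32_encode` and the seed value are hypothetical, and the script assumes CryptX (which provides Crypt::PRNG) is installed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Crypt::PRNG qw(random_bytes);    # CSPRNG interface shipped with CryptX

# RFC 4648 base32 without padding, the form authenticator apps accept.
sub base32_encode {
    my ($bytes) = @_;
    my @alphabet = ('A' .. 'Z', '2' .. '7');
    my $bits = unpack('B*', $bytes);
    $bits .= '0' x (-length($bits) % 5);    # pad to a multiple of 5 bits
    return join '', map { $alphabet[ oct("0b$_") ] } $bits =~ /(.{5})/g;
}

# Hypothetical rand()-based generator of the kind the report describes:
# every output byte is a function of the PRNG seed and nothing else.
sub weak_secret {
    my ($len) = @_;
    return join '', map { chr(int(rand(256))) } 1 .. $len;
}

# CSPRNG-backed generator; 20 bytes is the length the report suggests.
sub strong_secret {
    my ($len) = @_;
    return random_bytes($len);
}

# Same seed (constructed value), same "secret": anyone who can recover
# or enumerate the seed can regenerate the TOTP key.
srand(12345);
my $first = weak_secret(16);
srand(12345);
my $second = weak_secret(16);
print "rand() secret repeats for an equal seed: ",
    ($first eq $second ? "yes" : "no"), "\n";

# Two CSPRNG draws are independent of each other and of any srand() call.
my $key_a = strong_secret(20);
my $key_b = strong_secret(20);
printf "CSPRNG secret (%d bytes): %s\n", length($key_a), base32_encode($key_a);
print "CSPRNG secrets differ between calls: ",
    ($key_a ne $key_b ? "yes" : "no"), "\n";
```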
--- Begin Message ---
Source: libauth-googleauth-perl
Source-Version: 1.09-1
Done: gregor herrmann <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libauth-googleauth-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann <[email protected]> (supplier of updated libauth-googleauth-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 21 Sep 2025 19:15:07 +0200
Source: libauth-googleauth-perl
Architecture: source
Version: 1.09-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <[email protected]>
Changed-By: gregor herrmann <[email protected]>
Closes: 930662
Changes:
 libauth-googleauth-perl (1.09-1) unstable; urgency=medium
 .
   * Team upload.
   * Import upstream version 1.09.
     Uses Crypt::PRNG for rand.
     Closes: #930662
   * Update test and runtime dependencies.
   * Install new SECURITY.md document.
   * Declare compliance with Debian Policy 4.7.2.
   * Remove «Rules-Requires-Root: no», which is the current default.
   * Remove «Priority: optional», which is the current default.


--- End Message ---
