Your message dated Fri, 12 Jun 2026 22:18:40 +0000
with message-id <[email protected]>
and subject line Bug#1139867: fixed in libcrypt-pbkdf2-perl 0.261630-1
has caused the Debian Bug report #1139867,
regarding libcrypt-pbkdf2-perl: CVE-2026-9638 CVE-2026-9641 CVE-2017-20240
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1139867: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1139867
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libcrypt-pbkdf2-perl
Version: 0.161520-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for libcrypt-pbkdf2-perl.

CVE-2026-9638[0]:
| Crypt::PBKDF2 versions before 0.261630 for Perl generate insecure
| random values for salts.  These versions use the built-in rand
| function, which is predictable and unsuitable for cryptography.


CVE-2026-9641[1]:
| Crypt::PBKDF2 versions before 0.261630 for Perl have a weak default
| algorithm and number of iterations.  The default algorithm is HMAC-
| SHA1, which should only be used for legacy systems.  These versions
| default to using 1000 iterations.  Depending on the chosen
| algorithm, 220,000 to 1,400,000 iterations should be used.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-9638
    https://www.cve.org/CVERecord?id=CVE-2026-9638
[1] https://security-tracker.debian.org/tracker/CVE-2026-9641
    https://www.cve.org/CVERecord?id=CVE-2026-9641

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libcrypt-pbkdf2-perl
Source-Version: 0.261630-1
Done: gregor herrmann <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libcrypt-pbkdf2-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann <[email protected]> (supplier of updated libcrypt-pbkdf2-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Sat, 13 Jun 2026 00:01:11 +0200
Source: libcrypt-pbkdf2-perl
Architecture: source
Version: 0.261630-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <[email protected]>
Changed-By: gregor herrmann <[email protected]>
Closes: 1139867
Changes:
 libcrypt-pbkdf2-perl (0.261630-1) unstable; urgency=medium
 .
   * Team upload.
   * Import upstream version 0.261630.
     - Change the default hash algorithm to HMAC-SHA256, and increase the
       default number of iterations to 600,000 (CVE-2026-9641).
     - Generate salts using Crypt::URandom instead of perl's builtin `rand()`
       (CVE-2026-9638).
     - Use a constant-time comparison in `validate` to avoid timing attacks
       (CVE-2017-20240).
     Closes: #1139867
   * Update debian/upstream/metadata.
   * Update years of upstream copyright.
   * debian/control: update build/test/runtime dependencies.
   * Declare compliance with Debian Policy 4.7.4.
   * Remove «Priority: optional», which is the current default.
   * Annotate test-only build dependencies with <!nocheck>.
Checksums-Sha1:
 ab207064965b55696295f18d043e8f0df5758ea9 2794 libcrypt-pbkdf2-perl_0.261630-1.dsc
 699cfaeb3ea8e679a514bf400703b31d68af4f42 17986 libcrypt-pbkdf2-perl_0.261630.orig.tar.gz
 70d8b5c5575c22687f1d3f078a3810c52db91d85 3096 libcrypt-pbkdf2-perl_0.261630-1.debian.tar.xz
Checksums-Sha256:
 735c6f21b25c34ef047c02a15e0605c26ef0b54bf3a7d5ffa21b5b29a2e06fff 2794 libcrypt-pbkdf2-perl_0.261630-1.dsc
 18757189638932b309b34c45bb810aa3e4856e3ed580100017dade65793f46c0 17986 libcrypt-pbkdf2-perl_0.261630.orig.tar.gz
 e3838a0a70d2ff721b3a9edf0dd51be45ec685bc00a7f731ebb0b957a3e806ee 3096 libcrypt-pbkdf2-perl_0.261630-1.debian.tar.xz
Files:
 1dbb462b47c2b89694b6844733994aac 2794 perl optional libcrypt-pbkdf2-perl_0.261630-1.dsc
 7ecd1f4830904a0e9c0a2eea79ca74a5 17986 perl optional libcrypt-pbkdf2-perl_0.261630.orig.tar.gz
 26dafb754eb13af02020e2c93580b358 3096 perl optional libcrypt-pbkdf2-perl_0.261630-1.debian.tar.xz



--- End Message ---
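To make the three fixes in the changelog concrete (explicit HMAC-SHA256 with 600,000 iterations, a salt from Crypt::URandom instead of rand(), and a constant-time comparison), here is an added example of mine; it is not code from the bug report, the upstream module or the Debian package. It passes every parameter explicitly so the result is the same whether the installed Crypt::PBKDF2 is older or newer than 0.261630. It assumes Crypt::PBKDF2 and Crypt::URandom are installed; the constructor keys and the generate()/PBKDF2() methods are taken from Crypt::PBKDF2's documentation rather than from anything in this thread, and hash_password, verify_password and constant_time_eq are names chosen for this example.

```perl
#!/usr/bin/perl
# Added example, not code from the bug report, upstream, or the package:
# hash and verify passwords with Crypt::PBKDF2 without relying on the
# module's version-specific defaults. Constructor keys and the
# generate()/PBKDF2() methods follow Crypt::PBKDF2's documentation;
# the helper names are this example's own.
use strict;
use warnings;
use Crypt::PBKDF2;
use Crypt::URandom qw(urandom);

# Pre-0.261630 defaults, as described by CVE-2026-9641 and CVE-2026-9638:
#   Crypt::PBKDF2->new()   # HMAC-SHA1, 1000 iterations, salt from rand()
# Naming the parameters explicitly gives the hardened behaviour on old and
# new versions of the module alike.
my $pbkdf2 = Crypt::PBKDF2->new(
    hash_class => 'HMACSHA2',
    hash_args  => { sha_size => 256 },   # HMAC-SHA256
    iterations => 600_000,               # the default adopted in 0.261630
    output_len => 32,                    # one SHA-256 output, in bytes
    salt_len   => 16,                    # used only if generate() picks the salt
);

# Returns { salt, hash } as raw bytes. The salt comes from the OS CSPRNG via
# Crypt::URandom, never from perl's rand().
sub hash_password {
    my ($password) = @_;
    my $salt = urandom(16);   # 128-bit salt
    return {
        salt => $salt,
        hash => $pbkdf2->PBKDF2($salt, $password),   # raw PBKDF2 output
    };
}

# Compare two byte strings in time that depends only on their length, not on
# where they first differ. A data-dependent `eq` is what CVE-2017-20240
# concerns in validate(); comparing here avoids relying on the installed
# version for it. Lengths are public (fixed output_len), so the early return
# on a length mismatch reveals nothing secret.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    for my $i (0 .. length($x) - 1) {
        $diff |= ord(substr($x, $i, 1)) ^ ord(substr($y, $i, 1));
    }
    return $diff == 0;
}

sub verify_password {
    my ($record, $password) = @_;
    my $candidate = $pbkdf2->PBKDF2($record->{salt}, $password);
    return constant_time_eq($record->{hash}, $candidate);
}

# Demo with a constructed sample password. The generate() line prints the
# module's own crypt-style string for the same salt, which is the form
# generate()/validate() store and check.
my $password = 'correct horse battery staple';   # constructed sample
my $record   = hash_password($password);
print $pbkdf2->generate($password, $record->{salt}), "\n";
print verify_password($record, $password)     ? "accepted\n" : "BUG\n";
print verify_password($record, 'wrong guess') ? "BUG\n"      : "rejected\n";
```

The demo runs four full derivations at 600,000 iterations in Crypt::PBKDF2's pure-Perl loop, so expect a few seconds per derivation; that cost is the point of the iteration count, and it is why the work factor should be tuned per deployment rather than left at a library default.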