Your message dated Tue, 16 Jun 2026 20:47:35 +0000
with message-id <[email protected]>
and subject line Bug#1139867: fixed in libcrypt-pbkdf2-perl 0.261630-1~deb13u1~deb12u1
has caused the Debian Bug report #1139867,
regarding libcrypt-pbkdf2-perl: CVE-2026-9638 CVE-2026-9641 CVE-2017-20240
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1139867: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1139867
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libcrypt-pbkdf2-perl
Version: 0.161520-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for libcrypt-pbkdf2-perl.

CVE-2026-9638[0]:
| Crypt::PBKDF2 versions before 0.261630 for Perl generate insecure
| random values for salts.  These versions use the built-in rand
| function, which is predictable and unsuitable for cryptography.


CVE-2026-9641[1]:
| Crypt::PBKDF2 versions before 0.261630 for Perl have a weak default
| algorithm and number of iterations.  The default algorithm is
| HMAC-SHA1, which should only be used for legacy systems.  These
| versions default to using 1000 iterations.  Depending on the chosen
| algorithm, 220,000 to 1,400,000 iterations should be used.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-9638
    https://www.cve.org/CVERecord?id=CVE-2026-9638
[1] https://security-tracker.debian.org/tracker/CVE-2026-9641
    https://www.cve.org/CVERecord?id=CVE-2026-9641

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libcrypt-pbkdf2-perl
Source-Version: 0.261630-1~deb13u1~deb12u1
Done: Salvatore Bonaccorso <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libcrypt-pbkdf2-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated libcrypt-pbkdf2-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Sat, 13 Jun 2026 11:44:25 +0200
Source: libcrypt-pbkdf2-perl
Architecture: source
Version: 0.261630-1~deb13u1~deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian Perl Group <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 1139867
Changes:
 libcrypt-pbkdf2-perl (0.261630-1~deb13u1~deb12u1) bookworm; urgency=medium
 .
   * Rebuild for bookworm
 .
 libcrypt-pbkdf2-perl (0.261630-1~deb13u1) trixie; urgency=medium
 .
   * Rebuild for trixie
   * Revert "Annotate test-only build dependencies with <!nocheck>."
   * Revert "Remove «Priority: optional», which is the current default."
   * Revert "Declare compliance with Debian Policy 4.7.4."
 .
 libcrypt-pbkdf2-perl (0.261630-1) unstable; urgency=medium
 .
   * Team upload.
   * Import upstream version 0.261630.
     - Change the default hash algorithm to HMAC-SHA256, and increase the
       default number of iterations to 600,000 (CVE-2026-9641).
     - Generate salts using Crypt::URandom instead of perl's builtin `rand()`
       (CVE-2026-9638).
     - Use a constant-time comparison in `validate` to avoid timing attacks
       (CVE-2017-20240).
     Closes: #1139867
   * Update debian/upstream/metadata.
   * Update years of upstream copyright.
   * debian/control: update build/test/runtime dependencies.
   * Declare compliance with Debian Policy 4.7.4.
   * Remove «Priority: optional», which is the current default.
   * Annotate test-only build dependencies with <!nocheck>.



--- End Message ---
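The three weaknesses named in this thread (salts from perl's `rand()`, the HMAC-SHA1/1000-iteration defaults, and a non-constant-time `validate`) addressed in one hardened use of Crypt::PBKDF2. This is an added example, not code from the bug report, the upstream module or the Debian package; it assumes the `Crypt::PBKDF2` constructor options, `generate`, `PBKDF2` and `decode_string` as documented on CPAN (with `decode_string` returning raw salt and hash bytes) and `urandom` from Crypt::URandom.

```perl
#!/usr/bin/perl
# Added example (not from the bug report or the package): hardened Crypt::PBKDF2 usage.
use strict;
use warnings;
use Crypt::PBKDF2;
use Crypt::URandom qw(urandom);

# CVE-2026-9641: do not rely on the old defaults (HMAC-SHA1, 1000 iterations).
# These values match what the changelog says upstream 0.261630 now defaults to;
# pinning them explicitly also protects hosts still running 0.161520-2.
my $pbkdf2 = Crypt::PBKDF2->new(
    hash_class => 'HMACSHA2',
    hash_args  => { sha_size => 256 },
    iterations => 600_000,
    output_len => 32,
    salt_len   => 16,
);

# CVE-2026-9638: affected versions drew salts from perl's rand(). Passing a
# salt taken from the OS CSPRNG via Crypt::URandom bypasses that generator.
sub hash_password {
    my ($password) = @_;
    return $pbkdf2->generate($password, urandom(16));
}

# Constant-time byte comparison: the XOR of every byte pair is accumulated and
# only inspected at the end, so run time does not depend on where a mismatch is.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# CVE-2017-20240: per the changelog, validate() in affected versions did not use a
# constant-time comparison. Here the stored salt is recovered with decode_string
# (assumed to return raw bytes), the hash is recomputed with the same parameters
# as hash_password, and the two digests are compared in constant time.
sub verify_password {
    my ($stored, $password) = @_;
    my $parts      = $pbkdf2->decode_string($stored);
    my $recomputed = $pbkdf2->PBKDF2($parts->{salt}, $password);   # salt comes first
    return constant_time_eq($parts->{hash}, $recomputed);
}

my $stored = hash_password('correct horse battery staple');
print "stored:   $stored\n";
print "good pw:  ", (verify_password($stored, 'correct horse battery staple') ? 'ok' : 'FAIL'), "\n";
print "wrong pw: ", (verify_password($stored, 'Tr0ub4dor&3') ? 'FAIL' : 'rejected'), "\n";
```

Each call takes a few seconds at 600,000 iterations; that cost is the point of the higher iteration count.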
