Your message dated Sat, 11 Jul 2026 10:42:30 +0000
with message-id <[email protected]>
and subject line Released in 12.15
has caused the Debian Bug report #1136626,
regarding bookworm-pu: package
libapache-session-browseable-perl/1.3.11-3+deb12u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1136626: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136626
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected],
[email protected]
Control: affects -1 + src:libapache-session-browseable-perl
User: [email protected]
Usertags: pu
[ Reason ]
Apache::Session::Generate::SHA256 seeded its session identifier from
low-entropy sources (time(), PID, rand(), stringified hash ref).
CVE-2026-8503
[ Impact ]
Medium security issue
[ Tests ]
Test pass
[ Risks ]
No risk, patch is trivial
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Use Crypt::URandom
diff --git a/debian/changelog b/debian/changelog
index 9495053..60e3365 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+libapache-session-browseable-perl (1.3.11-3+deb12u1) bookworm; urgency=medium
+
+ * Improve Apache::Session::Generate::SHA256 entropy (Closes: CVE-2026-8503)
+
+ -- Xavier Guimard <[email protected]> Thu, 14 May 2026 07:47:45 +0200
+
libapache-session-browseable-perl (1.3.11-3) unstable; urgency=medium
[ Debian Janitor ]
diff --git a/debian/patches/CVE-2026-8503.patch
b/debian/patches/CVE-2026-8503.patch
new file mode 100644
index 0000000..088e740
--- /dev/null
+++ b/debian/patches/CVE-2026-8503.patch
@@ -0,0 +1,50 @@
+Description: Use Crypt::URandom for session ID generation
+ Apache::Session::Generate::SHA256 seeded its session identifier from
+ low-entropy sources (time(), PID, rand(), stringified hash ref). The
+ seed could be guessed, allowing prediction of session IDs. This mirrors
+ CVE-2025-40931 / CVE-2025-40932 in the upstream MD5 generators.
+Author: Yadd <[email protected]>
+Origin: upstream, commit:cc915cbbd
+Forwarded: not-needed
+Applied-Upstream: 1.3.19, commit:cc915cbbd
+Last-Update: 2026-05-14
+
+--- a/lib/Apache/Session/Generate/SHA256.pm
++++ b/lib/Apache/Session/Generate/SHA256.pm
+@@ -4,6 +4,7 @@
+ use strict;
+ use vars qw($VERSION);
+ use Digest::SHA qw(sha256 sha256_hex sha256_base64);
++use Crypt::URandom;
+
+ $VERSION = '1.2.2';
+
+@@ -15,13 +16,21 @@
+ $length = $session->{args}->{IDLength};
+ }
+
+- $session->{data}->{_session_id} = substr(
+- Digest::SHA::sha256_hex(
+- Digest::SHA::sha256_hex( time() . {} . rand() . $$ )
+- ),
+- 0, $length
+- );
+-
++ eval {
++ $session->{data}->{_session_id} = substr(
++ unpack( 'H*', Crypt::URandom::urandom( int( ( $length + 1 ) / 2 )
) ),
++ 0, $length
++ );
++ };
++ if ($@) {
++ require Digest::SHA;
++ $session->{data}->{_session_id} = substr(
++ Digest::SHA::sha256_hex(
++ Digest::SHA::sha256_hex( time() . {} . rand() . $$ )
++ ),
++ 0, $length
++ );
++ }
+ }
+
+ sub validate {
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..1f244c0
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2026-8503.patch
--- End Message ---
--- Begin Message ---
Version: 12.15
This update was released as part of 12.15.
--- End Message ---