Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:libapache-session-browseable-perl
User: [email protected]
Usertags: pu

[ Reason ]
Apache::Session::Generate::SHA256 seeded its session identifier from
low-entropy sources (time(), PID, rand(), stringified hash ref).
CVE-2026-8503

[ Impact ]
Medium security issue

[ Tests ]
Tests pass

[ Risks ]
No risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Use Crypt::URandom
diff --git a/debian/changelog b/debian/changelog
index 9495053..60e3365 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+libapache-session-browseable-perl (1.3.11-3+deb12u1) bookworm; urgency=medium
+
+  * Improve Apache::Session::Generate::SHA256 entropy (Closes: CVE-2026-8503)
+
+ -- Xavier Guimard <[email protected]>  Thu, 14 May 2026 07:47:45 +0200
+
 libapache-session-browseable-perl (1.3.11-3) unstable; urgency=medium
 
   [ Debian Janitor ]
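Review bot: `(Closes: CVE-2026-8503)` in the new changelog entry is not a closing reference dpkg recognises, since `Closes:` expects a Debian bug number of the form `#NNNNNN`; cite the CVE in plain parentheses and, if a bug was filed for it, add `Closes: #<bug>` so the BTS tracks the fix. The `bookworm` target and the `+deb12u1` revision are the right shape for a pu upload.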
diff --git a/debian/patches/CVE-2026-8503.patch 
b/debian/patches/CVE-2026-8503.patch
new file mode 100644
index 0000000..088e740
--- /dev/null
+++ b/debian/patches/CVE-2026-8503.patch
@@ -0,0 +1,50 @@
+Description: Use Crypt::URandom for session ID generation
+ Apache::Session::Generate::SHA256 seeded its session identifier from
+ low-entropy sources (time(), PID, rand(), stringified hash ref). The
+ seed could be guessed, allowing prediction of session IDs. This mirrors
+ CVE-2025-40931 / CVE-2025-40932 in the upstream MD5 generators.
+Author: Yadd <[email protected]>
+Origin: upstream, commit:cc915cbbd
+Forwarded: not-needed
+Applied-Upstream: 1.3.19, commit:cc915cbbd
+Last-Update: 2026-05-14
+
+--- a/lib/Apache/Session/Generate/SHA256.pm
++++ b/lib/Apache/Session/Generate/SHA256.pm
+@@ -4,6 +4,7 @@
+ use strict;
+ use vars qw($VERSION);
+ use Digest::SHA qw(sha256 sha256_hex sha256_base64);
++use Crypt::URandom;
+ 
+ $VERSION = '1.2.2';
+ 
+@@ -15,13 +16,21 @@
+         $length = $session->{args}->{IDLength};
+     }
+ 
+-    $session->{data}->{_session_id} = substr(
+-        Digest::SHA::sha256_hex(
+-            Digest::SHA::sha256_hex( time() . {} . rand() . $$ )
+-        ),
+-        0, $length
+-    );
+-
++    eval {
++        $session->{data}->{_session_id} = substr(
++            unpack( 'H*', Crypt::URandom::urandom( int( ( $length + 1 ) / 2 ) 
) ),
++            0, $length
++        );
++    };
++    if ($@) {
++        require Digest::SHA;
++        $session->{data}->{_session_id} = substr(
++            Digest::SHA::sha256_hex(
++                Digest::SHA::sha256_hex( time() . {} . rand() . $$ )
++            ),
++            0, $length
++        );
++    }
+ }
+ 
+ sub validate {
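Review bot: the fallback branch inside `if ($@)` cannot do what it intends and keeps the vulnerable code path alive. `use Crypt::URandom;` at the top of the file is resolved at compile time, so if the module is missing the whole file fails to load before `generate()` is ever called and the eval is never reached; if the module is present but `urandom()` dies (for example because /dev/urandom is not readable), the code silently issues an ID from the same `time() . {} . rand() . $$` seed this CVE is about. Prefer failing closed (`die "Cannot generate session ID: $@"`) over the fallback, drop the redundant `require Digest::SHA;` (the module is already `use`d at the top of the file), and confirm that debian/control already lists libcrypt-urandom-perl in Depends, since this debdiff adds no control change.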
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..1f244c0
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2026-8503.patch
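The generator the patch introduces, written out as an added illustration (not code from the package or the debdiff) with the one change a reviewer would ask for: no fallback to the old time()/PID/rand() seed when the CSPRNG is unavailable. The package name and the default IDLength of 64 are assumptions.

```perl
package Apache::Session::Generate::SHA256Example;   # hypothetical name

use strict;
use warnings;
use Crypt::URandom qw(urandom);

# Produce a hex session ID of $length characters drawn from the OS CSPRNG.
# Unlike the debdiff, a failure of urandom() is fatal: an ID that could not
# be drawn from a real entropy source must not be issued at all.
sub generate {
    my $session = shift;
    my $length  = 64;                       # assumed default, as in the patch
    if ( exists $session->{args}->{IDLength} ) {
        $length = $session->{args}->{IDLength};
    }
    die "IDLength must be a positive integer\n" unless $length =~ /^[1-9]\d*$/;

    # Two hex digits per byte; odd lengths need one extra byte, then truncate.
    my $nbytes = int( ( $length + 1 ) / 2 );
    my $bytes  = eval { urandom($nbytes) };
    die "Cannot generate session ID: " . ( $@ || "short read from urandom\n" )
        unless defined $bytes && length($bytes) == $nbytes;

    $session->{data}->{_session_id} =
        substr( unpack( 'H*', $bytes ), 0, $length );
    return $session->{data}->{_session_id};
}

# Accept only lowercase hex of exactly the configured length.
sub validate {
    my $session = shift;
    my $length  = exists $session->{args}->{IDLength}
        ? $session->{args}->{IDLength} : 64;
    my $id = $session->{data}->{_session_id};
    die "Invalid session ID\n"
        unless defined $id && $id =~ /^[0-9a-f]{$length}\z/;
    return 1;
}

# Small self-check when run directly (constructed session hash, odd length).
unless (caller) {
    my $s = { args => { IDLength => 33 }, data => {} };
    print generate($s), "\n";   # 33 lowercase hex characters
    validate($s);
}

1;
```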
