On 14/05/2026 at 07:45, Xavier Guimard wrote:
[ Reason ]
Apache::Session::Generate::SHA256 seeded its session identifier from low-entropy sources (time(), PID, rand(), stringified hash ref). CVE-2026-8503

[ Impact ]
Medium security issue

[ Tests ]
Test pass

[ Risks ]
No risk, patch is trivial

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
Use Crypt::URandom
Here is a better debdiff
diff --git a/debian/changelog b/debian/changelog index 1f3d151..3ea729a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +libapache-session-browseable-perl (1.3.16-1+deb13u1) trixie; urgency=medium + + * Improve Apache::Session::Generate::SHA256 entropy (Closes: CVE-2026-8503) + + -- Xavier Guimard <[email protected]> Thu, 14 May 2026 07:42:04 +0200 + libapache-session-browseable-perl (1.3.16-1) unstable; urgency=medium * Import upstream version 1.3.16. diff --git a/debian/patches/CVE-2026-8503.patch b/debian/patches/CVE-2026-8503.patch new file mode 100644 index 0000000..088e740 --- /dev/null +++ b/debian/patches/CVE-2026-8503.patch 
@@ -0,0 +1,50 @@ +Description: Use Crypt::URandom for session ID generation + Apache::Session::Generate::SHA256 seeded its session identifier from + low-entropy sources (time(), PID, rand(), stringified hash ref). The + seed could be guessed, allowing prediction of session IDs. This mirrors + CVE-2025-40931 / CVE-2025-40932 in the upstream MD5 generators. +Author: Yadd <[email protected]> +Origin: upstream, commit:cc915cbbd +Forwarded: not-needed +Applied-Upstream: 1.3.19, commit:cc915cbbd +Last-Update: 2026-05-14 + +--- a/lib/Apache/Session/Generate/SHA256.pm ++++ b/lib/Apache/Session/Generate/SHA256.pm +@@ -4,6 +4,7 @@ + use strict; + use vars qw($VERSION); + use Digest::SHA qw(sha256 sha256_hex sha256_base64); ++use Crypt::URandom; + + $VERSION = '1.2.2'; + +@@ -15,13 +16,21 @@ + $length = $session->{args}->{IDLength}; + } + +- $session->{data}->{_session_id} = substr( +- Digest::SHA::sha256_hex( +- Digest::SHA::sha256_hex( time() . {} . rand() . $$ ) +- ), +- 0, $length +- ); +- ++ eval { ++ $session->{data}->{_session_id} = substr( ++ unpack( 'H*', Crypt::URandom::urandom( int( ( $length + 1 ) / 2 ) ) ), ++ 0, $length ++ ); ++ }; ++ if ($@) { ++ require Digest::SHA; ++ $session->{data}->{_session_id} = substr( ++ Digest::SHA::sha256_hex( ++ Digest::SHA::sha256_hex( time() . {} . rand() . $$ ) ++ ), ++ 0, $length ++ ); ++ } + } + + sub validate { diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..1f244c0 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2026-8503.patch
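Review bot: the `+use Crypt::URandom;` line in the `@@ -4,6 +4,7 @@` hunk of SHA256.pm turns the new module into a hard load-time dependency, yet the debdiff touches only debian/changelog, debian/patches/series and the new patch file, with no change to debian/control; unless libcrypt-urandom-perl is already in the binary package's Depends, the generator will fail to compile on a stable system that lacks it. Please confirm the dependency is present or add it in the same upload, and mention it in the changelog entry.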
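Review bot: in the `@@ -15,13 +16,21 @@` hunk the `if ($@)` branch silently falls back to the exact low-entropy construction the patch is meant to remove (`Digest::SHA::sha256_hex( time() . {} . rand() . $$ )`), so a runtime failure of `Crypt::URandom::urandom()` (an unreadable /dev/urandom inside a chroot, for instance) would reproduce the CVE with nothing in the logs; consider at least a `warn`, or preferably a `die`, in that branch so a degraded deployment is detectable. Two smaller points: `require Digest::SHA;` inside the branch is redundant given the `use Digest::SHA qw(...)` already at the top of the module, and because `use Crypt::URandom;` runs at compile time the `eval {}` only covers a runtime failure, never a missing module, which the patch Description could state explicitly. The length arithmetic is fine: `int( ( $length + 1 ) / 2 )` bytes give at least `$length` hex characters before the `substr`.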

