On Thu, May 14, 2026 at 07:45:42AM +0200, Xavier Guimard wrote:
>...
> [ Reason ]
> Apache::Session::Generate::SHA256 seeded its session identifier from
> low-entropy sources (time(), PID, rand(), stringified hash ref).
> CVE-2026-8503
>...
> +libapache-session-browseable-perl (1.3.16-1+deb13u1) trixie; urgency=medium
> +
> + * Improve Apache::Session::Generate::SHA256 entropy (Closes:
> CVE-2025-40931)
>...
Which CVE number is correct?
>...
> +--- a/lib/Apache/Session/Generate/SHA256.pm
> ++++ b/lib/Apache/Session/Generate/SHA256.pm
> +@@ -4,6 +4,7 @@
> + use strict;
> + use vars qw($VERSION);
> + use Digest::SHA qw(sha256 sha256_hex sha256_base64);
> ++use Crypt::URandom;
> +
> + $VERSION = '1.2.2';
> +
> +@@ -15,13 +16,21 @@
> + $length = $session->{args}->{IDLength};
> + }
> +
> +- $session->{data}->{_session_id} = substr(
> +- Digest::SHA::sha256_hex(
> +- Digest::SHA::sha256_hex( time() . {} . rand() . $$ )
> +- ),
> +- 0, $length
> +- );
> +-
> ++ eval {
> ++ $session->{data}->{_session_id} = substr(
> ++ unpack( 'H*', Crypt::URandom::urandom( int( ( $length + 1 ) / 2
> ) ) ),
> ++ 0, $length
> ++ );
> ++ };
> ++ if ($@) {
> ++ require Digest::SHA;
> ++ $session->{data}->{_session_id} = substr(
> ++ Digest::SHA::sha256_hex(
> ++ Digest::SHA::sha256_hex( time() . {} . rand() . $$ )
> ++ ),
> ++ 0, $length
> ++ );
> ++ }
>...
libapache-session-browseable-perl should really add a dependency on
libcrypt-urandom-perl (also in unstable), currently this happens to work
due to a transitive dependency via libapache-session-perl but that's
fragile and might break.
cu
Adrian
