On 14/05/2026 at 21:23, Adrian Bunk wrote:
On Thu, May 14, 2026 at 07:45:42AM +0200, Xavier Guimard wrote:
...
[ Reason ]
Apache::Session::Generate::SHA256 seeded its session identifier from
low-entropy sources (time(), PID, rand(), stringified hash ref).
CVE-2026-8503
...
+libapache-session-browseable-perl (1.3.16-1+deb13u1) trixie; urgency=medium
+
+ * Improve Apache::Session::Generate::SHA256 entropy (Closes: CVE-2025-40931)
...
Which CVE number is correct?
Hi,
the correct CVE is the one given in the last debdiff: CVE-2026-8503, which is
a copy of CVE-2025-40931 but for this package.
...
libapache-session-browseable-perl should really add a dependency on
libcrypt-urandom-perl (also in unstable), currently this happens to work
due to a transitive dependency via libapache-session-perl but that's
fragile and might break.
Thank you, it's done in all 3:
- unstable (pending)
- trixie in the attached debdiff
- bookworm
Best regards,
Xavier
diff --git a/debian/changelog b/debian/changelog
index 1f3d151..3ea729a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+libapache-session-browseable-perl (1.3.16-1+deb13u1) trixie; urgency=medium
+
+ * Improve Apache::Session::Generate::SHA256 entropy (Closes: CVE-2026-8503)
+
+ -- Xavier Guimard <[email protected]> Thu, 14 May 2026 07:42:04 +0200
+
libapache-session-browseable-perl (1.3.16-1) unstable; urgency=medium
* Import upstream version 1.3.16.
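Review bot: the changelog entry only records the entropy fix, but this upload also adds the Depends and Build-Depends-Indep on libcrypt-urandom-perl in debian/control (the change requested in the quoted message); that deserves its own bullet, e.g. ` * Add (build-)dependency on libcrypt-urandom-perl`. The Closes: now reads CVE-2026-8503, consistent with the patch file name and its Description, which settles the CVE mismatch raised earlier in the thread.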
diff --git a/debian/control b/debian/control
index c6db777..2ae24b7 100644
--- a/debian/control
+++ b/debian/control
@@ -8,6 +8,7 @@ Build-Depends: debhelper-compat (= 13),
libmodule-build-perl,
perl
Build-Depends-Indep: libapache-session-perl <!nocheck>,
+ libcrypt-urandom-perl <!nocheck>,
libdbd-cassandra-perl <!nocheck>,
libdbd-mysql-perl <!nocheck>,
libdbd-sqlite3-perl <!nocheck>,
@@ -27,6 +28,7 @@ Multi-Arch: foreign
Depends: ${misc:Depends},
${perl:Depends},
libapache-session-perl,
+ libcrypt-urandom-perl,
libjson-perl
Suggests: libdbd-cassandra-perl,
libdbi-perl,
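Review bot: Depends, rather than Recommends, is the right strength here because the patched SHA256.pm does an unconditional `use Crypt::URandom;`: with the module absent the file fails at compile time and the `eval` fallback in the patch never gets a chance to run, so the transitive dependency via libapache-session-perl that this replaces really was the only thing keeping the package loadable.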
diff --git a/debian/patches/CVE-2026-8503.patch
b/debian/patches/CVE-2026-8503.patch
new file mode 100644
index 0000000..088e740
--- /dev/null
+++ b/debian/patches/CVE-2026-8503.patch
@@ -0,0 +1,50 @@
+Description: Use Crypt::URandom for session ID generation
+ Apache::Session::Generate::SHA256 seeded its session identifier from
+ low-entropy sources (time(), PID, rand(), stringified hash ref). The
+ seed could be guessed, allowing prediction of session IDs. This mirrors
+ CVE-2025-40931 / CVE-2025-40932 in the upstream MD5 generators.
+Author: Yadd <[email protected]>
+Origin: upstream, commit:cc915cbbd
+Forwarded: not-needed
+Applied-Upstream: 1.3.19, commit:cc915cbbd
+Last-Update: 2026-05-14
+
+--- a/lib/Apache/Session/Generate/SHA256.pm
++++ b/lib/Apache/Session/Generate/SHA256.pm
+@@ -4,6 +4,7 @@
+ use strict;
+ use vars qw($VERSION);
+ use Digest::SHA qw(sha256 sha256_hex sha256_base64);
++use Crypt::URandom;
+
+ $VERSION = '1.2.2';
+
+@@ -15,13 +16,21 @@
+ $length = $session->{args}->{IDLength};
+ }
+
+- $session->{data}->{_session_id} = substr(
+- Digest::SHA::sha256_hex(
+- Digest::SHA::sha256_hex( time() . {} . rand() . $$ )
+- ),
+- 0, $length
+- );
+-
++ eval {
++ $session->{data}->{_session_id} = substr(
++ unpack( 'H*', Crypt::URandom::urandom( int( ( $length + 1 ) / 2 )
) ),
++ 0, $length
++ );
++ };
++ if ($@) {
++ require Digest::SHA;
++ $session->{data}->{_session_id} = substr(
++ Digest::SHA::sha256_hex(
++ Digest::SHA::sha256_hex( time() . {} . rand() . $$ )
++ ),
++ 0, $length
++ );
++ }
+ }
+
+ sub validate {
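Review bot: the `eval { ... }; if ($@) { ... }` block silently reverts to the exact `time() . {} . rand() . $$` seed this CVE is about whenever `Crypt::URandom::urandom` throws (for example when /dev/urandom cannot be opened), so the fix can degrade to the vulnerable behaviour without any log line; a session store is better off dying, or at minimum calling `warn`, than issuing a predictable ID. Since the code is taken from upstream (Origin: upstream, commit:cc915cbbd) this is best raised there rather than diverged in Debian. Two smaller points: `require Digest::SHA;` in the fallback is redundant because the module is already loaded by `use Digest::SHA qw(...)` at the top of the file, and the `urandom( int( ( $length + 1 ) / 2 )` line appears wrapped onto a second line in this mail, so please confirm the attached debdiff has it on one line or quilt will reject the hunk.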
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..1f244c0
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2026-8503.patch
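As an added illustration (not code from libapache-session-browseable-perl or the upstream commit), the same Crypt::URandom construction as a stand-alone, fail-closed generator with a matching validator and a self-check; it assumes Crypt::URandom is installed and that a hex ID of exactly the configured length is what the store expects:

```perl
#!/usr/bin/perl
# Added example, not part of the package: fail-closed session ID generator.
# Unlike the patched Apache::Session::Generate::SHA256, there is no fallback
# to the low-entropy time()/rand()/$$ seed; if the OS CSPRNG is unavailable
# the call dies and no session is created.
use strict;
use warnings;
use Crypt::URandom;

# Return a lowercase hex session ID of exactly $length characters.
# Each random byte yields two hex digits, so ceil($length / 2) bytes suffice.
sub generate_session_id {
    my ($length) = @_;
    $length = 32 unless defined $length;
    die "IDLength must be a positive integer\n"
        unless $length =~ /^[1-9][0-9]*\z/;
    my $bytes = Crypt::URandom::urandom( int( ( $length + 1 ) / 2 ) );  # dies on failure
    return substr( unpack( 'H*', $bytes ), 0, $length );
}

# Accept only lowercase hex of the configured length, so a tampered cookie
# never reaches the backend store as a file name or query value.
sub validate_session_id {
    my ( $id, $length ) = @_;
    return ( defined $id && $id =~ /^[0-9a-f]{$length}\z/ ) ? 1 : 0;
}

# Self-check: correct length (including an odd one), hex only, no repeats.
for my $len ( 16, 32, 33 ) {
    my %seen;
    for ( 1 .. 1000 ) {
        my $id = generate_session_id($len);
        die "invalid ID $id for length $len\n"
            unless validate_session_id( $id, $len );
        die "duplicate ID $id\n" if $seen{$id}++;
    }
    print "length $len: 1000 unique, well-formed IDs\n";
}
```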