Source: libcrypt-pbkdf2-perl
Version: 0.161520-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for libcrypt-pbkdf2-perl.

CVE-2026-9638[0]:
| Crypt::PBKDF2 versions before 0.261630 for Perl generate insecure
| random values for salts. These versions use the built-in rand
| function, which is predictable and unsuitable for cryptography.

CVE-2026-9641[1]:
| Crypt::PBKDF2 versions before 0.261630 for Perl have a weak default
| algorithm and number of iterations. The default algorithm is
| HMAC-SHA1, which should only be used for legacy systems. These versions
| default to using 1000 iterations. Depending on the chosen
| algorithm, 220,000 to 1,400,000 iterations should be used.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-9638
    https://www.cve.org/CVERecord?id=CVE-2026-9638
[1] https://security-tracker.debian.org/tracker/CVE-2026-9641
    https://www.cve.org/CVERecord?id=CVE-2026-9641

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
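For application code that uses Crypt::PBKDF2 and cannot wait for the fixed package, the following is an added example (not part of the bug report above and not code from Crypt::PBKDF2 upstream) showing how to sidestep both issues from the caller's side: the salt is drawn from the OS CSPRNG via Crypt::URandom and passed to generate() explicitly, so the module's rand()-based salt path is never exercised (CVE-2026-9638), and the hasher is constructed with HMAC-SHA-256 and an iteration count inside the range the advisory cites instead of the HMAC-SHA1/1000 defaults (CVE-2026-9641). It also flags stored hashes made under the old defaults for re-hashing, because validate() takes its parameters from the stored string and will happily accept a legacy hash. The constructor arguments, generate()/validate()/decode_string() and the default values shown are taken from the module's documented interface; the choice of 600,000 iterations, the 16-byte salt, the function names and the sample password are this example's own.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Crypt::PBKDF2;
use Crypt::URandom qw(urandom);   # OS CSPRNG bytes; assumed available as a dependency

# Policy chosen for this example (not prescribed by the advisory beyond its range):
# HMAC-SHA-256, 600_000 iterations, 16-byte salt.
my $ITERATIONS = 600_000;
my $SALT_LEN   = 16;

# Hardened hasher. hash_class/hash_args select HMAC-SHA-2 with a 256-bit digest;
# output_len matches the digest size; salt_len is only used if the module has to
# generate a salt itself, which hash_password() below avoids.
sub hardened_hasher {
    return Crypt::PBKDF2->new(
        hash_class => 'HMACSHA2',
        hash_args  => { sha_size => 256 },
        iterations => $ITERATIONS,
        output_len => 32,
        salt_len   => $SALT_LEN,
    );
}

# Legacy hasher, spelled out with the documented pre-fix defaults so the
# contrast is explicit. Shown only to produce an "old" hash for the rehash check.
sub legacy_hasher {
    return Crypt::PBKDF2->new(
        hash_class => 'HMACSHA1',
        iterations => 1000,
        output_len => 20,
        salt_len   => 4,
    );
}

# Hash a password with our own CSPRNG salt. Passing the salt explicitly means
# Crypt::PBKDF2's internal rand()-based salt generator is never called.
sub hash_password {
    my ($password) = @_;
    my $salt = urandom($SALT_LEN);
    return hardened_hasher()->generate($password, $salt);
}

# validate() decodes algorithm, iteration count and salt from the stored string,
# so it verifies hashes made under any policy, including the weak legacy one.
sub verify_password {
    my ($stored, $password) = @_;
    return hardened_hasher()->validate($stored, $password) ? 1 : 0;
}

# Because validate() accepts legacy hashes, check the stored parameters and
# re-hash on next successful login when they fall below the current policy.
sub needs_rehash {
    my ($stored) = @_;
    my $info = hardened_hasher()->decode_string($stored);
    return 1 if $info->{iterations} < $ITERATIONS;
    return 1 if length($info->{salt}) < $SALT_LEN;
    return 0;
}

# Demo with a constructed password.
my $pw = 'correct horse battery staple';

my $old = legacy_hasher()->generate($pw);   # HMAC-SHA1, 1000 iterations, rand() salt
my $new = hash_password($pw);

printf "legacy hash verifies: %d, needs rehash: %d\n",
    verify_password($old, $pw), needs_rehash($old);   # 1, 1
printf "new hash verifies:    %d, needs rehash: %d\n",
    verify_password($new, $pw), needs_rehash($new);   # 1, 0
printf "wrong password:       %d\n", verify_password($new, 'wrong');   # 0

# Login flow: verify, then transparently upgrade a weak stored hash.
if (verify_password($old, $pw) && needs_rehash($old)) {
    my $upgraded = hash_password($pw);
    print "rehashed legacy entry under current policy\n";
}
```

Once the fixed package (upstream 0.261630 or later) is installed, the explicit salt is no longer strictly necessary, but passing it costs nothing and keeps the application's salt source independent of the module's. The needs_rehash() check is what actually retires hashes created under the old defaults; upgrading the library alone does not touch data already at rest.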

