Your message dated Sat, 11 Jul 2026 10:32:47 +0000
with message-id <[email protected]>
and subject line Released in 13.6
has caused the Debian Bug report #1140807,
regarding trixie-pu: package libbytes-random-secure-perl/0.29-4~deb13u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1140807: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1140807
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected],
[email protected], [email protected], [email protected],
[email protected]
Control: affects -1 + src:libbytes-random-secure-perl
User: [email protected]
Usertags: pu
Hi SRMers
[ Reason ]
libbytes-random-secure-perl is affected by CVE-2026-11625, that were
an object is initialised before forking, or when the functional
interface is used, then the internal state for the PRNG is shared
across processes and identical random streams will be produced.
[ Impact ]
Secrets generated in multiprocess applications are predictable across
processes.
[ Tests ]
Running test suite and done a debusine upload as well as
https://debusine.debian.net/debian/developers/work-request/894383/
[ Risks ]
The upstream pull request is not yet merged, but the patch referenced
in the CPAN security advisory and taken from there.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
> fix for this will save the current PID when the object is created,
> and then (in the bytes method) call instantiate_rng unless the PID
> is the same.
[ Other info ]
Nothing special.
Regards,
Salvatore
diff -Nru libbytes-random-secure-perl-0.29/debian/changelog
libbytes-random-secure-perl-0.29/debian/changelog
--- libbytes-random-secure-perl-0.29/debian/changelog 2022-12-08
12:41:21.000000000 +0000
+++ libbytes-random-secure-perl-0.29/debian/changelog 2026-06-26
18:32:02.000000000 +0000
@@ -1,3 +1,16 @@
+libbytes-random-secure-perl (0.29-4~deb13u1) trixie; urgency=medium
+
+ * Rebuild for trixie
+
+ -- Salvatore Bonaccorso <[email protected]> Fri, 26 Jun 2026 20:32:02 +0200
+
+libbytes-random-secure-perl (0.29-4) unstable; urgency=medium
+
+ * Team upload.
+ * Fix incorrect usage of seed in PRNG (CVE-2026-11625)
+
+ -- Salvatore Bonaccorso <[email protected]> Fri, 26 Jun 2026 17:27:21 +0200
+
libbytes-random-secure-perl (0.29-3) unstable; urgency=medium
[ Debian Janitor ]
diff -Nru
libbytes-random-secure-perl-0.29/debian/patches/CVE-2026-11625-r1.patch
libbytes-random-secure-perl-0.29/debian/patches/CVE-2026-11625-r1.patch
--- libbytes-random-secure-perl-0.29/debian/patches/CVE-2026-11625-r1.patch
1970-01-01 00:00:00.000000000 +0000
+++ libbytes-random-secure-perl-0.29/debian/patches/CVE-2026-11625-r1.patch
2026-06-26 18:32:02.000000000 +0000
@@ -0,0 +1,57 @@
+From 20828ef859e215565ba17a9a24af3a42b0c4360a Mon Sep 17 00:00:00 2001
+From: Robert Rothenberg <[email protected]>
+Date: Thu, 25 Jun 2026 14:43:11 +0100
+Subject: [PATCH] Fix for CVE-2026-11625
+
+---
+ lib/Bytes/Random/Secure.pm | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/lib/Bytes/Random/Secure.pm b/lib/Bytes/Random/Secure.pm
+index 65fbfe2..5bd3714 100644
+--- a/lib/Bytes/Random/Secure.pm
++++ b/lib/Bytes/Random/Secure.pm
+@@ -156,6 +156,7 @@ sub _build_attributes {
+ $self->{$arg} = exists $args->{$arg} ? $args->{$arg} : $default;
+ }
+
++ $self->{_pid} = $$;
+ $self->{_RNG} = undef; # Lazy initialization.
+ return $self;
+ }
+@@ -171,6 +172,8 @@ sub _instantiate_rng {
+ my @seeds = $self->_generate_seed( %seed_opts );
+ $self->{_RNG} = Math::Random::ISAAC->new(@seeds);
+
++ $self->{_pid} = $$;
++
+ return $self->{_RNG};
+ }
+
+@@ -224,7 +227,7 @@ sub bytes {
+ $bytes = defined $bytes ? $bytes : 0; # Default to zero bytes.
+ $self->_validate_int( $bytes ); # Throws on violation.
+
+- $self->_instantiate_rng unless defined $self->{_RNG};
++ $self->_instantiate_rng unless $$ == $self->{_pid} && defined $self->{_RNG};
+
+ my $str = '';
+
+@@ -302,7 +305,7 @@ sub _ranged_randoms {
+ $count = defined $count ? $count : 0;
+
+ # Lazily seed the RNG so we don't waste available strong entropy.
+- $self->_instantiate_rng unless defined $self->{_RNG};
++ $self->_instantiate_rng unless $$ == $self->{_pid} && defined
$self->{_RNG};
+
+ my $divisor = $self->_closest_divisor($range);
+
+@@ -354,7 +357,7 @@ sub _closest_divisor {
+
+ sub irand {
+ my( $self ) = @_;
+- $self->_instantiate_rng unless defined $self->{_RNG};
++ $self->_instantiate_rng unless $$ == $self->{_pid} && defined $self->{_RNG};
+ return $self->{_RNG}->irand;
+ }
+
diff -Nru libbytes-random-secure-perl-0.29/debian/patches/series
libbytes-random-secure-perl-0.29/debian/patches/series
--- libbytes-random-secure-perl-0.29/debian/patches/series 1970-01-01
00:00:00.000000000 +0000
+++ libbytes-random-secure-perl-0.29/debian/patches/series 2026-06-26
18:32:02.000000000 +0000
@@ -0,0 +1 @@
+CVE-2026-11625-r1.patch
--- End Message ---
--- Begin Message ---
Version: 13.6
This update was released as part of 13.6.
--- End Message ---