Hi Xavier,

On Thu, Apr 09, 2026 at 08:43:06AM +0200, Xavier wrote:
> On 15/03/2026 at 17:35, Salvatore Bonaccorso wrote:
> > Source: libapache-session-perl
> > Version: 1.94-2
> > Severity: important
> > Tags: security upstream
> > X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
> >
> > Hi,
> >
> > The following vulnerability was published for libapache-session-perl.
> >
> > CVE-2025-40931[0]:
> > | Apache::Session::Generate::MD5 versions through 1.94 for Perl create
> > | insecure session id. Apache::Session::Generate::MD5 generates
> > | session ids insecurely. The default session id generator returns a
> > | MD5 hash seeded with the built-in rand() function, the epoch time,
> > | and the PID. The PID will come from a small set of numbers, and the
> > | epoch time may be guessed, if it is not leaked from the HTTP Date
> > | header. The built-in rand function is unsuitable for cryptographic
> > | usage. Predictable session ids could allow an attacker to gain access
> > | to systems.
> >
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2025-40931
> >     https://www.cve.org/CVERecord?id=CVE-2025-40931
> > [1] https://lists.security.metacpan.org/cve-announce/msg/37639294/
> >
> > Please adjust the affected versions in the BTS as needed.
>
> Hi,
>
> I partially fixed this issue 6 years ago (https://bugs.debian.org/930659).
> This patch keeps md5 format but uses Crypt::Urandom for best entropy.

Thanks, I have added a note on it to the security-tracker and also
mentioned your approach to the CPANSec folks.

Regards,
Salvatore
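The advisory above describes the weak construction (MD5 over rand(), the epoch time and the PID) and Xavier's reply describes the shape of the fix (keep the 32-hex-character id, source the entropy from the OS CSPRNG). The following is an added illustration of that contrast, not code from Apache::Session, from the Debian patch, or from anyone in this thread. It assumes the CPAN module Crypt::URandom (whose `urandom($n)` returns `$n` bytes from the operating system's random device) is installed; the `looks_like_session_id` shape check is a hypothetical helper added here, not the module's own `validate`.

```perl
#!/usr/bin/perl
# Added example, not from Apache::Session or the Debian bug thread.
# Contrasts a session-id generator shaped like the one CVE-2025-40931
# describes with a CSPRNG-backed replacement that keeps the same format.
use strict;
use warnings;
use Digest::MD5   qw(md5_hex);
use Crypt::URandom qw(urandom);   # CPAN; wraps /dev/urandom or the OS CSPRNG

# Apache::Session MD5-style ids are 32 lowercase hex characters.
my $ID_LENGTH = 32;

# Weak (illustrates the advisory's description): every input is either
# low-entropy or guessable. time() is visible via the HTTP Date header,
# the PID comes from a small range, and Perl's rand() is not a CSPRNG.
# Hashing with MD5 does not add any secrecy to guessable inputs.
sub generate_weak {
    my $seed = join('', time(), $$, rand());
    return substr(md5_hex($seed), 0, $ID_LENGTH);
}

# Hardened: 16 bytes straight from the OS CSPRNG, hex-encoded. The result
# is still 32 hex chars, so existing session stores and validators keep
# working, but the id now carries 128 bits of unpredictability.
sub generate_strong {
    my $bytes = urandom($ID_LENGTH / 2);   # 16 random bytes
    return unpack('H*', $bytes);           # lowercase hex, 32 chars
}

# Hypothetical shape check (added here): reject anything that is not a
# well-formed id before it reaches the session store, so a client cannot
# smuggle path fragments or other junk in through the id.
sub looks_like_session_id {
    my ($id) = @_;
    return defined $id && $id =~ /\A[0-9a-f]{32}\z/ ? 1 : 0;
}

# Demonstration: both ids look the same on the wire; only the entropy differs.
my $weak   = generate_weak();
my $strong = generate_strong();
printf "weak   : %s (%s)\n", $weak,
    looks_like_session_id($weak)   ? 'well-formed' : 'malformed';
printf "strong : %s (%s)\n", $strong,
    looks_like_session_id($strong) ? 'well-formed' : 'malformed';
```

If downstream code insists on the id having passed through MD5, `md5_hex(urandom(32))` gives the same 32-character shape with the CSPRNG bytes as the only input; the important property is that nothing an observer can learn (time, PID, earlier ids) narrows the space of the next id.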
