On 2026/02/20 19:28, Andrew Hewus Fresh wrote: > This has fixes for CVE-2026-2474. > > https://metacpan.org/dist/Crypt-URandom/changes > > https://lists.security.metacpan.org/cve-announce/msg/37085458/ > > Comments? OK? Should I commit to -stable?
OK. Low risk in terms of how it's used in ports anyway (most are fixed length; Crypt::DSA and Crypt::CBC call it with variable length but don't seem likely to be able to go negative) but yes it makes sense to push to -stable too. > > Index: Makefile > =================================================================== > RCS file: /cvs/ports/security/p5-Crypt-URandom/Makefile,v > diff -u -p -r1.4 Makefile > --- Makefile 17 Jul 2025 11:22:43 -0000 1.4 > +++ Makefile 17 Feb 2026 18:41:29 -0000 > @@ -1,6 +1,7 @@ > COMMENT = provide non blocking randomness > > -DISTNAME = Crypt-URandom-0.54 > +DISTNAME = Crypt-URandom-0.55 > +CPAN_AUTHOR = DDICK > > CATEGORIES = security > > Index: distinfo > =================================================================== > RCS file: /cvs/ports/security/p5-Crypt-URandom/distinfo,v > diff -u -p -r1.4 distinfo > --- distinfo 17 Jul 2025 11:22:43 -0000 1.4 > +++ distinfo 17 Feb 2026 18:41:29 -0000 > @@ -1,2 +1,2 @@ > -SHA256 (Crypt-URandom-0.54.tar.gz) = > SnPNOUkzMo2khKrrhkXXNbNUZd9gEJ5VngoosGYFOlc= > -SIZE (Crypt-URandom-0.54.tar.gz) = 23803 > +SHA256 (Crypt-URandom-0.55.tar.gz) = > 759EFBBzwTVz6FsUj/mpCJxFglt9ZgjYMuQmOJnTotQ= > +SIZE (Crypt-URandom-0.55.tar.gz) = 24023 >
