Your message dated Sat, 04 Jan 2025 20:40:43 +0000
with message-id <[email protected]>
and subject line Bug#1092056: fixed in libnet-oauth-perl 0.30-1
has caused the Debian Bug report #1092056,
regarding libnet-oauth-perl: CVE-2025-22376: Default nonce for Net::OAuth 
package for perl is not cryptographically strong
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1092056: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1092056
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libnet-oauth-perl
Version: 0.28-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 0.28-3

Hi,

The following vulnerability was published for libnet-oauth-perl.

CVE-2025-22376[0]:
| In Net::OAuth::Client in the Net::OAuth package before 0.29 for
| Perl, the default nonce is a 32-bit integer generated from the
| built-in rand() function, which is not cryptographically strong.

Fixed in 0.30 upstream with a followup bugfix and adding the
Crypt::URandom dependency.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-22376
    https://www.cve.org/CVERecord?id=CVE-2025-22376

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libnet-oauth-perl
Source-Version: 0.30-1
Done: gregor herrmann <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libnet-oauth-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann <[email protected]> (supplier of updated libnet-oauth-perl 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 04 Jan 2025 21:08:16 +0100
Source: libnet-oauth-perl
Architecture: source
Version: 0.30-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <[email protected]>
Changed-By: gregor herrmann <[email protected]>
Closes: 1092056
Changes:
 libnet-oauth-perl (0.30-1) unstable; urgency=medium
 .
   * Import upstream version 0.30.
     - Net::OAuth::Client uses a better source of randomness for generating the
       nonce
 .
     [SECURITY] CVE-2025-22376:
     Default nonce for Net::OAuth package for perl is not cryptographically
     strong.
 .
     Closes: #1092056
 .
   * Add test and runtime dependency on libcrypt-urandom-perl as part of
     the fix for #1092056 / CVE-2025-22376.
   * Update build/test/runtime dependencies.
   * Drop patches, both applied upstream.
   * Update years of upstream and packaging copyright.
   * Update Upstream-Contact.
   * Add debian/upstream/metadata.
   * Declare compliance with Debian Policy 4.7.0.
Checksums-Sha1:
 944b1f65cedae64d0a732edb61028f628f07640c 2658 libnet-oauth-perl_0.30-1.dsc
 e505b86e19f4b0f2aab493189ee4682f8d287810 30347 
libnet-oauth-perl_0.30.orig.tar.gz
 898f2f057dbc6b0d48208e14041ca2886d21ce2f 4104 
libnet-oauth-perl_0.30-1.debian.tar.xz
Checksums-Sha256:
 20a88591123e1f3b286034574a4f67140cbc4a2c4e9b13ca1dfd30ffa778eb3e 2658 
libnet-oauth-perl_0.30-1.dsc
 ed22ea36834c6cb99165c145b87766468de6a69a71e7bd6fb854966127aecfac 30347 
libnet-oauth-perl_0.30.orig.tar.gz
 a4c27db201507fe81d46dfed53a34738103f98e8c46f7b94afed68d7fc571d2a 4104 
libnet-oauth-perl_0.30-1.debian.tar.xz
Files:
 5b364132dc082f8d35dee99f5b5bfcf0 2658 perl optional 
libnet-oauth-perl_0.30-1.dsc
 85aa3bbb7dfab20de922bcafda5a55a7 30347 perl optional 
libnet-oauth-perl_0.30.orig.tar.gz
 dd81c41de02950f2237dd6819288fecd 4104 perl optional 
libnet-oauth-perl_0.30-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE0eExbpOnYKgQTYX6uzpoAYZJqgYFAmd5lgxfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEQx
RTEzMTZFOTNBNzYwQTgxMDREODVGQUJCM0E2ODAxODY0OUFBMDYACgkQuzpoAYZJ
qgbcUA//dWlf1vnBw1izjKjhEF63ac0/dvDM6BzYMQhaBN7cR1r80V/Lo9d7lCvw
J/7IEU8CW85Vuui0GLJtuiaLcQjoe1MJtOSN1bmnYYHTI0lSVypOHIm6IsrzHXNs
6N8rxMuk3iMpthOMgFFqKvutbYd6qMDb/28HR0b5edDuRs6JDJpnHz7+wB6vXWuQ
HVGqCtVHxXZjGIZPcyWdYtNLtvqAkxznB9cZxKpbp4ZGUd18GapWZ89cYECl5Q+z
KYdqeNGLbNAneffh1PTc45JiDfwbG9n6chiCVWIjmm6y9rEjwL0S0G+y4orLgZ+h
0htlrLDu1Vhi7dfjEgmwVv9ZDSm9Kc8J4CW5W1u2RIecIQheNZ6/t4E4bO/qpoZ5
VxoYHyRjkIhV1ybyb6QJ3sQhjSJ1mWMGYXZOMS+xTVXt3tK5Z5yqRcq7LtvUN2Ix
icEz67j6qbsYutZz/8ecR5HE2JIKyWp/9KiXQ0CYTte4dY6ZawBM6z5Q520zkxHv
eQb0+1NCUnj7DI/KXedrskPIS6+OQvkM2geiB2YLIwwZURtSCqsV8OaAmK1qLZTP
kuIA07001Io3H2+tpVxeeVRnUYKI3Nl0nO8ZC6RCaZMeqzifJ6aQCvf9XXFW5jVF
YeVUt1zcCmcb0WbuVaYF1pCdCEY/WigEyzswnIqPdM63KI5CG3k=
=finG
-----END PGP SIGNATURE-----

Attachment: pgp30jsuryWYe.pgp
Description: PGP signature


--- End Message ---

Reply via email to