Your message dated Sat, 12 Apr 2025 10:20:15 +0000
with message-id <[email protected]>
and subject line Bug#1101502: fixed in libstring-compare-constanttime-perl 0.321-3
has caused the Debian Bug report #1101502,
regarding libstring-compare-constanttime-perl: CVE-2024-13939
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1101502: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1101502
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libstring-compare-constanttime-perl
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerability was published for
libstring-compare-constanttime-perl.
CVE-2024-13939[0]:
| String::Compare::ConstantTime for Perl through 0.321 is vulnerable
| to timing attacks that allow an attacker to guess the length of a
| secret string. As stated in the documentation: "If the lengths of
| the strings are different, because equals returns false right away
| the size of the secret string may be leaked (but not its contents)."
| This is similar to CVE-2020-36829
https://metacpan.org/release/FRACTAL/String-Compare-ConstantTime-0.321/view/lib/String/Compare/ConstantTime.pm#TIMING-SIDE-CHANNEL
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-13939
https://www.cve.org/CVERecord?id=CVE-2024-13939
Please adjust the affected versions in the BTS as needed.
--- End Message ---
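The quoted CVE text points at the structural problem: a comparison that returns as soon as the lengths differ takes a measurably different amount of time than one that walks the whole string, so the secret's length leaks even though its bytes do not. The following is an added example (not code from the bug report, the upstream module, or the Debian patch) that shows the leaky pattern beside two length-hiding alternatives in Python. The names `naive_ct_equals`, `length_hiding_equals` and `SecretVerifier` are assumptions chosen for this illustration; Python itself gives no hard constant-time guarantee, so the point is the control-flow shape, not the absolute timings.

```python
import hashlib
import hmac
import os


def naive_ct_equals(secret: bytes, candidate: bytes) -> bool:
    """Byte-by-byte constant-time compare that still leaks the length.

    The early return on a length mismatch finishes far sooner than a full
    comparison, which is the pattern the CVE text describes.
    """
    if len(secret) != len(candidate):
        return False
    acc = 0
    for a, b in zip(secret, candidate):
        acc |= a ^ b
    return acc == 0


def length_hiding_equals(secret: bytes, candidate: bytes) -> bool:
    """Compare so that running time depends only on len(candidate).

    The candidate is attacker-supplied, so its length is already known to
    them; the secret's length must not influence the work done.  The length
    mismatch is folded into the accumulator instead of triggering an early
    return, and the loop always runs len(candidate) iterations, reading the
    secret modulo its length so each iteration does the same work.
    """
    acc = len(secret) ^ len(candidate)  # non-zero if lengths differ
    n = len(secret)
    for i in range(len(candidate)):
        s = secret[i % n] if n else 0
        acc |= s ^ candidate[i]
    return acc == 0


class SecretVerifier:
    """Alternative: compare fixed-size digests instead of the raw strings.

    The secret's digest is computed once under a random key at construction
    time, so per-check work depends only on the candidate; both digests are
    the same size, so hmac.compare_digest never short-circuits on length.
    The key is only needed to make the digest unpredictable; it is not
    persisted anywhere.
    """

    def __init__(self, secret: bytes) -> None:
        self._key = os.urandom(32)  # constructed per instance, illustration only
        self._tag = hmac.new(self._key, secret, hashlib.sha256).digest()

    def verify(self, candidate: bytes) -> bool:
        tag = hmac.new(self._key, candidate, hashlib.sha256).digest()
        return hmac.compare_digest(self._tag, tag)


if __name__ == "__main__":
    secret = b"hunter2"  # constructed sample secret
    for cand in (b"hunter2", b"hunter", b"hunter22", b""):
        print(cand, naive_ct_equals(secret, cand),
              length_hiding_equals(secret, cand), SecretVerifier(secret).verify(cand))
```

`length_hiding_equals` is the drop-in shape for a module like String::Compare::ConstantTime; the digest approach suits long-lived secrets (API tokens, session keys) where the verifier object can be kept around and the per-request cost is one HMAC over the candidate.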
--- Begin Message ---
Source: libstring-compare-constanttime-perl
Source-Version: 0.321-3
Done: gregor herrmann <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libstring-compare-constanttime-perl, which is due to be installed in the Debian
FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
gregor herrmann <[email protected]> (supplier of updated
libstring-compare-constanttime-perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 12 Apr 2025 12:05:35 +0200
Source: libstring-compare-constanttime-perl
Architecture: source
Version: 0.321-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <[email protected]>
Changed-By: gregor herrmann <[email protected]>
Closes: 1101502
Changes:
libstring-compare-constanttime-perl (0.321-3) unstable; urgency=medium
.
* Team upload.
* Add patch from upstream PR to prevent revealing the secret length.
Fixes CVE-2024-13939. (Closes: #1101502)
* Declare compliance with Debian Policy 4.7.2.
Checksums-Sha1:
 4165939b00d44816c7662b8f60e54014b9225e03 2588 libstring-compare-constanttime-perl_0.321-3.dsc
 a03476951fb8bae1d6d0b7b2ff28764c2c49291c 5072 libstring-compare-constanttime-perl_0.321-3.debian.tar.xz
Checksums-Sha256:
 adb4852ab63c79a938f8b5fbdb62c4e8be04f86319c736f6bc4aa5fb730b270c 2588 libstring-compare-constanttime-perl_0.321-3.dsc
 51cfe006f20faedc3442ed2675409bc24b647d8ce8ab169e3b0fac761dde20dc 5072 libstring-compare-constanttime-perl_0.321-3.debian.tar.xz
Files:
 a435692d140b697c08008f3c74255d82 2588 perl optional libstring-compare-constanttime-perl_0.321-3.dsc
 646d218e972e8e7bc3f8a0eb22c6674d 5072 perl optional libstring-compare-constanttime-perl_0.321-3.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE0eExbpOnYKgQTYX6uzpoAYZJqgYFAmf6O9lfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEQx
RTEzMTZFOTNBNzYwQTgxMDREODVGQUJCM0E2ODAxODY0OUFBMDYACgkQuzpoAYZJ
qgaANw/+NAR/qPqvTQq4/Ll4xBDnP1RrGs29Sl6OOwhH5dN1qdad/Bi74zK0T0zB
Cp3uAISbZ6msFpJ1i+MFBrY8gR7dEiLrzMcb8YB6VQsiHMr0/LjdhwqK3UbT6td7
K5wtZGIT0VDA/C1Zm1jRYCczmxtPft8QFaCBHILOO0m4U4pnbG7Sy25rrpxAv6/f
EZ6pogjI6q5U7hndsjHF3vvkmFugiC0XAzi6IQYxyteg3goXiqcHPuOVevJ6AmCv
q6zt2wK5aC2RsJ59uglO/yDDc4mpvlqi0szodYN5S8HBJ5kH7zG1zhzXc+soSTKy
uA1JXHpC9aBO0z+UZ4k46+SgZiMvNClmWEC0RlXqucZe9rMWt8VunNyiMWteSzEu
CdQTUkO4BnpjbTwQKQmkgOUkEJ/msgFsghxh403tqD0gt5OTMqxseqkmi4fA7Yg+
tbRJlS4sTRI6nr4A2XL1T8gci7Pwm9Kc1ZNh6FFp8oyppcwI+szTsrPi0HE5d5in
TFU/S15CpSDs/xiPjDfcgMSuzBiTIg037puokh93P91ZSbms1+llEJwXYb++0D1D
ZOPtPpk6AcNpFMagnd21q1DKpBjCfynqcEOe8PzqmbX9sEhfBKFy0lvuJFVfet/y
CGzDgEJbf9TaXFpDlNbXiTZ5BeoY/7rgiQLi1UGxtdKGHAqy6RQ=
=FJTZ
-----END PGP SIGNATURE-----
--- End Message ---