Your message dated Sun, 10 Aug 2025 13:02:56 +0000
with message-id <[email protected]>
and subject line Bug#1109405: fixed in libplack-middleware-session-perl 0.36-1
has caused the Debian Bug report #1109405,
regarding libplack-middleware-session-perl: CVE-2025-40923
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1109405: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109405
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libplack-middleware-session-perl
Version: 0.34-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/plack/Plack-Middleware-Session/pull/52
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libplack-middleware-session-perl.

CVE-2025-40923[0]:
| Plack-Middleware-Session before version 0.35 for Perl generates
| session ids insecurely.  The default session id generator returns a
| SHA-1 hash seeded with the built-in rand function, the epoch time,
| and the PID. The PID will come from a small set of numbers, and the
| epoch time may be guessed, if it is not leaked from the HTTP Date
| header. The built-in rand function is unsuitable for cryptographic
| usage.  Predictable session ids could allow an attacker to gain
| access to systems.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-40923
    https://www.cve.org/CVERecord?id=CVE-2025-40923
[1] https://github.com/plack/Plack-Middleware-Session/pull/52
[2] https://lists.security.metacpan.org/cve-announce/msg/31223483/
[3] https://github.com/plack/Plack-Middleware-Session/commit/1fbfbb355e34e7f4b3906f66cf958cedadd2b9be

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
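For an application that cannot yet move to the fixed package, the generator described in the CVE text above can be replaced at the Plack level. The following is an added example, not code from the bug report or from the Plack project: it plugs a generator backed by Crypt::SysRandom (the module the 0.36 changelog names as upstream's fix) into Plack::Session::State::Cookie through its sid_generator and sid_validator options. The 32-byte length, hex encoding, cookie flags and the hypothetical app body are this example's own choices; upstream's exact scheme may differ.

```perl
#!/usr/bin/env perl
# Added example: hardened session id generation for Plack::Middleware::Session.
# The vulnerable default (before 0.35) hashed rand(), the epoch time and $$
# with SHA-1; all three inputs are small or guessable, so the id is too.
# Here the id comes from the OS CSPRNG via Crypt::SysRandom instead.
use strict;
use warnings;
use Plack::Builder;
use Plack::Session::State::Cookie;
use Crypt::SysRandom qw(random_bytes);

# 32 random bytes = 256 bits of entropy, hex-encoded to 64 characters
# (length and encoding are this example's choice).
my $SID_BYTES = 32;
my $sid_len   = $SID_BYTES * 2;

my $secure_sid_generator = sub {
    return unpack 'H*', random_bytes($SID_BYTES);
};

# The validator must accept exactly what the generator emits and nothing
# else; the stock validator expects 40 hex chars (SHA-1), so it is replaced
# together with the generator.
my $sid_validator = qr/\A[0-9a-f]{$sid_len}\z/;

my $state = Plack::Session::State::Cookie->new(
    sid_generator => $secure_sid_generator,
    sid_validator => $sid_validator,
    httponly      => 1,   # keep the cookie away from client-side script
    secure        => 1,   # assumption: the application is served over HTTPS
);

# Hypothetical PSGI app that just counts requests per session.
my $app = sub {
    my $env     = shift;
    my $session = $env->{'psgix.session'};
    $session->{visits}++;
    return [ 200, [ 'Content-Type' => 'text/plain' ],
             ["visits this session: $session->{visits}\n"] ];
};

builder {
    enable 'Session', state => $state;
    $app;
};
```

Once the 0.36-1 package is installed, the override is no longer needed but remains harmless, since the installed default already draws from the same CSPRNG source.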
--- Begin Message ---
Source: libplack-middleware-session-perl
Source-Version: 0.36-1
Done: Salvatore Bonaccorso <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libplack-middleware-session-perl, which is due to be installed in the Debian 
FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated 
libplack-middleware-session-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Sun, 10 Aug 2025 13:47:33 +0200
Source: libplack-middleware-session-perl
Architecture: source
Version: 0.36-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 1109405
Changes:
 libplack-middleware-session-perl (0.36-1) unstable; urgency=medium
 .
   * Team upload.
   * Import upstream version 0.36.
     - Added secure session ID generation using Crypt::SysRandom
       (CVE-2025-40923) (Closes: #1109405)
   * Declare compliance with Debian policy 4.7.2
   * Add (Build-)Depends(-Indep) on libcrypt-sysrandom-perl



--- End Message ---