Your message dated Sun, 10 Aug 2025 22:51:28 +0000
with message-id <[email protected]>
and subject line Bug#1109439: fixed in libcatalyst-plugin-session-perl 0.44-1
has caused the Debian Bug report #1109439,
regarding libcatalyst-plugin-session-perl: CVE-2025-40924
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1109439: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109439
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libcatalyst-plugin-session-perl
Version: 0.43-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/perl-catalyst/Catalyst-Plugin-Session/pull/5
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for libcatalyst-plugin-session-perl.
CVE-2025-40924[0]:
| Catalyst::Plugin::Session before version 0.44 for Perl generates
| session ids insecurely. The session id is generated from a (usually
| SHA-1) hash of a simple counter, the epoch time, the built-in rand
| function, the PID and the current Catalyst context. This information
| is of low entropy. The PID will come from a small set of numbers,
| and the epoch time may be guessed, if it is not leaked from the HTTP
| Date header. The built-in rand function is unsuitable for
| cryptographic usage. Predicable session ids could allow an attacker
| to gain access to systems.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-40924
https://www.cve.org/CVERecord?id=CVE-2025-40924
[1] https://github.com/perl-catalyst/Catalyst-Plugin-Session/pull/5
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libcatalyst-plugin-session-perl
Source-Version: 0.44-1
Done: gregor herrmann <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libcatalyst-plugin-session-perl, which is due to be installed in the Debian FTP
archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
gregor herrmann <[email protected]> (supplier of updated
libcatalyst-plugin-session-perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 11 Aug 2025 00:30:36 +0200
Source: libcatalyst-plugin-session-perl
Architecture: source
Version: 0.44-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <[email protected]>
Changed-By: gregor herrmann <[email protected]>
Closes: 1109439
Changes:
libcatalyst-plugin-session-perl (0.44-1) unstable; urgency=medium
.
* Team upload.
* Import upstream version 0.44.
Fixes CVE-2025-40924:
"Catalyst::Plugin::Session before version 0.44 for Perl generates session
ids insecurely."
Closes: #1109439
* Add test and runtime dependency on libcrypt-sysrandom-perl (part of
the fix for CVE-2025-40924).
* Update years of upstream copyright.
* Declare compliance with Debian Policy 4.7.2.
* Remove Rules-Requires-Root: no.
Checksums-Sha1:
4b0b1387b5fd9240d8a19c79324f9039e310d702 3002
libcatalyst-plugin-session-perl_0.44-1.dsc
e2825e97fc57c0151eca4123e3ad19d541cc796c 40101
libcatalyst-plugin-session-perl_0.44.orig.tar.gz
e516ba5896bbd35e103a0c83532bf6479d7d0e0f 3012
libcatalyst-plugin-session-perl_0.44-1.debian.tar.xz
Checksums-Sha256:
cbe00150230a70bb71da62ecf311c66be63ce2da339bb7c679ccc24e4d989535 3002
libcatalyst-plugin-session-perl_0.44-1.dsc
092c8d80e0350f925dc765f272c0ee28f992300b14f5b8698412204e6c857c42 40101
libcatalyst-plugin-session-perl_0.44.orig.tar.gz
dd5b762e7251c59d1bcff4d73475856497e65fb55ac6ca650d04d0318d585c59 3012
libcatalyst-plugin-session-perl_0.44-1.debian.tar.xz
Files:
a35003879e2dfe8b6b2cdc9bcec339d8 3002 perl optional
libcatalyst-plugin-session-perl_0.44-1.dsc
32984ac460ca44ad2f566205010c249a 40101 perl optional
libcatalyst-plugin-session-perl_0.44.orig.tar.gz
038ba47eab8d053d7e70ce2f4bed578a 3012 perl optional
libcatalyst-plugin-session-perl_0.44-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE0eExbpOnYKgQTYX6uzpoAYZJqgYFAmiZHiJfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEQx
RTEzMTZFOTNBNzYwQTgxMDREODVGQUJCM0E2ODAxODY0OUFBMDYACgkQuzpoAYZJ
qgYWMxAApNNvt/X0tE5TQ48QZcwKXMEmbhssPjwOrmqeGUCJsTQ6drThpGge0Aav
y5FPWKa7UNKMJKOOyahKyScjgtlccKyBN9M/jvYtQsbQA2TX0xFmZsC7z/Suu3r9
yRstYQkuRAzZ/q5bdHymCOGTh0mLsk/ccekigsEPzPPB/e+gk5tHFlGGKdf8RIPw
1qqv1yheUb0wZA9+UyK1dL3UkkkmyeFljhQGvfIPIx7RLZwAehkckFbv6gekqfwI
5UrOXz2Moc7kV3Cf0JS1H5XbOvKHd79x/FEX9cRTuDAhzAJRQhLmn/dUpN+Zie0V
Ls1yZIWfwhvYu3RjBTjQpHXLIjdKlyQ8sg2tXIX61pTZ3nQIkCYqJg1+wRhNi2oC
/bv4sZL+h/Lwe5KC4URK3FLuKNMeug1bPweBezW9ZgT3eXjTICYZsrezO785IYOf
mDqoy+8fyEKcu0AQrZooyB9KbewPIGNBqPtoxv4pwQveYE+dDSN/I9hJxBzazq6j
KWif5MI8yAMjQUB9+cLDEPt1+A80YqU7GoPjOyfz7fQ1PZcmBp3+n7wFCz9aZenr
W5va9oiiEYmiYeqc+eJ7oRDPNk+UGDsM9Tj3i/lF7yG4Q4oy1mfEC0Rz3h+kKHdR
XmaFaR+Bq5mAfWJPb9alSxccX76ZFeRMxJI5h414fkgleSVjGp8=
=MY1+
-----END PGP SIGNATURE-----
pgpxp6Lkvm8QK.pgp
Description: PGP signature
--- End Message ---