Your message dated Mon, 11 Aug 2025 17:37:03 +0000
with message-id <[email protected]>
and subject line Bug#1110120: fixed in libcrypt-cbc-perl 3.07-1
has caused the Debian Bug report #1110120,
regarding libcrypt-cbc-perl: CVE-2025-2814
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1110120: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110120
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libcrypt-cbc-perl
Version: 3.04-3
Severity: normal
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for libcrypt-cbc-perl.
CVE-2025-2814[0]:
| Crypt::CBC versions between 1.21 and 3.05 for Perl may use the
| rand() function as the default source of entropy, which is not
| cryptographically secure, for cryptographic functions. This issue
| affects operating systems where "/dev/urandom" is unavailable. In
| that case, Crypt::CBC will fall back to using the insecure rand()
| function.
Upstream has released a new version 3.07 which fixes it by switching
to Crypt::URandom.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-2814
https://www.cve.org/CVERecord?id=CVE-2025-2814
[1] https://lists.security.metacpan.org/cve-announce/msg/28699380/
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libcrypt-cbc-perl
Source-Version: 3.07-1
Done: gregor herrmann <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libcrypt-cbc-perl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
gregor herrmann <[email protected]> (supplier of updated libcrypt-cbc-perl
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 11 Aug 2025 18:59:53 +0200
Source: libcrypt-cbc-perl
Architecture: source
Version: 3.07-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <[email protected]>
Changed-By: gregor herrmann <[email protected]>
Closes: 1110120
Changes:
 libcrypt-cbc-perl (3.07-1) unstable; urgency=medium
 .
   * Import upstream version 3.07.
     - Fix CVE-2025-2814 by using Crypt::URandom
       Closes: #1110120
   * Add test and runtime dependency on libcrypt-urandom-perl
     (CVE-2025-2814 fix).
   * Add debian/upstream/metadata.
   * Install new upstream vulnerabilities.txt file.
   * Add a comment to debian/copyright.
   * Update years of upstream and packaging copyright.
   * Declare compliance with Debian Policy 4.7.2.
   * Remove Rules-Requires-Root: no.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
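An added example, not code from Crypt::CBC, Debian or the messages above: a Perl check of whether a host is in the condition CVE-2025-2814 describes (a Crypt::CBC version in the stated range and no usable /dev/urandom), with a short demonstration that rand() output repeats under a known seed. The helper names classify and rand_bytes and the sample versions are constructed for illustration, and "unavailable" is approximated by a readability test.

```perl
#!/usr/bin/perl
# Added example (not Crypt::CBC or Debian code): local exposure check for CVE-2025-2814.
use strict;
use warnings;
use version;

# Affected range and fixed release as stated in the advisory and changelog above.
my ($FIRST_AFFECTED, $LAST_AFFECTED, $FIXED) = map { version->parse($_) } qw(1.21 3.05 3.07);

# Classify a Crypt::CBC version. $urandom_ok approximates "/dev/urandom is
# available" with a readability test (assumption of this example).
sub classify {
    my ($ver, $urandom_ok) = @_;
    my $v = version->parse($ver);
    return 'fixed (3.07 or later, uses Crypt::URandom)' if $v >= $FIXED;
    return 'outside the range stated in the advisory'
        if $v < $FIRST_AFFECTED || $v > $LAST_AFFECTED;
    return $urandom_ok
        ? 'affected version; /dev/urandom readable, rand() fallback not expected'
        : 'EXPOSED: affected version and no /dev/urandom, rand() fallback applies';
}

# Why the fallback matters: rand() output is fully determined by its seed,
# so two runs with the same seed produce identical "random" bytes.
sub rand_bytes {
    my ($seed, $n) = @_;
    srand($seed);
    return pack 'C*', map { int rand 256 } 1 .. $n;
}

# Constructed sample versions, to show each verdict.
for my $case (['1.20', 1], ['3.04', 1], ['3.04', 0], ['3.06', 0], ['3.07', 0]) {
    printf "%-5s urandom=%d -> %s\n", @$case, classify(@$case);
}

# The host itself: installed module version and device availability.
my $installed = eval { require Crypt::CBC; Crypt::CBC->VERSION };
my $dev_ok    = -r '/dev/urandom' ? 1 : 0;
print defined $installed
    ? "installed $installed -> " . classify($installed, $dev_ok) . "\n"
    : "Crypt::CBC is not installed for this perl\n";

printf "rand() repeats under one seed: %s\n",
    rand_bytes(42, 16) eq rand_bytes(42, 16) ? 'yes' : 'no';

# Bytes from Crypt::URandom, the module the fixed release switches to, if present.
if (eval { require Crypt::URandom; 1 }) {
    print 'Crypt::URandom sample: ', unpack('H*', Crypt::URandom::urandom(16)), "\n";
}
```

Run it with the same perl interpreter the application uses, inside the same chroot or container, since that is where the presence of /dev/urandom matters.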