Your message dated Tue, 12 Aug 2025 15:05:58 +0000
with message-id <[email protected]>
and subject line Bug#1110887: fixed in libcatalyst-authentication-credential-http-perl 1.018-4
has caused the Debian Bug report #1110887,
regarding libcatalyst-authentication-credential-http-perl: CVE-2025-40920
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1110887: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110887
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libcatalyst-authentication-credential-http-perl
Version: 1.018-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 1.018-1
Hi,
The following vulnerability was published for
libcatalyst-authentication-credential-http-perl.
CVE-2025-40920[0]:
| Catalyst::Authentication::Credential::HTTP versions 1.018 and
| earlier for Perl generate nonces using the Perl Data::UUID library.
| * Data::UUID does not use a strong cryptographic source for
|   generating UUIDs.
| * Data::UUID returns v3 UUIDs, which are generated from known
|   information and are unsuitable for security, as per RFC 9562.
| * The nonces should be generated from a strong cryptographic
|   source, as per RFC 7616.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-40920
https://www.cve.org/CVERecord?id=CVE-2025-40920
[1] https://lists.security.metacpan.org/cve-announce/msg/31902514/
[2] https://github.com/perl-catalyst/Catalyst-Authentication-Credential-HTTP/pull/1
[3] https://github.com/perl-catalyst/Catalyst-Authentication-Credential-HTTP/commit/ad2c03aad95406db4ce35dfb670664ebde004c18
Regards,
Salvatore
--- End Message ---
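As an added illustration (not code from the package, the upstream pull request, or the Debian patch), here is what "a strong cryptographic source, as per RFC 7616" looks like in practice: the random part comes from Crypt::SysRandom, the module the 1.018-4 changelog names as the replacement for Data::UUID. The HMAC-bound nonce layout, the check_nonce validator and the 300-second lifetime are this example's own choices, not something the report or the fix specifies.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Crypt::SysRandom qw(random_bytes);        # OS CSPRNG, as used by the 1.018-4 fix
use Digest::SHA      qw(hmac_sha256_hex);
use MIME::Base64     qw(encode_base64 decode_base64);

# Per-process secret drawn from the OS CSPRNG, never from Data::UUID or rand().
my $SERVER_SECRET = random_bytes(32);
my $NONCE_TTL     = 300;   # seconds a nonce stays acceptable (example choice)

# Nonce layout assumed by this example, following the shape RFC 7616 suggests:
# base64("<timestamp>:<128 fresh random bits as hex>:<HMAC over both>").
# The HMAC lets the server recognise its own nonces without storing them.
sub make_nonce {
    my $ts   = time;
    my $rand = unpack 'H*', random_bytes(16);
    my $mac  = hmac_sha256_hex("$ts:$rand", $SERVER_SECRET);
    return encode_base64("$ts:$rand:$mac", '');
}

# Constant-time comparison so MAC checking does not leak timing information.
sub _eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Accept a nonce only if this server minted it under the current secret and it
# has not expired (an expired one is where RFC 7616 has the server answer stale=true).
sub check_nonce {
    my ($nonce) = @_;
    my ($ts, $rand, $mac) = split /:/, decode_base64($nonce), 3;
    return 0 unless defined $mac;
    return 0 unless $ts =~ /^\d+$/ && $rand =~ /^[0-9a-f]{32}$/;
    return 0 unless _eq($mac, hmac_sha256_hex("$ts:$rand", $SERVER_SECRET));
    return 0 if time - $ts > $NONCE_TTL;
    return 1;
}

my $nonce = make_nonce();
printf "nonce: %s\nvalid: %d\n", $nonce, check_nonce($nonce);

# A constructed nonce with a well-formed layout but no valid MAC must be rejected.
my $forged = encode_base64("0:" . ("0" x 32) . ":" . ("0" x 64), '');
printf "forged valid: %d\n", check_nonce($forged);
```

Every call to make_nonce yields a different value even within the same second, because the 128 random bits come from the kernel's CSPRNG rather than from a UUID built out of known inputs.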
--- Begin Message ---
Source: libcatalyst-authentication-credential-http-perl
Source-Version: 1.018-4
Done: gregor herrmann <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libcatalyst-authentication-credential-http-perl, which is due to be installed
in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
gregor herrmann <[email protected]> (supplier of updated
libcatalyst-authentication-credential-http-perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Tue, 12 Aug 2025 16:49:32 +0200
Source: libcatalyst-authentication-credential-http-perl
Architecture: source
Version: 1.018-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <[email protected]>
Changed-By: gregor herrmann <[email protected]>
Closes: 1110887
Changes:
libcatalyst-authentication-credential-http-perl (1.018-4) unstable; urgency=medium
.
* Team upload.
* Convert from cdbs to dh(1).
* Add patch from upstream pull request to fix CVE-2025-40920:
Use Crypt::SysRandom to generate nonces instead of Data::UUID.
(Closes: #1110887)
* Update test and runtime dependencies to CVE-2025-40920.patch.
* debian/control: separate Build-Depends{,-Indep}, add <!nocheck>, sort.
* Declare compliance with Debian Policy 4.7.2.
* debian/watch: use version 4 and macros.
--- End Message ---