Your message dated Tue, 05 May 2026 15:34:26 +0000
with message-id <[email protected]>
and subject line Bug#1135322: fixed in libdancer-perl 1.3522-2
has caused the Debian Bug report #1135322,
regarding libdancer-perl: CVE-2026-5080
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1135322: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135322
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libdancer-perl
Version: 1.3522-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libdancer-perl.

CVE-2026-5080[0]:
| Dancer::Session::Abstract versions through 1.3522 for Perl generates
| session ids insecurely.  The session id is generated from summing
| the character codepoints of the absolute pathname with the process
| id, the epoch time and calls to the built-in rand() function to
| return a number between 0 and 999-billion, and concatenating that
| result three times.  The path name might be known or guessed by an
| attacker, especially for applications known to be written using
| Dancer with standard installation locations.  The epoch time can be
| guessed by an attacker, and may be leaked in the HTTP header.  The
| process id comes from a small set of numbers, and workers may have
| sequential process ids.  The built-in rand() function is seeded with
| 32-bits and is considered unsuitable for security applications.
| Predictable session ids could allow an attacker to gain access to
| systems.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-5080
    https://www.cve.org/CVERecord?id=CVE-2026-5080
[1] https://lists.security.metacpan.org/cve-announce/msg/39488574/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libdancer-perl
Source-Version: 1.3522-2
Done: gregor herrmann <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libdancer-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann <[email protected]> (supplier of updated libdancer-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 05 May 2026 17:12:29 +0200
Source: libdancer-perl
Architecture: source
Version: 1.3522-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <[email protected]>
Changed-By: gregor herrmann <[email protected]>
Closes: 1135322
Changes:
 libdancer-perl (1.3522-2) unstable; urgency=medium
 .
   * Add patch from CPANSEC to fix CVE-2026-5080.
     Use Crypt::SysRandom instead of manually generating session ids.
     (Closes: #1135322)
   * Add test and runtime dependency on libcrypt-sysrandom-perl for the
     CVE-2026-5080 fix.
   * Declare compliance with Debian Policy 4.7.4.
Checksums-Sha1:
Checksums-Sha256:
Files:
Git-Tag-Info: tag=d02dd35b8b22c5b235439a7617ccca879e58c2bd 
fp=d1e1316e93a760a8104d85fabb3a68018649aa06
Git-Tag-Tagger: gregor herrmann <[email protected]>


--- End Message ---
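As an added example (not the CPANSEC patch, Debian's packaging, or Dancer's own code), a Dancer 1 session engine subclass that takes its ids from Crypt::SysRandom, as the changelog entry describes, and rejects ids of the old all-digit shape so a cookie minted before the upgrade forces a fresh session. Assumptions: build_id is the overridable id hook the CVE text describes, Dancer::Session::Simple is the base engine, and the package name is hypothetical.

```perl
package My::Session::Secure;   # hypothetical package name
use strict;
use warnings;
use parent 'Dancer::Session::Simple';   # assumed: core in-memory engine
use Crypt::SysRandom qw(random_bytes);

# 32 bytes = 256 bits straight from the OS CSPRNG. No pathname, pid,
# epoch time or 32-bit-seeded rand() stream enters the id, so the
# small guessing space the CVE text describes (at most 2**32 rand()
# states once path, pid and time are known) no longer applies.
use constant ID_BYTES => 32;

# Assumed hook: the method session engines override to supply ids.
sub build_id {
    my ($class) = @_;
    return unpack 'H*', random_bytes(ID_BYTES);
}

# Accept only ids of this scheme's shape (fixed-length lowercase hex).
# Legacy ids were long decimal strings, so they fail this check.
sub looks_like_secure_id {
    my ($class, $id) = @_;
    my $hexlen = ID_BYTES * 2;
    return defined $id && $id =~ /\A[0-9a-f]{$hexlen}\z/ ? 1 : 0;
}

# Stand-alone self-check: `perl My/Session/Secure.pm`
unless (caller) {
    my $id = __PACKAGE__->build_id;
    die "id malformed: $id" unless __PACKAGE__->looks_like_secure_id($id);
    # constructed legacy-style id: three concatenated decimal numbers
    die "legacy id accepted" if __PACKAGE__->looks_like_secure_id('123456789' x 3);
    # consecutive ids must differ; a collision would mean a broken RNG
    die "ids collide" if $id eq __PACKAGE__->build_id;
    print "ok: $id\n";
}
1;
```

Which engine an application selects is still governed by its `session` setting; this subclass only changes where the id bytes come from.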
