Your message dated Thu, 21 May 2026 20:50:32 +0000
with message-id <[email protected]>
and subject line Bug#1137253: fixed in libcrypt-saltedhash-perl 0.11-1
has caused the Debian Bug report #1137253,
regarding libcrypt-saltedhash-perl: CVE-2026-47372 CVE-2026-47373
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1137253: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137253
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libcrypt-saltedhash-perl
Version: 0.09-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for libcrypt-saltedhash-perl.

CVE-2026-47372[0]:
| Crypt::SaltedHash versions through 0.09 for Perl generate insecure
| random values for salts.  These versions use the built-in rand
| function, which is predictable and unsuitable for cryptography.


CVE-2026-47373[1]:
| Crypt::SaltedHash versions through 0.09 for Perl are susceptible to
| timing attacks.  These versions use Perl's built-in eq comparison.
| Discrepancies in timing could be used to guess the underlying hash.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-47372
    https://www.cve.org/CVERecord?id=CVE-2026-47372
    https://lists.security.metacpan.org/cve-announce/msg/40252126/
    https://github.com/robrwo/perl-Crypt-SaltedHash/commit/9b68437d2cd420b819b3a795474c3870338d38d5
[1] https://security-tracker.debian.org/tracker/CVE-2026-47373
    https://www.cve.org/CVERecord?id=CVE-2026-47373
    https://lists.security.metacpan.org/cve-announce/msg/40249915/
    https://github.com/robrwo/perl-Crypt-SaltedHash/commit/c07bfc5c23185b0667233d0f2e1252d81f1f027a

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libcrypt-saltedhash-perl
Source-Version: 0.11-1
Done: gregor herrmann <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libcrypt-saltedhash-perl, which is due to be installed in the Debian FTP 
archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann <[email protected]> (supplier of updated 
libcrypt-saltedhash-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 21 May 2026 22:29:31 +0200
Source: libcrypt-saltedhash-perl
Architecture: source
Version: 0.11-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <[email protected]>
Changed-By: gregor herrmann <[email protected]>
Closes: 1137253
Changes:
 libcrypt-saltedhash-perl (0.11-1) unstable; urgency=medium
 .
   * Import upstream version 0.11.
     - Security: Use system randomness source to generate the salt CVE-2026-47372
     - Security: Use constant-time comparison of hashes CVE-2026-47373
     Closes: #1137253
   * Add test and runtime dependency on libcrypt-sysrandom-perl.
   * Update years of upstream copyright.
   * debian/copyright: update Upstream-Contact.
   * Add deprecation notice to long description.
   * Update debian/upstream/metadata.
   * Update test dependencies.
   * Declare compliance with Debian Policy 4.7.4.
   * Remove «Priority: optional», which is the current default.
   * Annotate test-only build dependencies with <!nocheck>.
   * Add /me to Uploaders.
Checksums-Sha1:
 b0fc4e6facbf354bfab7ecf3056973169f4d632c 2500 libcrypt-saltedhash-perl_0.11-1.dsc
 ca51c70c8ec41079b1c90bf93d922196ca2fb17d 20179 libcrypt-saltedhash-perl_0.11.orig.tar.gz
 70178c985442b4754120c0679c03dc5b316d0af8 2752 libcrypt-saltedhash-perl_0.11-1.debian.tar.xz
Checksums-Sha256:
 1e18dcd6a04a28442afb5f1609322db76da93e2ec582a7affacbe86be5b9f3f6 2500 libcrypt-saltedhash-perl_0.11-1.dsc
 7b596ebf3f554c816b55aafdead87cf72db1b0403de7db5153be23cef9501941 20179 libcrypt-saltedhash-perl_0.11.orig.tar.gz
 383d8f7208b7c4ce394d4c13ed854e3e6f93fe672b70b2ae35eb0b8983c9911c 2752 libcrypt-saltedhash-perl_0.11-1.debian.tar.xz
Files:
 50f485cf5be5499a773450a70ae8943a 2500 perl optional libcrypt-saltedhash-perl_0.11-1.dsc
 aa3051deb52f8ea1b9c3f47042203e03 20179 perl optional libcrypt-saltedhash-perl_0.11.orig.tar.gz
 237ac55be264189cb06b4db57a0a880f 2752 perl optional libcrypt-saltedhash-perl_0.11-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE0eExbpOnYKgQTYX6uzpoAYZJqgYFAmoPa8FfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEQx
RTEzMTZFOTNBNzYwQTgxMDREODVGQUJCM0E2ODAxODY0OUFBMDYACgkQuzpoAYZJ
qgaHJw//Rf7TbYuAVLCqpxEOFL1SZ0/Fdtg9OO6G2dIIrUZ/hS5wFs81XO6OZKVU
iV/ksQUsvRSrV+R8qvJe2TkRVTKbQbtcsbz5mVITBeUN6kezyeeTgeLbwJOsKNBP
KyLJrg+M4ERnxdr3Cjg7QLe2cnbRHDSA4P6X863/uMvidP3L9l1QM6skuxrX0wHg
tnZpIwPt0ltg1P2oZ+fflNa1DFAfN9OGV00HutJn+tLAYP+SKfm7U4Jk21CqZSli
BEaFYLnJnJIyUS4bZe+029ns3DrXEy7xfmZhgcKXxuHeq7qbHOTXhRf+sFiAidVs
AF9YC/1l9Jau2l14F4IS7AlsVxrQHqvPQLpaLFMMYBvjqXwWpwa1BUkTP1RXLpGh
4D+0dA0aNSccJln8lyqDKhWavCGU1LQMDpImQHIEN8eSv2R98mWkig3QxolreP0h
DmLMUKVKHLpJceYOif2joLrYTIpm5MFObTWr7vF29D/RWSYcb7vDm5rmwloDjnax
03M1YmU4tyyVmIvFogiGKxuaTVtnKyWm44lZJhnhN730sq9VgwkkWganzVPukCZu
MBmpZK4dyUEWuOG325gD5QjNx7Zx1MVRNl5WA4PxCvRCFKki51TcfJuD+KAckzSH
LAHmoreyf75J15T5SgrFgnBixXLuhMKpBkgoOxW/oMHjWdLJ9AQ=
=kNu3
-----END PGP SIGNATURE-----



--- End Message ---
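As an added illustration of the two issues the report describes and the kind of fix the 0.11 changelog names (OS randomness for the salt, constant-time comparison of the hashes), the Perl below puts each weak pattern next to a hardened form. It is example code written for this page, not code from Crypt::SaltedHash, from upstream or from the Debian package. It assumes Crypt::SysRandom exports random_bytes (the changelog adds libcrypt-sysrandom-perl as a dependency); the {SSHA256} string layout, the helper names and the sample passwords are this example's own constructions and say nothing about the module's actual on-disk format.

```perl
#!/usr/bin/perl
# Added example, not Crypt::SaltedHash's own code: the weak salt and
# comparison patterns from the bug report beside hardened versions.
use strict;
use warnings;
use Digest::SHA      qw(sha256);
use MIME::Base64     qw(encode_base64 decode_base64);
use Crypt::SysRandom qw(random_bytes);   # assumed export; libcrypt-sysrandom-perl

my $SALT_LEN = 16;

# CVE-2026-47372 pattern: rand() is a seeded PRNG, so its output is
# reproducible from the seed and is not a source of cryptographic randomness.
sub weak_salt {
    my ($len) = @_;
    return join '', map { chr(int(rand(256))) } 1 .. $len;
}

# Fix: take the salt bytes from the operating system's CSPRNG.
sub strong_salt {
    my ($len) = @_;
    return random_bytes($len);
}

# CVE-2026-47373 pattern: eq stops at the first differing byte, so the time
# it takes depends on how long the matching prefix of the candidate is.
sub weak_equal {
    my ($x, $y) = @_;
    return $x eq $y ? 1 : 0;
}

# Fix: XOR every byte pair and OR the results together; the loop does the
# same amount of work whether the mismatch is at byte 0 or the last byte.
sub constant_time_equal {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);   # digest length is fixed, so this leaks nothing useful
    my $diff = 0;
    for my $i (0 .. length($x) - 1) {
        $diff |= ord(substr($x, $i, 1)) ^ ord(substr($y, $i, 1));
    }
    return $diff == 0 ? 1 : 0;
}

# Salted-hash string in the spirit of {SSHA}: base64(digest || salt).
# The {SSHA256} label and salt-after-digest layout are this example's choice.
sub generate {
    my ($password) = @_;
    my $salt = strong_salt($SALT_LEN);
    return '{SSHA256}' . encode_base64(sha256($password . $salt) . $salt, '');
}

sub validate {
    my ($stored, $candidate) = @_;          # $stored is a lexical copy; safe to modify
    return 0 unless $stored =~ s/^\{SSHA256\}//;
    my $raw = decode_base64($stored);
    return 0 if length($raw) <= $SALT_LEN;
    my $salt   = substr($raw, -$SALT_LEN);
    my $digest = substr($raw, 0, length($raw) - $SALT_LEN);
    return constant_time_equal($digest, sha256($candidate . $salt));
}

# Demonstrations (constructed sample passwords).
srand(42); my $s1 = weak_salt($SALT_LEN);
srand(42); my $s2 = weak_salt($SALT_LEN);
printf "rand() salt repeats after reseeding: %s\n", $s1 eq $s2 ? 'yes' : 'no';

my $stored = generate('correct horse battery staple');
printf "validate(correct): %d\n", validate($stored, 'correct horse battery staple');
printf "validate(wrong):   %d\n", validate($stored, 'Tr0ub4dor&3');
```

Run it with perl after installing Crypt::SysRandom; the first line shows that two rand() salts drawn after the same srand() are identical, which is the property CVE-2026-47372 is about, while strong_salt has no seed to reproduce. The early return on a length mismatch in constant_time_equal is acceptable here because every SHA-256 digest has the same length; the point that must not be short-circuited is the byte loop, which is what eq does implicitly.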
