Your message dated Fri, 22 May 2026 23:09:17 +0000
with message-id <[email protected]>
and subject line Bug#1137325: fixed in libcatalyst-plugin-authentication-perl 
0.10026-1
has caused the Debian Bug report #1137325,
regarding libcatalyst-plugin-authentication-perl: CVE-2026-5091
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1137325: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137325
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libcatalyst-plugin-authentication-perl
Version: 0.10024-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for 
libcatalyst-plugin-authentication-perl.

CVE-2026-5091[0]:
| Catalyst::Plugin::Authentication versions through 0.10024 for Perl
| is susceptible to timing attacks.  These versions use Perl's built-in
| eq comparison. Discrepancies in timing could be used to guess the
| underlying hash or password.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-5091
    https://www.cve.org/CVERecord?id=CVE-2026-5091
[1] https://lists.security.metacpan.org/cve-announce/msg/40281889/
[2] https://github.com/perl-catalyst/Catalyst-Plugin-Authentication/commit/b0515f492257438cf07082acf1e10d06e8088a5e

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
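
The comparison weakness described in the CVE text above, shown as an added example that is not part of the original messages and is not the upstream fix from [2]: a plain `eq` check beside a comparison that examines every byte. The sub names `check_eq` and `constant_time_eq` and the sample values are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Before: eq may stop at the first differing byte, so the time taken
# depends on how many leading bytes of the guess are correct.
sub check_eq {
    my ($stored, $supplied) = @_;
    return $stored eq $supplied ? 1 : 0;
}

# After: inspect every byte and fold all differences into one value, so the
# work done does not depend on where the first mismatch occurs.
# Lengths are compared first; for fixed-size digests the length is public.
# In an interpreted language this is best effort, not a hard guarantee.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 unless defined $x && defined $y;
    utf8::encode($x) if utf8::is_utf8($x);    # compare bytes, not characters
    utf8::encode($y) if utf8::is_utf8($y);
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1))
        for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Constructed sample data: a stand-in for the stored credential hash
# and three candidate values presented at login.
my $stored = sha256_hex('correct horse');
my @cases  = (
    [ 'match'        => sha256_hex('correct horse') ],
    [ 'other digest' => sha256_hex('wrong guess') ],
    [ 'wrong length' => substr($stored, 0, 10) ],
);

for my $case (@cases) {
    my ($label, $candidate) = @$case;
    printf "%-14s eq=%d constant_time_eq=%d\n",
        $label,
        check_eq($stored, $candidate),
        constant_time_eq($stored, $candidate);
}
```

Both subs return the same verdicts; the difference is only in how much of the input is examined before returning.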
--- Begin Message ---
Source: libcatalyst-plugin-authentication-perl
Source-Version: 0.10026-1
Done: gregor herrmann <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libcatalyst-plugin-authentication-perl, which is due to be installed in the 
Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann <[email protected]> (supplier of updated 
libcatalyst-plugin-authentication-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 23 May 2026 00:50:21 +0200
Source: libcatalyst-plugin-authentication-perl
Architecture: source
Version: 0.10026-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <[email protected]>
Changed-By: gregor herrmann <[email protected]>
Closes: 1137325
Changes:
 libcatalyst-plugin-authentication-perl (0.10026-1) unstable; urgency=medium
 .
   * Team upload.
   * Import upstream version 0.10026.
     - fix password comparison to avoid timing attacks (CVE-2026-5091)
     Closes: #1137325
   * Update years of upstream copyright.
   * Refresh pod-spelling.patch (offset).
   * Declare compliance with Debian Policy 4.7.4.
   * Remove «Rules-Requires-Root: no», which is the current default.
   * Remove «Priority: optional», which is the current default.


--- End Message ---