Your message dated Wed, 01 Jul 2026 15:19:21 +0000
with message-id <[email protected]>
and subject line Bug#1141197: fixed in libcgi-session-perl 4.49-1
has caused the Debian Bug report #1141197,
regarding libcgi-session-perl: CVE-2026-56016
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1141197: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1141197
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libcgi-session-perl
Version: 4.48-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libcgi-session-perl.

CVE-2026-56016[0]:
| CGI::Session::ID::md5 versions before 4.49 for Perl generate
| predictable session ids from low-entropy sources.  The generate_id
| method builds the session id from a MD5 digest of the process id,
| the epoch time, and the built-in rand() function. All three are
| predictable, low-entropy sources: the PID is drawn from a small
| range, the epoch time can be guessed or read from the HTTP Date
| header, and Perl's rand() is unsuitable for security purposes
| because it is predictable and reversible.  An attacker who predicts
| a session id can impersonate the corresponding session and bypass
| authentication.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-56016
    https://www.cve.org/CVERecord?id=CVE-2026-56016
[1] https://lists.security.metacpan.org/cve-announce/msg/41439279/

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libcgi-session-perl
Source-Version: 4.49-1
Done: gregor herrmann <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libcgi-session-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann <[email protected]> (supplier of updated libcgi-session-perl 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 01 Jul 2026 16:50:56 +0200
Source: libcgi-session-perl
Architecture: source
Version: 4.49-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <[email protected]>
Changed-By: gregor herrmann <[email protected]>
Closes: 1141197
Changes:
 libcgi-session-perl (4.49-1) unstable; urgency=medium
 .
   * Import upstream version 4.49.
     - SECURITY: Strengthen cryptographic randomness of MD5 driver,
       CVE-2026-56016
       Closes: #1141197
   * Add test and runtime dependency on libcrypt-sysrandom-perl for the new
     randomness generation.
   * Remove test data only via dh_clean.
   * Update years of packaging copyright.
   * Declare compliance with Debian Policy 4.7.4.
   * Remove «Priority: optional», which is the current default.
   * Drop outdated alternative dependencies.
   * Annotate test-only build dependencies with <!nocheck>.
Checksums-Sha1:
 7c2bd8bd9016e646ad7b182bd50e131030a804c1 2609 libcgi-session-perl_4.49-1.dsc
 7a2aeea23905c8593daf89d2364044bbb3364a1b 92674 
libcgi-session-perl_4.49.orig.tar.gz
 08c8d1a03e184bc62242e6cd7ec9b823775e750e 5904 
libcgi-session-perl_4.49-1.debian.tar.xz
Checksums-Sha256:
 a4b810092721c1dab9b16d05ace7326c7e6bf395083627f38923d4634add0a67 2609 
libcgi-session-perl_4.49-1.dsc
 5fd88a830a35f54526787f036ae5e4a7d14b61c414cd29ad8631bf46e6971207 92674 
libcgi-session-perl_4.49.orig.tar.gz
 48be4cc4213854e52e4ce984d5ca177154b8d419acb0775237330465b421270a 5904 
libcgi-session-perl_4.49-1.debian.tar.xz
Files:
 6dbcc9ca6c8759acbba09ce0d343a380 2609 perl optional 
libcgi-session-perl_4.49-1.dsc
 9c2613f4066495195ee16cdaa9e08166 92674 perl optional 
libcgi-session-perl_4.49.orig.tar.gz
 3be59525eb79bed3ed7109a5355be15b 5904 perl optional 
libcgi-session-perl_4.49-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE0eExbpOnYKgQTYX6uzpoAYZJqgYFAmpFKnlfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEQx
RTEzMTZFOTNBNzYwQTgxMDREODVGQUJCM0E2ODAxODY0OUFBMDYACgkQuzpoAYZJ
qgavHQ/9HmWXv0k7QTLecXWYzjPe3hZvMIsPNTu5ibgjrS/Op4cIcTGW8kW55uQH
8RmUpGxEdmL+BafYdRjGAekb/hHjPYUa0BV8ZDRDwipHNF04bbKQIaNlc2No3D7E
vqZNzSGqNHTs5BENMukrPUUkcXk+86YG24uQ0PQldqepYGfvSOsTCHhmkQBkbSU9
doFMjR9eKow0yscjt+yvyc7Usj5ZKwzMbMXVfg/J7HmrDtOzb04/53BHifUqWIMf
JJTS+qV8z4sPUYqV+t8huy3AzCZSh7HsRW8GHyk/YzgPc+6tg/LS0XY16uPQtNqu
CVLaNSTYOQesHNQY2yJyNvzPBKPmz/Lh/pJYJktUnwLt1sXD4qgnf6fG98e2HX48
tMvHTWOtkg8tli93eLZllfB+URXtJ+i/hWYeyXlnleYJJbewqnJw80cVW8gC40es
AlaBloH60TZVTdV/X0NxE2ZEQXISMe2nJbxof2NVsnr5cEVapr+bst5GgaXQX1xr
8iTBwjqj6ncJE+DR6Ru7fpiGfZRKmE9GkDTqpn53530cxCzBziuwnoRINR6NoAXu
kxaWiOcaw+HwlpHZYrlJaag3hWupKAFGmb6yGtyLVBGRe+15o3KLpgmYA4yi5qmt
2BhSXAVaZNhumx9+HeiDXcHjGS4MCj8wkYiRQ6C2xl2ph0RpXQ0=
=eSVz
-----END PGP SIGNATURE-----

Attachment: pgpeG4fCOzHaL.pgp
Description: PGP signature


--- End Message ---

Reply via email to