Your message dated Mon, 06 Jul 2026 20:24:15 +0000
with message-id <[email protected]>
and subject line Bug#1136091: fixed in libcrypt-passwdmd5-perl 1.44-1
has caused the Debian Bug report #1136091,
regarding libcrypt-passwdmd5-perl: CVE-2026-6659
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1136091: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136091
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libcrypt-passwdmd5-perl
Version: 1.42-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for libcrypt-passwdmd5-perl.
The CVE primarlly I guess will server for documentation. No patch
exist to make it securely generating random values for the salts and
to move away from rand().
CVE-2026-6659[0]:
| Crypt::PasswdMD5 versions through 1.42 for Perl generates insecure
| random values for salts. The built-in rand function is predictable,
| and unsuitable for cryptography.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-6659
https://www.cve.org/CVERecord?id=CVE-2026-6659
[1] https://lists.security.metacpan.org/cve-announce/msg/39857355/
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libcrypt-passwdmd5-perl
Source-Version: 1.44-1
Done: gregor herrmann <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libcrypt-passwdmd5-perl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
gregor herrmann <[email protected]> (supplier of updated
libcrypt-passwdmd5-perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 06 Jul 2026 21:43:40 +0200
Source: libcrypt-passwdmd5-perl
Architecture: source
Version: 1.44-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <[email protected]>
Changed-By: gregor herrmann <[email protected]>
Closes: 1136091
Changes:
libcrypt-passwdmd5-perl (1.44-1) unstable; urgency=medium
.
* Team upload.
.
* Remove libmodule-build-perl from Build-Depends.
This distribution uses ExtUtils::MakeMaker.
.
* Import upstream version 1.44.
- Accept pull request from Paul Howarth to replace use of the
cryptographically weak rand() function with the much stronger
Crypt::URandom::urandom().
CVE-2026-6659
Closes: #1136091
* New dependency: libcrypt-urandom-perl.
* Install new upstream document.
* Declare compliance with Debian Policy 4.7.4.
* Remove «Rules-Requires-Root: no», which is the current default.
* Remove «Priority: optional», which is the current default.
* Annotate test-only build dependencies with <!nocheck>.
* Set upstream metadata fields: Security-Contact.
Checksums-Sha1:
6cc7706333587a40208d993b0f5c26583641395c 2450
libcrypt-passwdmd5-perl_1.44-1.dsc
f8ce01f885df845dfb4d8c625b0edbc91f5c61c7 11819
libcrypt-passwdmd5-perl_1.44.orig.tar.gz
e4ab8f23791410590df3ff19a9b3ce66818ccc4f 3532
libcrypt-passwdmd5-perl_1.44-1.debian.tar.xz
Checksums-Sha256:
635f0cb53c72eb4a13295095e63485d9884a07c9637945770ce5d728ef82fee4 2450
libcrypt-passwdmd5-perl_1.44-1.dsc
136e4f56d291fba61ce9857f3bab3f653106ddbb8cc930543359598d83e40ce7 11819
libcrypt-passwdmd5-perl_1.44.orig.tar.gz
507a55c09cd0d996ebecdfa52cc2a9d4555a8b568d62e00638d6d178b244c0d0 3532
libcrypt-passwdmd5-perl_1.44-1.debian.tar.xz
Files:
9133bc8c46139059a3ed7589b22d601a 2450 perl optional
libcrypt-passwdmd5-perl_1.44-1.dsc
0dbac4dbb09b5f2f17dfdaa1ad2cb25f 11819 perl optional
libcrypt-passwdmd5-perl_1.44.orig.tar.gz
181247fdab13dcd1a9e7e2e6bffad037 3532 perl optional
libcrypt-passwdmd5-perl_1.44-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE0eExbpOnYKgQTYX6uzpoAYZJqgYFAmpMBkFfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEQx
RTEzMTZFOTNBNzYwQTgxMDREODVGQUJCM0E2ODAxODY0OUFBMDYACgkQuzpoAYZJ
qgaCMg/+JGW6fIxUZ9ZnLmGAMBn4KeXluvaNzTZiixYhO5LKVa34nyyhnp0ZVRSa
oUYNbzQgCHNplhgxqOGH4cS6NUGA9y3SLipm96cWIU0pZkAPkbEpLlpV5ufFHr0g
zeICjRmzHGFF51QHBqdKSYdqs071ijNYKI46yTn6GvDywJYNNKhrRwb0hj6KGbKW
ESBkTlrum44WRYpA/FD9+mzkX+ENgxeTiGCfu9yXdUJh6N+h6zO1tjDwkkDq/DHe
+mnbOrEqGt9o+MQ86SvL2aTpsU9MqM461mL9lYEysMeYrRaT9ah9B8s5mqqNkTFp
oy54cRkRO1neysu9BmlcVvg+pR4gZLnuOTF22UCYu6LfLq26sofSv99QMyXWzdo/
KiqQbVMxfMz/dMOTh5O7fjFBuSsZSv1zht6DPs/lxYA+kIMgJLS0x+JOeVT8+VEE
0uXADHAGHBiEDMEhChrX3w8tSkTI9GP+S74hjUcAF+8owtGDe5qHhzg3BRtqXHjR
vk3ZPtAOJ4toAjAs9qQxfKKPiX7mILShcPcfPU3Yn7U+w6V/D1AR4v8MbhNuC4VA
dBExZACTSG3Bt8IkjLZg8fFhCWaJ0gk7u3HV7p+/ISpFC/e02YyJfQEfxEdNxFWH
g+5RnOYqdi2g/QNaeCKnYDzvZtj4VNiY6grvpfopRFM54oUPLsU=
=tPVh
-----END PGP SIGNATURE-----
pgp6keXPlziKT.pgp
Description: PGP signature
--- End Message ---