On 17/06/2019 at 22:44, Raphael Geissert wrote:
> Package: libapache-session-perl
> Version: 1.93-3
> Severity: important
> Tags: security
>
> Hi,
>
> As discussed in oss-security[1], libapache-session-perl uses a poor
> source of entropy in Apache::Session::Generate::MD5. The critical part
> is moving away from rand (e.g. to using urandom), but it would also be
> a good time to update the way the id is generated.
>
> The details are in the oss-sec thread.
>
> [1] https://www.openwall.com/lists/oss-security/2019/06/15/1
>
> Cheers,
Hi all,

lemonldap-ng is not affected by this issue even though it depends on Apache::Session: it uses its own Lemonldap::NG::Common::Apache::Session::Generate::SHA256, which uses Crypt::URandom instead of rand(). This can easily be backported to Apache::Session, but it changes the generated id: SHA256 is longer.

Cheers,
Xavier
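To make the difference between the two approaches in this thread concrete, here is an added example (my own code, not the Apache::Session or Lemonldap::NG implementation) of two session-id generators written in the shape an Apache::Session Generate::* module uses: generate() fills $session->{data}{_session_id} and validate() checks the id's format. The first builds the id the way the bug report describes, rand() output hashed with MD5; the second draws 32 bytes from the kernel CSPRNG through Crypt::URandom's urandom() and hashes them with Digest::SHA's sha256_hex(), which is exactly why the resulting id is longer (64 hex characters instead of 32). The sub names and the %session layout are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example, not code from Apache::Session or Lemonldap::NG.
# Two session-id generators in the interface shape Apache::Session
# expects from a Generate::* module: generate() stores the id in
# $session->{data}{_session_id}, validate() dies on a malformed id.
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);
use Digest::SHA qw(sha256_hex);
use Crypt::URandom qw(urandom);

# Weak variant (the pattern the bug report objects to): rand() is the
# interpreter's non-cryptographic PRNG, so the only other inputs,
# time() and the pid, are all an attacker needs to guess to narrow the
# id down. Hashing with MD5 does not add any entropy.
sub generate_md5_rand {
    my ($session) = @_;
    my $length = $session->{args}{IDLength} || 32;   # assumed arg name
    $session->{data}{_session_id} =
        substr( md5_hex( md5_hex( time() . rand() . $$ ) ), 0, $length );
    return;
}

# Hardened variant: 32 bytes (256 bits) from /dev/urandom or the
# platform equivalent Crypt::URandom selects, then SHA-256 to fix the
# output alphabet and length. The hash is only a formatting step; the
# security comes from urandom(). Output is 64 lowercase hex chars.
sub generate_sha256_urandom {
    my ($session) = @_;
    $session->{data}{_session_id} = sha256_hex( urandom(32) );
    return;
}

# validate() for the SHA-256 variant: exactly 64 lowercase hex chars.
# Anything else (including the 32-char ids of the old generator) dies,
# which is the behaviour Apache::Session generators use for bad ids.
sub validate_sha256 {
    my ($session) = @_;
    my $id = $session->{data}{_session_id};
    die "Invalid session ID: " . ( defined $id ? $id : '<undef>' )
        unless defined $id && $id =~ /\A[a-f0-9]{64}\z/;
    return 1;
}

# Constructed session hash standing in for the Apache::Session object.
my %session = ( args => { IDLength => 32 }, data => {} );

generate_md5_rand( \%session );
printf "md5/rand      (%2d chars): %s\n",
    length $session{data}{_session_id}, $session{data}{_session_id};

generate_sha256_urandom( \%session );
validate_sha256( \%session );
printf "sha256/urandom (%2d chars): %s\n",
    length $session{data}{_session_id}, $session{data}{_session_id};
```

Two points a practitioner backporting this would check: the stricter validate() is what forces the id-length change Xavier mentions, so any store that fixes the id column width or any client that pins the old 32-character format needs updating at the same time; and urandom(32) already yields 256 bits, so a generator could return those bytes hex-encoded directly, with the SHA-256 step kept here only to match the id shape the thread describes.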