On 18/06/2019 at 09:46, Xavier wrote:
> On 17/06/2019 at 22:44, Raphael Geissert wrote:
>> Package: libapache-session-perl
>> Version: 1.93-3
>> Severity: important
>> Tags: security
>>
>> Hi,
>>
>> As discussed in oss-security[1], libapache-session-perl uses a poor
>> source of entropy in Apache::Session::Generate::MD5. The critical part
>> is moving away from rand (e.g. to using urandom), but it would also be
>> a good time to update the way the id is generated.
>>
>> The details are in the oss-sec thread.
>>
>> [1] https://www.openwall.com/lists/oss-security/2019/06/15/1
>>
>> Cheers,
>
> Hi all,
>
> lemonldap-ng is not affected by this issue even if it depends on
> Apache::Session: it uses its own
> Lemonldap::NG::Common::Apache::Session::Generate::SHA256 which uses
> Crypt::URandom instead of rand(). This can be easily backported to
> Apache::Session but changes the generated id: SHA256 is longer.

This is true for lemonldap-ng ≥ 2.0.2 (buster); 1.9.x versions (stretch) are affected by this issue. The fix is referenced here: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1633
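For readers who want to see what the fix Xavier describes looks like in practice, here is an added example of an Apache::Session generator module that takes its entropy from Crypt::URandom rather than rand(). It is not the lemonldap-ng code nor anything from Apache::Session itself; the package name is hypothetical, and the only thing it assumes is the generate()/validate() contract that Apache::Session's built-in generators follow (the id is written to $session->{data}->{_session_id}). How the module is wired into a particular session store is out of scope here.

```perl
#!/usr/bin/perl
# Added example, not lemonldap-ng's or Apache::Session's own code.
# Hypothetical package name: a session-id generator in the style of
# Apache::Session::Generate::MD5, but fed by the OS CSPRNG instead of rand().
package My::Apache::Session::Generate::SHA256;

use strict;
use warnings;
use Crypt::URandom qw(urandom);   # reads /dev/urandom (or the platform equivalent)
use Digest::SHA    qw(sha256_hex);

# Apache::Session calls generate($session) when a new session is created
# and expects the new id in $session->{data}->{_session_id}.
sub generate {
    my ($session) = @_;

    # 32 bytes (256 bits) straight from the CSPRNG. Hashing them adds no
    # security; it only yields a fixed-length lowercase hex id (64 chars),
    # which is why the resulting id is longer than the MD5 generator's.
    $session->{data}->{_session_id} = sha256_hex( urandom(32) );
    return;
}

# Apache::Session calls validate($session) on ids supplied by clients.
# Reject anything that is not exactly 64 hex characters before the store
# is asked to look it up, so malformed input never reaches the backend.
sub validate {
    my ($session) = @_;
    my $id = $session->{data}->{_session_id};

    die "Invalid session ID"
        unless defined $id && $id =~ /\A[0-9a-f]{64}\z/;
    return;
}

# Stand-alone demonstration: generate an id and run it through validate().
unless (caller) {
    my %session = ( data => {} );
    generate( \%session );
    validate( \%session );
    print "session id: $session{data}{_session_id}\n";
}

1;
```

Because urandom() never falls back to Perl's rand(), the id's unpredictability rests on the kernel CSPRNG alone; the strict validate() regex also means that switching generators (here, to a longer id) automatically invalidates any ids of the old format still held by clients, which is a point to plan for when backporting such a change to an existing deployment.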