Source: libcrypt-cbc-perl Version: 3.04-3 Severity: normal Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for libcrypt-cbc-perl. CVE-2025-2814[0]: | Crypt::CBC versions between 1.21 and 3.05 for Perl may use the | rand() function as the default source of entropy, which is not | cryptographically secure, for cryptographic functions. This issue | affects operating systems where "/dev/urandom'" is unavailable. In | that case, Crypt::CBC will fallback to use the insecure rand() | function. Upstream has released a new version 3.07 which fixes it by switching to Crypt::URandom. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2025-2814 https://www.cve.org/CVERecord?id=CVE-2025-2814 [1] https://lists.security.metacpan.org/cve-announce/msg/28699380/ Regards, Salvatore

