Source: libcrypt-saltedhash-perl
Version: 0.09-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for libcrypt-saltedhash-perl.

CVE-2026-47372[0]:
| Crypt::SaltedHash versions through 0.09 for Perl generate insecure
| random values for salts. These versions use the built-in rand
| function, which is predictable and unsuitable for cryptography.

CVE-2026-47373[1]:
| Crypt::SaltedHash versions through 0.09 for Perl are susceptible to
| timing attacks. These versions use Perl's built-in eq comparison.
| Discrepancies in timing could be used to guess the underlying hash.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-47372
    https://www.cve.org/CVERecord?id=CVE-2026-47372
    https://lists.security.metacpan.org/cve-announce/msg/40252126/
    https://github.com/robrwo/perl-Crypt-SaltedHash/commit/9b68437d2cd420b819b3a795474c3870338d38d5
[1] https://security-tracker.debian.org/tracker/CVE-2026-47373
    https://www.cve.org/CVERecord?id=CVE-2026-47373
    https://lists.security.metacpan.org/cve-announce/msg/40249915/
    https://github.com/robrwo/perl-Crypt-SaltedHash/commit/c07bfc5c23185b0667233d0f2e1252d81f1f027a

Regards,
Salvatore
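The two weak patterns named in the CVE descriptions above (a salt drawn from rand, and a hash check done with eq) beside their hardened forms, as an added illustration that is neither Crypt::SaltedHash's own code nor the upstream commits; it assumes the CPAN module Crypt::URandom is installed for CSPRNG bytes, and the helper names (weak_salt, strong_salt, weak_compare, constant_time_compare) are chosen here for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Crypt::URandom qw(urandom);     # CPAN module: bytes from the OS CSPRNG
use Digest::SHA    qw(sha1);        # core module, used only for the demo hash

# Weak pattern (CVE-2026-47372): salt bytes come from Perl's built-in rand(),
# a non-cryptographic PRNG whose output can be reproduced from its seed.
sub weak_salt {
    my ($len) = @_;
    return join '', map { chr(int(rand(256))) } 1 .. $len;
}

# Hardened form: salt bytes come from the OS CSPRNG (/dev/urandom, getrandom(),
# or the platform equivalent, as chosen by Crypt::URandom).
sub strong_salt {
    my ($len) = @_;
    return urandom($len);
}

# Weak pattern (CVE-2026-47373): eq stops at the first mismatching byte, so
# the time taken reveals how many leading bytes of the candidate matched.
sub weak_compare {
    my ($got, $expected) = @_;
    return $got eq $expected;
}

# Hardened form: always walk the full length and fold every byte difference
# into an accumulator, so the running time does not depend on where
# (or whether) the strings differ. A length mismatch is rejected up front,
# which only reveals the length, not the contents.
sub constant_time_compare {
    my ($got, $expected) = @_;
    return 0 if length($got) != length($expected);
    my $diff = 0;
    for my $i (0 .. length($got) - 1) {
        $diff |= ord(substr($got, $i, 1)) ^ ord(substr($expected, $i, 1));
    }
    return $diff == 0;
}

# Demo: store salt . SHA-1(salt . password), then verify without eq.
my $salt   = strong_salt(16);              # hypothetical 16-byte salt
my $stored = $salt . sha1($salt . 'correct horse');
my $check  = sub { substr($stored, 0, 16) . sha1(substr($stored, 0, 16) . $_[0]) };
print constant_time_compare($check->('correct horse'), $stored) ? "match\n" : "no match\n";
print constant_time_compare($check->('wrong'),         $stored) ? "match\n" : "no match\n";
```

Running the script prints "match" then "no match"; weak_salt and weak_compare are kept only to show the pattern the advisory describes and should not be used.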

