-------------------------------------------------------------------------
Debian LTS Advisory DLA-4120-1                          [email protected]
https://www.debian.org/lts/security/                      Andrej Shadura
April 08, 2025                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : libnet-easytcp-perl
Version        : 0.26-6+deb11u1
CVE ID         : CVE-2024-56830

The Net::EasyTCP Perl module includes encryption functionality that
requires a secure random number generator. Up to and including version
0.26, this module used a random number generator without any such
guarantees. The reason for this was that it relied on Crypt::Random, a
Perl module not available in Debian, and fell back to the insecure rand()
built-in, so only a tiny fraction of its users who had Crypt::Random
installed from CPAN used a suitable random number generator.

For Debian 11 bullseye, this problem has been fixed in version
0.26-6+deb11u1. The fallback to rand() has been removed, and the module
will use Bytes::Random::Secure to get random numbers, which has been made
a mandatory dependency. In the unlikely event Bytes::Random::Secure is
still unavailable (e.g. manually removed), Net::EasyTCP will crash rather
than use an insecure random number generator.

We recommend that you upgrade your libnet-easytcp-perl packages.

For the detailed security status of libnet-easytcp-perl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libnet-easytcp-perl

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
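
The pattern the advisory describes, as an added illustration: this is not Net::EasyTCP's source or the Debian patch, and the sub names are hypothetical. It puts an optional-CSPRNG-with-rand()-fallback next to a fail-closed version, and shows that rand() output is fully determined by its seed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed illustration; sub names are hypothetical, not the module's.

# BEFORE: optional strong source, silent fallback to the built-in rand().
sub key_with_fallback {
    my ($len) = @_;
    if (eval { require Crypt::Random; 1 }) {
        return Crypt::Random::makerandom_octet(Length => $len, Strength => 0);
    }
    # Reached on any system without Crypt::Random: rand() is a
    # deterministic PRNG whose whole output follows from its seed.
    return join '', map { chr int rand 256 } 1 .. $len;
}

# AFTER: one mandatory CSPRNG; a missing module is fatal, never downgraded.
sub key_fail_closed {
    my ($len) = @_;
    require Bytes::Random::Secure;    # dies if the module is absent
    return Bytes::Random::Secure::random_bytes($len);
}

# Why the fallback matters: the same seed reproduces the same "key".
sub rand_key_for_seed {
    my ($seed, $len) = @_;
    srand($seed);
    return join '', map { chr int rand 256 } 1 .. $len;
}

# Seed 1234 is a constructed sample value.
my $first  = unpack 'H*', rand_key_for_seed(1234, 16);
my $second = unpack 'H*', rand_key_for_seed(1234, 16);
print "rand() key, seed 1234: $first\n";
print "rand() key, seed 1234: $second\n";
print "identical: ", ($first eq $second ? "yes" : "no"), "\n";

# The fail-closed path either returns CSPRNG bytes or raises an error.
my $key = eval { key_fail_closed(16) };
if (defined $key) {
    print "CSPRNG key: ", unpack('H*', $key), "\n";
} else {
    print "refused to generate a key: $@";
}
```

To check which path a given host would take, `perl -MBytes::Random::Secure -e1` exits non-zero when the module is missing.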
