Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected],
[email protected], [email protected], [email protected],
[email protected]
Control: affects -1 + src:libcrypt-pbkdf2-perl
User: [email protected]
Usertags: pu
Hi
[ Reason ]
libcrypt-pbkdf2-perl recently got 3 CVE assigned, CVE-2026-9641,
CVE-2026-9638, CVE-2017-20240. The packae did not got touched for
almost a decade so the CVEs are as well about updating from weak
algorithm and low number of iterations.
I'm a bit unsure if this really should be backported to older series,
thus X-Debbugs-CC as well debian-lts for bookworm and older.
On the other hand rand() is not cryptographically secure, so there
might be enough reasoning wanting to fix things in the older suites,
*but* libcrypt-pbkdf2-perl might even be less wider used the way back,
see https://qa.debian.org/popcon.php?package=libcrypt-pbkdf2-perl .
[ Impact ]
Crypt::PBKDF2 will use wak default algorithm and number of iterations,
generate insecure random values for salts, and can be vulnerable to
timing attacks.
[ Tests ]
Test suite is run successfully, additionally triggered a debusine work
request:
https://debusine.debian.net/debian/developers/work-request/839364/
[ Risks ]
Following upstream on all changes fairly low I would say at least for
the newer suites. For making salts switch to using Crypt::URandom and
thus needing new (Build-)Dependency.
[ Checklist ]
[x] *all* changes are documented in the d/changelog (see below)
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
As per upstream addressing the assigned CVEs
(Explain *all* the changes)
[ Other info ]
Switching to the new upstreeam version introduces as well bit of
updated metadata on upstream side, but switching as well from
Makefile.PL to Build.PL, and introducing a new build-dependency on
libmodule-build-tiny-perl .
I reverted from the unstable version though in particular:
* Revert "Annotate test-only build dependencies with <!nocheck>."
* Revert "Remove «Priority: optional», which is the current default."
* Revert "Declare compliance with Debian Policy 4.7.4."
I have *not* uploaded, as I would like to hear from you (SRM) if you
are fine with this approach or if you prefer that the single changes
get cherry picked.
Regards,
Salvatore
diff -Nru libcrypt-pbkdf2-perl-0.161520/Build.PL
libcrypt-pbkdf2-perl-0.261630/Build.PL
--- libcrypt-pbkdf2-perl-0.161520/Build.PL 1970-01-01 01:00:00.000000000
+0100
+++ libcrypt-pbkdf2-perl-0.261630/Build.PL 2026-06-12 03:00:50.000000000
+0200
@@ -0,0 +1,9 @@
+# This Build.PL for Crypt-PBKDF2 was generated by
Dist::Zilla::Plugin::ModuleBuildTiny 0.020.
+use strict;
+use warnings;
+
+
+use 5.006;
+use Module::Build::Tiny 0.034;
+Build_PL();
+
diff -Nru libcrypt-pbkdf2-perl-0.161520/Changes
libcrypt-pbkdf2-perl-0.261630/Changes
--- libcrypt-pbkdf2-perl-0.161520/Changes 2016-05-31 20:55:01.000000000
+0200
+++ libcrypt-pbkdf2-perl-0.261630/Changes 2026-06-12 03:00:50.000000000
+0200
@@ -1,5 +1,15 @@
Changes for Crypt::PBKDF2
+Version 0.261630: 2026-06-11
+ * Change the default hash algorithm to HMAC-SHA256, and increase the
+ default number of iterations to 600,000, in line with current OWASP
+ recommendations (CVE-2026-9641).
+ * Generate salts using Crypt::URandom (a strong system RNG) instead of
+ perl's builtin `rand()`, which is not cryptographically secure
+ (CVE-2026-9638).
+ * Use a constant-time comparison in `validate` to avoid timing attacks
+ (CVE-2017-20240).
+
Version 0.161520: 2016-05-31
* Require an up-to-date Types::Standard to prevent errors about ConsumerOf
and Enum not being found on installation. There is no need to upgrade if
diff -Nru libcrypt-pbkdf2-perl-0.161520/LICENSE
libcrypt-pbkdf2-perl-0.261630/LICENSE
--- libcrypt-pbkdf2-perl-0.161520/LICENSE 2016-05-31 20:55:01.000000000
+0200
+++ libcrypt-pbkdf2-perl-0.261630/LICENSE 2026-06-12 03:00:50.000000000
+0200
@@ -1,4 +1,4 @@
-This software is copyright (c) 2016 by Andrew Rodland.
+This software is copyright (c) 2026 by Andrew Rodland.
This is free software; you can redistribute it and/or modify it under
the same terms as the Perl 5 programming language system itself.
@@ -12,7 +12,7 @@
--- The GNU General Public License, Version 1, February 1989 ---
-This software is Copyright (c) 2016 by Andrew Rodland.
+This software is Copyright (c) 2026 by Andrew Rodland.
This is free software, licensed under:
@@ -22,7 +22,7 @@
Version 1, February 1989
Copyright (C) 1989 Free Software Foundation, Inc.
- 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ <https://fsf.org/>
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
@@ -236,8 +236,7 @@
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston MA 02110-1301
USA
+ along with this program; if not, see <https://www.gnu.org/licenses/>.
Also add information on how to contact you by electronic and paper mail.
@@ -264,116 +263,149 @@
program `Gnomovision' (a program to direct compilers to make passes
at assemblers) written by James Hacker.
- <signature of Ty Coon>, 1 April 1989
- Ty Coon, President of Vice
+ <signature of Moe Ghoul>, 1 April 1989
+ Moe Ghoul, President of Vice
That's all there is to it!
---- The Artistic License 1.0 ---
+--- The Perl Artistic License 1.0 ---
-This software is Copyright (c) 2016 by Andrew Rodland.
+This software is Copyright (c) 2026 by Andrew Rodland.
This is free software, licensed under:
- The Artistic License 1.0
+ The Perl Artistic License 1.0
-The Artistic License
-Preamble
-The intent of this document is to state the conditions under which a Package
-may be copied, such that the Copyright Holder maintains some semblance of
-artistic control over the development of the package, while giving the users of
-the package the right to use and distribute the Package in a more-or-less
-customary fashion, plus the right to make reasonable modifications.
+
+
+ The "Artistic License"
+
+ Preamble
+
+The intent of this document is to state the conditions under which a
+Package may be copied, such that the Copyright Holder maintains some
+semblance of artistic control over the development of the package,
+while giving the users of the package the right to use and distribute
+the Package in a more-or-less customary fashion, plus the right to make
+reasonable modifications.
Definitions:
- - "Package" refers to the collection of files distributed by the Copyright
- Holder, and derivatives of that collection of files created through
- textual modification.
- - "Standard Version" refers to such a Package if it has not been modified,
- or has been modified in accordance with the wishes of the Copyright
- Holder.
- - "Copyright Holder" is whoever is named in the copyright or copyrights for
- the package.
- - "You" is you, if you're thinking about copying or distributing this
Package.
- - "Reasonable copying fee" is whatever you can justify on the basis of media
- cost, duplication charges, time of people involved, and so on. (You will
- not be required to justify it to the Copyright Holder, but only to the
- computing community at large as a market that must bear the fee.)
- - "Freely Available" means that no fee is charged for the item itself, though
- there may be fees involved in handling the item. It also means that
- recipients of the item may redistribute it under the same conditions they
- received it.
+ "Package" refers to the collection of files distributed by the
+ Copyright Holder, and derivatives of that collection of files
+ created through textual modification.
+
+ "Standard Version" refers to such a Package if it has not been
+ modified, or has been modified in accordance with the wishes
+ of the Copyright Holder as specified below.
+
+ "Copyright Holder" is whoever is named in the copyright or
+ copyrights for the package.
+
+ "You" is you, if you're thinking about copying or distributing
+ this Package.
+
+ "Reasonable copying fee" is whatever you can justify on the
+ basis of media cost, duplication charges, time of people involved,
+ and so on. (You will not be required to justify it to the
+ Copyright Holder, but only to the computing community at large
+ as a market that must bear the fee.)
+
+ "Freely Available" means that no fee is charged for the item
+ itself, though there may be fees involved in handling the item.
+ It also means that recipients of the item may redistribute it
+ under the same conditions they received it.
1. You may make and give away verbatim copies of the source form of the
Standard Version of this Package without restriction, provided that you
duplicate all of the original copyright notices and associated disclaimers.
-2. You may apply bug fixes, portability fixes and other modifications derived
-from the Public Domain or from the Copyright Holder. A Package modified in such
-a way shall still be considered the Standard Version.
-
-3. You may otherwise modify your copy of this Package in any way, provided that
-you insert a prominent notice in each changed file stating how and when you
-changed that file, and provided that you do at least ONE of the following:
-
- a) place your modifications in the Public Domain or otherwise make them
- Freely Available, such as by posting said modifications to Usenet or an
- equivalent medium, or placing the modifications on a major archive site
- such as ftp.uu.net, or by allowing the Copyright Holder to include your
- modifications in the Standard Version of the Package.
-
- b) use the modified Package only within your corporation or organization.
-
- c) rename any non-standard executables so the names do not conflict with
- standard executables, which must also be provided, and provide a separate
- manual page for each non-standard executable that clearly documents how it
- differs from the Standard Version.
-
- d) make other distribution arrangements with the Copyright Holder.
-
-4. You may distribute the programs of this Package in object code or executable
-form, provided that you do at least ONE of the following:
-
- a) distribute a Standard Version of the executables and library files,
- together with instructions (in the manual page or equivalent) on where to
- get the Standard Version.
-
- b) accompany the distribution with the machine-readable source of the Package
- with your modifications.
-
- c) accompany any non-standard executables with their corresponding Standard
- Version executables, giving the non-standard executables non-standard
- names, and clearly documenting the differences in manual pages (or
- equivalent), together with instructions on where to get the Standard
- Version.
+2. You may apply bug fixes, portability fixes and other modifications
+derived from the Public Domain or from the Copyright Holder. A Package
+modified in such a way shall still be considered the Standard Version.
- d) make other distribution arrangements with the Copyright Holder.
+3. You may otherwise modify your copy of this Package in any way, provided
+that you insert a prominent notice in each changed file stating how and
+when you changed that file, and provided that you do at least ONE of the
+following:
-5. You may charge a reasonable copying fee for any distribution of this
-Package. You may charge any fee you choose for support of this Package. You
-may not charge a fee for this Package itself. However, you may distribute this
-Package in aggregate with other (possibly commercial) programs as part of a
-larger (possibly commercial) software distribution provided that you do not
-advertise this Package as a product of your own.
-
-6. The scripts and library files supplied as input to or produced as output
-from the programs of this Package do not automatically fall under the copyright
-of this Package, but belong to whomever generated them, and may be sold
-commercially, and may be aggregated with this Package.
+ a) place your modifications in the Public Domain or otherwise make them
+ Freely Available, such as by posting said modifications to Usenet or
+ an equivalent medium, or placing the modifications on a major archive
+ site such as uunet.uu.net, or by allowing the Copyright Holder to include
+ your modifications in the Standard Version of the Package.
+
+ b) use the modified Package only within your corporation or organization.
+
+ c) rename any non-standard executables so the names do not conflict
+ with standard executables, which must also be provided, and provide
+ a separate manual page for each non-standard executable that clearly
+ documents how it differs from the Standard Version.
-7. C or perl subroutines supplied by you and linked into this Package shall not
-be considered part of this Package.
+ d) make other distribution arrangements with the Copyright Holder.
+
+4. You may distribute the programs of this Package in object code or
+executable form, provided that you do at least ONE of the following:
+
+ a) distribute a Standard Version of the executables and library files,
+ together with instructions (in the manual page or equivalent) on where
+ to get the Standard Version.
+
+ b) accompany the distribution with the machine-readable source of
+ the Package with your modifications.
+
+ c) give non-standard executables non-standard names, and clearly
+ document the differences in manual pages (or equivalent), together
+ with instructions on where to get the Standard Version.
+
+ d) make other distribution arrangements with the Copyright Holder.
+
+5. You may charge a reasonable copying fee for any distribution of this
+Package. You may charge any fee you choose for support of this
+Package. You may not charge a fee for this Package itself. However,
+you may distribute this Package in aggregate with other (possibly
+commercial) programs as part of a larger (possibly commercial) software
+distribution provided that you do not advertise this Package as a
+product of your own. You may embed this Package's interpreter within
+an executable of yours (by linking); this shall be construed as a mere
+form of aggregation, provided that the complete Standard Version of the
+interpreter is so embedded.
+
+6. The scripts and library files supplied as input to or produced as
+output from the programs of this Package do not automatically fall
+under the copyright of this Package, but belong to whoever generated
+them, and may be sold commercially, and may be aggregated with this
+Package. If such scripts or library files are aggregated with this
+Package via the so-called "undump" or "unexec" methods of producing a
+binary executable image, then distribution of such an image shall
+neither be construed as a distribution of this Package nor shall it
+fall under the restrictions of Paragraphs 3 and 4, provided that you do
+not represent such an executable image as a Standard Version of this
+Package.
+
+7. C subroutines (or comparably compiled subroutines in other
+languages) supplied by you and linked into this Package in order to
+emulate subroutines and variables of the language defined by this
+Package shall not be considered part of this Package, but are the
+equivalent of input as in Paragraph 6, provided these subroutines do
+not change the language in any way that would cause it to fail the
+regression tests for the language.
+
+8. Aggregation of this Package with a commercial distribution is always
+permitted provided that the use of this Package is embedded; that is,
+when no overt attempt is made to make this Package's interfaces visible
+to the end user of the commercial distribution. Such use shall not be
+construed as a distribution of this Package.
-8. The name of the Copyright Holder may not be used to endorse or promote
+9. The name of the Copyright Holder may not be used to endorse or promote
products derived from this software without specific prior written permission.
-9. THIS PACKAGE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED
-WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
-MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+10. THIS PACKAGE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR
+IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
-The End
+ The End
diff -Nru libcrypt-pbkdf2-perl-0.161520/MANIFEST
libcrypt-pbkdf2-perl-0.261630/MANIFEST
--- libcrypt-pbkdf2-perl-0.161520/MANIFEST 2016-05-31 20:55:01.000000000
+0200
+++ libcrypt-pbkdf2-perl-0.261630/MANIFEST 2026-06-12 03:00:50.000000000
+0200
@@ -1,10 +1,12 @@
-# This file was automatically generated by Dist::Zilla::Plugin::Manifest
v5.043.
+# This file was automatically generated by Dist::Zilla::Plugin::Manifest v6.037
+Build.PL
Changes
LICENSE
MANIFEST
MANIFEST.SKIP
+META.json
META.yml
-Makefile.PL
+README
dist.ini
lib/Crypt/PBKDF2.pm
lib/Crypt/PBKDF2/Hash.pm
diff -Nru libcrypt-pbkdf2-perl-0.161520/META.json
libcrypt-pbkdf2-perl-0.261630/META.json
--- libcrypt-pbkdf2-perl-0.161520/META.json 1970-01-01 01:00:00.000000000
+0100
+++ libcrypt-pbkdf2-perl-0.261630/META.json 2026-06-12 03:00:50.000000000
+0200
@@ -0,0 +1,80 @@
+{
+ "abstract" : "The PBKDF2 password hash algorithm",
+ "author" : [
+ "Andrew Rodland <[email protected]>"
+ ],
+ "dynamic_config" : 0,
+ "generated_by" : "Dist::Zilla version 6.037, CPAN::Meta::Converter version
2.150010",
+ "license" : [
+ "perl_5"
+ ],
+ "meta-spec" : {
+ "url" : "http://search.cpan.org/perldoc?CPAN::Meta::Spec";,
+ "version" : 2
+ },
+ "name" : "Crypt-PBKDF2",
+ "no_index" : {
+ "directory" : [
+ "t"
+ ]
+ },
+ "prereqs" : {
+ "configure" : {
+ "requires" : {
+ "Module::Build::Tiny" : "0.034"
+ }
+ },
+ "runtime" : {
+ "requires" : {
+ "Carp" : "0",
+ "Crypt::URandom" : "0",
+ "Digest" : "1.16",
+ "Digest::HMAC" : "1.01",
+ "Digest::SHA" : "0",
+ "Digest::SHA3" : "0.22",
+ "MIME::Base64" : "0",
+ "Module::Runtime" : "0",
+ "Moo" : "2",
+ "Moo::Role" : "2",
+ "Scalar::Util" : "0",
+ "Try::Tiny" : "0.04",
+ "Type::Tiny" : "0",
+ "Types::Standard" : "1.000005",
+ "namespace::autoclean" : "0",
+ "strictures" : "2"
+ }
+ },
+ "test" : {
+ "requires" : {
+ "Encode" : "0",
+ "Test::Fatal" : "0",
+ "Test::More" : "0",
+ "constant" : "0",
+ "strict" : "0",
+ "warnings" : "0"
+ }
+ }
+ },
+ "release_status" : "stable",
+ "resources" : {
+ "bugtracker" : {
+ "mailto" : "[email protected]",
+ "web" :
"https://rt.cpan.org/Public/Dist/Display.html?Name=Crypt-PBKDF2";
+ },
+ "homepage" : "http://metacpan.org/release/Crypt-PBKDF2";,
+ "license" : [
+ "http://dev.perl.org/licenses/";
+ ],
+ "repository" : {
+ "type" : "git",
+ "url" : "git://github.com/arodland/Crypt-PBKDF2.git",
+ "web" : "http://github.com/arodland/Crypt-PBKDF2";
+ }
+ },
+ "version" : "0.261630",
+ "x_authority" : "cpan:ARODLAND",
+ "x_generated_by_perl" : "v5.42.2",
+ "x_serialization_backend" : "Cpanel::JSON::XS version 4.42",
+ "x_spdx_expression" : "Artistic-1.0-Perl OR GPL-1.0-or-later"
+}
+
diff -Nru libcrypt-pbkdf2-perl-0.161520/META.yml
libcrypt-pbkdf2-perl-0.261630/META.yml
--- libcrypt-pbkdf2-perl-0.161520/META.yml 2016-05-31 20:55:01.000000000
+0200
+++ libcrypt-pbkdf2-perl-0.261630/META.yml 2026-06-12 03:00:50.000000000
+0200
@@ -1,7 +1,7 @@
---
abstract: 'The PBKDF2 password hash algorithm'
author:
- - 'Andrew Rodland <[email protected]>'
+ - 'Andrew Rodland <[email protected]>'
build_requires:
Encode: '0'
Test::Fatal: '0'
@@ -10,9 +10,9 @@
strict: '0'
warnings: '0'
configure_requires:
- ExtUtils::MakeMaker: '0'
+ Module::Build::Tiny: '0.034'
dynamic_config: 0
-generated_by: 'Dist::Zilla version 5.043, CPAN::Meta::Converter version
2.150005'
+generated_by: 'Dist::Zilla version 6.037, CPAN::Meta::Converter version
2.150010'
license: perl
meta-spec:
url: http://module-build.sourceforge.net/META-spec-v1.4.html
@@ -23,6 +23,7 @@
- t
requires:
Carp: '0'
+ Crypt::URandom: '0'
Digest: '1.16'
Digest::HMAC: '1.01'
Digest::SHA: '0'
@@ -42,5 +43,8 @@
homepage: http://metacpan.org/release/Crypt-PBKDF2
license: http://dev.perl.org/licenses/
repository: git://github.com/arodland/Crypt-PBKDF2.git
-version: '0.161520'
+version: '0.261630'
x_authority: cpan:ARODLAND
+x_generated_by_perl: v5.42.2
+x_serialization_backend: 'YAML::Tiny version 1.76'
+x_spdx_expression: 'Artistic-1.0-Perl OR GPL-1.0-or-later'
diff -Nru libcrypt-pbkdf2-perl-0.161520/Makefile.PL
libcrypt-pbkdf2-perl-0.261630/Makefile.PL
--- libcrypt-pbkdf2-perl-0.161520/Makefile.PL 2016-05-31 20:55:01.000000000
+0200
+++ libcrypt-pbkdf2-perl-0.261630/Makefile.PL 1970-01-01 01:00:00.000000000
+0100
@@ -1,84 +0,0 @@
-# This file was automatically generated by Dist::Zilla::Plugin::MakeMaker
v5.043.
-use strict;
-use warnings;
-
-
-
-use ExtUtils::MakeMaker;
-
-my %WriteMakefileArgs = (
- "ABSTRACT" => "The PBKDF2 password hash algorithm",
- "AUTHOR" => "Andrew Rodland <arodland\@cpan.org>",
- "CONFIGURE_REQUIRES" => {
- "ExtUtils::MakeMaker" => 0
- },
- "DISTNAME" => "Crypt-PBKDF2",
- "LICENSE" => "perl",
- "NAME" => "Crypt::PBKDF2",
- "PREREQ_PM" => {
- "Carp" => 0,
- "Digest" => "1.16",
- "Digest::HMAC" => "1.01",
- "Digest::SHA" => 0,
- "Digest::SHA3" => "0.22",
- "MIME::Base64" => 0,
- "Module::Runtime" => 0,
- "Moo" => 2,
- "Moo::Role" => 2,
- "Scalar::Util" => 0,
- "Try::Tiny" => "0.04",
- "Type::Tiny" => 0,
- "Types::Standard" => "1.000005",
- "namespace::autoclean" => 0,
- "strictures" => 2
- },
- "TEST_REQUIRES" => {
- "Encode" => 0,
- "Test::Fatal" => 0,
- "Test::More" => 0,
- "constant" => 0,
- "strict" => 0,
- "warnings" => 0
- },
- "VERSION" => "0.161520",
- "test" => {
- "TESTS" => "t/*.t"
- }
-);
-
-
-my %FallbackPrereqs = (
- "Carp" => 0,
- "Digest" => "1.16",
- "Digest::HMAC" => "1.01",
- "Digest::SHA" => 0,
- "Digest::SHA3" => "0.22",
- "Encode" => 0,
- "MIME::Base64" => 0,
- "Module::Runtime" => 0,
- "Moo" => 2,
- "Moo::Role" => 2,
- "Scalar::Util" => 0,
- "Test::Fatal" => 0,
- "Test::More" => 0,
- "Try::Tiny" => "0.04",
- "Type::Tiny" => 0,
- "Types::Standard" => "1.000005",
- "constant" => 0,
- "namespace::autoclean" => 0,
- "strict" => 0,
- "strictures" => 2,
- "warnings" => 0
-);
-
-
-unless ( eval { ExtUtils::MakeMaker->VERSION(6.63_03) } ) {
- delete $WriteMakefileArgs{TEST_REQUIRES};
- delete $WriteMakefileArgs{BUILD_REQUIRES};
- $WriteMakefileArgs{PREREQ_PM} = \%FallbackPrereqs;
-}
-
-delete $WriteMakefileArgs{CONFIGURE_REQUIRES}
- unless eval { ExtUtils::MakeMaker->VERSION(6.52) };
-
-WriteMakefile(%WriteMakefileArgs);
diff -Nru libcrypt-pbkdf2-perl-0.161520/README
libcrypt-pbkdf2-perl-0.261630/README
--- libcrypt-pbkdf2-perl-0.161520/README 1970-01-01 01:00:00.000000000
+0100
+++ libcrypt-pbkdf2-perl-0.261630/README 2026-06-12 03:00:50.000000000
+0200
@@ -0,0 +1,12 @@
+This archive contains the distribution Crypt-PBKDF2,
+version 0.261630:
+
+ The PBKDF2 password hash algorithm
+
+This software is copyright (c) 2026 by Andrew Rodland.
+
+This is free software; you can redistribute it and/or modify it under
+the same terms as the Perl 5 programming language system itself.
+
+
+This README file was generated by Dist::Zilla::Plugin::Readme v6.037.
diff -Nru libcrypt-pbkdf2-perl-0.161520/debian/changelog
libcrypt-pbkdf2-perl-0.261630/debian/changelog
--- libcrypt-pbkdf2-perl-0.161520/debian/changelog 2022-06-12
23:28:53.000000000 +0200
+++ libcrypt-pbkdf2-perl-0.261630/debian/changelog 2026-06-13
09:43:05.000000000 +0200
@@ -1,3 +1,32 @@
+libcrypt-pbkdf2-perl (0.261630-1~deb13u1) trixie; urgency=medium
+
+ * Rebuild for trixie
+ * Revert "Annotate test-only build dependencies with <!nocheck>."
+ * Revert "Remove «Priority: optional», which is the current default."
+ * Revert "Declare compliance with Debian Policy 4.7.4."
+
+ -- Salvatore Bonaccorso <[email protected]> Sat, 13 Jun 2026 09:43:05 +0200
+
+libcrypt-pbkdf2-perl (0.261630-1) unstable; urgency=medium
+
+ * Team upload.
+ * Import upstream version 0.261630.
+ - Change the default hash algorithm to HMAC-SHA256, and increase the
+ default number of iterations to 600,000 (CVE-2026-9641).
+ - Generate salts using Crypt::URandom instead of perl's builtin `rand()`
+ (CVE-2026-9638).
+ - Use a constant-time comparison in `validate` to avoid timing attacks
+ (CVE-2017-20240).
+ Closes: #1139867
+ * Update debian/upstream/metadata.
+ * Update years of upstream copyright.
+ * debian/control: update build/test/runtime dependencies.
+ * Declare compliance with Debian Policy 4.7.4.
+ * Remove «Priority: optional», which is the current default.
+ * Annotate test-only build dependencies with <!nocheck>.
+
+ -- gregor herrmann <[email protected]> Sat, 13 Jun 2026 00:01:11 +0200
+
libcrypt-pbkdf2-perl (0.161520-2) unstable; urgency=medium
[ Damyan Ivanov ]
diff -Nru libcrypt-pbkdf2-perl-0.161520/debian/control
libcrypt-pbkdf2-perl-0.261630/debian/control
--- libcrypt-pbkdf2-perl-0.161520/debian/control 2022-06-12
23:28:53.000000000 +0200
+++ libcrypt-pbkdf2-perl-0.261630/debian/control 2026-06-13
09:43:05.000000000 +0200
@@ -5,8 +5,10 @@
Uploaders:
Russ Allbery <[email protected]>,
Salvatore Bonaccorso <[email protected]>
-Build-Depends: debhelper-compat (= 13)
+Build-Depends: debhelper-compat (= 13),
+ libmodule-build-tiny-perl
Build-Depends-Indep:
+ libcrypt-urandom-perl,
libdigest-hmac-perl,
libdigest-sha3-perl,
libmodule-runtime-perl,
@@ -26,6 +28,7 @@
Package: libcrypt-pbkdf2-perl
Architecture: all
Depends:
+ libcrypt-urandom-perl,
libdigest-hmac-perl,
libdigest-sha3-perl,
libmodule-runtime-perl,
diff -Nru libcrypt-pbkdf2-perl-0.161520/debian/copyright
libcrypt-pbkdf2-perl-0.261630/debian/copyright
--- libcrypt-pbkdf2-perl-0.161520/debian/copyright 2022-06-12
23:28:53.000000000 +0200
+++ libcrypt-pbkdf2-perl-0.261630/debian/copyright 2026-06-13
09:43:05.000000000 +0200
@@ -4,7 +4,7 @@
Upstream-Name: Crypt-PBKDF2
Files: *
-Copyright: 2013-2016, Andrew Rodland <[email protected]>
+Copyright: 2013-2026, Andrew Rodland <[email protected]>
License: Artistic or GPL-1+
Files: debian/*
diff -Nru libcrypt-pbkdf2-perl-0.161520/debian/upstream/metadata
libcrypt-pbkdf2-perl-0.261630/debian/upstream/metadata
--- libcrypt-pbkdf2-perl-0.161520/debian/upstream/metadata 2022-06-12
23:28:53.000000000 +0200
+++ libcrypt-pbkdf2-perl-0.261630/debian/upstream/metadata 2026-06-13
09:43:05.000000000 +0200
@@ -1,6 +1,6 @@
---
Archive: CPAN
Bug-Database: https://rt.cpan.org/Public/Dist/Display.html?Name=Crypt-PBKDF2
-Homepage: http://metacpan.org/release/Crypt-PBKDF2
+Bug-Submit: [email protected]
Repository: https://github.com/arodland/Crypt-PBKDF2.git
Repository-Browse: https://github.com/arodland/Crypt-PBKDF2
diff -Nru libcrypt-pbkdf2-perl-0.161520/dist.ini
libcrypt-pbkdf2-perl-0.261630/dist.ini
--- libcrypt-pbkdf2-perl-0.161520/dist.ini 2016-05-31 20:55:01.000000000
+0200
+++ libcrypt-pbkdf2-perl-0.261630/dist.ini 2026-06-12 03:00:50.000000000
+0200
@@ -1,5 +1,5 @@
name = Crypt-PBKDF2
-author = Andrew Rodland <[email protected]>
+author = Andrew Rodland <[email protected]>
license = Perl_5
copyright_holder = Andrew Rodland
abstract = The PBKDF2 password hash algorithm
diff -Nru libcrypt-pbkdf2-perl-0.161520/lib/Crypt/PBKDF2/Hash/DigestHMAC.pm
libcrypt-pbkdf2-perl-0.261630/lib/Crypt/PBKDF2/Hash/DigestHMAC.pm
--- libcrypt-pbkdf2-perl-0.161520/lib/Crypt/PBKDF2/Hash/DigestHMAC.pm
2016-05-31 20:55:01.000000000 +0200
+++ libcrypt-pbkdf2-perl-0.261630/lib/Crypt/PBKDF2/Hash/DigestHMAC.pm
2026-06-12 03:00:50.000000000 +0200
@@ -1,6 +1,6 @@
package Crypt::PBKDF2::Hash::DigestHMAC;
# ABSTRACT: Digest::HMAC hash support for Crypt::PBKDF2.
-our $VERSION = '0.161520'; # VERSION
+our $VERSION = '0.261630'; # VERSION
our $AUTHORITY = 'cpan:ARODLAND'; # AUTHORITY
use Moo 2;
use strictures 2;
@@ -79,12 +79,12 @@
=head1 VERSION
-version 0.161520
+version 0.261630
=head1 DESCRIPTION
Uses L<Digest::HMAC> to make nearly any L<Digest>-compatible module
-compatible with L<Crypt::PKBDF2> by driving it with the standard HMAC
+compatible with L<Crypt::PBKDF2> by driving it with the standard HMAC
algorithm to combine the key and the data.
=head1 ATTRIBUTES
@@ -95,11 +95,11 @@
=head1 AUTHOR
-Andrew Rodland <[email protected]>
+Andrew Rodland <[email protected]>
=head1 COPYRIGHT AND LICENSE
-This software is copyright (c) 2016 by Andrew Rodland.
+This software is copyright (c) 2026 by Andrew Rodland.
This is free software; you can redistribute it and/or modify it under
the same terms as the Perl 5 programming language system itself.
diff -Nru libcrypt-pbkdf2-perl-0.161520/lib/Crypt/PBKDF2/Hash/HMACSHA1.pm
libcrypt-pbkdf2-perl-0.261630/lib/Crypt/PBKDF2/Hash/HMACSHA1.pm
--- libcrypt-pbkdf2-perl-0.161520/lib/Crypt/PBKDF2/Hash/HMACSHA1.pm
2016-05-31 20:55:01.000000000 +0200
+++ libcrypt-pbkdf2-perl-0.261630/lib/Crypt/PBKDF2/Hash/HMACSHA1.pm
2026-06-12 03:00:50.000000000 +0200
@@ -1,6 +1,6 @@
package Crypt::PBKDF2::Hash::HMACSHA1;
# ABSTRACT: HMAC-SHA1 support for Crypt::PBKDF2 using Digest::SHA
-our $VERSION = '0.161520'; # VERSION
+our $VERSION = '0.261630'; # VERSION
our $AUTHORITY = 'cpan:ARODLAND'; # AUTHORITY
use Moo 2;
use strictures 2;
@@ -41,7 +41,7 @@
=head1 VERSION
-version 0.161520
+version 0.261630
=head1 DESCRIPTION
@@ -50,11 +50,11 @@
=head1 AUTHOR
-Andrew Rodland <[email protected]>
+Andrew Rodland <[email protected]>
=head1 COPYRIGHT AND LICENSE
-This software is copyright (c) 2016 by Andrew Rodland.
+This software is copyright (c) 2026 by Andrew Rodland.
This is free software; you can redistribute it and/or modify it under
the same terms as the Perl 5 programming language system itself.
diff -Nru libcrypt-pbkdf2-perl-0.161520/lib/Crypt/PBKDF2/Hash/HMACSHA2.pm
libcrypt-pbkdf2-perl-0.261630/lib/Crypt/PBKDF2/Hash/HMACSHA2.pm
--- libcrypt-pbkdf2-perl-0.161520/lib/Crypt/PBKDF2/Hash/HMACSHA2.pm
2016-05-31 20:55:01.000000000 +0200
+++ libcrypt-pbkdf2-perl-0.261630/lib/Crypt/PBKDF2/Hash/HMACSHA2.pm
2026-06-12 03:00:50.000000000 +0200
@@ -1,6 +1,6 @@
package Crypt::PBKDF2::Hash::HMACSHA2;
# ABSTRACT: HMAC-SHA2 support for Crypt::PBKDF2 using Digest::SHA
-our $VERSION = '0.161520'; # VERSION
+our $VERSION = '0.261630'; # VERSION
our $AUTHORITY = 'cpan:ARODLAND'; # AUTHORITY
use Moo 2;
use strictures 2;
@@ -69,7 +69,7 @@
=head1 VERSION
-version 0.161520
+version 0.261630
=head1 DESCRIPTION
@@ -78,11 +78,11 @@
=head1 AUTHOR
-Andrew Rodland <[email protected]>
+Andrew Rodland <[email protected]>
=head1 COPYRIGHT AND LICENSE
-This software is copyright (c) 2016 by Andrew Rodland.
+This software is copyright (c) 2026 by Andrew Rodland.
This is free software; you can redistribute it and/or modify it under
the same terms as the Perl 5 programming language system itself.
diff -Nru libcrypt-pbkdf2-perl-0.161520/lib/Crypt/PBKDF2/Hash/HMACSHA3.pm
libcrypt-pbkdf2-perl-0.261630/lib/Crypt/PBKDF2/Hash/HMACSHA3.pm
--- libcrypt-pbkdf2-perl-0.161520/lib/Crypt/PBKDF2/Hash/HMACSHA3.pm
2016-05-31 20:55:01.000000000 +0200
+++ libcrypt-pbkdf2-perl-0.261630/lib/Crypt/PBKDF2/Hash/HMACSHA3.pm
2026-06-12 03:00:50.000000000 +0200
@@ -1,6 +1,6 @@
package Crypt::PBKDF2::Hash::HMACSHA3;
# ABSTRACT: HMAC-SHA3 support for Crypt::PBKDF2 using Digest::SHA
-our $VERSION = '0.161520'; # VERSION
+our $VERSION = '0.261630'; # VERSION
our $AUTHORITY = 'cpan:ARODLAND'; # AUTHORITY
use Moo 2;
use strictures 2;
@@ -70,7 +70,7 @@
=head1 VERSION
-version 0.161520
+version 0.261630
=head1 DESCRIPTION
@@ -82,11 +82,11 @@
=head1 AUTHOR
-Andrew Rodland <[email protected]>
+Andrew Rodland <[email protected]>
=head1 COPYRIGHT AND LICENSE
-This software is copyright (c) 2016 by Andrew Rodland.
+This software is copyright (c) 2026 by Andrew Rodland.
This is free software; you can redistribute it and/or modify it under
the same terms as the Perl 5 programming language system itself.
diff -Nru libcrypt-pbkdf2-perl-0.161520/lib/Crypt/PBKDF2/Hash.pm
libcrypt-pbkdf2-perl-0.261630/lib/Crypt/PBKDF2/Hash.pm
--- libcrypt-pbkdf2-perl-0.161520/lib/Crypt/PBKDF2/Hash.pm 2016-05-31
20:55:01.000000000 +0200
+++ libcrypt-pbkdf2-perl-0.261630/lib/Crypt/PBKDF2/Hash.pm 2026-06-12
03:00:50.000000000 +0200
@@ -1,6 +1,6 @@
package Crypt::PBKDF2::Hash;
# ABSTRACT: Abstract role for PBKDF2 hashing algorithms.
-our $VERSION = '0.161520'; # VERSION
+our $VERSION = '0.261630'; # VERSION
our $AUTHORITY = 'cpan:ARODLAND'; # AUTHORITY
use Moo::Role 2;
use strictures 2;
@@ -28,7 +28,7 @@
=head1 VERSION
-version 0.161520
+version 0.261630
=head1 METHODS
@@ -56,11 +56,11 @@
=head1 AUTHOR
-Andrew Rodland <[email protected]>
+Andrew Rodland <[email protected]>
=head1 COPYRIGHT AND LICENSE
-This software is copyright (c) 2016 by Andrew Rodland.
+This software is copyright (c) 2026 by Andrew Rodland.
This is free software; you can redistribute it and/or modify it under
the same terms as the Perl 5 programming language system itself.
diff -Nru libcrypt-pbkdf2-perl-0.161520/lib/Crypt/PBKDF2.pm
libcrypt-pbkdf2-perl-0.261630/lib/Crypt/PBKDF2.pm
--- libcrypt-pbkdf2-perl-0.161520/lib/Crypt/PBKDF2.pm 2016-05-31
20:55:01.000000000 +0200
+++ libcrypt-pbkdf2-perl-0.261630/lib/Crypt/PBKDF2.pm 2026-06-12
03:00:50.000000000 +0200
@@ -1,11 +1,12 @@
package Crypt::PBKDF2;
# ABSTRACT: The PBKDF2 password hashing algorithm.
-our $VERSION = '0.161520'; # VERSION
+our $VERSION = '0.261630'; # VERSION
our $AUTHORITY = 'cpan:ARODLAND'; # AUTHORITY
use Moo 2;
use strictures 2;
use namespace::autoclean;
use MIME::Base64 ();
+use Crypt::URandom ();
use Carp qw(croak);
use Module::Runtime;
use Try::Tiny;
@@ -22,7 +23,7 @@
has hash_class => (
is => 'ro',
isa => Str,
- default => 'HMACSHA1',
+ default => 'HMACSHA2',
predicate => 'has_hash_class',
);
@@ -66,7 +67,7 @@
has iterations => (
is => 'ro',
isa => Int,
- default => 1000,
+ default => 600000,
);
@@ -85,11 +86,7 @@
sub _random_salt {
my ($self) = @_;
- my $ret = "";
- for my $n (1 .. $self->salt_len) {
- $ret .= chr(int rand 256);
- }
- return $ret;
+ return Crypt::URandom::urandom($self->salt_len);
}
@@ -144,7 +141,19 @@
my $check_hash = $checker->PBKDF2($info->{salt}, $password);
- return ($check_hash eq $info->{hash});
+ return _secure_compare($check_hash, $info->{hash});
+}
+
+# Constant-time string comparison, to avoid timing attacks on the hash check.
+sub _secure_compare {
+ my ($a, $b) = @_;
+
+ my $r = length($a) != length($b);
+ $a = $b if $r;
+
+ $r |= ord(substr($a, $_)) ^ ord(substr($b, $_)) for 0 .. length($a) - 1;
+
+ return $r == 0;
}
@@ -364,16 +373,16 @@
=head1 VERSION
-version 0.161520
+version 0.261630
=head1 SYNOPSIS
use Crypt::PBKDF2;
my $pbkdf2 = Crypt::PBKDF2->new(
- hash_class => 'HMACSHA1', # this is the default
- iterations => 1000, # so is this
- output_len => 20, # and this
+ hash_class => 'HMACSHA2', # this is the default (HMAC-SHA256)
+ iterations => 600000, # so is this
+ output_len => 32, # and this
salt_len => 4, # and this.
);
@@ -397,13 +406,16 @@
=head2 hash_class
-B<Type:> String, B<Default:> HMACSHA1
+B<Type:> String, B<Default:> HMACSHA2
The name of the default class that will provide PBKDF2's Pseudo-Random
Function (the backend hash). If the value starts with a C<+>, the C<+> will
be removed and the remainder will be taken as a fully-qualified package
name. Otherwise, the value will be appended to C<Crypt::PBKDF2::Hash::>.
+The default class is C<HMACSHA2>, which (with its own default C<sha_size> of
+256) provides HMAC-SHA256.
+
=head2 hash_args
B<Type:> HashRef, B<Default:> {}
@@ -419,7 +431,7 @@
=head2 iterations
-B<Type:> Integer, B<Default:> 1000.
+B<Type:> Integer, B<Default:> 600000.
The default number of iterations of the hashing function to use for the
C<generate> and C<PBKDF2> methods.
@@ -568,11 +580,11 @@
=head1 AUTHOR
-Andrew Rodland <[email protected]>
+Andrew Rodland <[email protected]>
=head1 COPYRIGHT AND LICENSE
-This software is copyright (c) 2016 by Andrew Rodland.
+This software is copyright (c) 2026 by Andrew Rodland.
This is free software; you can redistribute it and/or modify it under
the same terms as the Perl 5 programming language system itself.
diff -Nru libcrypt-pbkdf2-perl-0.161520/t/02-validate.t
libcrypt-pbkdf2-perl-0.261630/t/02-validate.t
--- libcrypt-pbkdf2-perl-0.161520/t/02-validate.t 2016-05-31
20:55:01.000000000 +0200
+++ libcrypt-pbkdf2-perl-0.261630/t/02-validate.t 2026-06-12
03:00:50.000000000 +0200
@@ -19,8 +19,8 @@
my $hash = $pbkdf2->generate($password);
ok $pbkdf2->validate($hash, $password), "Validate password $i: $password
($encoding)";
- is length $pbkdf2->PBKDF2('test', $password), 20, "raw length $password";
- is length $pbkdf2->PBKDF2_hex('test', $password), 40, "hex length
$password";
- is length $pbkdf2->PBKDF2_base64('test', $password), 28, "base64 length
$password";
+ is length $pbkdf2->PBKDF2('test', $password), 32, "raw length $password";
+ is length $pbkdf2->PBKDF2_hex('test', $password), 64, "hex length
$password";
+ is length $pbkdf2->PBKDF2_base64('test', $password), 44, "base64 length
$password";
}
}
