On Saturday, 13 June 2026, 10:37:39 Central European Summer Time, Salvatore Bonaccorso wrote:

Hi,
> Hi
>
> [ Reason ]
> libcrypt-pbkdf2-perl recently got 3 CVEs assigned, CVE-2026-9641,
> CVE-2026-9638, CVE-2017-20240. The package did not get touched for
> almost a decade, so the CVEs are as well about updating from a weak
> algorithm and a low number of iterations.
>
> I'm a bit unsure if this really should be backported to older series,
> thus X-Debbugs-CC as well to debian-lts for bookworm and older.
>
> On the other hand rand() is not cryptographically secure, so there
> might be enough reasoning wanting to fix things in the older suites,
> *but* libcrypt-pbkdf2-perl might even be less widely used that far back,
> see https://qa.debian.org/popcon.php?package=libcrypt-pbkdf2-perl .

I believe it is used, and the LTS team will welcome this kind of improvement and backport.

rouca (with FD LTS hat)

>
> [ Impact ]
> Crypt::PBKDF2 will use a weak default algorithm and number of iterations,
> generate insecure random values for salts, and can be vulnerable to
> timing attacks.
>
> [ Tests ]
> Test suite is run successfully; additionally triggered a debusine work
> request:
> https://debusine.debian.net/debian/developers/work-request/839364/
>
> [ Risks ]
> Following upstream on all changes: fairly low, I would say, at least for
> the newer suites. For making salts, switch to using Crypt::URandom and
> thus needing a new (Build-)Dependency.
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog (see below)
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable
>
> [ Changes ]
> As per upstream, addressing the assigned CVEs
> (Explain *all* the changes)
>
> [ Other info ]
> Switching to the new upstream version introduces as well a bit of
> updated metadata on the upstream side, but also switches from
> Makefile.PL to Build.PL, and introduces a new build-dependency on
> libmodule-build-tiny-perl .
>
> I reverted from the unstable version though in particular:
> * Revert "Annotate test-only build dependencies with <!nocheck>."
> * Revert "Remove «Priority: optional», which is the current default."
> * Revert "Declare compliance with Debian Policy 4.7.4."
>
> I have *not* uploaded, as I would like to hear from you (SRM) if you
> are fine with this approach or if you prefer that the single changes
> get cherry-picked.
>
> Regards,
> Salvatore
>