Hi Bastien,

On Sat, Jun 13, 2026 at 10:44:54AM +0200, Bastien Roucaries wrote:
> On Saturday, 13 June 2026, 10:37:39 Central European Summer Time, Salvatore
> Bonaccorso wrote:
> Hi,
>
> > Hi
> >
> > [ Reason ]
> > libcrypt-pbkdf2-perl recently got 3 CVEs assigned, CVE-2026-9641,
> > CVE-2026-9638, CVE-2017-20240. The package has not been touched for
> > almost a decade, so the CVEs are as well about updating from a weak
> > algorithm and a low number of iterations.
> >
> > I'm a bit unsure if this really should be backported to older series,
> > thus X-Debbugs-CC as well as debian-lts for bookworm and older.
> >
> > On the other hand rand() is not cryptographically secure, so there
> > might be enough reasoning wanting to fix things in the older suites,
> > *but* libcrypt-pbkdf2-perl might even be less widely used that far back,
> > see https://qa.debian.org/popcon.php?package=libcrypt-pbkdf2-perl .
>
> I believe it is used and the LTS team will welcome this kind of
> improvement and backport
Thanks for your feedback, I will send one as well for bookworm then.

Regards,
Salvatore
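The thread above describes the issues as a weak default hash, a low iteration count and a salt drawn from rand(). The following Python is an added example, not code from libcrypt-pbkdf2-perl, from Debian or from the CVE text: it puts the weak configuration beside a hardened one and shows how a self-describing hash string lets an auditor flag old hashes whose parameters fall below a chosen floor. The iteration floor, the allowed hash list and the `$pbkdf2-<algo>$<iters>$<salt>$<dk>` layout are assumptions for illustration, as is the seeded `random.Random` that stands in for a C rand()-style generator.

```python
import base64
import hashlib
import hmac
import random
import secrets

# Floors assumed for this example (not the module's defaults, not the CVE text):
# a stored hash below these is reported as weak by audit_hash().
MIN_ITERATIONS = 600_000
ALLOWED_ALGOS = {"sha256", "sha512"}
SALT_LEN = 16


def weak_salt(length, seed):
    """Salt from a seeded, non-cryptographic PRNG, standing in for rand().
    Anyone who knows or guesses the seed reproduces the salt exactly."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


def secure_salt(length=SALT_LEN):
    """Salt from the OS CSPRNG."""
    return secrets.token_bytes(length)


def derive(password, salt, algo, iterations, dklen):
    """PBKDF2-HMAC over the named hash; password and salt are bytes."""
    return hashlib.pbkdf2_hmac(algo, password, salt, iterations, dklen)


def hash_password(password, algo="sha256", iterations=MIN_ITERATIONS, salt=None):
    """Return a self-describing hash string. The layout is constructed for this
    example so that the parameters travel with the hash and can be audited."""
    if salt is None:
        salt = secure_salt()
    dklen = hashlib.new(algo).digest_size
    dk = derive(password.encode(), salt, algo, iterations, dklen)
    b64 = lambda b: base64.b64encode(b).decode()
    return f"$pbkdf2-{algo}${iterations}${b64(salt)}${b64(dk)}"


def parse_hash(stored):
    """Split a stored string back into (algo, iterations, salt, dk)."""
    _, scheme, iterations, salt, dk = stored.split("$")
    algo = scheme[len("pbkdf2-"):]
    return algo, int(iterations), base64.b64decode(salt), base64.b64decode(dk)


def verify_password(stored, password):
    """Recompute with the stored parameters; constant-time compare."""
    algo, iterations, salt, dk = parse_hash(stored)
    cand = derive(password.encode(), salt, algo, iterations, len(dk))
    return hmac.compare_digest(cand, dk)


def audit_hash(stored, min_iterations=MIN_ITERATIONS, allowed=ALLOWED_ALGOS,
               min_salt=SALT_LEN):
    """Return a list of findings for parameters below the assumed floors;
    an empty list means the hash meets them."""
    algo, iterations, salt, _ = parse_hash(stored)
    findings = []
    if algo not in allowed:
        findings.append(f"algorithm {algo} not in {sorted(allowed)}")
    if iterations < min_iterations:
        findings.append(f"iterations {iterations} < {min_iterations}")
    if len(salt) < min_salt:
        findings.append(f"salt {len(salt)} bytes < {min_salt}")
    return findings


if __name__ == "__main__":
    # Constructed "legacy" hash: SHA-1, 1000 iterations, 8-byte salt from a seeded PRNG.
    legacy = hash_password("hunter2", algo="sha1", iterations=1000,
                           salt=weak_salt(8, seed=42))
    hardened = hash_password("hunter2")
    print("legacy findings:  ", audit_hash(legacy))
    print("hardened findings:", audit_hash(hardened))
    print("verify hardened:  ", verify_password(hardened, "hunter2"))
```

A real migration would verify the user's password against the legacy hash at login and, on success, re-hash with the hardened parameters; the audit function above is what tells you how many stored hashes still need that.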

