#1106699 libnet-cidr-set-perl: CVE-2025-40911

Package:
src:libnet-cidr-set-perl
Source:
src:libnet-cidr-set-perl
Submitter:
Salvatore Bonaccorso
Date:
2025-05-28 10:21:01 UTC
Severity:
normal
Tags:
#1106699#5
Date:
2025-05-28 07:07:54 UTC
Hi,

The following vulnerability was published for libnet-cidr-set-perl.

CVE-2025-40911[0]:
| Net::CIDR::Set versions 0.10 through 0.13 for Perl does not properly
| handle leading zero characters in IP CIDR address strings, which
| could allow attackers to bypass access control that is based on IP
| addresses.  Leading zeros are used to indicate octal numbers, which
| can confuse users who are intentionally using octal notation, as
| well as users who believe they are using decimal notation.
| Net::CIDR::Set used code from Net::CIDR::Lite, which had a similar
| vulnerability CVE-2021-47154.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-40911
https://www.cve.org/CVERecord?id=CVE-2025-40911
[1] https://github.com/robrwo/perl-Net-CIDR-Set/commit/be7d91e8446ad8013b08b4be313d666dab003a8a

Regards,
Salvatore
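
An added example, not part of the original report and not code from Net::CIDR::Set or its upstream fix: a strict pre-validation routine that refuses IPv4/CIDR strings containing leading zeros before they reach an IP-based access check, and prints the decimal and octal readings of each rejected string. The function names and the sample addresses are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Return the input unchanged if it is an unambiguous dotted-quad IPv4
# address (optionally with /prefix); return nothing otherwise.
sub strict_ipv4_cidr {
    my ($text) = @_;
    return unless defined $text;
    my ($addr, $len) = $text =~ m{\A([0-9.]+)(?:/([0-9]+))?\z} or return;
    my @octets = split /\./, $addr, -1;    # -1 keeps trailing empty fields
    return unless @octets == 4;
    for my $o (@octets) {
        # "0" or a number without a leading zero, at most three digits
        return unless $o =~ /\A(?:0|[1-9][0-9]{0,2})\z/;
        return if $o > 255;
    }
    if (defined $len) {
        return unless $len =~ /\A(?:0|[1-9][0-9]?)\z/ && $len <= 32;
    }
    return $text;
}

# The two readings that make leading zeros ambiguous: every octet taken
# as decimal, versus zero-prefixed octets taken as octal.
sub readings {
    my ($addr) = @_;
    my (@dec, @oct);
    for my $o (split /\./, $addr) {
        push @dec, $o + 0;
        push @oct, $o =~ /\A0[0-7]+\z/ ? oct($o) : $o + 0;
    }
    return (join('.', @dec), join('.', @oct));
}

# Constructed sample inputs, as they might arrive from a config file or request.
for my $in ('192.168.1.10/24', '010.0.0.1', '10.0.0.01/8',
            '192.168.1.010/24', '256.1.1.1') {
    if (defined strict_ipv4_cidr($in)) {
        print "accept $in\n";
        next;
    }
    my ($addr) = split m{/}, $in;
    my ($dec, $oct) = readings($addr);
    printf "reject %-18s decimal=%s octal=%s\n", $in, $dec, $oct;
}
```

Rejecting the string outright, rather than normalising it, avoids having to guess which of the two readings the sender intended.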

#1106699#12
Date:
2025-05-28 10:19:10 UTC
We believe that the bug you reported is fixed in the latest version of
libnet-cidr-set-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1106699@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roland Rosenfeld <roland@debian.org> (supplier of updated libnet-cidr-set-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 28 May 2025 11:51:45 +0200
Source: libnet-cidr-set-perl
Architecture: source
Version: 0.15-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Roland Rosenfeld <roland@debian.org>
Closes: 1106699
Changes:
 libnet-cidr-set-perl (0.15-1) unstable; urgency=medium
 .
   * New upstream version, fixes CVE-2025-40911 (Closes: #1106699).
   * New upstream maintainer (adapted upstream/metadata, d/copyright).
   * Declare compliance with Debian Policy 4.7.2.