#1136625 trixie-pu: package libapache-session-browseable-perl/1.3.16-1+deb13u1

#1136625#5
Date:
2026-05-14 05:45:42 UTC
[ Reason ]
Apache::Session::Generate::SHA256 seeded its session identifier from
low-entropy sources (time(), PID, rand(), stringified hash ref).
CVE-2026-8503

[ Impact ]
Medium security issue

[ Tests ]
Test pass

[ Risks ]
No risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Use Crypt::URandom
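To make the [Reason] and [Changes] entries concrete, here is an added example in Perl (written for this page, not code from the libapache-session-browseable-perl package or from Apache::Session). It contrasts a hypothetical generator seeded from the sources the report names (time(), PID, rand(), a stringified hash ref) with one seeded from the kernel CSPRNG through Crypt::URandom. Digest::SHA and Crypt::URandom are real CPAN modules; the two generator subs, their names and the 32-byte seed size are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example (not the package's own code): contrast a session-ID generator
# seeded from low-entropy, guessable sources with one seeded from the OS CSPRNG.
use strict;
use warnings;
use Digest::SHA   qw(sha256_hex);
use Crypt::URandom qw(urandom);   # on Debian: libcrypt-urandom-perl

# Hypothetical weak generator. The seed mirrors the sources named in the bug
# report: wall-clock time and PID are public or low-range, rand() is a
# non-cryptographic PRNG, and a stringified hash ref is an address that varies
# little between runs. Hashing does not add entropy, so the space an attacker
# has to search stays small. Shown only for contrast with the fix below.
sub weak_session_id {
    my ($length) = @_;
    my $ref  = {};                                  # stringifies to HASH(0x...)
    my $seed = join('', time(), $$, rand(), "$ref");
    return substr(sha256_hex($seed), 0, $length);
}

# Hardened generator, following the fix direction "Use Crypt::URandom":
# 32 bytes from the kernel CSPRNG give 256 bits of entropy, and hashing keeps
# the hex output format unchanged for callers that expect a fixed-length ID.
sub strong_session_id {
    my ($length) = @_;
    my $seed = urandom(32);   # dies on failure instead of falling back silently
    return substr(sha256_hex($seed), 0, $length);
}

# Shape check only: correct length and hex alphabet. Note that the weak
# generator passes this too; low entropy is not visible from a single output.
sub looks_like_session_id {
    my ($id, $length) = @_;
    return length($id) == $length && $id =~ /\A[0-9a-f]+\z/;
}

my $len = 32;
for my $gen (['weak', \&weak_session_id], ['strong', \&strong_session_id]) {
    my ($name, $fn) = @$gen;
    my ($id1, $id2) = ($fn->($len), $fn->($len));
    my $ok = looks_like_session_id($id1, $len) && $id1 ne $id2;
    printf "%-6s %s %s\n", $name, $id1, $ok ? 'ok' : 'FAIL';
}
```

Both generators produce IDs that look identical in length and alphabet, which is why this class of bug is not caught by output inspection and needs a review of the seed sources. As the thread later notes, a package that calls urandom() directly should declare its own dependency on libcrypt-urandom-perl in debian/control rather than rely on it arriving transitively.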

#1136625#12
Date:
2026-05-14 05:56:04 UTC
On 14/05/2026 at 07:45, Xavier Guimard wrote:

Here is a better debdiff

#1136625#17
Date:
2026-05-14 19:23:52 UTC
Which CVE number is correct?

libapache-session-browseable-perl should really add a dependency on
libcrypt-urandom-perl (also in unstable), currently this happens to work
due to a transitive dependency via libapache-session-perl but that's
fragile and might break.

cu
Adrian

#1136625#22
Date:
2026-05-15 05:09:49 UTC
On 14/05/2026 at 21:23, Adrian Bunk wrote:

Hi,

the correct CVE is the one given in the last debdiff: CVE-2026-8503, which is
a copy of CVE-2025-40931 but for this package.
- unstable (pending)
- trixie in the attached debdiff
- bookworm

Best regards,
Xavier

#1136625#27
Date:
2026-05-23 13:35:29 UTC
package release.debian.org
tags 1136625 = trixie pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian trixie.

Thanks for your contribution!

Upload details
==============

Package: libapache-session-browseable-perl
Version: 1.3.16-1+deb13u1

Explanation: improve entropy source [CVE-2026-8503]
