Package: release.debian.org
Source: release.debian.org
Submitter: Xavier Guimard
Date: 2026-05-23 13:37:03 UTC
Severity: normal
Tags:
[ Reason ]
Apache::Session::Generate::SHA256 seeded its session identifier from
low-entropy sources (time(), PID, rand(), stringified hash ref).
CVE-2026-8503

[ Impact ]
Medium security issue

[ Tests ]
Tests pass

[ Risks ]
No risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Use Crypt::URandom
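The following is an added illustration of the weakness described in the report and of the Crypt::URandom fix; it is not the package's own code nor the debdiff. The weak_session_id() routine reconstructs the pattern named in the [ Reason ] section (time(), PID, rand(), stringified hash ref fed through sha256), and strong_session_id() shows the replacement: identifier bytes drawn from the operating system CSPRNG through Crypt::URandom::urandom(). Function names, the 64-character default length and validate_session_id() are assumptions made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);
use Crypt::URandom qw(urandom);

# Weak generator: reconstruction of the pattern described in the report,
# not the package's own code. Every seed component is guessable or small:
#   time()  is known to the second by anyone who sees the response,
#   $$      is a small integer (the PID of a long-lived httpd worker),
#   rand()  is a non-cryptographic PRNG (drand48 on most perl builds) whose
#           state can be recovered from a few observed outputs,
#   {}      stringifies to an address like HASH(0x55d1c8a0c2e8) that
#           varies little between calls.
# Hashing with sha256 twice does not add entropy; it only hides the lack.
sub weak_session_id {
    my ($length) = @_;
    $length ||= 64;                       # assumed default: 64 hex chars
    my $seed = time() . {} . rand() . $$;
    return substr(sha256_hex(sha256_hex($seed)), 0, $length);
}

# Hardened generator: take the identifier directly from the OS CSPRNG.
# urandom() reads /dev/urandom (or the platform equivalent) and dies on
# failure rather than silently returning short or zero output, so there
# is no weak fallback path. 32 random bytes already give 256 bits; no
# hashing is needed. Hex encoding keeps the id compatible with validate().
sub strong_session_id {
    my ($length) = @_;
    $length ||= 64;
    my $nbytes = int(($length + 1) / 2);  # 4 bits per hex character
    return substr(unpack('H*', urandom($nbytes)), 0, $length);
}

# Same shape as the validate() hook of an Apache::Session generator
# (assumed here): accept only lowercase hex of the expected length, so a
# client-supplied id can never reach the storage backend unchecked.
sub validate_session_id {
    my ($id, $length) = @_;
    $length ||= 64;
    return (defined $id && $id =~ /\A[0-9a-f]{$length}\z/) ? 1 : 0;
}

# Demonstration when run as a script (skipped when the file is required
# as a library). Both ids look alike; only the strong one is unguessable.
if (!caller) {
    for (1 .. 3) {
        my $weak   = weak_session_id();
        my $strong = strong_session_id();
        printf "weak:   %s (valid=%d)\nstrong: %s (valid=%d)\n",
            $weak,   validate_session_id($weak),
            $strong, validate_session_id($strong);
    }
}
```

The point of the comparison is that the two identifiers are indistinguishable by inspection: both are 64 hex characters and both pass the format check. Only the source of the bytes differs, which is why the review of such code has to look at what feeds the hash rather than at the hash function. Because strong_session_id() depends on Crypt::URandom at runtime, a package using it needs the corresponding dependency declared explicitly (libcrypt-urandom-perl in Debian) rather than relying on it arriving transitively.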
On 14/05/2026 at 07:45, Xavier Guimard wrote:
Here is a better debdiff
Which CVE number is correct? libapache-session-browseable-perl should really add a dependency on libcrypt-urandom-perl (also in unstable), currently this happens to work due to a transitive dependency via libapache-session-perl but that's fragile and might break. cu Adrian
On 14/05/2026 at 21:23, Adrian Bunk wrote:
Hi,
the correct CVE is the one given in the last debdiff: CVE-2026-8503, which is a copy of CVE-2025-40931 but for this package.
- unstable (pending)
- trixie in the attached debdiff
- bookworm
Best regards,
Xavier
package release.debian.org
tags 1136625 = trixie pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian trixie.

Thanks for your contribution!

Upload details
==============

Package: libapache-session-browseable-perl
Version: 1.3.16-1+deb13u1
Explanation: improve entropy source [CVE-2026-8503]