#1137253 libcrypt-saltedhash-perl: CVE-2026-47372 CVE-2026-47373

#1137253#5
Date:
2026-05-21 19:16:31 UTC
From:
To:
Hi,

The following vulnerabilities were published for libcrypt-saltedhash-perl.

CVE-2026-47372[0]:
| Crypt::SaltedHash versions through 0.09 for Perl generate insecure
| random values for salts.  These versions use the built-in rand
| function, which is predictable and unsuitable for cryptography.


CVE-2026-47373[1]:
| Crypt::SaltedHash versions through 0.09 for Perl are susceptible to
| timing attacks.  These versions use Perl's built-in eq comparison.
| Discrepancies in timing could be used to guess the underlying hash.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-47372
https://www.cve.org/CVERecord?id=CVE-2026-47372
https://lists.security.metacpan.org/cve-announce/msg/40252126/
https://github.com/robrwo/perl-Crypt-SaltedHash/commit/9b68437d2cd420b819b3a795474c3870338d38d5
[1] https://security-tracker.debian.org/tracker/CVE-2026-47373
https://www.cve.org/CVERecord?id=CVE-2026-47373
https://lists.security.metacpan.org/cve-announce/msg/40249915/
https://github.com/robrwo/perl-Crypt-SaltedHash/commit/c07bfc5c23185b0667233d0f2e1252d81f1f027a

Regards,
Salvatore
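To show the two weaknesses named in the advisories and the shape of the upstream fix (a salt drawn from the system randomness source, and a constant-time comparison of hashes), here is an added Perl example; it is not code from Crypt::SaltedHash or from this bug report. It assumes Crypt::SysRandom (from libcrypt-sysrandom-perl) exports random_bytes, and it uses an illustrative SHA-256 digest-plus-salt layout rather than the module's own storage format.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256);
use Crypt::SysRandom qw(random_bytes);   # assumed export; provided by libcrypt-sysrandom-perl

# CVE-2026-47372 pattern (illustrative, not the module's own code): a salt
# built from the built-in rand() comes from a small, non-cryptographic
# generator state and is predictable to anyone who can observe a few outputs.
sub weak_salt {
    my $len = shift;
    return join '', map { chr(int(rand(256))) } 1 .. $len;
}

# Fixed pattern: take the salt bytes from the operating system's CSPRNG.
sub strong_salt {
    my $len = shift;
    return random_bytes($len);
}

# CVE-2026-47373 pattern: `eq` stops at the first differing byte, so the
# time taken leaks how long a prefix of the stored hash the guess matched.
sub leaky_equal { return $_[0] eq $_[1] }

# Fixed pattern: XOR every byte pair and OR the results together, so the
# loop always covers the full length; only a length mismatch returns early.
sub constant_time_equal {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    for my $i (0 .. length($x) - 1) {
        $diff |= ord(substr($x, $i, 1)) ^ ord(substr($y, $i, 1));
    }
    return $diff == 0;
}

# Assumed storage layout for this example: SHA-256 over password . salt,
# with the 16-byte salt appended to the 32-byte digest.
sub make_hash {
    my ($password, $salt) = @_;
    return sha256($password . $salt) . $salt;
}

sub verify_hash {
    my ($password, $stored) = @_;
    my $salt = substr($stored, 32);   # everything after the 32-byte digest
    return constant_time_equal(make_hash($password, $salt), $stored);
}

my $stored = make_hash('correct horse', strong_salt(16));
die "verify failed" unless verify_hash('correct horse', $stored);
die "false accept"  if verify_hash('wrong password', $stored);
```

weak_salt and leaky_equal are kept only as the "before" forms for comparison; a fixed deployment should call neither.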

#1137253#10
Date:
2026-05-21 20:50:32 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
libcrypt-saltedhash-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1137253@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann <gregoa@debian.org> (supplier of updated libcrypt-saltedhash-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 21 May 2026 22:29:31 +0200
Source: libcrypt-saltedhash-perl
Architecture: source
Version: 0.11-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: gregor herrmann <gregoa@debian.org>
Closes: 1137253
Changes:
 libcrypt-saltedhash-perl (0.11-1) unstable; urgency=medium
 .
   * Import upstream version 0.11.
     - Security: Use system randomness source to generate the salt CVE-2026-47372
     - Security: Use constant-time comparison of hashes CVE-2026-47373
     Closes: #1137253
   * Add test and runtime dependency on libcrypt-sysrandom-perl.
   * Update years of upstream copyright.
   * debian/copyright: update Upstream-Contact.
   * Add deprecation notice to long description.
   * Update debian/upstream/metadata.
   * Update test dependencies.
   * Declare compliance with Debian Policy 4.7.4.
   * Remove «Priority: optional», which is the current default.
   * Annotate test-only build dependencies with <!nocheck>.
   * Add /me to Uploaders.