#1139867 libcrypt-pbkdf2-perl: CVE-2026-9638 CVE-2026-9641 CVE-2017-20240

Package: src:libcrypt-pbkdf2-perl
Source: src:libcrypt-pbkdf2-perl
Submitter: Salvatore Bonaccorso
Date: 2026-06-16 21:19:02 UTC
Severity: normal

#1139867#5
Date: 2026-06-12 19:19:48 UTC
Hi,

The following vulnerabilities were published for libcrypt-pbkdf2-perl.

CVE-2026-9638[0]:
| Crypt::PBKDF2 versions before 0.261630 for Perl generate insecure
| random values for salts.  These versions use the built-in rand
| function, which is predictable and unsuitable for cryptography.


CVE-2026-9641[1]:
| Crypt::PBKDF2 versions before 0.261630 for Perl have a weak default
| algorithm and number of iterations.  The default algorithm is
| HMAC-SHA1, which should only be used for legacy systems.  These
| versions default to using 1000 iterations.  Depending on the chosen
| algorithm, 220,000 to 1,400,000 iterations should be used.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-9638
https://www.cve.org/CVERecord?id=CVE-2026-9638
[1] https://security-tracker.debian.org/tracker/CVE-2026-9641
https://www.cve.org/CVERecord?id=CVE-2026-9641

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
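
The two CVEs above come down to constructor defaults: a predictable salt source and a legacy hash with too few iterations. The following is an added example, not code from the bug report or from the Crypt::PBKDF2 distribution; it pins every security-relevant parameter to the values the fixed 0.261630 release uses as defaults, draws the salt from Crypt::URandom, and audits an existing object against a policy. The `hardened_pbkdf2()` and `check_pbkdf2_policy()` helpers and the 600,000 threshold are this example's own choices.

```perl
#!/usr/bin/perl
# Added example (not from the bug report or the Crypt::PBKDF2 distribution).
# Builds a Crypt::PBKDF2 object with the 0.261630 defaults set explicitly
# (HMAC-SHA256, 600,000 iterations, CSPRNG salt) and flags the pre-0.261630
# defaults (HMAC-SHA1, 1000 iterations) when found on an existing object.
use strict;
use warnings;
use Crypt::PBKDF2;
use Crypt::URandom qw(urandom);

my $MIN_ITERATIONS = 600_000;   # policy threshold chosen for this example

# Every parameter is passed explicitly, so the outcome does not depend on
# which version of the module happens to be installed.
sub hardened_pbkdf2 {
    return Crypt::PBKDF2->new(
        hash_class => 'HMACSHA2',
        hash_args  => { sha_size => 256 },
        iterations => $MIN_ITERATIONS,
        output_len => 32,
        salt_len   => 16,
    );
}

# Return a list of policy violations for an already-constructed object.
# On a pre-0.261630 install, Crypt::PBKDF2->new with no arguments hits both.
sub check_pbkdf2_policy {
    my ($pbkdf2) = @_;
    my @findings;
    push @findings, 'hash_class is HMACSHA1 (legacy systems only)'
        if $pbkdf2->hash_class eq 'HMACSHA1';
    push @findings, sprintf('iterations %d is below %d',
                            $pbkdf2->iterations, $MIN_ITERATIONS)
        if $pbkdf2->iterations < $MIN_ITERATIONS;
    return @findings;
}

# Audit the module's own defaults.
my @findings = check_pbkdf2_policy(Crypt::PBKDF2->new);
print 'module defaults: ', (@findings ? join('; ', @findings) : 'ok'), "\n";

# Hash and verify with a 16-byte salt from the OS CSPRNG, not perl's rand().
my $pbkdf2   = hardened_pbkdf2();
my $salt     = urandom(16);
my $password = 'correct horse battery staple';   # constructed sample value
my $stored   = $pbkdf2->generate($password, $salt);
print "stored:          $stored\n";
print 'validate(same):  ', ($pbkdf2->validate($stored, $password) ? 'match' : 'mismatch'), "\n";
print 'validate(other): ', ($pbkdf2->validate($stored, 'Tr0ub4dor&3') ? 'match' : 'mismatch'), "\n";
```

The audit of `Crypt::PBKDF2->new` reports nothing on 0.261630 and both findings on an older release, which is a quick way to confirm which defaults a deployed host actually has.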

#1139867#12
Date:
2026-06-12 22:18:40 UTC
We believe that the bug you reported is fixed in the latest version of
libcrypt-pbkdf2-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1139867@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann <gregoa@debian.org> (supplier of updated libcrypt-pbkdf2-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 13 Jun 2026 00:01:11 +0200
Source: libcrypt-pbkdf2-perl
Architecture: source
Version: 0.261630-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: gregor herrmann <gregoa@debian.org>
Closes: 1139867
Changes:
 libcrypt-pbkdf2-perl (0.261630-1) unstable; urgency=medium
 .
   * Team upload.
   * Import upstream version 0.261630.
     - Change the default hash algorithm to HMAC-SHA256, and increase the
       default number of iterations to 600,000 (CVE-2026-9641).
     - Generate salts using Crypt::URandom instead of perl's builtin `rand()`
       (CVE-2026-9638).
     - Use a constant-time comparison in `validate` to avoid timing attacks
       (CVE-2017-20240).
     Closes: #1139867
   * Update debian/upstream/metadata.
   * Update years of upstream copyright.
   * debian/control: update build/test/runtime dependencies.
   * Declare compliance with Debian Policy 4.7.4.
   * Remove «Priority: optional», which is the current default.
   * Annotate test-only build dependencies with <!nocheck>.

#1139867#17
Date:
2026-06-16 20:47:35 UTC
We believe that the bug you reported is fixed in the latest version of
libcrypt-pbkdf2-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1139867@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libcrypt-pbkdf2-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 13 Jun 2026 11:44:25 +0200
Source: libcrypt-pbkdf2-perl
Architecture: source
Version: 0.261630-1~deb13u1~deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1139867
Changes:
 libcrypt-pbkdf2-perl (0.261630-1~deb13u1~deb12u1) bookworm; urgency=medium
 .
   * Rebuild for bookworm
 .
 libcrypt-pbkdf2-perl (0.261630-1~deb13u1) trixie; urgency=medium
 .
   * Rebuild for trixie
   * Revert "Annotate test-only build dependencies with <!nocheck>."
   * Revert "Remove «Priority: optional», which is the current default."
   * Revert "Declare compliance with Debian Policy 4.7.4."
 .
 libcrypt-pbkdf2-perl (0.261630-1) unstable; urgency=medium
 .
   * Team upload.
   * Import upstream version 0.261630.
     - Change the default hash algorithm to HMAC-SHA256, and increase the
       default number of iterations to 600,000 (CVE-2026-9641).
     - Generate salts using Crypt::URandom instead of perl's builtin `rand()`
       (CVE-2026-9638).
     - Use a constant-time comparison in `validate` to avoid timing attacks
       (CVE-2017-20240).
     Closes: #1139867
   * Update debian/upstream/metadata.
   * Update years of upstream copyright.
   * debian/control: update build/test/runtime dependencies.
   * Declare compliance with Debian Policy 4.7.4.
   * Remove «Priority: optional», which is the current default.
   * Annotate test-only build dependencies with <!nocheck>.

#1139867#22
Date:
2026-06-16 21:17:06 UTC
We believe that the bug you reported is fixed in the latest version of
libcrypt-pbkdf2-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1139867@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libcrypt-pbkdf2-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 13 Jun 2026 09:43:05 +0200
Source: libcrypt-pbkdf2-perl
Architecture: source
Version: 0.261630-1~deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1139867
Changes:
 libcrypt-pbkdf2-perl (0.261630-1~deb13u1) trixie; urgency=medium
 .
   * Rebuild for trixie
   * Revert "Annotate test-only build dependencies with <!nocheck>."
   * Revert "Remove «Priority: optional», which is the current default."
   * Revert "Declare compliance with Debian Policy 4.7.4."
 .
 libcrypt-pbkdf2-perl (0.261630-1) unstable; urgency=medium
 .
   * Team upload.
   * Import upstream version 0.261630.
     - Change the default hash algorithm to HMAC-SHA256, and increase the
       default number of iterations to 600,000 (CVE-2026-9641).
     - Generate salts using Crypt::URandom instead of perl's builtin `rand()`
       (CVE-2026-9638).
     - Use a constant-time comparison in `validate` to avoid timing attacks
       (CVE-2017-20240).
     Closes: #1139867
   * Update debian/upstream/metadata.
   * Update years of upstream copyright.
   * debian/control: update build/test/runtime dependencies.
   * Declare compliance with Debian Policy 4.7.4.
   * Remove «Priority: optional», which is the current default.
   * Annotate test-only build dependencies with <!nocheck>.