#1140105 libcrypt-dsa-perl: CVE-2026-12205

Package: src:libcrypt-dsa-perl
Source: src:libcrypt-dsa-perl
Submitter: Salvatore Bonaccorso
Date: 2026-06-16 05:07:02 UTC
Severity: normal
#1140105#5
Date: 2026-06-15 20:53:58 UTC
Hi,

The following vulnerability was published for libcrypt-dsa-perl.

CVE-2026-12205[0]:
| key material reuse for multiple signing events

I'm opening this at RC level, with the following question: Should
libcrypt-dsa-perl be removed from unstable and so forky? Upstream
clearly states:
| Deprecated.
| The maintainer of this distribution has indicated that it is
| deprecated and no longer suitable for use.
https://metacpan.org/dist/Crypt-DSA

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-12205
https://www.cve.org/CVERecord?id=CVE-2026-12205
[1] https://lists.security.metacpan.org/cve-announce/msg/41004653/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

#1140105#12
Date: 2026-06-15 21:24:25 UTC
Probably yes. No reverse dependencies, low popcon, deprecated
upstream …


Cheers,
gregor

#1140105#17
Date: 2026-06-15 22:35:42 UTC
We believe that the bug you reported is fixed in the latest version of
libcrypt-dsa-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1140105@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann <gregoa@debian.org> (supplier of updated libcrypt-dsa-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 15 Jun 2026 23:21:39 +0200
Source: libcrypt-dsa-perl
Architecture: source
Version: 1.21-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: gregor herrmann <gregoa@debian.org>
Closes: 1140105
Changes:
 libcrypt-dsa-perl (1.21-1) unstable; urgency=medium
 .
   * Team upload.
   * Import upstream version 1.21.
     - Fixed CVE-2026-12205 key material reuse for multiple signing events
     Closes: #1140105
   * Add deprecation notice to long description.

#1140105#22
Date: 2026-06-16 05:05:34 UTC
Hi Gregor,

I made a separate bug for this, #1140120.

Regards,
Salvatore