#1140807 trixie-pu: package libbytes-random-secure-perl/0.29-4~deb13u1

#1140807#5
Date: 2026-06-26 19:07:12 UTC
Hi SRMers

[ Reason ]
libbytes-random-secure-perl is affected by CVE-2026-11625: where
an object is initialised before forking, or when the functional
interface is used, the internal state for the PRNG is shared
across processes and identical random streams will be produced.

[ Impact ]
Secrets generated in multiprocess applications are predictable across
processes.

[ Tests ]
Ran the test suite and did a debusine upload as well:
https://debusine.debian.net/debian/developers/work-request/894383/

[ Risks ]
The upstream pull request is not yet merged, but the patch is referenced
in the CPAN security advisory and taken from there.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

[ Other info ]
Nothing special.

Regards,
Salvatore
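
The failure mode described under [ Reason ] above, as an added example that is not code from Bytes::Random::Secure or from the referenced patch: ToyPRNG is a constructed stand-in generator, and the PID check in bytes_hex is an assumed mitigation for illustration, not a description of the upstream fix. It forks three children after the object exists and counts how many distinct first outputs they produce, with and without the check.

```perl
use strict;
use warnings;
use Digest::SHA ();
$| = 1;    # flush STDOUT so children do not inherit buffered output

# ToyPRNG: constructed stand-in for a userspace PRNG (not the module's code).
package ToyPRNG {
    sub new {
        my ($class, %opt) = @_;
        my $self = bless { fork_safe => $opt{fork_safe} }, $class;
        $self->_seed;
        return $self;
    }
    sub _seed {    # pull a fresh 256-bit seed from the kernel
        my ($self) = @_;
        open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
        read($fh, my $seed, 32) == 32 or die "short read from urandom";
        @$self{qw(seed counter pid)} = ($seed, 0, $$);
    }
    sub bytes_hex {
        my ($self) = @_;
        # Assumed mitigation: a changed PID means we are a forked child, reseed.
        $self->_seed if $self->{fork_safe} && $self->{pid} != $$;
        # Output depends only on (seed, counter), both copied by fork().
        return Digest::SHA::sha256_hex($self->{seed} . pack('N', $self->{counter}++));
    }
}

# Fork $n children after the object exists; collect each child's first output.
sub child_outputs {
    my ($prng, $n) = @_;
    my @out;
    for (1 .. $n) {
        pipe(my $r, my $w) or die "pipe: $!";
        my $pid = fork() // die "fork: $!";
        if ($pid == 0) {    # child: emit one value and leave
            close $r;
            print {$w} $prng->bytes_hex;
            close $w;
            exit 0;
        }
        close $w;
        push @out, scalar <$r>;
        close $r;
        waitpid($pid, 0);
    }
    return @out;
}

for my $safe (0, 1) {
    my @o = child_outputs(ToyPRNG->new(fork_safe => $safe), 3);
    my %seen = map { $_ => 1 } @o;
    printf "fork_safe=%d distinct=%d of %d\n", $safe, scalar(keys %seen), scalar @o;
}
```

The same harness shape works as a regression check for any generator object created before fork(): fewer distinct values than children means state is being shared.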

#1140807#12
Date: 2026-06-27 14:09:15 UTC
package release.debian.org
tags 1140807 = trixie pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian trixie.

Thanks for your contribution!

Upload details
==============

Package: libbytes-random-secure-perl
Version: 0.29-4~deb13u1

Explanation: fix incorrect usage of seed in PRNG [CVE-2026-11625]
