- Package:
- libapache-sessionx-perl
- Source:
- libapache-sessionx-perl
- Submitter:
- Raphael Geissert
- Date:
- 2026-02-27 13:03:01 UTC
- Severity:
- important
- Tags:
- security
Package: libapache-sessionx-perl
Version: 2.01-5
Severity: important
Tags: security

Hi,

As discussed in oss-security[1], libapache-sessionx-perl uses a poor source of entropy in Apache::Session::Generate::MD5.

The critical part is moving away from rand (e.g. to using urandom), but it would also be a good time to update the way the id is generated.

The details are in the oss-sec thread.

[1] https://www.openwall.com/lists/oss-security/2019/06/15/1

Cheers,
AFAICS libapache-sessionx-perl only exists to support libembperl-perl. As we're not going to ship libembperl-perl in trixie due to #1042845, I wonder if we should remove libapache-sessionx-perl from testing too?

Alternatively, the approach taken for libapache-session-perl in #930659 (using Crypt::URandom) seems easy to apply here as well.
https://sources.debian.org/src/libapache-session-perl/1.94-2/debian/patches/use-crypt-urandom.patch/
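The two messages above describe the problem (session ids whose only unpredictable input is rand()) and the fix applied to libapache-session-perl (draw the randomness from the kernel via Crypt::URandom). The script below is an added illustration, not code from libapache-sessionx-perl, the Debian patch, or the reporters: it places a rand()-based generator in the simplified shape of Apache::Session::Generate::MD5 next to a urandom-based one, with a shared validate() that rejects anything that is not hex of the configured length. The session hash layout (`{args}{IDLength}`, `{data}{_session_id}`) mirrors what Apache::Session passes to its generator modules but is assumed here; Crypt::URandom's `urandom($nbytes)` is its documented interface.

```perl
#!/usr/bin/perl
# Added example, not the package's code: a rand()-based session-id generator
# of the kind the bug report objects to, beside one fed by the OS CSPRNG.
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);
use Crypt::URandom qw(urandom);   # libcrypt-urandom-perl on Debian

# Weak: rand() is not a CSPRNG and its seed state is small; time() and the
# pid $$ are guessable, so hashing them with MD5 adds no entropy. This is a
# simplified stand-in for the construction the report describes, not a copy
# of the module's code.
sub generate_weak {
    my ($session) = @_;
    my $length = $session->{args}{IDLength} // 32;   # assumed layout
    $session->{data}{_session_id} =
        substr(md5_hex(md5_hex(time() . rand() . $$)), 0, $length);
    return $session->{data}{_session_id};
}

# Hardened: the id is hex-encoded bytes from the kernel CSPRNG. No hashing is
# needed once the input is uniformly random; a 32-character id carries 128
# bits of entropy. urandom() dies rather than returning short output.
sub generate_urandom {
    my ($session) = @_;
    my $length = $session->{args}{IDLength} // 32;   # assumed layout
    my $nbytes = int(($length + 1) / 2);             # two hex chars per byte
    $session->{data}{_session_id} =
        substr(unpack('H*', urandom($nbytes)), 0, $length);
    return $session->{data}{_session_id};
}

# Shared check: an id must be hex of exactly the configured length, so a
# malformed or truncated id from a client never reaches the session store.
sub validate {
    my ($session) = @_;
    my $length = $session->{args}{IDLength} // 32;
    my $id = $session->{data}{_session_id} // '';
    die "Invalid session ID: $id\n" unless $id =~ /\A[a-fA-F0-9]{$length}\z/;
    return 1;
}

unless (caller) {
    for my $gen ([weak => \&generate_weak], [urandom => \&generate_urandom]) {
        my %session = (args => { IDLength => 32 }, data => {});
        my $id = $gen->[1]->(\%session);
        validate(\%session);
        printf "%-8s %s\n", $gen->[0], $id;
    }
}
```

Both generators produce ids that pass validate(), which is the point: the weakness is invisible to format checks and only shows up as predictability of the sequence, so the fix has to be made at the entropy source rather than in validation.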
Control: severity -1 serious

Agreed. I'm raising the severity to trigger the auto-removal from testing.

Ack, if someone is interested in the package; otherwise just getting it out of testing seems fine to me.

Cheers,
gregor