• Bug#930660: libapache-sessionx-perl: poor source of entropy for session

    From Niko Tyni@21:1/5 to Raphael Geissert on Sat May 17 12:50:01 2025
    On Mon, Jun 17, 2019 at 10:44:52PM +0200, Raphael Geissert wrote:
    > Package: libapache-sessionx-perl
    > Version: 2.01-5
    > Severity: important
    > Tags: security
    >
    > Hi,
    >
    > As discussed in oss-security[1], libapache-sessionx-perl uses a poor
    > source of entropy in Apache::Session::Generate::MD5. The critical part
    > is moving away from rand (e.g. to using urandom), but it would also be
    > a good time to update the way the id is generated.
    >
    > The details are in the oss-sec thread.
    >
    > [1] https://www.openwall.com/lists/oss-security/2019/06/15/1

    AFAICS libapache-sessionx-perl only exists to support libembperl-perl.
    As we're not going to ship libembperl-perl in trixie due to #1042845,
    I wonder if we should remove libapache-sessionx-perl from testing too?

    Alternatively, the approach taken for libapache-session-perl #930659
    (using Crypt::URandom) seems easy to apply here as well.

    https://sources.debian.org/src/libapache-session-perl/1.94-2/debian/patches/use-crypt-urandom.patch/

    --
    Niko Tyni ntyni@debian.org

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
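
    As an added example (not code from this thread, from libapache-sessionx-perl, or from the referenced Debian patch), the script below contrasts the rand()-based id pattern the report describes with a generator backed by Crypt::URandom, the module the thread points to. The function names, the 32-character id length, the use of time() and the pid as inputs, and the demo values are assumptions; the weak generator is written in the style of the pattern described, not copied from Apache::Session::Generate::MD5.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);       # core module
use Crypt::URandom qw(urandom);    # CPAN; packaged as libcrypt-urandom-perl on Debian

# Session ids are 32 hex characters (assumed here to match the length an
# MD5-based generator produces).
my $ID_LENGTH = 32;

# Illustration of the weak pattern the bug report describes: a hash over a
# timestamp, the process id and Perl's rand(). rand() is a small-state PRNG
# seeded from srand(); anyone who can recover or guess that seed (forked
# workers may even inherit identical PRNG state) can replay the ids.
# Timestamp and pid are parameters only so the demo below is deterministic.
sub generate_weak {
    my ($now, $pid) = @_;
    return substr(md5_hex(md5_hex($now . rand() . $pid)), 0, $ID_LENGTH);
}

# Hardened generator: 16 bytes straight from the OS CSPRNG, hex-encoded.
# The result is still 32 hex characters, so validate() below and any stored
# ids keep working. Hashing adds nothing once the input is uniformly random;
# urandom() dies if the OS source cannot be opened, which is the right
# failure mode for a session id generator.
sub generate_urandom {
    return unpack('H*', urandom($ID_LENGTH / 2));
}

# Format check for ids that arrive from the client (cookie, form field)
# before they are used as a key into the session store.
sub validate {
    my ($id) = @_;
    return defined $id && $id =~ /\A[0-9a-f]{$ID_LENGTH}\z/;
}

# --- demo ---------------------------------------------------------------
my ($now, $pid) = (time(), $$);

# Same seed, same inputs: the rand()-based ids are fully reproducible.
srand(42);
my @weak_a = map { generate_weak($now, $pid) } 1 .. 3;
srand(42);
my @weak_b = map { generate_weak($now, $pid) } 1 .. 3;
printf "rand()-based ids replayed from a known seed: %s\n",
    ("@weak_a" eq "@weak_b") ? 'yes' : 'no';

# urandom-backed ids: no repeats across many draws, every id well-formed.
my %seen;
my $dupes = grep { $seen{$_}++ } map { generate_urandom() } 1 .. 1000;
my $bad   = grep { !validate($_) } keys %seen;
printf "duplicate urandom ids in 1000 draws: %d, malformed: %d\n",
    $dupes, $bad;
```

    The second half of the report ("update the way the id is generated") is what generate_urandom() addresses: once the bytes come from the OS CSPRNG there is no reason to mix in time() or the pid and run MD5 over them, and keeping the output at 32 hex characters means the change is invisible to code that already validates or stores ids.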
    From gregor herrmann@21:1/5 to Niko Tyni on Sat May 17 14:40:01 2025
    Control: severity -1 serious

    On Sat, 17 May 2025 13:38:22 +0300, Niko Tyni wrote:

    > On Mon, Jun 17, 2019 at 10:44:52PM +0200, Raphael Geissert wrote:
    > > Package: libapache-sessionx-perl
    > > Version: 2.01-5
    > > Severity: important
    > > Tags: security
    > >
    > > Hi,
    > >
    > > As discussed in oss-security[1], libapache-sessionx-perl uses a poor
    > > source of entropy in Apache::Session::Generate::MD5. The critical part
    > > is moving away from rand (e.g. to using urandom), but it would also be
    > > a good time to update the way the id is generated.
    > >
    > > The details are in the oss-sec thread.
    > >
    > > [1] https://www.openwall.com/lists/oss-security/2019/06/15/1
    >
    > AFAICS libapache-sessionx-perl only exists to support libembperl-perl.
    > As we're not going to ship libembperl-perl in trixie due to #1042845,
    > I wonder if we should remove libapache-sessionx-perl from testing too?

    Agreed.
    I'm raising the severity to trigger the auto-removal from testing.

    > Alternatively, the approach taken for libapache-session-perl #930659
    > (using Crypt::URandom) seems easy to apply here as well.
    > https://sources.debian.org/src/libapache-session-perl/1.94-2/debian/patches/use-crypt-urandom.patch/

    Ack, if someone is interested in the package; otherwise just getting
    it out of testing seems fine to me.


    Cheers,
    gregor

    --
    .''`. https://info.comodo.priv.at -- Debian Developer https://www.debian.org
    : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D 85FA BB3A 6801 8649 AA06
    `. `' Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
    `-
