On 18/06/2019 at 09:56, Xavier wrote:
> On 18/06/2019 at 09:46, Xavier wrote:
>> On 17/06/2019 at 22:44, Raphael Geissert wrote:
>>> Package: libapache-session-perl
>>> Version: 1.93-3
>>> Severity: important
>>> Tags: security
>>>
>>> Hi,
>>>
>>> As discussed in oss-security[1], libapache-session-perl uses a poor
>>> source of entropy in Apache::Session::Generate::MD5. The critical part
>>> is moving away from rand (e.g. to using urandom), but it would also be
>>> a good time to update the way the id is generated.
>>>
>>> The details are in the oss-sec thread.
>>>
>>> [1] https://www.openwall.com/lists/oss-security/2019/06/15/1
>>>
>>> Cheers,
>>
>> Hi all,
>>
>> lemonldap-ng is not affected by this issue even if it depends on
>> Apache::Session: it uses its own
>> Lemonldap::NG::Common::Apache::Session::Generate::SHA256 which uses
>> Crypt::URandom instead of rand(). This can be easily backported to
>> Apache::Session but changes the generated id: SHA256 is longer.
>
> This is true for lemonldap-ng ≥ 2.0.2 (buster); 1.9.x versions (stretch)
> are concerned by this issue.
>
> The fix is referenced here:
> https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1633

I proposed a fix here:
https://salsa.debian.org/perl-team/modules/packages/libapache-session-perl/merge_requests/1

Cheers,
Xavier
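The thread's point, a session id built on rand() beside one built on the kernel CSPRNG via Crypt::URandom and hashed with SHA-256, as an added example. This is not the code of Apache::Session, lemonldap-ng or the proposed merge request; the two generator subs and the validation regex are illustrative, and the 32-byte read size is an assumption.

```perl
#!/usr/bin/perl
# Added example, not code from Apache::Session or lemonldap-ng: what changes
# when a session-id generator moves from rand() to Crypt::URandom.
use strict;
use warnings;
use Crypt::URandom qw(urandom);
use Digest::SHA    qw(sha256_hex);
use Digest::MD5    qw(md5_hex);

# Weak pattern (illustrative, not a copy of Apache::Session::Generate::MD5):
# the id mixes low-entropy, partly guessable inputs (time, pid) with rand(),
# a non-cryptographic PRNG whose output is not suitable for secrets.
sub weak_session_id {
    return md5_hex( time() . $$ . rand() );
}

# Hardened pattern: 32 bytes from the OS CSPRNG (assumed size), hashed with
# SHA-256 so the id has a fixed 64-hex-char format. The hash adds no entropy;
# all of it comes from urandom(). Crypt::URandom croaks if no CSPRNG is
# available, so a failure cannot silently degrade into a predictable id.
sub strong_session_id {
    my $bytes = urandom(32);
    return sha256_hex($bytes);
}

# Format check a consuming store should apply to incoming ids: with SHA-256
# the id is 64 hex characters, not the 32 of an MD5-based generator, which is
# the "id is longer" caveat raised in the thread for a backport.
sub validate_session_id {
    my ($id) = @_;
    return defined $id && $id =~ /\A[0-9a-f]{64}\z/;
}

my $weak   = weak_session_id();
my $strong = strong_session_id();
print "weak   (32 hex): $weak\n";
print "strong (64 hex): $strong\n";
print "strong id validates: ", ( validate_session_id($strong) ? "yes" : "no" ), "\n";
print "weak id validates:   ", ( validate_session_id($weak)   ? "yes" : "no" ), "\n";
```

Any code that persists or pattern-matches session ids (cookie parsers, store lookups, log filters) must accept the new length before the generator is switched, otherwise valid sessions are rejected after the upgrade.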