Source: libcatalyst-authentication-credential-http-perl
Version: 1.018-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 1.018-1

Hi,

The following vulnerability was published for libcatalyst-authentication-credential-http-perl.

CVE-2025-40920[0]:
| Catalyst::Authentication::Credential::HTTP versions 1.018 and
| earlier for Perl generate nonces using the Perl Data::UUID library.
| * Data::UUID does not use a strong cryptographic source for
| generating UUIDs.
| * Data::UUID returns v3 UUIDs, which are generated from known
| information and are unsuitable for security, as per RFC 9562.
| * The nonces should be generated from a strong cryptographic
| source, as per RFC 7616.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-40920
    https://www.cve.org/CVERecord?id=CVE-2025-40920
[1] https://lists.security.metacpan.org/cve-announce/msg/31902514/
[2] https://github.com/perl-catalyst/Catalyst-Authentication-Credential-HTTP/pull/1
[3] https://github.com/perl-catalyst/Catalyst-Authentication-Credential-HTTP/commit/ad2c03aad95406db4ce35dfb670664ebde004c18

Regards,
Salvatore
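As an added illustration of what the CVE text asks for (this is not part of the bug report and not the upstream fix in PR #1, whose contents the report does not show), the Perl below generates HTTP Digest nonces from the OS CSPRNG instead of Data::UUID, in both the plain random form and the time-stamped, server-keyed form RFC 7616 section 3.3 suggests, and verifies the latter on the way back in. It assumes the CPAN module Crypt::URandom is installed; Digest::SHA and MIME::Base64 are core.

```perl
use strict;
use warnings;
use Crypt::URandom qw(urandom);        # CPAN; wraps the OS CSPRNG (assumed installed)
use Digest::SHA    qw(hmac_sha256_hex);
use MIME::Base64   qw(encode_base64 decode_base64);

# 128 random bits, hex-encoded so it is a valid quoted-string nonce value.
# This replaces a Data::UUID value, which is built from known information.
sub random_nonce {
    return unpack('H*', urandom(16));
}

# RFC 7616 section 3.3 form: base64( time-stamp ":" H(time-stamp ":" ETag ":" secret) ).
# Unpredictability comes entirely from $secret, so it must itself be CSPRNG output.
sub stamped_nonce {
    my ($secret, $etag) = @_;
    my $ts  = time();
    my $mac = hmac_sha256_hex("$ts:$etag", $secret);
    return encode_base64("$ts:$mac", '');
}

# Accept only nonces we issued within $max_age seconds whose MAC verifies,
# so a captured nonce cannot be replayed indefinitely.
sub verify_stamped_nonce {
    my ($nonce, $secret, $etag, $max_age) = @_;
    my ($ts, $mac) = split /:/, decode_base64($nonce), 2;
    return 0 unless defined $ts && $ts =~ /^\d+$/ && defined $mac;
    return 0 if time() - $ts > $max_age;
    my $expected = hmac_sha256_hex("$ts:$etag", $secret);
    return 0 unless length($mac) == length($expected);
    my $diff = 0;                      # constant-time comparison
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($expected, $_, 1))
        for 0 .. length($mac) - 1;
    return $diff == 0;
}

my $secret = urandom(32);              # generated once per server process, never logged
my $etag   = 'W/"example-etag"';       # constructed sample value
print "random nonce:  ", random_nonce(), "\n";
my $nonce = stamped_nonce($secret, $etag);
print "stamped nonce: $nonce\n";
print "verifies:      ", (verify_stamped_nonce($nonce, $secret, $etag, 300) ? "yes" : "no"), "\n";
```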

