Source: libstring-compare-constanttime-perl
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,

The following vulnerability was published for libstring-compare-constanttime-perl.

CVE-2024-13939[0]:
| String::Compare::ConstantTime for Perl through 0.321 is vulnerable
| to timing attacks that allow an attacker to guess the length of a
| secret string. As stated in the documentation: "If the lengths of
| the strings are different, because equals returns false right away
| the size of the secret string may be leaked (but not its contents)."
| This is similar to CVE-2020-36829

https://metacpan.org/release/FRACTAL/String-Compare-ConstantTime-0.321/view/lib/String/Compare/ConstantTime.pm#TIMING-SIDE-CHANNEL

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-13939
    https://www.cve.org/CVERecord?id=CVE-2024-13939

Please adjust the affected versions in the BTS as needed.
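The early-return pattern the CVE text describes, next to one way of removing the length signal, as an added illustration that is not part of this report or of the String::Compare::ConstantTime module; the HMAC-to-fixed-length approach, the function names and the demo key are assumptions here, not the module's actual fix:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256);   # core module

# Pattern described in CVE-2024-13939: the length check returns before
# a single byte is examined, so the time taken tells the caller whether
# the guess has the same length as the secret (contents stay protected).
sub equals_with_length_leak {
    my ($secret, $guess) = @_;
    return 0 if length($secret) != length($guess);   # early return: length leaks
    my $diff = 0;
    $diff |= ord(substr($secret, $_, 1)) ^ ord(substr($guess, $_, 1))
        for 0 .. length($secret) - 1;
    return $diff == 0 ? 1 : 0;
}

# Hardened form (assumed mitigation, not the module's code): HMAC both
# inputs with a key the caller cannot predict, so the values actually
# compared are always 32 bytes. The comparison loop then does the same
# work on every call, and the only input-dependent cost is hashing the
# caller's own guess, which tells the caller nothing about the secret.
my $KEY = pack('C*', map { int(rand(256)) } 1 .. 32);  # demo key; use a CSPRNG-derived key in real use

sub equals_fixed_length {
    my ($secret, $guess) = @_;
    my $hs = hmac_sha256($secret, $KEY);   # always 32 bytes
    my $hg = hmac_sha256($guess,  $KEY);   # always 32 bytes
    my $diff = 0;
    $diff |= ord(substr($hs, $_, 1)) ^ ord(substr($hg, $_, 1)) for 0 .. 31;
    return $diff == 0 ? 1 : 0;
}

# Constructed sample values for a stand-alone run.
my $secret = 'correct-horse-battery';
printf "leaky:  equal=%d, wrong length=%d\n",
    equals_with_length_leak($secret, $secret),
    equals_with_length_leak($secret, 'short');
printf "fixed:  equal=%d, wrong length=%d, same length=%d\n",
    equals_fixed_length($secret, $secret),
    equals_fixed_length($secret, 'short'),
    equals_fixed_length($secret, 'correct-horse-batterx');
```

Both functions return the same truth values; the difference is only in how much work the comparison does when the lengths differ.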