Source: libplack-middleware-session-perl
Version: 0.34-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/plack/Plack-Middleware-Session/pull/52
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerability was published for libplack-middleware-session-perl.

CVE-2025-40923[0]:
| Plack-Middleware-Session before version 0.35 for Perl generates
| session ids insecurely. The default session id generator returns a
| SHA-1 hash seeded with the built-in rand function, the epoch time,
| and the PID. The PID will come from a small set of numbers, and the
| epoch time may be guessed, if it is not leaked from the HTTP Date
| header. The built-in rand function is unsuitable for cryptographic
| usage. Predictable session ids could allow an attacker to gain
| access to systems.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-40923
    https://www.cve.org/CVERecord?id=CVE-2025-40923
[1] https://github.com/plack/Plack-Middleware-Session/pull/52
[2] https://lists.security.metacpan.org/cve-announce/msg/31223483/
[3] https://github.com/plack/Plack-Middleware-Session/commit/1fbfbb355e34e7f4b3906f66cf958cedadd2b9be

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
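The weak generator pattern the CVE text describes, shown beside a CSPRNG-backed replacement, as an added Perl example that is neither the module's code nor the upstream fix. It assumes Crypt::URandom is installed and that the deployment can pass a custom generator and validator to Plack::Session::State via its sid_generator and sid_validator options.

```perl
use strict;
use warnings;
use Digest::SHA qw(sha1_hex);
use Crypt::URandom qw(urandom);   # assumed installed; wraps the OS CSPRNG
use Plack::Builder;
use Plack::Session::State;

# Weak pattern of the kind the advisory describes (constructed illustration,
# not the module's verbatim code): rand() is not a CSPRNG, $$ comes from a
# small range and time is guessable, so SHA-1 only hides the inputs, it does
# not add entropy to them.
sub weak_session_id {
    return sha1_hex( rand() . $$ . time );
}

# Hardened replacement: 32 bytes (256 bits) from the operating system's
# CSPRNG, hex-encoded. Unpredictability comes from the source, not the hash.
sub strong_session_id {
    return unpack 'H*', urandom(32);
}

# Shape check for ids produced by the hardened generator (64 lowercase hex
# characters), applied before an id taken from a cookie is trusted.
sub looks_like_strong_id {
    my ($id) = @_;
    return defined $id && $id =~ /\A[0-9a-f]{64}\z/ ? 1 : 0;
}

# Deployment-side mitigation for installations that cannot upgrade to 0.35
# yet: plug the strong generator and a matching validator into the state
# object so the middleware never falls back to the default generator.
my $app = sub { [ 200, [ 'Content-Type' => 'text/plain' ], ["ok\n"] ] };

builder {
    enable 'Session',
        state => Plack::Session::State->new(
            sid_generator => \&strong_session_id,
            sid_validator => qr/\A[0-9a-f]{64}\z/,
        );
    $app;
};
```

Upgrading to the fixed upstream version remains the real fix; the override only keeps the default generator out of the request path until the package is updated.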