libapache-session-browseable-perl - Debian Package Tracker

general

source: libapache-session-browseable-perl (main)
version: 1.3.19-1
maintainer: Debian Perl Group (archive) (DMD) (LowNMU)
uploaders: Yadd [DMD]
arch: all
std-ver: 4.7.4
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1.3.8-1
oldstable: 1.3.11-3
old-bpo: 1.3.16-1~bpo12+1
stable: 1.3.16-1
testing: 1.3.18-1
unstable: 1.3.19-1

versioned links

1.3.8-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.3.11-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.3.16-1~bpo12+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.3.16-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.3.18-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.3.19-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libapache-session-browseable-perl

action needed

1 security issue in forky high

There is 1 open security issue in forky.

1 important issue:

CVE-2026-8503: Apache::Session::Generate::SHA256 versions before 1.3.19 for Perl create insecure session ids. Apache::Session::Generate::SHA256 generated session ids insecurely. The default session id generator returns a SHA-256 hash of the built-in rand() function, the epoch time, and the PID, that is hashed again. These are predictable, low-entropy sources. Predicable session ids could allow an attacker to gain access to systems. Note that version 1.3.19 has a fallback without warning to use insecure session generation method if the call to Crypt::URandom::urandom fails. However, this is unlikely as Crypt::URandom is a hardcoded requirement of the module. This issue is similar to CVE-2025-40931 for Apache::Session::Generate::MD5.

Created: 2026-05-15 Last update: 2026-05-16 05:16

1 security issue in bullseye high

There is 1 open security issue in bullseye.

1 important issue:

CVE-2026-8503: Apache::Session::Generate::SHA256 versions before 1.3.19 for Perl create insecure session ids. Apache::Session::Generate::SHA256 generated session ids insecurely. The default session id generator returns a SHA-256 hash of the built-in rand() function, the epoch time, and the PID, that is hashed again. These are predictable, low-entropy sources. Predicable session ids could allow an attacker to gain access to systems. Note that version 1.3.19 has a fallback without warning to use insecure session generation method if the call to Crypt::URandom::urandom fails. However, this is unlikely as Crypt::URandom is a hardcoded requirement of the module. This issue is similar to CVE-2025-40931 for Apache::Session::Generate::MD5.

Created: 2026-05-15 Last update: 2026-05-16 05:16

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 1.3.19-2, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit 7c4e08fbd875138331cb51e287f7f0fc238aab15
Author: Xavier Guimard <yadd@debian.org>
Date:   Fri May 15 11:58:58 2026 +0200

    Set CVE-2026-8503 in 1.3.19-1 entry

commit 7baef48abe4714febf68794c77276e0d2e3cba4d
Author: Yadd <yadd@debian.org>
Date:   Fri May 15 07:06:47 2026 +0200

    Add explicit dependency to libcrypt-urandom-perl

Created: 2026-05-15 Last update: 2026-05-15 12:01

lintian reports 5 warnings normal

Lintian reports 5 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2026-05-14 Last update: 2026-05-14 19:30

1 low-priority security issue in trixie low

There is 1 open security issue in trixie.

1 issue left for the package maintainer to handle:

CVE-2026-8503: (needs triaging) Apache::Session::Generate::SHA256 versions before 1.3.19 for Perl create insecure session ids. Apache::Session::Generate::SHA256 generated session ids insecurely. The default session id generator returns a SHA-256 hash of the built-in rand() function, the epoch time, and the PID, that is hashed again. These are predictable, low-entropy sources. Predicable session ids could allow an attacker to gain access to systems. Note that version 1.3.19 has a fallback without warning to use insecure session generation method if the call to Crypt::URandom::urandom fails. However, this is unlikely as Crypt::URandom is a hardcoded requirement of the module. This issue is similar to CVE-2025-40931 for Apache::Session::Generate::MD5.

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-05-15 Last update: 2026-05-16 05:16

testing migrations

excuses:
- Migration status for libapache-session-browseable-perl (1.3.18-1 to 1.3.19-1): Waiting for test results or another package, or too young (no action required now - check later)
- Issues preventing migration:
- ∙ ∙ Autopkgtest for libapache-session-browseable-perl/1.3.19-1: amd64: Pass, arm64: Pass, i386: Test triggered, loong64: Pass, ppc64el: Pass, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Too young, only 3 of 5 days old
- Additional info (not blocking):
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/liba/libapache-session-browseable-perl.html
- ∙ ∙ Reproduced on amd64 - info
- ∙ ∙ Reproduced on arm64 - info
- ∙ ∙ Reproduced on armhf - info
- ∙ ∙ Reproduced on i386 - info
- Not considered

news

[rss feed]

[2026-05-14] Accepted libapache-session-browseable-perl 1.3.19-1 (source) into unstable (Xavier Guimard)
[2025-10-02] libapache-session-browseable-perl 1.3.18-1 MIGRATED to testing (Debian testing watch)
[2025-09-29] Accepted libapache-session-browseable-perl 1.3.18-1 (source) into unstable (gregor herrmann)
[2025-09-25] libapache-session-browseable-perl 1.3.17-1 MIGRATED to testing (Debian testing watch)
[2025-09-25] libapache-session-browseable-perl 1.3.17-1 MIGRATED to testing (Debian testing watch)
[2025-09-21] Accepted libapache-session-browseable-perl 1.3.17-1 (source) into unstable (gregor herrmann)
[2025-04-15] Accepted libapache-session-browseable-perl 1.3.16-1~bpo12+1 (source all) into stable-backports (Debian FTP Masters) (signed by: Xavier Guimard)
[2025-04-14] libapache-session-browseable-perl 1.3.16-1 MIGRATED to testing (Debian testing watch)
[2025-04-12] Accepted libapache-session-browseable-perl 1.3.16-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2025-04-10] Accepted libapache-session-browseable-perl 1.3.15-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2024-12-21] libapache-session-browseable-perl 1.3.14-1 MIGRATED to testing (Debian testing watch)
[2024-12-19] Accepted libapache-session-browseable-perl 1.3.14-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2023-09-27] libapache-session-browseable-perl 1.3.13-1 MIGRATED to testing (Debian testing watch)
[2023-09-24] Accepted libapache-session-browseable-perl 1.3.13-1 (source) into unstable (gregor herrmann)
[2023-01-28] Accepted libapache-session-browseable-perl 1.3.0-1+deb10u1 (source) into oldstable (Guilhem Moulin)
[2022-12-10] libapache-session-browseable-perl 1.3.11-3 MIGRATED to testing (Debian testing watch)
[2022-12-07] Accepted libapache-session-browseable-perl 1.3.11-3 (source) into unstable (Jelmer Vernooĳ) (signed by: Jelmer Vernooij)
[2022-10-16] libapache-session-browseable-perl 1.3.11-2 MIGRATED to testing (Debian testing watch)
[2022-10-14] Accepted libapache-session-browseable-perl 1.3.11-2 (source) into unstable (Jelmer Vernooĳ) (signed by: Jelmer Vernooij)
[2022-09-29] libapache-session-browseable-perl 1.3.11-1 MIGRATED to testing (Debian testing watch)
[2022-09-26] Accepted libapache-session-browseable-perl 1.3.11-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2022-03-11] libapache-session-browseable-perl 1.3.10-1 MIGRATED to testing (Debian testing watch)
[2022-03-08] Accepted libapache-session-browseable-perl 1.3.10-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2021-08-16] libapache-session-browseable-perl 1.3.9-1 MIGRATED to testing (Debian testing watch)
[2021-08-10] Accepted libapache-session-browseable-perl 1.3.9-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2020-09-11] Accepted libapache-session-browseable-perl 1.3.8-1~bpo10+1 (source all) into buster-backports, buster-backports (Debian FTP Masters) (signed by: Xavier Guimard)
[2020-09-09] libapache-session-browseable-perl 1.3.8-1 MIGRATED to testing (Debian testing watch)
[2020-09-07] libapache-session-browseable-perl 1.3.7-1 MIGRATED to testing (Debian testing watch)
[2020-09-07] libapache-session-browseable-perl 1.3.7-1 MIGRATED to testing (Debian testing watch)
[2020-09-06] Accepted libapache-session-browseable-perl 1.3.8-1 (source) into unstable (Xavier Guimard)

bugs [bug history graph]

all: 0

links

homepage
lintian (0, 5)
buildd: logs, reproducibility
popcon
browse source code
other distros
security tracker
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.3.18-1