libapache-sessionx-perl - Debian Package Tracker

general

source: libapache-sessionx-perl (main)
version: 2.01-6
maintainer: Debian Perl Group (archive) (DMD) (LowNMU)
uploaders: Ansgar Burchardt [DMD] – gregor herrmann [DMD]
arch: all
std-ver: 4.6.2
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 2.01-5
oldstable: 2.01-5
unstable: 2.01-6

versioned links

2.01-5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.01-6: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libapache-sessionx-perl (1 bugs: 1, 0, 0, 0)

action needed

Debci reports failed tests high

unstable: neutral (log)
The tests ran in 0:01:09
Last run: 2026-04-22T10:05:55.000Z
Previous status: unknown

testing: neutral (log)
The tests ran in 0:00:41
Last run: 2025-05-16T21:55:27.000Z
Previous status: unknown

stable: fail (log)
The tests ran in 0:00:22
Last run: 2025-08-11T06:58:37.000Z
Previous status: unknown

Created: 2025-08-11 Last update: 2026-05-15 12:30

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2025-40932: Apache::SessionX versions through 2.01 for Perl create insecure session id. Apache::SessionX generates session ids insecurely. The default session id generator in Apache::SessionX::Generate::MD5 returns a MD5 hash seeded with the built-in rand() function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems.

Created: 2026-02-27 Last update: 2026-04-28 19:02

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 5-day delay is over. Check why.

Created: 2026-04-13 Last update: 2026-05-15 11:33

4 new commits since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit 1b654799a2e67b251384cd92c087d4312927b797
Author: Alexandre Detiste <alexandre.detiste@gmail.com>
Date:   Sat May 9 00:58:51 2026 +0200

    use dh-cruft to register & purge /var/lib/libapache-sessionx-perl/Config.pm

commit b5c5e6494c46fb6dab65bebea3b2df5c725d5920
Author: Alexandre Detiste <alexandre.detiste@gmail.com>
Date:   Sat May 9 00:58:18 2026 +0200

    wrap-and-sort -ast

commit 5fab71ca15cee0ee7f5ddc83240a5c392a8e0b08
Merge: e2bfd82 e797f6b
Author: gregor herrmann <gregoa@debian.org>
Date:   Sat Mar 29 00:46:55 2025 +0000

    Merge branch 'update-translation-ca' into 'master'
    
    Update/add Catalan po-debconf translation
    
    See merge request perl-team/modules/packages/libapache-sessionx-perl!2

commit e797f6bad35737bbfe6240422881db9b0cee57c1
Author: Carles Pina i Estany <carles@pina.cat>
Date:   Fri Mar 28 07:37:59 2025 +0000

    Added po-debconf Catalan translation

Created: 2025-03-29 Last update: 2026-05-09 00:34

lintian reports 2 warnings normal

Lintian reports 2 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2024-03-05 Last update: 2024-03-05 06:09

1 low-priority security issue in bookworm low

There is 1 open security issue in bookworm.

1 issue left for the package maintainer to handle:

CVE-2025-40932: (needs triaging) Apache::SessionX versions through 2.01 for Perl create insecure session id. Apache::SessionX generates session ids insecurely. The default session id generator in Apache::SessionX::Generate::MD5 returns a MD5 hash seeded with the built-in rand() function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems.

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-02-27 Last update: 2026-04-28 19:02

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.6.2).

Created: 2024-04-07 Last update: 2026-03-31 15:01

testing migrations

excuses:
- Migration status for libapache-sessionx-perl (- to 2.01-6): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- ∙ ∙ Updating libapache-sessionx-perl would introduce bugs in testing: #930660
- Additional info (not blocking):
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/liba/libapache-sessionx-perl.html
- ∙ ∙ Autopkgtest for libapache-sessionx-perl/2.01-6: amd64: No tests, superficial or marked flaky ♻, arm64: No tests, superficial or marked flaky ♻, i386: No tests, superficial or marked flaky ♻, loong64: No tests, superficial or marked flaky ♻, ppc64el: No tests, superficial or marked flaky ♻, riscv64: No tests, superficial or marked flaky ♻, s390x: No tests, superficial or marked flaky ♻
- ∙ ∙ Reproduced on amd64 - info
- ∙ ∙ Reproduced on arm64 - info
- ∙ ∙ Reproduced on armhf - info
- ∙ ∙ Reproduced on i386 - info
- ∙ ∙ 801 days old (needed 5 days)
- Not considered

news

[rss feed]

[2025-06-03] libapache-sessionx-perl REMOVED from testing (Debian testing watch)
[2024-03-11] libapache-sessionx-perl 2.01-6 MIGRATED to testing (Debian testing watch)
[2024-03-11] libapache-sessionx-perl 2.01-6 MIGRATED to testing (Debian testing watch)
[2024-03-04] Accepted libapache-sessionx-perl 2.01-6 (source) into unstable (gregor herrmann)
[2018-09-07] libapache-sessionx-perl 2.01-5 MIGRATED to testing (Debian testing watch)
[2018-08-30] Accepted libapache-sessionx-perl 2.01-5 (source) into unstable (Xavier Guimard)
[2012-02-03] libapache-sessionx-perl 2.01-4 MIGRATED to testing (Debian testing watch)
[2012-01-23] Accepted libapache-sessionx-perl 2.01-4 (source all) (gregor herrmann)
[2011-06-02] libapache-sessionx-perl 2.01-3 MIGRATED to testing (Debian testing watch)
[2011-05-22] Accepted libapache-sessionx-perl 2.01-3 (source all) (gregor herrmann)
[2010-02-12] libapache-sessionx-perl 2.01-2 MIGRATED to testing (Debian testing watch)
[2010-02-01] Accepted libapache-sessionx-perl 2.01-2 (source all) (Ansgar Burchardt) (signed by: gregor herrmann)
[2008-11-12] libapache-sessionx-perl 2.01-1.1 MIGRATED to testing (Debian testing watch)
[2008-10-31] Accepted libapache-sessionx-perl 2.01-1.1 (source all) (Christian Perrier)
[2008-01-21] libapache-sessionx-perl 2.01-1 MIGRATED to testing (Debian testing watch)
[2008-01-10] Accepted libapache-sessionx-perl 2.01-1 (source all) (Angus Lees)
[2007-03-13] libapache-sessionx-perl 2.00b5-3.2 MIGRATED to testing (Debian testing watch)
[2007-03-02] Accepted libapache-sessionx-perl 2.00b5-3.2 (source all) (Christian Perrier)
[2006-12-09] libapache-sessionx-perl 2.00b5-3.1 MIGRATED to testing (Debian testing watch)
[2006-11-28] Accepted libapache-sessionx-perl 2.00b5-3.1 (source all) (Christian Perrier)
[2005-07-28] Accepted libapache-sessionx-perl 2.00b5-3 (source all) (Angus Lees)
[2005-03-07] Accepted libapache-sessionx-perl 2.00b5-2 (all source) (Angus Lees)
[2003-03-11] Accepted libapache-sessionx-perl 2.00b5-1 (all source) (Angus Lees)
[2002-10-03] Accepted libapache-sessionx-perl 2.00b3-2 (all source) (Angus Lees)

bugs [bug history graph]

all: 1
RC: 1
I&N: 0
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian (0, 2)
buildd: logs
popcon
browse source code
other distros
security tracker
l10n (100, -)
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2.01-6