Debian Package Tracker
libauthen-sasl-perl

Authen::SASL - SASL Authentication framework

general
  • source: libauthen-sasl-perl (main)
  • version: 2.1700-1
  • maintainer: Debian Perl Group (archive) (DMD) (LowNMU)
  • uploaders: Ansgar Burchardt [DMD]
  • arch: all
  • std-ver: 4.6.2
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • oldstable: 2.1600-1.1
  • stable: 2.1600-3
  • testing: 2.1700-1
  • unstable: 2.1700-1
versioned links
  • 2.1600-1.1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.1600-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.1700-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • libauthen-sasl-perl (2 bugs: 0, 1, 1, 0)
action needed
A new upstream version is available: 2.1800 high
A new upstream version 2.1800 is available, you should consider packaging it.
Created: 2025-07-15 Last update: 2025-07-20 17:00
1 security issue in trixie high

There is 1 open security issue in trixie.

1 important issue:
  • CVE-2025-40918: Authen::SASL::Perl::DIGEST_MD5 versions 2.04 through 2.1800 for Perl generates the cnonce insecurely. The cnonce (client nonce) is generated from an MD5 hash of the PID, the epoch time and the built-in rand function. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. According to RFC 2831, "The cnonce-value is an opaque quoted string value provided by the client and used by both client and server to avoid chosen plaintext attacks, and to provide mutual authentication. The security of the implementation depends on a good choice. It is RECOMMENDED that it contain at least 64 bits of entropy."
Created: 2025-07-16 Last update: 2025-07-17 04:30
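The advisory text above describes the weak construction only in prose. The following Perl snippet is an added illustration written for this page; it is not the code of Authen::SASL::Perl::DIGEST_MD5 and does not reproduce the module's exact source. The `weak_cnonce` sub models the pattern the advisory describes (MD5 over PID, epoch time and `rand()`), and `strong_cnonce` shows the minimum a fixed implementation needs: the nonce bytes must come from a CSPRNG, here the kernel's `/dev/urandom` (assumed to exist, which holds on Debian). Note that every Debian version listed on this page (2.1600-1.1, 2.1600-3, 2.1700-1) and the 2.1800 pending in VCS fall inside the affected range 2.04 through 2.1800, so packaging 2.1800 alone does not close this issue according to the advisory.

```perl
#!/usr/bin/perl
# Added illustration for CVE-2025-40918 (not the module's own code).
# Both subs return 32 hex characters; only the second has anything
# close to the 64 bits of entropy RFC 2831 recommends.
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Weak pattern as described in the advisory: hash of PID, epoch time and
# rand(). The PID is drawn from a small range, the epoch second is
# guessable (or leaked by a Date header), and rand() is not a CSPRNG, so
# the MD5 output is a deterministic function of a small, predictable input.
# Hashing does not add entropy; it only hides how little there is.
sub weak_cnonce {
    return md5_hex($$ . time() . rand());
}

# Hardened pattern: 16 bytes (128 bits) straight from the kernel CSPRNG,
# hex-encoded so it is a valid opaque quoted-string value for DIGEST-MD5.
# Assumes /dev/urandom is available (true on Debian/Linux).
sub strong_cnonce {
    open my $fh, '<:raw', '/dev/urandom'
        or die "cannot open /dev/urandom: $!";
    my $got = read($fh, my $buf, 16);
    close $fh;
    die "short read from /dev/urandom"
        unless defined $got && $got == 16;
    return unpack('H*', $buf);
}

print "weak   (PID/time/rand): ", weak_cnonce(),   "\n";
print "strong (128-bit CSPRNG): ", strong_cnonce(), "\n";
```

Run with `perl cnonce.pl`; the two lines look equally random to the eye, which is exactly why length or appearance of a nonce is no evidence of its entropy. When auditing other DIGEST-MD5 or similar challenge-response clients, grep for nonces built from `$$`, `time`, `rand` or their equivalents and treat any such construction as equivalent to this CVE regardless of the hash wrapped around it.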
1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:
  • CVE-2025-40918: Authen::SASL::Perl::DIGEST_MD5 versions 2.04 through 2.1800 for Perl generates the cnonce insecurely. The cnonce (client nonce) is generated from an MD5 hash of the PID, the epoch time and the built-in rand function. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. According to RFC 2831, "The cnonce-value is an opaque quoted string value provided by the client and used by both client and server to avoid chosen plaintext attacks, and to provide mutual authentication. The security of the implementation depends on a good choice. It is RECOMMENDED that it contain at least 64 bits of entropy."
Created: 2025-07-16 Last update: 2025-07-17 04:30
version in VCS is newer than in repository, is it time to upload? normal
vcswatch reports that this package seems to have a new changelog entry (version 2.1800-1, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:
commit eaea6d17c70e75c481f30fb411eb3ce085cf6b8a
Author: gregor herrmann <gregoa@debian.org>
Date:   Sun May 18 12:53:36 2025 +0200

    update changelog / add WAITS-FOR
    
    Gbp-Dch: Ignore

commit 065b2713155b0bdf42586fe2638a3e5f9a7629ef
Author: gregor herrmann <gregoa@debian.org>
Date:   Sun May 18 12:52:50 2025 +0200

    Remove Rules-Requires-Root: no.

commit 588d34f7302379530b8645e75e7f1487fce7e795
Author: gregor herrmann <gregoa@debian.org>
Date:   Sun May 18 12:52:50 2025 +0200

    Declare compliance with Debian Policy 4.7.2.

commit b7bba4eb5301d196728f0bde06da0e9a6fa64384
Author: gregor herrmann <gregoa@debian.org>
Date:   Sun May 18 12:52:11 2025 +0200

    Update libauthen-sasl-perl.examples (moved files).

commit 4b80938fbe129b897ed3ae2933e13a2b046830e9
Author: gregor herrmann <gregoa@debian.org>
Date:   Sun May 18 12:51:33 2025 +0200

    Update years of upstream copyright.

commit ab92eb88fb24bae5fbbf56c3b321d273b1c43b9c
Author: gregor herrmann <gregoa@debian.org>
Date:   Sun May 18 12:47:09 2025 +0200

    debian/copyright: add info about new files.

commit 2069bfbca3bbf4c51fd99ad808497ca935ffe086
Author: gregor herrmann <gregoa@debian.org>
Date:   Sun May 18 12:42:59 2025 +0200

    Update debian/changelog
    
    Gbp-Dch: Ignore

commit 577182aaa5f917dd80fae192a7614a8fbfdb3237
Merge: 9453532 a06b45e
Author: gregor herrmann <gregoa@debian.org>
Date:   Sun May 18 12:42:59 2025 +0200

    Update upstream source from tag 'upstream/2.1800'
    
    Update to upstream version '2.1800'
    with Debian dir 390d65789a56bd4de5985d0a981a4b075d7ba816

commit a06b45e181d6635e536e34526a5b996468115926
Merge: c74840e e456840
Author: gregor herrmann <gregoa@debian.org>
Date:   Sun May 18 12:42:59 2025 +0200

    New upstream version 2.1800

commit e456840b47c3b9ec8527c28eb954c2e548f27708
Author: Erik Huelsmann <ehuels@gmail.com>
Date:   Fri Apr 25 18:01:13 2025 +0200

    Update docs for 2.1800 release

commit 958a3aa165d30cf4e3cbb36dc45306de627aa13f
Author: Aditya Garg <gargaditya08@live.com>
Date:   Fri Apr 25 20:20:11 2025 +0530

    Add support for OAuth2.0 based authentication methods (#19)
    
    * Add support for XOAUTH2 authentication
    * Add support for OAUTHBEARER authentication
    * Improvements to client_step for XOAUTH2 and OAUTHBEARER
    * The use of JSON::PP increases the minimum requirement to 5.14.0
    
    ---------
    
    Co-authored-by: Erik Huelsmann <ehuels@gmail.com>

commit 2bcfbe916b63dbcb13a04a9d63d942c6752cd104
Author: Erik Huelsmann <ehuels@gmail.com>
Date:   Fri Apr 25 14:44:23 2025 +0200

    Store examples in the eg/ directory

commit 94535320079ec852819f3f4fb37e0b4c23d27cf7
Author: gregor herrmann <gregoa@debian.org>
Date:   Fri Oct 27 00:13:22 2023 +0200

    update changelog
    
    Gbp-Dch: Ignore

commit cdf7dd9f195012da9e54c7f74a61f1be31958321
Author: gregor herrmann <gregoa@debian.org>
Date:   Fri Oct 27 00:11:53 2023 +0200

    Update long description.
    
    Don't mention Authen::SASL::Cyrus anymore, which is deprecated and not in
    Debian any longer.

commit ee7624b2bdfa0c14dcd2c98f5a6051cb91229067
Author: Erik Huelsmann <ehuels@gmail.com>
Date:   Sat Oct 14 22:28:40 2023 +0200

    Update Changes

commit 386ba4947373c35369ed736cae65da7feba7d207
Merge: 8b299d9 ab8cd59
Author: Erik Huelsmann <ehuels@gmail.com>
Date:   Sat Oct 14 22:03:30 2023 +0200

    Merge pull request #3 from stevenl/master
    
    Provide more information in the error message

commit 8b299d96af40a93eb6077d4ea45bd48d8d91cf80
Merge: 56c2741 09431b1
Author: Erik Huelsmann <ehuels@gmail.com>
Date:   Sat Oct 14 16:20:50 2023 +0200

    Merge pull request #12 from ehuelsmann/acceptable-callbacks
    
    Allow mechanism classes to decline based on callbacks

commit 09431b1275b2bc406e9b8e19e82a1448bbeb1b16
Author: Erik Huelsmann <ehuels@gmail.com>
Date:   Sun Aug 6 11:50:57 2023 +0200

    Allow mechanism classes to decline based on callbacks

commit ab8cd59beaad3fd56cf32384cf5e11e0eec03c22
Author: Steven Lee <stevenwh.lee@gmail.com>
Date:   Fri Apr 25 15:50:19 2014 +0800

    Provide more information in the error message
Created: 2023-10-27 Last update: 2025-07-20 01:33
1 low-priority security issue in bookworm low

There is 1 open security issue in bookworm.

1 issue left for the package maintainer to handle:
  • CVE-2025-40918: (needs triaging) Authen::SASL::Perl::DIGEST_MD5 versions 2.04 through 2.1800 for Perl generates the cnonce insecurely. The cnonce (client nonce) is generated from an MD5 hash of the PID, the epoch time and the built-in rand function. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. According to RFC 2831, "The cnonce-value is an opaque quoted string value provided by the client and used by both client and server to avoid chosen plaintext attacks, and to provide mutual authentication. The security of the implementation depends on a good choice. It is RECOMMENDED that it contain at least 64 bits of entropy."

You can find information about how to handle this issue in the security team's documentation.

Created: 2025-07-16 Last update: 2025-07-17 04:30
Standards version of the package is outdated. wishlist
The package should be updated to follow the latest version of Debian Policy (Standards-Version 4.7.2 instead of 4.6.2).
Created: 2024-04-07 Last update: 2025-02-27 13:25
news
[rss feed]
  • [2023-10-27] libauthen-sasl-perl 2.1700-1 MIGRATED to testing (Debian testing watch)
  • [2023-09-24] Accepted libauthen-sasl-perl 2.1700-1 (source) into unstable (gregor herrmann)
  • [2022-10-16] libauthen-sasl-perl 2.1600-3 MIGRATED to testing (Debian testing watch)
  • [2022-10-13] Accepted libauthen-sasl-perl 2.1600-3 (source) into unstable (Jelmer Vernooij) (signed by: Jelmer Vernooij)
  • [2022-06-11] libauthen-sasl-perl 2.1600-2 MIGRATED to testing (Debian testing watch)
  • [2022-06-08] Accepted libauthen-sasl-perl 2.1600-2 (source) into unstable (Jelmer Vernooij) (signed by: Jelmer Vernooij)
  • [2020-12-24] libauthen-sasl-perl 2.1600-1.1 MIGRATED to testing (Debian testing watch)
  • [2020-12-18] Accepted libauthen-sasl-perl 2.1600-1.1 (source) into unstable (Holger Levsen)
  • [2014-03-21] libauthen-sasl-perl 2.1600-1 MIGRATED to testing (Debian testing watch)
  • [2014-03-10] Accepted libauthen-sasl-perl 2.1600-1 (source all) (Daniel Lintott) (signed by: gregor herrmann)
  • [2010-06-17] libauthen-sasl-perl 2.1500-1 MIGRATED to testing (Debian testing watch)
  • [2010-06-06] Accepted libauthen-sasl-perl 2.1500-1 (source all) (Ansgar Burchardt) (signed by: Chris Butler)
  • [2010-04-04] libauthen-sasl-perl 2.14-1 MIGRATED to testing (Debian testing watch)
  • [2010-03-17] Accepted libauthen-sasl-perl 2.14-1 (source all) (Franck Joncourt)
  • [2009-10-08] libauthen-sasl-perl 2.13-1 MIGRATED to testing (Debian testing watch)
  • [2009-09-27] Accepted libauthen-sasl-perl 2.13-1 (source all) (Gunnar Wolf) (signed by: Gunnar Eyal Wolf Iszaevich)
  • [2008-07-12] libauthen-sasl-perl 2.12-1 MIGRATED to testing (Debian testing watch)
  • [2008-07-01] Accepted libauthen-sasl-perl 2.12-1 (source all) (Gunnar Wolf)
  • [2008-05-07] libauthen-sasl-perl 2.11-1 MIGRATED to testing (Debian testing watch)
  • [2008-04-26] Accepted libauthen-sasl-perl 2.11-1 (source all) (AGOSTINI Yves) (signed by: gregor herrmann)
  • [2008-04-16] libauthen-sasl-perl 2.10-1.1 MIGRATED to testing (Debian testing watch)
  • [2008-04-05] Accepted libauthen-sasl-perl 2.10-1.1 (source all) (Stephen Gran)
  • [2006-04-14] libauthen-sasl-perl 2.10-1 MIGRATED to testing (Debian testing watch)
  • [2006-04-02] Accepted libauthen-sasl-perl 2.10-1 (source all) (Florian Ragwitz)
  • [2005-08-12] Accepted libauthen-sasl-perl 2.09-1 (source all) (Florian Ragwitz) (signed by: Joachim Breitner)
  • [2005-04-09] Accepted libauthen-sasl-perl 2.08-2 (all source) (Davide Puricelli (evo)) (signed by: Davide Puricelli)
  • [2004-08-21] Accepted libauthen-sasl-perl 2.08-1 (all source) (Davide Puricelli (evo)) (signed by: Davide Puricelli)
  • [2003-10-23] Accepted libauthen-sasl-perl 2.05-1 (all source) (Davide Puricelli (evo)) (signed by: Davide Puricelli)
bugs [bug history graph]
  • all: 3
  • RC: 0
  • I&N: 2
  • M&W: 1
  • F&P: 0
  • patch: 0
links
  • homepage
  • lintian
  • buildd: logs, reproducibility
  • popcon
  • browse source code
  • edit tags
  • other distros
  • security tracker
  • screenshots
  • debci
ubuntu [Information about Ubuntu for Debian Developers]
  • version: 2.1700-1
  • 1 bug

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers