Debian Package Tracker
Register | Log in
Subscribe

libcgi-session-perl

persistent session data in CGI applications

Choose email to subscribe with

general
  • source: libcgi-session-perl (main)
  • version: 4.49-1
  • maintainer: Debian Perl Group (archive) (DMD) (LowNMU)
  • uploaders: gregor herrmann [DMD] – Ansgar Burchardt [DMD]
  • arch: all
  • std-ver: 4.7.4
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 4.48-3
  • oldstable: 4.48-4
  • stable: 4.48-4
  • testing: 4.48-4
  • unstable: 4.49-1
versioned links
  • 4.48-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 4.48-4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 4.49-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • libcgi-session-perl (1 bugs: 0, 1, 0, 0)
action needed
1 security issue in forky high

There is 1 open security issue in forky.

1 important issue:
  • CVE-2026-56016: CGI::Session::ID::md5 versions before 4.49 for Perl generate predictable session ids from low-entropy sources. The generate_id method builds the session id from a MD5 digest of the process id, the epoch time, and the built-in rand() function. All three are predictable, low-entropy sources: the PID is drawn from a small range, the epoch time can be guessed or read from the HTTP Date header, and Perl's rand() is unsuitable for security purposes because it is predictable and reversible. An attacker who predicts a session id can impersonate the corresponding session and bypass authentication.
Created: 2026-07-01 Last update: 2026-07-02 04:02
1 security issue in bullseye high

There is 1 open security issue in bullseye.

1 important issue:
  • CVE-2026-56016: CGI::Session::ID::md5 versions before 4.49 for Perl generate predictable session ids from low-entropy sources. The generate_id method builds the session id from a MD5 digest of the process id, the epoch time, and the built-in rand() function. All three are predictable, low-entropy sources: the PID is drawn from a small range, the epoch time can be guessed or read from the HTTP Date header, and Perl's rand() is unsuitable for security purposes because it is predictable and reversible. An attacker who predicts a session id can impersonate the corresponding session and bypass authentication.
Created: 2026-07-01 Last update: 2026-07-02 04:02
1 security issue in bookworm high

There is 1 open security issue in bookworm.

1 important issue:
  • CVE-2026-56016: CGI::Session::ID::md5 versions before 4.49 for Perl generate predictable session ids from low-entropy sources. The generate_id method builds the session id from a MD5 digest of the process id, the epoch time, and the built-in rand() function. All three are predictable, low-entropy sources: the PID is drawn from a small range, the epoch time can be guessed or read from the HTTP Date header, and Perl's rand() is unsuitable for security purposes because it is predictable and reversible. An attacker who predicts a session id can impersonate the corresponding session and bypass authentication.
Created: 2026-07-01 Last update: 2026-07-02 04:02
1 low-priority security issue in trixie low

There is 1 open security issue in trixie.

1 issue left for the package maintainer to handle:
  • CVE-2026-56016: (needs triaging) CGI::Session::ID::md5 versions before 4.49 for Perl generate predictable session ids from low-entropy sources. The generate_id method builds the session id from a MD5 digest of the process id, the epoch time, and the built-in rand() function. All three are predictable, low-entropy sources: the PID is drawn from a small range, the epoch time can be guessed or read from the HTTP Date header, and Perl's rand() is unsuitable for security purposes because it is predictable and reversible. An attacker who predicts a session id can impersonate the corresponding session and bypass authentication.

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-07-01 Last update: 2026-07-02 04:02
testing migrations
  • excuses:
    • Migration status for libcgi-session-perl (4.48-4 to 4.49-1): Waiting for test results or another package, or too young (no action required now - check later)
    • Issues preventing migration:
    • ∙ ∙ Too young, only 1 of 2 days old
    • Additional info (not blocking):
    • ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/libc/libcgi-session-perl.html
    • ∙ ∙ Autopkgtest for libcgi-session-perl/4.49-1: amd64: Pass, arm64: Pass, i386: Pass, loong64: Pass, ppc64el: Pass, riscv64: Pass, s390x: Pass
    • ∙ ∙ Reproduced on amd64 - info
    • ∙ ∙ Reproduced on arm64 - info
    • ∙ ∙ Reproduced on armhf - info
    • ∙ ∙ Reproduced on i386 - info
    • ∙ ∙ Required age reduced by 3 days because of autopkgtest
    • Not considered
news
[rss feed]
  • [2026-07-01] Accepted libcgi-session-perl 4.49-1 (source) into unstable (gregor herrmann)
  • [2022-06-13] libcgi-session-perl 4.48-4 MIGRATED to testing (Debian testing watch)
  • [2022-06-10] Accepted libcgi-session-perl 4.48-4 (source) into unstable (Jelmer Vernooij) (signed by: Jelmer Vernooij)
  • [2016-01-21] libcgi-session-perl 4.48-3 MIGRATED to testing (Debian testing watch)
  • [2016-01-15] Accepted libcgi-session-perl 4.48-1+deb8u1 (source all) into proposed-updates->stable-new, proposed-updates (Niko Tyni)
  • [2016-01-15] Accepted libcgi-session-perl 4.48-3 (source) into unstable (Niko Tyni)
  • [2015-06-01] Accepted libcgi-session-perl 4.48-2 (source all) into unstable (gregor herrmann)
  • [2013-06-06] libcgi-session-perl 4.48-1 MIGRATED to testing (Debian testing watch)
  • [2013-05-26] Accepted libcgi-session-perl 4.48-1 (source all) (gregor herrmann)
  • [2011-07-19] libcgi-session-perl 4.46-1 MIGRATED to testing (Debian testing watch)
  • [2011-07-08] Accepted libcgi-session-perl 4.46-1 (source all) (Nicholas Bamber) (signed by: gregor herrmann)
  • [2011-02-06] libcgi-session-perl 4.43-1 MIGRATED to testing (Debian testing watch)
  • [2010-12-19] Accepted libcgi-session-perl 4.43-1 (source all) (Nicholas Bamber) (signed by: gregor herrmann)
  • [2009-04-09] libcgi-session-perl 4.41-1 MIGRATED to testing (Debian testing watch)
  • [2009-03-29] Accepted libcgi-session-perl 4.41-1 (source all) (gregor herrmann)
  • [2009-02-16] libcgi-session-perl 4.40-1 MIGRATED to testing (Debian testing watch)
  • [2009-01-05] Accepted libcgi-session-perl 4.40-1 (source all) (Ansgar Burchardt)
  • [2008-12-17] Accepted libcgi-session-perl 4.39-1 (source all) (Rene Mayorga)
  • [2008-11-02] Accepted libcgi-session-perl 4.38-1 (source all) (Ansgar Burchardt)
  • [2008-10-26] Accepted libcgi-session-perl 4.37-1 (source all) (Rene Mayorga)
  • [2008-09-14] Accepted libcgi-session-perl 4.36-1 (source all) (Rene Mayorga)
  • [2008-07-27] libcgi-session-perl 4.35-1 MIGRATED to testing (Debian testing watch)
  • [2008-07-16] Accepted libcgi-session-perl 4.35-1 (source all) (gregor herrmann)
  • [2008-07-08] Accepted libcgi-session-perl 4.33-1 (source all) (Rene Mayorga)
  • [2008-07-01] libcgi-session-perl 4.32-1 MIGRATED to testing (Debian testing watch)
  • [2008-06-20] Accepted libcgi-session-perl 4.32-1 (source all) (Rene Mayorga)
  • [2008-05-18] libcgi-session-perl 4.30-1 MIGRATED to testing (Debian testing watch)
  • [2008-05-07] Accepted libcgi-session-perl 4.30-1 (source all) (Rene Mayorga)
  • [2007-08-21] libcgi-session-perl 4.20-2 MIGRATED to testing (Debian testing watch)
  • [2007-08-08] Accepted libcgi-session-perl 4.20-2 (source all) (Julien Danjou)
  • 1
  • 2
bugs [bug history graph]
  • all: 1
  • RC: 0
  • I&N: 1
  • M&W: 0
  • F&P: 0
  • patch: 0
links
  • homepage
  • lintian
  • buildd: logs, reproducibility
  • popcon
  • browse source code
  • other distros
  • security tracker
  • debian patches
  • debci
ubuntu Ubuntu logo [Information about Ubuntu for Debian Developers]
  • version: 4.48-4build1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.
Documentation — Bugs — Git Repository — Contributing