libapache-session-perl - Debian Package Tracker

general

source: libapache-session-perl (main)
version: 1.94-2
maintainer: Debian Perl Group (archive) (DMD) (LowNMU)
uploaders: Damyan Ivanov [DMD] – Yadd [DMD] – gregor herrmann [DMD]
arch: all
std-ver: 4.6.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1.94-1
oldstable: 1.94-2
stable: 1.94-2
testing: 1.94-2
unstable: 1.94-2

versioned links

1.94-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.94-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libapache-session-perl

action needed

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2025-40931: Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session id. Apache::Session::Generate::MD5 generates session ids insecurely. The default session id generator returns a MD5 hash seeded with the built-in rand() function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems.

Created: 2026-03-05 Last update: 2026-03-15 20:30

1 security issue in forky high

There is 1 open security issue in forky.

1 important issue:

CVE-2025-40931: Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session id. Apache::Session::Generate::MD5 generates session ids insecurely. The default session id generator returns a MD5 hash seeded with the built-in rand() function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems.

Created: 2026-03-05 Last update: 2026-03-15 20:30

lintian reports 1 error and 2 warnings high

Lintian reports 1 error and 2 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2022-11-20 Last update: 2024-11-15 21:33

debian/patches: 1 patch with invalid metadata high

Among the 2 debian patches available in version 1.94-2 of the package, we noticed the following issues:

1 patch with invalid metadata that ought to be fixed.

Created: 2023-02-26 Last update: 2023-02-26 15:54

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 1.94-3, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit bbcb0a4ef8f900b616ad9ce80ce14627e719abe0
Author: gregor herrmann <gregoa@debian.org>
Date:   Sun Mar 15 21:30:08 2026 +0100

    update changelog
    
    Gbp-Dch: Ignore

commit 6003031234813890d3ad28de1bdc77ad5645f78c
Author: Debian Janitor <janitor@jelmer.uk>
Date:   Sat Nov 19 22:38:53 2022 +0000

    Update standards version to 4.6.1, no changes needed.
    
    Changes-By: lintian-brush
    Fixes: lintian: out-of-date-standards-version
    See-also: https://lintian.debian.org/tags/out-of-date-standards-version.html

Created: 2022-11-20 Last update: 2026-03-22 08:02

1 low-priority security issue in trixie low

There is 1 open security issue in trixie.

1 issue left for the package maintainer to handle:

CVE-2025-40931: (postponed; to be fixed through a stable update) Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session id. Apache::Session::Generate::MD5 generates session ids insecurely. The default session id generator returns a MD5 hash seeded with the built-in rand() function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems.

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-03-05 Last update: 2026-03-15 20:30

1 low-priority security issue in bookworm low

There is 1 open security issue in bookworm.

1 issue left for the package maintainer to handle:

CVE-2025-40931: (postponed; to be fixed through a stable update) Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session id. Apache::Session::Generate::MD5 generates session ids insecurely. The default session id generator returns a MD5 hash seeded with the built-in rand() function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems.

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-03-05 Last update: 2026-03-15 20:30

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.3 instead of 4.6.0).

Created: 2020-11-17 Last update: 2025-12-23 20:00

news

[rss feed]

[2022-11-22] libapache-session-perl 1.94-2 MIGRATED to testing (Debian testing watch)
[2022-11-19] Accepted libapache-session-perl 1.94-2 (source) into unstable (Jelmer Vernooĳ) (signed by: Jelmer Vernooij)
[2020-09-22] libapache-session-perl 1.94-1 MIGRATED to testing (Debian testing watch)
[2020-09-22] libapache-session-perl 1.94-1 MIGRATED to testing (Debian testing watch)
[2020-09-20] Accepted libapache-session-perl 1.94-1 (source) into unstable (Xavier Guimard)
[2020-04-27] libapache-session-perl 1.93-4 MIGRATED to testing (Debian testing watch)
[2020-04-25] Accepted libapache-session-perl 1.93-4 (source) into unstable (Xavier Guimard)
[2018-08-30] libapache-session-perl 1.93-3 MIGRATED to testing (Debian testing watch)
[2018-08-27] Accepted libapache-session-perl 1.93-3 (source) into unstable (Xavier Guimard) (signed by: gregor herrmann)
[2015-06-14] libapache-session-perl 1.93-2 MIGRATED to testing (Britney)
[2014-05-11] libapache-session-perl 1.93-1 MIGRATED to testing (Debian testing watch)
[2014-05-05] Accepted libapache-session-perl 1.93-1 (source all) (gregor herrmann)
[2013-05-16] libapache-session-perl 1.90-1 MIGRATED to testing (Debian testing watch)
[2013-05-05] Accepted libapache-session-perl 1.90-1 (source all) (Xavier Guimard) (signed by: gregor herrmann)
[2011-02-06] libapache-session-perl 1.89-1 MIGRATED to testing (Debian testing watch)
[2010-10-18] Accepted libapache-session-perl 1.89-1 (source all) (Nicholas Bamber) (signed by: gregor herrmann)
[2009-02-16] libapache-session-perl 1.87-1 MIGRATED to testing (Debian testing watch)
[2008-08-10] Accepted libapache-session-perl 1.87-1 (source all) (Rene Mayorga) (signed by: gregor herrmann)
[2008-02-15] libapache-session-perl 1.86-1 MIGRATED to testing (Debian testing watch)
[2008-02-03] Accepted libapache-session-perl 1.86-1 (source all) (gregor herrmann) (signed by: Roberto C. Sanchez)
[2008-01-06] libapache-session-perl 1.85-1 MIGRATED to testing (Debian testing watch)
[2007-12-26] Accepted libapache-session-perl 1.85-1 (source all) (Russ Allbery)
[2007-10-14] libapache-session-perl 1.84-1 MIGRATED to testing (Debian testing watch)
[2007-10-03] Accepted libapache-session-perl 1.84-1 (source all) (Damyan Ivanov)
[2007-07-27] libapache-session-perl 1.83-1 MIGRATED to testing (Debian testing watch)
[2007-07-16] Accepted libapache-session-perl 1.83-1 (source all) (gregor herrmann) (signed by: Damyan Ivanov)
[2007-04-09] libapache-session-perl 1.82-1 MIGRATED to testing (Debian testing watch)
[2007-03-21] Accepted libapache-session-perl 1.82-1 (source all) (Gunnar Wolf)
[2006-07-03] libapache-session-perl 1.81-1 MIGRATED to testing (Debian testing watch)
[2006-06-22] Accepted libapache-session-perl 1.81-1 (source all) (Krzysztof Krzyzaniak (eloy)) (signed by: Krzysztof Krzyżaniak)

bugs [bug history graph]

all: 1
RC: 0
I&N: 1
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian (1, 2)
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.94-2