libdancer-perl - Debian Package Tracker

general

source: libdancer-perl (main)
version: 1.3522-2
maintainer: Debian Perl Group (archive) (DMD) (LowNMU)
uploaders: Damyan Ivanov [DMD] – gregor herrmann [DMD] – Iñigo Tejedor Arrondo [DMD]
arch: all
std-ver: 4.7.4
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1.3513+dfsg-1
oldstable: 1.3521+dfsg-1
stable: 1.3521+dfsg-1
testing: 1.3522-1
unstable: 1.3522-2

versioned links

1.3513+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.3521+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.3522-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.3522-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libdancer-perl

action needed

debian/patches: 1 patch with invalid metadata high

Among the 1 debian patch available in version 1.3522-2 of the package, we noticed the following issues:

1 patch with invalid metadata that ought to be fixed.

Created: 2026-05-06 Last update: 2026-05-06 06:00

1 security issue in forky high

There is 1 open security issue in forky.

1 important issue:

CVE-2026-5080: Dancer::Session::Abstract versions through 1.3522 for Perl generates session ids insecurely. The session id is generated from summing the character codepoints of the absolute pathname with the process id, the epoch time and calls to the built-in rand() function to return a number between 0 and 999-billion, and concatenating that result three times. The path name might be known or guessed by an attacker, especially for applications known to be written using Dancer with standard installation locations. The epoch time can be guessed by an attacker, and may be leaked in the HTTP header. The process id comes from a small set of numbers, and workers may have sequential process ids. The built-in rand() function is seeded with 32-bits and is considered unsuitable for security applications. Predictable session ids could allow an attacker to gain access to systems.

Created: 2026-04-30 Last update: 2026-05-06 00:00

1 security issue in bullseye high

There is 1 open security issue in bullseye.

1 important issue:

CVE-2026-5080: Dancer::Session::Abstract versions through 1.3522 for Perl generates session ids insecurely. The session id is generated from summing the character codepoints of the absolute pathname with the process id, the epoch time and calls to the built-in rand() function to return a number between 0 and 999-billion, and concatenating that result three times. The path name might be known or guessed by an attacker, especially for applications known to be written using Dancer with standard installation locations. The epoch time can be guessed by an attacker, and may be leaked in the HTTP header. The process id comes from a small set of numbers, and workers may have sequential process ids. The built-in rand() function is seeded with 32-bits and is considered unsuitable for security applications. Predictable session ids could allow an attacker to gain access to systems.

Created: 2026-04-30 Last update: 2026-05-06 00:00

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 5-day delay is over. Check why.

Created: 2026-05-11 Last update: 2026-05-14 10:33

1 low-priority security issue in trixie low

There is 1 open security issue in trixie.

1 issue left for the package maintainer to handle:

CVE-2026-5080: (needs triaging) Dancer::Session::Abstract versions through 1.3522 for Perl generates session ids insecurely. The session id is generated from summing the character codepoints of the absolute pathname with the process id, the epoch time and calls to the built-in rand() function to return a number between 0 and 999-billion, and concatenating that result three times. The path name might be known or guessed by an attacker, especially for applications known to be written using Dancer with standard installation locations. The epoch time can be guessed by an attacker, and may be leaked in the HTTP header. The process id comes from a small set of numbers, and workers may have sequential process ids. The built-in rand() function is seeded with 32-bits and is considered unsuitable for security applications. Predictable session ids could allow an attacker to gain access to systems.

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-04-30 Last update: 2026-05-06 00:00

1 low-priority security issue in bookworm low

There is 1 open security issue in bookworm.

1 issue left for the package maintainer to handle:

CVE-2026-5080: (needs triaging) Dancer::Session::Abstract versions through 1.3522 for Perl generates session ids insecurely. The session id is generated from summing the character codepoints of the absolute pathname with the process id, the epoch time and calls to the built-in rand() function to return a number between 0 and 999-billion, and concatenating that result three times. The path name might be known or guessed by an attacker, especially for applications known to be written using Dancer with standard installation locations. The epoch time can be guessed by an attacker, and may be leaked in the HTTP header. The process id comes from a small set of numbers, and workers may have sequential process ids. The built-in rand() function is seeded with 32-bits and is considered unsuitable for security applications. Predictable session ids could allow an attacker to gain access to systems.

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-04-30 Last update: 2026-05-06 00:00

testing migrations

excuses:
- Migration status for libdancer-perl (1.3522-1 to 1.3522-2): Waiting for test results or another package, or too young (no action required now - check later)
- Issues preventing migration:
- ∙ ∙ Autopkgtest for libatombus-perl/1.0405-8: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for libdancer-logger-psgi-perl/1.0.1-4: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for libdancer-logger-syslog-perl/0.6-3: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for libdancer-perl/1.3522-2: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for libdancer-plugin-auth-extensible-perl/1.00-3: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for libdancer-plugin-catmandu-oai-perl/0.0508-3: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for libdancer-plugin-database-perl/2.13-2: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for libdancer-plugin-dbic-perl/0.2104-5: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for libdancer-plugin-email-perl/1.0400-2: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for libdancer-plugin-flashmessage-perl/0.314-4: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for libdancer-plugin-rest-perl/0.12-1: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for libdancer-session-cookie-perl/0.30-4: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for libdancer-session-memcached-perl/0.2020-3: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- Additional info (not blocking):
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/libd/libdancer-perl.html
- ∙ ∙ Reproduced on amd64 - info
- ∙ ∙ Reproduced on arm64 - info
- ∙ ∙ Reproduced on armhf - info
- ∙ ∙ Reproduced on i386 - info
- ∙ ∙ 8 days old (needed 5 days)
- Not considered

news

[rss feed]

[2026-05-05] Accepted libdancer-perl 1.3522-2 (source) into unstable (gregor herrmann)
[2026-02-24] libdancer-perl 1.3522-1 MIGRATED to testing (Debian testing watch)
[2026-02-21] Accepted libdancer-perl 1.3522-1 (source) into unstable (gregor herrmann)
[2023-02-13] libdancer-perl 1.3521+dfsg-1 MIGRATED to testing (Debian testing watch)
[2023-02-10] Accepted libdancer-perl 1.3521+dfsg-1 (source) into unstable (gregor herrmann)
[2023-01-08] libdancer-perl 1.3520+dfsg-2 MIGRATED to testing (Debian testing watch)
[2023-01-05] Accepted libdancer-perl 1.3520+dfsg-2 (source) into unstable (gregor herrmann)
[2023-01-03] Accepted libdancer-perl 1.3520+dfsg-1 (source) into unstable (gregor herrmann)
[2022-11-18] libdancer-perl 1.3513+dfsg-2 MIGRATED to testing (Debian testing watch)
[2022-11-14] Accepted libdancer-perl 1.3513+dfsg-2 (source) into unstable (gregor herrmann)
[2020-02-02] libdancer-perl 1.3513+dfsg-1 MIGRATED to testing (Debian testing watch)
[2020-01-30] Accepted libdancer-perl 1.3513+dfsg-1 (source) into unstable (gregor herrmann)
[2018-12-26] libdancer-perl 1.3500+dfsg-1 MIGRATED to testing (Debian testing watch)
[2018-12-23] Accepted libdancer-perl 1.3500+dfsg-1 (source) into unstable (gregor herrmann)
[2018-08-31] libdancer-perl 1.3400+dfsg-2 MIGRATED to testing (Debian testing watch)
[2018-08-28] Accepted libdancer-perl 1.3400+dfsg-2 (source) into unstable (gregor herrmann)
[2018-08-12] libdancer-perl 1.3400+dfsg-1 MIGRATED to testing (Debian testing watch)
[2018-08-09] Accepted libdancer-perl 1.3400+dfsg-1 (source) into unstable (Damyan Ivanov)
[2015-11-14] libdancer-perl 1.3202+dfsg-1 MIGRATED to testing (Britney)
[2015-11-08] Accepted libdancer-perl 1.3202+dfsg-1 (source) into unstable (gregor herrmann)
[2015-07-10] libdancer-perl 1.3140+dfsg-1 MIGRATED to testing (Britney)
[2015-07-04] Accepted libdancer-perl 1.3140+dfsg-1 (source all) into unstable (gregor herrmann)
[2015-05-15] libdancer-perl 1.3135+dfsg-1 MIGRATED to testing (Britney)
[2015-05-09] Accepted libdancer-perl 1.3135+dfsg-1 (source all) into unstable (gregor herrmann)
[2014-11-03] libdancer-perl 1.3132+dfsg-1 MIGRATED to testing (Britney)
[2014-10-23] Accepted libdancer-perl 1.3132+dfsg-1 (source all) into unstable (gregor herrmann)
[2014-10-19] libdancer-perl 1.3130+dfsg-1 MIGRATED to testing (Britney)
[2014-10-08] Accepted libdancer-perl 1.3130+dfsg-1 (source all) into unstable (gregor herrmann)
[2014-07-22] libdancer-perl 1.3126+dfsg-1 MIGRATED to testing (Britney)
[2014-07-16] Accepted libdancer-perl 1.3126+dfsg-1 (source all) (gregor herrmann)

bugs [bug history graph]

all: 0

links

homepage
lintian
buildd: logs, reproducibility
popcon
browse source code
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.3521+dfsg-1
1 bug (1 patch)