Register | Log in

libnet-cidr-set-perl

Net::CIDR::Set perl module to manipulate sets of IP addresses

Choose email to subscribe with

general

source: libnet-cidr-set-perl (main)
version: 0.21-1
maintainer: Debian Perl Group (archive) (DMD) (LowNMU)
uploaders: Roland Rosenfeld [DMD]
arch: all
std-ver: 4.7.4
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 0.13-3
oldstable: 0.13-4
stable: 0.15-1
testing: 0.20-1
unstable: 0.21-1

versioned links

0.13-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.13-4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.15-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.20-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.21-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libnet-cidr-set-perl

action needed

3 security issues in forky high

There are 3 open security issues in forky.

3 important issues:

CVE-2026-49940: Net::CIDR::Set versions through 0.20 for Perl accept non-ASCII IP addresses and netmasks. Unicode digits such as the Arabic-Indic One (U+0661) were accepted but not properly parsed as numbers. This could allow network masks to accept larger networks.
CVE-2026-49941: Net::CIDR::Set versions through 0.20 for Perl did not validate IP addresses. The add method called the _encode method to parse addresses. If the addresses did not look like netmasks or network ranges, then they were assumed to single IP addresses and passed back to itself as a 32-bit or 128-bit netmask. If the argument was not a well-formed IP address, then this would lead to indefinite recursion. An attacker could use this to cause a denial of service.
CVE-2026-49942: Net::CIDR::Set versions through 0.20 for Perl did not validate network masks. The mask portion of a network mask could contain Unicode digits such as the Arabic-Indic One (U+0661), or non-digits, which were ignored. This could allow network masks to accept larger networks. Leading zeros were also accepted, but treated as decimal instead of octal. This could lead to confusion about what networks are acceptable.

Created: 2026-06-03 Last update: 2026-06-05 07:00

4 security issues in bullseye high

There are 4 open security issues in bullseye.

3 important issues:

CVE-2026-49940: Net::CIDR::Set versions through 0.20 for Perl accept non-ASCII IP addresses and netmasks. Unicode digits such as the Arabic-Indic One (U+0661) were accepted but not properly parsed as numbers. This could allow network masks to accept larger networks.
CVE-2026-49941: Net::CIDR::Set versions through 0.20 for Perl did not validate IP addresses. The add method called the _encode method to parse addresses. If the addresses did not look like netmasks or network ranges, then they were assumed to single IP addresses and passed back to itself as a 32-bit or 128-bit netmask. If the argument was not a well-formed IP address, then this would lead to indefinite recursion. An attacker could use this to cause a denial of service.
CVE-2026-49942: Net::CIDR::Set versions through 0.20 for Perl did not validate network masks. The mask portion of a network mask could contain Unicode digits such as the Arabic-Indic One (U+0661), or non-digits, which were ignored. This could allow network masks to accept larger networks. Leading zeros were also accepted, but treated as decimal instead of octal. This could lead to confusion about what networks are acceptable.

1 issue postponed or untriaged:

CVE-2025-40911: (postponed; to be fixed through a stable update) Net::CIDR::Set versions 0.10 through 0.13 for Perl does not properly handle leading zero characters in IP CIDR address strings, which could allow attackers to bypass access control that is based on IP addresses. Leading zeros are used to indicate octal numbers, which can confuse users who are intentionally using octal notation, as well as users who believe they are using decimal notation. Net::CIDR::Set used code from Net::CIDR::Lite, which had a similar vulnerability CVE-2021-47154.

Created: 2026-06-03 Last update: 2026-06-05 07:00

3 low-priority security issues in trixie low

There are 3 open security issues in trixie.

3 issues left for the package maintainer to handle:

CVE-2026-49940: (needs triaging) Net::CIDR::Set versions through 0.20 for Perl accept non-ASCII IP addresses and netmasks. Unicode digits such as the Arabic-Indic One (U+0661) were accepted but not properly parsed as numbers. This could allow network masks to accept larger networks.
CVE-2026-49941: (needs triaging) Net::CIDR::Set versions through 0.20 for Perl did not validate IP addresses. The add method called the _encode method to parse addresses. If the addresses did not look like netmasks or network ranges, then they were assumed to single IP addresses and passed back to itself as a 32-bit or 128-bit netmask. If the argument was not a well-formed IP address, then this would lead to indefinite recursion. An attacker could use this to cause a denial of service.
CVE-2026-49942: (needs triaging) Net::CIDR::Set versions through 0.20 for Perl did not validate network masks. The mask portion of a network mask could contain Unicode digits such as the Arabic-Indic One (U+0661), or non-digits, which were ignored. This could allow network masks to accept larger networks. Leading zeros were also accepted, but treated as decimal instead of octal. This could lead to confusion about what networks are acceptable.

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-06-03 Last update: 2026-06-05 07:00

4 low-priority security issues in bookworm low

There are 4 open security issues in bookworm.

4 issues left for the package maintainer to handle:

CVE-2025-40911: (needs triaging) Net::CIDR::Set versions 0.10 through 0.13 for Perl does not properly handle leading zero characters in IP CIDR address strings, which could allow attackers to bypass access control that is based on IP addresses. Leading zeros are used to indicate octal numbers, which can confuse users who are intentionally using octal notation, as well as users who believe they are using decimal notation. Net::CIDR::Set used code from Net::CIDR::Lite, which had a similar vulnerability CVE-2021-47154.
CVE-2026-49940: (needs triaging) Net::CIDR::Set versions through 0.20 for Perl accept non-ASCII IP addresses and netmasks. Unicode digits such as the Arabic-Indic One (U+0661) were accepted but not properly parsed as numbers. This could allow network masks to accept larger networks.
CVE-2026-49941: (needs triaging) Net::CIDR::Set versions through 0.20 for Perl did not validate IP addresses. The add method called the _encode method to parse addresses. If the addresses did not look like netmasks or network ranges, then they were assumed to single IP addresses and passed back to itself as a 32-bit or 128-bit netmask. If the argument was not a well-formed IP address, then this would lead to indefinite recursion. An attacker could use this to cause a denial of service.
CVE-2026-49942: (needs triaging) Net::CIDR::Set versions through 0.20 for Perl did not validate network masks. The mask portion of a network mask could contain Unicode digits such as the Arabic-Indic One (U+0661), or non-digits, which were ignored. This could allow network masks to accept larger networks. Leading zeros were also accepted, but treated as decimal instead of octal. This could lead to confusion about what networks are acceptable.

You can find information about how to handle these issues in the security team's documentation.

Created: 2025-05-28 Last update: 2026-06-05 07:00

testing migrations

excuses:
- Migration status for libnet-cidr-set-perl (0.20-1 to 0.21-1): Waiting for test results or another package, or too young (no action required now - check later)
- Issues preventing migration:
- ∙ ∙ Autopkgtest for libnet-cidr-set-perl/0.21-1: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Pass
- ∙ ∙ Too young, only 3 of 5 days old
- Additional info (not blocking):
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/libn/libnet-cidr-set-perl.html
- ∙ ∙ Reproduced on amd64 - info
- ∙ ∙ Reproduced on arm64 - info
- ∙ ∙ Reproduced on armhf - info
- ∙ ∙ Reproduced on i386 - info
- Not considered

news

[2026-06-03] Accepted libnet-cidr-set-perl 0.21-1 (source) into unstable (Roland Rosenfeld)
[2026-05-07] libnet-cidr-set-perl 0.20-1 MIGRATED to testing (Debian testing watch)
[2026-04-30] Accepted libnet-cidr-set-perl 0.20-1 (source) into unstable (Roland Rosenfeld)
[2025-08-19] libnet-cidr-set-perl 0.19-1 MIGRATED to testing (Debian testing watch)
[2025-08-15] Accepted libnet-cidr-set-perl 0.19-1 (source) into unstable (Roland Rosenfeld)
[2025-06-17] libnet-cidr-set-perl 0.15-1 MIGRATED to testing (Debian testing watch)
[2025-05-28] Accepted libnet-cidr-set-perl 0.15-1 (source) into unstable (Roland Rosenfeld)
[2023-12-08] libnet-cidr-set-perl 0.13-5 MIGRATED to testing (Debian testing watch)
[2023-12-04] Accepted libnet-cidr-set-perl 0.13-5 (source) into unstable (gregor herrmann)
[2022-10-11] libnet-cidr-set-perl 0.13-4 MIGRATED to testing (Debian testing watch)
[2022-10-08] Accepted libnet-cidr-set-perl 0.13-4 (source) into unstable (Roland Rosenfeld)
[2020-12-09] libnet-cidr-set-perl 0.13-3 MIGRATED to testing (Debian testing watch)
[2020-12-06] Accepted libnet-cidr-set-perl 0.13-3 (source) into unstable (Roland Rosenfeld)
[2019-01-29] libnet-cidr-set-perl 0.13-2 MIGRATED to testing (Debian testing watch)
[2019-01-27] Accepted libnet-cidr-set-perl 0.13-2 (source all) into unstable (Roland Rosenfeld)
[2018-07-29] libnet-cidr-set-perl 0.13-1 MIGRATED to testing (Debian testing watch)
[2018-07-27] Accepted libnet-cidr-set-perl 0.13-1 (source all) into unstable, unstable (Roland Rosenfeld)

bugs [bug history graph]

all: 0

links

homepage
lintian
buildd: logs, reproducibility
popcon
browse source code
other distros
security tracker
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 0.20-1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers

Report problems to the tracker.debian.org pseudo-package in the Debian BTS.

Documentation — Bugs — Git Repository — Contributing