libapache-session-perl - Debian Package Tracker

general

source: libapache-session-perl (main)
version: 1.94-2
maintainer: Debian Perl Group (archive) (DMD) (LowNMU)
uploaders: Damyan Ivanov [DMD] – Yadd [DMD] – gregor herrmann [DMD]
arch: all
std-ver: 4.6.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1.94-1
oldstable: 1.94-2
stable: 1.94-2
testing: 1.94-2
unstable: 1.94-2

versioned links

1.94-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.94-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libapache-session-perl

action needed

2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:

CVE-2013-10075: Apache::Session versions through 1.94 for Perl re-creates deleted sessions. The session stores Apache::Session::Store::File and Apache::Session::Store::DB_File will create a session that does not exist. This can lead to sessions being revived, potentially with data that was to be deleted.
CVE-2025-40931: Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session id. Apache::Session::Generate::MD5 generates session ids insecurely. The default session id generator returns a MD5 hash seeded with the built-in rand() function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems. Note that the libapache-session-perl package in some Debian-based Linux distributions may be patched to use Crypt::URandom.

Created: 2026-03-05 Last update: 2026-05-20 15:30

2 security issues in forky high

There are 2 open security issues in forky.

2 important issues:

CVE-2013-10075: Apache::Session versions through 1.94 for Perl re-creates deleted sessions. The session stores Apache::Session::Store::File and Apache::Session::Store::DB_File will create a session that does not exist. This can lead to sessions being revived, potentially with data that was to be deleted.
CVE-2025-40931: Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session id. Apache::Session::Generate::MD5 generates session ids insecurely. The default session id generator returns a MD5 hash seeded with the built-in rand() function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems. Note that the libapache-session-perl package in some Debian-based Linux distributions may be patched to use Crypt::URandom.

Created: 2026-03-05 Last update: 2026-05-20 15:30

lintian reports 1 error and 2 warnings high

Lintian reports 1 error and 2 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2022-11-20 Last update: 2024-11-15 21:33

debian/patches: 1 patch with invalid metadata high

Among the 2 debian patches available in version 1.94-2 of the package, we noticed the following issues:

1 patch with invalid metadata that ought to be fixed.

Created: 2023-02-26 Last update: 2023-02-26 15:54

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 1.94-3, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit c752efdf9551112f5afe9b3d29f1868f091064b1
Author: Xavier Guimard <yadd@debian.org>
Date:   Wed Jun 24 22:30:32 2026 +0200

    Update d/ch

commit a69dad5df41cbbcbe0ce9583502c2551df707cb3
Author: Xavier Guimard <yadd@debian.org>
Date:   Wed Jun 24 22:29:57 2026 +0200

    debian/watch version 5

commit cd9abc6337061642cc38ec2b9e462c947245d7be
Author: Xavier Guimard <yadd@debian.org>
Date:   Wed Jun 24 22:29:51 2026 +0200

    Drop "Priority: optional"

commit 29cbb3da0971e419d886f4b7774f63908c135678
Author: Xavier Guimard <yadd@debian.org>
Date:   Wed Jun 24 22:29:51 2026 +0200

    Drop "Rules-Requires-Root: no"

commit ed26b28944d889b230b4217941a300785a407e4e
Author: Xavier Guimard <yadd@debian.org>
Date:   Wed Jun 24 22:29:51 2026 +0200

    Declare compliance with policy 4.7.4

commit bbcb0a4ef8f900b616ad9ce80ce14627e719abe0
Author: gregor herrmann <gregoa@debian.org>
Date:   Sun Mar 15 21:30:08 2026 +0100

    update changelog
    
    Gbp-Dch: Ignore

commit 6003031234813890d3ad28de1bdc77ad5645f78c
Author: Debian Janitor <janitor@jelmer.uk>
Date:   Sat Nov 19 22:38:53 2022 +0000

    Update standards version to 4.6.1, no changes needed.
    
    Changes-By: lintian-brush
    Fixes: lintian: out-of-date-standards-version
    See-also: https://lintian.debian.org/tags/out-of-date-standards-version.html

Created: 2022-11-20 Last update: 2026-06-29 22:30

2 low-priority security issues in trixie low

There are 2 open security issues in trixie.

2 issues left for the package maintainer to handle:

CVE-2013-10075: (postponed; to be fixed through a stable update) Apache::Session versions through 1.94 for Perl re-creates deleted sessions. The session stores Apache::Session::Store::File and Apache::Session::Store::DB_File will create a session that does not exist. This can lead to sessions being revived, potentially with data that was to be deleted.
CVE-2025-40931: (postponed; to be fixed through a stable update) Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session id. Apache::Session::Generate::MD5 generates session ids insecurely. The default session id generator returns a MD5 hash seeded with the built-in rand() function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems. Note that the libapache-session-perl package in some Debian-based Linux distributions may be patched to use Crypt::URandom.

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-03-05 Last update: 2026-05-20 15:30

2 low-priority security issues in bookworm low

There are 2 open security issues in bookworm.

2 issues left for the package maintainer to handle:

CVE-2013-10075: (postponed; to be fixed through a stable update) Apache::Session versions through 1.94 for Perl re-creates deleted sessions. The session stores Apache::Session::Store::File and Apache::Session::Store::DB_File will create a session that does not exist. This can lead to sessions being revived, potentially with data that was to be deleted.
CVE-2025-40931: (postponed; to be fixed through a stable update) Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session id. Apache::Session::Generate::MD5 generates session ids insecurely. The default session id generator returns a MD5 hash seeded with the built-in rand() function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems. Note that the libapache-session-perl package in some Debian-based Linux distributions may be patched to use Crypt::URandom.

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-03-05 Last update: 2026-05-20 15:30

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.6.0).

Created: 2020-11-17 Last update: 2026-03-31 15:01

news

[rss feed]

[2022-11-22] libapache-session-perl 1.94-2 MIGRATED to testing (Debian testing watch)
[2022-11-19] Accepted libapache-session-perl 1.94-2 (source) into unstable (Jelmer Vernooĳ) (signed by: Jelmer Vernooij)
[2020-09-22] libapache-session-perl 1.94-1 MIGRATED to testing (Debian testing watch)
[2020-09-22] libapache-session-perl 1.94-1 MIGRATED to testing (Debian testing watch)
[2020-09-20] Accepted libapache-session-perl 1.94-1 (source) into unstable (Xavier Guimard)
[2020-04-27] libapache-session-perl 1.93-4 MIGRATED to testing (Debian testing watch)
[2020-04-25] Accepted libapache-session-perl 1.93-4 (source) into unstable (Xavier Guimard)
[2018-08-30] libapache-session-perl 1.93-3 MIGRATED to testing (Debian testing watch)
[2018-08-27] Accepted libapache-session-perl 1.93-3 (source) into unstable (Xavier Guimard) (signed by: gregor herrmann)
[2015-06-14] libapache-session-perl 1.93-2 MIGRATED to testing (Britney)
[2014-05-11] libapache-session-perl 1.93-1 MIGRATED to testing (Debian testing watch)
[2014-05-05] Accepted libapache-session-perl 1.93-1 (source all) (gregor herrmann)
[2013-05-16] libapache-session-perl 1.90-1 MIGRATED to testing (Debian testing watch)
[2013-05-05] Accepted libapache-session-perl 1.90-1 (source all) (Xavier Guimard) (signed by: gregor herrmann)
[2011-02-06] libapache-session-perl 1.89-1 MIGRATED to testing (Debian testing watch)
[2010-10-18] Accepted libapache-session-perl 1.89-1 (source all) (Nicholas Bamber) (signed by: gregor herrmann)
[2009-02-16] libapache-session-perl 1.87-1 MIGRATED to testing (Debian testing watch)
[2008-08-10] Accepted libapache-session-perl 1.87-1 (source all) (Rene Mayorga) (signed by: gregor herrmann)
[2008-02-15] libapache-session-perl 1.86-1 MIGRATED to testing (Debian testing watch)
[2008-02-03] Accepted libapache-session-perl 1.86-1 (source all) (gregor herrmann) (signed by: Roberto C. Sanchez)
[2008-01-06] libapache-session-perl 1.85-1 MIGRATED to testing (Debian testing watch)
[2007-12-26] Accepted libapache-session-perl 1.85-1 (source all) (Russ Allbery)
[2007-10-14] libapache-session-perl 1.84-1 MIGRATED to testing (Debian testing watch)
[2007-10-03] Accepted libapache-session-perl 1.84-1 (source all) (Damyan Ivanov)
[2007-07-27] libapache-session-perl 1.83-1 MIGRATED to testing (Debian testing watch)
[2007-07-16] Accepted libapache-session-perl 1.83-1 (source all) (gregor herrmann) (signed by: Damyan Ivanov)
[2007-04-09] libapache-session-perl 1.82-1 MIGRATED to testing (Debian testing watch)
[2007-03-21] Accepted libapache-session-perl 1.82-1 (source all) (Gunnar Wolf)
[2006-07-03] libapache-session-perl 1.81-1 MIGRATED to testing (Debian testing watch)
[2006-06-22] Accepted libapache-session-perl 1.81-1 (source all) (Krzysztof Krzyzaniak (eloy)) (signed by: Krzysztof Krzyżaniak)

bugs [bug history graph]

all: 2
RC: 0
I&N: 2
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian (1, 2)
buildd: logs, reproducibility
popcon
browse source code
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.94-2