[SECURITY] [DLA 4120-1] libnet-easytcp-perl security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4120-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Andrej Shadura
April 08, 2025                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : libnet-easytcp-perl
Version        : 0.26-6+deb11u1
CVE ID         : CVE-2024-56830

The Net::EasyTCP Perl module includes encryption functionality that requires
a secure random number generator. Up to and including version 0.26,
this module used a random number generator without any such guarantees.
The reason was that it relied on Crypt::Random, a Perl module
not available in Debian, and fell back to the insecure rand() built-in,
so only the tiny fraction of its users who had Crypt::Random installed
from CPAN used a suitable random number generator.

For Debian 11 bullseye, this problem has been fixed in version
0.26-6+deb11u1. The fallback to rand() has been removed, and the module
will use Bytes::Random::Secure to get random numbers, which has been
made a mandatory dependency. In the unlikely event Bytes::Random::Secure
is still unavailable (e.g. manually removed), Net::EasyTCP will crash
rather than use an insecure random number generator.

We recommend that you upgrade your libnet-easytcp-perl packages.

For the detailed security status of libnet-easytcp-perl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libnet-easytcp-perl

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
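
The silent fallback to rand() described in this advisory, next to a fail-closed replacement, as an added Perl illustration (not the Net::EasyTCP source or the Debian patch). The function names are hypothetical, the seed is constructed, and the last step assumes Bytes::Random::Secure is installed:

```perl
#!/usr/bin/perl
# Added illustration, not Net::EasyTCP code. Function names are hypothetical.
use strict;
use warnings;

# What the rand() fallback amounts to: bytes from Perl's seeded PRNG.
sub bytes_from_rand {
    my ($len) = @_;
    return join '', map { chr(int(rand(256))) } 1 .. $len;
}

# Pattern described in the advisory: use Crypt::Random when it loads,
# otherwise degrade silently to rand().
sub key_with_fallback {
    my ($len) = @_;
    if (eval { require Crypt::Random; 1 }) {
        return Crypt::Random::makerandom_octet(Length => $len);
    }
    return bytes_from_rand($len);    # no warning, no error
}

# Fail-closed form: require dies if the module is missing, so key
# material never comes from rand().
sub key_fail_closed {
    my ($len) = @_;
    require Bytes::Random::Secure;
    return Bytes::Random::Secure::random_bytes($len);
}

# rand() output is fully determined by its seed, so the same seed
# reproduces the same "key".
srand(20250408);    # constructed seed for the demonstration
my $first = bytes_from_rand(16);
srand(20250408);
my $second = bytes_from_rand(16);
printf "rand() key repeats under the same seed: %s\n",
    $first eq $second ? 'yes' : 'no';

# Report which generator the fallback pattern would pick on this host.
my $has_crypt_random = eval { require Crypt::Random; 1 };
printf "Crypt::Random loadable: %s\n",
    $has_crypt_random ? 'yes' : 'no (fallback pattern would use rand())';

# Two draws from the secure source; dies here if the module is absent.
printf "fail-closed key: %s\n", unpack('H*', key_fail_closed(16)) for 1 .. 2;
```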