| Name | CVE-2025-40920 |
| Description | Catalyst::Authentication::Credential::HTTP versions 1.018 and earlier for Perl generate nonces using the Perl Data::UUID library. * Data::UUID does not use a strong cryptographic source for generating UUIDs. * Data::UUID returns v3 UUIDs, which are generated from known information and are unsuitable for security, as per RFC 9562. * The nonces should be generated from a strong cryptographic source, as per RFC 7616. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1110887 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| libcatalyst-authentication-credential-http-perl (PTS) | bullseye | 1.018-1 | vulnerable |
| bookworm | 1.018-2 | vulnerable | |
| trixie | 1.018-3 | vulnerable | |
| forky, sid | 1.019-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| libcatalyst-authentication-credential-http-perl | source | (unstable) | 1.018-4 | 1110887 |
[trixie] - libcatalyst-authentication-credential-http-perl <no-dsa> (Minor issue)
[bookworm] - libcatalyst-authentication-credential-http-perl <no-dsa> (Minor issue)
[bullseye] - libcatalyst-authentication-credential-http-perl <postponed> (Minor issue; can be fixed in next update)
https://lists.security.metacpan.org/cve-announce/msg/31902514/
https://github.com/perl-catalyst/Catalyst-Authentication-Credential-HTTP/pull/1
Fixed by: https://github.com/perl-catalyst/Catalyst-Authentication-Credential-HTTP/commit/ad2c03aad95406db4ce35dfb670664ebde004c18