Version in base suite: 1.3.16-1 Base version: libapache-session-browseable-perl_1.3.16-1 Target version: libapache-session-browseable-perl_1.3.16-1+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/liba/libapache-session-browseable-perl/libapache-session-browseable-perl_1.3.16-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/liba/libapache-session-browseable-perl/libapache-session-browseable-perl_1.3.16-1+deb13u1.dsc changelog | 6 +++++ control | 2 + patches/CVE-2026-8503.patch | 50 ++++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 4 files changed, 59 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpyueepnwr/libapache-session-browseable-perl_1.3.16-1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpyueepnwr/libapache-session-browseable-perl_1.3.16-1+deb13u1.dsc: no acceptable signature found
diff -Nru libapache-session-browseable-perl-1.3.16/debian/changelog libapache-session-browseable-perl-1.3.16/debian/changelog
--- libapache-session-browseable-perl-1.3.16/debian/changelog 2025-04-12 10:32:42.000000000 +0000
+++ libapache-session-browseable-perl-1.3.16/debian/changelog 2026-05-14 05:42:04.000000000 +0000
@@ -1,3 +1,9 @@
+libapache-session-browseable-perl (1.3.16-1+deb13u1) trixie; urgency=medium
+
+ * Improve Apache::Session::Generate::SHA256 entropy (Closes: CVE-2026-8503)
+
+ -- Xavier Guimard Thu, 14 May 2026 07:42:04 +0200
+
 libapache-session-browseable-perl (1.3.16-1) unstable; urgency=medium
 
 * Import upstream version 1.3.16.
diff -Nru libapache-session-browseable-perl-1.3.16/debian/control libapache-session-browseable-perl-1.3.16/debian/control
--- libapache-session-browseable-perl-1.3.16/debian/control 2025-04-10 19:30:22.000000000 +0000
+++ libapache-session-browseable-perl-1.3.16/debian/control 2026-05-14 05:42:04.000000000 +0000
@@ -8,6 +8,7 @@
 libmodule-build-perl,
 perl
 Build-Depends-Indep: libapache-session-perl ,
+ libcrypt-urandom-perl ,
 libdbd-cassandra-perl ,
 libdbd-mysql-perl ,
 libdbd-sqlite3-perl ,
@@ -27,6 +28,7 @@
 Depends: ${misc:Depends},
 ${perl:Depends},
 libapache-session-perl,
+ libcrypt-urandom-perl,
 libjson-perl
 Suggests: libdbd-cassandra-perl,
 libdbi-perl,
diff -Nru libapache-session-browseable-perl-1.3.16/debian/patches/CVE-2026-8503.patch libapache-session-browseable-perl-1.3.16/debian/patches/CVE-2026-8503.patch
--- libapache-session-browseable-perl-1.3.16/debian/patches/CVE-2026-8503.patch 1970-01-01 00:00:00.000000000 +0000
+++ libapache-session-browseable-perl-1.3.16/debian/patches/CVE-2026-8503.patch 2026-05-14 05:42:04.000000000 +0000
@@ -0,0 +1,50 @@
+Description: Use Crypt::URandom for session ID generation
+ Apache::Session::Generate::SHA256 seeded its session identifier from
+ low-entropy sources (time(), PID, rand(), stringified hash ref). The
+ seed could be guessed, allowing prediction of session IDs. This mirrors
+ CVE-2025-40931 / CVE-2025-40932 in the upstream MD5 generators.
+Author: Yadd
+Origin: upstream, commit:cc915cbbd
+Forwarded: not-needed
+Applied-Upstream: 1.3.19, commit:cc915cbbd
+Last-Update: 2026-05-14
+
+--- a/lib/Apache/Session/Generate/SHA256.pm
++++ b/lib/Apache/Session/Generate/SHA256.pm
+@@ -4,6 +4,7 @@
+ use strict;
+ use vars qw($VERSION);
+ use Digest::SHA qw(sha256 sha256_hex sha256_base64);
++use Crypt::URandom;
+ 
+ $VERSION = '1.2.2';
+ 
+@@ -15,13 +16,21 @@
+ $length = $session->{args}->{IDLength};
+ }
+ 
+- $session->{data}->{_session_id} = substr(
+- Digest::SHA::sha256_hex(
+- Digest::SHA::sha256_hex( time() . {} . rand() . $$ )
+- ),
+- 0, $length
+- );
+-
++ eval {
++ $session->{data}->{_session_id} = substr(
++ unpack( 'H*', Crypt::URandom::urandom( int( ( $length + 1 ) / 2 ) ) ),
++ 0, $length
++ );
++ };
++ if ($@) {
++ require Digest::SHA;
++ $session->{data}->{_session_id} = substr(
++ Digest::SHA::sha256_hex(
++ Digest::SHA::sha256_hex( time() . {} . rand() . $$ )
++ ),
++ 0, $length
++ );
++ }
+ }
+ 
+ sub validate {
diff -Nru libapache-session-browseable-perl-1.3.16/debian/patches/series libapache-session-browseable-perl-1.3.16/debian/patches/series
--- libapache-session-browseable-perl-1.3.16/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ libapache-session-browseable-perl-1.3.16/debian/patches/series 2026-05-14 05:42:04.000000000 +0000
@@ -0,0 +1 @@
+CVE-2026-8503.patch
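Review bot: The `if ($@)` branch in the second inner hunk silently reinstates the predictable `time() . {} . rand() . $$` seed that this patch exists to remove, so any runtime failure of `Crypt::URandom::urandom` (the module itself is loaded unconditionally by the new `use Crypt::URandom;`, so only a failure to obtain random bytes can reach this path) produces guessable session IDs with nothing in the logs to show it happened. Since `libcrypt-urandom-perl` is now a hard `Depends` in debian/control, it would be safer to fail closed, or at least make the degradation observable, e.g. `if ($@) { warn "Crypt::URandom::urandom failed ($@); falling back to low-entropy session ID generation";` before the legacy code. The `require Digest::SHA;` inside that branch is redundant, as the file already has `use Digest::SHA qw(...)` in the first inner hunk. The enclosing subroutine begins outside the hunk; only its tail is visible here.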