Automatic update to v2.190.0 (2.1900)

perl-Authen-SASL-CVE-2025-40918.patch

@@ -0,0 +1,74 @@
+From 82e12b25963bd9d156a9006c9a0929f459b8536a Mon Sep 17 00:00:00 2001
+From: Robert Rothenberg <rrwo@cpan.org>
+Date: Thu, 10 Jul 2025 21:05:29 +0100
+Subject: [PATCH 1/3] Generate cnonce and nonce from system randomness
+
+This fixes CVE-2025-40918.
+---
+ lib/Authen/SASL/Perl/DIGEST_MD5.pm | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/lib/Authen/SASL/Perl/DIGEST_MD5.pm b/lib/Authen/SASL/Perl/DIGEST_MD5.pm
+index f089849..44d2109 100644
+--- a/lib/Authen/SASL/Perl/DIGEST_MD5.pm
++++ b/lib/Authen/SASL/Perl/DIGEST_MD5.pm
+@@ -10,6 +10,7 @@ package Authen::SASL::Perl::DIGEST_MD5;
+ use strict;
+ use warnings;
+ use vars qw(@ISA $CNONCE $NONCE);
++use Crypt::URandom qw(urandom);
+ use Digest::MD5 qw(md5_hex md5);
+ use Digest::HMAC_MD5 qw(hmac_md5);
+ 
+@@ -201,7 +202,7 @@ sub server_start {
+ 
+   $self->{need_step} = 1;
+   $self->{error}     = undef;
+-  $self->{nonce}     = md5_hex($NONCE || join (":", $$, time, rand));
++  $self->{nonce}     = $NONCE? md5_hex($NONCE) : unpack('H32',urandom(16));
+ 
+   $self->init_sec_layer;
+ 
+@@ -260,7 +261,7 @@ sub client_step {   # $self, $server_sasl_credentials
+ 
+   my %response = (
+     nonce        => $sparams{'nonce'},
+-    cnonce       => md5_hex($CNONCE || join (":", $$, time, rand)),
++    cnonce       => $CNONCE? md5_hex($CNONCE) : unpack('H32',urandom(16)),
+     'digest-uri' => $self->service . '/' . $self->host,
+     # calc how often the server nonce has been seen; server expects "00000001"
+     nc           => sprintf("%08d",     ++$self->{nonce_counts}{$sparams{'nonce'}}),
+
+From 1284e47c1715ad7d0a8dc07d72d9524ca0da3f17 Mon Sep 17 00:00:00 2001
+From: Robert Rothenberg <rrwo@cpan.org>
+Date: Wed, 16 Jul 2025 19:59:42 +0100
+Subject: [PATCH 2/3] Add whitespace before conditional operator
+
+---
+ lib/Authen/SASL/Perl/DIGEST_MD5.pm | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/Authen/SASL/Perl/DIGEST_MD5.pm b/lib/Authen/SASL/Perl/DIGEST_MD5.pm
+index 44d2109..8c4a67a 100644
+--- a/lib/Authen/SASL/Perl/DIGEST_MD5.pm
++++ b/lib/Authen/SASL/Perl/DIGEST_MD5.pm
+@@ -202,7 +202,7 @@ sub server_start {
+ 
+   $self->{need_step} = 1;
+   $self->{error}     = undef;
+-  $self->{nonce}     = $NONCE? md5_hex($NONCE) : unpack('H32',urandom(16));
++  $self->{nonce}     = $NONCE ? md5_hex($NONCE) : unpack('H32',urandom(16));
+ 
+   $self->init_sec_layer;
+ 
+@@ -261,7 +261,7 @@ sub client_step {   # $self, $server_sasl_credentials
+ 
+   my %response = (
+     nonce        => $sparams{'nonce'},
+-    cnonce       => $CNONCE? md5_hex($CNONCE) : unpack('H32',urandom(16)),
++    cnonce       => $CNONCE ? md5_hex($CNONCE) : unpack('H32',urandom(16)),
+     'digest-uri' => $self->service . '/' . $self->host,
+     # calc how often the server nonce has been seen; server expects "00000001"
+     nc           => sprintf("%08d",     ++$self->{nonce_counts}{$sparams{'nonce'}}),
+
+

perl-Authen-SASL.changes

@@ -1,11 +1,5 @@
 -------------------------------------------------------------------
-Fri Aug 22 20:27:29 UTC 2025 - Tina Müller <tina.mueller@suse.com>
+Fri Aug 22 20:43:38 UTC 2025 - Tina Müller <timueller+perl@suse.de>
-
-- Remove perl-Authen-SASL-CVE-2025-40918.patch (fixed upstream)
-  CVE-2025-40918 [bsc#1246623]
-
--------------------------------------------------------------------
-Fri Aug 22 20:26:21 UTC 2025 - Tina Müller <tina.mueller@suse.com>
 
 - updated to 2.190.0 (2.1900)
    see /usr/share/doc/packages/perl-Authen-SASL/Changes

perl-Authen-SASL.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package perl-Authen-SASL
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed