From 2033caf2d6e537b57cbe0d4f115797febf24fb86f7b3824a083e757a8a4a9324 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tina=20M=C3=BCller?= Date: Fri, 22 Aug 2025 22:28:26 +0200 Subject: [PATCH] Update to 2.190.0 (2.1900) --- Authen-SASL-2.1800.tar.gz | 3 -- Authen-SASL-2.1900.tar.gz | 3 ++ perl-Authen-SASL-CVE-2025-40918.patch | 74 --------------------------- perl-Authen-SASL.changes | 12 +++++ perl-Authen-SASL.spec | 10 ++-- 5 files changed, 19 insertions(+), 83 deletions(-) delete mode 100644 Authen-SASL-2.1800.tar.gz create mode 100644 Authen-SASL-2.1900.tar.gz delete mode 100644 perl-Authen-SASL-CVE-2025-40918.patch diff --git a/Authen-SASL-2.1800.tar.gz b/Authen-SASL-2.1800.tar.gz deleted file mode 100644 index 539f10a..0000000 --- a/Authen-SASL-2.1800.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:0b03686bddbbf7d5c6548e468d079a4051c9b73851df740ae28cfd2db234e922 -size 39499 diff --git a/Authen-SASL-2.1900.tar.gz b/Authen-SASL-2.1900.tar.gz new file mode 100644 index 0000000..dcfdd2d --- /dev/null +++ b/Authen-SASL-2.1900.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:be3533a6891b2e677150b479c1a0d4bf11c8bbeebed3e7b8eba34053e93923b0 +size 40345 diff --git a/perl-Authen-SASL-CVE-2025-40918.patch b/perl-Authen-SASL-CVE-2025-40918.patch deleted file mode 100644 index dea37e9..0000000 --- a/perl-Authen-SASL-CVE-2025-40918.patch +++ /dev/null @@ -1,74 +0,0 @@ -From 82e12b25963bd9d156a9006c9a0929f459b8536a Mon Sep 17 00:00:00 2001 -From: Robert Rothenberg -Date: Thu, 10 Jul 2025 21:05:29 +0100 -Subject: [PATCH 1/3] Generate cnonce and nonce from system randomness - -This fixes CVE-2025-40918. ---- - lib/Authen/SASL/Perl/DIGEST_MD5.pm | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/lib/Authen/SASL/Perl/DIGEST_MD5.pm b/lib/Authen/SASL/Perl/DIGEST_MD5.pm -index f089849..44d2109 100644 ---- a/lib/Authen/SASL/Perl/DIGEST_MD5.pm -+++ b/lib/Authen/SASL/Perl/DIGEST_MD5.pm -@@ -10,6 +10,7 @@ package Authen::SASL::Perl::DIGEST_MD5; - use strict; - use warnings; - use vars qw(@ISA $CNONCE $NONCE); -+use Crypt::URandom qw(urandom); - use Digest::MD5 qw(md5_hex md5); - use Digest::HMAC_MD5 qw(hmac_md5); - -@@ -201,7 +202,7 @@ sub server_start { - - $self->{need_step} = 1; - $self->{error} = undef; -- $self->{nonce} = md5_hex($NONCE || join (":", $$, time, rand)); -+ $self->{nonce} = $NONCE? md5_hex($NONCE) : unpack('H32',urandom(16)); - - $self->init_sec_layer; - -@@ -260,7 +261,7 @@ sub client_step { # $self, $server_sasl_credentials - - my %response = ( - nonce => $sparams{'nonce'}, -- cnonce => md5_hex($CNONCE || join (":", $$, time, rand)), -+ cnonce => $CNONCE? md5_hex($CNONCE) : unpack('H32',urandom(16)), - 'digest-uri' => $self->service . '/' . $self->host, - # calc how often the server nonce has been seen; server expects "00000001" - nc => sprintf("%08d", ++$self->{nonce_counts}{$sparams{'nonce'}}), - -From 1284e47c1715ad7d0a8dc07d72d9524ca0da3f17 Mon Sep 17 00:00:00 2001 -From: Robert Rothenberg -Date: Wed, 16 Jul 2025 19:59:42 +0100 -Subject: [PATCH 2/3] Add whitespace before conditional operator - ---- - lib/Authen/SASL/Perl/DIGEST_MD5.pm | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/lib/Authen/SASL/Perl/DIGEST_MD5.pm b/lib/Authen/SASL/Perl/DIGEST_MD5.pm -index 44d2109..8c4a67a 100644 ---- a/lib/Authen/SASL/Perl/DIGEST_MD5.pm -+++ b/lib/Authen/SASL/Perl/DIGEST_MD5.pm -@@ -202,7 +202,7 @@ sub server_start { - - $self->{need_step} = 1; - $self->{error} = undef; -- $self->{nonce} = $NONCE? md5_hex($NONCE) : unpack('H32',urandom(16)); -+ $self->{nonce} = $NONCE ? md5_hex($NONCE) : unpack('H32',urandom(16)); - - $self->init_sec_layer; - -@@ -261,7 +261,7 @@ sub client_step { # $self, $server_sasl_credentials - - my %response = ( - nonce => $sparams{'nonce'}, -- cnonce => $CNONCE? md5_hex($CNONCE) : unpack('H32',urandom(16)), -+ cnonce => $CNONCE ? md5_hex($CNONCE) : unpack('H32',urandom(16)), - 'digest-uri' => $self->service . '/' . $self->host, - # calc how often the server nonce has been seen; server expects "00000001" - nc => sprintf("%08d", ++$self->{nonce_counts}{$sparams{'nonce'}}), - - diff --git a/perl-Authen-SASL.changes b/perl-Authen-SASL.changes index 2bccbb3..75588ca 100644 --- a/perl-Authen-SASL.changes +++ b/perl-Authen-SASL.changes @@ -1,3 +1,15 @@ +------------------------------------------------------------------- +Fri Aug 22 20:27:29 UTC 2025 - Tina Müller + +- Remove perl-Authen-SASL-CVE-2025-40918.patch (fixed upstream) + CVE-2025-40918 [bsc#1246623] + +------------------------------------------------------------------- +Fri Aug 22 20:26:21 UTC 2025 - Tina Müller + +- updated to 2.190.0 (2.1900) + see /usr/share/doc/packages/perl-Authen-SASL/Changes + ------------------------------------------------------------------- Mon Jul 21 10:03:21 UTC 2025 - pgajdos@suse.com diff --git a/perl-Authen-SASL.spec b/perl-Authen-SASL.spec index f7c0965..13118fe 100644 --- a/perl-Authen-SASL.spec +++ b/perl-Authen-SASL.spec @@ -18,18 +18,16 @@ %define cpan_name Authen-SASL Name: perl-Authen-SASL -Version: 2.180.0 +Version: 2.190.0 Release: 0 -# 2.1800 -> normalize -> 2.180.0 -%define cpan_version 2.1800 +# 2.1900 -> normalize -> 2.190.0 +%define cpan_version 2.1900 License: Artistic-1.0 OR GPL-1.0-or-later Summary: SASL Authentication framework URL: https://metacpan.org/release/%{cpan_name} Source0: https://cpan.metacpan.org/authors/id/E/EH/EHUELS/%{cpan_name}-%{cpan_version}.tar.gz Source1: cpanspec.yml Source100: README.md -# CVE-2025-40918 [bsc#1246623], insecurely generated client nonce -Patch0: perl-Authen-SASL-CVE-2025-40918.patch BuildArch: noarch BuildRequires: perl BuildRequires: perl-macros @@ -93,7 +91,7 @@ or if you have another plugin module that supports the Authen::SASL API use Authen::SASL qw(My::SASL::Plugin); %prep -%autosetup -n %{cpan_name}-%{cpan_version} -p1 +%autosetup -n %{cpan_name}-%{cpan_version} -p1 %build perl Makefile.PL INSTALLDIRS=vendor -- 2.49.0