forked from pool/perl-Authen-SASL
Update to 2.190.0 (2.1900) #1
@@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:0b03686bddbbf7d5c6548e468d079a4051c9b73851df740ae28cfd2db234e922
|
||||
size 39499
|
||||
BIN
Authen-SASL-2.1900.tar.gz
(Stored with Git LFS)
Normal file
BIN
Authen-SASL-2.1900.tar.gz
(Stored with Git LFS)
Normal file
Binary file not shown.
@@ -1,74 +0,0 @@
|
||||
From 82e12b25963bd9d156a9006c9a0929f459b8536a Mon Sep 17 00:00:00 2001
|
||||
From: Robert Rothenberg <rrwo@cpan.org>
|
||||
Date: Thu, 10 Jul 2025 21:05:29 +0100
|
||||
Subject: [PATCH 1/3] Generate cnonce and nonce from system randomness
|
||||
|
||||
This fixes CVE-2025-40918.
|
||||
---
|
||||
lib/Authen/SASL/Perl/DIGEST_MD5.pm | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/lib/Authen/SASL/Perl/DIGEST_MD5.pm b/lib/Authen/SASL/Perl/DIGEST_MD5.pm
|
||||
index f089849..44d2109 100644
|
||||
--- a/lib/Authen/SASL/Perl/DIGEST_MD5.pm
|
||||
+++ b/lib/Authen/SASL/Perl/DIGEST_MD5.pm
|
||||
@@ -10,6 +10,7 @@ package Authen::SASL::Perl::DIGEST_MD5;
|
||||
use strict;
|
||||
use warnings;
|
||||
use vars qw(@ISA $CNONCE $NONCE);
|
||||
+use Crypt::URandom qw(urandom);
|
||||
use Digest::MD5 qw(md5_hex md5);
|
||||
use Digest::HMAC_MD5 qw(hmac_md5);
|
||||
|
||||
@@ -201,7 +202,7 @@ sub server_start {
|
||||
|
||||
$self->{need_step} = 1;
|
||||
$self->{error} = undef;
|
||||
- $self->{nonce} = md5_hex($NONCE || join (":", $$, time, rand));
|
||||
+ $self->{nonce} = $NONCE? md5_hex($NONCE) : unpack('H32',urandom(16));
|
||||
|
||||
$self->init_sec_layer;
|
||||
|
||||
@@ -260,7 +261,7 @@ sub client_step { # $self, $server_sasl_credentials
|
||||
|
||||
my %response = (
|
||||
nonce => $sparams{'nonce'},
|
||||
- cnonce => md5_hex($CNONCE || join (":", $$, time, rand)),
|
||||
+ cnonce => $CNONCE? md5_hex($CNONCE) : unpack('H32',urandom(16)),
|
||||
'digest-uri' => $self->service . '/' . $self->host,
|
||||
# calc how often the server nonce has been seen; server expects "00000001"
|
||||
nc => sprintf("%08d", ++$self->{nonce_counts}{$sparams{'nonce'}}),
|
||||
|
||||
From 1284e47c1715ad7d0a8dc07d72d9524ca0da3f17 Mon Sep 17 00:00:00 2001
|
||||
From: Robert Rothenberg <rrwo@cpan.org>
|
||||
Date: Wed, 16 Jul 2025 19:59:42 +0100
|
||||
Subject: [PATCH 2/3] Add whitespace before conditional operator
|
||||
|
||||
---
|
||||
lib/Authen/SASL/Perl/DIGEST_MD5.pm | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/lib/Authen/SASL/Perl/DIGEST_MD5.pm b/lib/Authen/SASL/Perl/DIGEST_MD5.pm
|
||||
index 44d2109..8c4a67a 100644
|
||||
--- a/lib/Authen/SASL/Perl/DIGEST_MD5.pm
|
||||
+++ b/lib/Authen/SASL/Perl/DIGEST_MD5.pm
|
||||
@@ -202,7 +202,7 @@ sub server_start {
|
||||
|
||||
$self->{need_step} = 1;
|
||||
$self->{error} = undef;
|
||||
- $self->{nonce} = $NONCE? md5_hex($NONCE) : unpack('H32',urandom(16));
|
||||
+ $self->{nonce} = $NONCE ? md5_hex($NONCE) : unpack('H32',urandom(16));
|
||||
|
||||
$self->init_sec_layer;
|
||||
|
||||
@@ -261,7 +261,7 @@ sub client_step { # $self, $server_sasl_credentials
|
||||
|
||||
my %response = (
|
||||
nonce => $sparams{'nonce'},
|
||||
- cnonce => $CNONCE? md5_hex($CNONCE) : unpack('H32',urandom(16)),
|
||||
+ cnonce => $CNONCE ? md5_hex($CNONCE) : unpack('H32',urandom(16)),
|
||||
'digest-uri' => $self->service . '/' . $self->host,
|
||||
# calc how often the server nonce has been seen; server expects "00000001"
|
||||
nc => sprintf("%08d", ++$self->{nonce_counts}{$sparams{'nonce'}}),
|
||||
|
||||
|
||||
@@ -1,3 +1,15 @@
|
||||
-------------------------------------------------------------------
|
||||
Fri Aug 22 20:27:29 UTC 2025 - Tina Müller <tina.mueller@suse.com>
|
||||
|
||||
- Remove perl-Authen-SASL-CVE-2025-40918.patch (fixed upstream)
|
||||
CVE-2025-40918 [bsc#1246623]
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Aug 22 20:26:21 UTC 2025 - Tina Müller <tina.mueller@suse.com>
|
||||
|
||||
- updated to 2.190.0 (2.1900)
|
||||
see /usr/share/doc/packages/perl-Authen-SASL/Changes
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jul 21 10:03:21 UTC 2025 - pgajdos@suse.com
|
||||
|
||||
|
||||
@@ -18,18 +18,16 @@
|
||||
|
||||
%define cpan_name Authen-SASL
|
||||
Name: perl-Authen-SASL
|
||||
Version: 2.180.0
|
||||
Version: 2.190.0
|
||||
Release: 0
|
||||
# 2.1800 -> normalize -> 2.180.0
|
||||
%define cpan_version 2.1800
|
||||
# 2.1900 -> normalize -> 2.190.0
|
||||
%define cpan_version 2.1900
|
||||
License: Artistic-1.0 OR GPL-1.0-or-later
|
||||
Summary: SASL Authentication framework
|
||||
URL: https://metacpan.org/release/%{cpan_name}
|
||||
Source0: https://cpan.metacpan.org/authors/id/E/EH/EHUELS/%{cpan_name}-%{cpan_version}.tar.gz
|
||||
Source1: cpanspec.yml
|
||||
Source100: README.md
|
||||
# CVE-2025-40918 [bsc#1246623], insecurely generated client nonce
|
||||
Patch0: perl-Authen-SASL-CVE-2025-40918.patch
|
||||
BuildArch: noarch
|
||||
BuildRequires: perl
|
||||
BuildRequires: perl-macros
|
||||
@@ -93,7 +91,7 @@ or if you have another plugin module that supports the Authen::SASL API
|
||||
use Authen::SASL qw(My::SASL::Plugin);
|
||||
|
||||
%prep
|
||||
%autosetup -n %{cpan_name}-%{cpan_version} -p1
|
||||
%autosetup -n %{cpan_name}-%{cpan_version} -p1
|
||||
|
||||
%build
|
||||
perl Makefile.PL INSTALLDIRS=vendor
|
||||
|
||||
Reference in New Issue
Block a user