NIXPKGS-2025-0004

published on 16 Sep 2025

Permalink CVE-2025-40920

updated 4 months, 2 weeks ago by @Erethon Activity log

Created automatic suggestion 5 months, 2 weeks ago
@Erethon accepted 4 months, 2 weeks ago
@Erethon published on GitHub 4 months, 2 weeks ago

Catalyst::Authentication::Credential::HTTP versions 1.018 and earlier for Perl use insecurely generated nonces

Catalyst::Authentication::Credential::HTTP versions 1.018 and earlier for Perl generate nonces using the Perl Data::UUID library. * Data::UUID does not use a strong cryptographic source for generating UUIDs. * Data::UUID returns v3 UUIDs, which are generated from known information and are unsuitable for security, as per RFC 9562. * The nonces should be generated from a strong cryptographic source, as per RFC 7616.

Affected products

Catalyst-Authentication-Credential-HTTP

=<1.018

Matching in nixpkgs

pkgs.perl538Packages.CatalystAuthenticationCredentialHTTP

HTTP Basic and Digest authentication for Catalyst

nixos-unstable 1.018
- nixpkgs-unstable 1.018
- nixos-unstable-small 1.018
nixos-25.05 -
- nixos-25.05-small 1.018

pkgs.perl540Packages.CatalystAuthenticationCredentialHTTP

HTTP Basic and Digest authentication for Catalyst

nixos-unstable 1.018
- nixpkgs-unstable 1.018
- nixos-unstable-small 1.018
nixos-25.05 -
- nixos-25.05-small 1.018

Nixpkgs Security Tracker

Details of issue NIXPKGS-2025-0004

Affected products

Matching in nixpkgs

pkgs.perl538Packages.CatalystAuthenticationCredentialHTTP

pkgs.perl540Packages.CatalystAuthenticationCredentialHTTP