Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestions search

All statuses

Filter by:

With package: python314Packages.aiohttp-session

Found 1 matching suggestions

View:

Compact

Detailed

Untriaged

Permalink CVE-2026-3256

created 3 weeks ago

HTTP::Session versions through 0.53 for Perl defaults to using insecurely generated session ids

HTTP::Session versions through 0.53 for Perl defaults to using insecurely generated session ids. HTTP::Session defaults to using HTTP::Session::ID::SHA1 to generate session ids using a SHA-1 hash seeded with the built-in rand function, the high resolution epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. The distribution includes HTTP::session::ID::MD5 which contains a similar flaw, but uses the MD5 hash instead.

References

Affected products

http-session

=<0.53

Matching in nixpkgs

pkgs.python312Packages.aiohttp-session

Web sessions for aiohttp.web

nixos-25.11 2.12.1
- nixos-25.11-small 2.12.1
- nixpkgs-25.11-darwin 2.12.1

pkgs.python313Packages.aiohttp-session

Web sessions for aiohttp.web

nixos-unstable 2.12.1
- nixpkgs-unstable 2.12.1
- nixos-unstable-small 2.12.1
nixos-25.11 2.12.1
- nixos-25.11-small 2.12.1
- nixpkgs-25.11-darwin 2.12.1

pkgs.python314Packages.aiohttp-session

Web sessions for aiohttp.web

nixos-unstable 2.12.1
- nixpkgs-unstable 2.12.1
- nixos-unstable-small 2.12.1

pkgs.chickenPackages_5.chickenEggs.http-session

Facilities for managing HTTP sessions

nixos-unstable 2.11
- nixpkgs-unstable 2.11
- nixos-unstable-small 2.11
nixos-25.11 2.11
- nixos-25.11-small 2.11
- nixpkgs-25.11-darwin 2.11

Package maintainers

@mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>

1