Bug 33923 - perl-Net-OAuth new security issue CVE-2025-22376
Summary: perl-Net-OAuth new security issue CVE-2025-22376
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-01-15 15:24 CET by Nicolas Salguero
Modified: 2025-02-13 20:09 CET

See Also:
Source RPM: perl-Net-OAuth-0.280.0-11.mga9.src.rpm
CVE: CVE-2025-22376
Status comment:



Nicolas Salguero 2025-01-15 15:25:37 CET

Whiteboard: (none) => MGA9TOO
Status comment: (none) => Fixed upstream in 0.30
CVE: (none) => CVE-2025-22376
Source RPM: (none) => perl-Net-OAuth-0.280.0-11.mga9.src.rpm

Comment 1 Lewis Smith 2025-01-26 20:35:32 CET
ThierryV has just put v0.30 in Cauldron. Hopefully it will do for M9 also.

Assignee: bugsquad => perl

Nicolas Salguero 2025-01-29 15:35:50 CET

Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)

Comment 2 Nicolas Salguero 2025-02-12 15:10:30 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In Net::OAuth::Client in the Net::OAuth package before 0.29 for Perl, the default nonce is a 32-bit integer generated from the built-in rand() function, which is not cryptographically strong. (CVE-2025-22376)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GLAEBHWU2NBVEDHXVVKYY4Y2XLNJX2VX/
========================

Updated packages in core/updates_testing:
========================
perl-Crypt-URandom-0.370.0-1.mga9
perl-Module-Build-0.423.400-1.mga9
perl-Net-OAuth-0.300.0-1.mga9

from SRPMS:
perl-Crypt-URandom-0.370.0-1.mga9.src.rpm
perl-Module-Build-0.423.400-1.mga9.src.rpm
perl-Net-OAuth-0.300.0-1.mga9.src.rpm

Status comment: Fixed upstream in 0.30 => (none)
Status: NEW => ASSIGNED
Assignee: perl => qa-bugs
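
The weakness named in the advisory in Comment 2, as an added example that is not Net::OAuth's code and not part of this bug report: a 32-bit rand() nonce beside one drawn from the OS random source. The sub names, the constructed seed, the 16-byte length and the use of Crypt::URandom (one of the packages updated above) for the hardened form are assumptions of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Crypt::URandom qw(urandom);

# Pattern described in the advisory: a 32-bit integer from the built-in rand().
# Illustrative only; this is not copied from Net::OAuth.
sub weak_nonce {
    return int(rand(2**32));
}

# Hardened form: 128 bits from the OS random source, hex-encoded so it can be
# sent as a request parameter. The 16-byte length is this example's choice.
sub strong_nonce {
    return unpack('H*', urandom(16));
}

# 1. rand() is a seeded PRNG: the same seed yields the same "nonces".
srand(12345);    # constructed seed
my @first = map { weak_nonce() } 1 .. 3;
srand(12345);
my @second = map { weak_nonce() } 1 .. 3;
print "rand() repeats under the same seed: ",
    ("@first" eq "@second" ? "yes" : "no"), "\n";

# 2. A 32-bit space is small: by the birthday bound a repeated value is
#    expected after roughly 2**16 draws, so uniqueness fails quickly.
srand();
my (%seen, $draws);
$draws++ until $seen{ weak_nonce() }++;
print "first repeated 32-bit nonce after $draws draws\n";

# 3. The hardened nonce: 32 hex characters, no repeats in the same number of draws.
my %strong_seen;
my $repeats = grep { $strong_seen{ strong_nonce() }++ } 1 .. $draws;
print "sample strong nonce: ", strong_nonce(), "\n";
print "repeats among $draws strong nonces: $repeats\n";
```
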

katnatek 2025-02-12 17:54:11 CET

Keywords: (none) => advisory

Comment 3 katnatek 2025-02-12 18:39:01 CET
RH x86_64

installing perl-Module-Build-0.423.400-1.mga9.noarch.rpm perl-Crypt-URandom-0.370.0-1.mga9.noarch.rpm perl-Net-OAuth-0.300.0-1.mga9.noarch.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/3: perl-Crypt-URandom    ##################################################################################################
      2/3: perl-Net-OAuth        ##################################################################################################
      3/3: perl-Module-Build     ##################################################################################################
      1/2: removing perl-Net-OAuth-0.280.0-11.mga9.noarch
                                 ##################################################################################################
      2/2: removing perl-Module-Build-1:0.423.200-1.mga9.noarch
                                 ##################################################################################################

Clean install

Comment 4 Herman Viaene 2025-02-13 14:27:09 CET
MGA9-64 Plasma Wayland on Compaq H000SB
No installation issues.
Indeed clean install for this developer stuff.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK

Comment 5 Thomas Andrews 2025-02-13 17:07:18 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 6 Mageia Robot 2025-02-13 20:09:58 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0062.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

