Authen-SASL-2.1900

Security Advisories (1)

CVE-2025-40918 (2025-07-16)

Authen::SASL::Perl::DIGEST_MD5 versions 2.04 through 2.1800 for Perl generates the cnonce insecurely. The cnonce (client nonce) is generated from an MD5 hash of the PID, the epoch time and the built-in rand function. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. According to RFC 2831, The cnonce-value is an opaque quoted string value provided by the client and used by both client and server to avoid chosen plaintext attacks, and to provide mutual authentication. The security of the implementation depends on a good choice. It is RECOMMENDED that it contain at least 64 bits of entropy.

Changes for version 2.1900 - 2025-08-05

Fixed
- CVE-2025-40918 (Insecure source of randomness), required addition of dependency on Crypt::URandom
Changed
- Modules Authen::SASL::Perl::CRAM_MD5, Authen::SASL::Perl::DIGEST_MD5 and Authen::SASL::CRAM_MD5 marked as deprecated based on the respective RFC documents; thanks to @robrwo for the suggestion and @neustradamus for the pointers to the documentation
- Update module metadata to point to the new 'perl-authen-sasl' org on GitHub to which the modules moved
- Use VERSION declarations in 'package' statements, since our minimum Perl version is 5.14 anyway

Modules

Authen::SASL

SASL Authentication framework

Authen::SASL::Perl

Perl implementation of the SASL Authentication framework

Authen::SASL::Perl::ANONYMOUS

Anonymous Authentication class

Authen::SASL::Perl::CRAM_MD5

(DEPRECATED) CRAM MD5 Authentication class

Authen::SASL::Perl::DIGEST_MD5

(DEPRECATED) Digest MD5 Authentication class

Authen::SASL::Perl::EXTERNAL

External Authentication class

Authen::SASL::Perl::GSSAPI

GSSAPI (Kerberosv5) Authentication class

Authen::SASL::Perl::LOGIN

Authen::SASL::Perl::OAUTHBEARER

OAUTHBEARER Authentication class

Authen::SASL::Perl::PLAIN

Plain Login Authentication class

Authen::SASL::Perl::XOAUTH2

XOAUTH2 Authentication class

Provides

Authen::SASL::CRAM_MD5

in lib/Authen/SASL/CRAM_MD5.pm

Authen::SASL::EXTERNAL

in lib/Authen/SASL/EXTERNAL.pm

Examples

Other files

To install Authen::SASL, copy and paste the appropriate command in to your terminal.

cpanm

cpanm Authen::SASL

CPAN shell

perl -MCPAN -e shell
install Authen::SASL

For more information on module installation, please visit the detailed CPAN module installation guide.

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	Go to GitHub issues (only if GitHub is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

	Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)

Changes for version 2.1900 - 2025-08-05

Modules

Provides

Examples

Other files

Module Install Instructions