CVE-2024-57868

Publication date 5 April 2025

Last updated 9 April 2025

Ubuntu priority

Web::API 2.8 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions. Specifically Web::API uses the Data::Random library which specifically states that it is "Useful mostly for test programs". Data::Random uses the rand() function.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
libweb-api-perl	24.10 oracular	Needs evaluation
	24.04 LTS noble	Needs evaluation
	22.04 LTS jammy	Needs evaluation
	20.04 LTS focal	Needs evaluation
	18.04 LTS bionic	Needs evaluation

How can I get the fixes?
What do statuses mean?

References

MITRE
NVD
Launchpad
Debian

Other references

https://www.cve.org/CVERecord?id=CVE-2024-57868
https://lists.security.metacpan.org/cve-announce/msg/28503730/
https://metacpan.org/dist/Web-API/source/lib/Web/API.pm#L20
https://metacpan.org/dist/Web-API/source/lib/Web/API.pm#L348
https://metacpan.org/release/BAREFOOT/Data-Random-0.13/source/lib/Data/Random.pm#L537
https://perldoc.perl.org/functions/rand
https://security.metacpan.org/docs/guides/random-data-for-security.html