
Fedora 43 perl-Crypt-PBKDF2 Crucial Hashing Upgrade 2026-e8231b773d

Distribution: Fedora
Date: June 20, 2026
Addressing significant security concerns in perl-Crypt-PBKDF2 for Fedora with enhanced hashing and salt generation standards.

Summary

PBKDF2 is a secure password hashing algorithm that uses the techniques of "key strengthening" to make the complexity of a brute-force attack arbitrarily high. PBKDF2 uses any other cryptographic hash or cipher (by convention, usually HMAC-SHA2, but Crypt::PBKDF2 is fully pluggable), and allows for an arbitrary number of iterations of the hashing function, and a nearly unlimited output hash size (up to 2**32-1 times the size of the output of the backend hash). The hash is salted, as any password hash should be, and the salt may also be of arbitrary size.

Update Information:

This update addresses a number of security issues:

- Change the default hash algorithm to HMAC-SHA256, and increase the default number of iterations to 600,000, in line with current OWASP recommendations (CVE-2026-9641)
- Generate salts using Crypt::URandom (a strong system RNG) instead of perl's builtin rand(), which is not cryptographically secure (CVE-2026-9638)
- Use a constant-time comparison in validate to avoid timing attacks (CVE-2017-20240)
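The three fixes listed above, carried over as an added Python example (not code from the Crypt::PBKDF2 module or this update): PBKDF2-HMAC-SHA256 at 600,000 iterations, a salt drawn from the operating system's CSPRNG, and a constant-time comparison when verifying, plus a check that flags records still hashed under weaker parameters so they can be rehashed at next login. The record layout, the 16-byte salt length and the SHA-1/1,000-iteration "legacy" parameters are assumptions made for illustration; the page does not state them.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# New defaults from the advisory: HMAC-SHA256 with 600,000 iterations.
HASH_NAME = "sha256"
ITERATIONS = 600_000
SALT_LEN = 16  # assumption: salt length in bytes (the page gives no figure)


def hash_password(password: str, *, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS, hash_name: str = HASH_NAME) -> str:
    """Hash a password and return a self-describing record.

    Record layout (assumed for this example): pbkdf2$<hash>$<iterations>$<b64 salt>$<b64 key>.
    A fixed salt may be passed for tests; production callers should leave it None.
    """
    if salt is None:
        # os.urandom draws from the OS CSPRNG, the role Crypt::URandom plays in the
        # fixed module; a rand()-style PRNG must not be used for salts.
        salt = os.urandom(SALT_LEN)
    key = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2", hash_name, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(key).decode("ascii")])


def verify_password(stored: str, password: str) -> bool:
    """Recompute the key under the record's own parameters and compare in constant time."""
    scheme, hash_name, iterations, salt_b64, key_b64 = stored.split("$")
    if scheme != "pbkdf2":
        raise ValueError("unrecognised record scheme")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(key_b64)
    actual = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt, int(iterations))
    # hmac.compare_digest does not stop at the first differing byte, so the time taken
    # does not reveal how much of the key matched (the CVE-2017-20240 class of bug).
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str) -> bool:
    """True when a record was made under weaker parameters than the current defaults."""
    _, hash_name, iterations, _, _ = stored.split("$")
    return hash_name != HASH_NAME or int(iterations) < ITERATIONS
```

Because the record carries its own hash name and iteration count, old records still verify after the defaults change, and needs_rehash tells the application which ones to upgrade once the user has presented the correct password.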

Change Log

* Fri Jun 12 2026 Paul Howarth - 0.261630-1
- Update to 0.261630 (rhbz#2488228)
- Change the default hash algorithm to HMAC-SHA256, and increase the default number of iterations to 600,000, in line with current OWASP recommendations (CVE-2026-9641)
- Generate salts using Crypt::URandom (a strong system RNG) instead of perl's builtin rand(), which is not cryptographically secure (CVE-2026-9638)
- Use a constant-time comparison in 'validate' to avoid timing attacks (CVE-2017-20240)
- Switch to Module::Build::Tiny flow
- Package new README file

* Sat Jan 17 2026 Fedora Release Engineering - 0.161520-25
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild

References

[ 1 ] Bug #2488228 - perl-Crypt-PBKDF2-0.261630 is available
      https://bugzilla.redhat.com/show_bug.cgi?id=2488228
[ 2 ] Bug #2488894 - CVE-2017-20240 perl-Crypt-PBKDF2: information disclosure via timing attack [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=2488894
[ 3 ] Bug #2488896 - CVE-2026-9641 perl-Crypt-PBKDF2: weak default algorithm and insufficient iterations [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=2488896
[ 4 ] Bug #2488899 - CVE-2026-9638 perl-Crypt-PBKDF2: generation of insecure random values for salts [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=2488899

Update Instructions

This update can be installed with the "dnf" update program. Use

    su -c 'dnf upgrade --advisory FEDORA-2026-e8231b773d'

at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

Severity: important

Name: perl-Crypt-PBKDF2
Product: Fedora 43
Version: 0.261630
Release: 1.fc43
Summary: The PBKDF2 password hashing algorithm
