oss-sec mailing list archives
Re: CVE-2026-9641: Crypt::PBKDF2 versions before 0.261630 for Perl have a weak default algorithm and number of iterations
From: Peter Gutmann <pgut001 () cs auckland ac nz>
Date: Sat, 13 Jun 2026 01:37:19 +0000
Robert Rothenberg <rrwo () cpansec org> writes:
Crypt::PBKDF2 versions before 0.261630 for Perl have a weak default algorithm and number of iterations. The default algorithm is HMAC-SHA1, which should only be used for legacy systems.
Minor nit, there's actually nothing wrong with HMAC-SHA1 since the HMAC construct prevents all of the attacks on SHA1. Even the rather broken MD5 is still fine if used in an HMAC construct. Peter.
Current thread:
- CVE-2026-9641: Crypt::PBKDF2 versions before 0.261630 for Perl have a weak default algorithm and number of iterations Robert Rothenberg (Jun 12)
- Re: CVE-2026-9641: Crypt::PBKDF2 versions before 0.261630 for Perl have a weak default algorithm and number of iterations Peter Gutmann (Jun 12)
