CVE-2026-8700: Crypt::DSA versions before 1.20 for Perl generate seeds using rand
Timothy Legge, 15 May 2026 22:12 UTC

========================================================================
CVE-2026-8700                                        CPAN Security Group
========================================================================

         CVE ID:  CVE-2026-8700
   Distribution:  Crypt-DSA
       Versions:  before 1.20

       MetaCPAN:  https://metacpan.org/dist/Crypt-DSA
       VCS Repo:  https://github.com/perl-Crypt-OpenPGP/Crypt-DSA.git

Crypt::DSA versions before 1.20 for Perl generate seeds using rand

Description
-----------
Crypt::DSA versions before 1.20 for Perl generate seeds using rand.

Seeds were generated using Perl's built-in rand function, which is
predictable and unsuitable for security usage.
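
The difference between a rand-derived seed and one read from the operating
system's CSPRNG, as an added example (not code from Crypt::DSA or from this
advisory). The 20-byte length, the srand value and the helper names weak_seed
and os_seed are assumptions chosen for illustration, and /dev/urandom is
assumed to be available:

```perl
#!/usr/bin/env perl
# Added illustration; not code from Crypt::DSA.
use strict;
use warnings;

my $SEED_LEN = 20;    # assumed seed length in bytes (illustrative)

# Weak pattern: every byte comes from Perl's built-in rand(), whose
# output stream is completely determined by the srand() value.
sub weak_seed {
    my ($len) = @_;
    return join '', map { chr(int(rand(256))) } 1 .. $len;
}

# Safer pattern: take the bytes from the operating system's CSPRNG.
# Assumes a Unix-like host that provides /dev/urandom.
sub os_seed {
    my ($len) = @_;
    open my $fh, '<:raw', '/dev/urandom'
        or die "cannot open /dev/urandom: $!";
    my $buf = '';
    while (length($buf) < $len) {
        my $n = read($fh, $buf, $len - length($buf), length($buf));
        die "read from /dev/urandom failed: $!" unless defined $n;
        die "unexpected EOF on /dev/urandom"    if $n == 0;
    }
    close $fh;
    return $buf;
}

# Constructed demo value: any fixed srand() argument shows the effect.
my $state = 12345;

srand($state);
my $first = weak_seed($SEED_LEN);
srand($state);
my $second = weak_seed($SEED_LEN);

printf "rand() seed 1:   %s\n", unpack('H*', $first);
printf "rand() seed 2:   %s\n", unpack('H*', $second);
printf "same after identical srand(): %s\n",
    $first eq $second ? 'yes' : 'no';

my ($x, $y) = (os_seed($SEED_LEN), os_seed($SEED_LEN));
printf "urandom seed 1:  %s\n", unpack('H*', $x);
printf "urandom seed 2:  %s\n", unpack('H*', $y);
printf "same across two reads: %s\n", $x eq $y ? 'yes' : 'no';
```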

Problem types
-------------
- CWE-331 Insufficient Entropy

Solutions
---------
Upgrade to version 1.20 or later.

References
----------
https://metacpan.org/release/TIMLEGGE/Crypt-DSA-1.20/changes
https://metacpan.org/release/TIMLEGGE/Crypt-DSA-1.20/diff/TIMLEGGE/Crypt-DSA-1.19#lib/Crypt/DSA/KeyChain.pm

Timeline
--------
- 2026-05-15: CPANSec identified issue
- 2026-05-15: Author was notified
- 2026-05-15: Version 1.20 released