ALAS2023-2026-1891


Amazon Linux 2023 Security Advisory: ALAS2023-2026-1891
Advisory Released Date: 2026-06-22
Advisory Updated Date: 2026-06-22
Severity: Medium

Issue Overview:

Crypt::PBKDF2 versions before 0.261630 for Perl are vulnerable to timing attacks.

These versions use Perl's built-in eq comparison. Discrepancies in timing could be used to guess the underlying derived key. (CVE-2017-20240)

Crypt::PBKDF2 versions before 0.261630 for Perl generate insecure random values for salts.

These versions use the built-in rand function, which is predictable and unsuitable for cryptography. (CVE-2026-9638)

Crypt::PBKDF2 versions before 0.261630 for Perl have a weak default algorithm and number of iterations.

The default algorithm is HMAC-SHA1, which should only be used for legacy systems.

These versions default to using 1000 iterations.

Depending on the chosen algorithm, 220,000 to 1,400,000 iterations should be used. (CVE-2026-9641)
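The following Perl is an added example, not code from this advisory or from the Crypt::PBKDF2 distribution. It shows the three hardening points the advisory describes: an explicit HMAC-SHA256 configuration with an iteration count in the cited range, a salt drawn from the OS CSPRNG rather than rand, and a constant-time comparison of the derived key instead of eq. It assumes Crypt::PBKDF2 (its hash_class, hash_args, iterations and PBKDF2 interface) and Crypt::URandom are installed; the sample password is constructed.

```perl
#!/usr/bin/perl
# Added example; assumes Crypt::PBKDF2 >= 0.261630 and Crypt::URandom are installed.
use strict;
use warnings;
use Crypt::PBKDF2;
use Crypt::URandom qw(urandom);

# Explicit, hardened parameters instead of the old defaults (HMAC-SHA1, 1000 iterations).
my $kdf = Crypt::PBKDF2->new(
    hash_class => 'HMACSHA2',
    hash_args  => { sha_size => 256 },
    iterations => 600_000,    # inside the 220,000 to 1,400,000 range the advisory cites
    output_len => 32,
);

# Salt from the OS CSPRNG (Crypt::URandom), never from Perl's predictable rand().
sub new_salt { return urandom(16) }

# Constant-time comparison: XOR every byte and OR the results together, so the
# work done does not depend on where the first differing byte is (unlike eq).
sub consttime_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);    # lengths are public for fixed-size keys
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Verification: re-derive from the stored salt and compare in constant time.
sub verify {
    my ($salt, $stored, $candidate) = @_;
    return consttime_eq($stored, $kdf->PBKDF2($salt, $candidate));
}

# Enrolment with a constructed sample password: store salt and derived key together.
my $password = 'correct horse battery staple';
my $salt     = new_salt();
my $stored   = $kdf->PBKDF2($salt, $password);

print verify($salt, $stored, $password) ? "accept\n" : "reject\n";
print verify($salt, $stored, 'wrong')   ? "accept\n" : "reject\n";
```

Crypt::PBKDF2 also offers generate and validate for self-describing hash strings; the explicit PBKDF2 call and comparison above are used so the timing-safe check and the salt source are visible.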


Affected Packages:

perl-Crypt-PBKDF2


Issue Correction:
Run dnf update perl-Crypt-PBKDF2 --releasever 2023.12.20260622 or dnf update --advisory ALAS2023-2026-1891 --releasever 2023.12.20260622 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:
noarch:
    perl-Crypt-PBKDF2-0.261630-1.amzn2023.0.1.noarch

src:
    perl-Crypt-PBKDF2-0.261630-1.amzn2023.0.1.src