Source: libmojolicious-perl Version: 9.39+dfsg-1 Severity: important Tags: security upstream Forwarded: https://github.com/mojolicious/mojo/pull/2200 X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerability was published for libmojolicious-perl. CVE-2024-58135[0]: | Mojolicious versions from 7.28 through 9.39 for Perl may generate | weak HMAC session secrets. When creating a default app with the | "mojo generate app" tool, a weak secret is written to the | application's configuration file using the insecure rand() function, | and used for authenticating and protecting the integrity of the | application's sessions. This may allow an attacker to brute force | the application's session keys. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2024-58135 https://www.cve.org/CVERecord?id=CVE-2024-58135 [1] https://github.com/mojolicious/mojo/pull/2200 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
