Source: libmojolicious-perl Version: 9.39+dfsg-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerability was published for libmojolicious-perl. CVE-2024-58134[0]: | Mojolicious versions from 0.999922 through 9.39 for Perl uses a hard | coded string, or the application's class name, as a HMAC session | secret by default. These predictable default secrets can be | exploited to forge session cookies. An attacker who knows or guesses | the secret could compute valid HMAC signatures for the session | cookie, allowing them to tamper with or hijack another user’s | session. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2024-58134 https://www.cve.org/CVERecord?id=CVE-2024-58134 [1] https://lists.security.metacpan.org/cve-announce/msg/29247502/ Please adjust the affected versions in the BTS as needed. Regards, Salvatore
