Addressing Mojolicious CVE-2024-58134 and CVE-2024-58135 in sid
Hello recent Mojolicious uploaders,
I'm looking at Mojolicious's two recent CVEs for Freexian's LTS effort.
There are some open questions and I think that they are relevant to your
work in sid.
It seems that Mojolicious upstream take the view that application
authors are responsible for configuring a secure session secret and so
the fact that the defaults are not cryptographically secure is not
something to fix upstream.[1] Therefore, we probably can't expect a fix
for CVE-2024-58134 to arrive upstream.
What do you think should happen in Debian? It seems like we could patch
in secure key generation without too much difficulty. What do you think
about doing that?
Thank you for reading.
[1] https://github.com/mojolicious/mojo/pull/2200#issuecomment-2408248209
--
Sean Whitton
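For context on the mitigation the mail discusses, here is an added example (not from the mail, Debian, or Mojolicious upstream) of a Mojolicious::Lite app that refuses to run on the default secret and instead loads an explicit one generated from the OS CSPRNG. It assumes the CPAN module Crypt::URandom and an environment variable name, MOJO_SESSION_SECRET, that I chose for illustration.

```perl
#!/usr/bin/env perl
# Added example: configure a cryptographically secure session secret
# explicitly rather than relying on Mojolicious's default.
use Mojolicious::Lite -signatures;
use Crypt::URandom qw(urandom);       # CPAN; reads the OS CSPRNG
use MIME::Base64 qw(encode_base64);

# Produce a 32-byte secret from the OS CSPRNG, base64 encoded without line
# breaks so it can be stored in a config file or environment variable.
sub make_secret {
  return encode_base64(urandom(32), '');
}

# Run as `perl app.pl secret` to print a fresh secret for deployment.
if (($ARGV[0] // '') eq 'secret') {
  print make_secret(), "\n";
  exit 0;
}

# Never derive the secret from the application name or a weak PRNG:
# require the operator to supply one (MOJO_SESSION_SECRET is an assumed name).
my $secret = $ENV{MOJO_SESSION_SECRET}
  // die "MOJO_SESSION_SECRET is not set; run '$0 secret' to generate one\n";
die "MOJO_SESSION_SECRET is too short\n" if length($secret) < 32;

# Sessions are HMAC-signed with the first secret; extra entries allow
# rotation, since older secrets are still accepted for verification.
app->secrets([$secret]);

get '/' => sub ($c) {
  my $visits = ($c->session('visits') // 0) + 1;
  $c->session(visits => $visits);
  $c->render(text => "visits: $visits\n");
};

app->start;
```

Rotating the secret is then a matter of prepending a new value and keeping the old one in the list until existing sessions have expired.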