Addressing Mojolicious CVE-2024-58134 and CVE-2024-58135 in sid

To: gregor herrmann <gregoa@debian.org>, Philip Hands <phil@hands.com>,
Cc: debian-perl@lists.debian.org, debian-lts@lists.debian.org
Subject: Addressing Mojolicious CVE-2024-58134 and CVE-2024-58135 in sid
From: Sean Whitton <spwhitton@spwhitton.name>
Date: Thu, 22 May 2025 10:49:56 +0100
Message-id: <[🔎] 875xhtotyz.fsf@zephyr.silentflame.com>

Hello recent Mojolicious uploaders,

I'm looking at Mojolicious's two recent CVEs for Freexian's LTS effort.
There are some open questions and I think that they are relevant to your
work in sid.

It seems that Mojolicious upstream take the view that application
authors are responsible for configuring a secure session secret and so
the fact these the defaults are not cryptographically secure is not
something to fix upstream.[1]  Therefore, we probably can't expect a fix
for CVE-2024-58134 to arrive upstream.

What do you think should happen in Debian?  It seems like we could patch
in secure key generation without too much difficulty.  What do you think
about doing that?

Thank you for reading.

[1]  https://github.com/mojolicious/mojo/pull/2200#issuecomment-2408248209

-- 
Sean Whitton

Reply to:

Follow-Ups:
- Re: Addressing Mojolicious CVE-2024-58134 and CVE-2024-58135 in sid
  - From: Marc SCHAEFER <schaefer@alphanet.ch>
- Re: Addressing Mojolicious CVE-2024-58134 and CVE-2024-58135 in sid
  - From: Salvatore Bonaccorso <carnil@debian.org>

Prev by Date: Re: Low-hanging fruits reminder for 2025-05-21, 17:00 UTC (tomorrow)
Next by Date: Re: Addressing Mojolicious CVE-2024-58134 and CVE-2024-58135 in sid
Previous by thread: LHF report (was: Low-hanging fruits reminder for 2025-05-21, 17:00 UTC (tomorrow))
Next by thread: Re: Addressing Mojolicious CVE-2024-58134 and CVE-2024-58135 in sid
Index(es):
- Date
- Thread