
Re: Addressing Mojolicious CVE-2024-58134 and CVE-2024-58135 in sid



Hi,

On Thu, May 22, 2025 at 10:49:56AM +0100, Sean Whitton wrote:
> Hello recent Mojolicious uploaders,
> 
> I'm looking at Mojolicious's two recent CVEs for Freexian's LTS effort.
> There are some open questions and I think that they are relevant to your
> work in sid.
> 
> It seems that Mojolicious upstream take the view that application
> authors are responsible for configuring a secure session secret and so
> the fact that the defaults are not cryptographically secure is not
> something to fix upstream.[1]  Therefore, we probably can't expect a fix
> for CVE-2024-58134 to arrive upstream.
> 
> What do you think should happen in Debian?  It seems like we could patch
> in secure key generation without too much difficulty.  What do you think
> about doing that?

Do "nothing" (for now) and mark the issue as <no-dsa> or its substate
<ignored> for your older suites. We keep the status as it is for
unstable and, once/if things change upstream, align it with those.

The notes (which were synced with people from CPAN security) sufficiently
describe the situation in my opinion. In particular, CVE-2024-58135 for
instance is specifically about the default static/guessable secret
(and this does not change with having CryptX as an optional dependency in
v3.39 for instance).

I'm though still Cc'ing again Stig Palmquist <stig@cpansec.org>, with
whom I was in contact to get his position on how those CVEs
should be treated.

Regards,
Salvatore
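Since the thread leaves the burden of choosing a secure session secret on the application author, here is an added illustration (not code from the thread, from Debian's packaging, or from the Mojolicious project) of what that looks like in a Mojolicious::Lite app: the secret is generated from the OS CSPRNG, loaded from an environment variable instead of being left at the default, and the app refuses to start without it. The variable name MOJO_SESSION_SECRETS and the `gen-secret` helper command are assumptions made for this example.

```perl
#!/usr/bin/env perl
# Added example, not part of Mojolicious or of Debian's packaging:
# run with an operator-supplied, CSPRNG-generated session secret
# instead of the default, guessable one.
use strict;
use warnings;
use Mojolicious::Lite -signatures;

# Produce a fresh 32-byte secret from /dev/urandom, hex-encoded (64 chars).
# Intended to be run once (`perl app.pl gen-secret`) and the output stored
# in the deployment environment, never in the source tree.
sub generate_secret {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $n = read($fh, my $bytes, 32);
    close $fh;
    die "short read from /dev/urandom" unless defined $n && $n == 32;
    return unpack 'H*', $bytes;
}

if (@ARGV && $ARGV[0] eq 'gen-secret') {
    print generate_secret(), "\n";
    exit 0;
}

# Secrets come from the environment (assumed variable name for this example).
# The first entry signs new session cookies; later entries are still accepted
# for verification, which is what allows a secret to be rotated without
# invalidating every live session at once.
my @secrets = grep { length } split /,/, ($ENV{MOJO_SESSION_SECRETS} // '');
die "Refusing to start: MOJO_SESSION_SECRETS is unset or not a 64-hex-char "
  . "value; generate one with `perl $0 gen-secret`\n"
  unless @secrets && $secrets[0] =~ /^[0-9a-f]{64}$/;
app->secrets(\@secrets);

# Minimal route that exercises the signed session cookie.
get '/' => sub ($c) {
    my $visits = ($c->session('visits') // 0) + 1;
    $c->session(visits => $visits);
    $c->render(text => "visits: $visits\n");
};

app->start;
```

Usage: `perl app.pl gen-secret` prints a secret; `MOJO_SESSION_SECRETS=<that value> perl app.pl daemon` starts the app. To rotate, prepend a newly generated secret to the comma-separated list and drop the old one after existing sessions have expired.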