[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2024-58135

Sean Whitton (@spwhitton) spwhitton at debian.org
Tue May 27 15:24:33 BST 2025 


Sean Whitton pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a99c5251 by Sean Whitton at 2025-05-27T15:24:28+01:00
Update notes for CVE-2024-58135

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -7242,13 +7242,17 @@ CVE-2024-58135 (Mojolicious versions from 7.28 through 9.40 for Perl may generat
 	[bullseye] - libmojolicious-perl <postponed> (Minor issue)
 	NOTE: https://lists.security.metacpan.org/cve-announce/msg/29241187/
 	NOTE: https://github.com/mojolicious/mojo/commit/c82071556c569a251152892c8cc2fd0ad5a4be54 (v9.39)
-	NOTE: The problem does not occur if the user has configured a cryptographically
-	NOTE: secure HMAC session secret, and upstream expects users to already be doing
-	NOTE: that for production deployments. The fix automatically generates a secure
-	NOTE: session secret. This requires libcryptx-perl, checking >=0.080 though
-	NOTE: it might work with earlier versions.
-	NOTE: As per upstream mojolicious/v9.39 will still be considered vulnerable to the CVE
-	NOTE: since the CryptX is not a required dependency.
+	NOTE: The problem does not occur if the user has configured a
+	NOTE: cryptographically secure HMAC session secret, and upstream
+	NOTE: expects users to already be doing that for production
+	NOTE: deployments. The fix automatically generates a secure session
+	NOTE: secret.  It requires libcryptx-perl >=0.080, but they say this
+	NOTE: is only because that is the only release they tested.
+	NOTE: I.e., it is likely that the fix works fine with older CryptX:
+	NOTE: <https://github.com/mojolicious/mojo/discussions/2255>.
+	NOTE: As per upstream mojolicious/v9.39 will still be considered
+	NOTE: vulnerable to the CVE since the CryptX is not a required
+	NOTE: dependency.
 CVE-2024-58134 (Mojolicious versions from 0.999922 through 9.40 for Perl uses a hard c ...)
 	- libmojolicious-perl <unfixed> (bug #1104648)
 	[bookworm] - libmojolicious-perl <no-dsa> (Minor issue)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a99c52510a37435d64cb037c103539906128267a

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a99c52510a37435d64cb037c103539906128267a
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20250527/ba1654bc/attachment.htm>

More information about the debian-security-tracker-commits mailing list