[Git][security-tracker-team/security-tracker][master] Make long note block wrap bit later to make it shorter

[Salvatore Bonaccorso (@carnil)]

Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2d2600f0 by Salvatore Bonaccorso at 2025-05-27T19:22:01+02:00
Make long note block wrap bit later to make it shorter

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -7290,17 +7290,14 @@ CVE-2024-58135 (Mojolicious versions from 7.28 through 9.40 for Perl may generat
 	[bullseye] - libmojolicious-perl <postponed> (Minor issue)
 	NOTE: https://lists.security.metacpan.org/cve-announce/msg/29241187/
 	NOTE: https://github.com/mojolicious/mojo/commit/c82071556c569a251152892c8cc2fd0ad5a4be54 (v9.39)
-	NOTE: The problem does not occur if the user has configured a
-	NOTE: cryptographically secure HMAC session secret, and upstream
-	NOTE: expects users to already be doing that for production
-	NOTE: deployments. The fix automatically generates a secure session
-	NOTE: secret.  It requires libcryptx-perl >=0.080, but they say this
-	NOTE: is only because that is the only release they tested.
-	NOTE: I.e., it is likely that the fix works fine with older CryptX:
-	NOTE: https://github.com/mojolicious/mojo/discussions/2255
-	NOTE: As per upstream mojolicious/v9.39 will still be considered
-	NOTE: vulnerable to the CVE since the CryptX is not a required
-	NOTE: dependency.
+	NOTE: The problem does not occur if the user has configured a cryptographically
+	NOTE: secure HMAC session secret, and upstream expects users to already be doing
+	NOTE: that for production deployments. The fix automatically generates a secure
+	NOTE: session secret.  It requires libcryptx-perl >=0.080, but they say this is
+	NOTE: only because that is the only release they tested. I.e., it is likely that
+	NOTE: the fix works fine with older CryptX: https://github.com/mojolicious/mojo/discussions/2255
+	NOTE: As per upstream mojolicious/v9.39 will still be considered vulnerable to the
+	NOTE: CVE since the CryptX is not a required dependency.
 CVE-2024-58134 (Mojolicious versions from 0.999922 through 9.40 for Perl uses a hard c ...)
 	- libmojolicious-perl <unfixed> (bug #1104648)
 	[bookworm] - libmojolicious-perl <no-dsa> (Minor issue)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2d2600f00ebd9fad6ed2d78a4240964ce4da8f77

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2d2600f00ebd9fad6ed2d78a4240964ce4da8f77
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20250527/a341cdf3/attachment-0001.htm>