Bug#1104633: libmojolicious-perl: CVE-2024-58135: may generate weak HMAC session secrets
Salvatore Bonaccorso
carnil at debian.org
Sat May 3 12:59:11 BST 2025
Source: libmojolicious-perl
Version: 9.39+dfsg-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/mojolicious/mojo/pull/2200
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for libmojolicious-perl.
CVE-2024-58135[0]:
| Mojolicious versions from 7.28 through 9.39 for Perl may generate
| weak HMAC session secrets. When creating a default app with the
| "mojo generate app" tool, a weak secret is written to the
| application's configuration file using the insecure rand() function,
| and used for authenticating and protecting the integrity of the
| application's sessions. This may allow an attacker to brute force
| the application's session keys.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-58135
https://www.cve.org/CVERecord?id=CVE-2024-58135
[1] https://github.com/mojolicious/mojo/pull/2200
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the pkg-perl-maintainers
mailing list