#1104633 libmojolicious-perl: CVE-2024-58135: may generate weak HMAC session secrets

Package:
src:libmojolicious-perl
Source:
src:libmojolicious-perl
Submitter:
Salvatore Bonaccorso
Date:
2025-05-20 08:57:02 UTC
Severity:
normal
Tags:
#1104633#5
Date:
2025-05-03 11:59:11 UTC
From:
To:
Hi,

The following vulnerability was published for libmojolicious-perl.

CVE-2024-58135[0]:
| Mojolicious versions from 7.28 through 9.39 for Perl may generate
| weak HMAC session secrets.  When creating a default app with the
| "mojo generate app" tool, a weak secret is written to the
| application's configuration file using the insecure rand() function,
| and used for authenticating and protecting the integrity of the
| application's sessions. This may allow an attacker to brute force
| the application's session keys.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-58135
https://www.cve.org/CVERecord?id=CVE-2024-58135
[1] https://github.com/mojolicious/mojo/pull/2200

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
#1104633#14
Date:
2025-05-19 10:50:26 UTC
From:
To:
tag 1104648 + fixed-upstream
tag 1104633 + fixed-upstream
thanks

Hello,

These are now fixed by upstream commit c82071556c569a251152892c8cc2fd0ad5a4be54.