#1104648 libmojolicious-perl: CVE-2024-58134: uses a hard coded string, or the application's class name, as a HMAC session secret by default

Package: src:libmojolicious-perl
Source: src:libmojolicious-perl
Submitter: Salvatore Bonaccorso
Date: 2025-05-20 09:15:01 UTC
Severity: normal
Tags:

#1104648#5
Date: 2025-05-03 20:14:18 UTC
Hi,

The following vulnerability was published for libmojolicious-perl.

CVE-2024-58134[0]:
| Mojolicious versions from 0.999922 through 9.39 for Perl uses a hard
| coded string, or the application's class name, as a HMAC session
| secret by default.  These predictable default secrets can be
| exploited to forge session cookies. An attacker who knows or guesses
| the secret could compute valid HMAC signatures for the session
| cookie, allowing them to tamper with or hijack another user’s
| session.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-58134
https://www.cve.org/CVERecord?id=CVE-2024-58134
[1] https://lists.security.metacpan.org/cve-announce/msg/29247502/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
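As an added example (not from this bug report and not Mojolicious's own code), a Mojolicious::Lite application that refuses to start unless explicit session secrets are supplied, and rejects the class-name default the CVE describes. The MOJO_SESSION_SECRETS environment variable and the 32-byte minimum are assumptions of this example.

```perl
#!/usr/bin/env perl
# Added example: fail closed instead of falling back to Mojolicious's
# predictable default session secret (CVE-2024-58134).
use Mojolicious::Lite -signatures;

# Assumption: deployment supplies the secrets in this variable, comma-separated,
# newest first. Mojolicious signs with the first entry and verifies against all
# of them, which is what makes rotation possible.
my @secrets = grep { length } split /,/, ($ENV{MOJO_SESSION_SECRETS} // '');
die "MOJO_SESSION_SECRETS is not set; refusing to run with the default secret\n"
  unless @secrets;

# The default this CVE covers is the application's class name, so treat that
# value (and anything short enough to guess) as unacceptable.
my $class = ref app();
for my $s (@secrets) {
  die "a session secret equals the application class name ($class)\n"
    if $s eq $class;
  die "a session secret is shorter than 32 bytes; generate it randomly\n"
    if length($s) < 32;
}
app->secrets(\@secrets);    # replaces the default before any cookie is signed

# Minimal session use: the cookie carrying 'visits' is HMAC-signed with the
# first secret above, so its integrity depends on that secret staying private.
get '/' => sub ($c) {
  my $visits = ($c->session('visits') // 0) + 1;
  $c->session(visits => $visits);
  $c->render(text => "visit $visits\n");
};

app->start;
```

Generate each secret with something like `openssl rand -base64 48` and rotate by prepending a new value to the variable while keeping the old one for a grace period.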

#1104648#10
Date: 2025-05-19 10:50:26 UTC
tag 1104648 + fixed-upstream
tag 1104633 + fixed-upstream
thanks

Hello,

These are now fixed by upstream commit c82071556c569a251152892c8cc2fd0ad5a4be54.

#1104648#15
Date: 2025-05-19 17:03:09 UTC
Control: tags 1104648 - fixed-upstream

CVE-2024-58134 covers the default static/guessable secret, and this
behavior is unchanged by the optional CryptX.

Thanks to Stig for noticing.

Regards,
Salvatore

#1104648#20
Date: 2025-05-20 09:11:35 UTC
Hello,

Looking again, I see what you mean.  Thanks.