libmojolicious-perl - Debian Package Tracker

general

source: libmojolicious-perl (main)
version: 9.39+dfsg-1
maintainer: Debian Perl Group (archive) (DMD) (LowNMU)
uploaders: CSILLAG Tamas [DMD] – Philip Hands [DMD] – gregor herrmann [DMD] – Nick Morrott [DMD] – Dominique Dumont [DMD] – Angel Abad [DMD]
arch: all
std-ver: 4.7.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 8.71+dfsg-1
oldstable: 9.31+dfsg-1
old-bpo: 9.37+dfsg-2~bpo12+1
stable: 9.39+dfsg-1
testing: 9.39+dfsg-1
unstable: 9.39+dfsg-1

versioned links

8.71+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.31+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.37+dfsg-2~bpo12+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.39+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libmojolicious-perl (1 bugs: 0, 1, 0, 0)

action needed

A new upstream version is available: 9.42 high

A new upstream version 9.42 is available, you should consider packaging it.

Created: 2025-10-12 Last update: 2025-10-29 14:00

2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:

CVE-2024-58134: Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application's class name, as an HMAC session cookie secret by default. These predictable default secrets can be exploited by an attacker to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.
CVE-2024-58135: Mojolicious versions from 7.28 for Perl will generate weak HMAC session cookie secrets via "mojo generate app" by default When creating a default app skeleton with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys.

Created: 2025-05-03 Last update: 2025-10-21 04:01

2 security issues in forky high

There are 2 open security issues in forky.

2 important issues:

CVE-2024-58134: Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application's class name, as an HMAC session cookie secret by default. These predictable default secrets can be exploited by an attacker to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.
CVE-2024-58135: Mojolicious versions from 7.28 for Perl will generate weak HMAC session cookie secrets via "mojo generate app" by default When creating a default app skeleton with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys.

Created: 2025-08-09 Last update: 2025-10-21 04:01

1 security issue in buster high

There is 1 open security issue in buster.

1 important issue:

CVE-2021-47208: The Mojolicious module before 9.11 for Perl has a bug in format detection that can potentially be exploited for denial of service.

Created: 2024-04-08 Last update: 2024-06-28 11:38

2 low-priority security issues in trixie low

There are 2 open security issues in trixie.

2 issues left for the package maintainer to handle:

CVE-2024-58134: (needs triaging) Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application's class name, as an HMAC session cookie secret by default. These predictable default secrets can be exploited by an attacker to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.
CVE-2024-58135: (needs triaging) Mojolicious versions from 7.28 for Perl will generate weak HMAC session cookie secrets via "mojo generate app" by default When creating a default app skeleton with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys.

You can find information about how to handle these issues in the security team's documentation.

Created: 2025-05-03 Last update: 2025-10-21 04:01

2 low-priority security issues in bookworm low

There are 2 open security issues in bookworm.

2 issues left for the package maintainer to handle:

CVE-2024-58134: (needs triaging) Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application's class name, as an HMAC session cookie secret by default. These predictable default secrets can be exploited by an attacker to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.
CVE-2024-58135: (needs triaging) Mojolicious versions from 7.28 for Perl will generate weak HMAC session cookie secrets via "mojo generate app" by default When creating a default app skeleton with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys.

You can find information about how to handle these issues in the security team's documentation.

Created: 2025-05-03 Last update: 2025-10-21 04:01

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.7.0).

Created: 2025-02-21 Last update: 2025-02-27 13:24

news

[rss feed]

[2024-12-10] libmojolicious-perl 9.39+dfsg-1 MIGRATED to testing (Debian testing watch)
[2024-12-07] Accepted libmojolicious-perl 9.39+dfsg-1 (source) into unstable (gregor herrmann)
[2024-08-20] libmojolicious-perl 9.38+dfsg-1 MIGRATED to testing (Debian testing watch)
[2024-08-17] Accepted libmojolicious-perl 9.38+dfsg-1 (source) into unstable (gregor herrmann)
[2024-08-13] Accepted libmojolicious-perl 9.37+dfsg-2~bpo12+1 (source) into stable-backports (Philip Hands)
[2024-08-03] libmojolicious-perl 9.37+dfsg-2 MIGRATED to testing (Debian testing watch)
[2024-07-31] Accepted libmojolicious-perl 9.37+dfsg-2 (source) into unstable (Philip Hands)
[2024-06-28] Accepted libmojolicious-perl 8.12+dfsg-1.1~deb10u1 (source) into oldoldstable (Arturo Borrero Gonzalez)
[2024-05-17] libmojolicious-perl 9.37+dfsg-1 MIGRATED to testing (Debian testing watch)
[2024-05-15] Accepted libmojolicious-perl 9.37+dfsg-1 (source) into unstable (gregor herrmann)
[2024-04-23] Accepted libmojolicious-perl 9.36+dfsg-1~bpo12+2 (all source) into stable-backports (Debian FTP Masters) (signed by: Philip Hands)
[2024-03-26] libmojolicious-perl 9.36+dfsg-1 MIGRATED to testing (Debian testing watch)
[2024-03-24] Accepted libmojolicious-perl 9.36+dfsg-1 (source) into unstable (gregor herrmann)
[2023-11-06] libmojolicious-perl 9.35+dfsg-1 MIGRATED to testing (Debian testing watch)
[2023-10-28] Accepted libmojolicious-perl 9.35+dfsg-1 (source) into unstable (gregor herrmann)
[2023-10-02] libmojolicious-perl 9.34+dfsg-1 MIGRATED to testing (Debian testing watch)
[2023-09-29] Accepted libmojolicious-perl 9.34+dfsg-1 (source) into unstable (gregor herrmann)
[2023-08-14] libmojolicious-perl 9.33+dfsg-1 MIGRATED to testing (Debian testing watch)
[2023-08-11] Accepted libmojolicious-perl 9.33+dfsg-1 (source) into unstable (gregor herrmann)
[2022-12-25] libmojolicious-perl 9.31+dfsg-1 MIGRATED to testing (Debian testing watch)
[2022-12-22] Accepted libmojolicious-perl 9.31+dfsg-1 (source) into unstable (gregor herrmann)
[2022-10-18] libmojolicious-perl 9.28+dfsg-1 MIGRATED to testing (Debian testing watch)
[2022-10-15] Accepted libmojolicious-perl 9.28+dfsg-1 (source) into unstable (gregor herrmann)
[2022-09-21] libmojolicious-perl 9.27+dfsg-1 MIGRATED to testing (Debian testing watch)
[2022-09-21] libmojolicious-perl 9.27+dfsg-1 MIGRATED to testing (Debian testing watch)
[2022-09-17] Accepted libmojolicious-perl 9.27+dfsg-1 (source) into unstable (gregor herrmann)
[2022-06-13] libmojolicious-perl 9.26+dfsg-1 MIGRATED to testing (Debian testing watch)
[2022-05-27] Accepted libmojolicious-perl 9.26+dfsg-1 (source) into unstable (gregor herrmann)
[2022-05-07] Accepted libmojolicious-perl 9.25+dfsg-1 (source) into unstable (gregor herrmann)
[2022-04-25] libmojolicious-perl 9.24+dfsg-1 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 3
RC: 0
I&N: 3
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 9.39+dfsg-1