Register | Log in

libmojolicious-perl

simple, yet powerful, Web Application Framework

Choose email to subscribe with

general

source: libmojolicious-perl (main)
version: 9.39+dfsg-1
maintainer: Debian Perl Group (archive) (DMD) (LowNMU)
uploaders: CSILLAG Tamas [DMD] – Philip Hands [DMD] – gregor herrmann [DMD] – Nick Morrott [DMD] – Dominique Dumont [DMD] – Angel Abad [DMD]
arch: all
std-ver: 4.7.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 8.12+dfsg-1
o-o-sec: 8.12+dfsg-1.1~deb10u1
oldstable: 8.71+dfsg-1
stable: 9.31+dfsg-1
stable-bpo: 9.37+dfsg-2~bpo12+1
testing: 9.39+dfsg-1
unstable: 9.39+dfsg-1

versioned links

8.12+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
8.12+dfsg-1.1~deb10u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
8.71+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.31+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.37+dfsg-2~bpo12+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.39+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libmojolicious-perl (1 bugs: 0, 1, 0, 0)

action needed

A new upstream version is available: 9.40 high

A new upstream version 9.40 is available, you should consider packaging it.

Created: 2025-05-13 Last update: 2025-05-14 16:02

2 security issues in trixie high

There are 2 open security issues in trixie.

2 important issues:

CVE-2024-58134: Mojolicious versions from 0.999922 through 9.40 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.
CVE-2024-58135: Mojolicious versions from 7.28 through 9.40 for Perl may generate weak HMAC session secrets. When creating a default app with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys.

Created: 2025-05-03 Last update: 2025-05-13 16:30

2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:

CVE-2024-58134: Mojolicious versions from 0.999922 through 9.40 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.
CVE-2024-58135: Mojolicious versions from 7.28 through 9.40 for Perl may generate weak HMAC session secrets. When creating a default app with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys.

Created: 2025-05-03 Last update: 2025-05-13 16:30

3 security issues in bullseye high

There are 3 open security issues in bullseye.

2 important issues:

CVE-2024-58134: Mojolicious versions from 0.999922 through 9.40 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.
CVE-2024-58135: Mojolicious versions from 7.28 through 9.40 for Perl may generate weak HMAC session secrets. When creating a default app with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys.

1 issue postponed or untriaged:

CVE-2021-47208: (postponed; to be fixed through a stable update) The Mojolicious module before 9.11 for Perl has a bug in format detection that can potentially be exploited for denial of service.

Created: 2025-05-03 Last update: 2025-05-13 16:30

1 security issue in buster high

There is 1 open security issue in buster.

1 important issue:

CVE-2021-47208: The Mojolicious module before 9.11 for Perl has a bug in format detection that can potentially be exploited for denial of service.

Created: 2024-04-08 Last update: 2024-06-28 11:38

2 low-priority security issues in bookworm low

There are 2 open security issues in bookworm.

2 issues left for the package maintainer to handle:

CVE-2024-58134: (needs triaging) Mojolicious versions from 0.999922 through 9.40 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.
CVE-2024-58135: (needs triaging) Mojolicious versions from 7.28 through 9.40 for Perl may generate weak HMAC session secrets. When creating a default app with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys.

You can find information about how to handle these issues in the security team's documentation.

Created: 2025-05-03 Last update: 2025-05-13 16:30

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.7.0).

Created: 2025-02-21 Last update: 2025-02-27 13:24

news

[2024-12-10] libmojolicious-perl 9.39+dfsg-1 MIGRATED to testing (Debian testing watch)
[2024-12-07] Accepted libmojolicious-perl 9.39+dfsg-1 (source) into unstable (gregor herrmann)
[2024-08-20] libmojolicious-perl 9.38+dfsg-1 MIGRATED to testing (Debian testing watch)
[2024-08-17] Accepted libmojolicious-perl 9.38+dfsg-1 (source) into unstable (gregor herrmann)
[2024-08-13] Accepted libmojolicious-perl 9.37+dfsg-2~bpo12+1 (source) into stable-backports (Philip Hands)
[2024-08-03] libmojolicious-perl 9.37+dfsg-2 MIGRATED to testing (Debian testing watch)
[2024-07-31] Accepted libmojolicious-perl 9.37+dfsg-2 (source) into unstable (Philip Hands)
[2024-06-28] Accepted libmojolicious-perl 8.12+dfsg-1.1~deb10u1 (source) into oldoldstable (Arturo Borrero Gonzalez)
[2024-05-17] libmojolicious-perl 9.37+dfsg-1 MIGRATED to testing (Debian testing watch)
[2024-05-15] Accepted libmojolicious-perl 9.37+dfsg-1 (source) into unstable (gregor herrmann)
[2024-04-23] Accepted libmojolicious-perl 9.36+dfsg-1~bpo12+2 (all source) into stable-backports (Debian FTP Masters) (signed by: Philip Hands)
[2024-03-26] libmojolicious-perl 9.36+dfsg-1 MIGRATED to testing (Debian testing watch)
[2024-03-24] Accepted libmojolicious-perl 9.36+dfsg-1 (source) into unstable (gregor herrmann)
[2023-11-06] libmojolicious-perl 9.35+dfsg-1 MIGRATED to testing (Debian testing watch)
[2023-10-28] Accepted libmojolicious-perl 9.35+dfsg-1 (source) into unstable (gregor herrmann)
[2023-10-02] libmojolicious-perl 9.34+dfsg-1 MIGRATED to testing (Debian testing watch)
[2023-09-29] Accepted libmojolicious-perl 9.34+dfsg-1 (source) into unstable (gregor herrmann)
[2023-08-14] libmojolicious-perl 9.33+dfsg-1 MIGRATED to testing (Debian testing watch)
[2023-08-11] Accepted libmojolicious-perl 9.33+dfsg-1 (source) into unstable (gregor herrmann)
[2022-12-25] libmojolicious-perl 9.31+dfsg-1 MIGRATED to testing (Debian testing watch)
[2022-12-22] Accepted libmojolicious-perl 9.31+dfsg-1 (source) into unstable (gregor herrmann)
[2022-10-18] libmojolicious-perl 9.28+dfsg-1 MIGRATED to testing (Debian testing watch)
[2022-10-15] Accepted libmojolicious-perl 9.28+dfsg-1 (source) into unstable (gregor herrmann)
[2022-09-21] libmojolicious-perl 9.27+dfsg-1 MIGRATED to testing (Debian testing watch)
[2022-09-21] libmojolicious-perl 9.27+dfsg-1 MIGRATED to testing (Debian testing watch)
[2022-09-17] Accepted libmojolicious-perl 9.27+dfsg-1 (source) into unstable (gregor herrmann)
[2022-06-13] libmojolicious-perl 9.26+dfsg-1 MIGRATED to testing (Debian testing watch)
[2022-05-27] Accepted libmojolicious-perl 9.26+dfsg-1 (source) into unstable (gregor herrmann)
[2022-05-07] Accepted libmojolicious-perl 9.25+dfsg-1 (source) into unstable (gregor herrmann)
[2022-04-25] libmojolicious-perl 9.24+dfsg-1 MIGRATED to testing (Debian testing watch)

1
2

bugs [bug history graph]

all: 3
RC: 0
I&N: 3
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 9.39+dfsg-1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers

Report problems to the tracker.debian.org pseudo-package in the Debian BTS.

Documentation — Bugs — Git Repository — Contributing