Debian Package Tracker
Register | Log in
Subscribe

libmojolicious-perl

simple, yet powerful, Web Application Framework

Choose email to subscribe with

general
  • source: libmojolicious-perl (main)
  • version: 9.48+dfsg-1
  • maintainer: Debian Perl Group (archive) (DMD) (LowNMU)
  • uploaders: Philip Hands [DMD] – gregor herrmann [DMD] – Angel Abad [DMD] – Dominique Dumont [DMD] – CSILLAG Tamas [DMD] – Nick Morrott [DMD]
  • arch: all
  • std-ver: 4.7.4
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 8.71+dfsg-1
  • oldstable: 9.31+dfsg-1
  • old-bpo: 9.37+dfsg-2~bpo12+1
  • stable: 9.39+dfsg-1
  • stable-bpo: 9.42+dfsg-1~bpo13+2
  • testing: 9.47+dfsg-1
  • unstable: 9.48+dfsg-1
versioned links
  • 8.71+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 9.31+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 9.37+dfsg-2~bpo12+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 9.39+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 9.42+dfsg-1~bpo13+2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 9.47+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 9.48+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • libmojolicious-perl (1 bugs: 0, 1, 0, 0)
action needed
4 security issues in trixie high

There are 4 open security issues in trixie.

1 important issue:
  • CVE-2026-15747: Mojolicious versions from 4.59 before 9.48 for Perl expose a stable representation of the session CSRF token to a BREACH compression oracle. _csrf_token generates and caches one token per session and returns the same value on every call, and _csrf_field places that value in a hidden `csrf_token` input. When a response carrying the token also echoes attacker-controlled input and is gzip-compressed, the chosen values and the resulting compressed lengths form a BREACH oracle. An attacker able to query it can recover the token and pass csrf_protect validation.
3 issues left for the package maintainer to handle:
  • CVE-2024-58134: (needs triaging) Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application's class name, as an HMAC session cookie secret by default. These predictable default secrets can be exploited by an attacker to forge session cookies.  An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.
  • CVE-2024-58135: (needs triaging) Mojolicious versions from 7.28 through 9.45 for Perl will generate weak HMAC session cookie secrets via "mojo generate app" by default. When creating a default app skeleton with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys. Release 9.46 fixes the issue by providing high quality randomness, even in absence of CryptX. Users should be aware that the update does not replace previously generated weak secrets. A secret generated with the previous version MUST be replaced to ensure the updated version is using a strong secret.
  • CVE-2026-14803: (needs triaging) Mojo::JSON versions before 9.47 for Perl allow memory exhaustion via unbounded recursion in the pure-Perl decoder. The pure-Perl decode path (`_decode_value` dispatching to `_decode_array` and `_decode_object`) recurses with no depth limit, so a small deeply nested JSON document can consume excessive memory. This path is the default when Cpanel::JSON::XS is not installed or `MOJO_NO_JSON_XS=1` is set; the Cpanel::JSON::XS fast path is not affected. Any caller that decodes an untrusted JSON body, for example `Mojo::Message::json` reached through `$c->req->json`, can exhaust process memory and cause denial of service.

You can find information about how to handle these issues in the security team's documentation.

Created: 2025-05-03 Last update: 2026-07-15 22:00
2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:
  • CVE-2024-58134: Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application's class name, as an HMAC session cookie secret by default. These predictable default secrets can be exploited by an attacker to forge session cookies.  An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.
  • CVE-2024-58135: Mojolicious versions from 7.28 through 9.45 for Perl will generate weak HMAC session cookie secrets via "mojo generate app" by default. When creating a default app skeleton with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys. Release 9.46 fixes the issue by providing high quality randomness, even in absence of CryptX. Users should be aware that the update does not replace previously generated weak secrets. A secret generated with the previous version MUST be replaced to ensure the updated version is using a strong secret.
Created: 2025-05-03 Last update: 2026-07-15 22:00
3 security issues in forky high

There are 3 open security issues in forky.

3 important issues:
  • CVE-2024-58134: Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application's class name, as an HMAC session cookie secret by default. These predictable default secrets can be exploited by an attacker to forge session cookies.  An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.
  • CVE-2024-58135: Mojolicious versions from 7.28 through 9.45 for Perl will generate weak HMAC session cookie secrets via "mojo generate app" by default. When creating a default app skeleton with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys. Release 9.46 fixes the issue by providing high quality randomness, even in absence of CryptX. Users should be aware that the update does not replace previously generated weak secrets. A secret generated with the previous version MUST be replaced to ensure the updated version is using a strong secret.
  • CVE-2026-15747: Mojolicious versions from 4.59 before 9.48 for Perl expose a stable representation of the session CSRF token to a BREACH compression oracle. _csrf_token generates and caches one token per session and returns the same value on every call, and _csrf_field places that value in a hidden `csrf_token` input. When a response carrying the token also echoes attacker-controlled input and is gzip-compressed, the chosen values and the resulting compressed lengths form a BREACH oracle. An attacker able to query it can recover the token and pass csrf_protect validation.
Created: 2025-08-09 Last update: 2026-07-15 22:00
5 security issues in bullseye high

There are 5 open security issues in bullseye.

1 important issue:
  • CVE-2026-15747: Mojolicious versions from 4.59 before 9.48 for Perl expose a stable representation of the session CSRF token to a BREACH compression oracle. _csrf_token generates and caches one token per session and returns the same value on every call, and _csrf_field places that value in a hidden `csrf_token` input. When a response carrying the token also echoes attacker-controlled input and is gzip-compressed, the chosen values and the resulting compressed lengths form a BREACH oracle. An attacker able to query it can recover the token and pass csrf_protect validation.
2 issues postponed or untriaged:
  • CVE-2024-58135: (postponed; to be fixed through a stable update) Mojolicious versions from 7.28 through 9.45 for Perl will generate weak HMAC session cookie secrets via "mojo generate app" by default. When creating a default app skeleton with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys. Release 9.46 fixes the issue by providing high quality randomness, even in absence of CryptX. Users should be aware that the update does not replace previously generated weak secrets. A secret generated with the previous version MUST be replaced to ensure the updated version is using a strong secret.
  • CVE-2026-14803: (postponed; to be fixed through a stable update) Mojo::JSON versions before 9.47 for Perl allow memory exhaustion via unbounded recursion in the pure-Perl decoder. The pure-Perl decode path (`_decode_value` dispatching to `_decode_array` and `_decode_object`) recurses with no depth limit, so a small deeply nested JSON document can consume excessive memory. This path is the default when Cpanel::JSON::XS is not installed or `MOJO_NO_JSON_XS=1` is set; the Cpanel::JSON::XS fast path is not affected. Any caller that decodes an untrusted JSON body, for example `Mojo::Message::json` reached through `$c->req->json`, can exhaust process memory and cause denial of service.
2 ignored issues:
  • CVE-2021-47208: The Mojolicious module before 9.11 for Perl has a bug in format detection that can potentially be exploited for denial of service.
  • CVE-2024-58134: Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application's class name, as an HMAC session cookie secret by default. These predictable default secrets can be exploited by an attacker to forge session cookies.  An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.
Created: 2026-07-14 Last update: 2026-07-15 22:00
4 security issues in bookworm high

There are 4 open security issues in bookworm.

1 important issue:
  • CVE-2026-15747: Mojolicious versions from 4.59 before 9.48 for Perl expose a stable representation of the session CSRF token to a BREACH compression oracle. _csrf_token generates and caches one token per session and returns the same value on every call, and _csrf_field places that value in a hidden `csrf_token` input. When a response carrying the token also echoes attacker-controlled input and is gzip-compressed, the chosen values and the resulting compressed lengths form a BREACH oracle. An attacker able to query it can recover the token and pass csrf_protect validation.
3 issues left for the package maintainer to handle:
  • CVE-2024-58134: (needs triaging) Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application's class name, as an HMAC session cookie secret by default. These predictable default secrets can be exploited by an attacker to forge session cookies.  An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.
  • CVE-2024-58135: (needs triaging) Mojolicious versions from 7.28 through 9.45 for Perl will generate weak HMAC session cookie secrets via "mojo generate app" by default. When creating a default app skeleton with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys. Release 9.46 fixes the issue by providing high quality randomness, even in absence of CryptX. Users should be aware that the update does not replace previously generated weak secrets. A secret generated with the previous version MUST be replaced to ensure the updated version is using a strong secret.
  • CVE-2026-14803: (postponed; to be fixed through a stable update) Mojo::JSON versions before 9.47 for Perl allow memory exhaustion via unbounded recursion in the pure-Perl decoder. The pure-Perl decode path (`_decode_value` dispatching to `_decode_array` and `_decode_object`) recurses with no depth limit, so a small deeply nested JSON document can consume excessive memory. This path is the default when Cpanel::JSON::XS is not installed or `MOJO_NO_JSON_XS=1` is set; the Cpanel::JSON::XS fast path is not affected. Any caller that decodes an untrusted JSON body, for example `Mojo::Message::json` reached through `$c->req->json`, can exhaust process memory and cause denial of service.

You can find information about how to handle these issues in the security team's documentation.

Created: 2025-05-03 Last update: 2026-07-15 22:00
1 security issue in buster high

There is 1 open security issue in buster.

1 important issue:
  • CVE-2021-47208: The Mojolicious module before 9.11 for Perl has a bug in format detection that can potentially be exploited for denial of service.
Created: 2024-04-08 Last update: 2024-06-28 11:38
testing migrations
  • excuses:
    • Migration status for libmojolicious-perl (9.47+dfsg-1 to 9.48+dfsg-1): BLOCKED: Rejected/violates migration policy/introduces a regression
    • Issues preventing migration:
    • ∙ ∙ Autopkgtest for libmojolicious-perl/9.48+dfsg-1: amd64: Pass, arm64: Pass, armhf: Pass, i386: Pass, loong64: Pass, ppc64el: Pass, riscv64: Pass, s390x: Pass
    • ∙ ∙ Autopkgtest for openqa/5.1782486535.1bf71ec48-8: amd64: Regression ♻ (reference ♻), arm64: Regression ♻ (reference ♻), armhf: Regression ♻ (reference ♻), i386: Regression ♻ (reference ♻), loong64: Regression ♻ (reference ♻), ppc64el: Regression ♻ (reference ♻), riscv64: Failed (not a regression) ♻ (reference ♻), s390x: Regression ♻ (reference ♻)
    • ∙ ∙ Too young, only 2 of 5 days old
    • Additional info (not blocking):
    • ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/libm/libmojolicious-perl.html
    • ∙ ∙ Reproduced on amd64 - info
    • ∙ ∙ Reproduced on arm64 - info
    • ∙ ∙ Reproduced on armhf - info
    • ∙ ∙ Reproduced on i386 - info
    • Not considered
news
[rss feed]
  • [2026-07-15] Accepted libmojolicious-perl 9.48+dfsg-1 (source) into unstable (gregor herrmann)
  • [2026-07-09] libmojolicious-perl 9.47+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2026-07-06] Accepted libmojolicious-perl 9.47+dfsg-1 (source) into unstable (gregor herrmann)
  • [2026-06-16] libmojolicious-perl 9.46+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2026-06-14] Accepted libmojolicious-perl 9.46+dfsg-1 (source) into unstable (gregor herrmann)
  • [2026-05-14] libmojolicious-perl 9.45+dfsg-2 MIGRATED to testing (Debian testing watch)
  • [2026-05-09] Accepted libmojolicious-perl 9.45+dfsg-2 (source) into unstable (gregor herrmann)
  • [2026-05-08] Accepted libmojolicious-perl 9.45+dfsg-1 (source) into unstable (gregor herrmann)
  • [2026-05-03] Accepted libmojolicious-perl 9.42+dfsg-1~bpo13+2 (all source) into stable-backports (Debian FTP Masters) (signed by: Philip Hands)
  • [2025-12-25] libmojolicious-perl 9.42+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2025-12-23] Accepted libmojolicious-perl 9.42+dfsg-1 (source) into unstable (gregor herrmann)
  • [2024-12-10] libmojolicious-perl 9.39+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2024-12-07] Accepted libmojolicious-perl 9.39+dfsg-1 (source) into unstable (gregor herrmann)
  • [2024-08-20] libmojolicious-perl 9.38+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2024-08-17] Accepted libmojolicious-perl 9.38+dfsg-1 (source) into unstable (gregor herrmann)
  • [2024-08-13] Accepted libmojolicious-perl 9.37+dfsg-2~bpo12+1 (source) into stable-backports (Philip Hands)
  • [2024-08-03] libmojolicious-perl 9.37+dfsg-2 MIGRATED to testing (Debian testing watch)
  • [2024-07-31] Accepted libmojolicious-perl 9.37+dfsg-2 (source) into unstable (Philip Hands)
  • [2024-06-28] Accepted libmojolicious-perl 8.12+dfsg-1.1~deb10u1 (source) into oldoldstable (Arturo Borrero Gonzalez)
  • [2024-05-17] libmojolicious-perl 9.37+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2024-05-15] Accepted libmojolicious-perl 9.37+dfsg-1 (source) into unstable (gregor herrmann)
  • [2024-04-23] Accepted libmojolicious-perl 9.36+dfsg-1~bpo12+2 (all source) into stable-backports (Debian FTP Masters) (signed by: Philip Hands)
  • [2024-03-26] libmojolicious-perl 9.36+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2024-03-24] Accepted libmojolicious-perl 9.36+dfsg-1 (source) into unstable (gregor herrmann)
  • [2023-11-06] libmojolicious-perl 9.35+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2023-10-28] Accepted libmojolicious-perl 9.35+dfsg-1 (source) into unstable (gregor herrmann)
  • [2023-10-02] libmojolicious-perl 9.34+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2023-09-29] Accepted libmojolicious-perl 9.34+dfsg-1 (source) into unstable (gregor herrmann)
  • [2023-08-14] libmojolicious-perl 9.33+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2023-08-11] Accepted libmojolicious-perl 9.33+dfsg-1 (source) into unstable (gregor herrmann)
  • 1
  • 2
bugs [bug history graph]
  • all: 3
  • RC: 0
  • I&N: 3
  • M&W: 0
  • F&P: 0
  • patch: 0
links
  • homepage
  • lintian
  • buildd: logs, reproducibility
  • popcon
  • browse source code
  • other distros
  • security tracker
  • debian patches
  • debci
ubuntu Ubuntu logo [Information about Ubuntu for Debian Developers]
  • version: 9.46+dfsg-1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.
Documentation — Bugs — Git Repository — Contributing