Hi,

On Thu, May 22, 2025 at 10:49:56AM +0100, Sean Whitton wrote:
> Hello recent Mojolicious uploaders,
>
> I'm looking at Mojolicious's two recent CVEs for Freexian's LTS effort.
> There are some open questions and I think that they are relevant to your
> work in sid.
>
> It seems that Mojolicious upstream take the view that application
> authors are responsible for configuring a secure session secret and so
> the fact that these defaults are not cryptographically secure is not
> something to fix upstream.[1] Therefore, we probably can't expect a fix
> for CVE-2024-58134 to arrive upstream.
>
> What do you think should happen in Debian? It seems like we could patch
> in secure key generation without too much difficulty. What do you think
> about doing that?
Do "nothing" (for now) and mark the issue as <no-dsa> or its substate <ignored> for your older suites. We keep the status as it is for unstable and, once/if things change upstream, align it with those. The notes (and synced with people from CPAN security) sufficiently describe the situation in my opinion. In particular, for instance, CVE-2024-58135 is specific to covering the default static/guessable secret (and this does not change with having CryptX as an optional dependency in v3.39, for instance).

I'm though still Cc'ing again Stig Palmquist <s...@cpansec.org>, with whom I was in contact, to give his position on how those CVEs should be treated.

Regards,
Salvatore