
Fedora 41: perl-Mojolicious 9.39 critical: HMAC secret issue

fedora
May 21, 2025
Mojolicious versions 0.999922 through 9.39 for Perl ship with a built-in session secret; a fix is available.
Mojolicious versions from 0.999922 through 9.39 for Perl use a hard-coded string, or the application's class name, as the HMAC session secret by default.

Summary

Back in the early days of the web there was this wonderful Perl library called CGI, many people only learned Perl because of it. It was simple enough to get started without knowing much about the language and powerful enough to keep you going, learning by doing was much fun. While most of the techniques used are outdated now, the idea behind it is not. Mojolicious is a new attempt at implementing this idea using state of the art technology.

Update Information:

Mojolicious versions from 0.999922 through 9.39 for Perl use a hard-coded string, or the application's class name, as the HMAC session secret by default. Mojolicious 9.39 added EXPERIMENTAL support for encrypted session cookies. This feature is much more secure than signed cookies and can be enabled by installing CryptX and setting the encrypted attribute.
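The following startup configuration is an added example, not code from the advisory or from the Mojolicious project. It replaces the default secret with operator-supplied ones and turns on encrypted session cookies when CryptX is present. The environment variable name MYAPP_SESSION_SECRETS and the 32-character minimum are assumptions made for this example.

```perl
#!/usr/bin/env perl
use Mojolicious::Lite -signatures;

# Assumption: secrets arrive in a hypothetical environment variable as a
# comma-separated list, newest first. Mojolicious signs with the first
# entry and accepts all of them for verification, which allows rotation.
# A value can be generated with, for example: openssl rand -hex 32
my @secrets = grep { length } split /,/, $ENV{MYAPP_SESSION_SECRETS} // '';

# Fail closed: never fall back to the framework default, which is the
# predictable value this advisory is about.
die "MYAPP_SESSION_SECRETS is not set\n" unless @secrets;

for my $secret (@secrets) {
  # Assumed policy for this example: at least 32 characters.
  die "session secret is shorter than 32 characters\n"
    if length $secret < 32;

  # Reject values an outsider could guess from the application itself.
  die "session secret must not be the moniker or class name\n"
    if grep { $secret eq $_ } app->moniker, ref app;
}

app->secrets(\@secrets);

# Encrypted session cookies are EXPERIMENTAL in 9.39 and require CryptX.
if (eval { require CryptX; 1 }) {
  app->sessions->encrypted(1);
}
else {
  app->log->warn('CryptX not installed, session cookies are signed only');
}

# Minimal route that stores data in the session cookie.
get '/' => sub ($c) {
  my $visits = ($c->session('visits') // 0) + 1;
  $c->session(visits => $visits);
  $c->render(text => "visits: $visits");
};

app->start;
```

Changing the secrets invalidates existing session cookies unless the previous secret is kept later in the list for a transition period.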

Change Log

* Sun Nov 24 2024 Emmanuel Seyman - 9.39-1
- Update to 9.39
* Sun Sep 1 2024 Emmanuel Seyman - 9.38-1
- Update to 9.38

References


[ 1 ] Bug #2364057 - CVE-2024-58134 perl-Mojolicious: Mojolicious versions from 0.999922 through 9.39 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default [fedora-40]
https://bugzilla.redhat.com/show_bug.cgi?id=2364057

[ 2 ] Bug #2364058 - CVE-2024-58134 perl-Mojolicious: Mojolicious versions from 0.999922 through 9.39 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2364058

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-c38fd06bec' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

Severity
critical

Name: perl-Mojolicious
Product: Fedora 41
Version: 9.39
Release: 1.fc41
Summary: A next generation web framework for Perl
