Your message dated Mon, 06 Jul 2026 19:18:40 +0000
with message-id <[email protected]>
and subject line Bug#1141586: fixed in libmojolicious-perl 9.47+dfsg-1
has caused the Debian Bug report #1141586,
regarding libmojolicious-perl: CVE-2026-14803
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1141586: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1141586
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libmojolicious-perl
Version: 9.46+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libmojolicious-perl.

CVE-2026-14803[0]:
| Mojo::JSON versions before 9.47 for Perl allow memory exhaustion via
| unbounded recursion in the pure-Perl decoder.  The pure-Perl decode
| path (`_decode_value` dispatching to `_decode_array` and
| `_decode_object`) recurses with no depth limit, so a small deeply
| nested JSON document can consume excessive memory.  This path is the
| default when Cpanel::JSON::XS is not installed or
| `MOJO_NO_JSON_XS=1` is set; the Cpanel::JSON::XS fast path is not
| affected.  Any caller that decodes an untrusted JSON body, for
| example `Mojo::Message::json` reached through `$c->req->json`, can
| exhaust process memory and cause denial of service.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-14803
    https://www.cve.org/CVERecord?id=CVE-2026-14803
[1] https://lists.security.metacpan.org/cve-announce/msg/41564627/
[2] 
https://github.com/mojolicious/mojo/commit/cc38b0554275c4d84f6b8b49bcbbc1bec2068fe1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libmojolicious-perl
Source-Version: 9.47+dfsg-1
Done: gregor herrmann <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libmojolicious-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann <[email protected]> (supplier of updated libmojolicious-perl 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 06 Jul 2026 20:57:50 +0200
Source: libmojolicious-perl
Architecture: source
Version: 9.47+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <[email protected]>
Changed-By: gregor herrmann <[email protected]>
Closes: 1141586
Changes:
 libmojolicious-perl (9.47+dfsg-1) unstable; urgency=medium
 .
   * Import upstream version 9.47+dfsg.
     - Fixed a security issue where the pure-Perl implementation of Mojo::JSON
       could exhaust all available memory when decoding deeply nested data.
       Decoding is now limited to 512 levels of nesting, to match the default
       of Cpanel::JSON::XS.
       CVE-2026-14803
     Closes: #1141586
   * Update years of upstream copyright.
Checksums-Sha1:
 cff022e9ce1afefe1c27c16f159356d1aae9ec2a 2884 
libmojolicious-perl_9.47+dfsg-1.dsc
 1c716274e6c08a68ddfbf4beeb1e6a1ced1e5215 621588 
libmojolicious-perl_9.47+dfsg.orig.tar.xz
 90b735216b00c60bcc6c1326a63028b294550502 18504 
libmojolicious-perl_9.47+dfsg-1.debian.tar.xz
Checksums-Sha256:
 48551b31d447093e742be25bdab89975efec76320999dd253f2d186cd38d377c 2884 
libmojolicious-perl_9.47+dfsg-1.dsc
 dc9980820fb676f3b81a1a0ab143e280ee5efd7a129a62f8927c97e446cb724d 621588 
libmojolicious-perl_9.47+dfsg.orig.tar.xz
 4618ad0d4a32b86d57342611881afa85dbc39e4347c207348c87aebcefc909f5 18504 
libmojolicious-perl_9.47+dfsg-1.debian.tar.xz
Files:
 e80edaad4c328929ef82f0fa1a797aab 2884 perl optional 
libmojolicious-perl_9.47+dfsg-1.dsc
 24dca4e8e909b34831bd82ca28731b12 621588 perl optional 
libmojolicious-perl_9.47+dfsg.orig.tar.xz
 2f23328c1d633552007b22d48915763f 18504 perl optional 
libmojolicious-perl_9.47+dfsg-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE0eExbpOnYKgQTYX6uzpoAYZJqgYFAmpL+9xfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEQx
RTEzMTZFOTNBNzYwQTgxMDREODVGQUJCM0E2ODAxODY0OUFBMDYACgkQuzpoAYZJ
qgaBdw//b7DftdxHIt6BmxR8bLaOSZSlaWIR5ZfVKcTtSc/qztQjLaFN/hyeGU3P
ov7q+e5fXlFRzlHxdXp/gWrFinoHGgienIZcMMbf22SYY1Bw2QKb7JBlQtc2Ecwf
zMxAelKoV9DhiIYMGDR2hlFo5nzevVYjJWLW/XlS0ng5OvoAxlJJk1TE2dubm1Tv
g9Iq0VvLnnjTZ0TvDhjslk8FhJWD86bQ9idvWkO25BVsZ0zoc7/4Mi/6L4vUf0wE
W0JdgpzHl5gqkBeFH7sQIX4YeUH+34Z5e0QNyxselsiQmZGfF2q/GYs26pF/Ga5D
qrim4hsKbrzaTkOeLOc5MiP/Q4ZBRDD/cjMhQ1joVvUhBesV4yB6XOscmy5KpAPY
bmp0z2qBo8RYqmUX1ZsCJVvQ57Hs8HvDLrFHIU1Z916beQqrLMkQJVKAsq3H2xhK
rJFO2RzQMIaYb+Ofnn8A4Y4XRoxNfm8xL3HboN+aMOPlE91+OgUnWBaZh4ZdHn2M
03v0HshzhudHpz88TDkKu8fqY1QQ5XX9R+QJduSZbaThyrN9HeQULcS3oFDbNla9
Iec7CBgOn45oA9EyjrtDU7YyYOIBRvjksANOnIuNUZ44IqoeDCBlPDdYPIg7RzcP
ca87uYKQlrf0iUxocer35YTswJGsOS2Ec1jfNSsam0OJlBcRYWc=
=kGWp
-----END PGP SIGNATURE-----

Attachment: pgpdTPn610Wtv.pgp
Description: PGP signature


--- End Message ---

Reply via email to