Hello recent Mojolicious uploaders, I'm looking at Mojolicious's two recent CVEs for Freexian's LTS effort. There are some open questions and I think that they are relevant to your work in sid.
It seems that Mojolicious upstream takes the view that application authors are responsible for configuring a secure session secret, and so the fact that the defaults are not cryptographically secure is not something to fix upstream.[1] Therefore, we probably can't expect a fix for CVE-2024-58134 to arrive upstream.

What do you think should happen in Debian? It seems like we could patch in secure key generation without too much difficulty. What do you think about doing that?

Thank you for reading.

[1] https://github.com/mojolicious/mojo/pull/2200#issuecomment-2408248209

--
Sean Whitton
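To make concrete what "secure key generation" looks like at the application level, here is an added Mojolicious::Lite example (not code from the Debian package, the mail, or upstream): it takes the secret from the kernel CSPRNG when no operator-provided one is set, and refuses to start if the secret still equals the app moniker, which is Mojolicious's documented fallback and the insecure default at issue. `MOJO_SESSION_SECRET` is a hypothetical setting name assumed for this example, not a real Mojolicious option, and `/dev/urandom` is assumed to exist.

```perl
#!/usr/bin/env perl
use Mojolicious::Lite -signatures;
use Mojo::Util qw(secure_compare);

# Generate a hex-encoded session secret from the kernel CSPRNG.
# Assumption: a Unix-style /dev/urandom is available.
sub random_secret ($bytes = 32) {
  open my $fh, '<:raw', '/dev/urandom' or die "Cannot open /dev/urandom: $!";
  (read($fh, my $buf, $bytes) // 0) == $bytes or die "Short read from /dev/urandom\n";
  close $fh;
  return unpack 'H*', $buf;
}

# True when the app still uses Mojolicious's fallback secret, which is the
# application moniker; this is the insecure default CVE-2024-58134 concerns.
sub uses_default_secret ($app) {
  return secure_compare($app->secrets->[0], $app->moniker);
}

# MOJO_SESSION_SECRET is a hypothetical operator-provided setting for this
# example; when absent, fall back to a fresh random secret, never the moniker.
app->secrets([$ENV{MOJO_SESSION_SECRET} // random_secret()]);
die "Refusing to start with the default session secret\n" if uses_default_secret(app());

get '/' => sub ($c) {
  my $visits = ($c->session('visits') // 0) + 1;
  $c->session(visits => $visits);
  $c->render(text => "Visits: $visits\n");
};

app->start;
```

Because a fresh secret is generated on every start, cookies signed by a previous instance become invalid after a restart or hot deploy; a persisted operator-configured secret avoids that while keeping the moniker check as a safety net.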
