Fedora has issued an advisory on October 12:
There are no details on the issue, but I think this announcement for 5.48 is probably related:
Mageia 3 and Mageia 4 are also affected.
Steps to Reproduce:
I have no idea what to do about this bug. The second link describes breakage in other modules. Not something I'd suggest. If this is the security issue they fixed then I'm not sure what to do next. I don't want to break working modules, especially if we can't detect which ones break and how bad :/
From the upstream discussion, it sounds like a serious issue. Fedora felt comfortable updating it. At the very least, Cauldron should be updated. If you want to give it some time to see how that goes before updating Mageia 4, we can do that. It just means we can't update Mageia 3. I can't imagine it'd have a huge impact though, especially as it's only required by perl-MojoX-Redis and perl-Test-WWW-Mechanize-Mojo and nothing requires those. Anyone using this module should be adapting to the upstream changes anyway to make sure they don't get unknowingly hit by this issue.
So, cauldron got updated to the latest version and I have uploaded 5.49 for Mageia 3 and 4.
For testing I found that they have "Getting Started" section on their homepage: http://mojolicio.us - as there is no POC it should be safe to just check that it still works.
David, maybe you can help with that :)
Updated packages in core/updates_testing:
Updated perl-Mojolicious package fixes security vulnerability:
An assumption in Mojolicious before 5.48 CGI parameter handling that can
result in parameter injection attacks.
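To make the advisory's wording concrete, here is an added Perl example (not code from this bug report, Mageia or the Mojolicious project) that simulates the general class of bug it names: a parameter accessor that returns every value in list context, used inside a hash constructor. The request parser, `old_param` and `new_param` are hypothetical stand-ins whose behaviour is an assumption of this example, and the query string is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed query string standing in for an incoming request:
# the client repeats "name" so that extra values ride along.
my $QUERY = 'role=user&name=alice&name=role&name=admin';

# Hypothetical helper: parse a query string into name => [values...].
sub parse_query {
    my ($q) = @_;
    my %p;
    for my $pair (split /&/, $q) {
        my ($k, $v) = split /=/, $pair, 2;
        push @{ $p{$k} }, defined $v ? $v : '';
    }
    return \%p;
}

# Assumed pre-fix contract: every value in list context, one value in
# scalar context. This is the "assumption" the advisory refers to.
sub old_param {
    my ($p, $name) = @_;
    my @v = @{ $p->{$name} || [] };
    return wantarray ? @v : $v[0];
}

# Assumed post-fix contract: always exactly one value, never a list.
sub new_param {
    my ($p, $name) = @_;
    my $v = $p->{$name} || [];
    return $v->[-1];
}

# Vulnerable: old_param is evaluated in list context inside the hash
# constructor, so the injected values become additional key/value
# pairs and the later "role" entry overwrites the trusted one.
sub build_record_vulnerable {
    my ($p) = @_;
    my %rec = (
        role => 'user',
        name => old_param($p, 'name'),
    );
    return \%rec;
}

# Hardened at the call site: force scalar context so only one value
# can ever enter the hash.
sub build_record_scalar {
    my ($p) = @_;
    my %rec = (
        role => 'user',
        name => scalar old_param($p, 'name'),
    );
    return \%rec;
}

# Hardened at the API: an accessor that cannot return a list removes
# the hazard from every call site at once.
sub build_record_fixed_api {
    my ($p) = @_;
    my %rec = (
        role => 'user',
        name => new_param($p, 'name'),
    );
    return \%rec;
}

my $p = parse_query($QUERY);
for my $case (
    [ vulnerable => build_record_vulnerable($p) ],
    [ scalar_ctx => build_record_scalar($p) ],
    [ fixed_api  => build_record_fixed_api($p) ],
) {
    my ($label, $rec) = @$case;
    printf "%-11s role=%s name=%s\n", $label, $rec->{role}, $rec->{name};
}
```

Run with `perl` to compare the three records: only the vulnerable builder ends up with a role the client chose. The second builder shows what an application author can do without touching the framework, the third shows why the upstream change (a single-value accessor) can break callers that relied on receiving a list, which is the "breakage in other modules" discussed above.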
Installed perl-Mojolicious-5.490.0-1.mga4.noarch on Mageia4-64.
I was able to do the test as referenced in Comment 3.
No problems encountered, apart from a warning to change the secret passphrase, which I didn't bother about.
Tested on Mageia3-64
Current package :
Update testing package :
using procedure mentioned in comment 3.
OK on mageia3-64 (same warning: "[debug] Your secret passphrase needs to be changed!!!" on both versions)
Validating for inclusion in mga3. Advisory uploaded.
Please push to updates
An update for this issue has been pushed to Mageia Updates repository.