Bug#942851: perl-modules-5.30: CPAN.pm is insecure by default, no warnings

2022-02-22 Thread Vincent Lefevre
Now, there's CVE-2020-16156. If this bug had been fixed, the vulnerability would have been avoided.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16156
http://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html

-- 
Vincent Lefèvre - Web:

Bug#942851: perl-modules-5.30: CPAN.pm is insecure by default, no warnings

2019-10-26 Thread Niko Tyni
Control: tag -1 upstream

On Sat, Oct 26, 2019 at 03:23:43PM +0200, Vincent Lefevre wrote:
> On 2019-10-26 15:45:28 +0300, Niko Tyni wrote:
> > I understand the CHECKSUMS files are PGP signed by the CPAN archive.
> > I was referring to verifying these signatures. Whether the download
> > is https

Bug#942851: perl-modules-5.30: CPAN.pm is insecure by default, no warnings

2019-10-26 Thread Vincent Lefevre
On 2019-10-26 15:45:28 +0300, Niko Tyni wrote:
> I understand the CHECKSUMS files are PGP signed by the CPAN archive.
> I was referring to verifying these signatures. Whether the download
> is https or not is not relevant for that verification.

This is not documented and the signature does not

Bug#942851: perl-modules-5.30: CPAN.pm is insecure by default, no warnings

2019-10-26 Thread Niko Tyni
On Thu, Oct 24, 2019 at 11:00:28AM +0200, Vincent Lefevre wrote:
> On 2019-10-23 22:20:04 +0300, Niko Tyni wrote:
> > So as I understand this, verifying CHECKSUMS would be the thing to do,
> > and setting 'check_sigs' wouldn't really help (only deployed partially
> > and no web of trust to the

Bug#942851: perl-modules-5.30: CPAN.pm is insecure by default, no warnings

2019-10-26 Thread Niko Tyni
Control: severity -1 important

On Wed, Oct 23, 2019 at 11:22:47PM +0200, Moritz Muehlenhoff wrote:
> On Wed, Oct 23, 2019 at 10:20:04PM +0300, Niko Tyni wrote:
> > Control: reassign -1 src:perl
> > Control: found -1 5.20.2-3
> > 
> > On Tue, Oct 22, 2019 at 12:36:14PM +0200, Vincent Lefevre

Bug#942851: perl-modules-5.30: CPAN.pm is insecure by default, no warnings

2019-10-25 Thread Vincent Lefevre
Control: tags -1 + upstream
Control: forwarded -1 https://rt.cpan.org/Public/Bug/Display.html?id=130819

On 2019-10-24 11:00:28 +0200, Vincent Lefevre wrote:
> However, with the default urllist value, it is downloaded using http
> (not https). One needs to set urllist to
> 

Bug#942851: perl-modules-5.30: CPAN.pm is insecure by default, no warnings

2019-10-24 Thread Vincent Lefevre
On 2019-10-23 22:20:04 +0300, Niko Tyni wrote:
> So as I understand this, verifying CHECKSUMS would be the thing to do,
> and setting 'check_sigs' wouldn't really help (only deployed partially
> and no web of trust to the module authors).

Indeed, and even if check_sigs is set, it is ignored if

Bug#942851: perl-modules-5.30: CPAN.pm is insecure by default, no warnings

2019-10-24 Thread Vincent Lefevre
On 2019-10-23 22:20:04 +0300, Niko Tyni wrote:
> FWIW this has been the case since forever.

Yes, but almost no-one knows about this security issue. Using the CPAN client is generally recommended on the web, but I have never seen any mention of this security issue, not even on the cpan website:

Bug#942851: perl-modules-5.30: CPAN.pm is insecure by default, no warnings

2019-10-23 Thread Moritz Muehlenhoff
On Wed, Oct 23, 2019 at 10:20:04PM +0300, Niko Tyni wrote:
> Control: reassign -1 src:perl
> Control: found -1 5.20.2-3
> 
> On Tue, Oct 22, 2019 at 12:36:14PM +0200, Vincent Lefevre wrote:
> > Package: perl-modules-5.30
> > Version: 5.30.0-8
> > Severity: grave
> > Tags: security
> > 

Bug#942851: perl-modules-5.30: CPAN.pm is insecure by default, no warnings

2019-10-23 Thread Niko Tyni
Control: reassign -1 src:perl
Control: found -1 5.20.2-3

On Tue, Oct 22, 2019 at 12:36:14PM +0200, Vincent Lefevre wrote:
> Package: perl-modules-5.30
> Version: 5.30.0-8
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> I've just found that CPAN.pm does not check

Bug#942851: perl-modules-5.30: CPAN.pm is insecure by default, no warnings

2019-10-22 Thread Vincent Lefevre
Package: perl-modules-5.30
Version: 5.30.0-8
Severity: grave
Tags: security
Justification: user security hole

I've just found that CPAN.pm does not check signatures by default:

'check_sigs' => q[0],

Moreover, it downloads files using http, not https. The combination of both issues makes it
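The two settings the report is about, side by side, as an added example that is not code from the bug report, from Debian, or from CPAN.pm itself. It writes the shipped default (check_sigs off, http mirror) and a hardened variant in the form ~/.cpan/CPAN/MyConfig.pm uses, and adds a small audit routine that flags those two weaknesses in any CPAN config hash. The https mirror URL and the gpg path are assumptions; substitute your own.

```perl
#!/usr/bin/perl
# Added example, not part of the bug report or of CPAN.pm: the report's two
# settings side by side in MyConfig.pm form, plus an audit of a config hash.
# Mirror URL and gpg path below are assumptions, not values from the thread.
use strict;
use warnings;

# Shipped default as quoted in the report: signatures are not checked and the
# mirror is plain http. Tarball and CHECKSUMS both travel unauthenticated, so
# an on-path attacker can replace them together and the client notices nothing.
my %insecure_default = (
    'check_sigs' => q[0],
    'urllist'    => [q[http://www.cpan.org/]],
);

# Hardened: check_sigs => 1 makes CPAN.pm verify a distribution's SIGNATURE
# file through Module::Signature (both Module::Signature and gpg must be
# installed); an https mirror protects tarball and CHECKSUMS in transit.
my %hardened = (
    'check_sigs' => q[1],
    'urllist'    => [q[https://cpan.metacpan.org/]],   # assumed mirror
    'gpg'        => q[/usr/bin/gpg],                   # assumed path
);

# Return a list of findings for a CPAN config hash (e.g. $CPAN::Config).
sub audit_cpan_config {
    my ($cfg) = @_;
    my @findings;

    # q[0] is the string "0", which is false in Perl, so this catches the
    # default exactly as it appears in MyConfig.pm.
    push @findings,
        'check_sigs is off: distribution SIGNATURE files are never verified'
        unless $cfg->{check_sigs};

    # Every mirror that is not https (or a local file: mirror) lets a network
    # attacker serve a modified tarball and a matching CHECKSUMS file.
    for my $url (@{ $cfg->{urllist} || [] }) {
        push @findings, "urllist entry is not https: $url"
            unless $url =~ m{\Ahttps://}i || $url =~ m{\Afile:}i;
    }
    return @findings;
}

# Run the audit over both configs so the difference is visible.
for my $pair ([ 'shipped default' => \%insecure_default ],
              [ 'hardened'        => \%hardened ]) {
    my ($label, $cfg) = @$pair;
    my @findings = audit_cpan_config($cfg);
    print "$label: ", (@findings ? "\n  " . join("\n  ", @findings)
                                 : 'no findings'), "\n";
}
```

To apply the hardened values to a real installation from the cpan shell, set `o conf check_sigs 1`, drop the http entries from `urllist` (`o conf urllist shift` removes the first one) and add the https mirror with `o conf urllist push https://...`, then `o conf commit`. Two caveats the thread itself raises: `check_sigs` only covers distributions whose authors ship a SIGNATURE file and gives no web of trust to those authors, and neither setting makes CPAN.pm verify the PGP signature the CPAN archive puts on the CHECKSUMS files, which is the check the thread says would actually be the thing to do.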