Processing control commands:
> severity -1 important
Bug #942851 [src:perl] perl: CPAN.pm is insecure by default, no warnings
Severity set to 'important' from 'grave'
--
942851: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942851
Debian Bug Tracking System
Contact ow...@bugs.debian.org

Control: severity -1 important
On Wed, Oct 23, 2019 at 11:22:47PM +0200, Moritz Muehlenhoff wrote:
> On Wed, Oct 23, 2019 at 10:20:04PM +0300, Niko Tyni wrote:
> > Control: reassign -1 src:perl
> > Control: found -1 5.20.2-3
> >
> > On Tue, Oct 22, 2019 at 12:36:14PM +0200, Vincent Lefevre

Control: tags -1 + upstream
Control: forwarded -1 https://rt.cpan.org/Public/Bug/Display.html?id=130819
On 2019-10-24 11:00:28 +0200, Vincent Lefevre wrote:
> However, with the default urllist value, it is downloaded using http
> (not https). One needs to set urllist to
>
>

Processing control commands:
> tags -1 + upstream
Bug #942851 [src:perl] perl: CPAN.pm is insecure by default, no warnings
Added tag(s) upstream.
> forwarded -1 https://rt.cpan.org/Public/Bug/Display.html?id=130819
Bug #942851 [src:perl] perl: CPAN.pm is insecure by default, no warnings
Set Bug

On 2019-10-23 22:20:04 +0300, Niko Tyni wrote:
> So as I understand this, verifying CHECKSUMS would be the thing to do,
> and setting 'check_sigs' wouldn't really help (only deployed partially
> and no web of trust to the module authors).
Indeed, and even if check_sigs is set, it is ignored if

On 2019-10-23 22:20:04 +0300, Niko Tyni wrote:
> FWIW this has been the case since forever.
Yes, but almost no-one knows about this security issue. Using the
CPAN client is generally recommended on the web, but I have never
seen any mention of this security issue, not even on the cpan website:

On Wed, Oct 23, 2019 at 10:20:04PM +0300, Niko Tyni wrote:
> Control: reassign -1 src:perl
> Control: found -1 5.20.2-3
>
> On Tue, Oct 22, 2019 at 12:36:14PM +0200, Vincent Lefevre wrote:
> > Package: perl-modules-5.30
> > Version: 5.30.0-8
> > Severity: grave
> > Tags: security
> >

Processing control commands:
> reassign -1 src:perl
Bug #942851 [perl-modules-5.30] perl-modules-5.30: CPAN.pm is insecure by default, no warnings
Bug reassigned from package 'perl-modules-5.30' to 'src:perl'.
No longer marked as found in versions perl/5.30.0-8.
Ignoring request to alter fixed

Control: reassign -1 src:perl
Control: found -1 5.20.2-3
On Tue, Oct 22, 2019 at 12:36:14PM +0200, Vincent Lefevre wrote:
> Package: perl-modules-5.30
> Version: 5.30.0-8
> Severity: grave
> Tags: security
> Justification: user security hole
>
> I've just found that CPAN.pm does not check

Package: perl-modules-5.30
Version: 5.30.0-8
Severity: grave
Tags: security
Justification: user security hole
I've just found that CPAN.pm does not check signatures by default:
'check_sigs' => q[0],
Moreover, it downloads files using http, not https.
The combination of both issues makes it