Bug#942851: perl-modules-5.30: CPAN.pm is insecure by default, no warnings
Vincent Lefevre
vincent at vinc17.net
Tue Oct 22 11:36:14 BST 2019
Package: perl-modules-5.30
Version: 5.30.0-8
Severity: grave
Tags: security
Justification: user security hole
I've just found that CPAN.pm does not check signatures by default:
'check_sigs' => q[0],
Moreover, it downloads files using http, not https.
The combination of both issues makes it very insecure, with a possible
remote attack!
And there are no warnings about that.
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.3.0-1-amd64 (SMP w/12 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=POSIX (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages perl-modules-5.30 depends on:
ii dpkg 1.19.7
ii perl-base 5.30.0-8
Versions of packages perl-modules-5.30 recommends:
ii perl 5.30.0-8
perl-modules-5.30 suggests no packages.
-- no debconf information
--
Vincent Lefèvre <vincent at vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
More information about the Perl-maintainers
mailing list