Bug#942851: perl-modules-5.30: CPAN.pm is insecure by default, no warnings

Niko Tyni ntyni at debian.org
Sat Oct 26 13:40:16 BST 2019


Control: severity -1 important

On Wed, Oct 23, 2019 at 11:22:47PM +0200, Moritz Muehlenhoff wrote:
> On Wed, Oct 23, 2019 at 10:20:04PM +0300, Niko Tyni wrote:
> > Control: reassign -1 src:perl
> > Control: found -1 5.20.2-3
> > 
> > On Tue, Oct 22, 2019 at 12:36:14PM +0200, Vincent Lefevre wrote:
> > > Package: perl-modules-5.30
> > > Version: 5.30.0-8
> > > Severity: grave
> > > Tags: security
> > > Justification: user security hole
> > > 
> > > I've just found that CPAN.pm does not check signatures by default:
> > > 
> > >   'check_sigs' => q[0],
> > > 
> > > Moreover, it downloads files using http, not https.
> > > 
> > > The combination of both issues makes it very insecure, with a possible
> > > remote attack!
> > > 
> > > And there are no warnings about that.

> From my PoV, people are free to work with upstream to get that fixed, but
> there's no reason to treat this as an RC bug.

Thanks. I'm lowering the severity.
-- 
Niko Tyni   ntyni at debian.org
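As an added illustration of the two settings the bug report objects to (not code from the report, from Debian, or from CPAN.pm itself), the following Perl script takes a configuration hash in the same shape CPAN.pm writes to CPAN/Config.pm or ~/.cpan/CPAN/MyConfig.pm and flags a disabled check_sigs and any urllist mirror fetched over plaintext http://. Both hashes in it are constructed samples; the "weak" one mirrors the defaults quoted above, the "hardened" one is the equivalent a practitioner would want.

```perl
#!/usr/bin/perl
# Added example, not part of the bug report or of CPAN.pm: audit a CPAN.pm
# configuration hash for the two weaknesses named in the report,
# check_sigs disabled and plaintext http:// mirrors in urllist.
use strict;
use warnings;

# Constructed sample: the insecure defaults the report complains about.
my $weak = {
    'check_sigs' => q[0],
    'urllist'    => [q[http://www.cpan.org/]],
};

# Constructed sample: the hardened equivalent. check_sigs only does
# something if Module::Signature and a PGP implementation are installed,
# so that the PGP-signed CHECKSUMS files from PAUSE can be verified.
my $hardened = {
    'check_sigs' => q[1],
    'urllist'    => [q[https://www.cpan.org/]],
};

# Return a list of human-readable findings; an empty list means nothing
# was flagged. A missing check_sigs key is treated as off, which is
# CPAN.pm's default.
sub audit_cpan_config {
    my ($conf) = @_;
    my @findings;

    my $sigs = $conf->{check_sigs};
    if (!defined $sigs || !$sigs) {
        push @findings,
          "check_sigs is off: CHECKSUMS/SIGNATURE files are not verified";
    }

    my $urls = $conf->{urllist} || [];
    for my $url (@$urls) {
        # file:// mirrors (a local or NFS copy) are not network-exposed;
        # anything else that is not https:// is flagged.
        next if $url =~ m{^file://}i;
        if ($url !~ m{^https://}i) {
            push @findings, "urllist entry fetched without TLS: $url";
        }
    }
    return @findings;
}

for my $pair ([weak => $weak], [hardened => $hardened]) {
    my ($name, $conf) = @$pair;
    my @f = audit_cpan_config($conf);
    printf "%-9s %s\n", "$name:", @f ? join("; ", @f) : "no findings";
}
```

To apply the hardened settings interactively, the CPAN shell commands are `o conf check_sigs 1`, `o conf urllist push https://www.cpan.org/` (after removing any http:// entries shown by `o conf urllist`), and `o conf commit` to persist them. Two caveats: enabling check_sigs without Module::Signature installed gives you a warning rather than verification, and signature checks only help if the PAUSE signing key is present in the local PGP keyring, so an audit of the config file alone does not prove that downloads are actually being verified.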
