CVE-2020-16155: The CPAN::Checksums package 2.12 for Perl does not uniquely define signed data. Not really sure about the impact of this, but also can't find a fixed version.
This is mostly an issue that affects CPAN (the archive) itself, not so much one that affects user-run software. I assume it's been fixed by the combination of 1) release 2.13 (introducing an additional path parameter) and 2) the way this is called on CPAN (something we can't verify without running the exploit). So, not much to do here. I'll bump the module now, but unless you're running a clone of CPAN (not a mirror, but the root database), this shouldn't matter to you.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=958aac2f4e591b7f67b712b3f1dee6469554610c

commit 958aac2f4e591b7f67b712b3f1dee6469554610c
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2021-12-18 15:48:41 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2021-12-18 15:48:53 +0000

    dev-perl/CPAN-Checksums: Version bump 2.14

    Bug: https://bugs.gentoo.org/829118
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 .../CPAN-Checksums/CPAN-Checksums-2.140.0.ebuild | 41 ++++++++++++++++++++++
 dev-perl/CPAN-Checksums/Manifest                 |  1 +
 2 files changed, 42 insertions(+)
Please cleanup