| Field | Value | Field | Value |
|---|---|---|---|
| Summary | dev-perl/App-cpanminus: signature verification bypass | | |
| Product | Gentoo Security | Reporter | John Helmert III <ajak> |
| Component | Vulnerabilities | Assignee | Gentoo Security <security> |
| Status | CONFIRMED --- | | |
| Severity | normal | CC | perl |
| Priority | Normal | | |
| Version | unspecified | | |
| Hardware | All | | |
| OS | Linux | | |
| URL | https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/ | | |
| Whiteboard | B2 [upstream] | | |
| Package list | | Runtime testing required | --- |
Description

John Helmert III
2021-12-13 19:50:16 UTC

No motion upstream since 2018... 108 open bugs... That said, by default cpanm doesn't verify signatures at all anyway. https://metacpan.org/pod/App::cpanminus

commit 03300f1d7970874eee8c3a14e1060de6036ce696
Author: Sam James <sam@gentoo.org>
Date:   Thu Jun 22 05:30:12 2023 +0100

    dev-perl/App-cpanminus: add 1.704.600

    Signed-off-by: Sam James <sam@gentoo.org>

Not sure if it counts as a fix though... Changes (https://metacpan.org/dist/App-cpanminus/changes) says:

"""
1.7045 2022-01-26 19:03:44 PST
[Security]
- [CVE-2020-16154] remove the functionality to verify CHECKSUMS signature
"""