Control: severity -1 important

On Wed, Oct 23, 2019 at 11:22:47PM +0200, Moritz Muehlenhoff wrote:
> On Wed, Oct 23, 2019 at 10:20:04PM +0300, Niko Tyni wrote:
> > Control: reassign -1 src:perl
> > Control: found -1 5.20.2-3
> >
> > On Tue, Oct 22, 2019 at 12:36:14PM +0200, Vincent Lefevre wrote:
> > > Package: perl-modules-5.30
> > > Version: 5.30.0-8
> > > Severity: grave
> > > Tags: security
> > > Justification: user security hole
> > >
> > > I've just found that CPAN.pm does not check signatures by default:
> > >
> > > 'check_sigs' => q[0],
> > >
> > > Moreover, it downloads files using http, not https.
> > >
> > > The combination of both issues makes it very insecure, with a possible
> > > remote attack!
> > >
> > > And there are no warnings about that.
>
> From my PoV, people are free to work with upstream to get that fixed, but
> there's no reason to treat this as an RC bug.

Thanks. I'm lowering the severity.

-- 
Niko Tyni nt...@debian.org
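As an added example (not part of the bug thread or of CPAN.pm itself), a small POSIX shell audit that flags the two settings discussed above in a CPAN.pm MyConfig.pm: check_sigs set to 0 and plain-http mirrors in urllist. The sample configs it writes are constructed for illustration; the `o conf` commands in the comments are the CPAN shell's own configuration commands.

```shell
#!/bin/sh
# Audit a CPAN.pm config file (e.g. ~/.cpan/CPAN/MyConfig.pm) for the two
# weak defaults discussed in the bug: no signature checking and http mirrors.
# Simplification: urllist entries are matched by the q[...] string form that
# CPAN.pm writes; a hand-edited config could use a different quoting style.

# Prints one line per finding; returns 1 if any finding was made, 0 otherwise.
cpan_config_findings() {
    cfg="$1"
    found=0
    if grep -Eq "'check_sigs'[[:space:]]*=>[[:space:]]*q\[0\]" "$cfg"; then
        echo "check_sigs=0: CHECKSUMS signatures are not verified" \
             "(fix in the cpan shell: o conf check_sigs 1; needs Module::Signature)"
        found=1
    fi
    if grep -Eq "q\[http://[^]]*\]" "$cfg"; then
        echo "urllist has a plain-http mirror: downloads are not transport-protected" \
             "(fix: o conf urllist push https://<mirror>/ then remove http entries)"
        found=1
    fi
    # Persist any change with: o conf commit
    return "$found"
}

# Constructed sample resembling the defaults the bug report quotes.
sample_weak_config() {
    cat > "$1" <<'EOF'
$CPAN::Config = {
  'check_sigs' => q[0],
  'urllist' => [q[http://www.cpan.org/]],
};
1;
EOF
}

# Constructed sample with both settings hardened (https placeholder mirror).
sample_hardened_config() {
    cat > "$1" <<'EOF'
$CPAN::Config = {
  'check_sigs' => q[1],
  'urllist' => [q[https://example-mirror.invalid/]],
};
1;
EOF
}

demo_cfg=$(mktemp)
sample_weak_config "$demo_cfg"
cpan_config_findings "$demo_cfg" || echo "weak CPAN.pm settings found in $demo_cfg"
rm -f "$demo_cfg"
```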