https://bugzilla.redhat.com/show_bug.cgi?id=2035273
--- Doc Text *updated* by Tomas Hoger <[email protected]> --- A flaw was found in the way the perl-CPAN performed verification of package signatures stored in CHECKSUMS files. A malicious or compromised CPAN server used by the user, or a man-in-the-middle attacker, could use this flaw to bypass signature verification. --- Comment #9 from Tomas Hoger <[email protected]> --- The mitigation recommended by upstream is to ensure that users are only using trusted CPAN mirrors (www.cpan.org or cpan.metacpan.org) and always use HTTPS when downloading packages. If you already have a cpan configured, the list of configured mirrors can be viewed by running the `cpan` command without any argument and entering the following command on the cpan command's prompt: o conf urllist Ensure that the URL list only includes trusted mirrors and that https:// scheme is used for all URLs. A different set of mirrors can be configured using the following commands (these examples show how to configure one or more mirrors, only one of the commands should be used): o conf urllist https://www.cpan.org o conf urllist https://www.cpan.org https://cpan.metacpan.org After changing configuration, the following command must be used to save the configuration: o conf commit -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2035273 _______________________________________________ perl-devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
