[Bug 2035341] CVE-2020-16154 perl-App-cpanminus: Bypass of verification of signatures in CHECKSUMS files
https://bugzilla.redhat.com/show_bug.cgi?id=2035341

Bug 2035341 depends on bug 2037408, which changed state.

Bug 2037408 Summary: CVE-2020-16154 perl-App-cpanminus:1.7044/perl-App-cpanminus: Bypass of verification of signatures in CHECKSUMS files [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2037408

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CLOSED
         Resolution|---                         |WONTFIX

-- 
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2035341
___
perl-devel mailing list -- perl-devel@lists.fedoraproject.org
To unsubscribe send an email to perl-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/perl-devel@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

[Bug 2035341] CVE-2020-16154 perl-App-cpanminus: Bypass of verification of signatures in CHECKSUMS files
https://bugzilla.redhat.com/show_bug.cgi?id=2035341

Bug 2035341 depends on bug 2035342, which changed state.

Bug 2035342 Summary: CVE-2020-16154 perl-App-cpanminus: Bypass of verification of signatures in CHECKSUMS files [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2035342

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CLOSED
         Resolution|---                         |WONTFIX

[Bug 2035341] CVE-2020-16154 perl-App-cpanminus: Bypass of verification of signatures in CHECKSUMS files
https://bugzilla.redhat.com/show_bug.cgi?id=2035341

Bug 2035341 depends on bug 2037407, which changed state.

Bug 2037407 Summary: CVE-2020-16154 perl-Menlo-Legacy: perl-App-cpanminus: Bypass of verification of signatures in CHECKSUMS files [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2037407

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CLOSED
         Resolution|---                         |EOL

[Bug 2035341] CVE-2020-16154 perl-App-cpanminus: Bypass of verification of signatures in CHECKSUMS files
https://bugzilla.redhat.com/show_bug.cgi?id=2035341

--- Doc Text *updated* by Eric Christensen ---
A flaw was found in the way the perl-App-cpanminus performed verification of package signatures stored in CHECKSUMS files. A malicious or compromised CPAN server used by a user, or a man-in-the-middle attacker, could use this flaw to bypass signature verification.

[Bug 2035341] CVE-2020-16154 perl-App-cpanminus: Bypass of verification of signatures in CHECKSUMS files
https://bugzilla.redhat.com/show_bug.cgi?id=2035341

--- Doc Text *updated* by Tomas Hoger ---
A flaw was found in the way the perl-App-cpanminus performed verification of package signatures stored in CHECKSUMS files. A malicious or compromised CPAN server used by the user, or a man-in-the-middle attacker, could use this flaw to bypass signature verification.

--- Comment #8 from Tomas Hoger ---
The mitigation recommended by upstream is to ensure that users are only using trusted CPAN mirrors (www.cpan.org or cpan.metacpan.org) and always use HTTPS when downloading packages.

The cpanm command can be configured to use the specific CPAN mirror using the --from command line option by running it as:

  cpanm --from https://www.cpan.org ...

You can also set environment variable PERL_CPANM_OPT to include this command line option to avoid having to specify the URL for every cpanm invocation:

  export PERL_CPANM_OPT="--from https://www.cpan.org"

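As an added example (not code from the bug report or from cpanminus), here is a small audit check for the PERL_CPANM_OPT mitigation in comment #8: it parses the option string the way cpanm would see it and accepts it only if `--from` (or its short form `-M`) pins one of the two mirrors the comment names, over HTTPS. The trusted-host set and the `check_*` function names are this example's own choices; the option names are cpanm's.

```python
"""Audit a PERL_CPANM_OPT string for the comment #8 mitigation:
cpanm must be pinned with --from to a trusted CPAN mirror over HTTPS.
Added example, not part of the bug report or of cpanminus itself."""
import os
import shlex
from urllib.parse import urlsplit

# Mirrors the bug comment names as trusted (assumption: no others are).
TRUSTED_MIRRORS = {"www.cpan.org", "cpan.metacpan.org"}


def mirror_from_opts(opts: str):
    """Return the URL passed to cpanm's --from / -M option, or None.

    Handles both "--from URL" and "--from=URL"; if the option is repeated,
    the last occurrence wins, matching the usual scalar-option behaviour.
    """
    args = shlex.split(opts)
    url = None
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("--from", "-M"):
            if i + 1 < len(args):
                url = args[i + 1]
            i += 2
            continue
        if arg.startswith("--from="):
            url = arg[len("--from="):]
        i += 1
    return url


def check_cpanm_opt(opts: str):
    """Return (ok, reason) for a PERL_CPANM_OPT value."""
    url = mirror_from_opts(opts)
    if url is None:
        return False, "no --from mirror pinned in PERL_CPANM_OPT"
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, f"mirror {url!r} is not fetched over HTTPS"
    if parts.hostname not in TRUSTED_MIRRORS:
        return False, f"mirror host {parts.hostname!r} is not in the trusted set"
    return True, f"cpanm pinned to {url}"


def check_environment(env=None):
    """Run the check against a process environment (default: this one)."""
    env = os.environ if env is None else env
    return check_cpanm_opt(env.get("PERL_CPANM_OPT", ""))


if __name__ == "__main__":
    ok, reason = check_environment()
    print(("OK: " if ok else "WARNING: ") + reason)
```

Run it in the shell whose profile exports PERL_CPANM_OPT; an empty variable, a plain `http://` mirror, or an unknown host each produce a WARNING line with the specific reason.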
[Bug 2035341] CVE-2020-16154 perl-App-cpanminus: Bypass of verification of signatures in CHECKSUMS files
https://bugzilla.redhat.com/show_bug.cgi?id=2035341

--- Comment #7 from Tomas Hoger ---
Additional details about these issues can be found in the following blog post:
http://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html

[Bug 2035341] CVE-2020-16154 perl-App-cpanminus: Bypass of verification of signatures in CHECKSUMS files
https://bugzilla.redhat.com/show_bug.cgi?id=2035341

Tomas Hoger changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Depends On|                            |2038837, 2038835, 2038836,
                   |                            |2038834

[Bug 2035341] CVE-2020-16154 perl-App-cpanminus: Bypass of verification of signatures in CHECKSUMS files
https://bugzilla.redhat.com/show_bug.cgi?id=2035341

--- Comment #5 from Tomas Hoger ---
Upstream fixes linked in comment 2 do not completely address all issues - they still make it possible to include crafted $cksum data before the signed content of the CHECKSUMS file and have that accepted by App::cpanminus.

This problem was reported upstream via:
https://github.com/miyagawa/cpanminus/issues/639

Upstream responded that their decision was to not fix and rather remove signature verification completely:
https://github.com/miyagawa/cpanminus/commit/1afe4a9cac56fa593e24bf5714c8992ba04b925e

[Bug 2035341] CVE-2020-16154 perl-App-cpanminus: Bypass of verification of signatures in CHECKSUMS files
https://bugzilla.redhat.com/show_bug.cgi?id=2035341

Tomas Hoger changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Depends On|                            |2037408, 2037407

Referenced Bugs:

https://bugzilla.redhat.com/show_bug.cgi?id=2037407
[Bug 2037407] CVE-2020-16154 perl-Menlo-Legacy: perl-App-cpanminus: Bypass of verification of signatures in CHECKSUMS files [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2037408
[Bug 2037408] CVE-2020-16154 perl-App-cpanminus:1.7044/perl-App-cpanminus: Bypass of verification of signatures in CHECKSUMS files [fedora-all]

[Bug 2035341] CVE-2020-16154 perl-App-cpanminus: Bypass of verification of signatures in CHECKSUMS files
https://bugzilla.redhat.com/show_bug.cgi?id=2035341

--- Comment #3 from Tomas Hoger ---
Created perl-App-cpanminus:1.7044/perl-App-cpanminus tracking bugs for this issue:

Affects: fedora-all [bug 2037408]

Created perl-Menlo-Legacy tracking bugs for this issue:

Affects: fedora-all [bug 2037407]

[Bug 2035341] CVE-2020-16154 perl-App-cpanminus: Bypass of verification of signatures in CHECKSUMS files
https://bugzilla.redhat.com/show_bug.cgi?id=2035341

Tomas Hoger changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|CVE-2020-16154              |CVE-2020-16154
                   |perl-App-cpanminus:         |perl-App-cpanminus: Bypass
                   |signature verification      |of verification of
                   |bypass                      |signatures in CHECKSUMS
                   |                            |files

--- Comment #2 from Tomas Hoger ---
Refer to bug 2035273 comment 2 for additional details about this issue. Bug 2035273 covers these problems in perl-CPAN / CPAN.pm, and App::cpanminus is affected in a similar way and hence the description of issues applies to both modules.

The App::cpanminus module has not yet been fixed for this issue. Fixes were only applied to Menlo / Menlo-Legacy, which is a development version of the future cpanm version 2.0.

Commit that corrects checking of the Module::Signature::_verify() return value:
https://github.com/miyagawa/cpanminus/commit/98f43b64165a54e05ce25f9de09284ccb34f4776

Commit that adds support for the cpan_path attribute in CHECKSUMS files:
https://github.com/miyagawa/cpanminus/commit/3c93db75ccbc75c813c7f12ea0301af20a265f65