Bug#1033109: libcpan-checksums-perl: CVE-2020-16155
gregor herrmann
gregoa at debian.org
Fri Mar 17 20:15:12 GMT 2023
On Fri, 17 Mar 2023 14:50:29 +0100, Moritz Mühlenhoff wrote:
> CVE-2020-16155[0]:
> | The CPAN::Checksums package 2.12 for Perl does not uniquely define
> | signed data.
>
> https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/
> http://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html
After reading those webpages and looking at the diffs briefly, I
_think_ this is fixed upstream in 2.13 and in Debian with 2.13-1.
What do you think Salvatore?
Cheers,
gregor
--
.''`. https://info.comodo.priv.at -- Debian Developer https://www.debian.org
: :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D 85FA BB3A 6801 8649 AA06
`. `' Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
`-
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: Digital Signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-perl-maintainers/attachments/20230317/b320c8c9/attachment.sig>
More information about the pkg-perl-maintainers
mailing list