Bug#1033109: libcpan-checksums-perl: CVE-2020-16155

gregor herrmann gregoa at debian.org
Fri Mar 17 20:15:12 GMT 2023


On Fri, 17 Mar 2023 14:50:29 +0100, Moritz Mühlenhoff wrote:

> CVE-2020-16155[0]:
> | The CPAN::Checksums package 2.12 for Perl does not uniquely define
> | signed data.
> 
> https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/
> http://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html

After reading those webpages and looking at the diffs briefly, I
_think_ this is fixed upstream in 2.13 and in Debian with 2.13-1.

What do you think, Salvatore?


Cheers,
gregor

-- 
 .''`.  https://info.comodo.priv.at -- Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
   `-   