CVE-2020-16156

Published: 13 December 2021

CPAN 2.28 allows Signature Verification Bypass.

Notes

Author       Note
rayveldkamp  Fix is in cpanpm 2.29
leosilva     Using only ensured, identified https mirrors could be a solution, as even for perl modules, if a trusted server is used, its identity will be verified even in the absence of perl-module-signature.
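The mitigation in leosilva's note (restrict CPAN.pm to HTTPS mirrors so TLS verifies the server's identity when Module::Signature checks are unavailable), as an added shell example that is not from the Ubuntu tracker or from CPAN.pm itself. It audits a CPAN.pm MyConfig.pm for mirrors that are not served over HTTPS. The two sample configurations are constructed for the example, and the `o conf` commands in the comments are assumed from CPAN.pm's shell syntax rather than taken from this page.

```shell
#!/bin/sh
# Added example (not code from the Ubuntu tracker or from CPAN.pm): audit a
# CPAN.pm configuration for mirrors that are not served over HTTPS. The
# mitigation relies on TLS verifying the mirror's identity when
# Module::Signature checks are unavailable, so any plain http:// or ftp://
# entry in 'urllist' defeats it.

# Print the mirror URLs in the 'urllist' entry of a MyConfig.pm read from
# stdin. The file is a Perl hash dump in which CPAN.pm writes strings as
# q[...]; hand-edited files sometimes use '...'. Scanning starts at the
# 'urllist' key, so the proxy keys (which sort before it) are not picked up.
cpan_urllist() {
    sed -n "/'urllist'/,/]/p" \
      | grep -oE "(q[[]|')[A-Za-z][A-Za-z0-9+.-]*://[^]']*" \
      | sed -e 's/^q\[//' -e "s/^'//"
}

# Return 0 when every configured mirror is https://, 1 otherwise. Offending
# URLs are reported on stderr.
audit_cpan_mirrors() {
    _bad=0
    for _url in $(cpan_urllist); do
        case "$_url" in
            https://*) ;;
            *) echo "non-https mirror: $_url" >&2; _bad=1 ;;
        esac
    done
    return "$_bad"
}

# Constructed sample configurations (not real files), in the shape that
# 'o conf commit' writes to ~/.cpan/CPAN/MyConfig.pm.
WEAK_CONFIG=$(cat <<'EOF'
$CPAN::Config = {
  'check_sigs' => q[0],
  'http_proxy' => q[],
  'urllist' => [q[http://www.cpan.org/], q[ftp://ftp.example.org/pub/CPAN/]],
  'yaml_module' => q[YAML],
};
1;
EOF
)

FIXED_CONFIG=$(cat <<'EOF'
$CPAN::Config = {
  'check_sigs' => q[1],
  'http_proxy' => q[],
  'urllist' => [q[https://cpan.metacpan.org/], q[https://www.cpan.org/]],
  'yaml_module' => q[YAML],
};
1;
EOF
)

# The interactive fix, in CPAN.pm's 'o conf' shell syntax (assumed from its
# documentation; not executed here):
#   cpan> o conf urllist https://cpan.metacpan.org/
#   cpan> o conf check_sigs 1     # needs Module::Signature installed
#   cpan> o conf commit
# and the version check relevant to this CVE (fixed in cpanpm 2.29):
#   perl -MCPAN -e 'print "$CPAN::VERSION\n"'

if printf '%s\n' "$WEAK_CONFIG" | audit_cpan_mirrors; then
    echo "weak config: accepted (unexpected)"
else
    echo "weak config: rejected"
fi
printf '%s\n' "$FIXED_CONFIG" | audit_cpan_mirrors && echo "fixed config: accepted"
```

Run it against a real file with `audit_cpan_mirrors < ~/.cpan/CPAN/MyConfig.pm`; a non-zero exit means at least one mirror is fetched without server authentication, which is exactly the case where a missing or bypassed signature check leaves nothing standing between the client and a tampered distribution.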

Priority

Medium

CVSS 3 base score: 7.8

Status

Package   Release   Status
perl (Launchpad, Ubuntu, Debian)
          bionic    Released (5.26.1-6ubuntu0.6)
          focal     Released (5.30.0-9ubuntu0.3)
          hirsute   Ignored (reached end-of-life)
          impish    Ignored (reached end-of-life)
          jammy     Released (5.34.0-3ubuntu1.1)
          kinetic   Released (5.34.0-5ubuntu1.1)
          trusty    Released (5.18.2-2ubuntu1.7+esm4)
          upstream  Needed
          xenial    Released (5.22.1-9ubuntu0.9+esm1)
Patches:
upstream: https://github.com/andk/cpanpm/commit/b27c51adf0fda25dee84cb72cb2b1bf7d832148c (2.29)
upstream: https://github.com/andk/cpanpm/commit/bcbf6d608e48d25306ecfd273118b4d6ba1c5df6 (2.29)
upstream: https://github.com/andk/cpanpm/commit/46fe910becd5746adca92e18660567c9e8d37eb5 (2.29)
upstream: https://github.com/andk/cpanpm/commit/7f9e5e8c52f535c1c13e177595a5ef4710c72058 (2.29)
upstream: https://github.com/andk/cpanpm/commit/c03257dbebccd4deeff1987d5efd98113643f717 (2.29)
upstream: https://github.com/andk/cpanpm/commit/7d4d5e32bcd9b75f7bf70a395938a48ca4a06d25 (2.33-TRIAL)
upstream: https://github.com/andk/cpanpm/commit/89b13baf1d46e4fb10023af30ef305efec4fd603 (2.33-TRIAL)