Description
The App::cpanminus package 1.7044 for Perl allows Signature Verification Bypass.
A flaw was found in the way perl-App-cpanminus verified the PGP signatures on the CHECKSUMS files that carry the digests of CPAN distributions. A malicious or compromised CPAN mirror, or a man-in-the-middle attacker on the connection to a mirror, could use this flaw to bypass signature verification, so that a tampered CHECKSUMS file and the distribution it vouches for would be accepted as genuine.
Mitigation
This issue can be mitigated by instructing perl-App-cpanminus to use only trusted CPAN mirrors (www.cpan.org or cpan.metacpan.org) and to reach them over HTTPS, which removes the man-in-the-middle case and limits the mirror-side case to the trusted operators. Red Hat does not ship a fixed package for the affected products (see the table below), so this configuration change is the available control. The cpanm command can be pinned to a specific mirror with the --from command line option. You can also set the environment variable PERL_CPANM_OPT to include that option, so the mirror URL does not have to be given on every cpanm invocation.
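The commands the mitigation refers to, as an added example that is not part of the advisory: a small POSIX sh helper that refuses a plain-http or unlisted mirror and emits the --from option to place in PERL_CPANM_OPT. The function names trusted_mirror and cpanm_pin_opts are mine; --from (cpanm's "use only this mirror" switch) and PERL_CPANM_OPT are cpanm's own.

```shell
#!/bin/sh
# Added example, not from the advisory or from cpanm itself.
# Pins cpanm to one trusted HTTPS mirror so CHECKSUMS and tarballs cannot be
# swapped by an arbitrary mirror or by a man-in-the-middle on plain HTTP.

# Hosts the advisory names as trusted mirrors (assumption: exact host match,
# no port or userinfo accepted).
TRUSTED_HOSTS="www.cpan.org cpan.metacpan.org"

# trusted_mirror URL -> status 0 if URL is https:// and its host is trusted,
# prints the normalised base URL; status 1 otherwise.
trusted_mirror() {
    url=$1
    case $url in
        https://*) ;;                    # http:// would let a MITM rewrite CHECKSUMS
        *) return 1 ;;
    esac
    host=${url#https://}
    host=${host%%/*}                     # drop any path; "user@evil/" stays rejected
    for h in $TRUSTED_HOSTS; do
        if [ "$host" = "$h" ]; then
            printf 'https://%s/\n' "$host"
            return 0
        fi
    done
    return 1
}

# cpanm_pin_opts URL -> prints the option string for PERL_CPANM_OPT (or for a
# direct cpanm call). --from uses only that mirror and its index, equivalent
# to --mirror URL --mirror-only.
cpanm_pin_opts() {
    base=$(trusted_mirror "$1") || {
        echo "refusing untrusted or non-HTTPS mirror: $1" >&2
        return 1
    }
    printf -- '--from %s\n' "$base"
}

# Intended use:
#   export PERL_CPANM_OPT="$(cpanm_pin_opts https://www.cpan.org/)"
#   cpanm Module::Name
# or for a single invocation:
#   cpanm --from https://www.cpan.org/ Module::Name
```

Putting the helper in a shell profile and exporting PERL_CPANM_OPT from it means every cpanm run, including ones started from build scripts, inherits the pin; a mirror that fails the check leaves PERL_CPANM_OPT empty rather than silently falling back to the default mirror list.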
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 7 | perl-App-cpanminus | Out of support scope | | |
| Red Hat Enterprise Linux 8 | perl-App-cpanminus:1.7044/perl-App-cpanminus | Will not fix | | |
| Red Hat Enterprise Linux 9 | perl-App-cpanminus | Will not fix | | |
| Red Hat Software Collections | rh-perl530-perl-App-cpanminus | Will not fix | | |
Additional information
Status:
EPSS:
CVSS3: 7.8 High