Debian 11 bullseye DLA-3926-1 critical: perl signature bypass and MITM

debian lts
October 21, 2024
Vulnerabilities were found in Perl's CPAN.pm, which could lead CPAN clients to install malicious modules

Summary

CVE-2020-16156

Stig Palmquist discovered that an attacker can prepend checksums for
modified packages to the beginning of CHECKSUMS files, before the
cleartext PGP headers, resulting in signature verification bypass.

CPAN.pm has been updated so that when configured to validate the
signature on CHECKSUMS, it will refuse to install a tarball if the
associated CHECKSUMS file isn't signed. The gpg(1) executable is
required in order to validate signatures.
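
The check described above, as an added example in Perl that is not CPAN.pm's own code: a CHECKSUMS file is accepted only if it is PGP-clearsigned, begins with the cleartext header (so nothing has been prepended in front of the signed region), and gpg(1) verifies the signature; only the signed body is then returned for evaluation. The sample CHECKSUMS contents and the hash values are constructed, and `verify_checksums` assumes gpg(1) is on PATH with the mirror's signing key in the local keyring.

```perl
#!/usr/bin/perl
# Added example, not CPAN.pm's own code: accept a CHECKSUMS file only if it
# is PGP-clearsigned, starts with the cleartext header (nothing prepended),
# and gpg(1) verifies the signature; return just the signed body.
use strict;
use warnings;
use File::Temp qw(tempfile);

my $BEGIN_SIGNED = '-----BEGIN PGP SIGNED MESSAGE-----';
my $BEGIN_SIG    = '-----BEGIN PGP SIGNATURE-----';

# Layout checks that need no gpg(1). Returns (ok, reason).
sub check_checksums_layout {
    my ($text) = @_;
    my $hdr = index($text, $BEGIN_SIGNED);
    return (0, 'CHECKSUMS is not PGP-signed')
        if $hdr < 0 || index($text, $BEGIN_SIG) < 0;
    # CVE-2020-16156: bytes before the cleartext header lie outside the
    # signed region, yet a client that evals the whole file trusts them.
    return (0, 'data precedes the PGP cleartext header') if $hdr > 0;
    return (1, 'layout ok');
}

# Extract only the clearsigned body (after the armor headers' blank line,
# before the signature block); everything else is never evaluated.
sub signed_body {
    my ($text) = @_;
    my ($body) = $text =~ /\A\Q$BEGIN_SIGNED\E\n(?:[A-Za-z-]+: [^\n]*\n)*\n(.*?)\n\Q$BEGIN_SIG\E/s;
    return $body;
}

# Full check: layout, then `gpg --verify` on a temp copy. Assumes gpg(1)
# is on PATH and the mirror's signing key is in the local keyring.
sub verify_checksums {
    my ($text) = @_;
    my ($ok, $why) = check_checksums_layout($text);
    return (0, $why) unless $ok;
    my ($fh, $path) = tempfile(UNLINK => 1);
    print {$fh} $text;
    close $fh or die "close: $!";
    my $status = system('gpg', '--batch', '--quiet', '--verify', $path);
    return (0, 'gpg rejected the signature') if $status != 0;
    return (1, signed_body($text));
}

# Constructed samples: a signed file, a tampered copy with a checksum block
# prepended before the header, and a plain unsigned file.
my $good_cksum = q{$cksum = { 'Foo-1.0.tar.gz' => { sha256 => 'GOODHASH' } };};
my $evil_cksum = q{$cksum = { 'Foo-1.0.tar.gz' => { sha256 => 'EVILHASH' } };};
my $signed   = join "\n", $BEGIN_SIGNED, 'Hash: SHA256', '', $good_cksum,
                          $BEGIN_SIG, '(signature data)', '-----END PGP SIGNATURE-----', '';
my $tampered = "$evil_cksum\n$signed";
my $unsigned = "$good_cksum\n";

for my $case ([signed => $signed], [tampered => $tampered], [unsigned => $unsigned]) {
    my ($name, $text) = @$case;
    my ($ok, $why) = check_checksums_layout($text);
    printf "%-9s %s (%s)\n", $name, $ok ? 'accept' : 'reject', $why;
}
```

The top-level loop exercises only the layout check, because the sample signature block is a placeholder; on a real CHECKSUMS file `verify_checksums` runs gpg as well. The layout check matters on its own: gpg verifies the clearsigned region and ignores leading bytes, so a client that evaluates the whole file after a successful `gpg --verify` would still read the prepended block.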

CVE-2023-31484

Stig Palmquist discovered that CPAN::HTTP::Client did not verify
X.509 certificates in the HTTP::Tiny call, which could allow an
attacker to MITM the connection with the CPAN mirror.

CPAN::HTTP::Client now enables the `verify_SSL` flag. HTTPS mirrors
therefore require a valid certificate. The identity of the default
mirror https://www.cpan.org/ can be verified after installing the
'ca-certificates' package.
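
The corrected client setting, as an added example that is not CPAN::HTTP::Client's own code: an HTTP::Tiny client built with `verify_SSL => 1` (the post-fix behaviour), with a certificate failure turned into a hard error instead of a silently accepted download. The function names are this example's own; it assumes HTTP::Tiny with IO::Socket::SSL support and the system CA bundle from the 'ca-certificates' package, and the only URL it uses by default is the advisory's default mirror https://www.cpan.org/.

```perl
#!/usr/bin/perl
# Added example, not CPAN::HTTP::Client's own code: an HTTP::Tiny client
# that verifies the mirror's X.509 certificate and fails closed.
use strict;
use warnings;
use HTTP::Tiny;

# verify_SSL => 1 makes HTTP::Tiny check the certificate chain against the
# system CA bundle ('ca-certificates' on Debian) and the hostname in the URL.
# The pre-fix client behaved like verify_SSL => 0: any certificate,
# including one presented by a man-in-the-middle, was accepted.
sub mirror_client {
    my (%opt) = @_;
    return HTTP::Tiny->new(
        verify_SSL => exists $opt{verify_SSL} ? $opt{verify_SSL} : 1,
        timeout    => 30,
    );
}

# Fetch a URL from the mirror. Returns (ok, content_or_reason).
# HTTP::Tiny reports transport-level failures, including a rejected
# certificate, as status 599 with the error text in {content}.
sub fetch_from_mirror {
    my ($client, $url) = @_;
    return (0, 'refusing non-HTTPS mirror URL') unless $url =~ m{\Ahttps://}i;
    my $res = $client->get($url);
    return (1, $res->{content}) if $res->{success};
    my $why = $res->{status} == 599 ? $res->{content} : "$res->{status} $res->{reason}";
    return (0, "fetch failed: $why");
}

# Report whether TLS support is present at all, then try the mirror given
# on the command line (default: the advisory's default mirror).
my ($tls_ok, $tls_why) = HTTP::Tiny->can_ssl;
print $tls_ok ? "TLS support available\n" : "no TLS support: $tls_why\n";

my $url = shift @ARGV // 'https://www.cpan.org/';
my ($ok, $result) = fetch_from_mirror(mirror_client(), $url);
print $ok ? "fetched " . length($result) . " bytes from $url\n" : "$result\n";
```

Run it against an HTTPS mirror whose certificate does not chain to a trusted CA, or whose name does not match the URL, and the fetch fails with a 599 and the TLS error text; passing `verify_SSL => 0` to `mirror_client` reproduces the pre-fix acceptance and is only useful for seeing the difference.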

For Debian 11 bullseye, these problems have been fixed in version
5.32.1-4+deb11u4.



Severity: critical

Package: perl
Version: 5.32.1-4+deb11u4
CVE ID: CVE-2020-16156 CVE-2023-31484
Debian Bug: 1015985 1035109
