Bugzilla – Bug 1193771
VUL-0: CVE-2020-16156: perl: CPAN 2.28 allows Signature Verification Bypass.
Last modified: 2022-07-11 07:10:59 UTC
CPAN 2.28 allows Signature Verification Bypass.
SUSE:SLE-12:Update should be affected
Installing packages from cpan isn't supported anyway. So whoever does that is acting at their own risk, and I don't think releasing an update to SLE12 is worth it.
But in any case, CPAN::Meta is not related to downloading from CPAN; it provides metadata for CPAN authors. CPAN.pm is part of the perl package.
Thank you very much Stephan for the clarifications. With perl affected, we would have more codestreams affected.
Stephan, how could the fact that installing packages with cpan is not supported affect us? Is it still possible for our customers to install packages in this way? If yes, it would be great to backport the patches anyway; a signature verification bypass is quite severe...
Perl users have downloaded random things from the internet for decades. So if they download crap, or crap with backdoors, they hopefully have multiple lines of defense.
It's a bit like making "I used `curl XXX | sh` and it got me in trouble" a curl problem. Our perl package offers a downloader, but we don't recommend using it.
We published a TID for this CVE. Applying the workaround as described in the TID is sufficient to fix this vulnerability, and it is highly recommended to ensure only trusted mirrors are used. Closing as WONTFIX.
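As an added illustration of the "only trusted mirrors" workaround mentioned above (this is not the text of the TID and not part of the bug report), the fragment below shows the two CPAN.pm configuration keys involved, as they appear in ~/.cpan/CPAN/MyConfig.pm. The mirror URL is a placeholder to be replaced with an actually trusted mirror; the other keys of the generated configuration are left as CPAN.pm wrote them.

```perl
# Fragment of ~/.cpan/CPAN/MyConfig.pm (added example, not from the TID).
# Only the two keys relevant to the workaround are shown; keep the rest of
# the configuration that `o conf init` generated.
$CPAN::Config = {
    # ... other keys as generated by CPAN.pm ...

    # urllist is the set of mirrors CPAN.pm downloads CHECKSUMS files and
    # distributions from. Listing exactly one trusted HTTPS mirror (placeholder
    # hostname below) is the "trusted mirrors only" part of the workaround.
    'urllist'    => [ q[https://cpan-mirror.example.internal/] ],

    # Defense in depth: have CPAN.pm verify CHECKSUMS signatures with
    # Module::Signature (which must be installed). This is an additional
    # control, not a substitute for the mirror restriction: the CVE this bug
    # tracks is precisely a bypass of that signature check in CPAN 2.28.
    'check_sigs' => q[1],

    # ... remaining keys ...
};
1;
__END__
```

The same two settings can be made from the interactive client with `o conf urllist https://cpan-mirror.example.internal/`, `o conf check_sigs 1` and `o conf commit`; either way, check afterwards with `o conf urllist` that no untrusted mirror remains in the list.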