Bugzilla – Bug 1193811
VUL-0: CVE-2020-16155: perl: CPAN::Checksums package 2.12 for Perl does not uniquely define signed data
Last modified: 2022-08-29 13:56:08 UTC
CVE-2020-16155

The CPAN::Checksums package 2.12 for Perl does not uniquely define signed data.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-16155
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16155
https://metacpan.org/pod/CPAN::Checksums
https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/
I can't find signs of this module in perl5 source, or in other packages. I am actually not sure if we ship this cpan package.
Michael, can you please help us to find if we're affected or not?
I could not find the module in our products. It's used by the upstream CPAN server, so there's no need for us to ship it. So I don't think we're affected.
(In reply to Michael Schröder from comment #3)
> I could not find the module in our products. It's used by the upstream CPAN
> server, so there's no need for us to ship it.
>
> So I don't think we're affected.

Thank you very much for your help Michael. Closing as not affected.