libmodule-signature-perl - security update

Multiple vulnerabilities were discovered in libmodule-signature-perl, a
Perl module to manipulate CPAN SIGNATURE files. The Common
Vulnerabilities and Exposures project identifies the following problems:

• CVE-2015-3406
  John Lightsey discovered that Module::Signature could parse the
  unsigned portion of the SIGNATURE file as the signed portion due to
  incorrect handling of PGP signature boundaries.
• CVE-2015-3407
  John Lightsey discovered that Module::Signature incorrectly handles
  files that are not listed in the SIGNATURE file. This includes some
  files in the t/ directory that would execute when tests are run.
• CVE-2015-3408
  John Lightsey discovered that Module::Signature uses two argument
  open() calls to read the files when generating checksums from the
  signed manifest. This allows to embed arbitrary shell commands into
  the SIGNATURE file that would execute during the signature
  verification process.
• CVE-2015-3409
  John Lightsey discovered that Module::Signature incorrectly handles
  module loading, allowing to load modules from relative paths in
  @INC. A remote attacker providing a malicious module could use this
  issue to execute arbitrary code during signature verification.

Note that libtest-signature-perl received an update for compatibility
with the fix for CVE-2015-3407
in libmodule-signature-perl.

For the oldstable distribution (wheezy), these problems have been fixed
in version 0.68-1+deb7u2.

For the stable distribution (jessie), these problems have been fixed in
version 0.73-1+deb8u1.

For the testing distribution (stretch), these problems have been fixed
in version 0.78-1.

For the unstable distribution (sid), these problems have been fixed in
version 0.78-1.

We recommend that you upgrade your libmodule-signature-perl packages.