CVE-2020-16156

A flaw was found in the way the perl-CPAN performed verification of package signatures stored in CHECKSUMS files. A malicious or compromised CPAN server used by a user, or a man-in-the-middle attacker, could use this flaw to bypass signature verification.

Mitigation

This issue can be mitigated by configuring perl-CPAN to only use trusted CPAN mirrors (www.cpan.org or cpan.metacpan.org) and use HTTPS for communication with CPAN servers. If you already have a cpan configured, the list of configured mirrors can be viewed by running the cpan command without any argument and entering the following command on the cpan command's prompt:

  o conf urllist  

Ensure that the URL list only includes trusted mirrors and that https:// scheme is used for all URLs. A different set of mirrors can be configured using the following commands (these examples show how to configure one or more mirrors, only one of the commands should be used):

  o conf urllist https://www.cpan.org  
  o conf urllist https://www.cpan.org https://cpan.metacpan.org  

After changing configuration, the following command must be used to save the configuration:

  o conf commit