CPAN.pm before 2.35 does not verify TLS certificates when downloading
distributions over HTTPS. Because the server certificate is never checked, an
on-path attacker can impersonate an HTTPS CPAN mirror and serve a modified
distribution to the client, which then builds and installs it.
Author | Note |
---|---|
ccdm94 | The fix released to cpanpm (commit 9c98370) can be applied to the perl codebase to fix the issue. The perl upstream has fixed the issue through commit 96ea0b9b, which is actually an import of CPAN v2.36. |
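The following Perl script is an added example for this advisory; it is not code from cpanpm, from the perl upstream, or from the fix commits named above. It checks whether the installed CPAN.pm predates the 2.35 fix, and shows the setting that decides whether HTTP::Tiny (the bundled HTTP client that CPAN.pm falls back to) authenticates the server when fetching over HTTPS: `verify_SSL`, which older HTTP::Tiny releases default to off. The CA bundle path in `SSL_options` is an assumption for illustration; no network request is made, so the script runs offline.

```perl
#!/usr/bin/env perl
# Added example (not from the advisory, cpanpm or perl upstream): report
# whether the installed CPAN.pm is older than the 2.35 fix, and compare an
# HTTP::Tiny client built with library defaults against one with TLS
# certificate verification switched on.
use strict;
use warnings;
use version 0.77;
use HTTP::Tiny;

# Threshold taken from the advisory text: releases before 2.35 are affected.
use constant FIXED_CPAN_VERSION => '2.35';

# Returns 1 when the given CPAN.pm version (e.g. $CPAN::VERSION) is affected.
sub cpan_is_vulnerable {
    my ($installed) = @_;
    return version->parse($installed) < version->parse(FIXED_CPAN_VERSION) ? 1 : 0;
}

# HTTP::Tiny only checks the server certificate when verify_SSL is true;
# the accessor reflects whatever the constructor was (or was not) given.
sub tls_verification_enabled {
    my ($ua) = @_;
    return $ua->verify_SSL ? 1 : 0;
}

# Client built the way an unfixed CPAN.pm effectively did: library defaults.
my $default_ua = HTTP::Tiny->new();

# Hardened client: verification on, with the trust store pinned explicitly
# through IO::Socket::SSL options. The bundle path is an assumption; adjust
# it to the CA bundle your system actually ships.
my $verified_ua = HTTP::Tiny->new(
    verify_SSL  => 1,
    SSL_options => { SSL_ca_file => '/etc/ssl/certs/ca-certificates.crt' },
);

unless (caller) {
    require CPAN;
    printf "CPAN.pm %s: %s\n", $CPAN::VERSION,
        cpan_is_vulnerable($CPAN::VERSION)
            ? 'VULNERABLE (older than ' . FIXED_CPAN_VERSION . ')'
            : 'fixed';
    printf "HTTP::Tiny %s, default client verify_SSL: %d\n",
        $HTTP::Tiny::VERSION, tls_verification_enabled($default_ua);
    printf "hardened client verify_SSL: %d\n",
        tls_verification_enabled($verified_ua);
}
```

Run it with `perl check-cpan-tls.pl` (any file name works). A `default client verify_SSL: 0` line means that HTTP::Tiny release still leaves verification off by default, so any caller that does not pass `verify_SSL => 1` itself, as unfixed CPAN.pm did not, accepts whatever certificate the mirror presents. Enabling verification requires IO::Socket::SSL and a usable CA bundle; with those missing, HTTPS fetches fail outright rather than silently skipping the check, which is the safer failure mode for a package installer.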
OS | OS version | Architecture | Package | Affected versions | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | perl | < 5.26.1-6ubuntu0.7 | UNKNOWN |
ubuntu | 20.04 | noarch | perl | < 5.30.0-9ubuntu0.4 | UNKNOWN |
ubuntu | 22.04 | noarch | perl | < 5.34.0-3ubuntu1.2 | UNKNOWN |
ubuntu | 22.10 | noarch | perl | < 5.34.0-5ubuntu1.2 | UNKNOWN |
ubuntu | 23.04 | noarch | perl | < 5.36.0-7ubuntu0.23.04.1 | UNKNOWN |
ubuntu | 14.04 | noarch | perl | < 5.18.2-2ubuntu1.7+esm5 (available with Ubuntu Pro or Ubuntu Pro (Infra-only)) | UNKNOWN |
ubuntu | 16.04 | noarch | perl | < 5.22.1-9ubuntu0.9+esm2 (available with Ubuntu Pro or Ubuntu Pro (Infra-only)) | UNKNOWN |
www.openwall.com/lists/oss-security/2023/04/29/1
www.openwall.com/lists/oss-security/2023/05/03/3
www.openwall.com/lists/oss-security/2023/05/03/5
blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/
github.com/andk/cpanpm/commit/9c98370287f4e709924aee7c58ef21c85289a7f0 (2.35-TRIAL)
github.com/andk/cpanpm/pull/175
launchpad.net/bugs/cve/CVE-2023-31484
metacpan.org/dist/CPAN/changes
nvd.nist.gov/vuln/detail/CVE-2023-31484
security-tracker.debian.org/tracker/CVE-2023-31484
ubuntu.com/security/notices/USN-6112-1
ubuntu.com/security/notices/USN-6112-2
www.cve.org/CVERecord?id=CVE-2023-31484
www.openwall.com/lists/oss-security/2023/04/18/14