| Summary: | cpanminus new security issue CVE-2020-16154 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, herman.viaene, nicolas.salguero, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | cpanminus-1.704.400-3.mga8.src.rpm | CVE: | CVE-2020-16154 |
| Status comment: | | | |
Description

David Walser
2022-02-09 16:06:21 CET

David Walser
2022-02-09 16:06:33 CET

Whiteboard: (none) => MGA8TOO

'cpanminus' has no maintainer, so having to assign this update globally.

Assignee: bugsquad => pkg-bugs

Suggested advisory:
========================

The updated package fixes a security vulnerability:

The App::cpanminus package 1.7044 for Perl allows Signature Verification Bypass. (CVE-2020-16154)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16154
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DENFY4CRTIZL5WYYUYUM4VKCJNXO4QIW/
========================

Updated package in core/updates_testing:
========================
cpanminus-1.704.500-1.mga8

from SRPM:
cpanminus-1.704.500-1.mga8.src.rpm

Status comment: Fixed upstream in 1.7045 => (none)

MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues.
No wiki, no previous updates.
Googling I found https://mvp.kablamo.org/dependencies/cpanm/ (and noticed in the meantime that I've been fiddling around with cpan some time before in other updates).
So tried:

```
$ cpanm --help
Usage: cpanm [options] Module [...]

Options:
  -v,--verbose              Turns on chatty output
  -q,--quiet                Turns off the most output
  --interactive             Turns on interactive configure (required for Task:: modules)
  -f,--force                force install
  -n,--notest               Do not run unit tests
  --test-only               Run tests only, do not install
  -S,--sudo                 sudo to run install commands
and more .....
```

From the site I took the example:

```
$ cpanm URI
!
! Can't write to /usr/local/share/perl5/5.32 and /usr/local/bin: Installing modules to /home/tester8/perl5
! To turn off this warning, you have to do one of the following:
!   - run me as a root or with --sudo option (to install to /usr/local/share/perl5/5.32 and /usr/local/bin)
!   - Configure local::lib in your existing shell to set PERL_MM_OPT etc.
!   - Install local::lib by running the following commands
!
!         cpanm --local-lib=~/perl5 local::lib && eval $(perl -I ~/perl5/lib/perl5/ -Mlocal::lib)
!
--> Working on URI
Fetching http://www.cpan.org/authors/id/O/OA/OALDERS/URI-5.10.tar.gz ... OK
Configuring URI-5.10 ... OK
==> Found dependencies: Test::Needs
--> Working on Test::Needs
Fetching http://www.cpan.org/authors/id/H/HA/HAARG/Test-Needs-0.002009.tar.gz ... OK
Configuring Test-Needs-0.002009 ... OK
Building and testing Test-Needs-0.002009 ... OK
Successfully installed Test-Needs-0.002009
Building and testing URI-5.10 ... OK
Successfully installed URI-5.10 (upgraded from 5.05)
2 distributions installed
```

And to me it looks as if it works OK.

CC: (none) => herman.viaene

Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins
2022-02-22 20:19:19 CET

CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2022-0078.html

Resolution: (none) => FIXED
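As an added check that is not part of this bug report or of the Mageia advisory: the QA step above confirms the updated package installs and that `cpanm` still works, but an administrator auditing several hosts also wants to know whether a given machine still runs the affected build. The script below re-implements rpm's segment-wise version comparison in pure Python so it runs offline, takes the affected (`1.704.400-3.mga8`) and fixed (`1.704.500-1.mga8`) EVR strings from this report, and optionally asks the local rpm database for the installed version. The `rpm -q` call, the package name `cpanminus` on the host, and the sample strings in `__main__` are assumptions about the environment; the `^` caret ordering of newer rpm releases is deliberately not implemented.

```python
"""Decide whether an installed cpanminus RPM carries the CVE-2020-16154 fix.

Added example, not code from the Mageia bug report. The EVR strings come from the
report; rpmvercmp() below is a pure-Python re-implementation of rpm's comparison
(digit runs numeric, letter runs lexical, digits beat letters, '~' sorts before
anything, leftover segments win). The '^' operator is not handled (assumption:
Mageia 8 package versions do not use it).
"""
import re
import subprocess
from typing import Optional

FIXED_EVR = "1.704.500-1.mga8"     # package pushed to core/updates_testing
AFFECTED_EVR = "1.704.400-3.mga8"  # source RPM named in the bug header

# Tokenize into digit runs, letter runs and the '~' pre-release marker; every
# other character (., -, _ ...) is a separator and ignored, as rpm does.
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 comparing two version or release strings like rpm."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" and y == "~":
            continue
        if x == "~":          # tilde means "older than the same string without it"
            return -1
        if y == "~":
            return 1
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:          # numeric segment outranks an alphabetic one
            return 1 if xd else -1
        if xd:
            xi, yi = int(x), int(y)   # int() also drops leading zeros
            if xi != yi:
                return 1 if xi > yi else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    # One side has segments left over: it wins, unless the first leftover is '~'.
    longer, sign = (sa, 1) if len(sa) > len(sb) else (sb, -1)
    if longer[min(len(sa), len(sb))] == "~":
        return -sign
    return sign


def parse_evr(evr: str):
    """Split 'epoch:version-release' into (epoch, version, release); epoch defaults to 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    rc = rpmvercmp(va, vb)
    if rc != 0:
        return rc
    if ra and rb:             # a bare upstream version has no release to compare
        return rpmvercmp(ra, rb)
    return 0


def is_fixed(installed_evr: str, fixed_evr: str = FIXED_EVR) -> bool:
    """True when the installed build is the fixed one or newer."""
    return evr_cmp(installed_evr, fixed_evr) >= 0


def installed_evr(package: str = "cpanminus") -> Optional[str]:
    """Query the local rpm database (assumption: rpm is present). None if not installed."""
    try:
        out = subprocess.run(
            ["rpm", "-q", "--qf", "%{EPOCH}:%{VERSION}-%{RELEASE}", package],
            capture_output=True, text=True, check=True,
        ).stdout.strip()
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.replace("(none):", "", 1)   # rpm prints "(none)" for an unset epoch


if __name__ == "__main__":
    cur = installed_evr()
    if cur is None:
        print("rpm unavailable or cpanminus not installed; using the report's affected version")
        cur = AFFECTED_EVR
    state = "fixed" if is_fixed(cur) else "VULNERABLE to CVE-2020-16154"
    print(f"cpanminus {cur}: {state}")
```

Run it on a Mageia 8 host after `urpmi --auto-update` (or after enabling updates_testing during QA) and it reports whether the installed build is at or past `1.704.500-1.mga8`; the epoch handling matters because a later rebuild with an epoch bump would otherwise compare as older.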