Bug 30994

Summary: perl new security issue CVE-2020-16156
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Thierry Vignaud <thierry.vignaud>
Status: RESOLVED OLD
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: nicolas.salguero
Version: 8
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: perl-5.32.1-1.1.mga8.src.rpm
CVE:
Status comment:
Bug Depends on: 31852
Bug Blocks:

Description David Walser 2022-10-20 14:07:46 CEST
+++ This bug was initially created as a clone of Bug #29878 +++

Fedora has issued an advisory today (January 12):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SZ32AJIV4RHJMLWLU5QULGKMMIHYOMDC/

The issue is fixed upstream in 2.29.

Ubuntu has issued an advisory for this on October 19:
https://ubuntu.com/security/notices/USN-5689-1

They patched the perl package itself. Do we have a bundled copy of cpanpm in perl that we still need to fix?

David Walser 2023-05-01 16:27:15 CEST

Depends on: (none) => 31852

Comment 1 David Walser 2023-05-01 16:27:52 CEST
To answer my own question, yes the perl package does appear to bundle cpanpm and probably needs to be fixed. Another issue in CPAN.pm is in Bug 31852.

Comment 2 Nicolas Salguero 2024-01-12 10:28:32 CET
Mageia 8 EOL

Resolution: (none) => OLD
CC: (none) => nicolas.salguero
Status: NEW => RESOLVED