Bug 31852

Summary: perl, perl-CPAN, perl-HTTP-Tiny new security issues CVE-2023-31484 and CVE-2023-31486
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: Perl Stack Maintainers <perl>
Status: NEW --- QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: geiger.david68210
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9TOO
Source RPM: perl-5.36.0-1.mga9.src.rpm, perl-CPAN-2.340.0-1.mga9.src.rpm, perl-HTTP-Tiny-0.82.0-1.mga9.src.rpm CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 30994    

Description David Walser 2023-05-01 16:27:01 CEST 
CVE-2023-31484 has been issued for insecure usage of HTTP::Tiny by CPAN.pm (in the perl and perl-CPAN packages) where it doesn't validate SSL certificates when using HTTPS.

CVE-2023-31486 has been issued for HTTP::Tiny itself for not validating certificates by default.

CVE assignment announcement and discussion thread:
https://www.openwall.com/lists/oss-security/2023/04/29/1
David Walser 2023-05-01 16:27:15 CEST

Whiteboard: (none) => MGA8TOO
Blocks: (none) => 30994

Comment 1 Lewis Smith 2023-05-01 20:31:31 CEST 
Assigning to the Perl stack maintainers.

Assignee: bugsquad => perl

Comment 2 David Walser 2023-06-20 14:44:30 CEST 
Ubuntu advisory for CVE-2023-31484 for perl from May 29:
https://ubuntu.com/security/notices/USN-6112-1
Comment 3 David GEIGER 2024-06-15 11:02:13 CEST 
Removing Mageia 8 from whiteboard due to EOL!

CC: (none) => geiger.david68210
Whiteboard: MGA8TOO => MGA9TOO