Bug 30994 - perl new security issue CVE-2020-16156
Summary: perl new security issue CVE-2020-16156
Status: RESOLVED OLD
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: Thierry Vignaud
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on: 31852
Blocks:
 
Reported: 2022-10-20 14:07 CEST by David Walser
Modified: 2024-01-12 10:28 CET

See Also:
Source RPM: perl-5.32.1-1.1.mga8.src.rpm
CVE:
Status comment:


Description David Walser 2022-10-20 14:07:46 CEST
+++ This bug was initially created as a clone of Bug #29878 +++

Fedora has issued an advisory today (January 12):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SZ32AJIV4RHJMLWLU5QULGKMMIHYOMDC/

The issue is fixed upstream in 2.29.

Ubuntu has issued an advisory for this on October 19:
https://ubuntu.com/security/notices/USN-5689-1

They patched the perl package itself.  Do we have a bundled copy of cpanpm in perl that we still need to fix?

David Walser 2023-05-01 16:27:15 CEST

Depends on: (none) => 31852

Comment 1 David Walser 2023-05-01 16:27:52 CEST
To answer my own question, yes the perl package does appear to bundle cpanpm and probably needs to be fixed.  Another issue in CPAN.pm is in Bug 31852.

Comment 2 Nicolas Salguero 2024-01-12 10:28:32 CET
Mageia 8 EOL

Resolution: (none) => OLD
CC: (none) => nicolas.salguero
Status: NEW => RESOLVED

