31852 – perl, perl-CPAN, perl-HTTP-Tiny new security issues CVE-2023-31484 and CVE-2023-31486

Bug 31852 - perl, perl-CPAN, perl-HTTP-Tiny new security issues CVE-2023-31484 and CVE-2023-31486

Summary: perl, perl-CPAN, perl-HTTP-Tiny new security issues CVE-2023-31484 and CVE-20...

Status:	NEW

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	Cauldron
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	Perl Stack Maintainers
QA Contact:	Sec team

URL:
Whiteboard:	MGA9TOO
Keywords:

Depends on:
Blocks:	30994
	Show dependency tree / graph

Reported:	2023-05-01 16:27 CEST by David Walser
Modified:	2024-06-15 11:02 CEST (History)
CC List:	1 user (show)

See Also:
Source RPM:	perl-5.36.0-1.mga9.src.rpm, perl-CPAN-2.340.0-1.mga9.src.rpm, perl-HTTP-Tiny-0.82.0-1.mga9.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2023-05-01 16:27:01 CEST

CVE-2023-31484 has been issued for insecure usage of HTTP::Tiny by CPAN.pm (in the perl and perl-CPAN packages) where it doesn't validate SSL certificates when using HTTPS.

CVE-2023-31486 has been issued for HTTP::Tiny itself for not validating certificates by default.

CVE assignment announcement and discussion thread:
https://www.openwall.com/lists/oss-security/2023/04/29/1

David Walser 2023-05-01 16:27:15 CEST

Whiteboard: (none) => MGA8TOO
Blocks: (none) => 30994

Comment 1 Lewis Smith 2023-05-01 20:31:31 CEST

Assigning to the Perl stack maintainers.

Assignee: bugsquad => perl

Comment 2 David Walser 2023-06-20 14:44:30 CEST

Ubuntu advisory for CVE-2023-31484 for perl from May 29:
https://ubuntu.com/security/notices/USN-6112-1

Comment 3 David GEIGER 2024-06-15 11:02:13 CEST

Removing Mageia 8 from whiteboard due to EOL!

CC: (none) => geiger.david68210
Whiteboard: MGA8TOO => MGA9TOO

Note You need to log in before you can comment on or make changes to this bug.