Bug 31852 - perl, perl-CPAN, perl-HTTP-Tiny new security issues CVE-2023-31484 and CVE-2023-31486
Summary: perl, perl-CPAN, perl-HTTP-Tiny new security issues CVE-2023-31484 and CVE-20...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on: 34209 34448
Blocks: 30994
Reported: 2023-05-01 16:27 CEST by David Walser
Modified: 2025-11-12 22:33 CET
4 users

See Also:
Source RPM: perl-CPAN-2.340.0-1.mga9.src.rpm, perl-HTTP-Tiny-0.82.0-1.mga9.src.rpm
CVE: CVE-2023-31484, CVE-2023-31486
Status comment:


Description David Walser 2023-05-01 16:27:01 CEST
CVE-2023-31484 has been issued for insecure usage of HTTP::Tiny by CPAN.pm (in the perl and perl-CPAN packages) where it doesn't validate SSL certificates when using HTTPS.

CVE-2023-31486 has been issued for HTTP::Tiny itself for not validating certificates by default.

CVE assignment announcement and discussion thread:
https://www.openwall.com/lists/oss-security/2023/04/29/1
David Walser 2023-05-01 16:27:15 CEST

Blocks: (none) => 30994
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2023-05-01 20:31:31 CEST
Assigning to the Perl stack maintainers.

Assignee: bugsquad => perl

Comment 2 David Walser 2023-06-20 14:44:30 CEST
Ubuntu advisory for CVE-2023-31484 for perl from May 29:
https://ubuntu.com/security/notices/USN-6112-1
Comment 3 David GEIGER 2024-06-15 11:02:13 CEST
Removing Mageia 8 from whiteboard due to EOL!

Whiteboard: MGA8TOO => MGA9TOO
CC: (none) => geiger.david68210

Nicolas Salguero 2025-11-10 15:51:22 CET

Depends on: (none) => 34209

Nicolas Salguero 2025-11-10 15:51:32 CET

CC: (none) => nicolas.salguero
Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)

Comment 4 Nicolas Salguero 2025-11-10 16:04:53 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. (CVE-2023-31484)

HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates. (CVE-2023-31486)

References:
https://www.openwall.com/lists/oss-security/2023/04/29/1
========================

Updated packages in core/updates_testing:
========================
perl-CPAN-2.340.0-1.1.mga9
perl-HTTP-Tiny-0.82.0-1.1.mga9

from SRPM:
perl-CPAN-2.340.0-1.1.mga9.src.rpm
perl-HTTP-Tiny-0.82.0-1.1.mga9.src.rpm

CVE: (none) => CVE-2023-31484, CVE-2023-31486
Source RPM: perl-5.36.0-1.mga9.src.rpm, perl-CPAN-2.340.0-1.mga9.src.rpm, perl-HTTP-Tiny-0.82.0-1.mga9.src.rpm => perl-CPAN-2.340.0-1.mga9.src.rpm, perl-HTTP-Tiny-0.82.0-1.mga9.src.rpm
Assignee: perl => qa-bugs
Status: NEW => ASSIGNED
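
As an added example (not code from this bug report, from the HTTP::Tiny distribution or from CPAN.pm), the Perl script below puts the weak HTTP::Tiny configuration that CVE-2023-31486 describes beside the hardened one, and first reports what the installed module does when no verify_SSL argument is given. That last check matters here because Mageia ships the fix as a release bump of the same upstream version (0.82.0-1.1.mga9), so the version number alone does not tell you whether the default changed; asking a fresh HTTP::Tiny object for its verify_SSL setting does. It assumes a Perl with IO::Socket::SSL and Net::SSLeay installed, network access to self-signed.badssl.com (a test host chosen for this example, not mentioned on the page), and, in the commented-out line, the CA bundle path used on Mageia (an assumption; HTTP::Tiny searches the usual system locations when it is not given one).

```perl
#!/usr/bin/perl
# Added example for CVE-2023-31486; not from the Mageia bug, HTTP::Tiny or CPAN.pm.
use strict;
use warnings;
use HTTP::Tiny;

# Assumption: a host that deliberately serves a self-signed certificate, so the
# difference between the two configurations is visible. Any HTTPS URL works.
my $URL = 'https://self-signed.badssl.com/';

# What this installation does when verify_SSL is not given. An unpatched
# HTTP::Tiny before 0.083 answers 0; 0.083, or a package carrying the fix
# (such as perl-HTTP-Tiny-0.82.0-1.1.mga9), answers 1.
sub default_verify { return HTTP::Tiny->new->verify_SSL ? 1 : 0 }

# Insecure configuration: the pre-fix default, spelled out explicitly so the
# script behaves the same on patched and unpatched installations.
sub lax_client { return HTTP::Tiny->new( timeout => 10, verify_SSL => 0 ) }

# Hardened configuration: the caller opts in to certificate verification.
# SSL_options is passed through to IO::Socket::SSL; pinning the CA bundle is
# optional, and the path shown is Mageia's (an assumption).
sub strict_client {
    return HTTP::Tiny->new(
        timeout    => 10,
        verify_SSL => 1,
        # SSL_options => { SSL_ca_file => '/etc/pki/tls/certs/ca-bundle.crt' },
    );
}

# Fetch $url with the given client and return a one-line verdict. HTTP::Tiny
# reports transport and TLS failures as status 599 with the error text in
# 'content', so a rejected certificate shows up there rather than as a die.
sub probe {
    my ( $ua, $url ) = @_;
    # can_ssl checks IO::Socket::SSL/Net::SSLeay and, when verify_SSL is on,
    # that a CA file can be found; without it the TLS handshake cannot happen.
    my ( $ok, $why ) = $ua->can_ssl;
    return "tls unavailable: $why" unless $ok;
    my $res = $ua->get($url);
    return $res->{success}
        ? "accepted (HTTP $res->{status})"
        : "rejected ($res->{status}: $res->{content})";
}

printf "HTTP::Tiny %s, verify_SSL default = %d\n", HTTP::Tiny->VERSION, default_verify();
printf "%-7s %s\n", 'lax:',    probe( lax_client(),    $URL );
printf "%-7s %s\n", 'strict:', probe( strict_client(), $URL );
```

Run it before and after installing the updated perl-HTTP-Tiny package: the default line should move from 0 to 1, the lax client accepts the self-signed host in both cases (that is the behaviour the CVE describes, reproduced on purpose), and the strict client rejects it with a 599 and the IO::Socket::SSL verification error. Code that must keep working on unpatched systems should pass verify_SSL => 1 explicitly rather than rely on the new default.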

katnatek 2025-11-11 00:13:57 CET

Keywords: (none) => advisory

Comment 5 katnatek 2025-11-12 02:44:49 CET
Tested with some other perl in testing

LC_ALL=C urpmi /home/katnatek/qa-testing/x86_64/perl*

installing perl-5.36.0-1.2.mga9.x86_64.rpm perl-base-5.36.0-1.2.mga9.x86_64.rpm perl-doc-5.36.0-1.2.mga9.noarch.rpm from /home/katnatek/qa-testing/x86_64
Preparing...                     ####################################################################################################
      1/3: perl-base             ####################################################################################################
      2/3: perl                  ####################################################################################################
      3/3: perl-doc              ####################################################################################################
      1/3: removing perl-doc-2:5.36.0-1.1.mga9.noarch
                                 ####################################################################################################
      2/3: removing perl-2:5.36.0-1.1.mga9.x86_64
                                 ####################################################################################################
      3/3: removing perl-base-2:5.36.0-1.1.mga9.x86_64
                                 ####################################################################################################
restarting urpmi
Packages perl-5.36.0-1.2.mga9.x86_64, perl-doc-5.36.0-1.2.mga9.noarch, perl-base-5.36.0-1.2.mga9.x86_64 are already installed
Marking perl as manually installed, it won't be auto-orphaned
Marking perl-doc as manually installed, it won't be auto-orphaned
Marking perl-base as manually installed, it won't be auto-orphaned
writing /var/lib/rpm/installed-through-deps.list
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Release")
  perl-Archive-Zip               1.680.0      2.mga9        noarch  
  perl-CPAN-Checksums            2.140.0      2.mga9        noarch  
  perl-CPAN-Perl-Releases        5.202.302.2> 1.mga9        noarch  
  perl-Compress-Bzip2            2.280.0      4.mga9        x86_64  
  perl-Data-Compare              1.270.0      3.mga9        noarch  
  perl-Expect                    1.350.0      6.mga9        noarch  
  perl-File-Find-Rule            0.340.0      5.mga9        noarch  
  perl-File-HomeDir              1.6.0        2.mga9        noarch  
  perl-File-Which                1.270.0      2.mga9        noarch  
  perl-IO-Tty                    1.170.0      1.mga9        x86_64  
  perl-Log-Dispatch              2.700.0      2.mga9        noarch  
  perl-Log-Log4perl              1.570.0      1.mga9        noarch  
  perl-Mail-Sender               0.903.0      4.mga9        noarch  
  perl-Mail-Sendmail             0.800.0      5.mga9        noarch  
  perl-Module-Signature          0.880.0      2.mga9        noarch  
  perl-Number-Compare            0.30.0       10.mga9       noarch  
  perl-Text-Glob                 0.110.0      4.mga9        noarch  
  perl-XML-DOM                   1.460.0      4.mga9        noarch  
  perl-XML-RegExp                0.40.0       10.mga9       noarch  
  perl-YAML-Syck                 1.340.0      4.mga9        x86_64  
  perl-libxml-perl               0.80.0       11.mga9       noarch  
  systemtap-sdt-devel            4.8          2.mga9        x86_64  
(command line)
  perl-CPAN                      2.340.0      1.1.mga9      noarch  
  perl-HTTP-Tiny                 0.82.0       1.1.mga9      noarch  
  perl-YAML-LibYAML              0.860.0      1.1.mga9      x86_64  
  perl-devel                     5.36.0       1.2.mga9      x86_64  
7.2MB of additional disk space will be used.
2.2MB of packages will be retrieved.
Proceed with the installation of the 26 packages? (Y/n) y


    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/systemtap-sdt-devel-4.8-2.mga9.x86_64.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-Mail-Sender-0.903.0-4.mga9.noarch.rpm       
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-CPAN-Checksums-2.140.0-2.mga9.noarch.rpm    
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-XML-RegExp-0.40.0-10.mga9.noarch.rpm        
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-Expect-1.350.0-6.mga9.noarch.rpm            
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-Number-Compare-0.30.0-10.mga9.noarch.rpm    
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-CPAN-Perl-Releases-5.202.302.200-1.mga9.noarch.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-Module-Signature-0.880.0-2.mga9.noarch.rpm  
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-Mail-Sendmail-0.800.0-5.mga9.noarch.rpm     
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-Text-Glob-0.110.0-4.mga9.noarch.rpm         
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-Archive-Zip-1.680.0-2.mga9.noarch.rpm       
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-Data-Compare-1.270.0-3.mga9.noarch.rpm      
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-XML-DOM-1.460.0-4.mga9.noarch.rpm           
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-File-Find-Rule-0.340.0-5.mga9.noarch.rpm    
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-Compress-Bzip2-2.280.0-4.mga9.x86_64.rpm    
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-libxml-perl-0.80.0-11.mga9.noarch.rpm       
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-Log-Log4perl-1.570.0-1.mga9.noarch.rpm      
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-Log-Dispatch-2.700.0-2.mga9.noarch.rpm      
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-IO-Tty-1.170.0-1.mga9.x86_64.rpm            
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-File-Which-1.270.0-2.mga9.noarch.rpm        
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-File-HomeDir-1.6.0-2.mga9.noarch.rpm        
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-YAML-Syck-1.340.0-4.mga9.x86_64.rpm         
installing /home/katnatek/qa-testing/x86_64/perl-devel-5.36.0-1.2.mga9.x86_64.rpm                                                     
/var/cache/urpmi/rpms/perl-CPAN-Perl-Releases-5.202.302.200-1.mga9.noarch.rpm
/var/cache/urpmi/rpms/perl-XML-RegExp-0.40.0-10.mga9.noarch.rpm
/var/cache/urpmi/rpms/perl-Expect-1.350.0-6.mga9.noarch.rpm
/var/cache/urpmi/rpms/perl-CPAN-Checksums-2.140.0-2.mga9.noarch.rpm
/var/cache/urpmi/rpms/perl-YAML-Syck-1.340.0-4.mga9.x86_64.rpm
/var/cache/urpmi/rpms/perl-libxml-perl-0.80.0-11.mga9.noarch.rpm
/var/cache/urpmi/rpms/perl-Log-Dispatch-2.700.0-2.mga9.noarch.rpm
/home/katnatek/qa-testing/x86_64/perl-YAML-LibYAML-0.860.0-1.1.mga9.x86_64.rpm
/var/cache/urpmi/rpms/perl-Mail-Sendmail-0.800.0-5.mga9.noarch.rpm
/var/cache/urpmi/rpms/perl-Archive-Zip-1.680.0-2.mga9.noarch.rpm
/var/cache/urpmi/rpms/perl-Number-Compare-0.30.0-10.mga9.noarch.rpm
/var/cache/urpmi/rpms/perl-Module-Signature-0.880.0-2.mga9.noarch.rpm
/home/katnatek/qa-testing/x86_64/perl-HTTP-Tiny-0.82.0-1.1.mga9.noarch.rpm
/var/cache/urpmi/rpms/systemtap-sdt-devel-4.8-2.mga9.x86_64.rpm
/var/cache/urpmi/rpms/perl-Mail-Sender-0.903.0-4.mga9.noarch.rpm
/var/cache/urpmi/rpms/perl-IO-Tty-1.170.0-1.mga9.x86_64.rpm
/var/cache/urpmi/rpms/perl-File-Which-1.270.0-2.mga9.noarch.rpm
/var/cache/urpmi/rpms/perl-File-HomeDir-1.6.0-2.mga9.noarch.rpm
/var/cache/urpmi/rpms/perl-Compress-Bzip2-2.280.0-4.mga9.x86_64.rpm
/var/cache/urpmi/rpms/perl-Log-Log4perl-1.570.0-1.mga9.noarch.rpm
/home/katnatek/qa-testing/x86_64/perl-CPAN-2.340.0-1.1.mga9.noarch.rpm
/var/cache/urpmi/rpms/perl-XML-DOM-1.460.0-4.mga9.noarch.rpm
/var/cache/urpmi/rpms/perl-File-Find-Rule-0.340.0-5.mga9.noarch.rpm
/var/cache/urpmi/rpms/perl-Text-Glob-0.110.0-4.mga9.noarch.rpm
/var/cache/urpmi/rpms/perl-Data-Compare-1.270.0-3.mga9.noarch.rpm
Preparing...                     ####################################################################################################
     1/26: perl-Text-Glob        ####################################################################################################
     2/26: perl-Compress-Bzip2   ####################################################################################################
     3/26: perl-File-Which       ####################################################################################################
     4/26: perl-Module-Signature ####################################################################################################
     5/26: perl-File-HomeDir     ####################################################################################################
     6/26: perl-IO-Tty           ####################################################################################################
     7/26: perl-Expect           ####################################################################################################
     8/26: perl-Mail-Sender      ####################################################################################################
     9/26: systemtap-sdt-devel   ####################################################################################################
    10/26: perl-HTTP-Tiny        ####################################################################################################
    11/26: perl-Number-Compare   ####################################################################################################
    12/26: perl-File-Find-Rule   ####################################################################################################
    13/26: perl-Data-Compare     ####################################################################################################
    14/26: perl-CPAN-Checksums   ####################################################################################################
    15/26: perl-Archive-Zip      ####################################################################################################
    16/26: perl-Mail-Sendmail    ####################################################################################################
    17/26: perl-Log-Dispatch     ####################################################################################################
    18/26: perl-YAML-LibYAML     ####################################################################################################
    19/26: perl-libxml-perl      ####################################################################################################
    20/26: perl-YAML-Syck        ####################################################################################################
    21/26: perl-XML-RegExp       ####################################################################################################
    22/26: perl-XML-DOM          ####################################################################################################
    23/26: perl-Log-Log4perl     ####################################################################################################
    24/26: perl-CPAN-Perl-Releases
                                 ####################################################################################################
    25/26: perl-CPAN             ####################################################################################################
    26/26: perl-devel            ####################################################################################################

The restart of urpmi and the end of installation without issues are a good signal
mcc works OK after the update

As I do not find previous information, I give OK on clean install

Whiteboard: (none) => MGA9-64-OK
Depends on: (none) => 34448

Comment 6 Thomas Andrews 2025-11-12 19:16:22 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 7 Mageia Robot 2025-11-12 22:33:30 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0276.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

