[Bug 2035341] CVE-2020-16154 perl-App-cpanminus: Bypass of verification of signatures in CHECKSUMS files

https://bugzilla.redhat.com/show_bug.cgi?id=2035341


--- Doc Text *updated* by Tomas Hoger <thoger@xxxxxxxxxx> ---
A flaw was found in the way perl-App-cpanminus performed verification of package signatures stored in CHECKSUMS files. A malicious or compromised CPAN server used by the user, or a man-in-the-middle attacker, could use this flaw to bypass signature verification.


--- Comment #8 from Tomas Hoger <thoger@xxxxxxxxxx> ---
The mitigation recommended by upstream is to ensure that users are only using
trusted CPAN mirrors (www.cpan.org or cpan.metacpan.org) and always use HTTPS
when downloading packages. The cpanm command can be configured to use the
specific CPAN mirror using the --from command line option by running it as:

  cpanm --from https://www.cpan.org ...

You can also set environment variable PERL_CPANM_OPT to include this command
line option to avoid having to specify the URL for every cpanm invocation:

  export PERL_CPANM_OPT="--from https://www.cpan.org";


-- 
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2035341
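As an added illustration of the mitigation in comment #8 (example code written for this page, not part of the bug report or of App::cpanminus), the POSIX shell functions below inspect a PERL_CPANM_OPT value, extract the mirror pinned with --from, and check that it is an HTTPS URL on one of the two mirrors named above. The allowlist of hosts, the function names and the sample option strings are assumptions made for the example; the check only parses the --from option and does not otherwise model cpanm's option handling.

```shell
#!/bin/sh
# Added example: pre-flight check that cpanm is pinned to a trusted HTTPS mirror.
# Not code from App::cpanminus or from the bug report.

# Hosts named as trusted mirrors in the mitigation (assumed allowlist).
TRUSTED_MIRROR_HOSTS="www.cpan.org cpan.metacpan.org"

# mirror_from_opts "<PERL_CPANM_OPT value>"
# Prints the URL given to the first --from option ("--from URL" or "--from=URL").
# Returns 1 when no mirror is pinned.
mirror_from_opts() {
    # Split the option string on whitespace, like a shell would for cpanm.
    set -- $1
    while [ $# -gt 0 ]; do
        case "$1" in
            --from=*) printf '%s\n' "${1#*=}"; return 0 ;;
            --from)   if [ $# -ge 2 ]; then printf '%s\n' "$2"; return 0; fi; return 1 ;;
        esac
        shift
    done
    return 1
}

# check_mirror URL
# Returns 0 only when URL uses https:// and its host is in the allowlist.
check_mirror() {
    url=$1
    case "$url" in
        https://*) ;;
        *) echo "untrusted: mirror is not HTTPS: $url" >&2; return 1 ;;
    esac
    # Strip the scheme, then the path, then any :port to get the bare host.
    host=${url#https://}
    host=${host%%/*}
    host=${host%%:*}
    for t in $TRUSTED_MIRROR_HOSTS; do
        [ "$host" = "$t" ] && return 0
    done
    echo "untrusted: mirror host not in allowlist: $host" >&2
    return 1
}

# check_cpanm_env "<PERL_CPANM_OPT value>"
# Returns 0 only when a trusted HTTPS mirror is pinned via --from.
check_cpanm_env() {
    m=$(mirror_from_opts "$1") || {
        echo "no --from mirror pinned in PERL_CPANM_OPT" >&2
        return 1
    }
    check_mirror "$m"
}

# Constructed demonstration value (not a real environment):
check_cpanm_env "--from https://www.cpan.org --notest" && echo "ok: trusted HTTPS mirror pinned"
```

To check a real shell, call `check_cpanm_env "$PERL_CPANM_OPT"` after sourcing the file; a non-zero exit means cpanm would either fall back to its default mirror selection or use a mirror outside the allowlist.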