https://bugzilla.redhat.com/show_bug.cgi?id=2035341
--- Doc Text *updated* by Tomas Hoger <thoger(a)redhat.com> ---
A flaw was found in the way the perl-App-cpanminus performed verification of package
signatures stored in CHECKSUMS files. A malicious or compromised CPAN server used by the
user, or a man-in-the-middle attacker, could use this flaw to bypass signature
verification.
--- Comment #8 from Tomas Hoger <thoger(a)redhat.com> ---
The mitigation recommended by upstream is to ensure that users are only using
trusted CPAN mirrors (www.cpan.org or cpan.metacpan.org) and always use HTTPS
when downloading packages. The cpanm command can be configured to use the
specific CPAN mirror using the --from command line option by running it as:

  cpanm --from https://www.cpan.org ...

You can also set the environment variable PERL_CPANM_OPT to include this command
line option to avoid having to specify the URL for every cpanm invocation:

  export PERL_CPANM_OPT="--from https://www.cpan.org"
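As an added example (not part of the bug report or of cpanminus), the following POSIX shell check audits a cpanm option string against the mitigation in Comment #8: a mirror must be pinned with --from, it must be reached over HTTPS, and it must be one of the two mirrors upstream names. The function names and the TRUSTED_MIRRORS list are assumptions; extend the list only with a mirror you control.

```shell
#!/bin/sh
# Added example, not code from the bug report. Verifies that a cpanm option
# string pins a trusted CPAN mirror over HTTPS, as the upstream mitigation
# recommends. TRUSTED_MIRRORS is an assumption taken from Comment #8.

TRUSTED_MIRRORS="https://www.cpan.org https://cpan.metacpan.org"

# cpanm_mirror_ok OPTS
#   Returns 0 if OPTS contains "--from URL", "-M URL" or "--from=URL" where
#   URL is an HTTPS mirror listed in TRUSTED_MIRRORS (a trailing slash is
#   tolerated); returns 1 if no mirror is pinned, the scheme is not HTTPS,
#   or the host is not a trusted mirror.
cpanm_mirror_ok() {
    opts=$1
    url=""
    # Walk the option words; the mirror URL follows --from or -M.
    set -- $opts
    while [ $# -gt 0 ]; do
        case $1 in
            --from|-M) shift; url=$1 ;;
            --from=*)  url=${1#--from=} ;;
        esac
        if [ $# -gt 0 ]; then shift; fi
    done
    [ -n "$url" ] || return 1          # no mirror pinned at all
    url=${url%/}                       # normalise a trailing slash
    case $url in
        https://*) ;;                  # transport must be HTTPS
        *) return 1 ;;
    esac
    for m in $TRUSTED_MIRRORS; do
        [ "$url" = "$m" ] && return 0
    done
    return 1                           # HTTPS, but not a trusted mirror
}

# check_env: audit the current shell's PERL_CPANM_OPT, e.g. as a CI step.
check_env() {
    if cpanm_mirror_ok "${PERL_CPANM_OPT:-}"; then
        echo "PERL_CPANM_OPT pins a trusted HTTPS CPAN mirror"
    else
        echo "PERL_CPANM_OPT does not pin a trusted HTTPS mirror; set e.g." >&2
        echo '  export PERL_CPANM_OPT="--from https://www.cpan.org"' >&2
        return 1
    fi
}
```

Run check_env from a login script or CI job to fail early when a build would fetch packages from an unpinned or plain-HTTP mirror.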