New Debian perl 5.28.1-6+deb10u2 fixes

This update addresses the following issues:

5.28.1-6+deb10u2 (Sun, 20 Oct 2024 17:24:24 +0000)

* Non maintainer upload by the ELTS team
* Fix CVE-2020-16156: An attacker can prepend checksums for modified packages to the beginning of CHECKSUMS files, before the cleartext PGP headers. This makes the Module::Signature::_verify() checks in both cpan and cpanm pass. Without the sigtext and plaintext arguments to _verify(), the _compare() check is bypassed. This results in _verify() only checking that valid signed cleartext is present somewhere in the file.
* Fix CVE-2023-31484: CPAN.pm does not verify TLS certificates when downloading distributions over HTTPS.
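The CVE-2020-16156 bypass works because the verifier only required a valid signed message to appear somewhere in the file and then parsed the whole file. The following is an added example, not code from Debian, CPAN.pm or Module::Signature, of the structural check a hardened consumer of CHECKSUMS needs: the cleartext-signed message must start at byte 0, there must be exactly one, and only the text under the signature is handed on to the checksum parser. It assumes the cryptographic verification of the armored signature is done separately (gpg / Module::Signature); the two sample files are constructed.

```perl
#!/usr/bin/perl
# Added example, not code from Debian, CPAN.pm or Module::Signature.
# Structural check for a CHECKSUMS file: exactly one PGP cleartext-signed
# message, starting at byte 0, and only the text under the signature is
# returned for parsing. Cryptographic verification of the armored signature
# is assumed to happen elsewhere (gpg / Module::Signature) and is not done here.
use strict;
use warnings;

# Returns ($signed_text, undef) on success or (undef, $reason) on rejection.
sub extract_signed_cleartext {
    my ($blob) = @_;
    my $begin = "-----BEGIN PGP SIGNED MESSAGE-----\n";
    my $sig   = "-----BEGIN PGP SIGNATURE-----\n";

    # Anything before the header (prepended checksums, comments, blank lines)
    # is rejected; the vulnerable path accepted a header found anywhere.
    return (undef, "data before cleartext header") unless index($blob, $begin) == 0;

    # Exactly one signed message in the file.
    my $n = () = $blob =~ /^-----BEGIN PGP SIGNED MESSAGE-----$/mg;
    return (undef, "expected one signed message, found $n") unless $n == 1;

    my $sig_pos = index($blob, $sig);
    return (undef, "missing signature block") if $sig_pos < 0;

    # Armor headers (e.g. "Hash: SHA256") end at the first blank line.
    my $hdr_end = index($blob, "\n\n", length $begin);
    return (undef, "malformed armor header") if $hdr_end < 0 || $hdr_end > $sig_pos;

    my $text = substr($blob, $hdr_end + 2, $sig_pos - $hdr_end - 2);
    $text =~ s/^- //mg;    # undo the dash-escaping cleartext signatures apply
    return ($text, undef);
}

# Constructed sample files; the armored signature body is a placeholder.
my $good = "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
    . "\$cksum = { 'Foo-1.0.tar.gz' => { sha256 => 'PLACEHOLDER' } };\n"
    . "-----BEGIN PGP SIGNATURE-----\n<armored signature omitted>\n"
    . "-----END PGP SIGNATURE-----\n";
my $tampered = "\$cksum = { 'Foo-1.0.tar.gz' => { sha256 => 'OTHER' } };\n" . $good;

for my $case ([clean => $good], [prepended => $tampered]) {
    my ($name, $blob) = @$case;
    my ($text, $err)  = extract_signed_cleartext($blob);
    print "$name: ", (defined $text ? "accepted; parse only the " . length($text)
                                    . " signed bytes\n" : "rejected ($err)\n");
}
```

The caller must evaluate the returned signed text, never the original file contents, otherwise a prepended stanza is still what gets parsed.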
--- mirror/ftp/pool/main/p/perl/perl_5.28.1-6+deb10u1.dsc +++ apt/ucs_5.0-0-errata5.0-9/source/perl_5.28.1-6+deb10u2.dsc @@ -1,3 +1,21 @@ +5.28.1-6+deb10u2 [Sun, 20 Oct 2024 17:24:24 +0000] Bastien Roucariès <rouca@debian.org>: + + * Non maintainer upload by the ELTS team + * Fix CVE-2020-16156: + An attacker can prepend checksums for modified + packages to the beginning of CHECKSUMS files, + before the cleartext PGP headers. This makes + the Module::Signature::_verify() checks + in both cpan and cpanm pass. + Without the sigtext and plaintext arguments + to _verify(), the _compare() check is bypassed. + This results in _verify() only checking that + valid signed cleartext is present somewhere + in the file. + * Fix CVE-2023-31484: + CPAN.pm does not verify TLS certificates + when downloading distributions over HTTPS. + 5.28.1-6+deb10u1 [Tue, 21 Jul 2020 20:27:00 +0100] Dominic Hargreaves <dom@earth.li>: * Multiple regexp security fixes (Closes: #962005) <http://piuparts.knut.univention.de/5.0-9/#6495825273536911697>
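Review bot: the new changelog stanza describes the two vulnerabilities but not what was changed to fix them; naming the applied upstream patches or the affected code paths (the Module::Signature::_verify() call in cpan/cpanm for CVE-2020-16156, the HTTPS download path in CPAN.pm for CVE-2023-31484) would let users and the next uploader see what differs from 5.28.1-6+deb10u1. The CVE-2023-31484 entry should also state the user-visible effect of now verifying TLS certificates, i.e. what happens when a mirror's certificate fails verification, since that is a behaviour change for existing installations, and a Closes: reference as in the deb10u1 entry would help tracking.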
Checks: bug OK, yaml OK, announce_errata OK, patch OK, piuparts OK [5.0-9]

Commit 3ad833e617, Bug #57716: perl 5.28.1-6+deb10u2
 doc/errata/staging/perl.yaml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
<https://errata.software-univention.de/#/?erratum=5.0x1157>