This queue is for tickets about the CPAN CPAN distribution.

Report information
The Basics
Id: 130819
Status: new
Priority: 0/
Queue: CPAN

People
Owner: Nobody in particular
Requestors: vincent [...] vinc17.net
Cc: gregoa [...] cpan.org
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: default urllist config is insecure
Date: Fri, 25 Oct 2019 14:39:00 +0200
To: bug-CPAN [...] rt.cpan.org
From: Vincent Lefevre <vincent [...] vinc17.net>
CPAN/FirstTime.pm 5.5314 from CPAN 2.27[*] contains:

    if ($auto_config) {
        if(@{ $CPAN::Config->{urllist} }) {
            $CPAN::Frontend->myprint(
                "Your 'urllist' is already configured. Type 'o conf init urllist' to change it.\n"
            );
        } else {
            $CPAN::Config->{urllist} = [ 'http://www.cpan.org/' ];
        }
    }

[*] https://metacpan.org/source/ANDK/CPAN-2.27/lib/CPAN/FirstTime.pm

http://www.cpan.org/ is insecure. https://www.cpan.org/ (i.e. with https)
should be used instead.

Note: This is important, as the only current way to ensure security is to
check CHECKSUMS, but this file is downloaded via urllist. Using http
instead of https allows MITM attacks.

Note: my Debian bug report:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942851

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
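The point of the report is that a urllist entry fetched over plain http lets an on-path attacker substitute both the tarball and the CHECKSUMS file that is supposed to vouch for it. The script below is an added example, not code from the ticket or from the CPAN distribution: it audits a urllist for entries that are not https:// and shows the hardened value. The functions insecure_mirrors and harden_urllist are hypothetical helpers written for this illustration, and the sample urllist is constructed (it is the default that FirstTime.pm 5.5314 installs, quoted above).

```perl
#!/usr/bin/env perl
# Added example (not part of the ticket or of CPAN.pm): audit a CPAN
# urllist for mirrors that are not fetched over https and show the
# hardened replacement. Helper names and the sample urllist are
# constructed for illustration.
use strict;
use warnings;

# Return every urllist entry an on-path attacker can tamper with:
# anything whose scheme is not https (plain http, ftp, ...).
sub insecure_mirrors {
    my ($urllist) = @_;
    return grep { $_ !~ m{\Ahttps://}i } @$urllist;
}

# Rewrite plain-http entries to https. Other schemes (ftp://, file://)
# are left untouched so a person can decide what to do with them.
sub harden_urllist {
    my ($urllist) = @_;
    return [ map { my $u = $_; $u =~ s{\Ahttp://}{https://}i; $u } @$urllist ];
}

# Constructed sample: the default written by FirstTime.pm 5.5314.
my $default = [ 'http://www.cpan.org/' ];

my @bad = insecure_mirrors($default);
if (@bad) {
    print "insecure urllist entries (CHECKSUMS fetched over these can be forged):\n";
    print "  $_\n" for @bad;
    my $fixed = harden_urllist($default);
    print "suggested urllist: @$fixed\n";
} else {
    print "urllist uses https only\n";
}
```

To apply the hardened value to a real installation, use the cpan shell's own configuration commands rather than editing MyConfig.pm by hand: `o conf urllist https://www.cpan.org/` followed by `o conf commit`. The audit above only inspects the scheme; it does not verify that the mirror's TLS certificate chains to a trusted CA, which is the job of the HTTP client CPAN.pm ends up using.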

