How to mitigate CVE-2020-16154 in perl-App-cpanminus and CVE-2020-16156 in perl-CPAN


A flaw was found in the way perl-CPAN (CVE-2020-16156) and perl-App-cpanminus (CVE-2020-16154) verified package signatures stored in CHECKSUMS files. A malicious or compromised CPAN server used by a user, or a man-in-the-middle attacker, could use this flaw to bypass signature verification.


To mitigate these issues, use the official CPAN repositories.

perl-App-cpanminus

There is no upstream fix available. Follow the mitigation instructions described on the CVE-2020-16154 page.

perl-CPAN

All RHEL releases are affected, because signature verification is disabled by default in RHEL. To mitigate the issue, follow the mitigation instructions described on the CVE-2020-16156 page.

RHEL 9 provides an additional way to mitigate CVE-2020-16156. With the perl-CPAN 2.29 and perl-Module-Signature modules included in RHEL 9, you can enable signature checking for cpan.

To enable signature checking in cpan in RHEL 9:

  1. Run the cpan command without any options:

    $ cpan
    
  2. On the cpan command prompt, configure cpan to check signatures and save the configuration changes:

    o conf check_sigs 1
    o conf commit
    
  3. Optional: On the cpan command prompt, verify that signature checking is enabled:

    o conf check_sigs

    If signature checking is enabled, the command prints:

    check_sigs [1]

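A scripted counterpart to the procedure above, added here as an example and not taken from the Red Hat article: a POSIX shell audit of the check_sigs value that cpan persists in MyConfig.pm, plus a non-interactive equivalent of steps 1 to 3 through CPAN's programmatic `CPAN::Shell->o` interface. The MyConfig.pm path and the `q[...]` value quoting are assumptions about cpan's on-disk layout, and the demo runs only against constructed files.

```shell
#!/bin/sh
# Added example, not Red Hat's code: audit and enforce the cpan check_sigs
# setting from a script instead of the interactive cpan prompt above.
#
# cpan persists "o conf ... ; o conf commit" as a Perl hash in MyConfig.pm
# (per user: ~/.cpan/CPAN/MyConfig.pm) with lines such as
#   'check_sigs' => q[1],
# Only that q[...] quoting, which cpan itself writes, is recognised here
# (assumption about the on-disk format).

# cpan_check_sigs_state FILE
# Prints enabled|disabled|unset|unreadable; returns 0 only when check_sigs is 1.
cpan_check_sigs_state() {
    file=$1
    [ -r "$file" ] || { echo "unreadable"; return 2; }
    value=$(sed -n "s/^[[:space:]]*'check_sigs'[[:space:]]*=>[[:space:]]*q\[\([^]]*\)].*/\1/p" "$file" | tail -n 1)
    case $value in
        "") echo "unset";    return 1 ;;
        1)  echo "enabled";  return 0 ;;
        *)  echo "disabled"; return 1 ;;
    esac
}

# cpan_enable_check_sigs
# Same effect as steps 1-3 (o conf check_sigs 1; o conf commit) without the
# prompt, for provisioning scripts. Needs perl-CPAN; perl-Module-Signature
# must also be installed or cpan cannot verify anything at install time.
cpan_enable_check_sigs() {
    perl -MCPAN -e 'CPAN::HandleConfig->load;
                    CPAN::Shell->o("conf", "check_sigs", 1);
                    CPAN::Shell->o("conf", "commit");'
}

# Stand-alone demo on constructed configs; no real cpan state is touched.
cpan_check_sigs_demo() {
    dir=$(mktemp -d)
    printf "%s\n" '$CPAN::Config = {' "  'check_sigs' => q[0]," '};' > "$dir/before.pm"
    printf "%s\n" '$CPAN::Config = {' "  'check_sigs' => q[1]," '};' > "$dir/after.pm"
    printf 'default RHEL config: %s\n' "$(cpan_check_sigs_state "$dir/before.pm")"
    printf 'after o conf commit: %s\n' "$(cpan_check_sigs_state "$dir/after.pm")"
    rm -rf "$dir"
}

cpan_check_sigs_demo
```

Because the audit function returns non-zero unless check_sigs is 1, it can serve directly as a compliance check in a configuration-management run.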
