How to mitigate CVE-2020-16154 in perl-App-cpanminus and CVE-2020-16156 in perl-CPAN

Updated -

A flaw was found in the way perl-CPAN CVE-2020-16156 and perl-App-cpanminus CVE-2020-16154 performed verification of package signatures stored in CHECKSUMS files. A malicious or compromised CPAN server used by a user, or a man-in-the-middle attacker, could use this flaw to bypass signature verification.

To mitigate these issues, use the official CPAN repositories.


There is no upstream fix available. Follow the mitigation instructions described on the CVE-2020-16154 page.


All RHEL releases are affected, because signature verification is disabled by default in RHEL. To mitigate the issue, follow the mitigation instructions described on the CVE-2020-16156 page.

RHEL 9 provides an additional way to mitigate CVE-2020-16156. With the perl-CPAN 2.29 and perl-Module-Signature modules included in RHEL 9, you can enable signature checking for cpan.

To enable signature checking in cpan in RHEL 9:

  1. Run the cpan command without any options:

    $ cpan
  2. On the cpan command prompt, configure cpan to check signatures and save the configuration changes:

    o conf check_sigs 1
    o conf commit
  3. Optional: On the cpan command prompt, verify that secure verification is enabled:

    o conf check_sigs

    If the secure verification is enabled, the output of the command is as follows:

    check_sigs [1]

Additional resources