Subject: default urllist config is insecure
Date: Fri, 25 Oct 2019 14:39:00 +0200
To: bug-CPAN [...] rt.cpan.org
From: Vincent Lefevre <vincent [...] vinc17.net>
CPAN/FirstTime.pm 5.5314 from CPAN 2.27[*] contains:
    if ($auto_config) {
        if(@{ $CPAN::Config->{urllist} }) {
            $CPAN::Frontend->myprint(
                "Your 'urllist' is already configured. Type 'o conf init urllist' to change it.\n"
            );
        }
        else {
            $CPAN::Config->{urllist} = [ 'http://www.cpan.org/' ];
        }
    }
[*] https://metacpan.org/source/ANDK/CPAN-2.27/lib/CPAN/FirstTime.pm
http://www.cpan.org/ is insecure.
https://www.cpan.org/ (i.e. with https) should be used instead.
Note: This is important, as the only current way to ensure security
is to check CHECKSUMS, but this file is downloaded via urllist.
Using http instead of https allows MITM attacks.
Note: my Debian bug report:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942851
--
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
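Added example (Perl; not code from the report above nor from CPAN.pm): a small script that flags urllist entries fetched without TLS and proposes HTTPS replacements for the hosts it knows about, which is the check a packager or administrator would want before trusting the CHECKSUMS fetched through that list. The table of HTTPS-capable hosts, the function names and the sample urllist are all constructed for this example.

```perl
#!/usr/bin/perl
# Added example (not part of the bug report or of CPAN.pm itself):
# scan a CPAN 'urllist' for mirrors fetched over plain HTTP/FTP and
# rewrite the well-known ones to HTTPS, so that CHECKSUMS is no longer
# fetched over a channel an on-path attacker could tamper with.
use strict;
use warnings;

# Hosts assumed (for this example) to serve identical content over HTTPS.
# Verify a mirror really supports HTTPS before adding it here.
my %https_capable = map { $_ => 1 } qw(www.cpan.org cpan.metacpan.org);

# Return the urllist entries that are not fetched over HTTPS.
sub insecure_mirrors {
    my ($urllist) = @_;
    return grep { !m{^https://}i } @$urllist;
}

# Return a new urllist with http:// rewritten to https:// for hosts known
# to support it. Other entries are passed through unchanged, so a mirror
# without HTTPS is reported by insecure_mirrors() rather than silently
# broken.
sub secure_urllist {
    my ($urllist) = @_;
    my @out;
    for my $url (@$urllist) {
        if ($url =~ m{^http://([^/]+)(/.*)?$}i && $https_capable{ lc $1 }) {
            push @out, "https://$1" . ($2 // '/');
        }
        else {
            push @out, $url;
        }
    }
    return \@out;
}

# Constructed sample urllist, starting from the default quoted in the report.
my $urllist = [
    'http://www.cpan.org/',
    'ftp://ftp.example.org/pub/CPAN/',
    'https://cpan.metacpan.org/',
];

for my $bad ( insecure_mirrors($urllist) ) {
    print "insecure mirror: $bad\n";
}
my $fixed = secure_urllist($urllist);
print "proposed urllist: @$fixed\n";
for my $still_bad ( insecure_mirrors($fixed) ) {
    print "still insecure after rewrite, replace by hand: $still_bad\n";
}
```

The same two functions can be run over the live configuration (`$CPAN::Config->{urllist}` after `CPAN::HandleConfig->load`); the interactive fix is `o conf urllist https://www.cpan.org/` followed by `o conf commit` in the cpan shell. Rewriting the scheme only helps when the mirror actually answers on HTTPS, which is why the script keeps an explicit host table instead of blindly changing every URL.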