Skip Menu |

This queue is for tickets about the CPAN CPAN distribution.

Report information
The Basics
Id: 130819
Status: open
Priority: 0/
Queue: CPAN
People
Owner: Nobody in particular
Requestors: vincent [...] vinc17.net
Cc: gregoa [...] cpan.org
AdminCc:
Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)

History Show all quoted text
  Fri Oct 25 08:44:53 2019 vincent [...] vinc17.net - Ticket created
Subject: default urllist config is insecure
Date: Fri, 25 Oct 2019 14:39:00 +0200
To: bug-CPAN [...] rt.cpan.org
From: Vincent Lefevre <vincent [...] vinc17.net>
CPAN/FirstTime.pm 5.5314 from CPAN 2.27[*] contains: if ($auto_config) { if(@{ $CPAN::Config->{urllist} }) { $CPAN::Frontend->myprint( "Your 'urllist' is already configured. Type 'o conf init urllist' to change it.\n" ); } else { $CPAN::Config->{urllist} = [ 'http://www.cpan.org/' ]; } } [*] https://metacpan.org/source/ANDK/CPAN-2.27/lib/CPAN/FirstTime.pm http://www.cpan.org/ is insecure. https://www.cpan.org/ (i.e. with https) should be used instead. Note: This is important, as the only current way to ensure security is to check CHECKSUMS, but this file is downloaded via urllist. Using http instead of https allows MITM attacks. Note: my Debian bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942851 -- Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/> 100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/> Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
  Fri Oct 25 14:21:01 2019 gregoa [...] cpan.org - Cc GREGOA added
  Mon May 18 14:40:45 2020 david [...] weekly.org - Correspondence added
On Fri Oct 25 08:44:53 2019, vincent@vinc17.net wrote: Show quoted text
> CPAN/FirstTime.pm 5.5314 from CPAN 2.27[*] contains: > > if ($auto_config) { > if(@{ $CPAN::Config->{urllist} }) { > $CPAN::Frontend->myprint( > "Your 'urllist' is already configured. Type 'o conf init > urllist' to change it.\n" > ); > } > else { > $CPAN::Config->{urllist} = [ 'http://www.cpan.org/' ]; > } > } > > [*] https://metacpan.org/source/ANDK/CPAN-2.27/lib/CPAN/FirstTime.pm > > http://www.cpan.org/ is insecure. > https://www.cpan.org/ (i.e. with https) should be used instead. > > Note: This is important, as the only current way to ensure security > is to check CHECKSUMS, but this file is downloaded via urllist. > Using http instead of https allows MITM attacks. > > Note: my Debian bug report: > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942851
I'd love to see this happen. I've put together a pull request for CPAN that adds HTTPS support. It has languished for two years. https://github.com/andk/cpanpm/pull/119
  Mon May 18 14:40:46 2020 The RT System itself - Status changed from 'new' to 'open'