[ MDVSA-2015:207 ] perl-Module-Signature

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:207
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : perl-Module-Signature
 Date    : April 27, 2015
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated perl-Module-Signature package fixes the following security
 vulnerabilities reported by John Lightsey:
 
 Module::Signature could be tricked into interpreting the unsigned
 portion of a SIGNATURE file as the signed portion due to faulty
 parsing of the PGP signature boundaries.
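
 The boundary problem described above, shown as an added example that is not part of the advisory and is not Module::Signature's code or its fix. It is a strict extractor that returns only the lines inside the signed region of a cleartext-signed file and rejects input whose boundaries are ambiguous. The simplified SIGNATURE layout, the sample files and all names are assumptions, and the check complements verification of the signature itself rather than replacing it.

```python
import re

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

class BoundaryError(ValueError):
    """Not exactly one well-formed cleartext-signed block."""

def signed_lines(text):
    """Return only the lines inside the signed region, dash-unescaped."""
    lines = text.splitlines()
    pos = []
    # Each marker must occur exactly once, as a whole line, in order.
    for marker in (BEGIN_MSG, BEGIN_SIG, END_SIG):
        hits = [i for i, l in enumerate(lines) if l.rstrip() == marker]
        if len(hits) != 1:
            raise BoundaryError(f"expected one {marker!r}, found {len(hits)}")
        pos.append(hits[0])
    start, sig, end = pos
    if not start < sig < end:
        raise BoundaryError("markers out of order")
    # Armor headers such as "Hash: SHA1" end at the first empty line.
    body = start + 1
    while body < sig and lines[body] != "":
        if not re.fullmatch(r"Hash: [A-Za-z0-9, ]+", lines[body]):
            raise BoundaryError(f"unexpected armor header: {lines[body]!r}")
        body += 1
    if body >= sig:
        raise BoundaryError("no blank line after armor headers")
    out = []
    for line in lines[body + 1:sig]:
        if line.startswith("- "):
            line = line[2:]  # undo RFC 4880 dash-escaping
        elif line.startswith("-"):
            raise BoundaryError(f"unescaped dash line: {line!r}")
        out.append(line)
    return out

# Constructed samples (digests are placeholders, signature body elided).
SIGNED = f"{BEGIN_MSG}\nHash: SHA1\n\nSHA1 <digest-1> lib/Foo.pm\nSHA1 <digest-2> t/basic.t\n{BEGIN_SIG}\n(elided)\n{END_SIG}\n"
GOOD = "Unsigned preamble text.\n\n" + SIGNED
# Same file with a second header line injected into the unsigned preamble.
AMBIGUOUS = f"{BEGIN_MSG}\nHash: SHA1\n\nSHA1 <digest-3> t/extra.t\n\n" + SIGNED
```

 A consumer that reads digests only from the list `signed_lines` returns never sees preamble or trailer text, and a file like `AMBIGUOUS` is refused instead of being resolved by guesswork.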
 
 When verifying the contents of a CPAN module, Module::Signature
 ignored some files in the extracted tarball that were not listed in
 the signature file. This included some files in the t/ directory that
 would execute automaticall
