Debian dla-3926 : libperl-dev - security update

high Nessus Plugin ID 209443

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3926 advisory.

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3926-1                     [email protected]
https://www.debian.org/lts/security/                    Guilhem Moulin
October 21, 2024                           https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : perl
Version        : 5.32.1-4+deb11u4
CVE ID         : CVE-2020-16156 CVE-2023-31484
Debian Bug     : 1015985 1035109

Vulnerabilities were found in Perl's CPAN.pm, which could lead CPAN clients to install malicious modules.

CVE-2020-16156

Stig Palmquist discovered that an attacker can prepend checksums for modified packages to the beginning of CHECKSUMS files, before the cleartext PGP headers, resulting in signature verification bypass.

CPAN.pm has been updated so that when configured to validate the signature on CHECKSUMS, it will refuse to install a tarball if the associated CHECKSUMS file isn't signed. The gpg(1) executable is required in order to validate signatures.

CVE-2023-31484

Stig Palmquist discovered that CPAN::HTTP::Client did not verify X.509 certificates in the HTTP::Tiny call, which could allow an attacker to MITM the connection with the CPAN mirror.

CPAN::HTTP::Client now enables the `verify_SSL` flag. HTTPS mirrors therefore require a valid certificate. The identity of the default mirror https://cpan.org can be verified after installing the 'ca-certificates' package.

For Debian 11 bullseye, these problems have been fixed in version 5.32.1-4+deb11u4.

We recommend that you upgrade your perl packages.

For the detailed security status of perl please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/perl

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
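The following Python is an added example, not code from the advisory, from CPAN.pm or from Tenable, illustrating the CVE-2020-16156 failure mode on a constructed CHECKSUMS file. A reader that treats the whole file as data (as evaluating it as Perl does) stops at the first __END__ token, so a hash table prepended before the cleartext PGP headers shadows the signed one; a reader that takes entries only from the clearsigned body still sees the genuine hash. The tarball bytes, hashes, filename and the signature block are constructed placeholders, and the signature itself is not verified here; gpg(1) must do that over exactly the extracted body.

```python
"""Added example (not CPAN.pm code): take CHECKSUMS entries only from the
clearsigned body, never from the file as a whole."""
import hashlib
import hmac
import re

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"

# Constructed sample data: tarball bytes, hashes and the signature block are
# placeholders for this demo, not real CPAN artefacts.
GENUINE_TARBALL = b"genuine Foo-Bar-1.00.tar.gz contents"
GENUINE_SHA256 = hashlib.sha256(GENUINE_TARBALL).hexdigest()
TROJAN_TARBALL = b"trojaned Foo-Bar-1.00.tar.gz contents"
TROJAN_SHA256 = hashlib.sha256(TROJAN_TARBALL).hexdigest()

# Layout of a CHECKSUMS file: one line of Perl, then a clearsigned Perl hash
# terminated by __END__, then the armored signature.
GENUINE_CHECKSUMS = f"""0&&<<''; # this PGP-signed message is also valid perl
{BEGIN_SIGNED}
Hash: SHA256

# Checksums for this directory
$cksum = {{
  'Foo-Bar-1.00.tar.gz' => {{
    'sha256' => '{GENUINE_SHA256}',
    'size' => {len(GENUINE_TARBALL)}
  }},
}};
__END__
{BEGIN_SIG}
placeholder-signature-block-constructed-for-this-example
-----END PGP SIGNATURE-----
"""

# What a hostile mirror serves: a second hash table plus __END__ prepended
# before the cleartext PGP headers; the signed text is byte-for-byte intact.
PREPENDED_CHECKSUMS = f"""$cksum = {{
  'Foo-Bar-1.00.tar.gz' => {{ 'sha256' => '{TROJAN_SHA256}' }},
}};
__END__
""" + GENUINE_CHECKSUMS


class ChecksumsError(Exception):
    pass


# Minimal reader for the subset of Perl hash syntax CHECKSUMS uses.
ENTRY_RE = re.compile(r"'([^']+)'\s*=>\s*\{(.*?)\}", re.S)
SHA256_RE = re.compile(r"'sha256'\s*=>\s*'([0-9a-f]{64})'")


def parse_hash(perl_text):
    """Map tarball name -> sha256 hex for every entry in the text."""
    entries = {}
    for name, fields in ENTRY_RE.findall(perl_text):
        match = SHA256_RE.search(fields)
        if match:
            entries[name] = match.group(1)
    return entries


def naive_parse(text):
    """Vulnerable pattern: the whole file is the data. Evaluating it as Perl
    stops at the first __END__, so an attacker's prepended table wins and
    the signed table is never reached."""
    program = text.split("\n__END__\n", 1)[0]
    return parse_hash(program)


def signed_body(text):
    """Return the dash-unescaped cleartext the signature covers (RFC 4880,
    section 7); refuse files that are not clearsigned at all."""
    lines = text.splitlines()
    try:
        start = lines.index(BEGIN_SIGNED)
    except ValueError:
        raise ChecksumsError("CHECKSUMS is not PGP-signed; refusing to install")
    i = start + 1
    while i < len(lines) and lines[i].strip():  # armor headers such as Hash:
        i += 1
    body_start = i + 1
    try:
        sig_start = lines.index(BEGIN_SIG, body_start)
    except ValueError:
        raise ChecksumsError("clearsigned block has no signature")
    body = [ln[2:] if ln.startswith("- ") else ln for ln in lines[body_start:sig_start]]
    return "\n".join(body)


def strict_parse(text):
    """Hardened pattern: entries come only from the signed body. gpg(1) must
    still verify the signature over exactly that body (assumed to run
    alongside; not reproduced here)."""
    return parse_hash(signed_body(text))


def tarball_matches(entries, name, data):
    """Constant-time comparison of a downloaded tarball against its entry."""
    expected = entries.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected)
```

With the hostile file, naive_parse returns the trojan's hash while strict_parse returns the genuine one, and tarball_matches rejects the trojaned tarball. The ChecksumsError raised for a file with no BEGIN PGP SIGNED MESSAGE line corresponds to the behaviour the advisory describes for the fixed CPAN.pm when signature checking is enabled: an unsigned CHECKSUMS file is not used at all.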

Solution

Upgrade the libperl-dev packages.

See Also

https://security-tracker.debian.org/tracker/source-package/perl

https://security-tracker.debian.org/tracker/CVE-2020-16156

https://security-tracker.debian.org/tracker/CVE-2023-31484

https://packages.debian.org/source/bullseye/perl

Plugin Details

Severity: High

ID: 209443

File Name: debian_DLA-3926.nasl

Version: 1.1

Type: local

Agent: unix

Published: 10/21/2024

Updated: 10/21/2024

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2020-16156

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.3

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2023-31484

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:perl-modules-5.32, p-cpe:/a:debian:debian_linux:perl-doc, cpe:/o:debian:debian_linux:11.0, p-cpe:/a:debian:debian_linux:libperl-dev, p-cpe:/a:debian:debian_linux:perl-base, p-cpe:/a:debian:debian_linux:perl, p-cpe:/a:debian:debian_linux:libperl5.32, p-cpe:/a:debian:debian_linux:perl-debug

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/21/2024

Vulnerability Publication Date: 12/13/2021

Reference Information

CVE: CVE-2020-16156, CVE-2023-31484