Module::Signature before version 0.75 could be tricked into interpreting the unsigned portion of a SIGNATURE file as the signed portion due to faulty parsing of the PGP signature boundaries.
Upstream fix: https://github.com/audreyt/module-signature/commit/8a9164596fa5952d4fbcde5aa1c7d1c7bc85372f
CVE request: http://seclists.org/oss-sec/2015/q2/59
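A strict framing check for an OpenPGP cleartext-signed file (RFC 4880, section 7), as an added example for the boundary problem described above; it is not Module::Signature's code or the upstream fix. The names `signed_body` and `FramingError` are hypothetical, the sample input is constructed, and verification of the signature itself is assumed to be done separately by an OpenPGP implementation.

```python
# Added example, not from the bug report. Names here are hypothetical.
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


class FramingError(ValueError):
    """The file has content outside one well-formed signed block."""


def signed_body(text):
    """Return the dash-unescaped signed lines, or raise FramingError."""
    lines = text.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()                       # tolerate trailing newlines only
    if not lines or lines[0] != BEGIN_MSG:
        raise FramingError("data before the signed-message header")
    i = 1
    while i < len(lines) and lines[i] != "":
        if not lines[i].startswith("Hash: "):
            raise FramingError("unexpected armor header: %r" % lines[i])
        i += 1
    if i == len(lines):
        raise FramingError("missing blank line after the headers")
    body = []
    for i in range(i + 1, len(lines)):
        line = lines[i]
        if line == BEGIN_SIG:
            break                         # end of the signed text
        if line.startswith("- "):
            line = line[2:]               # undo dash-escaping
        elif line.startswith("-"):
            raise FramingError("unescaped boundary-like line in body")
        body.append(line)
    else:
        raise FramingError("no signature block")
    if (lines.count(BEGIN_SIG) != 1 or lines.count(END_SIG) != 1
            or lines[-1] != END_SIG):
        raise FramingError("data after or inside the signature block")
    return body


# Constructed sample; the armor line is a placeholder, not a real signature.
GOOD = "\n".join([BEGIN_MSG, "Hash: SHA1", "", "entry-one", "- -dashed entry",
                  BEGIN_SIG, "", "<armor-placeholder>", END_SIG, ""])

if __name__ == "__main__":
    print(signed_body(GOOD))
```

A consumer that only trusts the list returned here, and only after the same bytes pass signature verification, never reads lines that sit outside the signed block.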
Created perl-Module-Signature tracking bugs for this issue:
Affects: fedora-all [bug 1209920]
Affects: epel-all [bug 1209922]
perl-Module-Signature-0.78-1.fc21, perl-Test-Signature-1.11-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
perl-Test-Signature-1.11-1.fc20, perl-Module-Signature-0.78-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
perl-Module-Signature-0.78-1.fc22, perl-Test-Signature-1.11-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
perl-Test-Signature-1.11-1.el6, perl-Module-Signature-0.78-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
perl-Test-Signature-1.11-1.el5, perl-Module-Signature-0.78-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
Fixed in all current Fedora and EPEL releases. Still to be fixed in RHEL-7.