The Net::CIDR::Lite module before 0.22 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses.

https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/
https://github.com/stigtsp/Net-CIDR-Lite/commit/23b6ff0590dc279521863a502e890ef19a5a76fc
https://metacpan.org/dist/Net-CIDR-Lite/changes
https://metacpan.org/pod/Net::CIDR::Lite
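The ambiguity described above, as an added example in plain Perl (not code from Net::CIDR::Lite or its fix): one string with a leading zero reads as 10.0.0.1 to a reader that ignores the zero and as 8.0.0.1 to one that follows the inet_aton octal convention, so a strict parser rejects it. All function names and the sample input are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# One octet with no extraneous leading zeros: "0", or 1-3 digits not starting with 0.
my $OCTET = qr/(0|[1-9][0-9]{0,2})/;

sub to_int { return ($_[0] << 24) | ($_[1] << 16) | ($_[2] << 8) | $_[3] }
sub fmt    { my ($ip) = @_; return join '.', map { ($ip >> $_) & 255 } 24, 16, 8, 0 }

# Strict parser: exactly four decimal octets in 0..255, leading zeros refused.
# Returns the address as an integer, or undef for anything ambiguous.
sub parse_strict {
    my ($s) = @_;
    my @o = ($s // '') =~ /\A$OCTET\.$OCTET\.$OCTET\.$OCTET\z/ or return;
    return if grep { $_ > 255 } @o;
    return to_int(@o);
}

# Two lenient readers (hypothetical; both assume four numeric parts).
# read_decimal ignores leading zeros; read_octal treats a leading zero
# as an octal prefix, which is what inet_aton-style resolvers do.
sub read_decimal { return to_int(map { $_ + 0 } split /\./, $_[0]) }
sub read_octal {
    return to_int(map { /\A0[0-7]+\z/ ? oct($_) : $_ + 0 } split /\./, $_[0]);
}

# True when $ip falls inside $net/$bits.
sub in_cidr {
    my ($ip, $net, $bits) = @_;
    my $mask = $bits ? (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF : 0;
    return ($ip & $mask) == ($net & $mask);
}

my $input = '010.0.0.1';                  # constructed sample input
my $net   = parse_strict('10.0.0.0');     # ACL range 10.0.0.0/8

for my $r (['decimal, zeros ignored', \&read_decimal],
           ['octal, inet_aton style', \&read_octal]) {
    my $ip = $r->[1]->($input);
    printf "%-24s %-10s in 10.0.0.0/8: %s\n",
        $r->[0], fmt($ip), in_cidr($ip, $net, 8) ? 'yes' : 'no';
}
printf "%-24s %s\n", 'strict parser',
    defined parse_strict($input) ? 'accepted' : 'rejected';
```

Where upgrading to 0.22 or later is not immediately possible, validating addresses with a strict check like `parse_strict` before they reach any ACL lookup removes the disagreement between the two readings.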
Created perl-Net-CIDR-Lite tracking bugs for this issue:

Affects: epel-all [bug 2270059]
Affects: fedora-all [bug 2270060]
This must be some kind of bug in tooling or something. Every reported distro is already fixed/has had version 0.22 for a long time.

This should be closed.
In reply to comment #3:
> This must be some kind of bug in tooling or something. Every reported distro
> is already fixed/has had version 0.22 for a long time.
>
> This should be closed.

Hey, this is not a tooling issue anyways. Those are just security notification trackers.