The App::cpanminus package through 1.7047 for Perl downloads code via insecure HTTP, enabling code execution for network attackers.
Indeed App-cpanminus-1.7047 uses HTTP.

Relevant upstream bug reports:
https://github.com/miyagawa/cpanminus/issues/603
https://github.com/miyagawa/cpanminus/issues/611

Relevant upstream pull requests:
https://github.com/miyagawa/cpanminus/pull/674
https://github.com/miyagawa/cpanminus/pull/678