CVE-2026-8704: Crypt::DSA versions through 1.19 for Perl use 2-args open, allowing existing files to be modified
Timothy Legge 15 May 2026 22:21 UTC
========================================================================
CVE-2026-8704 CPAN Security Group
========================================================================
CVE ID: CVE-2026-8704
Distribution: Crypt-DSA
Versions: through 1.19
MetaCPAN: https://metacpan.org/dist/Crypt-DSA
VCS Repo: https://github.com/perl-Crypt-OpenPGP/Crypt-DSA

Crypt::DSA versions through 1.19 for Perl use 2-args open, allowing
existing files to be modified

Description
-----------
Crypt::DSA versions through 1.19 for Perl use 2-args open, allowing
existing files to be modified.
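
The behaviour named in the description, shown as an added example (not code from Crypt::DSA or from this advisory): Perl's 2-argument open takes the mode from the file-name string, while the 3-argument form fixes the mode in the code. The sub names, the temporary file and the sample name value are constructed for illustration.

```perl
#!/usr/bin/perl
# Added illustration, not Crypt::DSA code. File and sub names are constructed.
use strict;
use warnings;
use File::Temp qw(tempdir);

my $dir  = tempdir(CLEANUP => 1);
my $file = "$dir/existing.txt";

# Create a pre-existing file that the caller never intends to change.
sub reset_existing {
    open(my $fh, '>', $file) or die "open: $!";
    print {$fh} "important data\n";
    close $fh or die "close: $!";
}

# Weak form: 2-argument open. Perl takes the mode from the start of the
# string, so a leading '>' turns an intended read into a truncating write.
sub slurp_two_arg {
    my ($name) = @_;
    no warnings 'io';                 # reading a write-only handle warns
    open(my $fh, $name) or return;
    my @lines = <$fh>;
    close $fh;
    return @lines;
}

# Corrected form: 3-argument open. The mode is fixed by the code and the
# name is used literally, including any leading mode character.
sub slurp_three_arg {
    my ($name) = @_;
    open(my $fh, '<', $name) or return;
    my @lines = <$fh>;
    close $fh;
    return @lines;
}

sub size_of {
    my ($path) = @_;
    my @st = stat $path;
    return $st[7];
}

my $name = ">$file";                  # constructed caller-supplied name

reset_existing();
slurp_two_arg($name);
printf "after 2-arg open: %d bytes\n", size_of($file);

reset_existing();
slurp_three_arg($name);
printf "after 3-arg open: %d bytes\n", size_of($file);
```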

Problem types
-------------
- CWE-552 Files or Directories Accessible to External Parties

Solutions
---------
Upgrade to version 1.20

References
----------
https://metacpan.org/release/TIMLEGGE/Crypt-DSA-1.20/changes
https://metacpan.org/release/TIMLEGGE/Crypt-DSA-1.20/diff/TIMLEGGE/Crypt-DSA-1.19#lib/Crypt/DSA/Key.pm

Timeline
--------
- 2026-05-15: CPANSec identified issue
- 2026-05-15: Author was notified
- 2026-05-15: Version 1.20 released.