Package: libmodule-signature-perl / 0.73-1+deb8u2

Metadata

Package: libmodule-signature-perl
Version: 0.73-1+deb8u2
Patches format: 3.0 (quilt)

Patch series
Patch: CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch

File delta:
 Makefile.PL             |  1 ( 1 +,  0 -, 0 !)
 lib/Module/Signature.pm | 44 (30 +, 14 -, 0 !)
 2 files changed, 31 insertions(+), 14 deletions(-)

Description:
 fix cve-2015-3406, cve-2015-3407 and cve-2015-3408

 CVE-2015-3406: Module::Signature parses the unsigned portion of the
 SIGNATURE file as the signed portion due to incorrect handling of PGP
 signature boundaries.

 CVE-2015-3407: Module::Signature incorrectly handles files that are not
 listed in the SIGNATURE file. This includes some files in the t/
 directory that would execute when tests are run.

 CVE-2015-3408: Module::Signature uses two-argument open() calls to read
 the files when generating checksums from the signed manifest, allowing
 arbitrary shell commands to be embedded in the SIGNATURE file that would
 execute during the signature verification process.
Patch: CVE-2015-3409.patch

File delta:
 lib/Module/Signature.pm | 2 (2 +, 0 -, 0 !)
 1 file changed, 2 insertions(+)

Description:
 fix cve-2015-3409

 CVE-2015-3409: Module::Signature incorrectly handles module loading,
 allowing modules to be loaded from relative paths in @INC. A remote
 attacker providing a malicious module could use this issue to execute
 arbitrary code during signature verification.

 Closes: #783451
Patch: Fix signature tests.patch

File delta:
 lib/Module/Signature.pm | 5 (4 +, 1 -, 0 !)
 1 file changed, 4 insertions(+), 1 deletion(-)

Description:
 fix signature tests

 Fix signature tests by defaulting to verify(skip=>1) when
 $ENV{TEST_SIGNATURE} is true.
Patch: 0001 make skip work again.patch

File delta:
 script/cpansign | 2 (1 +, 1 -, 0 !)
 1 file changed, 1 insertion(+), 1 deletion(-)

Description:
 [patch] make --skip work again

 8a91645 removed 'skip => 1' from verify() but failed to change the logic
 in the cpansign script for the skip option parsing.