Issue #2923: Update CPAN::Audit to 20240117.001
bschmalhofer committed Feb 4, 2024
1 parent 6bd15b6 commit e05b7c7
Showing 6 changed files with 107 additions and 24 deletions.
2 changes: 1 addition & 1 deletion Kernel/System/Environment.pm
@@ -311,7 +311,7 @@ sub BundleModulesDeclarationGet {
{
'Module' => 'CPAN::Audit',
'Required' => 1,
'VersionRequired' => '== 20240103.002',
'VersionRequired' => '== 20240117.001',
},
{
'Comment' => 'needed by CPAN::Audit',
2 changes: 1 addition & 1 deletion Kernel/cpan-lib/CPAN/Audit.pm
@@ -14,7 +14,7 @@ use CPAN::Audit::Version;
use CPAN::Audit::Query;
use CPAN::Audit::DB;

our $VERSION = '20240103.002';
our $VERSION = '20240117.001';

sub new {
my( $class, %params ) = @_;
98 changes: 90 additions & 8 deletions Kernel/cpan-lib/CPAN/Audit/DB.pm
@@ -1,12 +1,12 @@
# created by util/generate at Wed Jan 3 21:54:50 2024
# cpan-security-advisory bdc3863dd33276fe8343e89da2006905c0cdc130
# created by util/generate at Wed Jan 17 12:58:13 2024
# cpan-security-advisory ddb1f55cc6e68fac82c8f55852c8459ecb859416
#
package CPAN::Audit::DB;

use strict;
use warnings;

our $VERSION = '20240103.004';
our $VERSION = '20240117.001';

sub db {
{
@@ -4690,6 +4690,10 @@ sub db {
{
'date' => '2023-11-01T07:57:12',
'version' => '4.60'
},
{
'date' => '2024-01-08T15:17:04',
'version' => '4.61'
}
]
},
@@ -22889,6 +22893,10 @@ sub db {
{
'date' => '2019-05-24T18:54:07',
'version' => '2.04'
},
{
'date' => '2024-01-08T04:48:56',
'version' => '2.05'
}
]
},
@@ -38650,6 +38658,10 @@ sub db {
{
'date' => '2024-01-02T15:38:07',
'version' => '5.503'
},
{
'date' => '2024-01-08T18:22:18',
'version' => '5.503'
}
]
},
@@ -46429,6 +46441,22 @@ sub db {
{
'date' => '2023-12-24T15:48:59',
'version' => '1.42'
},
{
'date' => '2024-01-04T11:21:08',
'version' => '1.42_01'
},
{
'date' => '2024-01-08T09:38:46',
'version' => '1.42_02'
},
{
'date' => '2024-01-10T15:04:01',
'version' => '1.42_03'
},
{
'date' => '2024-01-17T09:07:40',
'version' => '1.42_04'
}
]
},
@@ -47509,6 +47537,18 @@ sub db {
{
'date' => '2024-01-02T14:34:40',
'version' => '1.93_03'
},
{
'date' => '2024-01-05T00:45:35',
'version' => '1.93_04'
},
{
'date' => '2024-01-06T18:39:23',
'version' => '1.93_05'
},
{
'date' => '2024-01-08T01:22:27',
'version' => '1.94'
}
]
},
@@ -50756,6 +50796,14 @@ sub db {
{
'date' => '2015-11-21T06:05:48',
'version' => '1.013_03'
},
{
'date' => '2024-01-04T15:11:21',
'version' => '1.015'
},
{
'date' => '2024-01-05T13:57:01',
'version' => '1.016'
}
]
},
@@ -52296,6 +52344,10 @@ sub db {
{
'date' => '2022-09-05T15:48:11',
'version' => '1.0050'
},
{
'date' => '2024-01-05T23:11:02',
'version' => '1.0051'
}
]
},
@@ -55534,17 +55586,39 @@ sub db {
'advisories' => [
{
'affected_versions' => '<0.28',
'cves' => [],
'description' => 'ParseXLSX also handles with merged cells, but the memoize implementation allows attacker to allocate an arbitrary memory size.
'cves' => [
'CVE-2024-22368'
],
'description' => 'The Spreadsheet::ParseXLSX package before 0.28 for Perl can encounter an out-of-memory condition during parsing of a crafted XLSX document. This occurs because the memoize implementation does not have appropriate constraints on merged cells.
',
'distribution' => 'Spreadsheet-ParseXLSX',
'fixed_versions' => '>=0.28',
'id' => 'CPANSA-Spreadsheet-ParseXLSX-2024-01',
'id' => 'CPANSA-Spreadsheet-ParseXLSX-2024-22368',
'references' => [
'https://github.com/haile01/perl_spreadsheet_excel_rce_poc/blob/main/parse_xlsx_bomb.md',
'https://github.com/briandfoy/cpan-security-advisory/issues/131'
'https://github.com/briandfoy/cpan-security-advisory/issues/131',
'https://nvd.nist.gov/vuln/detail/CVE-2024-22368',
'https://github.com/haile01/perl_spreadsheet_excel_rce_poc/blob/main/parse_xlsx_bomb.md',
'https://metacpan.org/dist/Spreadsheet-ParseXLSX/changes',
'https://github.com/advisories/GHSA-x2hg-844v-frvh'
],
'reported' => '2024-01-03'
},
{
'affected_versions' => '<0.30',
'cves' => [],
'description' => 'In default configuration of Spreadsheet::ParseXLSX, whenever we call Spreadsheet::ParseXLSX->new()->parse(\'user_input_file.xlsx\'), we\'d be vulnerable for XXE vulnerability if the XLSX file that we are parsing is from user input.
',
'distribution' => 'Spreadsheet-ParseXLSX',
'fixed_versions' => '>=0.30',
'id' => 'CPANSA-Spreadsheet-ParseXLSX-2024-02',
'references' => [
'https://metacpan.org/release/NUDDLEGG/Spreadsheet-ParseXLSX-0.30/changes',
'https://gist.github.com/phvietan/d1c95a88ab6e17047b0248d6bf9eac4a',
'https://github.com/briandfoy/cpan-security-advisory/issues/134',
'https://github.com/MichaelDaum/spreadsheet-parsexlsx/issues/10'
],
'reported' => '2024-01-17'
}
],
'main_module' => 'Spreadsheet::ParseXLSX',
@@ -55664,6 +55738,10 @@ sub db {
{
'date' => '2024-01-02T17:49:11',
'version' => '0.29'
},
{
'date' => '2024-01-17T11:34:43',
'version' => '0.30'
}
]
},
@@ -61657,6 +61735,10 @@ sub db {
{
'date' => '2023-07-17T22:02:15',
'version' => '6.72'
},
{
'date' => '2024-01-13T20:26:02',
'version' => '6.73'
}
]
},
@@ -63404,7 +63486,7 @@ sub db {
'severity' => undef
},
{
'affected_versions' => '>=5.30.0,<5.38.2',
'affected_versions' => '>=5.30.0,<5.36.3,>=5.38.0,<5.38.2',
'cves' => [
'CVE-2023-47100'
],
26 changes: 13 additions & 13 deletions Kernel/cpan-lib/CPAN/Audit/DB.pm.gpg
@@ -1,16 +1,16 @@
-----BEGIN PGP SIGNATURE-----
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=+bH0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=mlRh
-----END PGP SIGNATURE-----
1 change: 1 addition & 0 deletions Kernel/cpan-lib/README.md
@@ -28,6 +28,7 @@ Only install modules where the version was updated in F<cpanfile>.
rm -rf local
PERL5LIB=. cpanm --notest --installdeps . --local-lib local # install into local/lib/perl5
PERL5LIB=. cpanm --notest --installdeps . --local-lib local # again, to see that the install was complete
cp -r local/lib/perl5/* . # copy to actual destination

### Remove files and directories that should not be bundled with OTOBO

2 changes: 1 addition & 1 deletion Kernel/cpan-lib/cpanfile
@@ -19,7 +19,7 @@ requires 'Class::Inspector', '== 1.31';
# needed by Data::ICal
requires 'Class::ReturnValue', '== 0.55';

requires 'CPAN::Audit', '== 20240103.002';
requires 'CPAN::Audit', '== 20240117.001';

# needed by CPAN::Audit
requires 'CPAN::DistnameInfo', '== 0.12';
