diff --git a/Kernel/System/Environment.pm b/Kernel/System/Environment.pm
index c22ddf07e..2dd958cd7 100644
--- a/Kernel/System/Environment.pm
+++ b/Kernel/System/Environment.pm
@@ -311,7 +311,7 @@ sub BundleModulesDeclarationGet {
 {
 'Module' => 'CPAN::Audit',
 'Required' => 1,
- 'VersionRequired' => '== 20240103.002',
+ 'VersionRequired' => '== 20240117.001',
 },
 {
 'Comment' => 'needed by CPAN::Audit',
diff --git a/Kernel/cpan-lib/CPAN/Audit.pm b/Kernel/cpan-lib/CPAN/Audit.pm
index 704eea912..011080919 100644
--- a/Kernel/cpan-lib/CPAN/Audit.pm
+++ b/Kernel/cpan-lib/CPAN/Audit.pm
@@ -14,7 +14,7 @@ use CPAN::Audit::Version;
 use CPAN::Audit::Query;
 use CPAN::Audit::DB;
 
-our $VERSION = '20240103.002';
+our $VERSION = '20240117.001';
 
 sub new {
 my( $class, %params ) = @_;
diff --git a/Kernel/cpan-lib/CPAN/Audit/DB.pm b/Kernel/cpan-lib/CPAN/Audit/DB.pm
index 53ef80dc9..50f84bb1c 100644
--- a/Kernel/cpan-lib/CPAN/Audit/DB.pm
+++ b/Kernel/cpan-lib/CPAN/Audit/DB.pm
@@ -1,12 +1,12 @@
-# created by util/generate at Wed Jan 3 21:54:50 2024
-# cpan-security-advisory bdc3863dd33276fe8343e89da2006905c0cdc130
+# created by util/generate at Wed Jan 17 12:58:13 2024
+# cpan-security-advisory ddb1f55cc6e68fac82c8f55852c8459ecb859416
 #
 package CPAN::Audit::DB;
 
 use strict;
 use warnings;
 
-our $VERSION = '20240103.004';
+our $VERSION = '20240117.001';
 
 sub db {
 {
@@ -4690,6 +4690,10 @@ sub db {
 {
 'date' => '2023-11-01T07:57:12',
 'version' => '4.60'
+ },
+ {
+ 'date' => '2024-01-08T15:17:04',
+ 'version' => '4.61'
 }
 ]
 },
@@ -22889,6 +22893,10 @@ sub db {
 {
 'date' => '2019-05-24T18:54:07',
 'version' => '2.04'
+ },
+ {
+ 'date' => '2024-01-08T04:48:56',
+ 'version' => '2.05'
 }
 ]
 },
@@ -38650,6 +38658,10 @@ sub db {
 {
 'date' => '2024-01-02T15:38:07',
 'version' => '5.503'
+ },
+ {
+ 'date' => '2024-01-08T18:22:18',
+ 'version' => '5.503'
 }
 ]
 },
@@ -46429,6 +46441,22 @@ sub db {
 {
 'date' => '2023-12-24T15:48:59',
 'version' => '1.42'
+ },
+ {
+ 'date' => '2024-01-04T11:21:08',
+ 'version' => '1.42_01'
+ },
+ {
+ 'date' => '2024-01-08T09:38:46',
+ 'version' => '1.42_02'
+ },
+ {
+ 'date' => '2024-01-10T15:04:01',
+ 'version' => '1.42_03'
+ },
+ {
+ 'date' => '2024-01-17T09:07:40',
+ 'version' => '1.42_04'
 }
 ]
 },
@@ -47509,6 +47537,18 @@ sub db {
 {
 'date' => '2024-01-02T14:34:40',
 'version' => '1.93_03'
+ },
+ {
+ 'date' => '2024-01-05T00:45:35',
+ 'version' => '1.93_04'
+ },
+ {
+ 'date' => '2024-01-06T18:39:23',
+ 'version' => '1.93_05'
+ },
+ {
+ 'date' => '2024-01-08T01:22:27',
+ 'version' => '1.94'
 }
 ]
 },
@@ -50756,6 +50796,14 @@ sub db {
 {
 'date' => '2015-11-21T06:05:48',
 'version' => '1.013_03'
+ },
+ {
+ 'date' => '2024-01-04T15:11:21',
+ 'version' => '1.015'
+ },
+ {
+ 'date' => '2024-01-05T13:57:01',
+ 'version' => '1.016'
 }
 ]
 },
@@ -52296,6 +52344,10 @@ sub db {
 {
 'date' => '2022-09-05T15:48:11',
 'version' => '1.0050'
+ },
+ {
+ 'date' => '2024-01-05T23:11:02',
+ 'version' => '1.0051'
 }
 ]
 },
@@ -55534,17 +55586,39 @@ sub db {
 'advisories' => [
 {
 'affected_versions' => '<0.28',
- 'cves' => [],
- 'description' => 'ParseXLSX also handles with merged cells, but the memoize implementation allows attacker to allocate an arbitrary memory size.
+ 'cves' => [
+ 'CVE-2024-22368'
+ ],
+ 'description' => 'The Spreadsheet::ParseXLSX package before 0.28 for Perl can encounter an out-of-memory condition during parsing of a crafted XLSX document. This occurs because the memoize implementation does not have appropriate constraints on merged cells.
 ',
 'distribution' => 'Spreadsheet-ParseXLSX',
 'fixed_versions' => '>=0.28',
- 'id' => 'CPANSA-Spreadsheet-ParseXLSX-2024-01',
+ 'id' => 'CPANSA-Spreadsheet-ParseXLSX-2024-22368',
 'references' => [
 'https://github.com/haile01/perl_spreadsheet_excel_rce_poc/blob/main/parse_xlsx_bomb.md',
- 'https://github.com/briandfoy/cpan-security-advisory/issues/131'
+ 'https://github.com/briandfoy/cpan-security-advisory/issues/131',
+ 'https://nvd.nist.gov/vuln/detail/CVE-2024-22368',
+ 'https://github.com/haile01/perl_spreadsheet_excel_rce_poc/blob/main/parse_xlsx_bomb.md',
+ 'https://metacpan.org/dist/Spreadsheet-ParseXLSX/changes',
+ 'https://github.com/advisories/GHSA-x2hg-844v-frvh'
 ],
 'reported' => '2024-01-03'
+ },
+ {
+ 'affected_versions' => '<0.30',
+ 'cves' => [],
+ 'description' => 'In default configuration of Spreadsheet::ParseXLSX, whenever we call Spreadsheet::ParseXLSX->new()->parse(\'user_input_file.xlsx\'), we\'d be vulnerable for XXE vulnerability if the XLSX file that we are parsing is from user input.
+',
+ 'distribution' => 'Spreadsheet-ParseXLSX',
+ 'fixed_versions' => '>=0.30',
+ 'id' => 'CPANSA-Spreadsheet-ParseXLSX-2024-02',
+ 'references' => [
+ 'https://metacpan.org/release/NUDDLEGG/Spreadsheet-ParseXLSX-0.30/changes',
+ 'https://gist.github.com/phvietan/d1c95a88ab6e17047b0248d6bf9eac4a',
+ 'https://github.com/briandfoy/cpan-security-advisory/issues/134',
+ 'https://github.com/MichaelDaum/spreadsheet-parsexlsx/issues/10'
+ ],
+ 'reported' => '2024-01-17'
 }
 ],
 'main_module' => 'Spreadsheet::ParseXLSX',
@@ -55664,6 +55738,10 @@ sub db {
 {
 'date' => '2024-01-02T17:49:11',
 'version' => '0.29'
+ },
+ {
+ 'date' => '2024-01-17T11:34:43',
+ 'version' => '0.30'
 }
 ]
 },
@@ -61657,6 +61735,10 @@ sub db {
 {
 'date' => '2023-07-17T22:02:15',
 'version' => '6.72'
+ },
+ {
+ 'date' => '2024-01-13T20:26:02',
+ 'version' => '6.73'
 }
 ]
 },
@@ -63404,7 +63486,7 @@ sub db {
 'severity' => undef
 },
 {
- 'affected_versions' => '>=5.30.0,<5.38.2',
+ 'affected_versions' => '>=5.30.0,<5.36.3,>=5.38.0,<5.38.2',
 'cves' => [
 'CVE-2023-47100'
 ],
diff --git a/Kernel/cpan-lib/CPAN/Audit/DB.pm.gpg b/Kernel/cpan-lib/CPAN/Audit/DB.pm.gpg
index c4f2ba735..d15f482eb 100644
--- a/Kernel/cpan-lib/CPAN/Audit/DB.pm.gpg
+++ b/Kernel/cpan-lib/CPAN/Audit/DB.pm.gpg
@@ -1,16 +1,16 @@
 -----BEGIN PGP SIGNATURE-----
 
-iQIzBAABCAAdFiEEdaq0LLoNfzfw1oht+D+NXoeLYEEFAmWWHfoACgkQ+D+NXoeL
-YEEJmQ//Y2Bxkajm4LDUFVkDmWNgbHfQ7F0rXHLnrHMXrOCZwMRD759bRadZcGZ0
-pgUoL9K634MGoID0KCwD1gP7m2WPWziodXPTLEQILEb/7DyNq6lgWU3dRMW3j7r1
-VDK/TTpHw6FXTLOgEM7MXwRDXbCm9gI67DrIem12fUuptAMJSrzEI1NUbmfKZtgY
-S8zwXZijHx3qlrLX64atqwpdkb8ZASqnb8pBWzmCFMGXH3H5/pvgQNgyYtksi2qV
-+FKAJ3gKyU+rgvn91lBNLaqzXtvVRUl0q7xDHhMZu8qjQWTlRUzqwk65alCKlELx
-hGv6iFCx93oT6GEDPCLhAgJvf6VBs+CxcY8LvQeruw7NSEosVU4B4SZp3QPeyGlY
-Lo7wkycEKVyrz6ILMCdMYbNNsKfUHwgVOrFSG1fn6yJnocbrb1Rn+h6veJLkiuW+
-lJalNMQwtLzlU6besUnxzk2HBFy8yRO7sVtZs99YkJkLQyfZOb+RjZaqZPlJuWkS
-a6OaCQDNbyA/Lk4/O51/bFSEXR+L6ZLHAhQHkPVSJg5jjWbxsX5oF2cTZSAlGBAe
-qczAVeOtCmHWKl7LH8IDFznL6r7ufOKXym2GBpx0v0aUxCGUKOclADxyoPWFX/Or
-u1+UppxsFCF46Xlv98SEp9aVsG4aJJQZUThj0AotigZeBaBqvpc=
-=+bH0
+iQIzBAABCAAdFiEEdaq0LLoNfzfw1oht+D+NXoeLYEEFAmWoFTUACgkQ+D+NXoeL
+YEFeJw//YNSKVBZ8ibx286HRuZZUmXTIlcVmM1GzjaL5eJ5B+3JJgON7UInNnbDQ
+Tlv1/AfdgGKGR5JfLYkgriE+ixfKtMTnpGSz4opV6hMF2CXm2+U2+Rqk/TC/4mUK
+y/HSWaCQAzGHQt+BRRUFT8SpaCBVLpwoMeG5kvDV/J0CdTwyUmh5gUVZ+fQIKKk6
+8TduyqPwbDPf2Dexz/cq97UfEDvhecnFC73Umo46KlEFshfImQ9t2Rp63PWvVZ3Q
+oD4AGDvqQUCUnT+Fank/g4/+lFmDyaBVXkLt6VEh5aXMWQvl98Be2tD/5Fxjyym0
+WsEYbtNzE5pcgJ6cyeVEzGzoqqwETHPDosuXOJMjcKjrIBRCWDMpVNtXefmJY9ah
+Ip4oYJE3DPkkFdC42FqdsPUtWM7QFhzASHG78Lmd1hAstaUEeHEbOCVlxQhOANeb
+Ps2/lW1AkZkfw0RGlPc1zRSkKNCrEW50R8eg59oLoUbKmJBDsvv24aSj5X/S8U6K
+4nLU+XsJvhkoMORVfTWKl8COUb8kGHZae2hL+ufet0qnKDNaD2KwMmp4sFT3Y0cp
+WtnPiqpN+xOJzdZwhvZjLcyM93YfLk9FOAw9AmMiIfE/MT+HnE9wXxHTcKHFHpOE
+dAYN/gmDM7mdvp9TmJGdx8cgO5IwrYVVgftprIy+OPK15xZT9Zc=
+=mlRh
 -----END PGP SIGNATURE-----
diff --git a/Kernel/cpan-lib/README.md b/Kernel/cpan-lib/README.md
index eca48bc38..70fa87226 100644
--- a/Kernel/cpan-lib/README.md
+++ b/Kernel/cpan-lib/README.md
@@ -28,6 +28,7 @@ Only install modules where the version was updated in F. rm -rf local PERL5LIB=. cpanm --notest --installdeps . --local-lib local # install into local/lib/perl5 PERL5LIB=. cpanm --notest --installdeps . --local-lib local # again, to see that the install was complete + cp -r local/lib/perl5/* . # copy to actual destination ### Remove files and directories that should not be bundled with OTOBO diff --git a/Kernel/cpan-lib/cpanfile b/Kernel/cpan-lib/cpanfile index 9f7860310..8752b28f1 100644 --- a/Kernel/cpan-lib/cpanfile +++ b/Kernel/cpan-lib/cpanfile @@ -19,7 +19,7 @@ requires 'Class::Inspector', '== 1.31'; # needed by Data::ICal requires 'Class::ReturnValue', '== 0.55'; -requires 'CPAN::Audit', '== 20240103.002'; +requires 'CPAN::Audit', '== 20240117.001'; # needed by CPAN::Audit requires 'CPAN::DistnameInfo', '== 0.12';