From d2b1e7794edfe0d556bb0ded7afbf987aa6f66c0 Mon Sep 17 00:00:00 2001
From: brian d foy
Date: Wed, 26 Jun 2024 10:19:50 -0400
Subject: [PATCH] data update, especially for CVE-2024-38526 (polyfill.io) (briandfoy/cpan-security-advisory#155)
---
 cpan-security-advisory | 2 +-
 lib/CPAN/Audit.pm | 2 +-
 lib/CPAN/Audit/DB.pm | 167 ++++++++++++++++++++++++++++++++++++++-
 lib/CPAN/Audit/DB.pm.gpg | 26 +++---
 4 files changed, 179 insertions(+), 18 deletions(-)
diff --git a/cpan-security-advisory b/cpan-security-advisory
index 9e85f92..387ef53 160000
--- a/cpan-security-advisory
+++ b/cpan-security-advisory
@@ -1 +1 @@
-Subproject commit 9e85f92e6030f0dd38e068cf1eba5b9ae1492f75
+Subproject commit 387ef538c13f8fb4bb67a801639aaa7c1ab7c8b3
diff --git a/lib/CPAN/Audit.pm b/lib/CPAN/Audit.pm
index 10aceb3..9aa76b9 100644
--- a/lib/CPAN/Audit.pm
+++ b/lib/CPAN/Audit.pm
@@ -14,7 +14,7 @@ use CPAN::Audit::Version;
 use CPAN::Audit::Query;
 use CPAN::Audit::DB;
-our $VERSION = '20240615.002';
+our $VERSION = '20240626.001';
 sub new {
 my( $class, %params ) = @_;
diff --git a/lib/CPAN/Audit/DB.pm b/lib/CPAN/Audit/DB.pm
index 48c814c..0477bac 100644
--- a/lib/CPAN/Audit/DB.pm
+++ b/lib/CPAN/Audit/DB.pm
@@ -1,12 +1,12 @@
-# created by util/generate at Sat Jun 15 11:27:18 2024
-# cpan-security-advisory +9e85f92e6030f0dd38e068cf1eba5b9ae1492f75
+# created by util/generate at Wed Jun 26 10:12:12 2024
+# cpan-security-advisory +387ef538c13f8fb4bb67a801639aaa7c1ab7c8b3
 #
 package CPAN::Audit::DB;
 use strict;
 use warnings;
-our $VERSION = '20240615.002';
+our $VERSION = '20240626.001';
 sub db {
 {
@@ -4714,6 +4714,10 @@ sub db {
 {
 'date' => '2024-06-04T15:15:17',
 'version' => '4.65'
+ },
+ {
+ 'date' => '2024-06-19T08:59:52',
+ 'version' => '4.66'
 }
 ]
 },
@@ -9386,6 +9390,10 @@ sub db {
 {
 'date' => '2024-04-07T03:11:57',
 'version' => '0.29'
+ },
+ {
+ 'date' => '2024-06-16T12:03:21',
+ 'version' => '0.30'
 }
 ]
 },
@@ -27986,6 +27994,10 @@ sub db {
 {
 'date' => '2023-03-26T13:29:08',
 'version' => '7.70'
+ },
+ {
+ 'date' => '2024-06-24T19:34:30',
+ 'version' => '7.71_01'
 }
 ]
 },
@@ -30578,6 +30590,10 @@ sub db {
 {
 'date' => '2024-05-27T10:31:38',
 'version' => '2.82'
+ },
+ {
+ 'date' => '2024-06-23T15:46:01',
+ 'version' => '2.83'
 }
 ]
 },
@@ -37388,6 +37404,38 @@ sub db {
 {
 'date' => '2024-06-15T11:55:22',
 'version' => '2.01_01'
+ },
+ {
+ 'date' => '2024-06-18T16:33:19',
+ 'version' => '2.01_02'
+ },
+ {
+ 'date' => '2024-06-19T19:26:30',
+ 'version' => '2.01_03'
+ },
+ {
+ 'date' => '2024-06-20T06:26:12',
+ 'version' => '2.01_04'
+ },
+ {
+ 'date' => '2024-06-20T20:43:31',
+ 'version' => '2.01_05'
+ },
+ {
+ 'date' => '2024-06-23T19:25:33',
+ 'version' => '2.10_01'
+ },
+ {
+ 'date' => '2024-06-24T05:14:31',
+ 'version' => '2.10'
+ },
+ {
+ 'date' => '2024-06-25T04:15:52',
+ 'version' => '2.11'
+ },
+ {
+ 'date' => '2024-06-26T06:15:21',
+ 'version' => '2.12'
 }
 ]
 },
@@ -41705,6 +41753,74 @@ sub db {
 }
 ]
 },
+ 'Mojo-DOM-Role-Analyzer' => {
+ 'advisories' => [
+ {
+ 'affected_versions' => '<=0.015',
+ 'cves' => [
+ 'CVE-2024-38526'
+ ],
+ 'description' => 'pdoc provides API Documentation for Python Projects. Documentation generated with `pdoc --math` linked to JavaScript files from polyfill.io. The polyfill.io CDN has been sold and now serves malicious code. This issue has been fixed in pdoc 14.5.1.
+',
+ 'distribution' => 'Mojo-DOM-Role-Analyzer',
+ 'embedded_vulnerability' => {
+ 'distributed_version' => undef,
+ 'name' => 'polyfill.io'
+ },
+ 'fixed_versions' => undef,
+ 'id' => 'CPANSA-Mojo-DOM-Role-Analyzer-2024-38526',
+ 'references' => [
+ 'https://github.com/mitmproxy/pdoc/pull/703',
+ 'https://github.com/mitmproxy/pdoc/security/advisories/GHSA-5vgj-ggm4-fg62',
+ 'https://sansec.io/research/polyfill-supply-chain-attack',
+ 'https://github.com/briandfoy/cpan-security-advisory/issues/155',
+ 'https://github.com/sdondley/Mojo-DOM-Role-Analyzer/issues/10',
+ 'https://stackdiary.com/polyfill-compromise-hits-100000-sites-in-a-supply-chain-attack/'
+ ],
+ 'reported' => '2024-06-26',
+ 'severity' => undef
+ }
+ ],
+ 'main_module' => 'Mojo::DOM::Role::Analyzer',
+ 'versions' => [
+ {
+ 'date' => '2020-08-04T22:48:59',
+ 'version' => '0.007'
+ },
+ {
+ 'date' => '2020-08-05T13:43:47',
+ 'version' => '0.008'
+ },
+ {
+ 'date' => '2020-08-06T02:47:29',
+ 'version' => '0.009'
+ },
+ {
+ 'date' => '2020-08-08T13:39:18',
+ 'version' => '0.010'
+ },
+ {
+ 'date' => '2020-08-09T13:43:20',
+ 'version' => '0.011'
+ },
+ {
+ 'date' => '2020-08-09T23:37:24',
+ 'version' => '0.012'
+ },
+ {
+ 'date' => '2020-08-12T03:21:57',
+ 'version' => '0.013'
+ },
+ {
+ 'date' => '2020-08-13T21:09:19',
+ 'version' => '0.014'
+ },
+ {
+ 'date' => '2020-08-16T15:39:17',
+ 'version' => '0.015'
+ }
+ ]
+ },
 'MojoMojo' => {
 'advisories' => [
 {
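Review bot: The `description` of CPANSA-Mojo-DOM-Role-Analyzer-2024-38526 is the pdoc advisory text copied verbatim ("pdoc provides API Documentation for Python Projects … fixed in pdoc 14.5.1"), so a cpan-audit user reads nothing about this Perl distribution and is told a fix exists in a Python package they do not use. DB.pm is generated by util/generate from the cpan-security-advisory submodule, so the wording should be corrected in that repository's entry and regenerated, e.g. `Mojo-DOM-Role-Analyzer up to 0.015 references JavaScript served from the polyfill.io CDN, which changed ownership and now serves malicious code; no fixed release exists.` — where exactly the polyfill.io reference lives is not visible here, so confirm against sdondley/Mojo-DOM-Role-Analyzer#10 before wording it. With `fixed_versions => undef` and `affected_versions => '<=0.015'` every release is flagged, which is correct if nothing has shipped, but the description should say so explicitly so the report is not dismissed as a false positive. `sub db` begins and ends outside this hunk.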
@@ -45137,6 +45253,41 @@ sub db {
 }
 ]
 },
+ 'Mojolicious-Plugin-LazyImage' => {
+ 'advisories' => [
+ {
+ 'affected_versions' => '<=0.01',
+ 'cves' => [
+ 'CVE-2024-38526'
+ ],
+ 'description' => 'pdoc provides API Documentation for Python Projects. Documentation generated with `pdoc --math` linked to JavaScript files from polyfill.io. The polyfill.io CDN has been sold and now serves malicious code. This issue has been fixed in pdoc 14.5.1.
+',
+ 'distribution' => 'Mojolicious-Plugin-LazyImage',
+ 'embedded_vulnerability' => {
+ 'distributed_version' => undef,
+ 'name' => 'polyfill.io'
+ },
+ 'fixed_versions' => undef,
+ 'id' => 'CPANSA-Mojolicious-Plugin-LazyImage-2024-38526',
+ 'references' => [
+ 'https://github.com/mitmproxy/pdoc/pull/703',
+ 'https://github.com/mitmproxy/pdoc/security/advisories/GHSA-5vgj-ggm4-fg62',
+ 'https://sansec.io/research/polyfill-supply-chain-attack',
+ 'https://github.com/briandfoy/cpan-security-advisory/issues/155',
+ 'https://stackdiary.com/polyfill-compromise-hits-100000-sites-in-a-supply-chain-attack/'
+ ],
+ 'reported' => '2024-06-26',
+ 'severity' => undef
+ }
+ ],
+ 'main_module' => 'Mojolicious::Plugin::LazyImage',
+ 'versions' => [
+ {
+ 'date' => '2017-12-28T10:40:31',
+ 'version' => '0.01'
+ }
+ ]
+ },
 'Mojolicious-Plugin-OAuth2' => {
 'advisories' => [
 {
@@ -50200,6 +50351,10 @@ sub db {
 {
 'date' => '2024-03-15T12:57:23',
 'version' => '1.063'
+ },
+ {
+ 'date' => '2024-06-24T09:05:18',
+ 'version' => '1.063_001'
 }
 ]
 },
@@ -68137,6 +68292,7 @@ sub db {
 'Clipboard' => 'Clipboard',
 'Clipboard::MacPasteboard' => 'Clipboard',
 'Clipboard::Pb' => 'Clipboard',
+ 'Clipboard::WaylandClipboard' => 'Clipboard',
 'Clipboard::Win32' => 'Clipboard',
 'Clipboard::Xclip' => 'Clipboard',
 'Clipboard::Xsel' => 'Clipboard',
@@ -69623,6 +69779,7 @@ sub db {
 'Jifty::YAML' => 'Jifty',
 'Kelp' => 'Kelp',
 'Kelp::Base' => 'Kelp',
+ 'Kelp::Context' => 'Kelp',
 'Kelp::Exception' => 'Kelp',
 'Kelp::Generator' => 'Kelp',
 'Kelp::Less' => 'Kelp',
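Review bot: The `description` of CPANSA-Mojolicious-Plugin-LazyImage-2024-38526 is likewise the pdoc text ("fixed in pdoc 14.5.1"), which misleads for a Perl distribution whose only release, 0.01 from 2017, has no fix (`fixed_versions => undef`). A distribution-specific sentence would serve readers better, e.g. `Mojolicious-Plugin-LazyImage 0.01 loads a script from the polyfill.io CDN, which now serves malicious code under new ownership; no fixed release exists, so remove or replace the polyfill.io reference.` — this hunk does not show where in the distribution the reference occurs, so confirm that against the upstream advisory before wording it. Unlike the Mojo-DOM-Role-Analyzer entry, `references` carries no link to this distribution's own issue tracker; if one was filed, adding it gives users somewhere to watch for a fix. Both corrections belong in the cpan-security-advisory submodule entry since DB.pm is regenerated from it, and `sub db` begins and ends outside this hunk.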
@@ -69631,6 +69788,7 @@ sub db {
 'Kelp::Module::Config::Less' => 'Kelp',
 'Kelp::Module::Config::Null' => 'Kelp',
 'Kelp::Module::Config::Sandbox' => 'Kelp',
+ 'Kelp::Module::Encoder' => 'Kelp',
 'Kelp::Module::JSON' => 'Kelp',
 'Kelp::Module::Logger' => 'Kelp',
 'Kelp::Module::Logger::Simple' => 'Kelp',
@@ -69646,6 +69804,7 @@ sub db {
 'Kelp::Routes::Pattern' => 'Kelp',
 'Kelp::Template' => 'Kelp',
 'Kelp::Test' => 'Kelp',
+ 'Kelp::Test::CookieJar' => 'Kelp',
 'Kelp::Util' => 'Kelp',
 'Kossy' => 'Kossy',
 'Kossy::Assets' => 'Kossy',
@@ -70148,6 +70307,7 @@ sub db {
 'Mojo::ByteStream' => 'Mojolicious',
 'Mojo::Cache' => 'Mojolicious',
 'Mojo::Collection' => 'Mojolicious',
+ 'Mojo::Collection::Role::Extra' => 'Mojo-DOM-Role-Analyzer',
 'Mojo::Content' => 'Mojolicious',
 'Mojo::Content::MultiPart' => 'Mojolicious',
 'Mojo::Content::Single' => 'Mojolicious',
@@ -70157,6 +70317,7 @@ sub db {
 'Mojo::DOM' => 'Mojolicious',
 'Mojo::DOM::CSS' => 'Mojolicious',
 'Mojo::DOM::HTML' => 'Mojolicious',
+ 'Mojo::DOM::Role::Analyzer' => 'Mojo-DOM-Role-Analyzer',
 'Mojo::Date' => 'Mojolicious',
 'Mojo::DynamicMethods' => 'Mojolicious',
 'Mojo::EventEmitter' => 'Mojolicious',
diff --git a/lib/CPAN/Audit/DB.pm.gpg b/lib/CPAN/Audit/DB.pm.gpg
index 8c3c169..25de657 100644
--- a/lib/CPAN/Audit/DB.pm.gpg
+++ b/lib/CPAN/Audit/DB.pm.gpg
@@ -1,16 +1,16 @@
 -----BEGIN PGP SIGNATURE-----
-iQIzBAABCAAdFiEEdaq0LLoNfzfw1oht+D+NXoeLYEEFAmZttR4ACgkQ+D+NXoeL
-YEE6OBAAjkVW5FiKjL7j5YdNBtvNzamPie/4YFjXWrJffExsbdPNsx88p+hw70Jn
-eHeBmIWv/BEf+SW6NfpYFqvOvbzSUke0S2p8dDSn0NALCAL4Y/Ww4I+VbUXfxwUb
-/tfWcdZY2lcx89h3InCOfw46SUTsj8dKCSLFzaJM0WoHXT6eeWMRbrwBuGKrQRbX
-EXoirm0aGw8K8BQvqPxs8PV1ubEb3j9QyMfIzrLOVIU05fNA1JE9+82eoknEAUZl
-z0FH69buSjV3m2lKYv6wp1GZAfqPHYBDX1lub6dQgRGICXaOHfAEjgOlpSBMcuCG
-iVlsxnUTB1kpeXkLPgvB5rMBnxN3c+siUtmP5h+riui3Cg7CbyMQgK6MZFnTpYxp
-XnMDpWljQx1E1j38ur7TDx4r1tLZr2FD4TR5lXGUTdDlc07SSj4xMqBAOArNUhFo
-0oBhUzdPUKI4dRsBnjuR5tQWjUltbgFnVNAMR77f881U7UbW1yyE1GEUzjh4eomm
-1dtWnozVUv+yKsv8CXt0RURQ8nWBE//vHXY+mJM7W6BuHr0Hk4qe+bVQ7d7jKUzz
-Li0wP2q/3014S8cPFMj2/FhIKBSi5hXQSsETserDZpKSBEFVBgYC7cqWnQ9NwLyQ
-NjgJxBhsYPFZndhyn8UMbHFlZqfNtWuGx3hFdIeG8jF4lPnEegg=
-=JfJf
+iQIzBAABCAAdFiEEdaq0LLoNfzfw1oht+D+NXoeLYEEFAmZ8IbwACgkQ+D+NXoeL
+YEEUPQ/8CCS5G43TpeJsz4yUuWUYjLQOeR6+MBl4sqmDfeBMSaCwGOjP1V0m9j5a
+KevHZzCjxItLJZxt5EYGzTllFIyf6OeiafXYUMUmnpYzdFqqZIzB/waR0LqTZ6eC
+h3z4xHm8jygl8HWUJeuNZcFAIbO234E4vkG1pozE1IctrI8QjYcZ/dw45MvyzQ0F
++WUCE32sY+kaOTmkTsBOJNViEyfOYdgJx5sjvEMI+Lls2oBD4wJvpXOlyQR2070g
+G2AX3UZRuR/EmCEj7hz7Cb5pVcugafU0PnT7/crymxc09qOH+i7m8KW4QtIbMa1/
+0Ky8kQK+cNTG4wgOiiFwvppjOJU8jqa0fPhgDWc9fVlNVrDrka5bIVKDqhM2H5yc
+N56JvhGWvoBMU8YYQuXHI94nsy6Zin7EmDTTGHFhKfQ0bprt4INE6qYmcVKQo7VV
+PgER6zIADy6J1F5zXFb6KO28Fxsd4ErE71jvPYIpOfRQ18M0TgegSDl5xVjgaiIl
+rk57s5u5hF16nQzMuiA6+7fvxnbHxE3Np7DTBhpMGFyhmCi1lubcNSSqjkoYGICe
+JM8EEve9x7lSDjc6qrKYcZSUOe0rdGIXDwYC+NP5wmUIoIXjKmjTbci9WHy23u6P
+GvuHSTrEyj9bIycDbL4q2tcunSPOUzDVlgTSR7OrUbJrLF4YBtA=
+=yQ6l
 -----END PGP SIGNATURE-----