From 7c5c42b3b895a3044c3b50c408eafe172ff8ba8d Mon Sep 17 00:00:00 2001
From: bernhard
Date: Sun, 22 Mar 2026 10:05:09 +0100
Subject: [PATCH] Update CPANSA::DB to 20260318.001
---
 Kernel/System/Environment.pm | 2 +-
 Kernel/cpan-lib/CPAN/Audit/DB.pm | 8 ++++----
 Kernel/cpan-lib/CPANSA/DB.pm | 8 ++++----
 Kernel/cpan-lib/cpanfile | 2 +-
 scripts/test/Console/Command/Dev/Code/CPANAudit.t | 2 +-
 5 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/Kernel/System/Environment.pm b/Kernel/System/Environment.pm
index 7289dc6b5..2c9300caa 100644
--- a/Kernel/System/Environment.pm
+++ b/Kernel/System/Environment.pm
@@ -334,7 +334,7 @@ sub BundleModulesDeclarationGet {
 'Comment' => 'database of adbisories used by CPAN::Audit',
 'Module' => 'CPANSA::DB',
 'Required' => 1,
- 'VersionRequired' => '== 20260311.002',
+ 'VersionRequired' => '== 20260318.001',
 },
 {
 'Comment' => 'needed by CPAN::Audit',
diff --git a/Kernel/cpan-lib/CPAN/Audit/DB.pm b/Kernel/cpan-lib/CPAN/Audit/DB.pm
index 9c5ab72cb..c15ec9549 100644
--- a/Kernel/cpan-lib/CPAN/Audit/DB.pm
+++ b/Kernel/cpan-lib/CPAN/Audit/DB.pm
@@ -1,5 +1,5 @@ -# created by util/generate at Wed Mar 11 13:03:16 2026 -# https://github.com/briandfoy/cpan-security-advisory.git a9f8afbc36f0047a2a60bd8a66160f7ac2facb25 +# created by util/generate at Wed Mar 18 13:36:03 2026 +# https://github.com/briandfoy/cpan-security-advisory.git 0d05b0bcff541d0e5a25d50cd664f22548fea57f =encoding utf8
@@ -82,10 +82,10 @@ package CPAN::Audit::DB; use strict; use warnings; -our $VERSION = '20260311.002'; +our $VERSION = '20260318.001'; sub db { - {"dists" => {"ActivePerl" => {"advisories" => [{"affected_versions" => ["==5.16.1.1601"],"cves" => ["CVE-2012-5377"],"description" => "Untrusted search path vulnerability in the installation functionality in ActivePerl 5.16.1.1601, when installed in the top-level C:\\ directory, allows local users to gain privileges via a Trojan horse DLL in the C:\\Perl\\Site\\bin directory, which is added to the PATH system environment variable, as demonstrated by a Trojan horse wlbsctrl.dll file used by the \"IKE and AuthIP IPsec Keying Modules\" system service in Windows Vista SP1, Windows Server 2008 SP2, Windows 7 SP1, and Windows 8 Release Preview.\n","distribution" => "ActivePerl","fixed_versions" => [],"id" => "CPANSA-ActivePerl-2012-5377","references" => ["https://www.htbridge.com/advisory/HTB23108","http://osvdb.org/86177"],"reported" => "2012-10-11","severity" => undef},{"affected_versions" => ["==5.8.8.817"],"cves" => ["CVE-2006-2856"],"description" => "ActiveState ActivePerl 5.8.8.817 for Windows configures the site/lib directory with \"Users\" group permissions for changing files, which allows local users to gain privileges by creating a malicious sitecustomize.pl file in that directory. 
NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.\n","distribution" => "ActivePerl","fixed_versions" => [],"id" => "CPANSA-ActivePerl-2006-2856","references" => ["http://secunia.com/advisories/20328","http://www.securityfocus.com/bid/18269","http://www.osvdb.org/25974","http://www.vupen.com/english/advisories/2006/2140","https://exchange.xforce.ibmcloud.com/vulnerabilities/26915"],"reported" => "2006-06-06","severity" => undef},{"affected_versions" => ["<=5.8.1"],"cves" => ["CVE-2004-2286"],"description" => "Integer overflow in the duplication operator in ActivePerl allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large multiplier, which may trigger a buffer overflow.\n","distribution" => "ActivePerl","fixed_versions" => [],"id" => "CPANSA-ActivePerl-2004-2286","references" => ["http://archives.neohapsis.com/archives/fulldisclosure/2004-05/0878.html","http://www.securityfocus.com/bid/10380","https://exchange.xforce.ibmcloud.com/vulnerabilities/16224"],"reported" => "2004-12-31","severity" => undef},{"affected_versions" => ["<5.10"],"cves" => ["CVE-2004-2022"],"description" => "ActivePerl 5.8.x and others, and Larry Wall's Perl 5.6.1 and others, when running on Windows systems, allows attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long argument to the system command, which leads to a stack-based buffer overflow. 
NOTE: it is unclear whether this bug is in Perl or the OS API that is used by Perl.\n","distribution" => "ActivePerl","fixed_versions" => [],"id" => "CPANSA-ActivePerl-2004-2022","references" => ["http://www.oliverkarow.de/research/ActivePerlSystemBOF.txt","http://www.perlmonks.org/index.pl?node_id=354145","http://www.securityfocus.com/bid/10375","http://archives.neohapsis.com/archives/fulldisclosure/2004-05/0905.html","http://marc.info/?l=full-disclosure&m=108489112131099&w=2","http://marc.info/?l=full-disclosure&m=108482796105922&w=2","http://marc.info/?l=full-disclosure&m=108483058514596&w=2","http://marc.info/?l=bugtraq&m=108489894009025&w=2","https://exchange.xforce.ibmcloud.com/vulnerabilities/16169"],"reported" => "2004-12-31","severity" => undef},{"affected_versions" => [],"cves" => ["CVE-2004-0377"],"description" => "Buffer overflow in the win32_stat function for (1) ActiveState's ActivePerl and (2) Larry Wall's Perl before 5.8.3 allows local or remote attackers to execute arbitrary commands via filenames that end in a backslash character.\n","distribution" => "ActivePerl","fixed_versions" => [],"id" => "CPANSA-ActivePerl-2004-0377","references" => ["http://www.kb.cert.org/vuls/id/722414","http://lists.grok.org.uk/pipermail/full-disclosure/2004-April/019794.html","http://public.activestate.com/cgi-bin/perlbrowse?patch=22552","http://www.idefense.com/application/poi/display?id=93&type=vulnerabilities","http://marc.info/?l=bugtraq&m=108118694327979&w=2","https://exchange.xforce.ibmcloud.com/vulnerabilities/15732"],"reported" => "2004-05-04","severity" => undef},{"affected_versions" => ["<=5.6.1.629"],"cves" => ["CVE-2001-0815"],"description" => "Buffer overflow in PerlIS.dll in Activestate ActivePerl 5.6.1.629 and earlier allows remote attackers to execute arbitrary code via an HTTP request for a long filename that ends in a .pl extension.\n","distribution" => "ActivePerl","fixed_versions" => [],"id" => "CPANSA-ActivePerl-2001-0815","references" => 
["http://bugs.activestate.com/show_bug.cgi?id=18062","http://www.securityfocus.com/bid/3526","http://www.osvdb.org/678","http://marc.info/?l=bugtraq&m=100583978302585&w=2","https://exchange.xforce.ibmcloud.com/vulnerabilities/7539"],"reported" => "2001-12-06","severity" => undef}],"main_module" => "","versions" => []},"Alien-FreeImage" => {"advisories" => [{"affected_versions" => [">=0.001,<=0.011"],"cves" => ["CVE-2015-0852"],"description" => "Multiple integer underflows in PluginPCX.cpp in FreeImage 3.17.0 and earlier allow remote attackers to cause a denial of service (heap memory corruption) via vectors related to the height and width of a window.\n","distribution" => "Alien-FreeImage","fixed_versions" => [],"id" => "CPANSA-Alien-FreeImage-2015-0852-freeimage","references" => ["https://github.com/kmx/alien-freeimage/issues/5","http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167766.html","http://www.openwall.com/lists/oss-security/2015/08/28/1","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=797165","http://www.debian.org/security/2015/dsa-3392","http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172491.html","http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172583.html","http://www.securitytracker.com/id/1034077","http://lists.fedoraproject.org/pipermail/package-announce/2015-October/168000.html","http://lists.fedoraproject.org/pipermail/package-announce/2015-October/168023.html","https://security.gentoo.org/glsa/201701-68","https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"],"reported" => "2015-09-29","severity" => undef},{"affected_versions" => [">=1.000_1,<=1.001"],"cves" => ["CVE-2015-0852"],"description" => "Multiple integer underflows in PluginPCX.cpp in FreeImage 3.17.0 and earlier allow remote attackers to cause a denial of service (heap memory corruption) via vectors related to the height and width of a window.\n","distribution" => 
"Alien-FreeImage","fixed_versions" => [],"id" => "CPANSA-Alien-FreeImage-2015-0852-freeimage","references" => ["https://github.com/kmx/alien-freeimage/issues/5","http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167766.html","http://www.openwall.com/lists/oss-security/2015/08/28/1","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=797165","http://www.debian.org/security/2015/dsa-3392","http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172491.html","http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172583.html","http://www.securitytracker.com/id/1034077","http://lists.fedoraproject.org/pipermail/package-announce/2015-October/168000.html","http://lists.fedoraproject.org/pipermail/package-announce/2015-October/168023.html","https://security.gentoo.org/glsa/201701-68","https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"],"reported" => "2015-09-29","severity" => undef}],"main_module" => "Alien::FreeImage","versions" => [{"date" => "2014-11-27T21:33:19","version" => "0.001"},{"date" => "2014-11-27T23:23:17","version" => "0.002"},{"date" => "2014-11-28T06:50:21","version" => "0.003"},{"date" => "2014-11-28T08:16:43","version" => "0.004"},{"date" => "2014-11-28T09:42:55","version" => "0.005"},{"date" => "2014-11-29T17:54:12","version" => "0.006"},{"date" => "2014-11-29T22:00:16","version" => "0.007"},{"date" => "2014-11-29T22:04:22","version" => "0.008"},{"date" => "2014-11-30T21:50:53","version" => "0.009"},{"date" => "2014-12-08T22:22:02","version" => "0.010"},{"date" => "2014-12-09T21:26:56","version" => "0.011"},{"date" => "2017-06-25T21:05:55","version" => "1.000_1"},{"date" => "2017-06-26T17:54:11","version" => "1.000_2"},{"date" => "2017-06-27T08:30:16","version" => "1.000_3"},{"date" => "2017-07-11T11:46:10","version" => "1.001"}]},"Alien-GCrypt" => {"advisories" => [{"affected_versions" => [">=1.6.2.0,<=1.6.2.1"],"cves" => ["CVE-2018-0495"],"description" => "Libgcrypt 
before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.\n","distribution" => "Alien-GCrypt","fixed_versions" => [],"id" => "CPANSA-Alien-GCrypt-2018-0495-libgcrypt","references" => ["https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/","https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html","https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965","https://dev.gnupg.org/T4011","https://www.debian.org/security/2018/dsa-4231","https://usn.ubuntu.com/3689-2/","https://usn.ubuntu.com/3689-1/","http://www.securitytracker.com/id/1041147","http://www.securitytracker.com/id/1041144","https://usn.ubuntu.com/3692-2/","https://usn.ubuntu.com/3692-1/","https://lists.debian.org/debian-lts-announce/2018/06/msg00013.html","https://access.redhat.com/errata/RHSA-2018:3221","https://access.redhat.com/errata/RHSA-2018:3505","https://usn.ubuntu.com/3850-1/","https://usn.ubuntu.com/3850-2/","https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html","https://access.redhat.com/errata/RHSA-2019:1297","https://access.redhat.com/errata/RHSA-2019:1296","https://access.redhat.com/errata/RHSA-2019:1543","https://access.redhat.com/errata/RHSA-2019:2237"],"reported" => "2018-06-13","severity" => "medium"},{"affected_versions" => ["==1.6.5.0"],"cves" => ["CVE-2018-0495"],"description" => "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign 
function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.\n","distribution" => "Alien-GCrypt","fixed_versions" => [],"id" => "CPANSA-Alien-GCrypt-2018-0495-libgcrypt","references" => ["https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/","https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html","https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965","https://dev.gnupg.org/T4011","https://www.debian.org/security/2018/dsa-4231","https://usn.ubuntu.com/3689-2/","https://usn.ubuntu.com/3689-1/","http://www.securitytracker.com/id/1041147","http://www.securitytracker.com/id/1041144","https://usn.ubuntu.com/3692-2/","https://usn.ubuntu.com/3692-1/","https://lists.debian.org/debian-lts-announce/2018/06/msg00013.html","https://access.redhat.com/errata/RHSA-2018:3221","https://access.redhat.com/errata/RHSA-2018:3505","https://usn.ubuntu.com/3850-1/","https://usn.ubuntu.com/3850-2/","https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html","https://access.redhat.com/errata/RHSA-2019:1297","https://access.redhat.com/errata/RHSA-2019:1296","https://access.redhat.com/errata/RHSA-2019:1543","https://access.redhat.com/errata/RHSA-2019:2237"],"reported" => "2018-06-13","severity" => "medium"}],"main_module" => "Alien::GCrypt","versions" => [{"date" => "2014-11-19T00:20:20","version" => "1.6.2.0"},{"date" => "2014-11-21T22:25:49","version" => "1.6.2.1"},{"date" => "2016-03-11T00:00:36","version" => "1.6.5.0"}]},"Alien-OTR" => {"advisories" => [{"affected_versions" => [">=4.0.0.0,<=4.0.0.1"],"cves" => ["CVE-2016-2851"],"description" => "Integer overflow in proto.c in libotr before 4.1.1 on 64-bit platforms allows remote attackers to cause a denial of service (memory corruption and 
application crash) or execute arbitrary code via a series of large OTR messages, which triggers a heap-based buffer overflow.\n","distribution" => "Alien-OTR","fixed_versions" => [],"id" => "CPANSA-Alien-OTR-2016-2851-libotr","references" => ["https://www.x41-dsec.de/lab/advisories/x41-2016-001-libotr/","http://www.debian.org/security/2016/dsa-3512","http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00021.html","https://lists.cypherpunks.ca/pipermail/otr-users/2016-March/002581.html","http://seclists.org/fulldisclosure/2016/Mar/21","http://www.securityfocus.com/bid/84285","http://www.ubuntu.com/usn/USN-2926-1","http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00030.html","https://security.gentoo.org/glsa/201701-10","https://www.exploit-db.com/exploits/39550/","http://www.securityfocus.com/archive/1/537745/100/0/threaded"],"reported" => "2016-04-07","severity" => "critical"},{"affected_versions" => ["==4.1.0.0"],"cves" => ["CVE-2016-2851"],"description" => "Integer overflow in proto.c in libotr before 4.1.1 on 64-bit platforms allows remote attackers to cause a denial of service (memory corruption and application crash) or execute arbitrary code via a series of large OTR messages, which triggers a heap-based buffer overflow.\n","distribution" => "Alien-OTR","fixed_versions" => [],"id" => "CPANSA-Alien-OTR-2016-2851-libotr","references" => 
["https://www.x41-dsec.de/lab/advisories/x41-2016-001-libotr/","http://www.debian.org/security/2016/dsa-3512","http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00021.html","https://lists.cypherpunks.ca/pipermail/otr-users/2016-March/002581.html","http://seclists.org/fulldisclosure/2016/Mar/21","http://www.securityfocus.com/bid/84285","http://www.ubuntu.com/usn/USN-2926-1","http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00030.html","https://security.gentoo.org/glsa/201701-10","https://www.exploit-db.com/exploits/39550/","http://www.securityfocus.com/archive/1/537745/100/0/threaded"],"reported" => "2016-04-07","severity" => "critical"}],"main_module" => "Alien::OTR","versions" => [{"date" => "2014-02-04T00:25:37","version" => "4.0.0.0"},{"date" => "2014-06-16T00:29:25","version" => "4.0.0.1"},{"date" => "2014-11-19T00:30:34","version" => "4.1.0.0"},{"date" => "2016-03-10T23:38:55","version" => "4.1.1.0"}]},"Alien-PCRE2" => {"advisories" => [{"affected_versions" => ["<0.016000"],"comment" => "This Alien module fetches libpcre2 sources from the network. It tries to get the latest unless you set environment variables to get a different version.\n","cves" => ["CVE-2019-20454"],"description" => "An out-of-bounds read was discovered in PCRE before 10.34 when the pattern \\X is JIT compiled and used to match specially crafted subjects in non-UTF mode. Applications that use PCRE to parse untrusted input may be vulnerable to this flaw, which would allow an attacker to crash the application. 
The flaw occurs in do_extuni_no_utf in pcre2_jit_compile.c.\n","distribution" => "Alien-PCRE2","fixed_versions" => [">=0.016000"],"id" => "CPANSA-Alien-PCRE2-2019-20454","references" => ["https://bugs.php.net/bug.php?id=78338","https://bugs.exim.org/show_bug.cgi?id=2421","https://bugzilla.redhat.com/show_bug.cgi?id=1735494","https://vcs.pcre.org/pcre2?view=revision&revision=1092","https://security.gentoo.org/glsa/202006-16","https://lists.fedoraproject.org/archives/list/package-announce\@lists.fedoraproject.org/message/OQRAHYHLRNMBTPR3KXVM27NSZP3KTOPI/"],"reported" => "2020-02-14","severity" => "high"}],"main_module" => "Alien::PCRE2","versions" => [{"date" => "2017-06-30T23:18:21","version" => "0.001000"},{"date" => "2017-07-01T02:48:02","version" => "0.002000"},{"date" => "2017-07-02T04:51:35","version" => "0.003000"},{"date" => "2017-07-02T06:53:29","version" => "0.004000"},{"date" => "2017-07-02T09:21:41","version" => "0.005000"},{"date" => "2017-07-03T01:03:23","version" => "0.006000"},{"date" => "2017-07-12T17:40:07","version" => "0.007000"},{"date" => "2017-07-13T07:43:28","version" => "0.008000"},{"date" => "2017-07-15T10:31:20","version" => "0.009000"},{"date" => "2017-07-17T04:44:54","version" => "0.010000"},{"date" => "2017-07-18T18:30:06","version" => "0.011000"},{"date" => "2017-07-19T05:07:21","version" => "0.012000"},{"date" => "2017-07-23T04:43:01","version" => "0.013000"},{"date" => "2017-11-01T02:50:14","version" => "0.014000"},{"date" => "2017-11-08T00:42:33","version" => "0.015000"},{"date" => "2022-05-08T20:22:53","version" => "0.016000"},{"date" => "2023-02-04T00:21:59","version" => "0.017000"}]},"Alien-SVN" => {"advisories" => [{"affected_versions" => [">=1.4.5.0,<=1.4.5.3"],"cves" => ["CVE-2015-3187"],"description" => "The svn_repos_trace_node_locations function in Apache Subversion before 1.7.21 and 1.8.x before 1.8.14, when path-based authorization is used, allows remote authenticated users to obtain sensitive path information by reading 
the history of a node that has been moved from a hidden path.\n","distribution" => "Alien-SVN","fixed_versions" => [],"id" => "CPANSA-Alien-SVN-2015-3187-subversion","references" => ["http://www.securitytracker.com/id/1033215","http://subversion.apache.org/security/CVE-2015-3187-advisory.txt","http://www.debian.org/security/2015/dsa-3331","http://lists.opensuse.org/opensuse-updates/2015-08/msg00022.html","http://rhn.redhat.com/errata/RHSA-2015-1633.html","https://support.apple.com/HT206172","http://lists.apple.com/archives/security-announce/2016/Mar/msg00003.html","http://www.securityfocus.com/bid/76273","http://rhn.redhat.com/errata/RHSA-2015-1742.html","http://www.ubuntu.com/usn/USN-2721-1","https://security.gentoo.org/glsa/201610-05"],"reported" => "2015-08-12","severity" => undef},{"affected_versions" => [">=1.4.6.0,<=1.4.6.0"],"cves" => ["CVE-2015-3187"],"description" => "The svn_repos_trace_node_locations function in Apache Subversion before 1.7.21 and 1.8.x before 1.8.14, when path-based authorization is used, allows remote authenticated users to obtain sensitive path information by reading the history of a node that has been moved from a hidden path.\n","distribution" => "Alien-SVN","fixed_versions" => [],"id" => "CPANSA-Alien-SVN-2015-3187-subversion","references" => ["http://www.securitytracker.com/id/1033215","http://subversion.apache.org/security/CVE-2015-3187-advisory.txt","http://www.debian.org/security/2015/dsa-3331","http://lists.opensuse.org/opensuse-updates/2015-08/msg00022.html","http://rhn.redhat.com/errata/RHSA-2015-1633.html","https://support.apple.com/HT206172","http://lists.apple.com/archives/security-announce/2016/Mar/msg00003.html","http://www.securityfocus.com/bid/76273","http://rhn.redhat.com/errata/RHSA-2015-1742.html","http://www.ubuntu.com/usn/USN-2721-1","https://security.gentoo.org/glsa/201610-05"],"reported" => "2015-08-12","severity" => undef},{"affected_versions" => [">=1.6.12.0,<=1.6.12.1"],"cves" => 
["CVE-2015-3187"],"description" => "The svn_repos_trace_node_locations function in Apache Subversion before 1.7.21 and 1.8.x before 1.8.14, when path-based authorization is used, allows remote authenticated users to obtain sensitive path information by reading the history of a node that has been moved from a hidden path.\n","distribution" => "Alien-SVN","fixed_versions" => [],"id" => "CPANSA-Alien-SVN-2015-3187-subversion","references" => ["http://www.securitytracker.com/id/1033215","http://subversion.apache.org/security/CVE-2015-3187-advisory.txt","http://www.debian.org/security/2015/dsa-3331","http://lists.opensuse.org/opensuse-updates/2015-08/msg00022.html","http://rhn.redhat.com/errata/RHSA-2015-1633.html","https://support.apple.com/HT206172","http://lists.apple.com/archives/security-announce/2016/Mar/msg00003.html","http://www.securityfocus.com/bid/76273","http://rhn.redhat.com/errata/RHSA-2015-1742.html","http://www.ubuntu.com/usn/USN-2721-1","https://security.gentoo.org/glsa/201610-05"],"reported" => "2015-08-12","severity" => undef},{"affected_versions" => [">=1.7.3.0,<=1.17.3.0"],"cves" => ["CVE-2015-3187"],"description" => "The svn_repos_trace_node_locations function in Apache Subversion before 1.7.21 and 1.8.x before 1.8.14, when path-based authorization is used, allows remote authenticated users to obtain sensitive path information by reading the history of a node that has been moved from a hidden path.\n","distribution" => "Alien-SVN","fixed_versions" => [],"id" => "CPANSA-Alien-SVN-2015-3187-subversion","references" => 
["http://www.securitytracker.com/id/1033215","http://subversion.apache.org/security/CVE-2015-3187-advisory.txt","http://www.debian.org/security/2015/dsa-3331","http://lists.opensuse.org/opensuse-updates/2015-08/msg00022.html","http://rhn.redhat.com/errata/RHSA-2015-1633.html","https://support.apple.com/HT206172","http://lists.apple.com/archives/security-announce/2016/Mar/msg00003.html","http://www.securityfocus.com/bid/76273","http://rhn.redhat.com/errata/RHSA-2015-1742.html","http://www.ubuntu.com/usn/USN-2721-1","https://security.gentoo.org/glsa/201610-05"],"reported" => "2015-08-12","severity" => undef},{"affected_versions" => [">=1.7.17.0,<=1.17.1.0"],"cves" => ["CVE-2015-3187"],"description" => "The svn_repos_trace_node_locations function in Apache Subversion before 1.7.21 and 1.8.x before 1.8.14, when path-based authorization is used, allows remote authenticated users to obtain sensitive path information by reading the history of a node that has been moved from a hidden path.\n","distribution" => "Alien-SVN","fixed_versions" => [],"id" => "CPANSA-Alien-SVN-2015-3187-subversion","references" => ["http://www.securitytracker.com/id/1033215","http://subversion.apache.org/security/CVE-2015-3187-advisory.txt","http://www.debian.org/security/2015/dsa-3331","http://lists.opensuse.org/opensuse-updates/2015-08/msg00022.html","http://rhn.redhat.com/errata/RHSA-2015-1633.html","https://support.apple.com/HT206172","http://lists.apple.com/archives/security-announce/2016/Mar/msg00003.html","http://www.securityfocus.com/bid/76273","http://rhn.redhat.com/errata/RHSA-2015-1742.html","http://www.ubuntu.com/usn/USN-2721-1","https://security.gentoo.org/glsa/201610-05"],"reported" => "2015-08-12","severity" => undef},{"affected_versions" => ["==1.7.19.0"],"cves" => ["CVE-2015-3187"],"description" => "The svn_repos_trace_node_locations function in Apache Subversion before 1.7.21 and 1.8.x before 1.8.14, when path-based authorization is used, allows remote authenticated users to 
obtain sensitive path information by reading the history of a node that has been moved from a hidden path.\n","distribution" => "Alien-SVN","fixed_versions" => [],"id" => "CPANSA-Alien-SVN-2015-3187-subversion","references" => ["http://www.securitytracker.com/id/1033215","http://subversion.apache.org/security/CVE-2015-3187-advisory.txt","http://www.debian.org/security/2015/dsa-3331","http://lists.opensuse.org/opensuse-updates/2015-08/msg00022.html","http://rhn.redhat.com/errata/RHSA-2015-1633.html","https://support.apple.com/HT206172","http://lists.apple.com/archives/security-announce/2016/Mar/msg00003.html","http://www.securityfocus.com/bid/76273","http://rhn.redhat.com/errata/RHSA-2015-1742.html","http://www.ubuntu.com/usn/USN-2721-1","https://security.gentoo.org/glsa/201610-05"],"reported" => "2015-08-12","severity" => undef},{"affected_versions" => ["==1.8.11.0"],"cves" => ["CVE-2018-11782"],"description" => "In Apache Subversion versions up to and including 1.9.10, 1.10.4, 1.12.0, Subversion's svnserve server process may exit when a well-formed read-only request produces a particular answer. This can lead to disruption for users of the server.\n","distribution" => "Alien-SVN","fixed_versions" => [],"id" => "CPANSA-Alien-SVN-2018-11782-subversion","references" => ["http://subversion.apache.org/security/CVE-2018-11782-advisory.txt"],"reported" => "2019-09-26","severity" => "medium"},{"affected_versions" => ["==1.8.11.0"],"cves" => ["CVE-2019-0203"],"description" => "In Apache Subversion versions up to and including 1.9.10, 1.10.4, 1.12.0, Subversion's svnserve server process may exit when a client sends certain sequences of protocol commands. 
This can lead to disruption for users of the server.\n","distribution" => "Alien-SVN","fixed_versions" => [],"id" => "CPANSA-Alien-SVN-2019-0203-subversion","references" => ["http://subversion.apache.org/security/CVE-2019-0203-advisory.txt"],"reported" => "2019-09-26","severity" => "high"},{"affected_versions" => [">=1.4.5.0,<=1.4.5.3"],"cves" => ["CVE-2015-3187"],"description" => "The svn_repos_trace_node_locations function in Apache Subversion before 1.7.21 and 1.8.x before 1.8.14, when path-based authorization is used, allows remote authenticated users to obtain sensitive path information by reading the history of a node that has been moved from a hidden path.\n","distribution" => "Alien-SVN","fixed_versions" => [],"id" => "CPANSA-Alien-SVN-2015-3187-svn","references" => ["http://www.securitytracker.com/id/1033215","http://subversion.apache.org/security/CVE-2015-3187-advisory.txt","http://www.debian.org/security/2015/dsa-3331","http://lists.opensuse.org/opensuse-updates/2015-08/msg00022.html","http://rhn.redhat.com/errata/RHSA-2015-1633.html","https://support.apple.com/HT206172","http://lists.apple.com/archives/security-announce/2016/Mar/msg00003.html","http://www.securityfocus.com/bid/76273","http://rhn.redhat.com/errata/RHSA-2015-1742.html","http://www.ubuntu.com/usn/USN-2721-1","https://security.gentoo.org/glsa/201610-05"],"reported" => "2015-08-12","severity" => undef},{"affected_versions" => ["==1.4.6.0"],"cves" => ["CVE-2015-3187"],"description" => "The svn_repos_trace_node_locations function in Apache Subversion before 1.7.21 and 1.8.x before 1.8.14, when path-based authorization is used, allows remote authenticated users to obtain sensitive path information by reading the history of a node that has been moved from a hidden path.\n","distribution" => "Alien-SVN","fixed_versions" => [],"id" => "CPANSA-Alien-SVN-2015-3187-svn","references" => 
["http://www.securitytracker.com/id/1033215","http://subversion.apache.org/security/CVE-2015-3187-advisory.txt","http://www.debian.org/security/2015/dsa-3331","http://lists.opensuse.org/opensuse-updates/2015-08/msg00022.html","http://rhn.redhat.com/errata/RHSA-2015-1633.html","https://support.apple.com/HT206172","http://lists.apple.com/archives/security-announce/2016/Mar/msg00003.html","http://www.securityfocus.com/bid/76273","http://rhn.redhat.com/errata/RHSA-2015-1742.html","http://www.ubuntu.com/usn/USN-2721-1","https://security.gentoo.org/glsa/201610-05"],"reported" => "2015-08-12","severity" => undef},{"affected_versions" => [">=1.6.12.0,<=1.6.12.1"],"cves" => ["CVE-2015-3187"],"description" => "The svn_repos_trace_node_locations function in Apache Subversion before 1.7.21 and 1.8.x before 1.8.14, when path-based authorization is used, allows remote authenticated users to obtain sensitive path information by reading the history of a node that has been moved from a hidden path.\n","distribution" => "Alien-SVN","fixed_versions" => [],"id" => "CPANSA-Alien-SVN-2015-3187-svn","references" => ["http://www.securitytracker.com/id/1033215","http://subversion.apache.org/security/CVE-2015-3187-advisory.txt","http://www.debian.org/security/2015/dsa-3331","http://lists.opensuse.org/opensuse-updates/2015-08/msg00022.html","http://rhn.redhat.com/errata/RHSA-2015-1633.html","https://support.apple.com/HT206172","http://lists.apple.com/archives/security-announce/2016/Mar/msg00003.html","http://www.securityfocus.com/bid/76273","http://rhn.redhat.com/errata/RHSA-2015-1742.html","http://www.ubuntu.com/usn/USN-2721-1","https://security.gentoo.org/glsa/201610-05"],"reported" => "2015-08-12","severity" => undef},{"affected_versions" => [">=1.7.17.0,<=1.7.17.1"],"cves" => ["CVE-2015-3187"],"description" => "The svn_repos_trace_node_locations function in Apache Subversion before 1.7.21 and 1.8.x before 1.8.14, when path-based authorization is used, allows remote authenticated users to 
obtain sensitive path information by reading the history of a node that has been moved from a hidden path.\n","distribution" => "Alien-SVN","fixed_versions" => [],"id" => "CPANSA-Alien-SVN-2015-3187-svn","references" => ["http://www.securitytracker.com/id/1033215","http://subversion.apache.org/security/CVE-2015-3187-advisory.txt","http://www.debian.org/security/2015/dsa-3331","http://lists.opensuse.org/opensuse-updates/2015-08/msg00022.html","http://rhn.redhat.com/errata/RHSA-2015-1633.html","https://support.apple.com/HT206172","http://lists.apple.com/archives/security-announce/2016/Mar/msg00003.html","http://www.securityfocus.com/bid/76273","http://rhn.redhat.com/errata/RHSA-2015-1742.html","http://www.ubuntu.com/usn/USN-2721-1","https://security.gentoo.org/glsa/201610-05"],"reported" => "2015-08-12","severity" => undef},{"affected_versions" => ["==1.7.19.0"],"cves" => ["CVE-2015-3187"],"description" => "The svn_repos_trace_node_locations function in Apache Subversion before 1.7.21 and 1.8.x before 1.8.14, when path-based authorization is used, allows remote authenticated users to obtain sensitive path information by reading the history of a node that has been moved from a hidden path.\n","distribution" => "Alien-SVN","fixed_versions" => [],"id" => "CPANSA-Alien-SVN-2015-3187-svn","references" => ["http://www.securitytracker.com/id/1033215","http://subversion.apache.org/security/CVE-2015-3187-advisory.txt","http://www.debian.org/security/2015/dsa-3331","http://lists.opensuse.org/opensuse-updates/2015-08/msg00022.html","http://rhn.redhat.com/errata/RHSA-2015-1633.html","https://support.apple.com/HT206172","http://lists.apple.com/archives/security-announce/2016/Mar/msg00003.html","http://www.securityfocus.com/bid/76273","http://rhn.redhat.com/errata/RHSA-2015-1742.html","http://www.ubuntu.com/usn/USN-2721-1","https://security.gentoo.org/glsa/201610-05"],"reported" => "2015-08-12","severity" => undef},{"affected_versions" => [">=1.7.3.0,<=1.7.3.1"],"cves" => 
["CVE-2015-3187"],"description" => "The svn_repos_trace_node_locations function in Apache Subversion before 1.7.21 and 1.8.x before 1.8.14, when path-based authorization is used, allows remote authenticated users to obtain sensitive path information by reading the history of a node that has been moved from a hidden path.\n","distribution" => "Alien-SVN","fixed_versions" => [],"id" => "CPANSA-Alien-SVN-2015-3187-svn","references" => ["http://www.securitytracker.com/id/1033215","http://subversion.apache.org/security/CVE-2015-3187-advisory.txt","http://www.debian.org/security/2015/dsa-3331","http://lists.opensuse.org/opensuse-updates/2015-08/msg00022.html","http://rhn.redhat.com/errata/RHSA-2015-1633.html","https://support.apple.com/HT206172","http://lists.apple.com/archives/security-announce/2016/Mar/msg00003.html","http://www.securityfocus.com/bid/76273","http://rhn.redhat.com/errata/RHSA-2015-1742.html","http://www.ubuntu.com/usn/USN-2721-1","https://security.gentoo.org/glsa/201610-05"],"reported" => "2015-08-12","severity" => undef},{"affected_versions" => ["==1.8.11.0"],"cves" => ["CVE-2015-3187"],"description" => "The svn_repos_trace_node_locations function in Apache Subversion before 1.7.21 and 1.8.x before 1.8.14, when path-based authorization is used, allows remote authenticated users to obtain sensitive path information by reading the history of a node that has been moved from a hidden path.\n","distribution" => "Alien-SVN","fixed_versions" => [],"id" => "CPANSA-Alien-SVN-2015-3187-svn","references" => 
["http://www.securitytracker.com/id/1033215","http://subversion.apache.org/security/CVE-2015-3187-advisory.txt","http://www.debian.org/security/2015/dsa-3331","http://lists.opensuse.org/opensuse-updates/2015-08/msg00022.html","http://rhn.redhat.com/errata/RHSA-2015-1633.html","https://support.apple.com/HT206172","http://lists.apple.com/archives/security-announce/2016/Mar/msg00003.html","http://www.securityfocus.com/bid/76273","http://rhn.redhat.com/errata/RHSA-2015-1742.html","http://www.ubuntu.com/usn/USN-2721-1","https://security.gentoo.org/glsa/201610-05"],"reported" => "2015-08-12","severity" => undef}],"main_module" => "Alien::SVN","versions" => [{"date" => "2007-09-12T10:21:02","version" => "1.4.5.0"},{"date" => "2007-09-21T01:13:48","version" => "1.4.5.1"},{"date" => "2007-09-21T11:45:13","version" => "1.4.5.2"},{"date" => "2007-12-26T09:04:20","version" => "1.4.5.3"},{"date" => "2007-12-27T05:34:26","version" => "1.4.6.0"},{"date" => "2010-08-18T07:45:18","version" => "v1.6.12.0"},{"date" => "2011-02-23T00:51:22","version" => "v1.6.12.1"},{"date" => "2012-03-02T00:57:20","version" => "v1.7.3.0"},{"date" => "2012-03-18T22:14:33","version" => "v1.7.3.1"},{"date" => "2014-06-12T04:08:38","version" => "v1.7.17.0"},{"date" => "2014-06-12T17:19:44","version" => "v1.7.17.1"},{"date" => "2015-01-12T23:26:41","version" => "v1.7.19.0"},{"date" => "2015-01-13T00:12:19","version" => "v1.8.11.0"}]},"Amon2-Auth-Site-LINE" => {"advisories" => [{"affected_versions" => ["<0.05"],"cves" => ["CVE-2024-57835"],"description" => "Amon2::Auth::Site::LINE uses the String::Random module\x{a0}to generate nonce values.\x{a0}String::Random\x{a0}defaults to Perl's built-in predictable\x{a0}random number generator,\x{a0}the rand() function, which is not cryptographically secure\n","distribution" => "Amon2-Auth-Site-LINE","fixed_versions" => [">=0.05"],"id" => "CPANSA-Amon2-Auth-Site-LINE-2024-57835","references" => 
["https://metacpan.org/release/SHLOMIF/String-Random-0.32/source/lib/String/Random.pm#L377","https://metacpan.org/release/TANIGUCHI/Amon2-Auth-Site-LINE-0.04/source/lib/Amon2/Auth/Site/LINE.pm#L235","https://metacpan.org/release/TANIGUCHI/Amon2-Auth-Site-LINE-0.04/source/lib/Amon2/Auth/Site/LINE.pm#L255","https://security.metacpan.org/docs/guides/random-data-for-security.html","https://jvndb.jvn.jp/ja/contents/2025/JVNDB-2025-003449.html"],"reported" => "2025-04-05","severity" => "moderate"}],"main_module" => "Amon2::Auth::Site::LINE","versions" => [{"date" => "2020-11-21T06:34:32","version" => "0.01"},{"date" => "2020-11-23T00:05:03","version" => "0.02"},{"date" => "2020-11-25T01:33:35","version" => "0.03"},{"date" => "2020-11-26T07:04:40","version" => "0.04"},{"date" => "2025-05-20T12:14:56","version" => "0.05"}]},"Apache-ASP" => {"advisories" => [{"affected_versions" => ["<1.95"],"cves" => [],"description" => "A bug would allow a malicious user possible writing of files in the same directory as the source.asp script.\n","distribution" => "Apache-ASP","fixed_versions" => [">=1.95"],"id" => "CPANSA-Apache-ASP-2000-01","references" => ["https://metacpan.org/release/CHAMAS/Apache-ASP-2.63/source/README"],"reported" => "2000-07-10","severity" => undef}],"main_module" => "Apache::ASP","versions" => [{"date" => "1998-06-24T02:10:51","version" => "0.01"},{"date" => "1998-07-11T01:48:14","version" => "0.02"},{"date" => "1998-09-14T11:13:32","version" => "0.03"},{"date" => "1998-10-12T07:50:56","version" => "0.04"},{"date" => "1998-10-18T21:29:19","version" => "0.05"},{"date" => "1999-02-06T06:04:50","version" => "0.08"},{"date" => "1999-04-22T08:30:57","version" => "0.09"},{"date" => "1999-06-24T20:04:52","version" => "0.11"},{"date" => "1999-07-02T07:05:05","version" => "0.12"},{"date" => "1999-07-29T10:58:20","version" => "0.14"},{"date" => "1999-08-25T02:02:31","version" => "0.15"},{"date" => "1999-09-22T20:54:01","version" => "0.16"},{"date" => 
"1999-11-16T04:44:48","version" => "0.17"},{"date" => "2000-02-04T02:14:14","version" => "0.18"},{"date" => "2000-07-03T13:08:54","version" => "1.91"},{"date" => "2000-07-03T22:43:45","version" => "1.93"},{"date" => "2000-07-11T01:44:02","version" => "1.95"},{"date" => "2000-07-16T07:17:39","version" => "2.00"},{"date" => "2000-07-22T23:31:36","version" => "2.01"},{"date" => "2000-08-02T00:11:15","version" => "2.03"},{"date" => "2000-11-26T19:15:48","version" => "2.07"},{"date" => "2001-01-31T04:03:17","version" => "2.09"},{"date" => "2001-05-30T01:37:39","version" => "2.11"},{"date" => "2001-06-12T00:41:33","version" => "2.15"},{"date" => "2001-06-18T02:35:48","version" => "2.17"},{"date" => "2001-07-11T05:27:22","version" => "2.19"},{"date" => "2001-08-05T23:01:50","version" => "2.21"},{"date" => "2001-10-11T07:54:39","version" => "2.23"},{"date" => "2001-10-11T23:34:01","version" => "2.25"},{"date" => "2001-11-01T01:11:12","version" => "2.27"},{"date" => "2001-11-19T21:41:12","version" => "2.29"},{"date" => "2002-01-22T09:52:49","version" => "2.31"},{"date" => "2002-04-30T09:12:20","version" => "2.33"},{"date" => "2002-05-30T19:47:22","version" => "2.35"},{"date" => "2002-07-03T21:11:15","version" => "2.37"},{"date" => "2002-09-12T08:16:20","version" => "2.39"},{"date" => "2002-09-30T06:35:47","version" => "2.41"},{"date" => "2002-10-14T04:01:36","version" => "2.45"},{"date" => "2002-11-07T02:03:41","version" => "2.47"},{"date" => "2002-11-11T07:15:21","version" => "2.49"},{"date" => "2003-02-10T21:11:34","version" => "2.51"},{"date" => "2003-04-10T16:27:14","version" => "2.53"},{"date" => "2003-08-10T07:39:57","version" => "2.55"},{"date" => "2004-01-29T08:30:48","version" => "2.57"},{"date" => "2005-05-24T05:52:39","version" => "2.59"},{"date" => "2008-05-25T23:07:57","version" => "2.61"},{"date" => "2011-10-02T19:18:10","version" => "2.62"},{"date" => "2012-02-13T23:15:04","version" => "2.62"},{"date" => "2018-03-15T05:28:37","version" => 
"2.63"}]},"Apache-AuthCAS" => {"advisories" => [{"affected_versions" => ["<0.5"],"cves" => ["CVE-2007-6342"],"description" => "A tainted cookie could be sent by a malicious user and it would be used in an SQL query without protection against SQL injection.\n","distribution" => "Apache-AuthCAS","fixed_versions" => [">=0.5"],"id" => "CPANSA-Apache-AuthCAS-2007-01","references" => ["https://metacpan.org/changes/distribution/Apache-AuthCAS","https://cxsecurity.com/issue/WLB-2007120031"],"reported" => "2007-12-13","severity" => "high"}],"main_module" => "Apache::AuthCAS","versions" => [{"date" => "2004-09-15T19:17:43","version" => "0.1"},{"date" => "2004-09-15T20:11:40","version" => "0.2"},{"date" => "2004-10-05T22:51:50","version" => "0.3"},{"date" => "2004-10-13T00:45:52","version" => "0.4"},{"date" => "2008-03-23T23:03:16","version" => "0.5"}]},"Apache-AuthenHook" => {"advisories" => [{"affected_versions" => [">=2.00_04"],"cves" => ["CVE-2010-3845"],"description" => "libapache-authenhook-perl 2.00-04 stores usernames and passwords in plaintext in the vhost error log.\n","distribution" => "Apache-AuthenHook","fixed_versions" => [],"id" => "CPANSA-Apache-AuthenHook-2010-3845","references" => ["https://rt.cpan.org/Public/Bug/Display.html?id=62040","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=599712","http://seclists.org/oss-sec/2010/q4/63"],"reported" => "2017-08-08","severity" => "critical"}],"main_module" => "Apache::AuthenHook","versions" => [{"date" => "2003-06-20T19:05:21","version" => "2.00_01"},{"date" => "2004-04-06T01:20:10","version" => "2.00_03"},{"date" => "2005-04-14T12:57:55","version" => "2.00_04"}]},"Apache-MP3" => {"advisories" => [{"affected_versions" => ["<2.15"],"cves" => [],"description" => "A security bug allowed people to bypass the AllowDownload setting.\n","distribution" => "Apache-MP3","fixed_versions" => [">=2.15"],"id" => "CPANSA-Apache-MP3-2001-01","references" => ["https://metacpan.org/dist/Apache-MP3/changes"],"reported" => 
"2001-01-01","severity" => undef}],"main_module" => "Apache::MP3","versions" => [{"date" => "2000-03-20T13:00:07","version" => "1.00"},{"date" => "2000-05-27T04:19:21","version" => "2.00"},{"date" => "2000-05-27T04:34:42","version" => "2.01"},{"date" => "2000-05-28T16:17:59","version" => "2.02"},{"date" => "2000-08-23T13:46:23","version" => "2.04"},{"date" => "2000-08-25T14:45:54","version" => "2.05"},{"date" => "2000-08-26T03:41:07","version" => "2.06"},{"date" => "2000-08-31T20:28:28","version" => "2.08"},{"date" => "2000-09-03T18:31:17","version" => "2.10"},{"date" => "2000-09-09T22:12:04","version" => "2.11"},{"date" => "2000-11-21T22:15:07","version" => "2.12"},{"date" => "2000-12-31T04:29:03","version" => "2.14"},{"date" => "2001-01-02T03:37:33","version" => "2.15"},{"date" => "2001-05-01T02:43:47","version" => "2.16"},{"date" => "2001-06-10T22:02:46","version" => "2.18"},{"date" => "2001-07-17T01:39:59","version" => "2.19"},{"date" => "2001-09-26T01:14:42","version" => "2.20"},{"date" => "2002-01-06T20:38:33","version" => "2.22"},{"date" => "2002-05-31T01:12:04","version" => "2.26"},{"date" => "2002-08-16T04:18:25","version" => "3.00"},{"date" => "2002-08-18T17:41:46","version" => "3.01"},{"date" => "2002-10-14T03:26:03","version" => "3.03"},{"date" => "2003-02-15T00:51:19","version" => "3.04"},{"date" => "2003-10-06T14:12:34","version" => "3.05"},{"date" => "2006-04-15T01:26:38","version" => "4.00"}]},"Apache-Session" => {"advisories" => [{"affected_versions" => [">0"],"cves" => ["CVE-2025-40931"],"description" => "Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session id. Apache::Session::Generate::MD5 generates session ids insecurely. The default session id generator returns a MD5 hash seeded with the built-in rand() function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. 
The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems.","distribution" => "Apache-Session","fixed_versions" => [],"id" => "CPANSA-Apache-Session-2025-40931","references" => ["https://metacpan.org/dist/Apache-Session/source/lib/Apache/Session/Generate/MD5.pm#L27","https://security.metacpan.org/docs/guides/random-data-for-security.html"],"reported" => "2026-03-05","severity" => undef}],"main_module" => "Apache::Session","versions" => [{"date" => "1998-05-20T21:03:28","version" => "0.10"},{"date" => "1998-06-26T23:12:16","version" => "0.12"},{"date" => "1998-07-08T11:14:44","version" => "0.13"},{"date" => "1998-07-20T07:21:32","version" => "0.14"},{"date" => "1998-09-15T21:29:50","version" => "0.16"},{"date" => "1998-09-29T05:20:47","version" => "v0.16.1"},{"date" => "1998-11-14T20:39:57","version" => "0.17"},{"date" => "1998-12-09T18:17:21","version" => "v0.17.1"},{"date" => "1999-01-28T19:45:49","version" => "v0.99.0"},{"date" => "1999-02-14T21:44:23","version" => "v0.99.3"},{"date" => "1999-02-16T05:47:59","version" => "v0.99.5"},{"date" => "1999-03-01T05:57:39","version" => "v0.99.6"},{"date" => "1999-03-03T23:57:45","version" => "v0.99.7"},{"date" => "1999-04-05T04:51:55","version" => "v0.99.8"},{"date" => "1999-08-16T02:06:04","version" => "1.00"},{"date" => "1999-09-12T04:35:00","version" => "1.03"},{"date" => "2000-05-26T16:31:41","version" => "1.50"},{"date" => "2000-05-26T22:31:44","version" => "1.51"},{"date" => "2000-07-24T03:48:07","version" => "1.52"},{"date" => "2000-09-01T22:43:07","version" => "1.53"},{"date" => "2001-10-11T18:37:18","version" => "1.54"},{"date" => "2004-02-24T19:58:32","version" => "1.6"},{"date" => "2004-09-01T18:55:04","version" => "1.70_01"},{"date" => "2005-10-06T22:17:32","version" => "1.80"},{"date" => "2006-05-23T16:03:15","version" => "1.81"},{"date" => "2007-02-12T17:53:50","version" => "1.81_01"},{"date" => "2007-02-21T13:35:35","version" 
=> "1.82"},{"date" => "2007-03-10T11:45:09","version" => "1.82_01"},{"date" => "2007-03-11T15:30:47","version" => "1.82_02"},{"date" => "2007-03-12T22:00:28","version" => "1.82_03"},{"date" => "2007-04-27T20:08:58","version" => "1.82_04"},{"date" => "2007-05-14T09:03:50","version" => "1.82_05"},{"date" => "2007-05-25T11:28:49","version" => "1.83"},{"date" => "2007-08-03T21:02:51","version" => "1.83_01"},{"date" => "2007-10-02T12:53:28","version" => "1.84"},{"date" => "2007-11-26T22:09:17","version" => "1.84_01"},{"date" => "2007-12-21T22:28:51","version" => "1.85"},{"date" => "2008-01-24T15:00:36","version" => "1.85_01"},{"date" => "2008-02-01T12:14:19","version" => "1.86"},{"date" => "2008-06-20T09:48:31","version" => "1.86_01"},{"date" => "2008-06-27T20:54:45","version" => "1.86_02"},{"date" => "2008-08-03T11:34:12","version" => "1.86_03"},{"date" => "2008-08-08T09:28:24","version" => "1.87"},{"date" => "2008-12-20T21:04:01","version" => "1.88"},{"date" => "2010-09-21T22:56:17","version" => "1.89"},{"date" => "2013-01-27T13:38:31","version" => "1.90"},{"date" => "2014-01-06T22:44:40","version" => "1.91"},{"date" => "2014-03-08T23:03:33","version" => "1.92"},{"date" => "2014-04-12T19:35:25","version" => "1.93"},{"date" => "2020-09-18T22:00:45","version" => "1.94"}]},"Apache-Session-Browseable" => {"advisories" => [{"affected_versions" => ["<1.3.6"],"cves" => ["CVE-2020-36659"],"description" => "In Apache::Session::Browseable before 1.3.6, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is used. 
NOTE: this can, for example, be fixed in conjunction with the CVE-2020-16093 fix.\n","distribution" => "Apache-Session-Browseable","fixed_versions" => [">=1.3.6"],"id" => "CPANSA-Apache-Session-Browseable-2020-36659","references" => ["https://github.com/LemonLDAPNG/Apache-Session-Browseable/commit/fdf393235140b293cae5578ef136055a78f3574f","https://lists.debian.org/debian-lts-announce/2023/01/msg00025.html"],"reported" => "2023-01-27","severity" => undef}],"main_module" => "Apache::Session::Browseable","versions" => [{"date" => "2009-10-31T08:09:42","version" => "0.1"},{"date" => "2009-11-01T09:10:13","version" => "0.2"},{"date" => "2009-11-01T16:21:16","version" => "0.3"},{"date" => "2010-08-16T15:26:19","version" => "0.4"},{"date" => "2010-12-06T21:08:25","version" => "0.5"},{"date" => "2010-12-08T15:45:21","version" => "0.6"},{"date" => "2012-06-24T07:14:37","version" => "0.7"},{"date" => "2012-10-13T16:15:41","version" => "0.8"},{"date" => "2013-02-28T06:05:09","version" => "0.9"},{"date" => "2013-08-28T04:42:23","version" => "1.0"},{"date" => "2013-08-30T04:47:02","version" => "1.0"},{"date" => "2013-10-20T05:39:14","version" => "v1.0.2"},{"date" => "2015-06-12T15:56:45","version" => "1.1"},{"date" => "2016-03-09T05:31:13","version" => "1.2"},{"date" => "2016-03-10T06:30:41","version" => "v1.2.1"},{"date" => "2016-04-01T11:34:51","version" => "v1.2.2"},{"date" => "2016-06-07T13:59:19","version" => "v1.2.3"},{"date" => "2017-02-19T07:34:18","version" => "v1.2.4"},{"date" => "2017-04-04T05:18:26","version" => "v1.2.5"},{"date" => "2017-09-12T09:35:30","version" => "v1.2.5"},{"date" => "2017-10-03T05:00:07","version" => "v1.2.7"},{"date" => "2017-10-03T10:42:35","version" => "v1.2.8"},{"date" => "2019-02-08T06:29:20","version" => "v1.2.9"},{"date" => "2019-02-08T09:31:22","version" => "v1.3.0"},{"date" => "2019-05-04T10:55:48","version" => "v1.3.1"},{"date" => "2019-07-04T18:30:30","version" => "v1.3.2"},{"date" => "2019-09-19T20:44:43","version" => 
"v1.3.3"},{"date" => "2019-11-20T19:43:04","version" => "v1.3.4"},{"date" => "2020-01-21T10:20:26","version" => "v1.3.5"},{"date" => "2020-09-04T13:23:31","version" => "v1.3.6"},{"date" => "2020-09-04T13:39:40","version" => "v1.3.7"},{"date" => "2020-09-06T21:03:06","version" => "v1.3.8"},{"date" => "2021-08-10T04:44:06","version" => "v1.3.9"},{"date" => "2022-03-08T13:51:31","version" => "v1.3.10"},{"date" => "2022-09-26T16:41:24","version" => "v1.3.11"},{"date" => "2023-07-06T10:43:25","version" => "v1.3.12"},{"date" => "2023-07-06T11:38:32","version" => "v1.3.13"},{"date" => "2024-12-19T07:59:19","version" => "v1.3.13"},{"date" => "2025-04-10T19:24:48","version" => "v1.3.15"},{"date" => "2025-04-12T10:31:56","version" => "v1.3.16"},{"date" => "2025-06-18T12:49:41","version" => "v1.3.17"},{"date" => "2025-09-23T10:46:46","version" => "v1.3.18"}]},"Apache-Session-LDAP" => {"advisories" => [{"affected_versions" => ["<0.5"],"cves" => ["CVE-2020-36658"],"description" => "In Apache::Session::LDAP before 0.5, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is used. 
NOTE: this can, for example, be fixed in conjunction with the CVE-2020-16093 fix.\n","distribution" => "Apache-Session-LDAP","fixed_versions" => [">=0.5"],"id" => "CPANSA-Apache-Session-LDAP-2020-36658","references" => ["https://github.com/LemonLDAPNG/Apache-Session-LDAP/commit/490722b71eed1ed1ab33d58c78578f23e043561f","https://lists.debian.org/debian-lts-announce/2023/01/msg00024.html"],"reported" => "2023-01-27","severity" => undef}],"main_module" => "Apache::Session::LDAP","versions" => [{"date" => "2009-04-18T17:09:10","version" => "0.01"},{"date" => "2009-04-18T19:43:50","version" => "0.02"},{"date" => "2010-12-08T15:30:51","version" => "0.1"},{"date" => "2012-06-26T04:22:47","version" => "0.2"},{"date" => "2014-10-24T12:21:07","version" => "0.2"},{"date" => "2015-06-12T15:47:40","version" => "0.4"},{"date" => "2020-09-06T13:13:20","version" => "0.2"}]},"Apache-SessionX" => {"advisories" => [{"affected_versions" => [">0"],"cves" => ["CVE-2025-40932"],"description" => "Apache::SessionX versions through 2.01 for Perl create insecure session id. Apache::SessionX generates session ids insecurely. The default session id generator in Apache::SessionX::Generate::MD5 returns a MD5 hash seeded with the built-in rand() function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. 
Predicable session ids could allow an attacker to gain access to systems.","distribution" => "Apache-SessionX","fixed_versions" => [],"id" => "CPANSA-Apache-SessionX-2005-01","references" => ["https://metacpan.org/release/GRICHTER/Apache-SessionX-2.01/source/SessionX/Generate/MD5.pm#L29","https://metacpan.org/changes/distribution/Apache-SessionX"],"reported" => "2005-11-15","severity" => undef}],"main_module" => "Apache::SessionX","versions" => [{"date" => "2001-11-20T15:36:53","version" => "2.00"},{"date" => "2003-03-02T14:18:57","version" => "2.00"},{"date" => "2005-11-15T05:21:49","version" => "2.01"}]},"Apache-Wyrd" => {"advisories" => [{"affected_versions" => ["<0.97"],"cves" => [],"description" => "User-submitted data cab be executed if it is displayed on a page, if the data contains a string that can be interpreted as a Wyrd.\n","distribution" => "Apache-Wyrd","fixed_versions" => [">=0.97"],"id" => "CPANSA-Apache-Wyrd-2008-01","references" => ["https://metacpan.org/dist/Apache-Wyrd/changes"],"reported" => "2008-04-14","severity" => undef}],"main_module" => "Apache::Wyrd","versions" => [{"date" => "2004-03-17T21:36:52","version" => "0.8"},{"date" => "2004-03-18T22:52:04","version" => "0.81"},{"date" => "2004-03-25T23:52:49","version" => "0.82"},{"date" => "2004-08-19T15:42:55","version" => "0.83"},{"date" => "2004-09-03T19:44:01","version" => "0.84"},{"date" => "2004-09-22T16:08:23","version" => "0.85"},{"date" => "2004-09-23T02:04:43","version" => "0.86"},{"date" => "2004-10-31T20:59:42","version" => "0.87"},{"date" => "2004-12-16T20:56:33","version" => "0.90"},{"date" => "2005-01-09T21:52:49","version" => "0.91"},{"date" => "2005-01-13T17:42:18","version" => "0.92"},{"date" => "2005-03-25T21:22:56","version" => "0.93"},{"date" => "2006-10-22T22:57:04","version" => "0.94"},{"date" => "2007-04-30T23:02:05","version" => "0.95"},{"date" => "2007-05-01T15:20:02","version" => "0.96"},{"date" => "2008-04-14T18:49:14","version" => "0.97"},{"date" => 
"2008-04-15T21:32:47","version" => "0.98"}]},"Apache2-AuthAny" => {"advisories" => [{"affected_versions" => [">0"],"cves" => ["CVE-2025-40933"],"description" => "Apache::AuthAny::Cookie v0.201 or earlier for Perl generates session ids insecurely. Session ids are generated using an MD5 hash of the epoch time and a call to the built-in rand function. The epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems.","distribution" => "Apache2-AuthAny","fixed_versions" => [],"id" => "CPANSA-Apache2-AuthAny-2025-40933","references" => ["https://metacpan.org/release/KGOLDOV/Apache2-AuthAny-0.201/source/lib/Apache2/AuthAny/Cookie.pm"],"reported" => "2025-09-17","severity" => undef}],"main_module" => "Apache2::AuthAny","versions" => [{"date" => "2011-05-09T22:32:29","version" => "0.20"},{"date" => "2011-05-16T18:32:03","version" => "0.201"}]},"App-Context" => {"advisories" => [{"affected_versions" => [">=0.01,<=0.968"],"cves" => ["CVE-2012-6141"],"description" => "The App::Context module 0.01 through 0.968 for Perl does not properly use the Storable::thaw function, which allows remote attackers to execute arbitrary code via a crafted request to (1) App::Session::Cookie or (2) App::Session::HTMLHidden, which is not properly handled when it is deserialized.\n","distribution" => "App-Context","fixed_versions" => [">0.968"],"id" => "CPANSA-App-Context-2012-6141","references" => ["http://seclists.org/oss-sec/2013/q2/318","https://exchange.xforce.ibmcloud.com/vulnerabilities/84198"],"reported" => "2014-06-04","severity" => undef}],"main_module" => "App::Context","versions" => [{"date" => "2002-10-10T21:31:39","version" => "0.01"},{"date" => "2004-09-02T21:17:44","version" => "0.90"},{"date" => "2005-01-07T14:02:06","version" => "0.93"},{"date" => "2005-08-09T20:05:02","version" => "0.95"},{"date" => 
"2006-03-10T04:24:13","version" => "0.96"},{"date" => "2006-03-12T01:30:11","version" => "0.962"},{"date" => "2006-07-25T02:30:21","version" => "0.963"},{"date" => "2006-09-04T19:41:12","version" => "0.964"},{"date" => "2007-04-17T13:33:24","version" => "0.965"},{"date" => "2008-02-27T03:13:41","version" => "0.966"},{"date" => "2008-02-27T14:19:23","version" => "0.9661"},{"date" => "2009-09-11T14:31:52","version" => "0.967"},{"date" => "2010-06-09T21:33:19","version" => "0.968"}]},"App-Genpass" => {"advisories" => [{"affected_versions" => ["<0.2400"],"cves" => [],"description" => "App-genpass before v0.2400 generated passwords using build in rand()\n","distribution" => "App-Genpass","fixed_versions" => [">=0.2400"],"id" => "CPANSA-App-Genpass-2024-001","references" => ["https://metacpan.org/dist/App-Genpass/changes","https://github.com/xsawyerx/app-genpass/pull/5","https://github.com/briandfoy/cpan-security-advisory/issues/178"],"reported" => undef,"severity" => undef}],"main_module" => "App::Genpass","versions" => [{"date" => "2009-12-14T22:15:31","version" => "0.03"},{"date" => "2010-01-01T18:06:50","version" => "0.04"},{"date" => "2010-01-02T07:45:49","version" => "0.05"},{"date" => "2010-05-28T21:46:01","version" => "0.06"},{"date" => "2010-05-29T21:37:11","version" => "0.07"},{"date" => "2010-05-30T08:35:54","version" => "0.08"},{"date" => "2010-05-31T18:39:55","version" => "0.09"},{"date" => "2010-06-07T10:16:54","version" => "0.10"},{"date" => "2010-07-16T21:15:53","version" => "0.11"},{"date" => "2010-07-16T22:36:16","version" => "1.00"},{"date" => "2010-07-18T15:20:18","version" => "1.01"},{"date" => "2011-02-17T10:52:08","version" => "2.00"},{"date" => "2011-03-10T12:26:49","version" => "2.01"},{"date" => "2011-08-03T11:58:46","version" => "2.02"},{"date" => "2011-08-03T16:05:37","version" => "2.03"},{"date" => "2011-08-06T07:36:59","version" => "2.04"},{"date" => "2011-08-08T12:51:57","version" => "2.10"},{"date" => "2011-11-27T17:45:15","version" => 
"2.20"},{"date" => "2012-03-26T19:55:19","version" => "2.30"},{"date" => "2012-06-26T08:16:36","version" => "2.31"},{"date" => "2012-06-30T23:12:23","version" => "2.32"},{"date" => "2012-11-20T08:48:46","version" => "2.33"},{"date" => "2014-08-04T20:00:26","version" => "2.34"},{"date" => "2016-10-12T08:56:56","version" => "2.400"},{"date" => "2016-10-14T21:27:13","version" => "2.401"}]},"App-Github-Email" => {"advisories" => [{"affected_versions" => ["<0.3.3"],"cves" => ["CVE-2015-7686"],"description" => "Insecure dependency on Email::Address.\n","distribution" => "App-Github-Email","fixed_versions" => [">=0.3.3"],"id" => "CPANSA-App-Github-Email-2018-01","references" => ["https://metacpan.org/changes/distribution/App-Github-Email","https://github.com/faraco/App-Github-Email/commit/b7f052280d1c8ae97bdefc106ca3cbba4aea7213"],"reported" => "2018-01-20"}],"main_module" => "App::Github::Email","versions" => [{"date" => "2017-01-16T08:03:02","version" => "0.0.1"},{"date" => "2017-01-16T12:56:51","version" => "0.0.2"},{"date" => "2017-01-16T17:38:16","version" => "0.0.3"},{"date" => "2017-03-11T10:45:23","version" => "0.0.4"},{"date" => "2017-04-05T11:19:02","version" => "0.0.5"},{"date" => "2017-04-15T17:35:18","version" => "0.0.6"},{"date" => "2017-05-19T05:05:24","version" => "0.0.7"},{"date" => "2017-12-18T14:11:19","version" => "0.1.0"},{"date" => "2017-12-21T08:24:12","version" => "0.1.1"},{"date" => "2018-01-15T03:18:05","version" => "0.2.0"},{"date" => "2018-01-20T12:55:34","version" => "0.2.1"},{"date" => "2018-08-30T16:07:18","version" => "0.3.1"},{"date" => "2018-08-30T16:13:54","version" => "0.3.2"},{"date" => "2018-08-31T03:49:31","version" => "0.3.3"}]},"App-Netdisco" => {"advisories" => [{"affected_versions" => [">=2.001000_001,<=2.007000_001"],"cves" => ["CVE-2020-11022"],"description" => "In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation 
methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.\n","distribution" => "App-Netdisco","fixed_versions" => [],"id" => "CPANSA-App-Netdisco-2020-11022-jquery","references" => ["https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2","https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/","https://jquery.com/upgrade-guide/3.5/","https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77","https://security.netapp.com/advisory/ntap-20200511-0006/","https://www.drupal.org/sa-core-2020-002","https://www.debian.org/security/2020/dsa-4693","https://lists.fedoraproject.org/archives/list/package-announce\@lists.fedoraproject.org/message/VOE7P7APPRQKD4FGNHBKJPDY6FFCOH3W/","https://lists.fedoraproject.org/archives/list/package-announce\@lists.fedoraproject.org/message/QPN2L2XVQGUA2V5HNQJWHK3APSK3VN7K/","https://www.oracle.com/security-alerts/cpujul2020.html","http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html","https://security.gentoo.org/glsa/202007-03","http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html","https://lists.apache.org/thread.html/rdf44341677cf7eec7e9aa96dcf3f37ed709544863d619cca8c36f133\@%3Ccommits.airflow.apache.org%3E","https://lists.fedoraproject.org/archives/list/package-announce\@lists.fedoraproject.org/message/AVKYXLWCLZBV2N7M46KYK4LVA5OXWPBY/","https://lists.fedoraproject.org/archives/list/package-announce\@lists.fedoraproject.org/message/SFP4UK4EGP4AFH2MWYJ5A5Z4I7XVFQ6B/","https://lists.fedoraproject.org/archives/list/package-announce\@lists.fedoraproject.org/message/SAPQVX3XDNPGFT26QAQ6AJIXZZBZ4CD4/","https://www.oracle.com/security-alerts/cpuoct2020.html","https://lists.apache.org/thread.html/rbb448222ba62c430e21e13f940be4cb5cfc373cd3bce56b48c0ffa67\@%3Cdev.flink.apache.org%3E","https://lists.apache.org/thread.html/r706cfbc098420f7113968cc377247ec3d1439bce42e679c11c609e2d\@%3Cissues.flink.apache.org%3
E","http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00039.html","https://lists.apache.org/thread.html/r49ce4243b4738dd763caeb27fa8ad6afb426ae3e8c011ff00b8b1f48\@%3Cissues.flink.apache.org%3E","https://www.tenable.com/security/tns-2020-10","https://www.tenable.com/security/tns-2020-11","https://www.oracle.com/security-alerts/cpujan2021.html","https://lists.apache.org/thread.html/r8f70b0f65d6bedf316ecd899371fd89e65333bc988f6326d2956735c\@%3Cissues.flink.apache.org%3E","https://lists.apache.org/thread.html/r564585d97bc069137e64f521e68ba490c7c9c5b342df5d73c49a0760\@%3Cissues.flink.apache.org%3E","https://www.tenable.com/security/tns-2021-02","https://lists.debian.org/debian-lts-announce/2021/03/msg00033.html","http://packetstormsecurity.com/files/162159/jQuery-1.2-Cross-Site-Scripting.html","https://lists.apache.org/thread.html/ree3bd8ddb23df5fa4e372d11c226830ea3650056b1059f3965b3fce2\@%3Cissues.flink.apache.org%3E","https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68c17f2b4eabeaae5e4\@%3Cissues.flink.apache.org%3E","https://lists.apache.org/thread.html/re4ae96fa5c1a2fe71ccbb7b7ac1538bd0cb677be270a2bf6e2f8d108\@%3Cissues.flink.apache.org%3E","https://lists.apache.org/thread.html/r54565a8f025c7c4f305355fdfd75b68eca442eebdb5f31c2e7d977ae\@%3Cissues.flink.apache.org%3E","https://www.tenable.com/security/tns-2021-10","https://www.oracle.com/security-alerts/cpuApr2021.html","https://www.oracle.com//security-alerts/cpujul2021.html","https://www.oracle.com/security-alerts/cpuoct2021.html","https://lists.apache.org/thread.html/r0483ba0072783c2e1bfea613984bfb3c86e73ba8879d780dc1cc7d36\@%3Cissues.flink.apache.org%3E","https://www.oracle.com/security-alerts/cpujan2022.html","https://www.oracle.com/security-alerts/cpuapr2022.html"],"reported" => "2020-04-29","severity" => "medium"},{"affected_versions" => [">=2.001000_001,<=2.007000_001"],"cves" => ["CVE-2020-11023"],"description" => "In jQuery versions greater than or equal to 1.0.3 and 
before 3.5.0, passing HTML containing