Add Rx validation, and fix lots of incosistencies

briandfoy · Feb 17, 2024 · 4cd010b · 4cd010b
1 parent 9bf646d
commit 4cd010b
Show file tree

Hide file tree

Showing 15 changed files with 264 additions and 114 deletions.
diff --git a/cpansa/CPANSA-Cpanel-JSON-XS.yml b/cpansa/CPANSA-Cpanel-JSON-XS.yml
@@ -29,7 +29,6 @@ advisories:
   description: |
     Wrong error messages/sometimes crashes or endless loops with invalid JSON in relaxed mode
   fixed_versions: '>=4.033'
-  github_advisory_database: https://github.com/advisories/GHSA-44qr-8pf6-6q33
   github_security_advisory:
   - GHSA-44qr-8pf6-6q33
   id: CPANSA-Cpanel-JSON-XS-2023-01

diff --git a/cpansa/CPANSA-DBD-SQLite.yml b/cpansa/CPANSA-DBD-SQLite.yml
@@ -697,9 +697,7 @@ advisories:
   - https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
   reported: 2018-03-17
   severity: high
-- affected_versions:
-  - =1.55_06
-  - <=1.55_03
+- affected_versions: "=1.55_06,<=1.55_03"
   cves:
   - CVE-2017-10989
   description: |

diff --git a/cpansa/CPANSA-Encode.yml b/cpansa/CPANSA-Encode.yml
@@ -58,8 +58,6 @@ advisories:
   - http://search.cpan.org/~flora/perl-5.14.2/pod/perldelta.pod#Encode_decode_xs_n-byte_heap-overflow_(CVE-2011-2939)
   reported: 2012-01-13
   severity: ~
-  x-commit: 'Encode CVE-2011-2939 GitHub #13'
-  x-file: cpansa/CPANSA-Encode.yml
 cpansa_version: 2
 distribution: Encode
 last_checked: 1708150846

diff --git a/cpansa/CPANSA-File-Path.yml b/cpansa/CPANSA-File-Path.yml
@@ -46,9 +46,7 @@ advisories:
   - http://www.securityfocus.com/archive/1/500210/100/0/threaded
   reported: 2008-12-01
   severity: ~
-- affected_versions:
-  - =1.08
-  - =2.07
+- affected_versions: "=1.08,=2.07"
   cves:
   - CVE-2008-5302
   description: |

diff --git a/cpansa/CPANSA-HTTP-Daemon.yml b/cpansa/CPANSA-HTTP-Daemon.yml
@@ -6,8 +6,7 @@ advisories:
   description: |
     HTTP::Daemon is a simple http server class written in perl. Versions prior to 6.15 are subject to a vulnerability which could potentially be exploited to gain privileged access to APIs or poison intermediate caches. It is uncertain how large the risks are, most Perl based applications are served on top of Nginx or Apache, not on the `HTTP::Daemon`. This library is commonly used for local development and tests. Users are advised to update to resolve this issue. Users unable to upgrade may add additional request handling logic as a mitigation. After calling `my $rqst = $conn->get_request()` one could inspect the returned `HTTP::Request` object. Querying the 'Content-Length' (`my $cl = $rqst->header('Content-Length')`) will show any abnormalities that should be dealt with by a `400` response. Expected strings of 'Content-Length' SHOULD consist of either a single non-negative integer, or, a comma separated repetition of that number. (that is `42` or `42, 42, 42`). Anything else MUST be rejected.
   fixed_versions: '>=6.15'
-  github_security_advisory:
-  - ''
+  github_security_advisory: []
   id: CPANSA-HTTP-Daemon-2022-31081
   references:
   - https://github.com/libwww-perl/HTTP-Daemon/commit/e84475de51d6fd7b29354a997413472a99db70b2

diff --git a/cpansa/CPANSA-IPC-Run.yml b/cpansa/CPANSA-IPC-Run.yml
@@ -1,9 +1,6 @@
 ---
 advisories:
-- affected_versions:
-  - <0.90
-  - =0.90_01
-  - =0.90_02
+- affected_versions: "<0.90,=0.90_01,=0.90_02"
   cves: []
   description: |
     INADDR_ANY can be your external ip, IPC::Run should only listen on localhost.

diff --git a/cpansa/CPANSA-MDK-Common.yml b/cpansa/CPANSA-MDK-Common.yml
@@ -1,9 +1,6 @@
 ---
 advisories:
-- affected_versions:
-  - =1.1.11
-  - =1.1.24
-  - '>=1.2.9,<=1.2.14'
+- affected_versions: '=1.1.11,=1.1.24,>=1.2.9,<=1.2.14'
   cves:
   - CVE-2009-0912
   description: |

diff --git a/cpansa/CPANSA-MT.yml b/cpansa/CPANSA-MT.yml
@@ -16,17 +16,12 @@ advisories:
   - http://www.sec-1.com/blog/?p=402
   reported: 2013-01-23
   severity: ~
-- affected_versions:
-  - '>=7,<=7.9.4'
-  - '>=6,<=6.8.6'
-  - '>=4,<=5'
+- affected_versions: '>=7,<=7.9.4,>=6,<=6.8.6,>=4,<=5'
   cves:
   - CVE-2022-38078
   description: |
     Movable Type XMLRPC API provided by Six Apart Ltd. contains a command injection vulnerability. Sending a specially crafted message by POST method to Movable Type XMLRPC API may allow arbitrary Perl script execution, and an arbitrary OS command may be executed through it. Affected products and versions are as follows: Movable Type 7 r.5202 and earlier, Movable Type Advanced 7 r.5202 and earlier, Movable Type 6.8.6 and earlier, Movable Type Advanced 6.8.6 and earlier, Movable Type Premium 1.52 and earlier, and Movable Type Premium Advanced 1.52 and earlier. Note that all versions of Movable Type 4.0 or later including unsupported (End-of-Life, EOL) versions are also affected by this vulnerability.
-  fixed_versions:
-  - 7.9.5
-  - 6.8.7
+  fixed_versions: '7.9.5,6.8.7'
   github_security_advisory:
   - GHSA-f342-4q2c-v2q2
   id: CPANSA-MT-2022-38078
@@ -35,10 +30,7 @@ advisories:
   - https://jvn.jp/en/jp/JVN57728859/index.html
   reported: 2022-08-24
   severity: critical
-- affected_versions:
-  - '>=7,<=7.8.1'
-  - '>=6,<=6.8.2'
-  - <6
+- affected_versions: '>=7,<=7.8.1,>=6,<=6.8.2,<6'
   cves:
   - CVE-2021-20837
   description: |
@@ -54,8 +46,7 @@ advisories:
   - http://packetstormsecurity.com/files/164705/Movable-Type-7-r.5002-XMLRPC-API-Remote-Command-Injection.html
   reported: 2021-10-26
   severity: critical
-- affected_versions:
-  - '>=7,<7.8.0'
+- affected_versions: '>=7,<7.8.0'
   cves:
   - CVE-2021-20814
   description: |
@@ -69,8 +60,7 @@ advisories:
   - https://jvn.jp/en/jp/JVN97545738/index.html
   reported: 2021-08-26
   severity: medium
-- affected_versions:
-  - '>=7,<7.8.0'
+- affected_versions: '>=7,<7.8.0'
   cves:
   - CVE-2021-20813
   description: |
@@ -84,9 +74,7 @@ advisories:
   - https://jvn.jp/en/jp/JVN97545738/index.html
   reported: 2021-08-26
   severity: medium
-- affected_versions:
-  - '>=7,<7.8.0'
-  - '>=6,<=6.8.0'
+- affected_versions: '>=7,<7.8.0,>=6,<=6.8.0'
   cves:
   - CVE-2021-20815
   description: |
@@ -100,9 +88,7 @@ advisories:
   - https://jvn.jp/en/jp/JVN97545738/index.html
   reported: 2021-08-26
   severity: medium
-- affected_versions:
-  - '>=7,<7.8.0'
-  - '>=6,<=6.8.0'
+- affected_versions: '>=7,<7.8.0,>=6,<=6.8.0'
   cves:
   - CVE-2021-20811
   description: |
@@ -116,9 +102,7 @@ advisories:
   - https://jvn.jp/en/jp/JVN97545738/index.html
   reported: 2021-08-26
   severity: medium
-- affected_versions:
-  - '>=7,<7.8.0'
-  - '>=6,<=6.8.0'
+- affected_versions: '>=7,<7.8.0,>=6,<=6.8.0'
   cves:
   - CVE-2021-20810
   description: |
@@ -132,9 +116,7 @@ advisories:
   - https://jvn.jp/en/jp/JVN97545738/index.html
   reported: 2021-08-26
   severity: medium
-- affected_versions:
-  - '>=7,<7.8.0'
-  - '>=6,<=6.8.0'
+- affected_versions: '>=7,<7.8.0,>=6,<=6.8.0'
   cves:
   - CVE-2021-20809
   description: |
@@ -148,9 +130,7 @@ advisories:
   - https://jvn.jp/en/jp/JVN97545738/index.html
   reported: 2021-08-26
   severity: medium
-- affected_versions:
-  - '>=7,<7.8.0'
-  - '>=6,<=6.8.0'
+- affected_versions: '>=7,<7.8.0,>=6,<=6.8.0'
   cves:
   - CVE-2021-20808
   description: |
@@ -178,9 +158,7 @@ advisories:
   - https://jvn.jp/en/jp/JVN94245475/index.html
   reported: 2021-10-26
   severity: medium
-- affected_versions:
-  - '>=7,<7.2.1'
-  - '>=6,<=6.5.3'
+- affected_versions: '>=7,<7.2.1,>=6,<=6.5.3'
   cves:
   - CVE-2020-5577
   description: |
@@ -194,9 +172,7 @@ advisories:
   - https://movabletype.org/news/2020/05/mt-730-660-6312-released.html
   reported: 2020-05-14
   severity: high
-- affected_versions:
-  - '>=7,<7.2.1'
-  - '>=6,<=6.5.3'
+- affected_versions: '>=7,<7.2.1,>=6,<=6.5.3'
   cves:
   - CVE-2020-5576
   description: |
@@ -210,9 +186,7 @@ advisories:
   - https://movabletype.org/news/2020/05/mt-730-660-6312-released.html
   reported: 2020-05-14
   severity: high
-- affected_versions:
-  - '>=7,<7.2.1'
-  - '>=6,<=6.5.3'
+- affected_versions: '>=7,<7.2.1,>=6,<=6.5.3'
   cves:
   - CVE-2020-5575
   description: |
@@ -226,9 +200,7 @@ advisories:
   - https://movabletype.org/news/2020/05/mt-730-660-6312-released.html
   reported: 2020-05-14
   severity: medium
-- affected_versions:
-  - '>=7,<7.2.1'
-  - '>=6,<=6.5.3'
+- affected_versions: '>=7,<7.2.1,>=6,<=6.5.3'
   cves:
   - CVE-2020-5574
   description: |
@@ -242,9 +214,7 @@ advisories:
   - https://movabletype.org/news/2020/05/mt-730-660-6312-released.html
   reported: 2020-05-14
   severity: medium
-- affected_versions:
-  - '>=7,<7.1.4'
-  - '>=6,<=6.5.2'
+- affected_versions: '>=7,<7.1.4,>=6,<=6.5.2'
   cves:
   - CVE-2020-5528
   description: |
@@ -258,10 +228,7 @@ advisories:
   - http://jvn.jp/en/jp/JVN94435544/index.html
   reported: 2020-02-06
   severity: medium
-- affected_versions:
-  - '>=7,<7.1.3'
-  - '>=6.5.0,<=6.5.1'
-  - '>=6,<=6.3.9'
+- affected_versions: '>=7,<7.1.3,>=6.5.0,<=6.5.1,>=6,<=6.3.9'
   cves:
   - CVE-2019-6025
   description: |
@@ -288,10 +255,7 @@ advisories:
   - http://jvn.jp/en/jp/JVN89550319/index.html
   reported: 2018-09-04
   severity: medium
-- affected_versions:
-  - '>=6.0.0,<6.1.3'
-  - '>=6.2.0,<6.2.6'
-  - <5.2.13
+- affected_versions: '>=6.0.0,<6.1.3,>=6.2.0,<6.2.6,<5.2.13'
   cves:
   - CVE-2016-5742
   description: |
@@ -308,9 +272,7 @@ advisories:
   - http://www.securitytracker.com/id/1036160
   reported: 2017-01-23
   severity: critical
-- affected_versions:
-  - <5.2.12
-  - '>=6.0.0,<=6.0.7'
+- affected_versions: '<5.2.12,>=6.0.0,<=6.0.7'
   cves:
   - CVE-2015-1592
   description: |
@@ -329,10 +291,7 @@ advisories:
   - https://exchange.xforce.ibmcloud.com/vulnerabilities/100912
   reported: 2015-02-19
   severity: ~
-- affected_versions:
-  - <5.18
-  - '>=5.2.0,<5.2.11'
-  - '>=6,<6.0.6'
+- affected_versions: '<5.18,>=5.2.0,<5.2.11,>=6,<6.0.6'
   cves:
   - CVE-2014-9057
   description: |
@@ -364,8 +323,7 @@ advisories:
   - http://seclists.org/oss-sec/2013/q2/560
   reported: 2015-03-27
   severity: ~
-- affected_versions:
-  - '>=4.20,<4.38'
+- affected_versions: '>=4.20,<4.38'
   cves:
   - CVE-2013-0209
   description: |
@@ -399,10 +357,7 @@ advisories:
   - https://exchange.xforce.ibmcloud.com/vulnerabilities/79521
   reported: 2014-08-29
   severity: ~
-- affected_versions:
-  - <4.38
-  - '>=5,<5.07'
-  - '>=5.10,<5.13'
+- affected_versions: '<4.38,>=5,<5.07,>=5.10,<5.13'
   cves:
   - CVE-2012-0320
   description: |
@@ -421,10 +376,7 @@ advisories:
   - http://www.debian.org/security/2012/dsa-2423
   reported: 2012-03-03
   severity: ~
-- affected_versions:
-  - <4.38
-  - '>=5,<5.07'
-  - '>=5.10,<5.13'
+- affected_versions: '<4.38,>=5,<5.07,>=5.10,<5.13'
   cves:
   - CVE-2012-0317
   description: |
@@ -443,9 +395,7 @@ advisories:
   - http://www.debian.org/security/2012/dsa-2423
   reported: 2012-03-03
   severity: ~
-- affected_versions:
-  - '>=4,<4.36'
-  - '>=5,<5.05'
+- affected_versions: '>=4,<4.36,>=5,<5.05'
   cves:
   - CVE-2011-5085
   description: |
@@ -459,9 +409,7 @@ advisories:
   - http://www.debian.org/security/2012/dsa-2423
   reported: 2012-04-02
   severity: ~
-- affected_versions:
-  - '>=4,<4.36'
-  - '>=5,<5.05'
+- affected_versions: '>=4,<4.36,>=5,<5.05'
   cves:
   - CVE-2011-5084
   description: |
@@ -571,9 +519,7 @@ advisories:
   - http://jvn.jp/en/jp/JVN45658190/index.html
   reported: 2009-01-05
   severity: ~
-- affected_versions:
-  - '>=3,<=3.38'
-  - '>=4,<4.23'
+- affected_versions: '>=3,<=3.38,>=4,<4.23'
   cves:
   - CVE-2008-5808
   description: |

diff --git a/cpansa/CPANSA-Net-Dropbear.yml b/cpansa/CPANSA-Net-Dropbear.yml
@@ -1,7 +1,7 @@
 ---
 advisories:
-- affected_versions: <0
-  comments: |
+- affected_versions: '<0'
+  comment: |
     From the author: "I have reviewed Dropbear's usage of libtomcrypt, and the function in question for CVE-2019-17362, der_decode_utf8_string, is not used in Dropbear. None of the DER parsing from libtomcrypt is used in Dropbear at all, I have confirmed that the flag to include it is not set, and confirmed that the resultant Dropbear.so that is built by Net::Dropbear does not include any of the der_* symbols."
   cves:
   - CVE-2019-17362

diff --git a/cpansa/CPANSA-Net-LDAPS.yml b/cpansa/CPANSA-Net-LDAPS.yml
@@ -9,7 +9,6 @@ advisories:
   github_security_advisory:
   - GHSA-9c48-27fx-7952
   id: CPANSA-Net-LDAPS-2020-16093
-  main_module: Net::LDAP
   references:
   - https://lemonldap-ng.org/download
   - https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2250
@@ -22,3 +21,4 @@ last_checked: 1708150860
 latest_version: '0.68'
 metacpan: https://metacpan.org/pod/perl::ldap
 repo: git://github.com/perl-ldap/perl-ldap.git
+main_module: Net::LDAP
diff --git a/cpansa/CPANSA-Plack-Middleware-XSRFBlock.yml b/cpansa/CPANSA-Plack-Middleware-XSRFBlock.yml
@@ -15,10 +15,10 @@ advisories:
   - https://nvd.nist.gov/vuln/detail/CVE-2023-52431
   reported: 2023-07-14
   severity: ~
-  url: ~
 cpansa_version: 2
 distribution: Plack-Middleware-XSRFBlock
 last_checked: 1708150864
 latest_version: 0.0.19
 metacpan: https://metacpan.org/pod/Plack::Middleware::XSRFBlock
 repo: git://github.com/chiselwright/plack-middleware-xsrfblock.git
+url: ~
diff --git a/cpansa/CPANSA-Term-ReadLine-Gnu.yml b/cpansa/CPANSA-Term-ReadLine-Gnu.yml
@@ -1,7 +1,7 @@
 ---
 advisories:
 - affected_versions: <1.27
-  comments: |
+  comment: |
     The presense of affected versions of Term-ReadLine-Gnu suggests that a vulnerable version of the readline linrary is installed on the host system.
   cves:
   - CVE-2014-2524