$ cpan-audit installed
Collecting all installed modules. This can take a while...
Module-ScanDeps (have ==1.35) has 1 advisory
* CPANSA-Module-ScanDeps-2024-10224
Qualys discovered that if unsanitized input was used with the library Module::ScanDeps before version 1.36, a local attacker could possibly execute arbitrary shell commands by open()ing a "pesky pipe" (such as passing "commands|" as a filename) or by passing arbitrary strings to eval().
Affected range: <1.36
Fixed range: >=1.36
CVEs: CVE-2024-10224
References:
https://github.com/rschupp/Module-ScanDeps/security/advisories/GHSA-g597-359q-v529
https://www.cve.org/CVERecord?id=CVE-2024-10224
https://www.qualys.com/2024/11/19/needrestart/needrestart.txt
https://lists.debian.org/debian-lts-announce/2024/11/msg00015.html
https://ubuntu.com/security/CVE-2024-10224
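The two bug classes named in the advisory, as an added Perl example that is not Module::ScanDeps' own code: a string that reaches two-argument open() is parsed as a mode plus a path, so "id|" becomes a pipe from the command id; a string that reaches eval "..." is compiled and run as Perl. The hardened variants use three-argument open() with an explicit '<' mode and version->parse() inside a block eval. The $untrusted_* values are constructed; looks_like_pesky_name() is an illustrative pre-check, not a function from the module.

```perl
#!/usr/bin/env perl
# Added example (not Module::ScanDeps or cpan-audit code): why untrusted
# strings must never reach two-argument open() or string eval().
use strict;
use warnings;
use version;

# Two-argument open: the string is parsed as MODE + path, so "id|" opens a
# pipe *from* the command `id` and executes it.
sub read_file_unsafe {
    my ($name) = @_;
    open(my $fh, $name) or die "open $name: $!";     # pesky pipe
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Three-argument open with a fixed '<' mode: the string is only ever a path,
# so "id|" is a file literally named "id|" (which does not exist).
sub read_file_safe {
    my ($name) = @_;
    open(my $fh, '<', $name) or die "open $name: $!";
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Illustrative pre-check for the shapes two-argument open() treats specially.
sub looks_like_pesky_name {
    my ($name) = @_;
    return $name =~ /^\s*[<>+|]/        # leading mode characters or pipe-to
        || $name =~ /\|\s*$/           # trailing pipe-from
        || $name =~ /^\s*-\s*$/        # "-" alone means STDIN
        || $name =~ /\0/;              # NUL truncates the path in C
}

# eval STRING compiles and runs whatever it is handed: a "version" of
# "system('id')" executes, it is not parsed.
sub parse_version_unsafe {
    my ($str) = @_;
    return eval $str;                    # arbitrary code execution
}

# The version parser rejects anything that is not a version; the block eval
# only catches the die, it never compiles the input.
sub parse_version_safe {
    my ($str) = @_;
    my $v = eval { version->parse($str) };
    return defined $v ? $v->stringify : undef;   # undef on garbage
}

my $untrusted_name    = 'id|';            # constructed: pipe-from-command shape
my $untrusted_version = "system('id')";   # constructed: code, not a version

print "pesky name? ", (looks_like_pesky_name($untrusted_name) ? 'yes' : 'no'), "\n";
my $data = eval { read_file_safe($untrusted_name) };
print "safe open refused it: $@" if $@;

my $v = parse_version_safe($untrusted_version);
print "safe version parse: ", (defined $v ? $v : 'rejected'), "\n";
print "valid version: ", parse_version_safe('1.36'), "\n";

# Never call read_file_unsafe() or parse_version_unsafe() on these inputs:
# both would execute `id`.
```

The pre-check is a belt-and-braces measure for code that scans arbitrary files; the real fix is that no open() or eval() call site ever receives the raw string as its mode or its program text.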
Net-OAuth (have ==0.28) has 1 advisory
* CPANSA-Net-OAuth-2025-22376
In Net::OAuth::Client in the Net::OAuth package before 0.29 for Perl, the default nonce is a 32-bit integer generated from the built-in rand() function, which is not cryptographically strong.
Affected range: <0.29
Fixed range: >=0.29
CVEs: CVE-2025-22376
References:
https://metacpan.org/release/KGRENNAN/Net-OAuth-0.28/source/lib/Net/OAuth/Client.pm#L260
https://metacpan.org/release/RRWO/Net-OAuth-0.29/changes
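The weak default nonce shape from Net::OAuth::Client before 0.29 beside a CSPRNG-backed replacement, as an added Perl example that is not Net::OAuth's own code. It assumes a readable /dev/urandom device; the seed value is constructed. Upgrading to 0.29 is the fix; the lower-level Net::OAuth request constructors also accept a nonce parameter, so a caller can supply its own value rather than rely on the client default.

```perl
#!/usr/bin/env perl
# Added example (not Net::OAuth code): a 32-bit rand() nonce next to a
# nonce drawn from the kernel CSPRNG.
use strict;
use warnings;

# Before 0.29: one rand() call truncated to 32 bits. rand() is a PRNG whose
# entire output stream is fixed by its seed, so it is reproducible, and a
# 32-bit space is small enough to collide or brute-force.
sub weak_nonce {
    return int(rand(2**32));
}

# Replacement: bytes from the kernel CSPRNG via /dev/urandom (assumed to
# exist: Linux, BSD, macOS). 16 bytes is 128 bits, unguessable and
# collision-free for any realistic request volume.
sub strong_nonce {
    my $bytes = shift // 16;
    open(my $fh, '<:raw', '/dev/urandom') or die "open /dev/urandom: $!";
    my $got = read($fh, my $buf, $bytes);
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == $bytes;
    return unpack('H*', $buf);           # hex: safe as an OAuth parameter value
}

# Determinism demo: the same seed yields the same "nonce" every time, which
# is exactly what an attacker who can guess or observe the seed relies on.
srand(12345);                            # constructed seed
my $first = weak_nonce();
srand(12345);
my $again = weak_nonce();
printf "weak   : %u (reproducible: %s)\n", $first, $first == $again ? 'yes' : 'no';
printf "strong : %s\n", strong_nonce();
```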
Mozilla-CA (have ==20240313) has 1 advisory
* CPANSA-Mozilla-CA-2024-39689
The e-commerce monitoring GmbH (ECM) GLOBALTRUST 2020 root certificates have been distrusted.
Affected range: <20240730
Fixed range: >=20240730
CVEs: CVE-2024-39689
References:
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI
https://groups.google.com/a/ccadb.org/g/public/c/wRs-zec8w7k/m/G_9QprJ2AQAJ
https://github.com/certifi/python-certifi/security/advisories/GHSA-248v-346w-9cwc
https://github.com/certifi/python-certifi/commit/bd8153872e9c6fc98f4023df9c2deaffea2fa463
perl (have 5.040000) has 2 advisories
* CPANSA-perl-2024-56406
A heap buffer overflow vulnerability was discovered in Perl.
When there are non-ASCII bytes in the left-hand-side of the `tr` operator, `S_do_trans_invmap` can overflow the destination pointer `d`.
$ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;'
Segmentation fault (core dumped)
It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses.
Affected range: >0,<5.38.4
>=5.40.0,<5.40.2
Fixed range: >=5.40.2
>=5.38.4,<5.40.0
CVEs: CVE-2024-56406
References:
https://github.com/Perl/perl5/commit/87f42aa0e0096e9a346c9672aa3a0bd3bef8c1dd.patch
https://metacpan.org/release/SHAY/perl-5.38.4/changes
https://metacpan.org/release/SHAY/perl-5.40.2/changes
http://www.openwall.com/lists/oss-security/2025/04/13/3
http://www.openwall.com/lists/oss-security/2025/04/13/4
* CPANSA-perl-2025-40909
Perl threads have a working directory race condition where file operations may target unintended paths. If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, and that change is visible from any third (or later) thread already running. This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit. The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6.
Affected range: >=5.16.3,<5.38.5
>=5.40.0,<5.40.3
>=5.41.0,<5.41.13
Fixed range: >=5.41.13
>=5.38.5,<5.40.0
>=5.40.3
CVEs: CVE-2025-40909
References:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098226
https://github.com/Perl/perl5/commit/11a11ecf4bea72b17d250cfb43c897be1341861e
https://github.com/Perl/perl5/commit/918bfff86ca8d6d4e4ec5b30994451e0bd74aba9.patch
https://github.com/Perl/perl5/issues/10387
https://github.com/Perl/perl5/issues/23010
https://perldoc.perl.org/5.14.0/perl5136delta#Directory-handles-not-copied-to-threads
https://www.openwall.com/lists/oss-security/2025/05/22/2
http://www.openwall.com/lists/oss-security/2025/05/23/1
http://www.openwall.com/lists/oss-security/2025/05/30/4
File-Temp (have ==0.2311) has 1 advisory
* CPANSA-File-Temp-2011-4116
_is_safe in the File::Temp module for Perl does not properly handle symlinks.
Affected range: >0
Fixed range:
CVEs: CVE-2011-4116
References:
http://www.openwall.com/lists/oss-security/2011/11/04/2
https://rt.cpan.org/Public/Bug/Display.html?id=69106
https://github.com/Perl-Toolchain-Gang/File-Temp/issues/14
http://www.openwall.com/lists/oss-security/2011/11/04/4
https://seclists.org/oss-sec/2011/q4/238
FCGI (have ==0.82) has 1 advisory
* CPANSA-FCGI-2025-40907
FCGI versions 0.44 through 0.82, for Perl, include a vulnerable version of the FastCGI fcgi2 (aka fcgi) library. The included FastCGI library is affected by CVE-2025-23016, causing an integer overflow (and resultant heap-based buffer overflow) via crafted nameLen or valueLen values in data to the IPC socket. This occurs in ReadParams in fcgiapp.c.
Affected range: >=0.44
Fixed range:
CVEs: CVE-2025-40907
References:
http://www.openwall.com/lists/oss-security/2025/04/23/4
https://github.com/FastCGI-Archives/fcgi2/issues/67
https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.5
https://github.com/perl-catalyst/FCGI/issues/14
https://patch-diff.githubusercontent.com/raw/FastCGI-Archives/fcgi2/pull/74.patch
https://www.synacktiv.com/en/publications/cve-2025-23016-exploiting-the-fastcgi-library
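The FCGI_PARAMS name-value encoding that ReadParams consumes, as an added Perl example that is not fcgi2's or the FCGI module's code: a parser that decodes the one- or four-byte nameLen/valueLen fields and checks each declared length against the bytes actually remaining before copying anything, instead of forming nameLen + valueLen. Both input buffers, including one carrying 0x7fffffff for each length, are constructed inline; enc_len() and enc_pair() exist only to build them.

```perl
#!/usr/bin/env perl
# Added example (not fcgi2 or the Perl FCGI module): a bounds-checked
# parser for FastCGI name-value pairs, the input that ReadParams handles.
use strict;
use warnings;

# Length field: one byte if the top bit is clear, otherwise four bytes
# big-endian with the top bit masked off (a 31-bit length). Returns
# (length, next_offset), or an empty list if the field is truncated.
sub read_len {
    my ($buf, $pos) = @_;
    my $total = length $buf;
    return if $pos >= $total;
    my $b0 = ord substr($buf, $pos, 1);
    return ($b0, $pos + 1) unless $b0 & 0x80;
    return if $pos + 4 > $total;
    my ($b1, $b2, $b3) = unpack('C3', substr($buf, $pos + 1, 3));
    return ((($b0 & 0x7f) << 24) | ($b1 << 16) | ($b2 << 8) | $b3, $pos + 4);
}

# Decode a whole FCGI_PARAMS body into a hash. Each declared length is
# compared against the bytes still present; the two attacker-chosen lengths
# are never added together, so there is no sum to wrap.
sub parse_params {
    my ($buf) = @_;
    my %env;
    my $pos   = 0;
    my $total = length $buf;
    while ($pos < $total) {
        my ($nlen, $p1) = read_len($buf, $pos);
        die "truncated nameLen at offset $pos\n" unless defined $nlen;
        my ($vlen, $p2) = read_len($buf, $p1);
        die "truncated valueLen at offset $p1\n" unless defined $vlen;
        my $left = $total - $p2;
        die "nameLen $nlen exceeds remaining $left bytes\n"  if $nlen > $left;
        $left -= $nlen;
        die "valueLen $vlen exceeds remaining $left bytes\n" if $vlen > $left;
        my $name  = substr($buf, $p2, $nlen);
        my $value = substr($buf, $p2 + $nlen, $vlen);
        $env{$name} = $value;
        $pos = $p2 + $nlen + $vlen;
    }
    return \%env;
}

# Encoder used only to build the constructed inputs below.
sub enc_len  { my $n = shift; return $n < 128 ? pack('C', $n) : pack('N', $n | 0x80000000) }
sub enc_pair { my ($k, $v) = @_; return enc_len(length $k) . enc_len(length $v) . $k . $v }

# Constructed well-formed body: one short value and one 200-byte value that
# exercises the four-byte length form.
my $good = enc_pair('SCRIPT_NAME', '/index.pl') . enc_pair('QUERY_STRING', 'x' x 200);
my $env  = parse_params($good);
printf "%-13s = %s\n", $_, (length($env->{$_}) > 20 ? length($env->{$_}) . ' bytes' : $env->{$_})
    for sort keys %$env;

# Constructed hostile body: nameLen and valueLen both 0x7fffffff (top bit
# set, the remaining 31 bits all ones) followed by four bytes. Added in a
# 32-bit int those two lengths wrap to a tiny allocation; checked one at a
# time against the four bytes present they are rejected before any copy.
my $bad = pack('NN', 0xFFFFFFFF, 0xFFFFFFFF) . 'AAAA';
my $ok  = eval { parse_params($bad); 1 };
print "hostile body rejected: $@" unless $ok;
```

The same shape of check belongs in any code that allocates from two attacker-supplied lengths: compare each against what was actually received, and never let a sum of them choose a buffer size.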
App-cpanminus (have ==1.7047) has 1 advisory
* CPANSA-App-cpanminus-2024-45321
The App::cpanminus package through 1.7047 for Perl downloads code via insecure HTTP, enabling code execution for network attackers.
Affected range: <=1.7047
Fixed range:
CVEs: CVE-2024-45321
References:
https://github.com/miyagawa/cpanminus/issues/611
https://github.com/miyagawa/cpanminus/pull/674
https://security.metacpan.org/2024/08/26/cpanminus-downloads-code-using-insecure-http.html
Imager (have ==1.024) has 1 advisory
* CPANSA-Imager-2024-001
"invalid next size" backtrace on use of trim on certain images
Affected range: <=1.024
Fixed range: >1.024
CVEs: CVE-2024-53901
References:
https://metacpan.org/dist/Imager/changes
https://github.com/tonycoz/imager/issues/534
Tk (have ==804.036) has 3 advisories
* CPANSA-Tk-2007-4769-tcl
The regular expression parser in TCL before 8.4.17, as used in PostgreSQL 8.2 before 8.2.6, 8.1 before 8.1.11, 8.0 before 8.0.15, and 7.4 before 7.4.19, allows remote authenticated users to cause a denial of service (backend crash) via an out-of-bounds backref number.
Affected range: >0
Fixed range:
CVEs: CVE-2007-4769
References:
http://www.postgresql.org/about/news.905
http://www.securityfocus.com/bid/27163
http://securitytracker.com/id?1019157
http://secunia.com/advisories/28359
http://sourceforge.net/project/shownotes.php?release_id=565440&group_id=10894
http://sourceforge.net/tracker/index.php?func=detail&aid=1810264&group_id=10894&atid=110894
http://www.mandriva.com/security/advisories?name=MDVSA-2008:004
https://issues.rpath.com/browse/RPL-1768
http://www.debian.org/security/2008/dsa-1460
http://www.debian.org/security/2008/dsa-1463
https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00397.html
https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00469.html
http://www.redhat.com/support/errata/RHSA-2008-0038.html
http://sunsolve.sun.com/search/document.do?assetkey=1-26-103197-1
http://secunia.com/advisories/28376
http://secunia.com/advisories/28438
http://secunia.com/advisories/28437
http://secunia.com/advisories/28454
http://secunia.com/advisories/28464
http://secunia.com/advisories/28477
http://secunia.com/advisories/28479
http://secunia.com/advisories/28455
http://security.gentoo.org/glsa/glsa-200801-15.xml
http://secunia.com/advisories/28679
http://lists.opensuse.org/opensuse-security-announce/2008-02/msg00000.html
http://secunia.com/advisories/28698
http://www.redhat.com/support/errata/RHSA-2008-0040.html
http://sunsolve.sun.com/search/document.do?assetkey=1-66-200559-1
http://secunia.com/advisories/29638
http://www.vupen.com/english/advisories/2008/1071/references
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01420154
http://www.vupen.com/english/advisories/2008/0109
http://www.vupen.com/english/advisories/2008/0061
https://exchange.xforce.ibmcloud.com/vulnerabilities/39499
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9804
https://usn.ubuntu.com/568-1/
http://www.securityfocus.com/archive/1/486407/100/0/threaded
http://www.securityfocus.com/archive/1/485864/100/0/threaded
* CPANSA-Tk-2018-25032-zlib
zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.
Affected range: >=804.027_500,<=804.036
Fixed range:
CVEs: CVE-2018-25032
References:
https://rt.cpan.org/Ticket/Display.html?id=143579
https://www.openwall.com/lists/oss-security/2022/03/24/1
https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531
http://www.openwall.com/lists/oss-security/2022/03/25/2
http://www.openwall.com/lists/oss-security/2022/03/26/1
https://www.openwall.com/lists/oss-security/2022/03/28/1
https://github.com/madler/zlib/compare/v1.2.11...v1.2.12
https://www.openwall.com/lists/oss-security/2022/03/28/3
https://github.com/madler/zlib/issues/605
https://www.debian.org/security/2022/dsa-5111
https://lists.debian.org/debian-lts-announce/2022/04/msg00000.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NS2D2GFPFGOJUL4WQ3DUAY7HF4VWQ77F/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XOKFMSNQ5D5WGMALBNBXU3GE442V74WU/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOKNP2L734AEL47NRYGVZIKEFOUBQY5Y/
https://lists.debian.org/debian-lts-announce/2022/05/msg00008.html
https://support.apple.com/kb/HT213255
https://support.apple.com/kb/HT213256
https://support.apple.com/kb/HT213257
http://seclists.org/fulldisclosure/2022/May/33
http://seclists.org/fulldisclosure/2022/May/35
http://seclists.org/fulldisclosure/2022/May/38
https://security.netapp.com/advisory/ntap-20220526-0009/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DF62MVMH3QUGMBDCB3DY2ERQ6EBHTADB/
* CPANSA-Tk-2011-3045-libpng
Integer signedness error in the png_inflate function in pngrutil.c in libpng before 1.4.10beta01, as used in Google Chrome before 17.0.963.83 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PNG file, a different vulnerability than CVE-2011-3026.
Affected range: >804.027_500,<=804.036
Fixed range:
CVEs: CVE-2011-3045
References:
http://googlechromereleases.blogspot.com/2012/03/stable-channel-update_21.html
http://code.google.com/p/chromium/issues/detail?id=116162
http://src.chromium.org/viewvc/chrome?view=rev&revision=125311
http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commit;h=a8c319a2b281af68f7ca0e2f9a28ca57b44ceb2b
https://bugzilla.redhat.com/show_bug.cgi?id=799000
http://secunia.com/advisories/48485
http://secunia.com/advisories/48512
http://secunia.com/advisories/48554
http://lists.fedoraproject.org/pipermail/package-announce/2012-March/076731.html
http://secunia.com/advisories/48320
http://lists.opensuse.org/opensuse-updates/2012-03/msg00051.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-March/076461.html
http://secunia.com/advisories/49660
http://security.gentoo.org/glsa/glsa-201206-15.xml
http://www.securitytracker.com/id?1026823
http://rhn.redhat.com/errata/RHSA-2012-0488.html
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14763
http://www.mandriva.com/security/advisories?name=MDVSA-2012:033
http://lists.fedoraproject.org/pipermail/package-announce/2012-March/075987.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-March/075981.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-March/075619.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-March/075424.html
http://www.debian.org/security/2012/dsa-2439
http://rhn.redhat.com/errata/RHSA-2012-0407.html
http://lists.opensuse.org/opensuse-security-announce/2012-04/msg00000.html