| Summary: | php-ZendFramework new security issues ZF2014-05 and ZF2014-06 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | olchal, rverschelde, sysadmin-bugs, thomas |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/616444/ | ||
| Whiteboard: | MGA3TOO has_procedure MGA3-64-OK advisory MGA4-64-OK | ||
| Source RPM: | php-ZendFramework-1.12.7-4.mga5.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2014-10-08 23:54:45 CEST
David Walser
2014-10-08 23:54:50 CEST
Whiteboard:
(none) =>
MGA4TOO, MGA3TOO

CVE-2014-8088 and CVE-2014-8089 have been assigned today (October 10): http://openwall.com/lists/oss-security/2014/10/10/5
David Walser
2014-10-16 18:10:25 CEST
URL:
(none) =>
http://lwn.net/Vulnerabilities/616444/

Fedora has issued an advisory for this on October 8: https://lists.fedoraproject.org/pipermail/package-announce/2014-October/141106.html
Thomas Spuhler
2014-10-24 19:44:36 CEST
Status:
NEW =>
ASSIGNED

(In reply to David Walser from comment #0)
> Upstream has announced version 1.12.9 on September 17:
> http://framework.zend.com/blog/zend-framework-1-12-9-2-2-8-and-2-3-3-released.html
>
> It fixes two security issues:
> http://framework.zend.com/security/advisory/ZF2014-05
> http://framework.zend.com/security/advisory/ZF2014-06
>
> Mageia 3 and Mageia 4 are also affected.
>
> As a side note, Guillaume Rousse just imported php-ZendFramework2 2.3.3 into
> Cauldron. Do we need to keep the older one there?

I don't think we should replace it this late in the development cycle. Even as upstream claims version 2 fully replaces version 1.

> Reproducible:
>
> Steps to Reproduce:

update to version 1.12.9 in svn. Will ask for Freeze push.

(In reply to Thomas Spuhler from comment #3)
> (In reply to David Walser from comment #0)
> > As a side note, Guillaume Rousse just imported php-ZendFramework2 2.3.3 into
> > Cauldron. Do we need to keep the older one there?
> I don't think we should replace it this late in the development cycle. Even
> as upstream claims version 2 fully replaces version 1.

Guillaume already imported version 2. The real question is, can the packages currently using version 1 be made to work with version 2? If so, then let's do it.

https://ml.mageia.org/l/arc/dev/2014-10/msg00413.html

This bug has been fixed by upgrading to version 1.12.9.

The following packages are now in upgrade_testing, ready to be validated.
php-ZendFramework-1.12.9-1.mga3.src.rpm
php-ZendFramework-1.12.9-1.mga3.noarch.rpm
php-ZendFramework-demos-1.12.9-1.mga3.noarch.rpm
php-ZendFramework-tests-1.12.9-1.mga3.noarch.rpm
php-ZendFramework-extras-1.12.9-1.mga3.noarch.rpm
php-ZendFramework-Cache-Backend-Apc-1.12.9-1.mga3.noarch.rpm
php-ZendFramework-Cache-Backend-Memcached-1.12.9-1.mga3.noarch.rpm
php-ZendFramework-Captcha-1.12.9-1.mga3.noarch.rpm
php-ZendFramework-Dojo-1.12.9-1.mga3.noarch.rpm
php-ZendFramework-Feed-1.12.9-1.mga3.noarch.rpm
php-ZendFramework-Gdata-1.12.9-1.mga3.noarch.rpm
php-ZendFramework-Pdf-1.12.9-1.mga3.noarch.rpm
php-ZendFramework-Search-Lucene-1.12.9-1.mga3.noarch.rpm
php-ZendFramework-Services-1.12.9-1.mga3.noarch.rpm

Same for mga4

Assigning to QA

Assignee:
thomas =>
qa-bugs

(In reply to David Walser from comment #5)
> (In reply to Thomas Spuhler from comment #3)
> > (In reply to David Walser from comment #0)
> > > As a side note, Guillaume Rousse just imported php-ZendFramework2 2.3.3 into
> > > Cauldron. Do we need to keep the older one there?
> > I don't think we should replace it this late in the development cycle. Even
> > as upstream claims version 2 fully replaces version 1.
>
> Guillaume already imported version 2. The real question is, can the
> packages currently using version 1 be made to work with version 2? If so,
> then let's do it.
>
> https://ml.mageia.org/l/arc/dev/2014-10/msg00413.html

I read those threads. There is more than one question: Are there any of our packages that don't work with version 2? I don't know. Who wants to test them all? It's not just php-ZendFramework. It's all of them above.

Second, how many users of Mageia have their own software based on using ZendFramework that may not work with version 2? There must be a good reason why upstream (a for-profit company) still maintains both.

Importing version 2 was a good idea, so our clients can start testing it.

Basically, I cannot comprehend why we have a version freeze, when we continue to do major upgrades such as moving from version 1 to version 2, or upgrading the RPM and creating hundreds of deps issues.

CC:
(none) =>
thomas

Well, obviously my concern is that we've just now doubled the work for maintaining these packages for Mageia 5, by importing version 2 at the last minute.

Thanks for the update Thomas!
Advisory:
========================
Updated php-ZendFramework packages fix security vulnerabilities:
Due to a bug in PHP's LDAP extension, when ZendFramework's Zend_ldap class is
used for logins, an attacker can log in as any user by using a null byte to
bypass the empty password check and perform an unauthenticated LDAP bind
(CVE-2014-8088).
The sqlsrv PHP extension, which provides the ability to connect to Microsoft
SQL Server from PHP, does not provide a built-in quoting mechanism for
manually quoting values to pass via SQL queries; developers are encouraged to
use prepared statements. Zend Framework provides quoting mechanisms via
Zend_Db_Adapter_Sqlsrv which uses the recommended "double single quote" ('')
as quoting delimiters. SQL Server treats null bytes in a query as a string
terminator, allowing an attacker to add arbitrary SQL following a null byte,
and thus create a SQL injection (CVE-2014-8089).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8088
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8089
http://framework.zend.com/security/advisory/ZF2014-05
http://framework.zend.com/security/advisory/ZF2014-06
http://framework.zend.com/blog/zend-framework-1-12-9-2-2-8-and-2-3-3-released.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-October/141106.html
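The two call sites the advisory above describes, as an added example that is not Zend Framework's or Mageia's code: the PHP-side emptiness check that CVE-2014-8088 bypasses and the quote-doubling that CVE-2014-8089 slips past, each beside a hardened form. ldap_bind() and sqlsrv_query() are the real PHP extension functions; every other function name and all inputs are made up for this demonstration. It takes as given the two behaviours the advisory states, that PHP's LDAP extension passes the password on as a C string (truncated at the first NUL) and that SQL Server ends a string literal at a NUL; it needs neither a directory nor a database to run, because the bind helpers are only defined, not called.

```php
<?php
declare(strict_types=1);

// Added example, not Zend Framework or Mageia code. ldap_bind() and
// sqlsrv_query() are the real PHP extension functions; every other name is
// made up for this demonstration, and the inputs below are constructed.

/**
 * What a C library receives when PHP hands it a string holding a NUL byte:
 * everything from the first NUL onwards is gone. This is the mechanism behind
 * CVE-2014-8088: "\0anything" reaches the LDAP client as "", and a simple bind
 * with an empty password is an unauthenticated bind, which the directory accepts.
 */
function asCString(string $s): string
{
    return explode("\0", $s, 2)[0];
}

/** Vulnerable login: only PHP's view of the password is tested for emptiness. */
function ldapLoginVulnerable($conn, string $dn, string $password): bool
{
    if ($password === '') {       // "\0x" is not '' here, but it is "" in C
        return false;
    }
    return @ldap_bind($conn, $dn, $password);
}

/** Hardened: refuse NUL bytes in DN and password before any C API sees them. */
function ldapLoginHardened($conn, string $dn, string $password): bool
{
    if ($password === '' || strpos($password, "\0") !== false
        || strpos($dn, "\0") !== false) {
        return false;
    }
    return @ldap_bind($conn, $dn, $password);
}

/**
 * Quoting as the advisory describes the pre-1.12.9 behaviour (CVE-2014-8089):
 * doubling ' is right for quotes but leaves a raw NUL inside the literal, and
 * SQL Server ends the literal there, so the rest of the value is parsed as SQL.
 */
function quoteSqlsrvVulnerable(string $value): string
{
    return "'" . str_replace("'", "''", $value) . "'";
}

/**
 * Hardened quoting: NUL becomes the printable sequence \000 and 0x1A becomes
 * \032, so the literal stays one token (T-SQL gives backslash no meaning).
 * This changes the stored value, so rejecting NUL outright, or better, passing
 * the value as a parameter to sqlsrv_query($conn, $sql, [$value]), is
 * preferable wherever the call site allows it.
 */
function quoteSqlsrvHardened(string $value): string
{
    $escaped = addcslashes($value, "\0\x1a");
    return "'" . str_replace("'", "''", $escaped) . "'";
}

/** Last-line check for any SQL text that is still assembled by hand. */
function hasRawNul(string $sql): bool
{
    return strpos($sql, "\0") !== false;
}

// Constructed attacker inputs.
$password = "\0not-the-real-password";
printf("PHP sees %d bytes of password, the LDAP library sees %d\n",
    strlen($password), strlen(asCString($password)));

$attack = "x\0 OR 1=1 --";                     // no quote character needed
foreach (['vulnerable' => quoteSqlsrvVulnerable($attack),
          'hardened'   => quoteSqlsrvHardened($attack)] as $label => $sql) {
    printf("%-10s %s  raw NUL: %s\n", $label, json_encode($sql),
        hasRawNul($sql) ? 'yes' : 'no');
}
```

The point the two halves share is that PHP string checks run on PHP's binary-safe view of the data, while the LDAP client and the SQL Server parser each stop at the NUL; any check that matters has to be made on the bytes the downstream component will actually see, which here means rejecting or escaping NUL before the call rather than testing for emptiness or quotes afterwards. For the SQL side, a parameterised sqlsrv_query() sidesteps the question entirely and should be the default.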
Whiteboard:
MGA4TOO, MGA3TOO =>
MGA3TOO

Procedure in https://bugs.mageia.org/show_bug.cgi?id=13708#c3

Whiteboard:
MGA3TOO =>
MGA3TOO has_procedure

Advisory uploaded.

Whiteboard:
MGA3TOO has_procedure =>
MGA3TOO has_procedure advisory

Testing complete on Mageia 3 64bit.

Whiteboard:
MGA3TOO has_procedure advisory =>
MGA3TOO has_procedure MGA3-64-OK advisory

Testing on Mageia 4-64

Followed procedure mentioned in comment 10.

On current package, proceeded with installation, in a browser went to: http://127.0.0.1/Zend/public/index.php
browsed in and signed the guest-book (olier@gmail.com)

Installed updates-testing packages:
- php-ZendFramework-1.12.9-1.mga4.noarch
- php-ZendFramework-Cache-Backend-Apc-1.12.9-1.mga4.noarch
- php-ZendFramework-Cache-Backend-Memcached-1.12.9-1.mga4.noarch
- php-ZendFramework-Captcha-1.12.9-1.mga4.noarch
- php-ZendFramework-demos-1.12.9-1.mga4.noarch
- php-ZendFramework-Dojo-1.12.9-1.mga4.noarch
- php-ZendFramework-extras-1.12.9-1.mga4.noarch
- php-ZendFramework-Feed-1.12.9-1.mga4.noarch
- php-ZendFramework-Gdata-1.12.9-1.mga4.noarch
- php-ZendFramework-Pdf-1.12.9-1.mga4.noarch
- php-ZendFramework-Search-Lucene-1.12.9-1.mga4.noarch
- php-ZendFramework-Services-1.12.9-1.mga4.noarch
- php-ZendFramework-tests-1.12.9-1.mga4.noarch

In a browser went to http://127.0.0.1/Zend/public/index.php
Signed the guest-book a second time (olivier_cc@gmail.com)

All OK

CC:
(none) =>
olchal

Validating.

Keywords:
(none) =>
validated_update

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2014-0434.html

Status:
ASSIGNED =>
RESOLVED