| Summary: | php-ZendFramework, php-ZendFramework2 new security issue ZF2015-06 (CVE-2015-5161) | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | brtians1, guillomovitch, sysadmin-bugs, thomas, wilcal.int |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/655118/ | | |
| Whiteboard: | MGA4TOO has_procedure advisory MGA5-32-OK mga4-32-ok | | |
| Source RPM: | php-ZendFramework-1.12.13-1.mga4.src.rpm, php-ZendFramework2-2.3.9-1.mga5.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser 2015-08-20 20:21:04 CEST

David Walser 2015-08-20 20:21:10 CEST
Whiteboard: (none) => MGA5TOO, MGA4TOO

I take php-ZendFramework (maintainer nobody) but we have a maintainer for php-ZendFramework2 (guillomovitch).
Assignee: thomas => guillomovitch

We may better upgrade to version 1.12.15
http://framework.zend.com/blog/zend-framework-1-12-15-and-2-4-7-released.html
CC: (none) => thomas

php-ZendFramework2 updated to 2.4.7 in cauldron.

Resolved by upgrading to maintenance release 1.12.15. This solves some bugs that were added in 1.12.14.

The following files are now in mga4, upgrades testing:
php-ZendFramework-1.12.15-1.mga4.src.rpm
php-ZendFramework-1.12.15-1.mga4.noarch.rpm
php-ZendFramework-demos-1.12.15-1.mga4.noarch.rpm
php-ZendFramework-tests-1.12.15-1.mga4.noarch.rpm
php-ZendFramework-extras-1.12.15-1.mga4.noarch.rpm
php-ZendFramework-Cache-Backend-Apc-1.12.15-1.mga4.noarch.rpm
php-ZendFramework-Cache-Backend-Memcached-1.12.15-1.mga5.noarch.rpm
php-ZendFramework-Captcha-1.12.15-1.mga4.noarch.rpm
php-ZendFramework-Dojo-1.12.15-1.mga4.noarch.rpm
php-ZendFramework-Feed-1.12.15-1.mga4.noarch.rpm
php-ZendFramework-Gdata-1.12.15-1.mga4.noarch.rpm
php-ZendFramework-Pdf-1.12.15-1.mga4.noarch.rpm
php-ZendFramework-Search-Lucene-1.12.15-1.mga4.noarch.rpm
php-ZendFramework-Services-1.12.15-1.mga4.noarch.rpm

The following files are now in mga5, upgrades testing:
php-ZendFramework-1.12.15-1.mga5.src.rpm
php-ZendFramework-1.12.15-1.mga5.noarch.rpm
php-ZendFramework-demos-1.12.15-1.mga5.noarch.rpm
php-ZendFramework-tests-1.12.15-1.mga5.noarch.rpm
php-ZendFramework-extras-1.12.15-1.mga5.noarch.rpm
php-ZendFramework-Cache-Backend-Apc-1.12.15-1.mga5.noarch.rpm
php-ZendFramework-Cache-Backend-Memcached-1.12.15-1.mga5.noarch.rpm
php-ZendFramework-Captcha-1.12.15-1.mga5.noarch.rpm
php-ZendFramework-Dojo-1.12.15-1.mga5.noarch.rpm
php-ZendFramework-Feed-1.12.15-1.mga5.noarch.rpm
php-ZendFramework-Gdata-1.12.15-1.mga5.noarch.rpm
php-ZendFramework-Pdf-1.12.15-1.mga5.noarch.rpm
php-ZendFramework-Search-Lucene-1.12.15-1.mga5.noarch.rpm
php-ZendFramework-Services-1.12.15-1.mga5.noarch.rpm

I am checking if we can obsolete this package in cauldron but right now I fixed it by upgrading.

(In reply to Guillaume Rousse from comment #3)
> php-ZendFramework2 updated to 2.4.7 in cauldron.

I guess we should do the same for Mageia 5?
Version: Cauldron => 5

Updated packages uploaded for Mageia 4, Mageia 5, and Cauldron.

See Comment 4 for the php-ZendFramework package list.

php-ZendFramework2 (Mageia 5 only) package list:
php-ZendFramework2-2.4.7-1.mga5
php-ZendFramework2-Authentication-2.4.7-1.mga5
php-ZendFramework2-Barcode-2.4.7-1.mga5
php-ZendFramework2-Cache-2.4.7-1.mga5
php-ZendFramework2-Captcha-2.4.7-1.mga5
php-ZendFramework2-Code-2.4.7-1.mga5
php-ZendFramework2-Config-2.4.7-1.mga5
php-ZendFramework2-Console-2.4.7-1.mga5
php-ZendFramework2-Crypt-2.4.7-1.mga5
php-ZendFramework2-Db-2.4.7-1.mga5
php-ZendFramework2-Debug-2.4.7-1.mga5
php-ZendFramework2-Di-2.4.7-1.mga5
php-ZendFramework2-Dom-2.4.7-1.mga5
php-ZendFramework2-Escaper-2.4.7-1.mga5
php-ZendFramework2-EventManager-2.4.7-1.mga5
php-ZendFramework2-Feed-2.4.7-1.mga5
php-ZendFramework2-File-2.4.7-1.mga5
php-ZendFramework2-Filter-2.4.7-1.mga5
php-ZendFramework2-Form-2.4.7-1.mga5
php-ZendFramework2-Http-2.4.7-1.mga5
php-ZendFramework2-I18n-2.4.7-1.mga5
php-ZendFramework2-InputFilter-2.4.7-1.mga5
php-ZendFramework2-Json-2.4.7-1.mga5
php-ZendFramework2-Ldap-2.4.7-1.mga5
php-ZendFramework2-Loader-2.4.7-1.mga5
php-ZendFramework2-Log-2.4.7-1.mga5
php-ZendFramework2-Mail-2.4.7-1.mga5
php-ZendFramework2-Math-2.4.7-1.mga5
php-ZendFramework2-Memory-2.4.7-1.mga5
php-ZendFramework2-Mime-2.4.7-1.mga5
php-ZendFramework2-ModuleManager-2.4.7-1.mga5
php-ZendFramework2-Mvc-2.4.7-1.mga5
php-ZendFramework2-Navigation-2.4.7-1.mga5
php-ZendFramework2-Paginator-2.4.7-1.mga5
php-ZendFramework2-Permissions-Acl-2.4.7-1.mga5
php-ZendFramework2-Permissions-Rbac-2.4.7-1.mga5
php-ZendFramework2-ProgressBar-2.4.7-1.mga5
php-ZendFramework2-Serializer-2.4.7-1.mga5
php-ZendFramework2-Server-2.4.7-1.mga5
php-ZendFramework2-ServiceManager-2.4.7-1.mga5
php-ZendFramework2-Session-2.4.7-1.mga5
php-ZendFramework2-Soap-2.4.7-1.mga5
php-ZendFramework2-Stdlib-2.4.7-1.mga5
php-ZendFramework2-Tag-2.4.7-1.mga5
php-ZendFramework2-Test-2.4.7-1.mga5
php-ZendFramework2-Text-2.4.7-1.mga5
php-ZendFramework2-Uri-2.4.7-1.mga5
php-ZendFramework2-Validator-2.4.7-1.mga5
php-ZendFramework2-Version-2.4.7-1.mga5
php-ZendFramework2-View-2.4.7-1.mga5
php-ZendFramework2-XmlRpc-2.4.7-1.mga5
php-ZendFramework2-ZendXml-2.4.7-1.mga5
from php-ZendFramework2-2.4.7-1.mga5.src.rpm
CC: (none) => guillomovitch

Advisory (Mageia 4):
========================

Updated php-ZendFramework packages fix security vulnerability:

Dawid Golunski discovered that when running under PHP-FPM in a threaded environment, Zend Framework, a PHP framework, did not properly handle XML data in multibyte encoding. This could be used by remote attackers to perform an XML External Entity attack via crafted XML data (CVE-2015-5161).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5161
http://framework.zend.com/blog/zend-framework-1-12-14-2-4-6-and-2-5-2-released.html
http://framework.zend.com/blog/zend-framework-1-12-15-and-2-4-7-released.html
http://framework.zend.com/security/advisory/ZF2015-06
https://www.debian.org/security/2015/dsa-3340

Advisory (Mageia 5):
========================

Updated php-ZendFramework and php-ZendFramework2 packages fix security vulnerability:

Dawid Golunski discovered that when running under PHP-FPM in a threaded environment, Zend Framework, a PHP framework, did not properly handle XML data in multibyte encoding. This could be used by remote attackers to perform an XML External Entity attack via crafted XML data (CVE-2015-5161).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5161
http://framework.zend.com/blog/zend-framework-1-12-14-2-4-6-and-2-5-2-released.html
http://framework.zend.com/blog/zend-framework-1-12-15-and-2-4-7-released.html
http://framework.zend.com/security/advisory/ZF2015-06
https://www.debian.org/security/2015/dsa-3340

Testing procedure (php-ZendFramework):
https://bugs.mageia.org/show_bug.cgi?id=13708#c3

php-ZendFramework2 is used by glpi and galette.
Whiteboard: MGA4TOO => MGA4TOO has_procedure

In VirtualBox, M4, KDE, 32-bit
Set up per testing procedure (php-ZendFramework): https://bugs.mageia.org/show_bug.cgi?id=13708#c3
Package(s) under test: php-ZendFramework

default install of php-ZendFramework
[root@localhost wilcal]# urpmi php-ZendFramework
Package php-ZendFramework-1.12.13-1.mga4.noarch is already installed

When I attempt to sign in on the guestbook the following error is displayed:
ZF Quickstart Application
An error occurred
Application error
CC: (none) => wilcal.int

Someone asked somewhere (not here) if their testing of galette was OK since it wasn't easy to understand. As long as it doesn't error out fatally or have serious visual regressions vs. when the previous Zend is installed, that's sufficient to give this the OK. You don't need to get galette fully configured and operational.

System: MGA5-32
I installed OwnCloud. Instructions work as they are. Instructions are here: https://wiki.mageia.org/en/OwnCloud
The documentation is thorough. Do note you can use SQLite too by default in OwnCloud. Note also OwnCloud will default to /var. I found you can have more control by creating another folder in home owned by apache. This is a good idea on a small instance, or you can create a separate drive. The configuration file is: /usr/share/owncloud/config/config.php
Installation of Galette, I found the instructions here: http://galette.eu/documentation/fr/installation/galette.html
You'll find the php.ini file in /etc. You'll need to manually set up timezone.
Per note at 2015-0914 23:04:07 - no screen rendering issues during installation process. It all seems to work for me.
CC: (none) => brtians1

Testing complete mga4 32
Followed https://bugs.mageia.org/show_bug.cgi?id=13708#c3
Whiteboard: MGA4TOO has_procedure MGA5-32-OK => MGA4TOO has_procedure MGA5-32-OK mga4-32-ok

Validating. Separate advisories uploaded combining comment 4, comment 6 & comment 7. Please push to 4 & 5 updates. Thanks
Keywords: (none) => validated_update

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0370.html
Status: NEW => RESOLVED

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0371.html
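Worked illustration of the bug class in the advisory text above, added by the editor; it is not part of the bug report and is not Zend Framework's or ZendXml's code. Background the page does not spell out: libxml_disable_entity_loader() is a process-wide switch that is not thread-safe, so under a threaded PHP-FPM Zend Framework falls back to scanning the raw document for DOCTYPE/ENTITY declarations before handing it to libxml2. A byte-level scan for the ASCII spelling of `<!ENTITY` never matches a UTF-16 or UTF-32 document, whose bytes interleave NULs, and that is the multibyte bypass ZF2015-06 closed. The function names, the encoding sniffing order, and the sample XXE payloads below are this example's own constructions.

```python
"""
Pre-parse heuristic for XML entity declarations that copes with multibyte
encodings. Added example for the CVE-2015-5161 / ZF2015-06 bug class; not
Zend Framework's or ZendXml's code. Function names are this example's own.
"""
import codecs
import re

# Byte-order marks, longest first so UTF-32LE (FF FE 00 00) is not mistaken
# for UTF-16LE (FF FE).
_BOMS = (
    (codecs.BOM_UTF32_BE, "utf-32-be"),
    (codecs.BOM_UTF32_LE, "utf-32-le"),
    (codecs.BOM_UTF16_BE, "utf-16-be"),
    (codecs.BOM_UTF16_LE, "utf-16-le"),
    (codecs.BOM_UTF8, "utf-8"),
)

# What we refuse to hand to the parser: any DOCTYPE or ENTITY declaration.
_DECL_TEXT = re.compile(r"<!(?:DOCTYPE|ENTITY)", re.IGNORECASE)
_DECL_BYTES = re.compile(rb"<!(?:DOCTYPE|ENTITY)", re.IGNORECASE)


def naive_has_entity_decl(data: bytes) -> bool:
    """Broken variant: byte-level scan for the ASCII spelling only.

    A UTF-16/UTF-32 document spells '<!' with interleaved NUL bytes, so this
    never matches and the declaration reaches the parser untouched.
    """
    return _DECL_BYTES.search(data) is not None


def detect_encoding(data: bytes) -> str:
    """Sniff the document encoding the way an XML parser does.

    First a BOM, then the NUL pattern around the leading '<' (XML 1.0,
    Appendix F). Anything else is treated as ASCII-compatible, for which a
    UTF-8 decode with replacement is enough to find '<!ENTITY'.
    """
    for bom, enc in _BOMS:
        if data.startswith(bom):
            return enc
    if data.startswith(b"\x00\x00\x00<"):
        return "utf-32-be"
    if data.startswith(b"<\x00\x00\x00"):
        return "utf-32-le"
    if data.startswith(b"\x00<"):
        return "utf-16-be"
    if data.startswith(b"<\x00"):
        return "utf-16-le"
    return "utf-8"


def has_entity_decl(data: bytes) -> bool:
    """Hardened variant: decode in the sniffed encoding, then scan as text."""
    text = data.decode(detect_encoding(data), errors="replace")
    return _DECL_TEXT.search(text) is not None


# Constructed sample payloads (not taken from the advisory): one XXE document
# in the encodings an attacker could choose.
_XXE_DOC = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>\n'
    "<r>&xxe;</r>\n"
)
SAMPLES = {
    "utf-8": _XXE_DOC.encode("utf-8"),
    "utf-16-le-bom": codecs.BOM_UTF16_LE + _XXE_DOC.encode("utf-16-le"),
    "utf-16-be-nobom": _XXE_DOC.encode("utf-16-be"),
    "utf-32-le-bom": codecs.BOM_UTF32_LE + _XXE_DOC.encode("utf-32-le"),
}
# A harmless multibyte document, to show the hardened scan does not just
# reject everything that is not UTF-8.
BENIGN = codecs.BOM_UTF16_LE + '<?xml version="1.0"?><r>ok</r>'.encode("utf-16-le")


def compare_scans() -> dict:
    """Map sample name -> (naive result, hardened result)."""
    return {name: (naive_has_entity_decl(d), has_entity_decl(d))
            for name, d in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in compare_scans().items():
        print(f"{name:16s} naive={naive!s:5s} hardened={hardened}")
    print(f"benign utf-16    hardened={has_entity_decl(BENIGN)}")
```

Running it shows the naive scan flagging only the UTF-8 payload while the hardened scan flags all four and still passes the benign UTF-16 document. The scan is a pre-parse guard, not a substitute for the fix: the packages listed in the advisories above carry the upstream correction, and on non-threaded SAPIs disabling the external entity loader and never loading DTDs from untrusted input remains the primary control.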