Bug 18258

Summary: php-ZendFramework new security issues ZF2015-09 and ZF2016-01
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/685886/
Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK advisory
Source RPM: php-ZendFramework-1.12.16-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2016-04-25 11:51:24 CEST 
Upstream has issued advisories on November 23 and April 13:
http://framework.zend.com/security/advisory/ZF2015-09
http://framework.zend.com/security/advisory/ZF2016-01

The issues are fixed in versions 1.12.17 and 1.12.18, respectively.
Comment 1 Thomas Spuhler 2016-04-25 17:35:19 CEST 
These issues have been by upgrading to vesr. 1.12.18
The following packages are in updates_testing:
php-ZendFramework-1.12.18-1.mga5.src.rpm
php-ZendFramework-1.12.18-1.mga5.noarch.rpm
php-ZendFramework-demos-1.12.18-1.mga5.noarch.rpm
php-ZendFramework-tests-1.12.18-1.mga5.noarch.rpm
php-ZendFramework-extras-1.12.18-1.mga5.noarch.rpm
php-ZendFramework-Cache-Backend-Apc-1.12.18-1.mga5.noarch.rpm
php-ZendFramework-Cache-Backend-Memcached-1.12.18-1.mga5.noarch.rpm
php-ZendFramework-Captcha-1.12.18-1.mga5.noarch.rpm
php-ZendFramework-Dojo-1.12.18-1.mga5.noarch.rpm
php-ZendFramework-Feed-1.12.18-1.mga5.noarch.rpm
php-ZendFramework-Gdata-1.12.18-1.mga5.noarch.rpm
php-ZendFramework-Pdf-1.12.18-1.mga5.noarch.rpm
php-ZendFramework-Search-Lucene-1.12.18-1.mga5.noarch.rpm
php-ZendFramework-Services-1.12.18-1.mga5.noarch.rpm

assigning it to qa

Status: NEW => ASSIGNED
Assignee: thomas => qa-bugs

Comment 2 David Walser 2016-04-25 18:59:52 CEST 
Procedure in https://bugs.mageia.org/show_bug.cgi?id=13708#c3

Advisory:
========================

Updated php-ZendFramework packages fix security vulnerabilities:

The php-ZendFramework package has been updated to version 1.12.18 to fix a
potential information disclosure and insufficient entropy vulnerability in
the word CAPTCHA (ZF2015-09) and several other functions (ZF2016-01).

References:
http://framework.zend.com/security/advisory/ZF2015-09
http://framework.zend.com/security/advisory/ZF2016-01
http://framework.zend.com/blog/zend-framework-1-12-17-and-2-4-9-released.html
http://framework.zend.com/blog/zend-framework-1-12-18-released.html

Whiteboard: (none) => has_procedure

Comment 3 Dave Hodgins 2016-04-28 20:03:34 CEST 
Testing complete, replacing urpmi -ya php-ZendFramework with urpmi -ya php-ZendFramework- to exclude php-ZendFramework2

Advisory committed to svn.

Keywords: (none) => validated_update
Whiteboard: has_procedure => has_procedure MGA5-64-OK MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 4 Mageia Robot 2016-04-29 19:22:19 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0156.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

David Walser 2016-05-04 19:50:25 CEST

URL: (none) => http://lwn.net/Vulnerabilities/685886/