Bug 19548

Summary:	php-ZendFramework new security issue ZF2016-03 (CVE-2016-4861)
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	major
Priority:	Normal	CC:	brtians1, davidwhodgins, mageia, sysadmin-bugs, tarazed25
Version:	5	Keywords:	validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
URL:	http://lwn.net/Vulnerabilities/702787/
Whiteboard:	has_procedure advisory mga5-32-ok
Source RPM:	php-ZendFramework-1.12.19-1.mga5.src.rpm	CVE:
Status comment:

Description David Walser 2016-10-06 20:13:39 CEST

Upstream has issued an advisory on September 8:
https://framework.zend.com/security/advisory/ZF2016-03

This issue is CVE-2016-4861:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-4861

Debian-LTS has issued an advisory for this October 5:
http://lwn.net/Alerts/702773/

The issue is fixed in 1.12.20:
https://framework.zend.com/blog/2016-09-08-ZF-1.12.20-Released.html

Updated package uploaded for Mageia 5.

Advisory:
========================

Updated php-ZendFramework packages fix security vulnerability:

The implementation of ORDER BY and GROUP BY in Zend_Db_Select remained prone
to SQL injection when a combination of SQL expressions and comments were used.
This security patch provides a comprehensive solution that identifies and
removes comments prior to checking validity of the statement to ensure no SQLi
vectors occur (CVE-2016-4861).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4861
https://framework.zend.com/security/advisory/ZF2016-03
https://framework.zend.com/blog/2016-09-08-ZF-1.12.20-Released.html
========================

Updated packages in core/updates_testing:
========================
php-ZendFramework-1.12.20-1.mga5
php-ZendFramework-demos-1.12.20-1.mga5
php-ZendFramework-tests-1.12.20-1.mga5
php-ZendFramework-extras-1.12.20-1.mga5
php-ZendFramework-Cache-Backend-Apc-1.12.20-1.mga5
php-ZendFramework-Cache-Backend-Memcached-1.12.20-1.mga5
php-ZendFramework-Captcha-1.12.20-1.mga5
php-ZendFramework-Dojo-1.12.20-1.mga5
php-ZendFramework-Feed-1.12.20-1.mga5
php-ZendFramework-Gdata-1.12.20-1.mga5
php-ZendFramework-Pdf-1.12.20-1.mga5
php-ZendFramework-Search-Lucene-1.12.20-1.mga5
php-ZendFramework-Services-1.12.20-1.mga5

from php-ZendFramework-1.12.20-1.mga5.src.rpm

Comment 1 David Walser 2016-10-06 20:13:50 CEST

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=13708#c3

Whiteboard: (none) => has_procedure

Comment 2 Nicolas Lécureuil 2016-10-09 09:49:13 CEST

using https://bugs.mageia.org/show_bug.cgi?id=13708#c3  i obtain ( with default mga5 rpms )

403 Forbidden: Execute Access Forbidden

The server is currently not serving php scripts.

This could mean the server administrator is doing maintenance or has orphan php files laying around, please contact the server administrator or come back later. Thank you.

CC: (none) => mageia

Nicolas Lécureuil 2016-10-12 11:18:40 CEST

Whiteboard: has_procedure => has_procedure advisory

Comment 3 Len Lawrence 2016-10-12 18:27:53 CEST

With the Core rpms I get a blank page.  I believe that that is what happened last time I tried this.

Also, the attachment https://bugs.mageia.org/attachment.cgi?id=2605 does not seem to exist.  It was supposed to contain Zend.tar.gz.

I still have the unzipped contents though.

CC: (none) => tarazed25

Comment 4 Brian Rockwell 2016-10-14 13:58:22 CEST

Hi Nicolas - install apache-mod_php and restart your server or reboot.  That will enable PHP to run in apache web server.

# uname -a
Linux localhost 4.4.16-desktop-1.mga5 #1 SMP Tue Jul 26 10:34:04 UTC 2016 i686 i686 i686 GNU/Linux


Installed the following:

The following 80 packages are going to be installed:

- cyrus-sasl-2.1.26-10.mga5.i586
- fonts-ttf-bitstream-vera-1.10-15.mga5.noarch
- libmbfl1-1.2.0-12.mga5.i586
- libonig2-5.9.5-3.mga5.i586
- libphp5_common5-5.6.26-1.mga5.i586
- libsasl2-plug-anonymous-2.1.26-10.mga5.i586
- libsasl2-plug-crammd5-2.1.26-10.mga5.i586
- libsasl2-plug-login-2.1.26-10.mga5.i586
- libsasl2-plug-plain-2.1.26-10.mga5.i586
- libt1lib5-5.1.2-18.mga5.i586
- memcached-1.4.17-3.mga5.i586
- php-apcu-4.0.7-1.mga5.i586
- php-bcmath-5.6.26-1.mga5.i586
- php-bitset-2.0-9.mga5.i586
- php-channel-phpunit-1.3-14.mga5.noarch
- php-cli-5.6.26-1.mga5.i586
- php-ctype-5.6.26-1.mga5.i586
- php-curl-5.6.26-1.mga5.i586
- php-dom-5.6.26-1.mga5.i586
- php-fileinfo-5.6.26-1.mga5.i586
- php-filter-5.6.26-1.mga5.i586
- php-ftp-5.6.26-1.mga5.i586
- php-gd-5.6.26-1.mga5.i586
- php-gettext-5.6.26-1.mga5.i586
- php-hash-5.6.26-1.mga5.i586
- php-iconv-5.6.26-1.mga5.i586
- php-ini-5.6.26-1.mga5.i586
- php-json-5.6.26-1.mga5.i586
- php-mbstring-5.6.26-1.mga5.i586
- php-memcache-3.0.8-7.mga5.i586
- php-mysql-5.6.26-1.mga5.i586
- php-mysqlnd-5.6.26-1.mga5.i586
- php-openssl-5.6.26-1.mga5.i586
- php-pdo-5.6.26-1.mga5.i586
- php-pear-1.9.5-8.mga5.noarch
- php-pear-channel-horde-1.0-19.mga5.noarch
- php-pear-channel-symfony2-1.0-5.mga5.noarch
- php-pear-Console_ProgressBar-0.5.2beta-8.mga5.noarch
- php-pear-Crypt_HMAC-1.0.1-16.mga5.noarch
- php-pear-DbUnit-1.3.1-4.mga5.noarch
- php-pear-File_Iterator-1.3.4-4.mga5.noarch
- php-pear-HTTP_Request-1.4.4-9.mga5.noarch
- php-pear-Net_Socket-1.0.14-4.mga5.noarch
- php-pear-Net_URL-1.0.15-9.mga5.noarch
- php-pear-PHPUnit-3.7.34-2.mga5.noarch
- php-pear-PHPUnit_MockObject-1.2.3-4.mga5.noarch
- php-pear-PHPUnit_Selenium-1.3.3-4.mga5.noarch
- php-pear-PHPUnit_Story-1.0.2-4.mga5.noarch
- php-pear-PHP_CodeCoverage-1.2.17-3.mga5.noarch
- php-pear-PHP_Invoker-1.1.3-4.mga5.noarch
- php-pear-PHP_Timer-1.0.5-4.mga5.noarch
- php-pear-PHP_TokenStream-1.2.2-3.mga5.noarch
- php-pear-Symfony2_Yaml-2.4.4-3.mga5.noarch
- php-pear-Text_Template-1.2.0-3.mga5.noarch
- php-posix-5.6.26-1.mga5.i586
- php-session-5.6.26-1.mga5.i586
- php-suhosin-0.9.37.1-1.mga5.i586
- php-sysvsem-5.6.26-1.mga5.i586
- php-sysvshm-5.6.26-1.mga5.i586
- php-timezonedb-2016.6-1.mga5.i586
- php-tokenizer-5.6.26-1.mga5.i586
- php-xml-5.6.26-1.mga5.i586
- php-xmlreader-5.6.26-1.mga5.i586
- php-xmlwriter-5.6.26-1.mga5.i586
- php-ZendFramework-1.12.20-1.mga5.noarch
- php-ZendFramework-Cache-Backend-Apc-1.12.20-1.mga5.noarch
- php-ZendFramework-Cache-Backend-Memcached-1.12.20-1.mga5.noarch
- php-ZendFramework-Captcha-1.12.20-1.mga5.noarch
- php-ZendFramework-demos-1.12.20-1.mga5.noarch
- php-ZendFramework-Dojo-1.12.20-1.mga5.noarch
- php-ZendFramework-extras-1.12.20-1.mga5.noarch
- php-ZendFramework-Feed-1.12.20-1.mga5.noarch
- php-ZendFramework-Gdata-1.12.20-1.mga5.noarch
- php-ZendFramework-Pdf-1.12.20-1.mga5.noarch
- php-ZendFramework-Search-Lucene-1.12.20-1.mga5.noarch
- php-ZendFramework-Services-1.12.20-1.mga5.noarch
- php-ZendFramework-tests-1.12.20-1.mga5.noarch
- php-zlib-5.6.26-1.mga5.i586
- t1lib-config-5.1.2-18.mga5.i586
- webserver-base-2.0-8.mga5.i586

115MB of additional disk space will be used.

25MB of packages will be retrieved.
----------

followed directions in 

https://bugs.mageia.org/show_bug.cgi?id=13708#c3

I was able to sign the guestbook and see the other registered folks.
----

Works as designed.

CC: (none) => brtians1
Whiteboard: has_procedure advisory => has_procedure advisory mga5-32-ok

Dave Hodgins 2016-10-21 05:25:58 CEST

Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 5 Mageia Robot 2016-10-21 16:49:10 CEST

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0352.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED