Upstream has issued two advisories:
http://framework.zend.com/security/advisory/ZF2014-01
http://framework.zend.com/security/advisory/ZF2014-02

The issues are fixed upstream in 1.12.4.

CVEs have been requested for these issues:
http://openwall.com/lists/oss-security/2014/03/27/1
Whiteboard: (none) => MGA4TOO, MGA3TOO
Fixed in Cauldron by upgrading to 1.12.5 (from 1.12.3). Fedora did the same.

The following packages require:
urpmq --whatrequires php-ZendFramework
galette
kolab-syncroton
owncloud
webacula

mga3 and mga4, the following packages are in updates-testing:
php-ZendFramework-1.12.5-1.mgax.src.rpm
php-ZendFramework-1.12.5-1.mgax.noarch.rpm
php-ZendFramework-demos-1.12.5-1.mgax.noarch.rpm
php-ZendFramework-tests-1.12.5-1.mgax.noarch.rpm
php-ZendFramework-extras-1.12.5-1.mgax.noarch.rpm
php-ZendFramework-Cache-Backend-Apc-1.12.5-1.mgax.noarch.rpm
php-ZendFramework-Cache-Backend-Memcached-1.12.5-1.mgax.noarch.rpm
php-ZendFramework-Captcha-1.12.5-1.mgax.noarch.rpm
php-ZendFramework-Dojo-1.12.5-1.mgax.noarch.rpm
php-ZendFramework-Feed-1.12.5-1.mgax.noarch.rpm
php-ZendFramework-Gdata-1.12.5-1.mgax.noarch.rpm
php-ZendFramework-Pdf-1.12.5-1.mgax.noarch.rpm
php-ZendFramework-Search-Lucene-1.12.5-1.mgax.noarch.rpm
php-ZendFramework-Services-1.12.5-1.mgax.noarch.rpm
Status: NEW => ASSIGNED
CC: (none) => thomas
Assignee: thomas => qa-bugs
Thanks Thomas!

CVEs don't seem to be forthcoming for this.

Advisory:
========================

Updated php-ZendFramework packages fix security vulnerabilities:

XML eXternal Entity (XXE) and XML Entity Expansion (XEE) flaws were discovered in the Zend Framework. An attacker could use these flaws to cause a denial of service, access files accessible to the server process, or possibly perform other more advanced XML External Entity (XXE) attacks (ZF2014-01).

Using the Consumer component of Zend_OpenId, it is possible to login using an arbitrary OpenID account (without knowing any secret information) by using a malicious OpenID Provider. That means it is possible to login using arbitrary OpenID Identity (MyOpenID, Google, etc), which are not under the control of our own OpenID Provider. Thus, we are able to impersonate any OpenID Identity against the framework (ZF2014-02).

References:
http://framework.zend.com/security/advisory/ZF2014-01
http://framework.zend.com/security/advisory/ZF2014-02
https://bugzilla.redhat.com/show_bug.cgi?id=1081287
https://bugzilla.redhat.com/show_bug.cgi?id=1081288
https://secunia.com/advisories/57276/
Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Severity: normal => critical
CVEs have finally been assigned for this. Updating the advisory:
http://openwall.com/lists/oss-security/2014/04/01/1

Advisory:
========================

Updated php-ZendFramework packages fix security vulnerabilities:

XML eXternal Entity (XXE) and XML Entity Expansion (XEE) flaws were discovered in the Zend Framework. An attacker could use these flaws to cause a denial of service, access files accessible to the server process, or possibly perform other more advanced XML External Entity (XXE) attacks (CVE-2014-2681, CVE-2014-2682, CVE-2014-2683).

Using the Consumer component of Zend_OpenId, it is possible to login using an arbitrary OpenID account (without knowing any secret information) by using a malicious OpenID Provider. That means it is possible to login using arbitrary OpenID Identity (MyOpenID, Google, etc), which are not under the control of our own OpenID Provider. Thus, we are able to impersonate any OpenID Identity against the framework (CVE-2014-2684, CVE-2014-2685).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2681
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2682
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2683
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2684
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2685
http://framework.zend.com/security/advisory/ZF2014-01
http://framework.zend.com/security/advisory/ZF2014-02
https://bugzilla.redhat.com/show_bug.cgi?id=1081287
https://bugzilla.redhat.com/show_bug.cgi?id=1081288
https://secunia.com/advisories/57276/
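Added example, not part of the bug report and not Zend Framework code: a defensive illustration, in Python rather than PHP, of closing off the XXE/XEE class named in the advisory above by refusing any DOCTYPE in untrusted XML, so that no entity, external or nested, is ever declared. The function names and the sample documents are constructed for this example.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed sample inputs (not taken from the advisories).
BENIGN = b"<feed><title>ok</title></feed>"
XXE_SAMPLE = (b'<?xml version="1.0"?><!DOCTYPE feed ['
              b'<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
              b"<feed><title>&ext;</title></feed>")
XEE_SAMPLE = (b'<?xml version="1.0"?><!DOCTYPE feed ['
              b'<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
              b"<feed><title>&b;</title></feed>")


class DTDForbidden(ValueError):
    """Untrusted XML carried a DOCTYPE declaration."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # Called by expat when it reaches "<!DOCTYPE", before any <!ENTITY ...>
    # declaration in the subset has been read.
    raise DTDForbidden(f"DOCTYPE {name!r} is not allowed in untrusted input")


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Build an element tree from untrusted bytes, refusing any DTD."""
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)   # raises DTDForbidden or expat.ExpatError
    return builder.close()


def is_accepted(data: bytes) -> bool:
    """True only for well-formed documents without a DOCTYPE."""
    try:
        parse_untrusted_xml(data)
        return True
    except (DTDForbidden, expat.ExpatError):
        return False


if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("xxe", XXE_SAMPLE), ("xee", XEE_SAMPLE)]:
        print(label, "accepted" if is_accepted(doc) else "rejected")
```

Because the check runs inside the parser, it does not depend on matching the literal bytes `<!DOCTYPE` in the input.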
OK, tested on a Mageia 4 x86-64 VBox VM based on the test procedure from https://bugs.mageia.org/show_bug.cgi?id=6666 and the guestbook app works fine there after I installed the php-ZendFramework-Captcha package. I'll try MGA4-i586 next.
URL: (none) => https://bugs.mageia.org/show_bug.cgi?id=6666
CC: (none) => shlomif
Whiteboard: MGA3TOO => MGA3TOO mga4-64-ok
URL: https://bugs.mageia.org/show_bug.cgi?id=6666 => (none)
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=6666
(In reply to Shlomi Fish from comment #4)
> OK, tested on a Mageia 4 x86-64 VBox VM based on the test procedure from
> https://bugs.mageia.org/show_bug.cgi?id=6666 and the guestbook app works
> fine there after I installed the php-ZendFramework-Captcha package. I'll try
> MGA4-i586 next.

Tested on MGA4-i586 now as well. It works fine there. Now I'm going to test mga3-x86-64.

Regards,

-- Shlomi Fish
Whiteboard: MGA3TOO mga4-64-ok => MGA3TOO mga4-64-ok mga4-32-ok
Tested on Mageia 3 x86-64. Works fine.
Whiteboard: MGA3TOO mga4-64-ok mga4-32-ok => MGA3TOO mga4-64-ok mga4-32-ok mga3-64-ok
Tested on MGA-3-i586. Works fine.
Whiteboard: MGA3TOO mga4-64-ok mga4-32-ok mga3-64-ok => MGA3TOO mga4-64-ok mga4-32-ok mga3-64-ok mga3-32-ok
Advisory uploaded. Validating.

Could sysadmin please push to 3 & 4 updates?

Thanks
Keywords: (none) => validated_update
Whiteboard: MGA3TOO mga4-64-ok mga4-32-ok mga3-64-ok mga3-32-ok => MGA3TOO advisory has_procedure mga4-64-ok mga4-32-ok mga3-64-ok mga3-32-ok
CC: (none) => sysadmin-bugs
http://advisories.mageia.org/MGASA-2014-0151.html
Status: ASSIGNED => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/592961/