Upstream has posted an advisory: http://framework.zend.com/security/advisory/ZF2014-04 The issue is fixed upstream in 1.12.7. CVE request: http://openwall.com/lists/oss-security/2014/07/08/18 Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA4TOO, MGA3TOO
Status: NEW => ASSIGNED
This bug has been resolved by upgrading to ver. 1.12.7 The following pacakges are now in upgrade_testing: php-ZendFramework-1.12.7-1.mga4.src.rpm php-ZendFramework-1.12.7-1.mga4.noarch.rpm php-ZendFramework-demos-1.12.7-1.mga4.noarch.rpm php-ZendFramework-tests-1.12.7-1.mga4.noarch.rpm php-ZendFramework-extras-1.12.7-1.mga4.noarch.rpm php-ZendFramework-Cache-Backend-Apc-1.12.7-1.mga4.noarch.rpm php-ZendFramework-Cache-Backend-Memcached-1.12.7-1.mga4.noarch.rpm php-ZendFramework-Captcha-1.12.7-1.mga4.noarch.rpm php-ZendFramework-Dojo-1.12.7-1.mga4.noarch.rpm php-ZendFramework-Feed-1.12.7-1.mga4.noarch.rpm php-ZendFramework-Gdata-1.12.7-1.mga4.noarch.rpm php-ZendFramework-Pdf-1.12.7-1.mga4.noarch.rpm php-ZendFramework-Search-Lucene-1.12.7-1.mga4.noarch.rpm php-ZendFramework-Services-1.12.7-1.mga4.noarch.rpm and the same packages for mga3 Assigning to to qa
CC: (none) => thomasAssignee: thomas => qa-bugs
Version: Cauldron => 4Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Some info for testing in bug 6666
Testing complete mga4 64 Needs an advisory David please. No PoC's so just testing zend is still functional. Followed the procedure here https://bugs.mageia.org/show_bug.cgi?id=6666#c16 It's changed a little so find it updated below. php-eaccelerator is no longer used so ignore that bit. If you don't have task-lamp installed already you'll need this first # urpmi task-lamp then # urpmi php-pdo_sqlite # Required for sample app, not Zend-Framework itself # urpmi -ya php-ZendFramework # wget https://bugs.mageia.org/attachment.cgi?id=2605 -O Zend.tar.gz # tar -xf Zend.tar.gz # cp -r css /var/www/html # cp -r Zend /var/www/html # chown -R apache:apache /var/www/html/Zend/data/db # service httpd start # or restart Then go to http://127.0.0.1/Zend/public/index.php Click on guestbook in the top right, and sign the guestbook.
Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok
(In reply to claire robinson from comment #3) > Needs an advisory David please. Yep, I know. I'm waiting for CVE assignments. For now, refer to the upstream advisory: http://framework.zend.com/security/advisory/ZF2014-04
CVE assignment: http://www.openwall.com/lists/oss-security/2014/07/11/4 Advisory: ======================== Updated php-ZendFramework packages fix security vulnerability: The implementation of the ORDER BY SQL statement in Zend_Db_Select of Zend Framework 1 contains a potential SQL injection when the query string passed contains parentheses (CVE-2014-4914). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4914 http://framework.zend.com/security/advisory/ZF2014-04 http://www.openwall.com/lists/oss-security/2014/07/11/4
Summary: php-ZendFramework new security issue ZF2014-04 => php-ZendFramework new security issue ZF2014-04 (CVE-2014-4914)
Testing complete mga4 32 using the procedure in comment 3
Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga4-32-ok mga4-64-ok
Fedora has issued an advisory for this on July 13: https://lists.fedoraproject.org/pipermail/package-announce/2014-July/135671.html Adding that link to the advisory. Advisory: ======================== Updated php-ZendFramework packages fix security vulnerability: The implementation of the ORDER BY SQL statement in Zend_Db_Select of Zend Framework 1 contains a potential SQL injection when the query string passed contains parentheses (CVE-2014-4914). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4914 http://framework.zend.com/security/advisory/ZF2014-04 https://lists.fedoraproject.org/pipermail/package-announce/2014-July/135671.html
URL: (none) => http://lwn.net/Vulnerabilities/606172/
Advisory uploaded. This still needs to be tested on mga3 before it can be validated.
CC: (none) => remiWhiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga4-32-ok mga4-64-ok advisory
Validating this. See the discussion in the QA meeting: http://meetbot.mageia.org/mageia-qa/2014/mageia-qa.2014-07-31-19.02.log.html#l-30 Please push this to core/updates for Mageia 3 and Mageia 4.
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
Made sure it installs in Mageia 3 32bit.
Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok advisory => MGA3TOO has_procedure mga3-32-ok mga4-32-ok mga4-64-ok advisory
Update pushed. http://advisories.mageia.org/MGASA-2014-0311.html
Status: ASSIGNED => RESOLVEDCC: (none) => mageiaResolution: (none) => FIXED