Upstream has announced version 1.12.9 on September 17:
http://framework.zend.com/blog/zend-framework-1-12-9-2-2-8-and-2-3-3-released.html

It fixes two security issues:
http://framework.zend.com/security/advisory/ZF2014-05
http://framework.zend.com/security/advisory/ZF2014-06

Mageia 3 and Mageia 4 are also affected.

As a side note, Guillaume Rousse just imported php-ZendFramework2 2.3.3 into Cauldron. Do we need to keep the older one there?

Reproducible:

Steps to Reproduce:
Whiteboard: (none) => MGA4TOO, MGA3TOO
CVE-2014-8088 and CVE-2014-8089 have been assigned today (October 10): http://openwall.com/lists/oss-security/2014/10/10/5
URL: (none) => http://lwn.net/Vulnerabilities/616444/
Fedora has issued an advisory for this on October 8: https://lists.fedoraproject.org/pipermail/package-announce/2014-October/141106.html
Status: NEW => ASSIGNED
(In reply to David Walser from comment #0)
> Upstream has announced version 1.12.9 on September 17:
> http://framework.zend.com/blog/zend-framework-1-12-9-2-2-8-and-2-3-3-released.html
>
> It fixes two security issues:
> http://framework.zend.com/security/advisory/ZF2014-05
> http://framework.zend.com/security/advisory/ZF2014-06
>
> Mageia 3 and Mageia 4 are also affected.
>
> As a side note, Guillaume Rousse just imported php-ZendFramework2 2.3.3 into Cauldron. Do we need to keep the older one there?

I don't think we should replace it this late in the development cycle. Even as upstream claims version 2 fully replaces version 1.

>
> Reproducible:
>
> Steps to Reproduce:
update to version 1.12.9 in svn. Will ask for Freeze push.
(In reply to Thomas Spuhler from comment #3)
> (In reply to David Walser from comment #0)
> > As a side note, Guillaume Rousse just imported php-ZendFramework2 2.3.3 into Cauldron. Do we need to keep the older one there?
> I don't think we should replace it this late in the development cycle. Even as upstream claims version 2 fully replaces version 1.

Guillaume already imported version 2. The real question is, can the packages currently using version 1 be made to work with version 2? If so, then let's do it.

https://ml.mageia.org/l/arc/dev/2014-10/msg00413.html
This bug has been fixed by upgrading to version 1.12.9.

The following packages are now in upgrade_testing, ready to be validated:

php-ZendFramework-1.12.9-1.mga3.src.rpm
php-ZendFramework-1.12.9-1.mga3.noarch.rpm
php-ZendFramework-demos-1.12.9-1.mga3.noarch.rpm
php-ZendFramework-tests-1.12.9-1.mga3.noarch.rpm
php-ZendFramework-extras-1.12.9-1.mga3.noarch.rpm
php-ZendFramework-Cache-Backend-Apc-1.12.9-1.mga3.noarch.rpm
php-ZendFramework-Cache-Backend-Memcached-1.12.9-1.mga3.noarch.rpm
php-ZendFramework-Captcha-1.12.9-1.mga3.noarch.rpm
php-ZendFramework-Dojo-1.12.9-1.mga3.noarch.rpm
php-ZendFramework-Feed-1.12.9-1.mga3.noarch.rpm
php-ZendFramework-Gdata-1.12.9-1.mga3.noarch.rpm
php-ZendFramework-Pdf-1.12.9-1.mga3.noarch.rpm
php-ZendFramework-Search-Lucene-1.12.9-1.mga3.noarch.rpm
php-ZendFramework-Services-1.12.9-1.mga3.noarch.rpm

Same for mga4

Assigning to QA
Assignee: thomas => qa-bugs
(In reply to David Walser from comment #5)
> (In reply to Thomas Spuhler from comment #3)
> > (In reply to David Walser from comment #0)
> > > As a side note, Guillaume Rousse just imported php-ZendFramework2 2.3.3 into Cauldron. Do we need to keep the older one there?
> > I don't think we should replace it this late in the development cycle. Even as upstream claims version 2 fully replaces version 1.
>
> Guillaume already imported version 2. The real question is, can the packages currently using version 1 be made to work with version 2? If so, then let's do it.
>
> https://ml.mageia.org/l/arc/dev/2014-10/msg00413.html

I read those threads. There is more than one question:

Are there any of our packages that don't work with version 2? I don't know. Who wants to test them all. It's not just php-ZendFramework. It's all of them above.

Second, how many users of Mageia have their own software based on using ZendFramework that may not work with version 2? There must be a good reason why upstream (a for profit company) still maintains both.

Importing version 2 was a good idea, so our clients can start testing it.

Basically, I cannot comprehend why we have a version freeze, when we continue to do major upgrades such as moving from version 1 to version 2, or upgrading the RPM and creating hundreds of deps issues.
CC: (none) => thomas
Well, obviously my concern is that we've just now doubled the work for maintaining these packages for Mageia 5, by importing version 2 at the last minute.
Thanks for the update Thomas!

Advisory:
========================

Updated php-ZendFramework packages fix security vulnerabilities:

Due to a bug in PHP's LDAP extension, when ZendFramework's Zend_ldap class is used for logins, an attacker can log in as any user by using a null byte to bypass the empty password check and perform an unauthenticated LDAP bind (CVE-2014-8088).

The sqlsrv PHP extension, which provides the ability to connect to Microsoft SQL Server from PHP, does not provide a built-in quoting mechanism for manually quoting values to pass via SQL queries; developers are encouraged to use prepared statements. Zend Framework provides quoting mechanisms via Zend_Db_Adapter_Sqlsrv which uses the recommended "double single quote" ('') as quoting delimiters. SQL Server treats null bytes in a query as a string terminator, allowing an attacker to add arbitrary SQL following a null byte, and thus create a SQL injection (CVE-2014-8089).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8088
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8089
http://framework.zend.com/security/advisory/ZF2014-05
http://framework.zend.com/security/advisory/ZF2014-06
http://framework.zend.com/blog/zend-framework-1-12-9-2-2-8-and-2-3-3-released.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-October/141106.html
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Version: Cauldron => 4
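Both issues in the advisory above come down to a null byte crossing a boundary where the next layer treats it as a string terminator. The following is an added example, not Zend Framework code and not the upstream fix: it shows the pre-checks a caller would apply before passing untrusted input to PHP's ldap extension (CVE-2014-8088 pattern) or building a quoted SQL Server literal by hand (CVE-2014-8089 pattern). Function names, messages and the sample inputs are illustrative and constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example (not Zend Framework code): null-byte checks applied before
// untrusted input reaches ldap_bind() or a hand-quoted SQL Server literal.
// Function names and inputs are illustrative.

/**
 * CVE-2014-8088 pattern. The affected PHP ldap extension handed $password to
 * the C LDAP client as a NUL-terminated string, so "\0anything" reached the
 * server as "" and the server performed an unauthenticated bind, even though
 * $password === '' is false on the PHP side. Reject both cases before binding.
 */
function assertBindablePassword(string $password): void
{
    if ($password === '') {
        throw new InvalidArgumentException('empty password: would be an anonymous bind');
    }
    if (strpos($password, "\0") !== false) {
        throw new InvalidArgumentException('null byte in password: truncates to an anonymous bind');
    }
}

/**
 * CVE-2014-8089 pattern. Per the advisory, SQL Server treats a null byte as a
 * string terminator, so doubling single quotes alone does not keep text after
 * the NUL inside the literal. Refusing null bytes (rather than silently
 * stripping them) is a design choice for this example; prepared statements
 * remain the primary defence the advisory recommends.
 */
function quoteForSqlsrv(string $value): string
{
    if (strpos($value, "\0") !== false) {
        throw new InvalidArgumentException('null byte in SQL value');
    }
    return "'" . str_replace("'", "''", $value) . "'";
}

// Constructed inputs, in the spirit of the two advisories.
$ldapPasswords = ["s3cret", "", "\0ignored-by-libldap"];
$sqlValues     = ["O'Brien", "abc\0' OR 1=1--"];

foreach ($ldapPasswords as $pw) {
    try {
        assertBindablePassword($pw);
        echo 'LDAP ok     : ', json_encode($pw), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'LDAP reject : ', json_encode($pw), ' (', $e->getMessage(), ")\n";
    }
}

foreach ($sqlValues as $v) {
    try {
        echo 'SQL  quoted : ', quoteForSqlsrv($v), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'SQL  reject : ', json_encode($v), ' (', $e->getMessage(), ")\n";
    }
}
```

Run it with the PHP CLI (`php example.php`); only the first LDAP password and the first SQL value pass, the other three are rejected at the PHP layer before any bind or query is attempted. The lesson for application code is that an empty-string comparison in PHP says nothing about what a C library or a database engine will see once a NUL is present.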
Procedure in https://bugs.mageia.org/show_bug.cgi?id=13708#c3
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Advisory uploaded.
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure advisory
CC: (none) => remi
Testing complete on Mageia 3 64bit.
Whiteboard: MGA3TOO has_procedure advisory => MGA3TOO has_procedure MGA3-64-OK advisory
Testing on Mageia 4-64

Followed procedure mentioned in comment 10.

On current package, proceeded with installation, in a browser went to:
http://127.0.0.1/Zend/public/index.php
browsed in and signed the guest-book (olier@gmail.com)

Installed updated-testing packages:
- php-ZendFramework-1.12.9-1.mga4.noarch
- php-ZendFramework-Cache-Backend-Apc-1.12.9-1.mga4.noarch
- php-ZendFramework-Cache-Backend-Memcached-1.12.9-1.mga4.noarch
- php-ZendFramework-Captcha-1.12.9-1.mga4.noarch
- php-ZendFramework-demos-1.12.9-1.mga4.noarch
- php-ZendFramework-Dojo-1.12.9-1.mga4.noarch
- php-ZendFramework-extras-1.12.9-1.mga4.noarch
- php-ZendFramework-Feed-1.12.9-1.mga4.noarch
- php-ZendFramework-Gdata-1.12.9-1.mga4.noarch
- php-ZendFramework-Pdf-1.12.9-1.mga4.noarch
- php-ZendFramework-Search-Lucene-1.12.9-1.mga4.noarch
- php-ZendFramework-Services-1.12.9-1.mga4.noarch
- php-ZendFramework-tests-1.12.9-1.mga4.noarch

In a browser went to http://127.0.0.1/Zend/public/index.php
Signed the guest-book a second time (olivier_cc@gmail.com)

All OK
CC: (none) => olchal
Whiteboard: MGA3TOO has_procedure MGA3-64-OK advisory => MGA3TOO has_procedure MGA3-64-OK advisory MGA4-64-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0434.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED