Bug 14253 - php-ZendFramework new security issues ZF2014-05 and ZF2014-06
Summary: php-ZendFramework new security issues ZF2014-05 and ZF2014-06
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/616444/
Whiteboard: MGA3TOO has_procedure MGA3-64-OK advi...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-10-08 23:54 CEST by David Walser
Modified: 2014-10-29 12:31 CET
4 users

See Also:
Source RPM: php-ZendFramework-1.12.7-4.mga5.src.rpm
CVE:
Status comment:
Description David Walser 2014-10-08 23:54:45 CEST
Upstream has announced version 1.12.9 on September 17:
http://framework.zend.com/blog/zend-framework-1-12-9-2-2-8-and-2-3-3-released.html

It fixes two security issues:
http://framework.zend.com/security/advisory/ZF2014-05
http://framework.zend.com/security/advisory/ZF2014-06

Mageia 3 and Mageia 4 are also affected.

As a side note, Guillaume Rousse just imported php-ZendFramework2 2.3.3 into Cauldron.  Do we need to keep the older one there?

Reproducible: 

Steps to Reproduce:
David Walser 2014-10-08 23:54:50 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 David Walser 2014-10-10 17:48:37 CEST
CVE-2014-8088 and CVE-2014-8089 have been assigned today (October 10):
http://openwall.com/lists/oss-security/2014/10/10/5
David Walser 2014-10-16 18:10:25 CEST

URL: (none) => http://lwn.net/Vulnerabilities/616444/

Comment 2 David Walser 2014-10-17 14:18:35 CEST
Fedora has issued an advisory for this on October 8:
https://lists.fedoraproject.org/pipermail/package-announce/2014-October/141106.html
Thomas Spuhler 2014-10-24 19:44:36 CEST

Status: NEW => ASSIGNED

Comment 3 Thomas Spuhler 2014-10-24 20:04:15 CEST
(In reply to David Walser from comment #0)
> Upstream has announced version 1.12.9 on September 17:
> http://framework.zend.com/blog/zend-framework-1-12-9-2-2-8-and-2-3-3-
> released.html
> 
> It fixes two security issues:
> http://framework.zend.com/security/advisory/ZF2014-05
> http://framework.zend.com/security/advisory/ZF2014-06
> 
> Mageia 3 and Mageia 4 are also affected.
> 
> As a side note, Guillaume Rousse just imported php-ZendFramework2 2.3.3 into
> Cauldron.  Do we need to keep the older one there?
I don't think we should replace it this late in the development cycle, even though upstream claims version 2 fully replaces version 1.

> 
> Reproducible: 
> 
> Steps to Reproduce:
Comment 4 Thomas Spuhler 2014-10-24 20:05:16 CEST
Updated to version 1.12.9 in svn. Will ask for a freeze push.
Comment 5 David Walser 2014-10-24 20:14:32 CEST
(In reply to Thomas Spuhler from comment #3)
> (In reply to David Walser from comment #0)
> > As a side note, Guillaume Rousse just imported php-ZendFramework2 2.3.3 into
> > Cauldron.  Do we need to keep the older one there?
> I don't think we should replace it this late in the development cycle. Even
> as upstream claims version 2 fully replaces version 1.

Guillaume already imported version 2.  The real question is, can the packages currently using version 1 be made to work with version 2?  If so, then let's do it.

https://ml.mageia.org/l/arc/dev/2014-10/msg00413.html
Comment 6 Thomas Spuhler 2014-10-25 00:01:51 CEST
This bug has been fixed by upgrading to version 1.12.9. The following packages are now in upgrade_testing, ready to be validated.

php-ZendFramework-1.12.9-1.mga3.src.rpm
php-ZendFramework-1.12.9-1.mga3.noarch.rpm
php-ZendFramework-demos-1.12.9-1.mga3.noarch.rpm
php-ZendFramework-tests-1.12.9-1.mga3.noarch.rpm
php-ZendFramework-extras-1.12.9-1.mga3.noarch.rpm
php-ZendFramework-Cache-Backend-Apc-1.12.9-1.mga3.noarch.rpm
php-ZendFramework-Cache-Backend-Memcached-1.12.9-1.mga3.noarch.rpm
php-ZendFramework-Captcha-1.12.9-1.mga3.noarch.rpm
php-ZendFramework-Dojo-1.12.9-1.mga3.noarch.rpm
php-ZendFramework-Feed-1.12.9-1.mga3.noarch.rpm
php-ZendFramework-Gdata-1.12.9-1.mga3.noarch.rpm
php-ZendFramework-Pdf-1.12.9-1.mga3.noarch.rpm
php-ZendFramework-Search-Lucene-1.12.9-1.mga3.noarch.rpm
php-ZendFramework-Services-1.12.9-1.mga3.noarch.rpm

Same for mga4

Assigning to QA

Assignee: thomas => qa-bugs

Comment 7 Thomas Spuhler 2014-10-25 00:18:21 CEST
(In reply to David Walser from comment #5)
> (In reply to Thomas Spuhler from comment #3)
> > (In reply to David Walser from comment #0)
> > > As a side note, Guillaume Rousse just imported php-ZendFramework2 2.3.3 into
> > > Cauldron.  Do we need to keep the older one there?
> > I don't think we should replace it this late in the development cycle. Even
> > as upstream claims version 2 fully replaces version 1.
> 
> Guillaume already imported version 2.  The real question is, can the
> packages currently using version 1 be made to work with version 2?  If so,
> then let's do it.
> 
> https://ml.mageia.org/l/arc/dev/2014-10/msg00413.html
I read those threads.
There is more than one question:
Are there any of our packages that don't work with version 2?
I don't know. Who wants to test them all? It's not just php-ZendFramework; it's all of them above.

Second, how many users of Mageia have their own software based on ZendFramework that may not work with version 2?

There must be a good reason why upstream (a for profit company) still maintains both.
Importing version 2 was a good idea, so our clients can start testing it.

Basically, I cannot comprehend why we have a version freeze, when we continue to do major upgrades such as moving from version 1 to version 2, or upgrading the RPM and creating hundreds of deps issues.

CC: (none) => thomas

Comment 8 David Walser 2014-10-25 00:42:36 CEST
Well, obviously my concern is that we've just now doubled the work for maintaining these packages for Mageia 5 by importing version 2 at the last minute.
Comment 9 David Walser 2014-10-25 00:49:54 CEST
Thanks for the update Thomas!

Advisory:
========================

Updated php-ZendFramework packages fix security vulnerabilities:

Due to a bug in PHP's LDAP extension, when ZendFramework's Zend_ldap class is
used for logins, an attacker can log in as any user by using a null byte to
bypass the empty password check and perform an unauthenticated LDAP bind
(CVE-2014-8088).

The sqlsrv PHP extension, which provides the ability to connect to Microsoft
SQL Server from PHP, does not provide a built-in quoting mechanism for
manually quoting values to pass via SQL queries; developers are encouraged to
use prepared statements. Zend Framework provides quoting mechanisms via
Zend_Db_Adapter_Sqlsrv which uses the recommended "double single quote" ('')
as quoting delimiters. SQL Server treats null bytes in a query as a string
terminator, allowing an attacker to add arbitrary SQL following a null byte,
and thus create a SQL injection (CVE-2014-8089).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8088
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8089
http://framework.zend.com/security/advisory/ZF2014-05
http://framework.zend.com/security/advisory/ZF2014-06
http://framework.zend.com/blog/zend-framework-1-12-9-2-2-8-and-2-3-3-released.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-October/141106.html

Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Version: Cauldron => 4
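
The two advisory paragraphs above share one root cause: a NUL byte inside a PHP string that a downstream consumer (the LDAP extension in one case, SQL Server in the other) treats as a string terminator, so a check or an escaping routine that only inspects the PHP string is bypassed. The PHP below is an added example, not code from Zend Framework, from the upstream 1.12.9 fix or from the Mageia package; the `NullByteGuard` class and its method names are invented for illustration, and it assumes PHP 7 or later. It shows the pre-fix "non-empty password" test passing on a value the LDAP layer would see as empty, the doubled-single-quote escaping leaving a NUL in the literal, and the pre-checks a defender would put in front of either operation.

```php
<?php
declare(strict_types=1);

// Added example, not code from Zend Framework or from the Mageia update.
// It models the two null-byte failures described in the advisory and the
// checks that close them. Class and method names are invented; assumes PHP 7+.

final class NullByteGuard
{
    // True when $value carries no NUL byte ("\0").
    public static function isNulFree(string $value): bool
    {
        return strpos($value, "\0") === false;
    }

    // The pre-fix application-level check: "is the password non-empty?"
    // A value such as "\0x" passes, although the LDAP layer will see "".
    public static function legacyPasswordCheckPasses(string $password): bool
    {
        return $password !== '';
    }

    // What a C-string consumer receives: the bytes before the first NUL.
    // This truncation turned "\0x" into an empty password and hence into
    // an unauthenticated LDAP bind (CVE-2014-8088).
    public static function asSeenByCString(string $value): string
    {
        $pos = strpos($value, "\0");
        return $pos === false ? $value : substr($value, 0, $pos);
    }

    // Hardened check to run before any bind: reject NUL bytes outright and
    // insist on a non-empty password, so a bind attempt can never silently
    // degrade to an anonymous bind.
    public static function assertBindableCredentials(string $username, string $password): void
    {
        if (!self::isNulFree($username) || !self::isNulFree($password) || $password === '') {
            throw new InvalidArgumentException('Invalid credentials');
        }
    }

    // Quoting as the advisory describes it: only the single quote is doubled.
    // Correct against quote characters, but a NUL byte survives into the
    // literal, and SQL Server stops reading the string there (CVE-2014-8089).
    public static function naiveQuote(string $value): string
    {
        return "'" . str_replace("'", "''", $value) . "'";
    }

    // Hardened quoting: no escape sequence makes a NUL byte safe for a server
    // that treats it as a terminator, so refuse the value. Prepared statements
    // remain the preferred approach.
    public static function strictQuote(string $value): string
    {
        if (!self::isNulFree($value)) {
            throw new InvalidArgumentException('NUL byte in SQL literal');
        }
        return self::naiveQuote($value);
    }
}

// Constructed demonstration values; the SQL case uses a harmless tail.
$nulPassword = "\0anything";
printf("legacy non-empty check passes: %s\n",
    NullByteGuard::legacyPasswordCheckPasses($nulPassword) ? 'yes' : 'no');
printf("LDAP extension would bind with a password of length %d\n",
    strlen(NullByteGuard::asSeenByCString($nulPassword)));
try {
    NullByteGuard::assertBindableCredentials('alice', $nulPassword);
    echo "hardened check: accepted\n";
} catch (InvalidArgumentException $e) {
    echo "hardened check: rejected (" . $e->getMessage() . ")\n";
}

$nulValue = "O'Brien\0 trailing text";
printf("naive quote keeps the NUL: %s\n",
    NullByteGuard::isNulFree(NullByteGuard::naiveQuote($nulValue)) ? 'no' : 'yes');
try {
    NullByteGuard::strictQuote($nulValue);
    echo "strict quote: accepted\n";
} catch (InvalidArgumentException $e) {
    echo "strict quote: rejected (" . $e->getMessage() . ")\n";
}
echo "strict quote of a clean value: " . NullByteGuard::strictQuote("O'Brien") . "\n";
```

Run it with `php example.php`. The point of `asSeenByCString` is that the length check and the consumer disagree about the same bytes; any input validation that runs before a C-level API or a database driver has to reject NUL bytes explicitly rather than rely on emptiness or quote escaping.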

Comment 10 Rémi Verschelde 2014-10-27 19:07:13 CET
Procedure in https://bugs.mageia.org/show_bug.cgi?id=13708#c3

Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 11 Rémi Verschelde 2014-10-28 13:51:36 CET
Advisory uploaded.

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure advisory
CC: (none) => remi

Comment 12 Rémi Verschelde 2014-10-28 13:58:26 CET
Testing complete on Mageia 3 64bit.

Whiteboard: MGA3TOO has_procedure advisory => MGA3TOO has_procedure MGA3-64-OK advisory

Comment 13 olivier charles 2014-10-28 16:40:25 CET
Testing on Mageia 4-64

Followed procedure mentioned in comment 10.

On the current package, proceeded with installation; in a browser went to:
http://127.0.0.1/Zend/public/index.php
browsed in and signed the guest-book (olier@gmail.com)

Installed updated-testing packages:
- php-ZendFramework-1.12.9-1.mga4.noarch
- php-ZendFramework-Cache-Backend-Apc-1.12.9-1.mga4.noarch
- php-ZendFramework-Cache-Backend-Memcached-1.12.9-1.mga4.noarch
- php-ZendFramework-Captcha-1.12.9-1.mga4.noarch
- php-ZendFramework-demos-1.12.9-1.mga4.noarch
- php-ZendFramework-Dojo-1.12.9-1.mga4.noarch
- php-ZendFramework-extras-1.12.9-1.mga4.noarch
- php-ZendFramework-Feed-1.12.9-1.mga4.noarch
- php-ZendFramework-Gdata-1.12.9-1.mga4.noarch
- php-ZendFramework-Pdf-1.12.9-1.mga4.noarch
- php-ZendFramework-Search-Lucene-1.12.9-1.mga4.noarch
- php-ZendFramework-Services-1.12.9-1.mga4.noarch
- php-ZendFramework-tests-1.12.9-1.mga4.noarch

In a browser went to http://127.0.0.1/Zend/public/index.php
Signed the guest-book a second time (olivier_cc@gmail.com)

All OK

CC: (none) => olchal
Whiteboard: MGA3TOO has_procedure MGA3-64-OK advisory => MGA3TOO has_procedure MGA3-64-OK advisory MGA4-64-OK

Comment 14 Rémi Verschelde 2014-10-29 09:53:05 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 15 Mageia Robot 2014-10-29 12:31:24 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0434.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

