Upstream has issued an advisory on May 7: http://framework.zend.com/security/advisory/ZF2015-04
The issue is fixed upstream in 1.2.12 and 2.3.8. 2.3.9 fixed a regression:
http://framework.zend.com/blog/zend-framework-1-12-12-released.html
http://framework.zend.com/blog/zend-framework-2-3-8-and-2-4-1-released.html
http://framework.zend.com/blog/zend-framework-2-3-9-and-2-4-2-released.html
CC: (none) => guillomovitch, oe
Whiteboard: (none) => MGA5TOO, MGA4TOO
Fedora has issued an advisory for this on May 10: https://lists.fedoraproject.org/pipermail/package-announce/2015-May/158262.html
Debian has also issued an advisory for this (for ZF1) today: https://lists.debian.org/debian-security-announce/2015/msg00155.html
The DSA will be posted here: https://www.debian.org/security/2015/dsa-3265
Only the CVE-2015-3154 is still relevant for us; we fixed the others in previous updates.
URL: (none) => http://lwn.net/Vulnerabilities/645240/
1.2.13 has also been released fixing a regression: http://framework.zend.com/blog/zend-framework-1-12-13-released.html
Checked into Cauldron SVN. Freeze push requested.
Updated packages uploaded for Mageia 4 and Cauldron.

Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=13708#c3

Advisory:
========================

Updated php-ZendFramework packages fix security vulnerability:

Filippo Tessarotto and Maks3w reported potential CRLF injection attacks in mail and HTTP headers in ZendFramework before 1.2.12 (CVE-2015-3154).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3154
http://framework.zend.com/security/advisory/ZF2015-04
http://framework.zend.com/blog/zend-framework-1-12-10-released.html
http://framework.zend.com/blog/zend-framework-1-12-11-released.html
http://framework.zend.com/blog/zend-framework-1-12-12-released.html
http://framework.zend.com/blog/zend-framework-1-12-13-released.html
https://www.debian.org/security/2015/dsa-3265
========================

Updated packages in core/updates_testing:
========================
php-ZendFramework-1.12.13-1.mga4
php-ZendFramework-demos-1.12.13-1.mga4
php-ZendFramework-tests-1.12.13-1.mga4
php-ZendFramework-extras-1.12.13-1.mga4
php-ZendFramework-Cache-Backend-Apc-1.12.13-1.mga4
php-ZendFramework-Cache-Backend-Memcached-1.12.13-1.mga4
php-ZendFramework-Captcha-1.12.13-1.mga4
php-ZendFramework-Dojo-1.12.13-1.mga4
php-ZendFramework-Feed-1.12.13-1.mga4
php-ZendFramework-Gdata-1.12.13-1.mga4
php-ZendFramework-Pdf-1.12.13-1.mga4
php-ZendFramework-Search-Lucene-1.12.13-1.mga4
php-ZendFramework-Services-1.12.13-1.mga4

from php-ZendFramework-1.12.13-1.mga4.src.rpm
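For readers who want to see what the advisory's vulnerability class looks like from the defending side, here is an added illustration of a header-value check that refuses CR/LF before a value reaches a mail or HTTP header. This is example code written for this page, not Zend Framework's own code and not the packaged fix; the function names and the sample inputs are constructed for the example.

```php
<?php
// Added example, not Zend Framework code. A header value that contains a
// carriage return or line feed would start a new header line (or terminate
// the header block) when the message is serialised, which is the injection
// the advisory describes. Rejecting such values is the safer failure mode;
// silently stripping the characters can leave the caller unaware that
// untrusted input reached a header.

function isSafeHeaderValue(string $value): bool
{
    // CR and LF are the line-splitting characters: refuse them outright.
    if (strpbrk($value, "\r\n") !== false) {
        return false;
    }
    // Other ASCII control characters (everything below 0x20 except
    // horizontal tab, plus DEL) have no place in a header value either.
    return preg_match('/[\x00-\x08\x0A-\x1F\x7F]/', $value) !== 1;
}

function buildHeaderLine(string $name, string $value): string
{
    // Header names are restricted to a conservative token alphabet.
    if (preg_match('/^[A-Za-z0-9-]+$/', $name) !== 1) {
        throw new InvalidArgumentException("Invalid header name: $name");
    }
    if (!isSafeHeaderValue($value)) {
        throw new InvalidArgumentException(
            "Header value for $name contains control characters"
        );
    }
    return $name . ': ' . $value;
}

// Constructed sample inputs: one well-formed value, one carrying a CRLF that
// would add a second header line, one with a bare LF.
$samples = [
    'Alice <alice@example.com>',
    "Alice <alice@example.com>\r\nX-Injected: 1",
    "Alice\nBob",
];

foreach ($samples as $sample) {
    try {
        echo buildHeaderLine('To', $sample), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

Run with `php example.php`: the first sample prints as a normal `To:` line and the other two are rejected. The same check belongs wherever request-derived data is copied into an HTTP response header (redirect targets, cookies), since the splitting mechanism is identical.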
CC: guillomovitch => thomas
Version: Cauldron => 4
Assignee: thomas => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => has_procedure
MGA4-32 on AcerD620 Xfce No installation issues. Followed procedure as per bug6666 Comment16, works OK
CC: (none) => herman.viaene
Whiteboard: has_procedure => has_procedure MGA4-32-OK
MGA4-64 on HP-Probook 6555b
No installation issues. Followed exactly the same as above. Got into http://127.0.0.1/Zend/public/index.php OK, but clicking on the Guestbook link gives:
An error occurred
Application error
At least the packages install well, and the application starts; is the rest an issue for us?
Tested again on MGA4-64 on HP-Probook 6555b with older version 1.12.3, that works OK.
Now installed 1.12.13 over existing 1.12.3, and now the testcase does not throw any errors anymore.
from /var/log/httpd/error_log:
[Fri Jun 05 15:27:43.143967 2015] [:error] [pid 25683] [client 127.0.0.1:55209] PHP Warning: date(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected the timezone 'UTC' for now, but please set date.timezone to select your timezone. in /var/www/html/Zend/application/models/GuestbookMapper.php on line 32, referer: http://127.0.0.1/Zend/public/index.php/guestbook/sign
That is the time the first test failed. No errors from test of previous version or from second test of the update.
You need to set date.timezone in /etc/php.ini.
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK
Validating. Advisory uploaded. Please push to 4 updates. Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0241.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED