Upstream has issued an advisory on August 3: http://framework.zend.com/security/advisory/ZF2015-06
The issue was fixed in versions 1.12.14 and 2.4.6: http://framework.zend.com/blog/zend-framework-1-12-14-2-4-6-and-2-5-2-released.html
The current versions are bugfix releases 1.12.15 and 2.4.7 (released August 11): http://framework.zend.com/blog/zend-framework-1-12-15-and-2-4-7-released.html
Debian has issued an advisory for this on August 19:
https://lists.debian.org/debian-security-announce/2015/msg00239.html
https://www.debian.org/security/2015/dsa-3340
Mageia 4 and Mageia 5 are also affected.
Whiteboard: (none) => MGA5TOO, MGA4TOO
I take php-ZendFramework (maintainer nobody) but we have a maintainer for php-ZendFramework2 (guillomovitch).
Assignee: thomas => guillomovitch
We may better upgrade to version 1.12.15 http://framework.zend.com/blog/zend-framework-1-12-15-and-2-4-7-released.html
CC: (none) => thomas
php-ZendFramework2 updated to 2.4.7 in cauldron.
Resolved by upgrading to maintenance release 1.12.15. This solves some bugs that were added in 1.12.14.

The following files are now in mga4, upgrades testing:
php-ZendFramework-1.12.15-1.mga4.src.rpm
php-ZendFramework-1.12.15-1.mga4.noarch.rpm
php-ZendFramework-demos-1.12.15-1.mga4.noarch.rpm
php-ZendFramework-tests-1.12.15-1.mga4.noarch.rpm
php-ZendFramework-extras-1.12.15-1.mga4.noarch.rpm
php-ZendFramework-Cache-Backend-Apc-1.12.15-1.mga4.noarch.rpm
php-ZendFramework-Cache-Backend-Memcached-1.12.15-1.mga5.noarch.rpm
php-ZendFramework-Captcha-1.12.15-1.mga4.noarch.rpm
php-ZendFramework-Dojo-1.12.15-1.mga4.noarch.rpm
php-ZendFramework-Feed-1.12.15-1.mga4.noarch.rpm
php-ZendFramework-Gdata-1.12.15-1.mga4.noarch.rpm
php-ZendFramework-Pdf-1.12.15-1.mga4.noarch.rpm
php-ZendFramework-Search-Lucene-1.12.15-1.mga4.noarch.rpm
php-ZendFramework-Services-1.12.15-1.mga4.noarch.rpm

The following files are now in mga5, upgrades testing:
php-ZendFramework-1.12.15-1.mga5.src.rpm
php-ZendFramework-1.12.15-1.mga5.noarch.rpm
php-ZendFramework-demos-1.12.15-1.mga5.noarch.rpm
php-ZendFramework-tests-1.12.15-1.mga5.noarch.rpm
php-ZendFramework-extras-1.12.15-1.mga5.noarch.rpm
php-ZendFramework-Cache-Backend-Apc-1.12.15-1.mga5.noarch.rpm
php-ZendFramework-Cache-Backend-Memcached-1.12.15-1.mga5.noarch.rpm
php-ZendFramework-Captcha-1.12.15-1.mga5.noarch.rpm
php-ZendFramework-Dojo-1.12.15-1.mga5.noarch.rpm
php-ZendFramework-Feed-1.12.15-1.mga5.noarch.rpm
php-ZendFramework-Gdata-1.12.15-1.mga5.noarch.rpm
php-ZendFramework-Pdf-1.12.15-1.mga5.noarch.rpm
php-ZendFramework-Search-Lucene-1.12.15-1.mga5.noarch.rpm
php-ZendFramework-Services-1.12.15-1.mga5.noarch.rpm

I am checking if we can obsolete this package in cauldron, but right now I fixed it by upgrading.
(In reply to Guillaume Rousse from comment #3)
> php-ZendFramework2 updated to 2.4.7 in cauldron.
I guess we should do the same for Mageia 5?
Version: Cauldron => 5
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO
Updated packages uploaded for Mageia 4, Mageia 5, and Cauldron.

See Comment 4 for the php-ZendFramework package list.

php-ZendFramework2 (Mageia 5 only) package list:
php-ZendFramework2-2.4.7-1.mga5
php-ZendFramework2-Authentication-2.4.7-1.mga5
php-ZendFramework2-Barcode-2.4.7-1.mga5
php-ZendFramework2-Cache-2.4.7-1.mga5
php-ZendFramework2-Captcha-2.4.7-1.mga5
php-ZendFramework2-Code-2.4.7-1.mga5
php-ZendFramework2-Config-2.4.7-1.mga5
php-ZendFramework2-Console-2.4.7-1.mga5
php-ZendFramework2-Crypt-2.4.7-1.mga5
php-ZendFramework2-Db-2.4.7-1.mga5
php-ZendFramework2-Debug-2.4.7-1.mga5
php-ZendFramework2-Di-2.4.7-1.mga5
php-ZendFramework2-Dom-2.4.7-1.mga5
php-ZendFramework2-Escaper-2.4.7-1.mga5
php-ZendFramework2-EventManager-2.4.7-1.mga5
php-ZendFramework2-Feed-2.4.7-1.mga5
php-ZendFramework2-File-2.4.7-1.mga5
php-ZendFramework2-Filter-2.4.7-1.mga5
php-ZendFramework2-Form-2.4.7-1.mga5
php-ZendFramework2-Http-2.4.7-1.mga5
php-ZendFramework2-I18n-2.4.7-1.mga5
php-ZendFramework2-InputFilter-2.4.7-1.mga5
php-ZendFramework2-Json-2.4.7-1.mga5
php-ZendFramework2-Ldap-2.4.7-1.mga5
php-ZendFramework2-Loader-2.4.7-1.mga5
php-ZendFramework2-Log-2.4.7-1.mga5
php-ZendFramework2-Mail-2.4.7-1.mga5
php-ZendFramework2-Math-2.4.7-1.mga5
php-ZendFramework2-Memory-2.4.7-1.mga5
php-ZendFramework2-Mime-2.4.7-1.mga5
php-ZendFramework2-ModuleManager-2.4.7-1.mga5
php-ZendFramework2-Mvc-2.4.7-1.mga5
php-ZendFramework2-Navigation-2.4.7-1.mga5
php-ZendFramework2-Paginator-2.4.7-1.mga5
php-ZendFramework2-Permissions-Acl-2.4.7-1.mga5
php-ZendFramework2-Permissions-Rbac-2.4.7-1.mga5
php-ZendFramework2-ProgressBar-2.4.7-1.mga5
php-ZendFramework2-Serializer-2.4.7-1.mga5
php-ZendFramework2-Server-2.4.7-1.mga5
php-ZendFramework2-ServiceManager-2.4.7-1.mga5
php-ZendFramework2-Session-2.4.7-1.mga5
php-ZendFramework2-Soap-2.4.7-1.mga5
php-ZendFramework2-Stdlib-2.4.7-1.mga5
php-ZendFramework2-Tag-2.4.7-1.mga5
php-ZendFramework2-Test-2.4.7-1.mga5
php-ZendFramework2-Text-2.4.7-1.mga5
php-ZendFramework2-Uri-2.4.7-1.mga5
php-ZendFramework2-Validator-2.4.7-1.mga5
php-ZendFramework2-Version-2.4.7-1.mga5
php-ZendFramework2-View-2.4.7-1.mga5
php-ZendFramework2-XmlRpc-2.4.7-1.mga5
php-ZendFramework2-ZendXml-2.4.7-1.mga5

from php-ZendFramework2-2.4.7-1.mga5.src.rpm
CC: (none) => guillomovitch
Assignee: guillomovitch => qa-bugs
Advisory (Mageia 4):
========================

Updated php-ZendFramework packages fix security vulnerability:

Dawid Golunski discovered that when running under PHP-FPM in a threaded environment, Zend Framework, a PHP framework, did not properly handle XML data in multibyte encoding. This could be used by remote attackers to perform an XML External Entity attack via crafted XML data (CVE-2015-5161).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5161
http://framework.zend.com/blog/zend-framework-1-12-14-2-4-6-and-2-5-2-released.html
http://framework.zend.com/blog/zend-framework-1-12-15-and-2-4-7-released.html
http://framework.zend.com/security/advisory/ZF2015-06
https://www.debian.org/security/2015/dsa-3340

Advisory (Mageia 5):
========================

Updated php-ZendFramework and php-ZendFramework2 packages fix security vulnerability:

Dawid Golunski discovered that when running under PHP-FPM in a threaded environment, Zend Framework, a PHP framework, did not properly handle XML data in multibyte encoding. This could be used by remote attackers to perform an XML External Entity attack via crafted XML data (CVE-2015-5161).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5161
http://framework.zend.com/blog/zend-framework-1-12-14-2-4-6-and-2-5-2-released.html
http://framework.zend.com/blog/zend-framework-1-12-15-and-2-4-7-released.html
http://framework.zend.com/security/advisory/ZF2015-06
https://www.debian.org/security/2015/dsa-3340
Testing procedure (php-ZendFramework): https://bugs.mageia.org/show_bug.cgi?id=13708#c3

php-ZendFramework2 is used by glpi and galette.
Whiteboard: MGA4TOO => MGA4TOO has_procedure
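The advisory above says the framework mishandled XML in a multibyte encoding, which let a DTD with external entities reach the parser. As an added illustration (not Mageia's or Zend Framework's code) the Python below shows why a DOCTYPE/ENTITY pre-check on untrusted XML has to run on encoding-normalised text rather than on the raw bytes; the helper names and the sample document are constructed for this example.

```python
import re

# Added example, not Zend Framework's or Mageia's code. Constructed helper
# names; the sample document at the bottom is constructed as well.

# Byte-order marks and the encodings they announce, longest first so a
# UTF-32 mark is not mistaken for a UTF-16 one.
BOMS = [
    (b"\x00\x00\xfe\xff", "utf-32-be"),
    (b"\xff\xfe\x00\x00", "utf-32-le"),
    (b"\xfe\xff", "utf-16-be"),
    (b"\xff\xfe", "utf-16-le"),
    (b"\xef\xbb\xbf", "utf-8"),
]

def detect_encoding(data: bytes) -> str:
    """Guess the encoding from the BOM, or from how '<?' is encoded."""
    for bom, enc in BOMS:
        if data.startswith(bom):
            return enc
    if data.startswith(b"<\x00?\x00"):
        return "utf-16-le"
    if data.startswith(b"\x00<\x00?"):
        return "utf-16-be"
    return "utf-8"

def naive_has_doctype(data: bytes) -> bool:
    """Raw-byte scan. In UTF-16 every ASCII letter is interleaved with a
    NUL byte, so the ASCII markers are never found in such a document."""
    upper = data.upper()
    return b"<!DOCTYPE" in upper or b"<!ENTITY" in upper

def has_doctype(data: bytes) -> bool:
    """Decode with the detected encoding first, then scan the text. A
    defender refuses any untrusted document for which this returns True,
    whatever encoding it arrived in."""
    text = data.decode(detect_encoding(data), errors="replace")
    return re.search(r"<!(DOCTYPE|ENTITY)", text, re.IGNORECASE) is not None

# Constructed sample: one document with a harmless internal DTD, encoded
# as UTF-8 and as UTF-16 (little-endian, with a byte-order mark).
SAMPLE = '<?xml version="1.0"?><!DOCTYPE n [<!ENTITY g "hi">]><n>&g;</n>'
SAMPLE_UTF8 = SAMPLE.encode("utf-8")
SAMPLE_UTF16 = b"\xff\xfe" + SAMPLE.encode("utf-16-le")
```

Run against the two samples, the raw-byte scan flags only the UTF-8 copy while the normalised check flags both.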
In VirtualBox, M4, KDE, 32-bit

Set up per testing procedure (php-ZendFramework): https://bugs.mageia.org/show_bug.cgi?id=13708#c3

Package(s) under test: php-ZendFramework

default install of php-ZendFramework

[root@localhost wilcal]# urpmi php-ZendFramework
Package php-ZendFramework-1.12.13-1.mga4.noarch is already installed

When I attempt to sign in on the guestbook the following error is displayed:

ZF Quickstart Application
An error occurred
Application error
CC: (none) => wilcal.int
Someone asked somewhere (not here) if their testing of galette was OK since it wasn't easy to understand. As long as it doesn't error out fatally or have serious visual regressions vs. when the previous Zend is installed, that's sufficient to give this the OK. You don't need to get galette fully configured and operational.
System: MGA5-32

I installed OwnCloud. Instructions work as they are. Instructions are here: https://wiki.mageia.org/en/OwnCloud
The documentation is thorough. Do note you can use SQLite too by default in OwnCloud. Note also OwnCloud will default to /var. I found you can have more control by creating another folder in home owned by apache. This is a good idea on a small instance, or you can create a separate drive. The configuration file is: /usr/share/owncloud/config/config.php

Installation of Galette: I found the instructions here: http://galette.eu/documentation/fr/installation/galette.html
You'll find the php.ini file in /etc. You'll need to manually set up the timezone.

Per note at 2015-0914 23:04:07 - no screen rendering issues during the installation process. It all seems to work for me.
CC: (none) => brtians1
Whiteboard: MGA4TOO has_procedure => MGA4TOO has_procedure MGA5-32-OK
Testing complete mga4 32. Followed https://bugs.mageia.org/show_bug.cgi?id=13708#c3
Whiteboard: MGA4TOO has_procedure MGA5-32-OK => MGA4TOO has_procedure MGA5-32-OK mga4-32-ok
Validating. Separate advisories uploaded combining comment 4, comment 6 & comment 7. Please push to 4 & 5 updates. Thanks.
Keywords: (none) => validated_update
Whiteboard: MGA4TOO has_procedure MGA5-32-OK mga4-32-ok => MGA4TOO has_procedure advisory MGA5-32-OK mga4-32-ok
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0370.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0371.html