Upstream has issued advisories on September 15:
http://framework.zend.com/security/advisory/ZF2015-07
http://framework.zend.com/security/advisory/ZF2015-08
The issues are fixed in 1.12.16 and 2.4.8.
Fedora has issued an advisory for this today (September 25):
https://lists.fedoraproject.org/pipermail/package-announce/2015-September/167698.html
Mageia 5 is also affected.
CC: (none) => guillomovitch
Whiteboard: (none) => MGA5TOO
Zendframework has been obsoleted in cauldron. Only needs fix in mga5
Resolved for mga5. These updated packages are now in updates_testing:
php-ZendFramework-1.12.16-1.mga5.src.rpm
php-ZendFramework-1.12.16-1.mga5.noarch.rpm
php-ZendFramework-demos-1.12.16-1.mga5.noarch.rpm
php-ZendFramework-tests-1.12.16-1.mga5.noarch.rpm
php-ZendFramework-extras-1.12.16-1.mga5.noarch.rpm
php-ZendFramework-Cache-Backend-Apc-1.12.16-1.mga5.noarch.rpm
php-ZendFramework-Cache-Backend-Memcached-1.12.16-1.mga5.noarch.rpm
php-ZendFramework-Captcha-1.12.16-1.mga5.noarch.rpm
php-ZendFramework-Dojo-1.12.16-1.mga5.noarch.rpm
php-ZendFramework-Feed-1.12.16-1.mga5.noarch.rpm
php-ZendFramework-Gdata-1.12.16-1.mga5.noarch.rpm
php-ZendFramework-Pdf-1.12.16-1.mga5.noarch.rpm
php-ZendFramework-Search-Lucene-1.12.16-1.mga5.noarch.rpm
php-ZendFramework-Services-1.12.16-1.mga5.noarch.rpm
Maintainer of php-ZendFramework2, please assign to QA when done.
Status: NEW => ASSIGNED
Re-assigning to maintainer of ZendFramework2
Assignee: thomas => guillomovitch
CVE request for ZF2015-08: http://openwall.com/lists/oss-security/2015/09/30/6
Updated packages uploaded for Mageia 5 and Cauldron.
Testing procedures in Bug 16624.
Advisory:
========================
Updated php-ZendFramework and php-ZendFramework2 packages fix security vulnerabilities:
Zend Framework contained several instances where it was using incorrect permissions masks, which could lead to local privilege escalation issues (CVE-2015-5723).
The PDO adapters of Zend Framework 1 do not filter null bytes values in SQL statements. A PDO adapter can treat null bytes in a query as a string terminator, allowing an attacker to add arbitrary SQL following a null byte, and thus create a SQL injection (ZF2015-08).
Note that the ZF2015-08 issue did not affect Zend Framework 2.
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5723
http://framework.zend.com/security/advisory/ZF2015-07
http://framework.zend.com/security/advisory/ZF2015-08
https://lists.fedoraproject.org/pipermail/package-announce/2015-September/167698.html
========================
Updated packages in core/updates_testing:
========================
php-ZendFramework-1.12.16-1.mga5
php-ZendFramework-demos-1.12.16-1.mga5
php-ZendFramework-tests-1.12.16-1.mga5
php-ZendFramework-extras-1.12.16-1.mga5
php-ZendFramework-Cache-Backend-Apc-1.12.16-1.mga5
php-ZendFramework-Cache-Backend-Memcached-1.12.16-1.mga5
php-ZendFramework-Captcha-1.12.16-1.mga5
php-ZendFramework-Dojo-1.12.16-1.mga5
php-ZendFramework-Feed-1.12.16-1.mga5
php-ZendFramework-Gdata-1.12.16-1.mga5
php-ZendFramework-Pdf-1.12.16-1.mga5
php-ZendFramework-Search-Lucene-1.12.16-1.mga5
php-ZendFramework-Services-1.12.16-1.mga5
php-ZendFramework2-2.4.8-1.mga5
php-ZendFramework2-Authentication-2.4.8-1.mga5
php-ZendFramework2-Barcode-2.4.8-1.mga5
php-ZendFramework2-Cache-2.4.8-1.mga5
php-ZendFramework2-Captcha-2.4.8-1.mga5
php-ZendFramework2-Code-2.4.8-1.mga5
php-ZendFramework2-Config-2.4.8-1.mga5
php-ZendFramework2-Console-2.4.8-1.mga5
php-ZendFramework2-Crypt-2.4.8-1.mga5
php-ZendFramework2-Db-2.4.8-1.mga5
php-ZendFramework2-Debug-2.4.8-1.mga5
php-ZendFramework2-Di-2.4.8-1.mga5
php-ZendFramework2-Dom-2.4.8-1.mga5
php-ZendFramework2-Escaper-2.4.8-1.mga5
php-ZendFramework2-EventManager-2.4.8-1.mga5
php-ZendFramework2-Feed-2.4.8-1.mga5
php-ZendFramework2-File-2.4.8-1.mga5
php-ZendFramework2-Filter-2.4.8-1.mga5
php-ZendFramework2-Form-2.4.8-1.mga5
php-ZendFramework2-Http-2.4.8-1.mga5
php-ZendFramework2-I18n-2.4.8-1.mga5
php-ZendFramework2-InputFilter-2.4.8-1.mga5
php-ZendFramework2-Json-2.4.8-1.mga5
php-ZendFramework2-Ldap-2.4.8-1.mga5
php-ZendFramework2-Loader-2.4.8-1.mga5
php-ZendFramework2-Log-2.4.8-1.mga5
php-ZendFramework2-Mail-2.4.8-1.mga5
php-ZendFramework2-Math-2.4.8-1.mga5
php-ZendFramework2-Memory-2.4.8-1.mga5
php-ZendFramework2-Mime-2.4.8-1.mga5
php-ZendFramework2-ModuleManager-2.4.8-1.mga5
php-ZendFramework2-Mvc-2.4.8-1.mga5
php-ZendFramework2-Navigation-2.4.8-1.mga5
php-ZendFramework2-Paginator-2.4.8-1.mga5
php-ZendFramework2-Permissions-Acl-2.4.8-1.mga5
php-ZendFramework2-Permissions-Rbac-2.4.8-1.mga5
php-ZendFramework2-ProgressBar-2.4.8-1.mga5
php-ZendFramework2-Serializer-2.4.8-1.mga5
php-ZendFramework2-Server-2.4.8-1.mga5
php-ZendFramework2-ServiceManager-2.4.8-1.mga5
php-ZendFramework2-Session-2.4.8-1.mga5
php-ZendFramework2-Soap-2.4.8-1.mga5
php-ZendFramework2-Stdlib-2.4.8-1.mga5
php-ZendFramework2-Tag-2.4.8-1.mga5
php-ZendFramework2-Test-2.4.8-1.mga5
php-ZendFramework2-Text-2.4.8-1.mga5
php-ZendFramework2-Uri-2.4.8-1.mga5
php-ZendFramework2-Validator-2.4.8-1.mga5
php-ZendFramework2-Version-2.4.8-1.mga5
php-ZendFramework2-View-2.4.8-1.mga5
php-ZendFramework2-XmlRpc-2.4.8-1.mga5
php-ZendFramework2-ZendXml-2.4.8-1.mga5
from SRPMS:
php-ZendFramework-1.12.16-1.mga5.src.rpm
php-ZendFramework2-2.4.8-1.mga5.src.rpm
Version: Cauldron => 5
Assignee: guillomovitch => qa-bugs
Whiteboard: MGA5TOO => has_procedure
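A host-side check against the fixed versions named in this report (1.12.16 for php-ZendFramework, 2.4.8 for php-ZendFramework2), as an added example that is not part of the bug thread or of Mageia's tooling. The function names and the sample package lines are constructed, and versions are assumed to be purely numeric dotted strings.

```shell
#!/bin/sh
# Added example (not Mageia tooling): flag ZF packages below the fixed versions.
# Assumes versions are purely numeric dotted strings.

# ver_lt A B: succeed when version A is strictly lower than version B.
ver_lt() {
    va=$1 vb=$2
    while [ -n "$va" ] || [ -n "$vb" ]; do
        x=${va%%.*} y=${vb%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $va in *.*) va=${va#*.} ;; *) va= ;; esac
        case $vb in *.*) vb=${vb#*.} ;; *) vb= ;; esac
    done
    return 1
}

# audit_zf: read name-version-release lines on stdin (the form used in the
# package lists above) and print one verdict line per Zend Framework package.
audit_zf() {
    while IFS= read -r nvr; do
        name=${nvr%-*-*}                 # drop "-version-release"
        ver=${nvr#"$name"-}; ver=${ver%-*}
        case $name in
            php-ZendFramework2|php-ZendFramework2-*) fixed=2.4.8 ;;
            php-ZendFramework|php-ZendFramework-*)   fixed=1.12.16 ;;
            *) continue ;;               # not a Zend Framework package
        esac
        if ver_lt "$ver" "$fixed"; then
            echo "VULNERABLE $nvr (needs >= $fixed)"
        else
            echo "ok $nvr"
        fi
    done
    return 0
}

# Constructed sample input; on a real host, pipe the installed package list in.
sample_rpm_list() {
cat <<'EOF'
php-ZendFramework-1.12.13-1.mga5
php-ZendFramework-Feed-1.12.16-1.mga5
php-ZendFramework2-Db-2.4.7-1.mga5
php-ZendFramework2-2.4.8-1.mga5
php-pear-1.9.5-5.mga5
EOF
}

sample_rpm_list | audit_zf
```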
CC: (none) => davidwhodgins
Whiteboard: has_procedure => has_procedure advisory
LWN reference for ZF2015-08:
http://lwn.net/Vulnerabilities/659755/
Debian has issued an advisory for this on October 6:
https://www.debian.org/security/2015/dsa-3369
Installed php-zendFramework2-2.4.8.1 series. All installed properly. Ran Galette installation again, seemed to install most of the way as usual and the screens all worked.
CC: (none) => brtians1
Whiteboard: has_procedure advisory => has_procedure advisory MGA5-32-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0391.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
(In reply to David Walser from comment #6)
> LWN reference for ZF2015-08:
> http://lwn.net/Vulnerabilities/659755/
>
> Debian has issued an advisory for this on October 6:
> https://www.debian.org/security/2015/dsa-3369
CVE-2015-7695 has been assigned for this:
http://openwall.com/lists/oss-security/2015/10/11/3
Summary: php-ZendFramework, php-ZendFramework2 new security issues ZF2015-07 (CVE-2015-5723) and ZF2015-08 => php-ZendFramework, php-ZendFramework2 new security issues ZF2015-07 (CVE-2015-5723) and ZF2015-08 (CVE-2015-7695)