Bug 16828 - php-ZendFramework, php-ZendFramework2 new security issues ZF2015-07 (CVE-2015-5723) and ZF2015-08 (CVE-2015-7695)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/658458/
Whiteboard: has_procedure advisory MGA5-32-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-09-25 19:59 CEST by David Walser
Modified: 2015-10-12 20:41 CEST

See Also:
Source RPM: php-ZendFramework-1.12.15-1.mga5.src.rpm, php-ZendFramework2-2.4.7-1.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2015-09-25 19:59:28 CEST
Upstream has issued advisories on September 15:
http://framework.zend.com/security/advisory/ZF2015-07
http://framework.zend.com/security/advisory/ZF2015-08

The issues are fixed in 1.12.16 and 2.4.8.

Fedora has issued an advisory for this today (September 25):
https://lists.fedoraproject.org/pipermail/package-announce/2015-September/167698.html

Mageia 5 is also affected.

David Walser 2015-09-25 19:59:43 CEST

CC: (none) => guillomovitch
Whiteboard: (none) => MGA5TOO

Comment 1 Thomas Spuhler 2015-09-26 17:11:00 CEST
Zendframework has been obsoleted in cauldron. Only needs fix in mga5.
Comment 2 Thomas Spuhler 2015-09-26 17:34:43 CEST
Resolved for mga5.
These updated packages are now in updates_testing 
php-ZendFramework-1.12.16-1.mga5.src.rpm
php-ZendFramework-1.12.16-1.mga5.noarch.rpm
php-ZendFramework-demos-1.12.16-1.mga5.noarch.rpm
php-ZendFramework-tests-1.12.16-1.mga5.noarch.rpm
php-ZendFramework-extras-1.12.16-1.mga5.noarch.rpm
php-ZendFramework-Cache-Backend-Apc-1.12.16-1.mga5.noarch.rpm
php-ZendFramework-Cache-Backend-Memcached-1.12.16-1.mga5.noarch.rpm
php-ZendFramework-Captcha-1.12.16-1.mga5.noarch.rpm
php-ZendFramework-Dojo-1.12.16-1.mga5.noarch.rpm
php-ZendFramework-Feed-1.12.16-1.mga5.noarch.rpm
php-ZendFramework-Gdata-1.12.16-1.mga5.noarch.rpm
php-ZendFramework-Pdf-1.12.16-1.mga5.noarch.rpm
php-ZendFramework-Search-Lucene-1.12.16-1.mga5.noarch.rpm
php-ZendFramework-Services-1.12.16-1.mga5.noarch.rpm

maintainer of php-ZendFramework2 please assign to QA when done

Status: NEW => ASSIGNED

Comment 3 Thomas Spuhler 2015-09-27 18:04:30 CEST
Re-assigning to maintainer of ZendFramework2

Assignee: thomas => guillomovitch

Comment 4 David Walser 2015-09-30 16:11:21 CEST
CVE request for ZF2015-08:
http://openwall.com/lists/oss-security/2015/09/30/6
Comment 5 David Walser 2015-10-02 12:29:28 CEST
Updated packages uploaded for Mageia 5 and Cauldron.

Testing procedures in Bug 16624.

Advisory:
========================

Updated php-ZendFramework and php-ZendFramework2 packages fix security
vulnerabilities:

Zend Framework contained several instances where it was using incorrect
permissions masks, which could lead to local privilege escalation issues
(CVE-2015-5723).

The PDO adapters of Zend Framework 1 do not filter null byte values in SQL
statements. A PDO adapter can treat null bytes in a query as a string
terminator, allowing an attacker to add arbitrary SQL following a null byte,
and thus create a SQL injection (ZF2015-08).

Note that the ZF2015-08 issue did not affect Zend Framework 2.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5723
http://framework.zend.com/security/advisory/ZF2015-07
http://framework.zend.com/security/advisory/ZF2015-08
https://lists.fedoraproject.org/pipermail/package-announce/2015-September/167698.html
========================

Updated packages in core/updates_testing:
========================
php-ZendFramework-1.12.16-1.mga5
php-ZendFramework-demos-1.12.16-1.mga5
php-ZendFramework-tests-1.12.16-1.mga5
php-ZendFramework-extras-1.12.16-1.mga5
php-ZendFramework-Cache-Backend-Apc-1.12.16-1.mga5
php-ZendFramework-Cache-Backend-Memcached-1.12.16-1.mga5
php-ZendFramework-Captcha-1.12.16-1.mga5
php-ZendFramework-Dojo-1.12.16-1.mga5
php-ZendFramework-Feed-1.12.16-1.mga5
php-ZendFramework-Gdata-1.12.16-1.mga5
php-ZendFramework-Pdf-1.12.16-1.mga5
php-ZendFramework-Search-Lucene-1.12.16-1.mga5
php-ZendFramework-Services-1.12.16-1.mga5
php-ZendFramework2-2.4.8-1.mga5
php-ZendFramework2-Authentication-2.4.8-1.mga5
php-ZendFramework2-Barcode-2.4.8-1.mga5
php-ZendFramework2-Cache-2.4.8-1.mga5
php-ZendFramework2-Captcha-2.4.8-1.mga5
php-ZendFramework2-Code-2.4.8-1.mga5
php-ZendFramework2-Config-2.4.8-1.mga5
php-ZendFramework2-Console-2.4.8-1.mga5
php-ZendFramework2-Crypt-2.4.8-1.mga5
php-ZendFramework2-Db-2.4.8-1.mga5
php-ZendFramework2-Debug-2.4.8-1.mga5
php-ZendFramework2-Di-2.4.8-1.mga5
php-ZendFramework2-Dom-2.4.8-1.mga5
php-ZendFramework2-Escaper-2.4.8-1.mga5
php-ZendFramework2-EventManager-2.4.8-1.mga5
php-ZendFramework2-Feed-2.4.8-1.mga5
php-ZendFramework2-File-2.4.8-1.mga5
php-ZendFramework2-Filter-2.4.8-1.mga5
php-ZendFramework2-Form-2.4.8-1.mga5
php-ZendFramework2-Http-2.4.8-1.mga5
php-ZendFramework2-I18n-2.4.8-1.mga5
php-ZendFramework2-InputFilter-2.4.8-1.mga5
php-ZendFramework2-Json-2.4.8-1.mga5
php-ZendFramework2-Ldap-2.4.8-1.mga5
php-ZendFramework2-Loader-2.4.8-1.mga5
php-ZendFramework2-Log-2.4.8-1.mga5
php-ZendFramework2-Mail-2.4.8-1.mga5
php-ZendFramework2-Math-2.4.8-1.mga5
php-ZendFramework2-Memory-2.4.8-1.mga5
php-ZendFramework2-Mime-2.4.8-1.mga5
php-ZendFramework2-ModuleManager-2.4.8-1.mga5
php-ZendFramework2-Mvc-2.4.8-1.mga5
php-ZendFramework2-Navigation-2.4.8-1.mga5
php-ZendFramework2-Paginator-2.4.8-1.mga5
php-ZendFramework2-Permissions-Acl-2.4.8-1.mga5
php-ZendFramework2-Permissions-Rbac-2.4.8-1.mga5
php-ZendFramework2-ProgressBar-2.4.8-1.mga5
php-ZendFramework2-Serializer-2.4.8-1.mga5
php-ZendFramework2-Server-2.4.8-1.mga5
php-ZendFramework2-ServiceManager-2.4.8-1.mga5
php-ZendFramework2-Session-2.4.8-1.mga5
php-ZendFramework2-Soap-2.4.8-1.mga5
php-ZendFramework2-Stdlib-2.4.8-1.mga5
php-ZendFramework2-Tag-2.4.8-1.mga5
php-ZendFramework2-Test-2.4.8-1.mga5
php-ZendFramework2-Text-2.4.8-1.mga5
php-ZendFramework2-Uri-2.4.8-1.mga5
php-ZendFramework2-Validator-2.4.8-1.mga5
php-ZendFramework2-Version-2.4.8-1.mga5
php-ZendFramework2-View-2.4.8-1.mga5
php-ZendFramework2-XmlRpc-2.4.8-1.mga5
php-ZendFramework2-ZendXml-2.4.8-1.mga5

from SRPMS
php-ZendFramework-1.12.16-1.mga5.src.rpm
php-ZendFramework2-2.4.8-1.mga5.src.rpm

Version: Cauldron => 5
Assignee: guillomovitch => qa-bugs
Whiteboard: MGA5TOO => has_procedure
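
A check for whether a host still carries pre-fix packages, using the fixed versions stated in this bug (1.12.16 for php-ZendFramework, 2.4.8 for php-ZendFramework2). This is an added example, not part of the original bug report or the Mageia tooling; the function names and the sample inventory are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag php-ZendFramework* packages older than the fixed
# versions named in this bug. Function names are hypothetical.

# ver_lt A B: succeeds when version A sorts strictly before version B.
ver_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# audit_zf: reads "name version" lines on stdin, prints one line per
# package below the fixed version, and returns 1 if any were found.
audit_zf() {
    rc=0
    while read -r name ver; do
        case "$name" in
            # The ZF2 patterns must come first so ZF2 subpackages are
            # compared against 2.4.8, not against the ZF1 version.
            php-ZendFramework2|php-ZendFramework2-*) fixed=2.4.8 ;;
            php-ZendFramework|php-ZendFramework-*)   fixed=1.12.16 ;;
            *) continue ;;
        esac
        if ver_lt "$ver" "$fixed"; then
            echo "VULNERABLE $name $ver (fixed in $fixed)"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample inventory, not output from a real system.
sample_inventory() {
    cat <<'EOF'
php-ZendFramework 1.12.15
php-ZendFramework-Pdf 1.12.16
php-ZendFramework2-Db 2.4.7
php-ZendFramework2 2.4.8
php-pear 1.9.5
EOF
}

# On a live system, feed the real inventory instead:
#   rpm -qa --qf '%{NAME} %{VERSION}\n' 'php-ZendFramework*' | audit_zf
sample_inventory | audit_zf || echo "update required"
```

The comparison covers the upstream version only; a distribution that backports the fix without bumping the version needs the release field checked as well.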

Dave Hodgins 2015-10-07 00:29:42 CEST

CC: (none) => davidwhodgins
Whiteboard: has_procedure => has_procedure advisory

Comment 6 David Walser 2015-10-07 18:10:40 CEST
LWN reference for ZF2015-08:
http://lwn.net/Vulnerabilities/659755/

Debian has issued an advisory for this on October 6:
https://www.debian.org/security/2015/dsa-3369
Comment 7 Brian Rockwell 2015-10-08 23:10:24 CEST
Installed php-zendFramework2-2.4.8.1 series. All installed properly.

Ran Galette installation again, seemed to install most of the way as usual and the screens all worked.

CC: (none) => brtians1
Whiteboard: has_procedure advisory => has_procedure advisory MGA5-32-OK

Dave Hodgins 2015-10-09 00:30:58 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2015-10-09 20:48:52 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0391.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 9 David Walser 2015-10-12 20:41:20 CEST
(In reply to David Walser from comment #6)
> LWN reference for ZF2015-08:
> http://lwn.net/Vulnerabilities/659755/
> 
> Debian has issued an advisory for this on October 6:
> https://www.debian.org/security/2015/dsa-3369

CVE-2015-7695 has been assigned for this:
http://openwall.com/lists/oss-security/2015/10/11/3

Summary: php-ZendFramework, php-ZendFramework2 new security issues ZF2015-07 (CVE-2015-5723) and ZF2015-08 => php-ZendFramework, php-ZendFramework2 new security issues ZF2015-07 (CVE-2015-5723) and ZF2015-08 (CVE-2015-7695)

