Upstream has issued advisories on November 23 and April 13: http://framework.zend.com/security/advisory/ZF2015-09 http://framework.zend.com/security/advisory/ZF2016-01 The issues are fixed in versions 1.12.17 and 1.12.18, respectively.
These issues have been by upgrading to vesr. 1.12.18 The following packages are in updates_testing: php-ZendFramework-1.12.18-1.mga5.src.rpm php-ZendFramework-1.12.18-1.mga5.noarch.rpm php-ZendFramework-demos-1.12.18-1.mga5.noarch.rpm php-ZendFramework-tests-1.12.18-1.mga5.noarch.rpm php-ZendFramework-extras-1.12.18-1.mga5.noarch.rpm php-ZendFramework-Cache-Backend-Apc-1.12.18-1.mga5.noarch.rpm php-ZendFramework-Cache-Backend-Memcached-1.12.18-1.mga5.noarch.rpm php-ZendFramework-Captcha-1.12.18-1.mga5.noarch.rpm php-ZendFramework-Dojo-1.12.18-1.mga5.noarch.rpm php-ZendFramework-Feed-1.12.18-1.mga5.noarch.rpm php-ZendFramework-Gdata-1.12.18-1.mga5.noarch.rpm php-ZendFramework-Pdf-1.12.18-1.mga5.noarch.rpm php-ZendFramework-Search-Lucene-1.12.18-1.mga5.noarch.rpm php-ZendFramework-Services-1.12.18-1.mga5.noarch.rpm assigning it to qa
Status: NEW => ASSIGNEDAssignee: thomas => qa-bugs
Procedure in https://bugs.mageia.org/show_bug.cgi?id=13708#c3 Advisory: ======================== Updated php-ZendFramework packages fix security vulnerabilities: The php-ZendFramework package has been updated to version 1.12.18 to fix a potential information disclosure and insufficient entropy vulnerability in the word CAPTCHA (ZF2015-09) and several other functions (ZF2016-01). References: http://framework.zend.com/security/advisory/ZF2015-09 http://framework.zend.com/security/advisory/ZF2016-01 http://framework.zend.com/blog/zend-framework-1-12-17-and-2-4-9-released.html http://framework.zend.com/blog/zend-framework-1-12-18-released.html
Whiteboard: (none) => has_procedure
Testing complete, replacing urpmi -ya php-ZendFramework with urpmi -ya php-ZendFramework- to exclude php-ZendFramework2 Advisory committed to svn.
Keywords: (none) => validated_updateWhiteboard: has_procedure => has_procedure MGA5-64-OK MGA5-32-OK advisoryCC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0156.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/685886/