Upstream has issued an advisory on November 23: http://framework.zend.com/security/advisory/ZF2015-10 The issue is fixed in version 2.4.9. Mageia 5 is also affected.
CC: (none) => thomas
Whiteboard: (none) => MGA5TOO
ZF2015-09 also applies to ZF2: http://framework.zend.com/security/advisory/ZF2015-09
Fixed in cauldron.
Status: NEW => ASSIGNED
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
Testing procedures in Bug 16624.

Advisory:
========================

Updated php-ZendFramework2 packages fix security vulnerability:

Zend\Crypt\PublicKey\Rsa\PublicKey has a call to openssl_public_encrypt() which uses PHP's default $padding argument, which specifies OPENSSL_PKCS1_PADDING, indicating usage of PKCS1v1.5 padding. This padding has a known vulnerability, Bleichenbacher's chosen-ciphertext attack, which can be used to decrypt arbitrary ciphertexts (CVE-2015-7503).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7503
http://framework.zend.com/security/advisory/ZF2015-10
========================

Updated packages in core/updates_testing:
========================
php-ZendFramework2-2.4.9-1.mga5
php-ZendFramework2-Authentication-2.4.9-1.mga5
php-ZendFramework2-Barcode-2.4.9-1.mga5
php-ZendFramework2-Cache-2.4.9-1.mga5
php-ZendFramework2-Captcha-2.4.9-1.mga5
php-ZendFramework2-Code-2.4.9-1.mga5
php-ZendFramework2-Config-2.4.9-1.mga5
php-ZendFramework2-Console-2.4.9-1.mga5
php-ZendFramework2-Crypt-2.4.9-1.mga5
php-ZendFramework2-Db-2.4.9-1.mga5
php-ZendFramework2-Debug-2.4.9-1.mga5
php-ZendFramework2-Di-2.4.9-1.mga5
php-ZendFramework2-Dom-2.4.9-1.mga5
php-ZendFramework2-Escaper-2.4.9-1.mga5
php-ZendFramework2-EventManager-2.4.9-1.mga5
php-ZendFramework2-Feed-2.4.9-1.mga5
php-ZendFramework2-File-2.4.9-1.mga5
php-ZendFramework2-Filter-2.4.9-1.mga5
php-ZendFramework2-Form-2.4.9-1.mga5
php-ZendFramework2-Http-2.4.9-1.mga5
php-ZendFramework2-I18n-2.4.9-1.mga5
php-ZendFramework2-InputFilter-2.4.9-1.mga5
php-ZendFramework2-Json-2.4.9-1.mga5
php-ZendFramework2-Ldap-2.4.9-1.mga5
php-ZendFramework2-Loader-2.4.9-1.mga5
php-ZendFramework2-Log-2.4.9-1.mga5
php-ZendFramework2-Mail-2.4.9-1.mga5
php-ZendFramework2-Math-2.4.9-1.mga5
php-ZendFramework2-Memory-2.4.9-1.mga5
php-ZendFramework2-Mime-2.4.9-1.mga5
php-ZendFramework2-ModuleManager-2.4.9-1.mga5
php-ZendFramework2-Mvc-2.4.9-1.mga5
php-ZendFramework2-Navigation-2.4.9-1.mga5
php-ZendFramework2-Paginator-2.4.9-1.mga5
php-ZendFramework2-Permissions-Acl-2.4.9-1.mga5
php-ZendFramework2-Permissions-Rbac-2.4.9-1.mga5
php-ZendFramework2-ProgressBar-2.4.9-1.mga5
php-ZendFramework2-Serializer-2.4.9-1.mga5
php-ZendFramework2-Server-2.4.9-1.mga5
php-ZendFramework2-ServiceManager-2.4.9-1.mga5
php-ZendFramework2-Session-2.4.9-1.mga5
php-ZendFramework2-Soap-2.4.9-1.mga5
php-ZendFramework2-Stdlib-2.4.9-1.mga5
php-ZendFramework2-Tag-2.4.9-1.mga5
php-ZendFramework2-Test-2.4.9-1.mga5
php-ZendFramework2-Text-2.4.9-1.mga5
php-ZendFramework2-Uri-2.4.9-1.mga5
php-ZendFramework2-Validator-2.4.9-1.mga5
php-ZendFramework2-Version-2.4.9-1.mga5
php-ZendFramework2-View-2.4.9-1.mga5
php-ZendFramework2-XmlRpc-2.4.9-1.mga5
php-ZendFramework2-ZendXml-2.4.9-1.mga5

from php-ZendFramework2-2.4.9-1.mga5.src.rpm
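The advisory above describes the weak default concretely: PHP's openssl_public_encrypt() falls back to OPENSSL_PKCS1_PADDING (PKCS#1 v1.5) when the fourth argument is omitted. The following is an added example, not Zend Framework code and not part of this bug report; it shows the weak call next to a hardened one that passes OPENSSL_PKCS1_OAEP_PADDING explicitly on both the encrypt and decrypt side, and includes a small audit helper that scans PHP source for openssl_public_encrypt() calls that omit the padding argument. The function names (encrypt_weak, encrypt_hardened, decrypt_hardened, find_default_padding_calls) and the sample source snippet are constructed for this example.

```php
<?php
// Added example, not Zend Framework code. Function names and the sample
// source string are constructed for illustration.

// Weak: no $padding argument, so PHP uses OPENSSL_PKCS1_PADDING (PKCS#1 v1.5),
// the scheme affected by Bleichenbacher's chosen-ciphertext attack.
function encrypt_weak(string $plaintext, $publicKey): string
{
    if (!openssl_public_encrypt($plaintext, $ciphertext, $publicKey)) {
        throw new RuntimeException('encrypt failed: ' . openssl_error_string());
    }
    return $ciphertext;
}

// Hardened: OAEP padding is requested explicitly rather than relying on the default.
function encrypt_hardened(string $plaintext, $publicKey): string
{
    if (!openssl_public_encrypt($plaintext, $ciphertext, $publicKey, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('encrypt failed: ' . openssl_error_string());
    }
    return $ciphertext;
}

// The decrypt side must name the same padding, otherwise decryption fails.
function decrypt_hardened(string $ciphertext, $privateKey): string
{
    if (!openssl_private_decrypt($ciphertext, $plaintext, $privateKey, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('decrypt failed: ' . openssl_error_string());
    }
    return $plaintext;
}

// Audit helper: find openssl_public_encrypt() calls with fewer than four
// top-level arguments, i.e. calls that silently get the PKCS#1 v1.5 default.
// Parentheses nested inside arguments are tracked by depth.
function find_default_padding_calls(string $source): array
{
    $findings = [];
    $offset = 0;
    while (($pos = strpos($source, 'openssl_public_encrypt', $offset)) !== false) {
        $open = strpos($source, '(', $pos);
        if ($open === false) {
            break;
        }
        $depth = 0;
        $args = 1;
        $len = strlen($source);
        for ($i = $open; $i < $len; $i++) {
            $c = $source[$i];
            if ($c === '(') {
                $depth++;
            } elseif ($c === ')') {
                if (--$depth === 0) {
                    break;
                }
            } elseif ($c === ',' && $depth === 1) {
                $args++;
            }
        }
        if ($args < 4) {
            $line = substr_count($source, "\n", 0, $pos) + 1;
            $findings[] = "line $line: openssl_public_encrypt() with $args argument(s), PKCS#1 v1.5 padding by default";
        }
        $offset = $i;
    }
    return $findings;
}

// Demonstration: a throwaway RSA key, an OAEP round trip, then the audit.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$publicPem = openssl_pkey_get_details($key)['key'];

$ct = encrypt_hardened('guestbook entry', $publicPem);
echo 'OAEP round trip ok: ', var_export(decrypt_hardened($ct, $key) === 'guestbook entry', true), PHP_EOL;

// Constructed sample source modelled on the call the advisory describes.
$sample = <<<'SRC'
// first call relies on the default padding, second call does not
openssl_public_encrypt($data, $encrypted, $publicKey);
openssl_public_encrypt($data, $encrypted, $publicKey, OPENSSL_PKCS1_OAEP_PADDING);
SRC;

foreach (find_default_padding_calls($sample) as $finding) {
    echo $finding, PHP_EOL;   // reports only line 2 of the sample
}
```

Run with a PHP build that has the openssl extension loaded. The audit helper is a text scan, not a parser, so it is meant as a quick first pass over a tree like /usr/share/php/Zend rather than a substitute for reviewing each call site.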
Assignee: guillomovitch => qa-bugs
Whiteboard: (none) => has_procedure
Running this update on x86_64

Installed the packages before enabling Updates Testing. Updated all the packages.

$ sudo urpmi task-lamp
Package task-lamp-3-4.mga5.noarch is already installed
# rpm -e --nodeps php-eaccelerator-admin php-eaccelerator
error: package php-eaccelerator-admin is not installed
error: package php-eaccelerator is not installed
# urpmi php-pdo_sqlite
installing php-pdo_sqlite-5.6.21-1.mga5
# urpmi -a php-Zend
No package named php-Zend
# wget https://bugs.mageia.org/attachment.cgi?id=2605 -O Zend.tar.gz
# ls
css/  install  list  report  update*  Zend/  Zend.tar.gz
# ls css
global.css
# ls Zend
application/  data/  library/  public/  scripts/  tests/
# chown -R apache:apache /var/www/html/Zend/data/db
# systemctl start httpd.service
# systemctl status httpd.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled)
   Active: active (running) since Fri 2016-05-06 08:23:16 BST; 1 weeks 3 days ago

Pointed browser at localhost:/Zend/public/index.php and, nothing. Blank page. I guess this has something to do with missing package php-Zend.
CC: (none) => tarazed25
Earlier comments mention this link, which has been taken care of.

[lcl@vega Zend]$ ls -l library
total 0
lrwxrwxrwx 1 root root 19 Aug  3  2012 Zend -> /usr/share/php/Zend
# ls /var/www/html/Zend/data/db
guestbook.db  guestbook-dev.db  guestbook-testing.db

The index.php file in public refers to Zend/Application.php but the only file of that name is in /usr/share/php/Zend/Mvc. With no knowledge of php I am stumped.
I tried a direct link: http://127.0.0.1:/var/www/html/Zend/public/index.php and raised a 404 error - Object not found .../Zend contains an application folder which holds Bootstrap.php, no Application.php in the Zend tree.
It turns out that "# urpmi -a php-Zend" was a red herring - it came from an earlier version of the test. The later version of the command was "# urpmi -ya php-ZendFramework" which I think was meant to install all the components, which I did by another method. So the question remains, why does the procedure not work? And what path does the link localhost:/Zend.... actually refer to? My assumption was that it meant: /var/www/html/ + /Zend/data/db which points to guestbook.db et alii.
Be careful that you get the correct packages here. There's a php-ZendFramework which is a different package, and this one which is php-ZendFramework2.
Good point. Just checked and it is php-ZendFramework2-2.4.9-1.mga5.noarch which is installed and all the other components are Framework2. Have started examining various configs and php files to see if everything fits together.
With my extremely limited understanding of how PHP actually works, all the references look OK but for one. In index.php, before the application is created and bootstrapped the line

/** Zend_Application */
require_once 'Zend/Application.php';

refers to something which does not exist, in neither /usr/share/php/Zend nor /var/www/html/Zend.
It exists in php-ZendFramework, which I guess your test application was written for. In the php-ZendFramework2-Mvc package there's a Zend/Mvc/Application.php. I don't know if it's compatible.
Yes, that is the one I noticed. Zend framework installs cleanly:

$ ls /usr/share/php/Zend
Authentication  Di            InputFilter    Mvc             Stdlib
Barcode         Dom           Json           Navigation      Tag
Cache           Escaper       Ldap           Paginator       Test
Captcha         EventManager  Loader         Permissions     Text
Code            Feed          Log            ProgressBar     Uri
Config          File          Mail           Serializer      Validator
Console         Filter        Math           Server          Version
Crypt           Form          Memory         ServiceManager  View
Db              Http          Mime           Session         XmlRpc
Debug           I18n          ModuleManager  Soap

I have copied the Application.php from Mvc to .. About to try it.
Tried copying it to the application and public directories in the /var... tree, to no avail. Do php scripts need execute permission? The Application.php file looks innocuous; it asks for configuration data and seems to deal with implementing the application interface and event management and triggering a bootstrap so it does look like the beginning of the chain, or a chain.
The endpoint of all this is the guestbook interface which is described by a database so I checked the status of mysqld and found that it was already running.
http://php.net/manual/en/ref.pdo-sqlite.connection.php No database server needed; pdo-sqlite provides a driver for accessing the database. AFAICS it is an extension to PHP.
$ ls -c1 /usr/lib64/php/extensions/*pdo*
/usr/lib64/php/extensions/pdo_sqlite.so
/usr/lib64/php/extensions/pdo_mysql.so
/usr/lib64/php/extensions/pdo.so
This can be tested with galette Len.

$ urpmq --requires galette | grep -i zend
galette: php-ZendFramework2-Db
galette: php-ZendFramework2-Stdlib
Thanks for the pointer Claire but it does not help. Installed galette and galette-plugin-admintools but can find no documentation or man pages. The web returns lots of Galette recipes and references to RPMs but no tutorials or documentation. All I have discovered is "Online tool to manage membership and fees". No idea how to launch it.
I haven't looked into it yet, but it is a webapp so it's likely to be http://localhost/galette
There you go. I did not know that. I always assumed that something had to be set up beforehand before you could run a webapp. Off to try it.
Yes. The galette installation page comes up and shows that all the checks have been passed except date settings - something about mandatory timezone in later versions of PHP. Ignoring that and marking this as OK. Thanks again Claire.
Whiteboard: has_procedure => has_procedure MGA5-64-OK
They typically drop a conf file to set that up into /etc/httpd/conf/sites.d/ which is symlinked from webapps.d and another one too IIRC. With galette..

$ urpmf galette: | grep \.conf$
galette:/etc/httpd/conf/sites.d/galette.conf
Found that but it does not have any way of configuring PHP parameters. I tried editing /etc/php.ini : date.timezone = "UT", or "BST" and restarted galette and it still complained. I downloaded tons of php documentation without finding any indication of what PHP expects there. Maybe "TZ+1"? Who knows?
(In reply to Len Lawrence from comment #23)
> Found that but it does not have any way of configuring PHP parameters.
> I tried editing /etc/php.ini :
>
> date.timezone = "UT",
> or "BST"
> and restarted galette and it still complained. I downloaded tons of php
> documentation without finding any indication of what PHP expects there.
> Maybe "TZ+1"? Who knows?

It's a standard time code. Something like date.timezone = America/New_York;
And I was using UT then BST then TZ+1. Ta.
I looked up the codes and chose "British Summer Time". Still no go. It must want the other date parameters as well.
(In reply to Len Lawrence from comment #26)
> I looked up the codes and chose "British Summer Time". Still no go. It
> must want the other date parameters as well.

That's not even close to a correct format. Look under /usr/share/zoneinfo for names. I'm guessing "GB" is what you want.
Europe/London is probably what you want Len.
That is what I figured. Looked up http://php.net/manual/en/timezones.europe.php and used "Europe/London". Pretty sure that is correct now but the check screen still complains. Strings like GB, GB/GMT were not accepted either. All the date parameters are enabled. Quote from php.ini:

[Date]
; Defines the default timezone used by the date functions
; http://php.net/date.timezone
date.timezone = "Europe/London"

; http://php.net/date.default-latitude
date.default_latitude = 52.0

; http://php.net/date.default-longitude
date.default_longitude = 0.0

; http://php.net/date.sunrise-zenith
date.sunrise_zenith = 90.583333

; http://php.net/date.sunset-zenith
date.sunset_zenith = 90.583333

Need sleep. Either that or put my fist through the screen. Even if it gets past this stage there are nasty things coming up in the installation dialogue, like Database and Database access/permissions and Admin parameters. Knowing my luck with these kinds of things it will fail at some point further along the route.
Whiteboard: has_procedure MGA5-64-OK => has_procedure
This bug is still open for testing. I have to drop it because it is apparent that it needs somebody with the right skills. Any takers?
Testing mga5 64
Tip, to get all the packages for updates like this without lots of typing.

# urpmq -ya php-ZendFramework2 | tr '\n' ' '
php-ZendFramework2 php-ZendFramework2-Authentication php-ZendFramework2-Barcode php-ZendFramework2-Cache php-ZendFramework2-Captcha php-ZendFramework2-Code php-ZendFramework2-Config php-ZendFramework2-Console php-ZendFramework2-Crypt php-ZendFramework2-Db php-ZendFramework2-Debug php-ZendFramework2-Di php-ZendFramework2-Dom php-ZendFramework2-Escaper php-ZendFramework2-EventManager php-ZendFramework2-Feed php-ZendFramework2-File php-ZendFramework2-Filter php-ZendFramework2-Form php-ZendFramework2-Http php-ZendFramework2-I18n php-ZendFramework2-InputFilter php-ZendFramework2-Json php-ZendFramework2-Ldap php-ZendFramework2-Loader php-ZendFramework2-Log php-ZendFramework2-Mail php-ZendFramework2-Math php-ZendFramework2-Memory php-ZendFramework2-Mime php-ZendFramework2-ModuleManager php-ZendFramework2-Mvc php-ZendFramework2-Navigation php-ZendFramework2-Paginator php-ZendFramework2-Permissions-Acl php-ZendFramework2-Permissions-Rbac php-ZendFramework2-ProgressBar php-ZendFramework2-Serializer php-ZendFramework2-Server php-ZendFramework2-ServiceManager php-ZendFramework2-Session php-ZendFramework2-Soap php-ZendFramework2-Stdlib php-ZendFramework2-Tag php-ZendFramework2-Test php-ZendFramework2-Text php-ZendFramework2-Uri php-ZendFramework2-Validator php-ZendFramework2-Version php-ZendFramework2-View php-ZendFramework2-XmlRpc php-ZendFramework2-ZendXml
# urpmi php-ZendFramework2 php-ZendFramework2-Authentication php-ZendFramework2-Barcode php-ZendFramework2-Cache php-ZendFramework2-Captcha php-ZendFramework2-Code php-ZendFramework2-Config php-ZendFramework2-Console php-ZendFramework2-Crypt php-ZendFramework2-Db php-ZendFramework2-Debug php-ZendFramework2-Di php-ZendFramework2-Dom php-ZendFramework2-Escaper php-ZendFramework2-EventManager php-ZendFramework2-Feed php-ZendFramework2-File php-ZendFramework2-Filter php-ZendFramework2-Form php-ZendFramework2-Http php-ZendFramework2-I18n php-ZendFramework2-InputFilter php-ZendFramework2-Json php-ZendFramework2-Ldap php-ZendFramework2-Loader php-ZendFramework2-Log php-ZendFramework2-Mail php-ZendFramework2-Math php-ZendFramework2-Memory php-ZendFramework2-Mime php-ZendFramework2-ModuleManager php-ZendFramework2-Mvc php-ZendFramework2-Navigation php-ZendFramework2-Paginator php-ZendFramework2-Permissions-Acl php-ZendFramework2-Permissions-Rbac php-ZendFramework2-ProgressBar php-ZendFramework2-Serializer php-ZendFramework2-Server php-ZendFramework2-ServiceManager php-ZendFramework2-Session php-ZendFramework2-Soap php-ZendFramework2-Stdlib php-ZendFramework2-Tag php-ZendFramework2-Test php-ZendFramework2-Text php-ZendFramework2-Uri php-ZendFramework2-Validator php-ZendFramework2-Version php-ZendFramework2-View php-ZendFramework2-XmlRpc php-ZendFramework2-ZendXml
# urpmi galette

Working remotely so just checking for permissions to access it remotely.

# less /etc/httpd/conf/sites.d/galette.conf

Noted alias to /usr/share/galette and that directory is "Require all granted" meaning accessible from any IP.

# galette configuration
Alias /galette /usr/share/galette
<Directory /usr/share/galette>
    Require all granted
    Options FollowSymLinks
</Directory>

Start httpd if not already running..

# systemctl start httpd.service
# systemctl status httpd.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
   Active: active (running) ...etc.

Browse to http://<server ip>/galette brings up the installer.

Used phpmyadmin to create a temporary mysql database/user for galette, i.e. log in as mysql root user, add a user gallette with host localhost and password galette. Tick to "Create db with same name and grant all privileges", click Go. Before entering DB details into galette installer.

Note galette seems to access mysql through a port rather than path so need to enable mysql networking. Edit /etc/my.cnf and comment out "skip-networking" then restart mysqld.

# nano /etc/my.cnf
# systemctl restart mysqld
# systemctl status mysqld
● mysqld.service - MySQL database server
   Loaded: loaded (/usr/lib/systemd/system/mysqld.service; enabled)
   Active: active (running)... etc

Click through the rest of galette installer and it fails at the last stage with "Contributions types" and "Status". Appears to be a bug with galette. Browsing away and back again shows a log in page though and it allows you to log in. One of the news posts mentioned in galette says that it no longer supports mysql. http://galette.eu/dc/index.php/post/2015/04/01/Fin-du-support-MySQL

Update php-ZendFramework2 packages and log in again. Sufficient to show php-ZendFramework2 is working.

Remember to drop galette database when done.
Whiteboard: has_procedure => has_procedure mga5-64-ok
Keywords: (none) => validated_update
Whiteboard: has_procedure mga5-64-ok => has_procedure advisory mga5-64-ok
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0196.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/688457/