Upstream has issued an advisory on December 20: https://framework.zend.com/security/advisory/ZF2016-04
The issue is fixed in 2.4.11: https://framework.zend.com/blog/2016-12-20-zf-2-4-11-released.html
It was assigned CVE-2016-10034: http://openwall.com/lists/oss-security/2016/12/30/2

Freeze push requested for Cauldron; update checked into Mageia 5 SVN. Advisory for future update below.

Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=18259#c32

Advisory:
========================

Updated php-ZendFramework2 packages fix security vulnerability:

When using the zend-mail component to send email via the Zend\Mail\Transport\Sendmail transport, a malicious user may be able to inject arbitrary parameters to the system sendmail program. The attack is performed by providing additional quote characters within an address; when unsanitized, they can be interpreted as additional command line arguments, leading to the vulnerability (CVE-2016-10034).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10034
https://framework.zend.com/security/advisory/ZF2016-04
https://framework.zend.com/blog/2016-12-20-zf-2-4-11-released.html
http://openwall.com/lists/oss-security/2016/12/30/2
========================

Updated packages in core/updates_testing:
========================
php-ZendFramework2-2.4.11-1.mga5
php-ZendFramework2-Authentication-2.4.11-1.mga5
php-ZendFramework2-Barcode-2.4.11-1.mga5
php-ZendFramework2-Cache-2.4.11-1.mga5
php-ZendFramework2-Captcha-2.4.11-1.mga5
php-ZendFramework2-Code-2.4.11-1.mga5
php-ZendFramework2-Config-2.4.11-1.mga5
php-ZendFramework2-Console-2.4.11-1.mga5
php-ZendFramework2-Crypt-2.4.11-1.mga5
php-ZendFramework2-Db-2.4.11-1.mga5
php-ZendFramework2-Debug-2.4.11-1.mga5
php-ZendFramework2-Di-2.4.11-1.mga5
php-ZendFramework2-Dom-2.4.11-1.mga5
php-ZendFramework2-Escaper-2.4.11-1.mga5
php-ZendFramework2-EventManager-2.4.11-1.mga5
php-ZendFramework2-Feed-2.4.11-1.mga5
php-ZendFramework2-File-2.4.11-1.mga5
php-ZendFramework2-Filter-2.4.11-1.mga5
php-ZendFramework2-Form-2.4.11-1.mga5
php-ZendFramework2-Http-2.4.11-1.mga5
php-ZendFramework2-I18n-2.4.11-1.mga5
php-ZendFramework2-InputFilter-2.4.11-1.mga5
php-ZendFramework2-Json-2.4.11-1.mga5
php-ZendFramework2-Ldap-2.4.11-1.mga5
php-ZendFramework2-Loader-2.4.11-1.mga5
php-ZendFramework2-Log-2.4.11-1.mga5
php-ZendFramework2-Mail-2.4.11-1.mga5
php-ZendFramework2-Math-2.4.11-1.mga5
php-ZendFramework2-Memory-2.4.11-1.mga5
php-ZendFramework2-Mime-2.4.11-1.mga5
php-ZendFramework2-ModuleManager-2.4.11-1.mga5
php-ZendFramework2-Mvc-2.4.11-1.mga5
php-ZendFramework2-Navigation-2.4.11-1.mga5
php-ZendFramework2-Paginator-2.4.11-1.mga5
php-ZendFramework2-Permissions-Acl-2.4.11-1.mga5
php-ZendFramework2-Permissions-Rbac-2.4.11-1.mga5
php-ZendFramework2-ProgressBar-2.4.11-1.mga5
php-ZendFramework2-Serializer-2.4.11-1.mga5
php-ZendFramework2-Server-2.4.11-1.mga5
php-ZendFramework2-ServiceManager-2.4.11-1.mga5
php-ZendFramework2-Session-2.4.11-1.mga5
php-ZendFramework2-Soap-2.4.11-1.mga5
php-ZendFramework2-Stdlib-2.4.11-1.mga5
php-ZendFramework2-Tag-2.4.11-1.mga5
php-ZendFramework2-Test-2.4.11-1.mga5
php-ZendFramework2-Text-2.4.11-1.mga5
php-ZendFramework2-Uri-2.4.11-1.mga5
php-ZendFramework2-Validator-2.4.11-1.mga5
php-ZendFramework2-Version-2.4.11-1.mga5
php-ZendFramework2-View-2.4.11-1.mga5
php-ZendFramework2-XmlRpc-2.4.11-1.mga5
php-ZendFramework2-ZendXml-2.4.11-1.mga5

from php-ZendFramework2-2.4.11-1.mga5.src.rpm
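As an added example, not part of this bug report and not Zend Framework's own code, this is the kind of defensive check a sendmail-style transport needs before a sender address reaches the command line: the address is validated with PHP's built-in email filter, any quote, whitespace or shell metacharacter is rejected outright rather than cleaned, and the surviving value is still wrapped in escapeshellarg() as a second layer. The function names and the sample addresses are constructed for illustration; the code avoids scalar type hints so it also runs on the PHP 5.6 seen in the test logs below.

```php
<?php
// Added example, not Zend Framework code: validate an envelope-sender address
// before it is used as a sendmail "-f" parameter. The advisory above describes
// quote characters in an address being reinterpreted as extra command-line
// arguments; the fix is to refuse such addresses, not to try to repair them.

/**
 * Returns the address if it is safe to place on a sendmail command line,
 * or null if it must be rejected. Hypothetical helper name.
 */
function safeEnvelopeSender($address)
{
    // Structural check: must be a syntactically valid mailbox.
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Defence in depth: no quotes, backslashes, whitespace or shell
    // metacharacters at all, even where RFC 5321 would allow a quoted local
    // part. An allow-list of safe addresses is simpler to reason about than
    // trying to escape every shell construct.
    if (preg_match('/["\'\\\\\s;&|<>`$()]/', $address)) {
        return null;
    }
    return $address;
}

/**
 * Builds the sendmail parameter string, or throws if the address is unsafe.
 * Hypothetical helper name.
 */
function buildSendmailParams($from)
{
    $sender = safeEnvelopeSender($from);
    if ($sender === null) {
        throw new InvalidArgumentException('Refusing unsafe envelope sender');
    }
    // escapeshellarg() is the second layer: the value is already restricted
    // to a safe character set, but quoting it again costs nothing.
    return '-f' . escapeshellarg($sender);
}

// Constructed sample inputs: one ordinary address, one with an embedded
// quote character of the kind the advisory describes.
$cases = array(
    'user@example.com',
    'user"@example.com',
);
foreach ($cases as $c) {
    try {
        echo $c, ' => ', buildSendmailParams($c), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $c, ' => rejected', PHP_EOL;
    }
}
```

Run with `php example.php`: the plain address is emitted as a quoted `-f` parameter, the address containing a quote character is rejected before any command line is built. The useful property for a reviewer is that rejection happens on a character allow-list, so the check does not depend on knowing which sendmail options an attacker might try to smuggle in.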
Updated packages uploaded for Mageia 5 and Cauldron. Advisory, package list, and test procedure in Comment 0.
Assignee: bugsquad => qa-bugs
Whiteboard: (none) => has_procedure
URL: (none) => https://lwn.net/Vulnerabilities/710482/
$ uname -a
Linux localhost 4.4.39-desktop-1.mga5 #1 SMP Fri Dec 16 18:52:20 UTC 2016 i686 i686 i686 GNU/Linux

The following 74 packages are going to be installed:
- apache-mod_php-5.6.29-1.mga5.i586
- galette-0.8.1-1.1.mga5.noarch
- php-analog-1.0.4-4.mga5.noarch
- php-channel-phpunit-1.3-14.mga5.noarch
- php-pear-1.9.5-8.mga5.noarch
- php-pear-channel-horde-1.0-19.mga5.noarch
- php-pear-channel-symfony2-1.0-5.mga5.noarch
- php-pear-DbUnit-1.3.1-4.mga5.noarch
- php-pear-File_Iterator-1.3.4-4.mga5.noarch
- php-pear-PHPUnit-3.7.34-2.mga5.noarch
- php-pear-PHPUnit_MockObject-1.2.3-4.mga5.noarch
- php-pear-PHPUnit_Selenium-1.3.3-4.mga5.noarch
- php-pear-PHPUnit_Story-1.0.2-4.mga5.noarch
- php-pear-PHP_CodeCoverage-1.2.17-3.mga5.noarch
- php-pear-PHP_Invoker-1.1.3-4.mga5.noarch
- php-pear-PHP_Timer-1.0.5-4.mga5.noarch
- php-pear-PHP_TokenStream-1.2.2-3.mga5.noarch
- php-pear-Symfony2_Yaml-2.4.4-3.mga5.noarch
- php-pear-Text_Template-1.2.0-3.mga5.noarch
- php-phpmailer-5.2.14-1.1.mga5.noarch
- php-smarty-3.1.21-1.mga5.noarch
- php-tcpdf-6.0.098-1.mga5.noarch
- php-ZendFramework2-2.4.11-1.mga5.noarch
- php-ZendFramework2-Authentication-2.4.11-1.mga5.noarch
- php-ZendFramework2-Barcode-2.4.11-1.mga5.noarch
- php-ZendFramework2-Cache-2.4.11-1.mga5.noarch
- php-ZendFramework2-Captcha-2.4.11-1.mga5.noarch
- php-ZendFramework2-Code-2.4.11-1.mga5.noarch
- php-ZendFramework2-Config-2.4.11-1.mga5.noarch
- php-ZendFramework2-Console-2.4.11-1.mga5.noarch
- php-ZendFramework2-Crypt-2.4.11-1.mga5.noarch
- php-ZendFramework2-Db-2.4.11-1.mga5.noarch
- php-ZendFramework2-Debug-2.4.11-1.mga5.noarch
- php-ZendFramework2-Di-2.4.11-1.mga5.noarch
- php-ZendFramework2-Dom-2.4.11-1.mga5.noarch
- php-ZendFramework2-Escaper-2.4.11-1.mga5.noarch
- php-ZendFramework2-EventManager-2.4.11-1.mga5.noarch
- php-ZendFramework2-Feed-2.4.11-1.mga5.noarch
- php-ZendFramework2-File-2.4.11-1.mga5.noarch
- php-ZendFramework2-Filter-2.4.11-1.mga5.noarch
- php-ZendFramework2-Form-2.4.11-1.mga5.noarch
- php-ZendFramework2-Http-2.4.11-1.mga5.noarch
- php-ZendFramework2-I18n-2.4.11-1.mga5.noarch
- php-ZendFramework2-InputFilter-2.4.11-1.mga5.noarch
- php-ZendFramework2-Json-2.4.11-1.mga5.noarch
- php-ZendFramework2-Ldap-2.4.11-1.mga5.noarch
- php-ZendFramework2-Loader-2.4.11-1.mga5.noarch
- php-ZendFramework2-Log-2.4.11-1.mga5.noarch
- php-ZendFramework2-Mail-2.4.11-1.mga5.noarch
- php-ZendFramework2-Math-2.4.11-1.mga5.noarch
- php-ZendFramework2-Memory-2.4.11-1.mga5.noarch
- php-ZendFramework2-Mime-2.4.11-1.mga5.noarch
- php-ZendFramework2-ModuleManager-2.4.11-1.mga5.noarch
- php-ZendFramework2-Mvc-2.4.11-1.mga5.noarch
- php-ZendFramework2-Navigation-2.4.11-1.mga5.noarch
- php-ZendFramework2-Paginator-2.4.11-1.mga5.noarch
- php-ZendFramework2-Permissions-Acl-2.4.11-1.mga5.noarch
- php-ZendFramework2-Permissions-Rbac-2.4.11-1.mga5.noarch
- php-ZendFramework2-ProgressBar-2.4.11-1.mga5.noarch
- php-ZendFramework2-Serializer-2.4.11-1.mga5.noarch
- php-ZendFramework2-Server-2.4.11-1.mga5.noarch
- php-ZendFramework2-ServiceManager-2.4.11-1.mga5.noarch
- php-ZendFramework2-Session-2.4.11-1.mga5.noarch
- php-ZendFramework2-Soap-2.4.11-1.mga5.noarch
- php-ZendFramework2-Stdlib-2.4.11-1.mga5.noarch
- php-ZendFramework2-Tag-2.4.11-1.mga5.noarch
- php-ZendFramework2-Test-2.4.11-1.mga5.noarch
- php-ZendFramework2-Text-2.4.11-1.mga5.noarch
- php-ZendFramework2-Uri-2.4.11-1.mga5.noarch
- php-ZendFramework2-Validator-2.4.11-1.mga5.noarch
- php-ZendFramework2-Version-2.4.11-1.mga5.noarch
- php-ZendFramework2-View-2.4.11-1.mga5.noarch
- php-ZendFramework2-XmlRpc-2.4.11-1.mga5.noarch
- php-ZendFramework2-ZendXml-2.4.11-1.mga5.noarch
53MB of additional disk space will be used.
18MB of packages will be retrieved.
Is it ok to continue?

Installed modules
set up date/timezone in /etc/php.ini
127.0.0.1/galette

It works through the setup process (I used SQLITE)
I do get an error, but not related to PHP but as part of the Galette configuration process.
Either way the setup routine validated the PHP modules and we're happy.
CC: (none) => brtians1
Whiteboard: has_procedure => has_procedure mga5-32-ok
CC: (none) => lewyssmith
Whiteboard: has_procedure mga5-32-ok => has_procedure mga5-32-ok advisory
$ uname -a
Linux localhost 4.4.39-server-1.mga5 #1 SMP Fri Dec 16 19:07:42 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

The following 68 packages are going to be installed:
- php-channel-phpunit-1.3-14.mga5.noarch
- php-pear-1.9.5-8.mga5.noarch
- php-pear-channel-horde-1.0-19.mga5.noarch
- php-pear-channel-symfony2-1.0-5.mga5.noarch
- php-pear-DbUnit-1.3.1-4.mga5.noarch
- php-pear-File_Iterator-1.3.4-4.mga5.noarch
- php-pear-PHPUnit-3.7.34-2.mga5.noarch
- php-pear-PHPUnit_MockObject-1.2.3-4.mga5.noarch
- php-pear-PHPUnit_Selenium-1.3.3-4.mga5.noarch
- php-pear-PHPUnit_Story-1.0.2-4.mga5.noarch
- php-pear-PHP_CodeCoverage-1.2.17-3.mga5.noarch
- php-pear-PHP_Invoker-1.1.3-4.mga5.noarch
- php-pear-PHP_Timer-1.0.5-4.mga5.noarch
- php-pear-PHP_TokenStream-1.2.2-3.mga5.noarch
- php-pear-Symfony2_Yaml-2.4.4-3.mga5.noarch
- php-pear-Text_Template-1.2.0-3.mga5.noarch
- php-ZendFramework2-2.4.11-1.mga5.noarch
- php-ZendFramework2-Authentication-2.4.11-1.mga5.noarch
- php-ZendFramework2-Barcode-2.4.11-1.mga5.noarch
- php-ZendFramework2-Cache-2.4.11-1.mga5.noarch
- php-ZendFramework2-Captcha-2.4.11-1.mga5.noarch
- php-ZendFramework2-Code-2.4.11-1.mga5.noarch
- php-ZendFramework2-Config-2.4.11-1.mga5.noarch
- php-ZendFramework2-Console-2.4.11-1.mga5.noarch
- php-ZendFramework2-Crypt-2.4.11-1.mga5.noarch
- php-ZendFramework2-Db-2.4.11-1.mga5.noarch
- php-ZendFramework2-Debug-2.4.11-1.mga5.noarch
- php-ZendFramework2-Di-2.4.11-1.mga5.noarch
- php-ZendFramework2-Dom-2.4.11-1.mga5.noarch
- php-ZendFramework2-Escaper-2.4.11-1.mga5.noarch
- php-ZendFramework2-EventManager-2.4.11-1.mga5.noarch
- php-ZendFramework2-Feed-2.4.11-1.mga5.noarch
- php-ZendFramework2-File-2.4.11-1.mga5.noarch
- php-ZendFramework2-Filter-2.4.11-1.mga5.noarch
- php-ZendFramework2-Form-2.4.11-1.mga5.noarch
- php-ZendFramework2-Http-2.4.11-1.mga5.noarch
- php-ZendFramework2-I18n-2.4.11-1.mga5.noarch
- php-ZendFramework2-InputFilter-2.4.11-1.mga5.noarch
- php-ZendFramework2-Json-2.4.11-1.mga5.noarch
- php-ZendFramework2-Ldap-2.4.11-1.mga5.noarch
- php-ZendFramework2-Loader-2.4.11-1.mga5.noarch
- php-ZendFramework2-Log-2.4.11-1.mga5.noarch
- php-ZendFramework2-Mail-2.4.11-1.mga5.noarch
- php-ZendFramework2-Math-2.4.11-1.mga5.noarch
- php-ZendFramework2-Memory-2.4.11-1.mga5.noarch
- php-ZendFramework2-Mime-2.4.11-1.mga5.noarch
- php-ZendFramework2-ModuleManager-2.4.11-1.mga5.noarch
- php-ZendFramework2-Mvc-2.4.11-1.mga5.noarch
- php-ZendFramework2-Navigation-2.4.11-1.mga5.noarch
- php-ZendFramework2-Paginator-2.4.11-1.mga5.noarch
- php-ZendFramework2-Permissions-Acl-2.4.11-1.mga5.noarch
- php-ZendFramework2-Permissions-Rbac-2.4.11-1.mga5.noarch
- php-ZendFramework2-ProgressBar-2.4.11-1.mga5.noarch
- php-ZendFramework2-Serializer-2.4.11-1.mga5.noarch
- php-ZendFramework2-Server-2.4.11-1.mga5.noarch
- php-ZendFramework2-ServiceManager-2.4.11-1.mga5.noarch
- php-ZendFramework2-Session-2.4.11-1.mga5.noarch
- php-ZendFramework2-Soap-2.4.11-1.mga5.noarch
- php-ZendFramework2-Stdlib-2.4.11-1.mga5.noarch
- php-ZendFramework2-Tag-2.4.11-1.mga5.noarch
- php-ZendFramework2-Test-2.4.11-1.mga5.noarch
- php-ZendFramework2-Text-2.4.11-1.mga5.noarch
- php-ZendFramework2-Uri-2.4.11-1.mga5.noarch
- php-ZendFramework2-Validator-2.4.11-1.mga5.noarch
- php-ZendFramework2-Version-2.4.11-1.mga5.noarch
- php-ZendFramework2-View-2.4.11-1.mga5.noarch
- php-ZendFramework2-XmlRpc-2.4.11-1.mga5.noarch
- php-ZendFramework2-ZendXml-2.4.11-1.mga5.noarch
14MB of additional disk space will be used.
2.7MB of packages will be retrieved.
Is it ok to continue?

Installing Galette
The following 5 packages are going to be installed:
- galette-0.8.1-1.1.mga5.noarch
- php-analog-1.0.4-4.mga5.noarch
- php-phpmailer-5.2.14-1.1.mga5.noarch
- php-smarty-3.1.21-1.mga5.noarch
- php-tcpdf-6.0.098-1.mga5.noarch
39MB of additional disk space will be used.
16MB of packages will be retrieved.

Did the same as above.
Whiteboard: has_procedure mga5-32-ok advisory => has_procedure mga5-32-ok advisory mga5-64-ok
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0016.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED