Debian has issued an advisory on June 29: http://www.debian.org/security/2012/dsa-2505 Mageia 1 and Mageia 2 are also affected.
CC: (none) => thomas
Whiteboard: (none) => MGA2TOO, MGA1TOO
Updated package uploaded for Cauldron.

Patched packages uploaded for Mageia 1 and Mageia 2.

Advisory:
========================

Updated php-ZendFramework packages fix security vulnerability:

A file disclosure flaw was found in the way SimpleXMLElement class of Zend Framework, a PHP framework, processed XML data provided within certain XML-RPC requests (external XML entities were previously possible to specify by adding a specific DOCTYPE element to particular XML-RPC request). A remote attacker could use this flaw to obtain sensitive information by issuing a specially-crafted XML-RPC request to the Zend Framework based PHP application (CVE-2012-3363).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3363
http://framework.zend.com/security/advisory/ZF2012-01
https://bugzilla.redhat.com/show_bug.cgi?id=835560
http://www.debian.org/security/2012/dsa-2505
========================

Updated packages in core/updates_testing:
========================
php-ZendFramework-1.11.0-1.1.mga1
php-ZendFramework-demos-1.11.0-1.1.mga1
php-ZendFramework-tests-1.11.0-1.1.mga1
php-ZendFramework-extras-1.11.0-1.1.mga1
php-ZendFramework-Cache-Backend-Apc-1.11.0-1.1.mga1
php-ZendFramework-Cache-Backend-Memcached-1.11.0-1.1.mga1
php-ZendFramework-Captcha-1.11.0-1.1.mga1
php-ZendFramework-Dojo-1.11.0-1.1.mga1
php-ZendFramework-Feed-1.11.0-1.1.mga1
php-ZendFramework-Gdata-1.11.0-1.1.mga1
php-ZendFramework-Pdf-1.11.0-1.1.mga1
php-ZendFramework-Search-Lucene-1.11.0-1.1.mga1
php-ZendFramework-Services-1.11.0-1.1.mga1
php-ZendFramework-1.11.11-1.1.mga2
php-ZendFramework-demos-1.11.11-1.1.mga2
php-ZendFramework-tests-1.11.11-1.1.mga2
php-ZendFramework-extras-1.11.11-1.1.mga2
php-ZendFramework-Cache-Backend-Apc-1.11.11-1.1.mga2
php-ZendFramework-Cache-Backend-Memcached-1.11.11-1.1.mga2
php-ZendFramework-Captcha-1.11.11-1.1.mga2
php-ZendFramework-Dojo-1.11.11-1.1.mga2
php-ZendFramework-Feed-1.11.11-1.1.mga2
php-ZendFramework-Gdata-1.11.11-1.1.mga2
php-ZendFramework-Pdf-1.11.11-1.1.mga2
php-ZendFramework-Search-Lucene-1.11.11-1.1.mga2
php-ZendFramework-Services-1.11.11-1.1.mga2

from SRPMS:
php-ZendFramework-1.11.0-1.1.mga1.src.rpm
php-ZendFramework-1.11.11-1.1.mga2.src.rpm
Version: Cauldron => 2
Assignee: bugsquad => qa-bugs
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO
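Added example, not part of the original report and not Zend Framework's own patch: one way a PHP application can load an XML-RPC request body so that the DOCTYPE-based external entity declaration described in the advisory is refused before SimpleXMLElement sees it. loadXmlRpcRequest() and the sample requests are hypothetical and constructed here; PHP 7 or later is assumed.

```php
<?php
// Added illustration; not Zend Framework code. loadXmlRpcRequest() is a hypothetical helper.
function loadXmlRpcRequest(string $xml): SimpleXMLElement
{
    if ($xml === '') {
        throw new InvalidArgumentException('empty request body');
    }
    // XML-RPC needs no DTD, so a DOCTYPE in the request body is refused outright.
    if (strpos($xml, '<!DOCTYPE') !== false) {
        throw new InvalidArgumentException('DOCTYPE not allowed');
    }
    $prevErrors = libxml_use_internal_errors(true);
    // Before PHP 8 the entity loader is switched off explicitly; the call is deprecated
    // from 8.0, which requires libxml2 >= 2.9 where external loading is off by default.
    $prevLoader = PHP_VERSION_ID < 80000 ? libxml_disable_entity_loader(true) : null;
    try {
        $dom = new DOMDocument();
        // LIBXML_NONET forbids network access; LIBXML_NOENT (entity substitution) is not passed.
        if (!$dom->loadXML($xml, LIBXML_NONET)) {
            throw new InvalidArgumentException('malformed XML');
        }
        // Second check on the parsed tree catches a DOCTYPE the string test missed (e.g. UTF-16 input).
        foreach ($dom->childNodes as $node) {
            if ($node->nodeType === XML_DOCUMENT_TYPE_NODE) {
                throw new InvalidArgumentException('DOCTYPE not allowed');
            }
        }
        return simplexml_import_dom($dom);
    } finally {
        if ($prevLoader !== null) {
            libxml_disable_entity_loader($prevLoader);
        }
        libxml_clear_errors();
        libxml_use_internal_errors($prevErrors);
    }
}

// Constructed sample requests (not taken from the bug report).
$samples = [
    'plain'   => '<?xml version="1.0"?><methodCall><methodName>demo.ping</methodName></methodCall>',
    'doctype' => '<?xml version="1.0"?><!DOCTYPE methodCall [<!ENTITY e "x">]>'
               . '<methodCall><methodName>&e;</methodName></methodCall>',
];
foreach ($samples as $label => $xml) {
    try {
        echo $label, ': accepted, method ', loadXmlRpcRequest($xml)->methodName, "\n";
    } catch (InvalidArgumentException $e) {
        echo $label, ': rejected (', $e->getMessage(), ")\n";
    }
}
```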
Seems php-eaccelerator has to be uninstalled first, as it conflicts with php-apc. I'm looking into how to test this one on Mageia 2 i586 now.
CC: (none) => davidwhodgins
# pwd
/usr/share/php/Zend/tests
# phpunit --list-groups AllTests.php
This verison of PHPUnit is not supported in Zend Framework 1.x unit tests.

Is there a compatibility problem, or do I need to set some environment variables first?
Dave, let me look into this. I have a kolab package for cauldron that doesn't build because of tests
Status: NEW => ASSIGNED
Hi Thomas. Have you made progress? We are waiting for your input to continue validating this security update :)
CC: (none) => stormi
Whiteboard: MGA1TOO => MGA1TOO feedback
Severity: normal => major
I get:
# phpunit --list-groups AllTests.php
PHPUnit 3.3.17 by Sebastian Bergmann.

File "AllTests.php" does not exist.

What packages do you have installed?
I suggest pushing it, as it isn't a regression. I have similar results in cauldron, but I need to rebuild some php packages for php-5.4.
Whiteboard: MGA1TOO feedback => MGA1TOO
rpm -q -f /usr/share/php/Zend/tests/AllTests.php
php-ZendFramework-tests-1.11.11-1.1.mga2

Testing complete on Mageia 2 x86-64 using http://framework.zend.com/manual/en/learning.quickstart.create-project.html, putting the quickstart under /var/www/html/Zend, creating the symlink in the library directory to /usr/share/php/Zend/, and then using http://127.0.0.1/Zend/public/index.php to access the welcome page.

I'll test Mageia 2 i586 shortly.
Whiteboard: MGA1TOO => MGA1TOO has_procedure MGA2-64-OK
I am still getting
$ phpunit --list-groups AllTests.php
PHPUnit 3.3.17 by Sebastian Bergmann.

File "AllTests.php" does not exist.

after installation of php-ZendFramework-tests in mga1, so no regression.
BTW a lot of these tests have a problem. This is why we have to put so many % _define_exceptions into the spec files.
I will test mga2 tomorrow morning.
(In reply to comment #8)
> I am still getting $ phpunit --list-groups AllTests.php
> PHPUnit 3.3.17 by Sebastian Bergmann.
>
> File "AllTests.php" does not exist.
>
> after installation of php-ZendFramework-tests in mga1, so no regression.
> BTW a lot of these test have a problem. This is why we have to put so many %
> _define_exceptions into the spec files.
> I will test mga2 tomorrow morning.

Did you "/usr/share/php/Zend/tests/" first?
I'm having trouble getting the quickstart working on Mageia 2 i586.

The procedure I'm following is ...
urpmi task-lamp
rpm -e --nodeps php-eaccelerator-admin php-eaccelerator
urpmi php-pdo_sqlite
urpmi -a php-Zend
wget http://www.ody.ca/~dwhodgins/Zend.tar.gz
tar -xf Zend.tar.gz
cp -r css /var/www/html
cp -r Zend /var/www/html
chown -R apache:apache /var/www/html/Zend/data/db
service httpd start

Then go to http://127.0.0.1/Zend/public/index.php
Click on guestbook in the top right, and sign the guestbook.

The Zend.tar.gz is the same as the quickstart but with an added global.css file, and the database already loaded.

This worked in Mageia 2 x86-64, but in i586, I just get
An error occurred
Application error

How can I find out what the error is? There's nothing in /var/log/httpd/error_log.
(In reply to comment #9)
> (In reply to comment #8)
> > I am still getting $ phpunit --list-groups AllTests.php
> > PHPUnit 3.3.17 by Sebastian Bergmann.
> >
> > File "AllTests.php" does not exist.
> >
> > after installation of php-ZendFramework-tests in mga1, so no regression.
> > BTW a lot of these test have a problem. This is why we have to put so many %
> > _define_exceptions into the spec files.
> > I will test mga2 tomorrow morning.
>
> Did you "/usr/share/php/Zend/tests/" first?

Arrgh. Meant to write
Did you "cd /usr/share/php/Zend/tests/" first?
(In reply to comment #10)
>
> This worked in Mageia 2 x86-64, but in i586, I just get
> An error occurred
> Application error
>
> How can I find out what the error is? There's nothing in
> /var/log/httpd/error_log.

You need to enable php error logging, by setting log_errors=on in /etc/php.ini

The other one that can be helpful in php debugging is setting display_errors=on, also in /etc/php.ini

Both are disabled by default as they would flood logs with warnings (and errors).

Remember to restart apache after changing the configs.
CC: (none) => tmb
$ cd /usr/share/php/Zend/tests/
[spuhler@localhost tests]$ phpunit --list-groups AllTests.php
This verison of PHPUnit is not supported in Zend Framework 1.x unit tests.

Add the update test repo, then do
# urpmi php-ZendFramework -a
The php-ZendFramework 1.11.11 1.1.mga2 packages get installed.

Then do
phpunit --list-groups AllTests.php
This verison of PHPUnit is not supported in Zend Framework 1.x unit tests.

This gives the same result, so again no regression.
Thanks for the help. Figured out the problem. When I created the tar.gz file, I used file-roller, which defaults to following symlinks, so I had x86-64 php stuff in the 32 bit system. Testing complete on Mageia 2 32 bit. I'll test Mageia 1 shortly.
Whiteboard: MGA1TOO has_procedure MGA2-64-OK => MGA1TOO has_procedure MGA2-64-OK MGA2-32-OK
Created attachment 2605
Zend.tar.gz Sample quickstart application.

Attachment for use in future qa testing for Zend-Framework. Contains quickstart sample application ready for use.
Testing complete on Mageia 1 i586 using the procedure ...
urpmi task-lamp
rpm -e --nodeps php-eaccelerator-admin php-eaccelerator
urpmi php-pdo_sqlite # Required for sample app, not Zend-Framework itself
urpmi -a php-Zend
wget https://bugs.mageia.org/attachment.cgi?id=2605 -O Zend.tar.gz
tar -xf Zend.tar.gz
cp -r css /var/www/html
cp -r Zend /var/www/html
chown -R apache:apache /var/www/html/Zend/data/db
service httpd start

Then go to http://127.0.0.1/Zend/public/index.php
Click on guestbook in the top right, and sign the guestbook.
Whiteboard: MGA1TOO has_procedure MGA2-64-OK MGA2-32-OK => MGA1TOO has_procedure MGA2-64-OK MGA2-32-OK MGA1-32-OK
Testing complete on Mageia 1 x86-64.

Could someone from the sysadmin team push the srpm
php-ZendFramework-1.11.11-1.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
php-ZendFramework-1.11.0-1.1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated php-ZendFramework packages fix a security vulnerability:

A file disclosure flaw was found in the way SimpleXMLElement class of Zend Framework, a PHP framework, processed XML data provided within certain XML-RPC requests (external XML entities were previously possible to specify by adding a specific DOCTYPE element to particular XML-RPC request). A remote attacker could use this flaw to obtain sensitive information by issuing a specially-crafted XML-RPC request to the Zend Framework based PHP application (CVE-2012-3363).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3363
http://framework.zend.com/security/advisory/ZF2012-01
https://bugzilla.redhat.com/show_bug.cgi?id=835560
http://www.debian.org/security/2012/dsa-2505

https://bugs.mageia.org/show_bug.cgi?id=6666
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO has_procedure MGA2-64-OK MGA2-32-OK MGA1-32-OK => MGA1TOO has_procedure MGA2-64-OK MGA2-32-OK MGA1-32-OK MGA1-64-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0200
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=13102
Running this update on x86_64

Installed the packages before enabling Updates Testing.
Updated all the packages then followed the procedure in bug 6666#c16.

$ sudo urpmi task-lamp
Package task-lamp-3-4.mga5.noarch is already installed
# rpm -e --nodeps php-eaccelerator-admin php-eaccelerator
error: package php-eaccelerator-admin is not installed
error: package php-eaccelerator is not installed
# urpmi php-pdo_sqlite
installing php-pdo_sqlite-5.6.21-1.mga5
# urpmi -a php-Zend
No package named php-Zend
# wget https://bugs.mageia.org/attachment.cgi?id=2605 -O Zend.tar.gz
# ls
css/ install list report update* Zend/ Zend.tar.gz
# ls css
global.css
# ls Zend
application/ data/ library/ public/ scripts/ tests/
# chown -R apache:apache /var/www/html/Zend/data/db
# systemctl start httpd.service
# systemctl status httpd.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled)
   Active: active (running) since Fri 2016-05-06 08:23:16 BST; 1 weeks 3 days ago

Pointed browser at localhost:/Zend/public/index.php and, nothing. Blank page.
I guess this has something to do with missing package php-Zend. So, where can that be found, or has the name changed? urpmq comes up empty.
CC: (none) => tarazed25
Done it again!!! Wrong bug!