Bug 7083 - php-ZendFramework missing update for upstream security advisories ZF2011-01 and ZF2011-02
: php-ZendFramework missing update for upstream security advisories ZF2011-01 a...
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 1
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
:
: http://framework.zend.com/security/ad...
: MGA1-32-OK MGA1-64-OK
: Security, validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-08-16 19:59 CEST by David Walser
Modified: 2014-08-04 19:12 CEST (History)
3 users (show)

See Also:
Source RPM: php-ZendFramework-1.11.0-1.mga1.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2012-08-16 19:59:17 CEST
Fedora issued updates to the newer versions (1.11.4 and 1.11.6) that fixed these during the course of early last year.  Here are the upstream advisories:
http://framework.zend.com/security/advisory/ZF2011-01
http://framework.zend.com/security/advisory/ZF2011-02

Mageia 2 is not affected, as we have 1.11.11 there.

Upstream advisory ZF2012-01 was fixed by our last update.

For that one I was able to find the affect source files and update them to the version where they were fixed (1.11.12).  How do you want to handle these other ones?
Comment 1 Thomas Spuhler 2012-09-29 19:15:37 CEST
ZendFramework recommends:
we strongly urge you to consider upgrading to at least PHP 5.3.6 and use Zend Framework version 1.11.6 or greater.
As we have version 1.11.11 in mga2. I am going to upgrade mga1 to this versions.
Comment 2 David Walser 2012-09-29 20:53:05 CEST
Thanks Thomas.

Here's the package list that was built.

Once we have an advisory and you're ready, we can assign to QA.

php-ZendFramework-1.11.11-1.mga1
php-ZendFramework-demos-1.11.11-1.mga1
php-ZendFramework-tests-1.11.11-1.mga1
php-ZendFramework-extras-1.11.11-1.mga1
php-ZendFramework-Cache-Backend-Apc-1.11.11-1.mga1
php-ZendFramework-Cache-Backend-Memcached-1.11.11-1.mga1
php-ZendFramework-Captcha-1.11.11-1.mga1
php-ZendFramework-Dojo-1.11.11-1.mga1
php-ZendFramework-Feed-1.11.11-1.mga1
php-ZendFramework-Gdata-1.11.11-1.mga1
php-ZendFramework-Pdf-1.11.11-1.mga1
php-ZendFramework-Search-Lucene-1.11.11-1.mga1
php-ZendFramework-Services-1.11.11-1.mga1

from php-ZendFramework-1.11.11-1.mga1.src.rpm
Comment 3 Thomas Spuhler 2012-09-30 22:52:36 CEST
I upgraded the package as in Comment 1. 
I upgraded my mga1 on my VM box using urpmi from upgrades/testing and the upgrade went fine.
I have not installation to test it nor do I have the knowledge what/how to test.
I am going to assign it to QA
Comment 4 Dave Hodgins 2012-10-01 23:46:48 CEST
Testing complete on Mageia 1 i586 and x86-64 using the procedure
https://bugs.mageia.org/show_bug.cgi?id=6666#c16
Just testing for regressions.

Could someone from the sysadmin team push the srpm
php-ZendFramework-1.11.11-1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: This security update for php-ZendFramework corrects
ZF2011-01: Potential XSS in Development Environment Error View Script
ZF2011-02: Potential SQL Injection Vector When Using PDO_MySql

https://bugs.mageia.org/show_bug.cgi?id=7083
Comment 6 Thomas Backlund 2012-10-06 18:01:23 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0285
Comment 7 David Walser 2014-08-04 19:12:15 CEST
ZF2011-02 appears to have CVE-2011-1939:
http://www.gentoo.org/security/en/glsa/glsa-201408-01.xml
http://lwn.net/Vulnerabilities/607576/

Note You need to log in before you can comment on or make changes to this bug.