Fedora issued updates to the newer versions (1.11.4 and 1.11.6) that fixed these during the course of early last year. Here are the upstream advisories:
http://framework.zend.com/security/advisory/ZF2011-01
http://framework.zend.com/security/advisory/ZF2011-02
Mageia 2 is not affected, as we have 1.11.11 there. Upstream advisory ZF2012-01 was fixed by our last update. For that one I was able to find the affected source files and update them to the version where they were fixed (1.11.12). How do you want to handle these other ones?
ZendFramework recommends: "we strongly urge you to consider upgrading to at least PHP 5.3.6 and use Zend Framework version 1.11.6 or greater." As we have version 1.11.11 in mga2, I am going to upgrade mga1 to this version.
Status: NEW => ASSIGNED
Thanks Thomas. Here's the package list that was built. Once we have an advisory and you're ready, we can assign to QA.
php-ZendFramework-1.11.11-1.mga1
php-ZendFramework-demos-1.11.11-1.mga1
php-ZendFramework-tests-1.11.11-1.mga1
php-ZendFramework-extras-1.11.11-1.mga1
php-ZendFramework-Cache-Backend-Apc-1.11.11-1.mga1
php-ZendFramework-Cache-Backend-Memcached-1.11.11-1.mga1
php-ZendFramework-Captcha-1.11.11-1.mga1
php-ZendFramework-Dojo-1.11.11-1.mga1
php-ZendFramework-Feed-1.11.11-1.mga1
php-ZendFramework-Gdata-1.11.11-1.mga1
php-ZendFramework-Pdf-1.11.11-1.mga1
php-ZendFramework-Search-Lucene-1.11.11-1.mga1
php-ZendFramework-Services-1.11.11-1.mga1
from php-ZendFramework-1.11.11-1.mga1.src.rpm
I upgraded the package as in Comment 1. I upgraded my mga1 on my VM box using urpmi from upgrades/testing and the upgrade went fine. I have no installation to test it, nor do I have the knowledge of what/how to test. I am going to assign it to QA.
Assignee: thomas => qa-bugs
Testing complete on Mageia 1 i586 and x86-64 using the procedure https://bugs.mageia.org/show_bug.cgi?id=6666#c16. Just testing for regressions.
Could someone from the sysadmin team push the srpm php-ZendFramework-1.11.11-1.mga1.src.rpm from Mageia 1 Core Updates Testing to Core Updates.
Advisory:
This security update for php-ZendFramework corrects
ZF2011-01: Potential XSS in Development Environment Error View Script
ZF2011-02: Potential SQL Injection Vector When Using PDO_MySql
https://bugs.mageia.org/show_bug.cgi?id=7083
Keywords: (none) => Security, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: (none) => MGA1-32-OK MGA1-64-OK
References:
http://framework.zend.com/security/advisory/ZF2011-01
http://framework.zend.com/security/advisory/ZF2011-02
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0285
Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
ZF2011-02 appears to have CVE-2011-1939:
http://www.gentoo.org/security/en/glsa/glsa-201408-01.xml
http://lwn.net/Vulnerabilities/607576/