Potential SQL injection in the ORDER implementation of Zend_Db_Select (ZF2014-04)

Debian Bug report logs - #754201

Reported by: David Prévot <taffit@debian.org>

Date: Tue, 8 Jul 2014 16:33:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in versions zendframework/1.12.5-0.1, zendframework/1.11.13-1.1

Fixed in versions zendframework/1.12.7-0.1, zendframework/1.11.13-1.1+deb7u1

Done: David Prévot <taffit@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Frank Habermann <lordlamer@lordlamer.de>:
Bug#754201; Package zendframework. (Tue, 08 Jul 2014 16:33:06 GMT)


Acknowledgement sent to David Prévot <taffit@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Frank Habermann <lordlamer@lordlamer.de>. (Tue, 08 Jul 2014 16:33:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: David Prévot <taffit@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Potential SQL injection in the ORDER implementation of Zend_Db_Select (ZF2014-04)
Date: Tue, 8 Jul 2014 12:32:11 -0400
Package: zendframework
Version: 1.12.5-0.1
Severity: grave
Tags: security upstream patch

Affected versions: v1.12.0 up to v1.12.6 (Squeeze and Wheezy are not
affected)
Upstream security issue:
	http://framework.zend.com/security/advisory/ZF2014-04
Upstream patch:
	https://github.com/zendframework/zf1/commit/da09186c60b9168520e994af4253fba9c19c2b3d

Regards

David

Added tag(s) pending. Request was from David Prévot <taffit@debian.org> to control@bugs.debian.org. (Tue, 08 Jul 2014 16:36:11 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Frank Habermann <lordlamer@lordlamer.de>:
Bug#754201; Package zendframework. (Tue, 08 Jul 2014 17:39:08 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Frank Habermann <lordlamer@lordlamer.de>. (Tue, 08 Jul 2014 17:39:08 GMT)


Message #12 received at 754201@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: David Prévot <taffit@debian.org>, 754201@bugs.debian.org
Subject: Re: Bug#754201: Potential SQL injection in the ORDER implementation of Zend_Db_Select (ZF2014-04)
Date: Tue, 8 Jul 2014 19:36:15 +0200
Hi David,

On Tue, Jul 08, 2014 at 12:32:11PM -0400, David Prévot wrote:
> Package: zendframework
> Version: 1.12.5-0.1
> Severity: grave
> Tags: security upstream patch
> 
> Affected versions: v1.12.0 up to v1.12.6 (Squeeze and Wheezy are not
> affected)

I have not looked in detail at the reason, but could you clarify if
this is true for wheezy and squeeze? It looks like the same code is
present at least in wheezy here [1].

 [1] http://sources.debian.net/src/zendframework/1.11.13-1.1/library/Zend/Db/Select.php#L604

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Frank Habermann <lordlamer@lordlamer.de>:
Bug#754201; Package zendframework. (Tue, 08 Jul 2014 18:06:08 GMT)


Acknowledgement sent to David Prévot <taffit@debian.org>:
Extra info received and forwarded to list. Copy sent to Frank Habermann <lordlamer@lordlamer.de>. (Tue, 08 Jul 2014 18:06:08 GMT)


Message #17 received at 754201@bugs.debian.org:

From: David Prévot <taffit@debian.org>
To: 754201@bugs.debian.org
Subject: zendframework: diff for NMU version 1.12.7-0.1
Date: Tue, 8 Jul 2014 14:04:08 -0400
tags 754201 + pending
thanks

Dear maintainer,

I've prepared an NMU for zendframework (versioned as 1.12.7-0.1) and
uploaded it to DELAYED/10. Please feel free to tell me if I
should delay it longer.

Regards.

David
[zendframework-1.12.7-0.1-nmu.diff.xz (application/octet-stream, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Frank Habermann <lordlamer@lordlamer.de>:
Bug#754201; Package zendframework. (Tue, 08 Jul 2014 18:12:09 GMT)


Acknowledgement sent to "David Prévot" <taffit@debian.org>:
Extra info received and forwarded to list. Copy sent to Frank Habermann <lordlamer@lordlamer.de>. (Tue, 08 Jul 2014 18:12:09 GMT)


Message #22 received at 754201@bugs.debian.org:

From: "David Prévot" <taffit@debian.org>
To: "Salvatore Bonaccorso" <carnil@debian.org>, 754201@bugs.debian.org
Subject: Re: Bug#754201: Potential SQL injection in the ORDER implementation of Zend_Db_Select (ZF2014-04)
Date: Tue, 8 Jul 2014 14:08:24 -0400
Control: found -1 1.11.13-1.1

Hi Salvatore,

> On Tue, Jul 08, 2014 at 12:32:11PM -0400, David Prévot wrote:
>> Package: zendframework
>> Version: 1.12.5-0.1

>> Affected versions: v1.12.0 up to v1.12.6 (Squeeze and Wheezy are not
>> affected)
>
> I have not looked in detail about the reason

Seems like I incorrectly trusted the following source without verifying
it, sorry about that, and thank you for your double check:

https://github.com/sensiolabs/security-advisories/commit/023c95824fc9991d1c6d56aaf54cb3cb485386b1

Regards

David




Marked as found in versions zendframework/1.11.13-1.1. Request was from "David Prévot" <taffit@debian.org> to 754201-submit@bugs.debian.org. (Tue, 08 Jul 2014 18:12:09 GMT)


Reply sent to David Prévot <taffit@debian.org>:
You have taken responsibility. (Fri, 18 Jul 2014 17:51:11 GMT)


Notification sent to David Prévot <taffit@debian.org>:
Bug acknowledged by developer. (Fri, 18 Jul 2014 17:51:11 GMT)


Message #29 received at 754201-close@bugs.debian.org:

From: David Prévot <taffit@debian.org>
To: 754201-close@bugs.debian.org
Subject: Bug#754201: fixed in zendframework 1.12.7-0.1
Date: Fri, 18 Jul 2014 17:50:06 +0000
Source: zendframework
Source-Version: 1.12.7-0.1

We believe that the bug you reported is fixed in the latest version of
zendframework, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 754201@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Prévot <taffit@debian.org> (supplier of updated zendframework package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 08 Jul 2014 12:33:40 -0400
Source: zendframework
Binary: zendframework zendframework-bin zendframework-resources
Architecture: source all
Version: 1.12.7-0.1
Distribution: unstable
Urgency: medium
Maintainer: Frank Habermann <lordlamer@lordlamer.de>
Changed-By: David Prévot <taffit@debian.org>
Description:
 zendframework - powerful PHP framework
 zendframework-bin - binary scripts for zendframework
 zendframework-resources - resource scripts for zendframework
Closes: 754201
Changes:
 zendframework (1.12.7-0.1) unstable; urgency=medium
 .
   * Non-maintainer upload
   * New upstream release, fixes a security issue (Closes: #754201):
     - ZF2014-04: Potential SQL injection in the ORDER implementation of
       Zend_Db_Select
       http://framework.zend.com/security/advisory/ZF2014-04





Reply sent to David Prévot <taffit@debian.org>:
You have taken responsibility. (Fri, 22 May 2015 18:54:08 GMT)


Notification sent to David Prévot <taffit@debian.org>:
Bug acknowledged by developer. (Fri, 22 May 2015 18:54:08 GMT)


Message #34 received at 754201-close@bugs.debian.org:

From: David Prévot <taffit@debian.org>
To: 754201-close@bugs.debian.org
Subject: Bug#754201: fixed in zendframework 1.11.13-1.1+deb7u1
Date: Fri, 22 May 2015 18:52:35 +0000
Source: zendframework
Source-Version: 1.11.13-1.1+deb7u1

We believe that the bug you reported is fixed in the latest version of
zendframework, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 754201@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Prévot <taffit@debian.org> (supplier of updated zendframework package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 14 May 2015 11:50:05 -0400
Source: zendframework
Binary: zendframework zendframework-bin zendframework-resources
Architecture: source all
Version: 1.11.13-1.1+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Frank Habermann <lordlamer@lordlamer.de>
Changed-By: David Prévot <taffit@debian.org>
Description: 
 zendframework - powerful PHP framework
 zendframework-bin - binary scripts for zendframework
 zendframework-resources - resource scripts for zendframework
Closes: 743175 754201
Changes: 
 zendframework (1.11.13-1.1+deb7u1) wheezy-security; urgency=high
 .
   * Track Wheezy updates in the wheezy branch
   * Handle patches with gbp pq
   * Fix ZF2014-01: Potential XXE/XEE attacks.
     Numerous components utilizing PHP's DOMDocument, SimpleXML, and
     xml_parse functionality were vulnerable.
     http://framework.zend.com/security/advisory/ZF2014-01
     [CVE-2014-2681] [CVE-2014-2682] [CVE-2014-2683] (Closes: #743175)
   * Fix ZF2014-02: Security fix for OpenID.
     Potential security issue in login mechanism of ZendOpenId and
     Zend_OpenId consumer.
     http://framework.zend.com/security/advisory/ZF2014-02
     [CVE-2014-2684] [CVE-2014-2685] (Closes: #743175)
   * Fix ZF2014-04: Potential SQL injection.
     The implementation of the ORDER BY SQL statement in Zend_Db_Select of
     Zend Framework 1 contains a potential SQL injection when the query
     string passed contains parentheses.
     http://framework.zend.com/security/advisory/ZF2014-04
     [CVE-2014-4914] (Closes: #754201)
   * Fix ZF2014-05: Potential XML eXternal Entity injection vectors
     http://framework.zend.com/security/advisory/ZF2012-05
     [CVE-2014-8088]
   * Fix ZF2014-06: SQL injection vector when manually quoting values
     http://framework.zend.com/security/advisory/ZF2014-06
     [CVE-2014-8089]
   * Fix ZF2015-04: CRLF injections in HTTP and Mail
     http://framework.zend.com/security/advisory/ZF2015-04
     [CVE-2015-3154]

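The ZF2014-04 entry in the changelog above says the ORDER BY implementation became injectable when the value passed contained parentheses. The following is an added, constructed Python model (not Zend Framework's code; the "parentheses mean this is an expression" heuristic is an assumption modelled on that one-line description, and the `Expr` type, function names and allowlist are invented for the illustration): a renderer that emits any parenthesised string verbatim, beside a hardened one that allowlists column names and accepts raw SQL only through an explicit developer-marked `Expr`.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Expr:
    """Raw SQL the developer wrote; never constructed from request data."""
    sql: str


def quote_identifier(name: str) -> str:
    # Double-quote an identifier, escaping embedded quotes (ANSI SQL style).
    return '"' + name.replace('"', '""') + '"'


def render_order_naive(value):
    """Risky shape the advisory describes (assumed model, not ZF1 code):
    a string containing parentheses is taken to be an SQL expression and
    is emitted verbatim, so an untrusted parenthesised value bypasses
    identifier quoting entirely."""
    if isinstance(value, Expr):
        return value.sql
    if "(" in value and ")" in value:  # "looks like an expression"
        return value
    m = re.fullmatch(r"\s*(\S+)\s*(ASC|DESC)?\s*", value, re.I)
    if not m:
        raise ValueError(f"bad ORDER BY spec: {value!r}")
    col, direction = m.groups()
    return quote_identifier(col) + (f" {direction.upper()}" if direction else "")


def render_order_strict(value, allowed_columns):
    """Hardened renderer: an untrusted string must be an allowlisted column
    name plus an optional direction; raw SQL is accepted only via Expr, so
    parentheses in request data are rejected rather than passed through."""
    if isinstance(value, Expr):
        return value.sql
    m = re.fullmatch(r"\s*([A-Za-z_]\w*)\s*(ASC|DESC)?\s*", value, re.I)
    if not m or m.group(1) not in allowed_columns:
        raise ValueError(f"rejected ORDER BY spec: {value!r}")
    col, direction = m.groups()
    return quote_identifier(col) + (f" {direction.upper()}" if direction else "")


def build_user_query(order_spec, allowed_columns=("id", "name", "created_at")):
    """Typical call site: the sort parameter arrives straight from a request."""
    return "SELECT * FROM users ORDER BY " + render_order_strict(order_spec, allowed_columns)
```

The naive renderer returns `LENGTH(name)` unquoted for that input, which is exactly the path that lets untrusted text reach the query as SQL; the strict one raises for it unless the developer wrapped it in `Expr`.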




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 20 Jun 2015 07:25:11 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:34:20 2019; Machine Name: buxtehude
