Debian Bug report logs - #696483
zendframework: CVE-2012-5657
Reported by: Moritz Muehlenhoff <jmm@inutil.org>
Date: Fri, 21 Dec 2012 11:57:03 UTC
Severity: grave
Tags: patch, security
Fixed in versions zendframework/1.11.13-1.1, zendframework/1.10.6-1squeeze2
Done: Frank Habermann <lordlamer@lordlamer.de>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Frank Habermann <lordlamer@lordlamer.de>: Bug#696483; Package zendframework. (Fri, 21 Dec 2012 11:57:06 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Frank Habermann <lordlamer@lordlamer.de>. (Fri, 21 Dec 2012 11:57:06 GMT)
Message #5 received at submit@bugs.debian.org:
Package: zendframework
Severity: grave
Tags: security
Justification: user security hole
This was assigned CVE-2012-5657:
http://framework.zend.com/security/advisory/ZF2012-05
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Frank Habermann <lordlamer@lordlamer.de>: Bug#696483; Package zendframework. (Tue, 25 Dec 2012 16:39:07 GMT)
Acknowledgement sent to Luca Falavigna <dktrkranz@debian.org>: Extra info received and forwarded to list. Copy sent to Frank Habermann <lordlamer@lordlamer.de>. (Tue, 25 Dec 2012 16:39:07 GMT)
Message #10 received at 696483@bugs.debian.org:
Control: tags -1 path
Attached patch, taken from upstream SVN repository at
http://framework.zend.com/svn/framework/standard/branches/release-1.11/,
should fix this issue.
[1.11.13-1.1.debdiff (application/octet-stream, attachment)]
Added tag(s) patch. Request was from Luca Falavigna <dktrkranz@debian.org> to control@bugs.debian.org. (Tue, 25 Dec 2012 16:45:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Frank Habermann <lordlamer@lordlamer.de>: Bug#696483; Package zendframework. (Fri, 28 Dec 2012 19:39:03 GMT)
Acknowledgement sent to Luca Falavigna <dktrkranz@debian.org>: Extra info received and forwarded to list. Copy sent to Frank Habermann <lordlamer@lordlamer.de>. (Fri, 28 Dec 2012 19:39:03 GMT)
Message #17 received at 696483@bugs.debian.org:
Control: tags -1 pending
I've uploaded an NMU with the patch above to DELAYED/7.
Added tag(s) pending. Request was from Luca Falavigna <dktrkranz@debian.org> to 696483-submit@bugs.debian.org. (Fri, 28 Dec 2012 19:39:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#696483; Package zendframework. (Sat, 29 Dec 2012 22:12:05 GMT)
Acknowledgement sent to Frank Habermann <lordlamer@lordlamer.de>: Extra info received and forwarded to list. (Sat, 29 Dec 2012 22:12:05 GMT)
Message #24 received at 696483@bugs.debian.org:
Hi,
> I've uploaded a NMU with the patch above to DELAYED/7.
Thanks for your patch and the work, and sorry for the delayed answer.
Christmas holidays and family ;)
Now I am working on a patch for stable/squeeze.
regards,
Frank
Reply sent to Luca Falavigna <dktrkranz@debian.org>: You have taken responsibility. (Fri, 04 Jan 2013 21:00:11 GMT)
Notification sent to Moritz Muehlenhoff <jmm@inutil.org>: Bug acknowledged by developer. (Fri, 04 Jan 2013 21:00:11 GMT)
Message #29 received at 696483-close@bugs.debian.org:
Source: zendframework
Source-Version: 1.11.13-1.1
We believe that the bug you reported is fixed in the latest version of
zendframework, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 696483@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Luca Falavigna <dktrkranz@debian.org> (supplier of updated zendframework package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 28 Dec 2012 20:24:22 +0100
Source: zendframework
Binary: zendframework zendframework-bin zendframework-resources
Architecture: source all
Version: 1.11.13-1.1
Distribution: unstable
Urgency: high
Maintainer: Frank Habermann <lordlamer@lordlamer.de>
Changed-By: Luca Falavigna <dktrkranz@debian.org>
Description:
zendframework - powerful PHP framework
zendframework-bin - binary scripts for zendframework
zendframework-resources - resource scripts for zendframework
Closes: 696483
Changes:
zendframework (1.11.13-1.1) unstable; urgency=high
.
* Non-maintainer upload.
* debian/patches/02-ZF2012-05:
- Fix for CVE-2012-5657: remove the XXE vector by calling
libxml_disable_entity_loader() before attempting to parse the
feed via DOMDocument::loadXML(). Patch taken from upstream SVN
repository, revision 25159 (Closes: #696483).
Checksums-Sha1:
6387ccc3e689e4f74a3d13cce7c1da24b149ff08 1918 zendframework_1.11.13-1.1.dsc
fe9277b415aa2013a522d33d039edb25799fef08 8005 zendframework_1.11.13-1.1.diff.gz
898a141c201c9db3a54d2fa835abc9daced39840 3723204 zendframework_1.11.13-1.1_all.deb
88ceff1e734099526a7bd94a1249565af5a13873 9994 zendframework-bin_1.11.13-1.1_all.deb
649625b4b6fbb0d076b706e449fd5aa0198a43c3 37876 zendframework-resources_1.11.13-1.1_all.deb
Checksums-Sha256:
95cc9d8f8b863d8be123d18945d06cab7b936cfe5f0632428f529894b43b96f1 1918 zendframework_1.11.13-1.1.dsc
fa01161c3f59173e613ba85ed4612752773ca867faeea795a10ac45dc9b05fe9 8005 zendframework_1.11.13-1.1.diff.gz
c12285c7e968b70f72fe16adbd2f7d28fe7d8cb88afb0dd2663ff8dfa3743adf 3723204 zendframework_1.11.13-1.1_all.deb
a4f1a4e408ded9bb81fd3d854d5d4bf136fcf96344754e370382b4ebda6d35ef 9994 zendframework-bin_1.11.13-1.1_all.deb
192ecb62288190f3826c46457800c3a890ef21085ae9c4c05518bce2b7befa8a 37876 zendframework-resources_1.11.13-1.1_all.deb
Files:
5419a8339eec6fcb115afc6f2d7b2744 1918 web optional zendframework_1.11.13-1.1.dsc
4206ee3b92d96f4d659cc5d14014892a 8005 web optional zendframework_1.11.13-1.1.diff.gz
92dc06937233b05d42bbba37f1839e11 3723204 web optional zendframework_1.11.13-1.1_all.deb
90f3c15a66e83015c7405bec8afef88b 9994 web optional zendframework-bin_1.11.13-1.1_all.deb
dfd14a09e00d9906205c008208a6f5ab 37876 web optional zendframework-resources_1.11.13-1.1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
=iusZ
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#696483; Package zendframework. (Mon, 07 Jan 2013 20:24:09 GMT)
Acknowledgement sent to Frank Habermann <lordlamer@lordlamer.de>: Extra info received and forwarded to list. (Mon, 07 Jan 2013 20:24:09 GMT)
Message #34 received at 696483@bugs.debian.org:
Hi,
I have prepared a package for squeeze:
http://debian.lordlamer.de/zendframework/1.10.6squeeze1/zendframework_1.10.6-1squeeze2.dsc
I also tested it, and it fixes the problem.
I will contact security team now.
regards,
Frank
Reply sent to Frank Habermann <lordlamer@lordlamer.de>: You have taken responsibility. (Tue, 08 Jan 2013 23:06:06 GMT)
Notification sent to Moritz Muehlenhoff <jmm@inutil.org>: Bug acknowledged by developer. (Tue, 08 Jan 2013 23:06:06 GMT)
Message #39 received at 696483-close@bugs.debian.org:
Source: zendframework
Source-Version: 1.10.6-1squeeze2
We believe that the bug you reported is fixed in the latest version of
zendframework, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 696483@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Frank Habermann <lordlamer@lordlamer.de> (supplier of updated zendframework package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 7 Jan 2013 20:52:00 +0200
Source: zendframework
Binary: zendframework zendframework-bin
Architecture: source all
Version: 1.10.6-1squeeze2
Distribution: squeeze-security
Urgency: high
Maintainer: Frank Habermann <lordlamer@lordlamer.de>
Changed-By: Frank Habermann <lordlamer@lordlamer.de>
Description:
zendframework - powerful PHP framework
zendframework-bin - binary scripts for zendframework
Closes: 696483
Changes:
zendframework (1.10.6-1squeeze2) squeeze-security; urgency=high
.
* Fix for CVE-2012-5657: remove the XXE vector by calling
libxml_disable_entity_loader() before attempting to parse the
feed via DOMDocument::loadXML() (Closes: #696483).
Checksums-Sha1:
09234307c972f5f337a7ebdb9d72cf7d8ad984d9 1411 zendframework_1.10.6-1squeeze2.dsc
feb258fe87a3916135ff51a29b90dbcb5a024c4a 6158 zendframework_1.10.6-1squeeze2.diff.gz
1bd1be2e64d8ccb868bd1ccc944128adf4854f4d 3591838 zendframework_1.10.6-1squeeze2_all.deb
803e190d8d39a08588c63d95465f2227e69fe713 9404 zendframework-bin_1.10.6-1squeeze2_all.deb
Checksums-Sha256:
962b9dd71e0fc975af49d2c832495645c3406d2a3fd699b3ea13f4baf7c55965 1411 zendframework_1.10.6-1squeeze2.dsc
df9949860966dd09bcb1a2735139fa5808366bbbbc4f72c6ab9d46a734750b8a 6158 zendframework_1.10.6-1squeeze2.diff.gz
adee482bf97618566f031c30dfadabb55513e385d3347a1a0ed2251f13d6257b 3591838 zendframework_1.10.6-1squeeze2_all.deb
74017cd2ffe721b096e88c7b8919d353b8b10c2a69710c79f4b30f6d28eb8c0d 9404 zendframework-bin_1.10.6-1squeeze2_all.deb
Files:
4a99cde76467b5ae4bc1a3e699454b60 1411 web optional zendframework_1.10.6-1squeeze2.dsc
64ac7a0e20dc9e5be0b6dea96f6a92e9 6158 web optional zendframework_1.10.6-1squeeze2.diff.gz
7a48bb70ce4aefa0e59fb6d8b98e61ef 3591838 web optional zendframework_1.10.6-1squeeze2_all.deb
5a9c6bbc371ad6a408f029fb152d6982 9404 web optional zendframework-bin_1.10.6-1squeeze2_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iQEcBAEBAgAGBQJQ679oAAoJEL97/wQC1SS+1jgH/j0zT7K/5DMssZZoj0aaRTiJ
gXcRunCrZB+qT56Km9JZ8VCjsiafhPO/2mfMrbBXsGHfBKvX/kMobFbNPjh4Cvrf
w1XLuhMPOHTyOt/MGXWurtNqQqWdokwJ8GmMDPAmEgjmSB4j6HlOYni1NDInRizw
OUXSHqueFaqX7FuKrSPyhm6mjUfATWdY8bbEJf0eWIjnICb8TRvR3fVe8PnxK89q
5i4G+alsy5XggFYKe1xwrLlHt3e1BoRvUZJn/ATN2Flvd7GphQzH4/OwpiyHFmYT
bGkUwJVFAc94tNVcsk/tV1T3DhUTFtHH8Zm3dLw6+TEXgQL1zNfJ/g0Cqp9N/lM=
=12Ip
-----END PGP SIGNATURE-----
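Both changelog entries above describe the same fix: call libxml_disable_entity_loader() before the feed is handed to DOMDocument::loadXML(), so that a crafted feed cannot make libxml fetch external entities. The following is an added example, not code from Zend Framework or from the Debian patch, showing what that mitigation looks like when parsing untrusted feed XML; the function names, the DOCTYPE rejection and the sample feeds are constructed for illustration.

```php
<?php
// Added example (not Zend Framework or Debian code): parse untrusted feed
// XML with external entity loading disabled, the mitigation described in
// the changelog for CVE-2012-5657. All names and sample data are constructed.

declare(strict_types=1);

/**
 * Parse untrusted feed XML into a DOMDocument with external entity
 * resolution disabled. Returns null if the document is rejected or malformed.
 */
function parseUntrustedFeed(string $xml): ?DOMDocument
{
    // Defence in depth (an assumption of this example, not part of the Debian
    // patch): a feed has no legitimate use for a DOCTYPE, and the DOCTYPE is
    // the only place entity declarations can live, so refuse it outright.
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        return null;
    }

    // The fix from the changelog: stop libxml from fetching external entities.
    // On PHP < 8.0 the loader is enabled by default, so the call is required.
    // PHP 8.0+ ships libxml 2.9+, where it is already off and the function is
    // deprecated, so only call it where it changes behaviour.
    $previousLoader = null;
    if (PHP_VERSION_ID < 80000) {
        $previousLoader = libxml_disable_entity_loader(true);
    }

    // Collect libxml errors instead of emitting warnings on malformed input.
    $previousErrors = libxml_use_internal_errors(true);

    try {
        $dom = new DOMDocument();
        $dom->resolveExternals = false;   // never fetch an external DTD subset
        $dom->substituteEntities = false; // never expand entity references

        // LIBXML_NONET forbids any network access while parsing.
        // LIBXML_NOENT is deliberately absent: it would enable substitution.
        $loaded = $dom->loadXML($xml, LIBXML_NONET);
        return $loaded ? $dom : null;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previousErrors);
        if ($previousLoader !== null) {
            libxml_disable_entity_loader($previousLoader);
        }
    }
}

/**
 * Collect the <item><title> texts of a parsed RSS document (constructed helper).
 */
function feedItemTitles(DOMDocument $dom): array
{
    $titles = [];
    foreach ($dom->getElementsByTagName('item') as $item) {
        $title = $item->getElementsByTagName('title')->item(0);
        $titles[] = $title ? trim($title->textContent) : '';
    }
    return $titles;
}

// Constructed sample 1: an ordinary RSS feed, which must parse.
$benignFeed = <<<XML
<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel><title>Example</title>
<item><title>First post</title><link>http://example.invalid/1</link></item>
<item><title>Second post</title><link>http://example.invalid/2</link></item>
</channel></rss>
XML;

// Constructed sample 2: the same kind of feed carrying a DOCTYPE with a
// harmless internal entity. Feeds do not need a DOCTYPE, so the hardened
// parser rejects the document before libxml sees the entity declaration.
$doctypeFeed = <<<XML
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rss [ <!ENTITY vendor "Example"> ]>
<rss version="2.0"><channel><title>&vendor;</title></channel></rss>
XML;

$dom = parseUntrustedFeed($benignFeed);
echo "benign feed: ", $dom ? implode(', ', feedItemTitles($dom)) : 'rejected', "\n";

$dom = parseUntrustedFeed($doctypeFeed);
echo "feed with DOCTYPE: ", $dom ? 'parsed' : 'rejected', "\n";
```

The loader state and error mode are restored in the `finally` block because libxml_disable_entity_loader() and libxml_use_internal_errors() are process-global settings: a library that flips them without restoring the previous values changes the behaviour of every other XML consumer in the same request, which is exactly the kind of hidden coupling a framework-level fix has to avoid.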
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Feb 2013 07:29:55 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 18:01:07 2019; Machine Name: buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.