zendframework: two security issues

Debian Bug report logs - #743175


Reported by: "Thijs Kinkhorst" <thijs@debian.org>

Date: Mon, 31 Mar 2014 08:33:01 UTC

Severity: serious

Tags: fixed-upstream, patch, security

Fixed in version zendframework/1.12.5-0.1

Done: David Prévot <taffit@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, Frank Habermann <lordlamer@lordlamer.de>:
Bug#743175; Package zendframework. (Mon, 31 Mar 2014 08:33:06 GMT)


Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
New Bug report received and forwarded. Copy sent to Frank Habermann <lordlamer@lordlamer.de>. (Mon, 31 Mar 2014 08:33:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: "Thijs Kinkhorst" <thijs@debian.org>
To: submit@bugs.debian.org
Subject: zendframework: two security issues
Date: Mon, 31 Mar 2014 10:30:08 +0200
Package: zendframework
Severity: serious
Tags: security fixed-upstream patch

Hi,

Two new security advisories were published for the Zend Framework.

* ZF2014-01: Potential XXE/XEE attacks using PHP functions:
simplexml_load_*, DOMDocument::loadXML, and xml_parse
http://framework.zend.com/security/advisory/ZF2014-01
* ZF2014-02: Potential security issue in login mechanism of ZendOpenId and
Zend_OpenId consumer
http://framework.zend.com/security/advisory/ZF2014-02


Can you please see to it that these are addressed in Debian?


Cheers,
Thijs



Information forwarded to debian-bugs-dist@lists.debian.org, Frank Habermann <lordlamer@lordlamer.de>:
Bug#743175; Package zendframework. (Tue, 01 Apr 2014 08:30:09 GMT)


Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Frank Habermann <lordlamer@lordlamer.de>. (Tue, 01 Apr 2014 08:30:09 GMT)


Message #10 received at 743175@bugs.debian.org:

From: "Thijs Kinkhorst" <thijs@debian.org>
To: 743175@bugs.debian.org
Subject: Re: zendframework: two security issues
Date: Tue, 1 Apr 2014 10:28:27 +0200
Hi,

CVE names have been assigned for these issues. The assignment is rather
complicated. If you fix both issues in one upload it's ok to just mention
that it addresses the 5 CVEs named below.



http://framework.zend.com/security/advisory/ZF2014-01

CVE-2014-2681 - This CVE is for the lack of protection against XML
External Entity injection attacks in some functions, because of the
incomplete fix in CVE-2012-5657. It appears that this only affects
Zend Framework 1.x, although that isn't critical to determining the
number of CVE IDs.

CVE-2014-2682 - This CVE is for the failure to consider that the
libxml_disable_entity_loader setting is shared among threads in the
PHP-FPM case. Again, the existence of this CVE means that the
CVE-2012-5657 fix was incomplete. It appears that this affects more
than just Zend Framework 1.x, although that isn't critical to
determining the number of CVE IDs.

CVE-2014-2683 - This CVE is for the lack of protection against XML
Entity Expansion attacks in some functions, because of the incomplete
fix in CVE-2012-6532. It appears that this also affects more than just
Zend Framework 1.x, although that isn't critical to determining the
number of CVE IDs.


http://framework.zend.com/security/advisory/ZF2014-02

CVE-2014-2684 - This CVE is for the error in the consumer's verify
method that leads to acceptance of wrongly sourced tokens. The same
CVE is used for Zend Framework 1.x and ZendOpenId 2.x, even though the
code is not identical.

CVE-2014-2685 - This CVE is for the specification violation in which
signing of a single parameter is incorrectly considered sufficient.
Again, this CVE is for both Zend Framework 1.x and ZendOpenId 2.x.




Cheers,
Thijs
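The ZF2014-01 entries above describe two distinct weaknesses in XML handling: external entity loading (XXE) and entity expansion through a DTD (XEE), plus the fact that libxml_disable_entity_loader() is process-wide state shared between requests in a PHP-FPM worker. The following is an added illustration, not Zend Framework's code, of how a consumer of untrusted XML can handle all three; the function name loadXmlSafely and the sample documents are constructed for this example.

```php
<?php
// Added example (not Zend Framework code). Parse untrusted XML with
// external entity loading disabled, no network access, and any DOCTYPE
// (which is where entity declarations live) rejected outright.
// libxml_disable_entity_loader() is a process-wide flag, so its previous
// value is saved and restored instead of being assumed. (The function is
// deprecated since PHP 8.0, where entity loading is disabled by default.)
function loadXmlSafely(string $xml): DOMDocument
{
    $previousLoader = libxml_disable_entity_loader(true);   // block XXE
    $previousErrors = libxml_use_internal_errors(true);     // no PHP warnings on bad input
    try {
        $dom = new DOMDocument();
        // LIBXML_NONET forbids network fetches; LIBXML_NOENT is deliberately NOT set,
        // so entity references are never substituted during parsing.
        if ($dom->loadXML($xml, LIBXML_NONET) === false) {
            throw new RuntimeException('XML parse error');
        }
        // Reject any DOCTYPE: an internal DTD subset can declare entities
        // that expand exponentially (XEE, "billion laughs").
        foreach ($dom->childNodes as $child) {
            if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {
                throw new RuntimeException('XML document contains a DOCTYPE declaration');
            }
        }
        return $dom;
    } finally {
        // Restore shared state for the next request handled by this worker.
        libxml_disable_entity_loader($previousLoader);
        libxml_use_internal_errors($previousErrors);
    }
}

// Constructed samples: a plain document is accepted, a document carrying
// an internal DTD (entity declaration) is rejected before any expansion.
$plain = '<?xml version="1.0"?><order><id>42</id></order>';
echo loadXmlSafely($plain)->documentElement->nodeName, PHP_EOL;

$withDtd = '<?xml version="1.0"?><!DOCTYPE order [<!ENTITY e "x">]><order>&e;</order>';
try {
    loadXmlSafely($withDtd);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```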



Added tag(s) pending. Request was from David Prévot <taffit@debian.org> to control@bugs.debian.org. (Mon, 14 Apr 2014 15:51:15 GMT)
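For the ZF2014-02 entries in the message above (a consumer accepting wrongly sourced tokens, and a signature over a single parameter being treated as sufficient), here is an added illustration, not Zend_OpenId's code, of the two checks an OpenID 2.0 relying party makes on a positive assertion before trusting it. The function name assertionIsAcceptable is constructed, PHP 7 or later is assumed, and the HMAC verification of the signature itself is out of scope here.

```php
<?php
// Added example (not Zend_OpenId code). Two source-and-coverage checks on an
// OpenID 2.0 positive assertion ($params holds the decoded openid.* fields).
function assertionIsAcceptable(array $params, string $discoveredEndpoint): bool
{
    if (($params['openid.mode'] ?? '') !== 'id_res') {
        return false;
    }
    // The assertion must come from the OP endpoint found during discovery,
    // not from whatever endpoint the response itself claims.
    if (($params['openid.op_endpoint'] ?? '') !== $discoveredEndpoint) {
        return false;
    }
    // Fields OpenID Authentication 2.0 section 10.1 requires to be signed;
    // claimed_id and identity must be signed whenever they are present.
    $required = ['op_endpoint', 'return_to', 'response_nonce', 'assoc_handle'];
    foreach (['claimed_id', 'identity'] as $optional) {
        if (isset($params['openid.' . $optional])) {
            $required[] = $optional;
        }
    }
    // openid.signed lists the fields the signature covers; a list naming only
    // one parameter leaves the rest of the assertion unauthenticated.
    $signed = array_filter(array_map('trim', explode(',', $params['openid.signed'] ?? '')));
    foreach ($required as $field) {
        if (!in_array($field, $signed, true)) {
            return false;
        }
    }
    return true;   // signature (HMAC over the signed fields) is verified separately
}

// Constructed sample responses against a constructed discovered endpoint.
$endpoint = 'https://op.example.test/server';
$good = [
    'openid.mode' => 'id_res', 'openid.op_endpoint' => $endpoint,
    'openid.return_to' => 'https://rp.example.test/return', 'openid.response_nonce' => '2014-04-01T10:00:00Zabc',
    'openid.assoc_handle' => 'h1', 'openid.identity' => 'https://op.example.test/alice',
    'openid.signed' => 'op_endpoint,return_to,response_nonce,assoc_handle,identity',
];
$onlyOneSigned = $good;
$onlyOneSigned['openid.signed'] = 'return_to';
var_dump(assertionIsAcceptable($good, $endpoint));            // accepted
var_dump(assertionIsAcceptable($onlyOneSigned, $endpoint));   // rejected: coverage too narrow
```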


Information forwarded to debian-bugs-dist@lists.debian.org, Frank Habermann <lordlamer@lordlamer.de>:
Bug#743175; Package zendframework. (Mon, 14 Apr 2014 19:27:05 GMT)


Acknowledgement sent to David Prévot <taffit@debian.org>:
Extra info received and forwarded to list. Copy sent to Frank Habermann <lordlamer@lordlamer.de>. (Mon, 14 Apr 2014 19:27:05 GMT)


Message #17 received at 743175@bugs.debian.org:

From: David Prévot <taffit@debian.org>
To: 743175@bugs.debian.org
Subject: zendframework: diff for NMU version 1.12.5-0.1
Date: Mon, 14 Apr 2014 15:22:55 -0400
Dear maintainer,

I've prepared an NMU for zendframework (versioned as 1.12.5-0.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Even if the three upstream security-related commits apply cleanly to
the current version in Sid and Jessie, they do not apply properly to the
version in Wheezy, and some (minor) fixes have been committed after them
too, that’s why I’m proposing to upgrade the package to the latest
upstream version. The actual debdiff is huge (over 35MB), thus only
attaching the debian/ related changes.

Regards.

David
[zendframework-1.12.5-0.1-nmu_debian.diff (text/x-diff, attachment)]

Reply sent to David Prévot <taffit@debian.org>:
You have taken responsibility. (Sat, 19 Apr 2014 19:51:09 GMT)


Notification sent to "Thijs Kinkhorst" <thijs@debian.org>:
Bug acknowledged by developer. (Sat, 19 Apr 2014 19:51:10 GMT)


Message #22 received at 743175-close@bugs.debian.org:

From: David Prévot <taffit@debian.org>
To: 743175-close@bugs.debian.org
Subject: Bug#743175: fixed in zendframework 1.12.5-0.1
Date: Sat, 19 Apr 2014 19:50:27 +0000
Source: zendframework
Source-Version: 1.12.5-0.1

We believe that the bug you reported is fixed in the latest version of
zendframework, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 743175@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Prévot <taffit@debian.org> (supplier of updated zendframework package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 14 Apr 2014 14:48:35 -0400
Source: zendframework
Binary: zendframework zendframework-bin zendframework-resources
Architecture: source all
Version: 1.12.5-0.1
Distribution: unstable
Urgency: medium
Maintainer: Frank Habermann <lordlamer@lordlamer.de>
Changed-By: David Prévot <taffit@debian.org>
Description: 
 zendframework - powerful PHP framework
 zendframework-bin - binary scripts for zendframework
 zendframework-resources - resource scripts for zendframework
Closes: 743175
Changes: 
 zendframework (1.12.5-0.1) unstable; urgency=medium
 .
   * Non-maintainer upload
   * New upstream release, fixes several security issues (Closes: #743175):
     - ZF2014-01: Potential XXE/XEE attacks using PHP functions:
       simplexml_load_*, DOMDocument::loadXML, and xml_parse
       http://framework.zend.com/security/advisory/ZF2014-01
       [CVE-2014-2681] [CVE-2014-2682] [CVE-2014-2683]
     - ZF2014-02: Potential security issue in login mechanism of ZendOpenId and
       Zend_OpenId consumer
       http://framework.zend.com/security/advisory/ZF2014-02
       [CVE-2014-2684] [CVE-2014-2685]
   * Update copyright years
Checksums-Sha1: 
Checksums-Sha256: 
Files: 





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 23 May 2014 07:33:42 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:03:24 2019; Machine Name: buxtehude
