Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2012.0633
zendframework security update
2 July 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: zendframework
Publisher: Debian
Operating System: Debian GNU/Linux 6
UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Access Privileged Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2012-3363
Original Bulletin:
http://www.debian.org/security/2012/dsa-2505
Comment: This advisory references vulnerabilities in products which run on
platforms other than Debian. It is recommended that administrators
running zendframework check for an updated version of the software
for their operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2505-1 security@debian.org
http://www.debian.org/security/ Florian Weimer
June 29, 2012 http://www.debian.org/security/faq
- - -------------------------------------------------------------------------
Package : zendframework
Vulnerability : information disclosure
Problem type : remote
Debian-specific: no
CVE ID : CVE-2012-3363
Debian Bug : 679215
An XML External Entities inclusion vulnerability was discovered in
Zend Framework, a PHP library. This vulnerability may allow attackers
to access to local files, depending on how the framework is used.
For the stable distribution (squeeze), this problem has been fixed in
version 1.10.6-1squeeze1.
For the unstable distribution (sid), this problem has been fixed in
version 1.11.12-1.
We recommend that you upgrade your zendframework packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iQEcBAEBAgAGBQJP7gbWAAoJEL97/wQC1SS+6OEH/jkrMyTtmsitOAl2zutL6iLu
eMB755peBuBb+PWL6JxK9cnI+tiWl4R1USQ7bpZKm6d0ZzRZRk6phDatUR5HXPDn
DwzHF2J3hnxP4oaigpLZWSBM1vUP74ORyENSX8pznC46KZ3e/9eMCJ4Ueqw10jAD
P2fdjPhy96LNexOBtj5p0UGsiQ0tPVqVV8ZTmmIr56RKi9PJ9/9oZeI0WUO6YS8u
aqFKT48STxzmgXTxh8ImxTbsNaLjmxxIs407HxCEX0XG06tv2W7EaSDOxuwr2y7F
g9NQqubqj7l/QWBISzbjDZR3OhiPKlWySYJYcde0ZW/ewbweImTxb4t/n71mkgU=
=JrgU
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBT/ELIe4yVqjM2NGpAQLQjxAAhba2gdbKWbPAs9w0kSL+vZ0+rvwpuF2J
lgse+TVOIDsdfiu6QB5ZryAsAuTdl0iplheCrgGkFcS/4RdQ3wFamLx0eg8cFkmJ
QTVYt1HNKbXggtEDFxa87gUM3tgC3Z327QVg2/mBjOpQ2cfuL8cuV7rqPewnCLvF
+xjh/BSmTQhD+X8ILg5m8v4vbY7lI0mwnqkIUysWrY1JBTuupn+pFugpyXpMcPwh
yDwT8Ji9f1Wxz87S4ruZUh1m12bQ84dl0tLg8tlAY7NPwzfu0TthpDJBdJEWcQ0K
1wm8re8Gg22LTWkVcobEzWN2Rkt0RAoxk8PVY3ZLvXZevOLTK306ECh+O56sAuUi
a8qNJhqqW3O0tvZ9FRvqk0kVyFzxwZmfejGcGLfHjUSwmtOv2fQKAK2CwBK46PZH
hq1FyEb82BjDysCSHlwjGeo1OSJxN7g7rRtLKLlC7T15eL1CU+YQwKVdjjCaFHma
PhIXD+krLNTnFjhlnGQepaOS8ITl2TuDGPysuiKy5JUG6hOP6B+00gMajDOex/Wi
4EPwKbyZU8Yuk/bzycQkpzRDCQgV9OXrqo+xwlMWQKvdfMFSe/fo6CwexF9w2KZj
IDhnleUI1KNTG7fOMoZjG3iBXfcqWbRd+Nl3j1izAdCxswhVT10L2ttxlcCjujip
4L0YzrwnVsk=
=ilWt
-----END PGP SIGNATURE-----