Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2013.0050 zendframework security update 9 January 2013 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: zendframework Publisher: Debian Operating System: Debian GNU/Linux 6 UNIX variants (UNIX, Linux, OSX) Windows Impact/Access: Access Privileged Data -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2012-5657 Original Bulletin: http://www.debian.org/security/2013/dsa-2602 Comment: This advisory references vulnerabilities in products which run on platforms other than Debian. It is recommended that administrators running zendframework check for an updated version of the software for their operating system. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - ------------------------------------------------------------------------- Debian Security Advisory DSA-2602-1 security@debian.org http://www.debian.org/security/ Florian Weimer January 08, 2013 http://www.debian.org/security/faq - - ------------------------------------------------------------------------- Package : zendframework Vulnerability : XML external entity inclusion Problem type : remote Debian-specific: no CVE ID : CVE-2012-5657 Debian Bug : 696483 Yury Dyachenko discovered that Zend Framework uses the PHP XML parser in an insecure way, allowing attackers to open files and trigger HTTP requests, potentially accessing restricted information. For the stable distribution (squeeze), this problem has been fixed in version 1.10.6-1squeeze2. For the testing distribution (wheezy), this problem has been fixed in version 1.11.13-1.1. For the unstable distribution (sid), this problem has been fixed in version 1.11.13-1.1. We recommend that you upgrade your zendframework packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJQ7Gb6AAoJEL97/wQC1SS+4U0H/2jTQI7RX2qiMTouR63726zq apXl7/MH+DkXGxTzm+0gHAE5oPGv9xoSNw+TN9QS9ltGOnSJywEphDc5B3IthbSd aD4lHXlFdu4EZqKTUrCKcWcxFQxoPbHdCkt/yCujkUF+KljHVLdx5mm7/+416NBV KrZHr7ni9Cekp6wWMj3zYE+mSGeBhgElvBBWAdDudMbtS7RlpqMqO3UhSdbM1mXz 6sOzXCBWDEtCwrJM7LgCNZyJT8ZZPv/8A3l23r0uhA5Nw2sUs3k9GSUMd6aylJTe BgBKYYUiZRGoMxgBWyCgogTMh27G37A535haUUZGv93M0GyivlBVTkezZKwvzQs= =I6pV - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBUO0RQO4yVqjM2NGpAQKatRAAvmEc03jQcYHiMVChi+j6cMWBlFEQTgCD 8QU7srCROqLmw8bkkemzm0SvT5GUX1RCJ9jv0FKSW5SuOTKum2pVgdpYHVsI/H2+ 0NcT6XlAwy38YgUm2HxfHLvnJ4LGjxv06k/B61sbnXSKhcgMbqILcJqJHqQgR3/6 UrQ4GLTWKTHJIAiSawqDtzn7WCZnJjaR+D6IsVr63qeVPc1oUGPUaqO9bnRtaF8O ZnDF9r1Vu4IomEw9ngJEXIaE/0ul9ZAqxkaCUTgt3EItrUQd816LhJ+xwTbSS8Qj fsgqbdyMORUyS29PNEofLPaWPblza4zlvUxsZz5Z4+7bI9EAQAoYFQURdmAi3Ctv 8w+x0H5oQ9c7YmQ2FSmGE+Ty2Z9eegn7IZDZ4rG4J1/GZifo/tU3z60RJXRfNknL tfThaidTpQDm5NcUTTJLxDuY556AyRr7WFoNqgwNdavoj8VYPbvyCGcL1z8de+xe KC0Ouevt/2HuMf/tnKZ+mBfzogl61tZHQlDbCS6980xgWlpMb8RTC7o2L6N7/FGB NvNwc+4Cn6rscu1JUT+E1o/jpLtL2vXe8r/VQ+3pa7h+lvFzc9gTc+h7wSBa2smj 8s8tJRl/NvNS/6S2mZA/+cWeEVOHcG8vDCCfp0zIeQX1HSAX/6ip2lWk4E5QV64z 5TNgMrIufsg= =ySsN -----END PGP SIGNATURE-----