-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.1355.2
                         zendframework security update
                                  25 May 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           zendframework
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   Debian GNU/Linux 8
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-3154 CVE-2014-8089 CVE-2014-8088 CVE-2014-4914
                   CVE-2014-2685 CVE-2014-2684 CVE-2014-2683 CVE-2014-2682
                   CVE-2014-2681 CVE-2012-6532 CVE-2012-5657
Reference:         ESB-2013.0050

Original Bulletin:
   http://www.debian.org/security/2015/dsa-3265

Revision History:  May 25 2015: The update for zendframework issued as
                                DSA-3265-1 introduced a regression
                   May 21 2015: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3265-2                   security@debian.org
http://www.debian.org/security/                         Alessandro Ghedini
May 24, 2015                           http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : zendframework

The update for zendframework issued as DSA-3265-1 introduced a regression
preventing the use of non-string or non-stringable objects as header
values. A fix for this problem is now applied, along with the final patch
for CVE-2015-3154. For reference the original advisory text follows.

Multiple vulnerabilities were discovered in Zend Framework, a PHP
framework.
Except for CVE-2015-3154, all these issues were already fixed in the
version initially shipped with Jessie.

CVE-2014-2681

    Lukas Reschke reported a lack of protection against XML External
    Entity injection attacks in some functions. This fix extends the
    incomplete one from CVE-2012-5657.

CVE-2014-2682

    Lukas Reschke reported a failure to consider that the
    libxml_disable_entity_loader setting is shared among threads in the
    PHP-FPM case. This fix extends the incomplete one from CVE-2012-5657.

CVE-2014-2683

    Lukas Reschke reported a lack of protection against XML Entity
    Expansion attacks in some functions. This fix extends the incomplete
    one from CVE-2012-6532.

CVE-2014-2684

    Christian Mainka and Vladislav Mladenov from the Ruhr-University
    Bochum reported an error in the consumer's verify method that led to
    acceptance of wrongly sourced tokens.

CVE-2014-2685

    Christian Mainka and Vladislav Mladenov from the Ruhr-University
    Bochum reported a specification violation in which signing of a
    single parameter is incorrectly considered sufficient.

CVE-2014-4914

    Cassiano Dal Pizzol discovered that the implementation of the ORDER
    BY SQL statement in Zend_Db_Select contains a potential SQL injection
    when the query string passed contains parentheses.

CVE-2014-8088

    Yury Dyachenko at Positive Research Center identified potential XML
    eXternal Entity injection vectors due to insecure usage of PHP's DOM
    extension.

CVE-2014-8089

    Jonas Sandström discovered an SQL injection vector when manually
    quoting value for sqlsrv extension, using null byte.

CVE-2015-3154

    Filippo Tessarotto and Maks3w reported potential CRLF injection
    attacks in mail and HTTP headers.

For the oldstable distribution (wheezy), this problem has been fixed in
version 1.11.13-1.1+deb7u2.

For the stable distribution (jessie), this problem has been fixed in
version 1.12.9+dfsg-2+deb8u2.

For the testing distribution (stretch), this problem has been fixed in
version 1.12.13+dfsg-1.
For the unstable distribution (sid), this problem has been fixed in
version 1.12.13+dfsg-1.

We recommend that you upgrade your zendframework packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJVYbwoAAoJEK+lG9bN5XPLp2kP/0UYC2HxoJFR0awEmIjsSIlg
FZ12hGDbisof4gOjpI3+3lbXx2VXbG91gx4YRPwJ6bPI+I1D9C8UdW119RwBXWQU
7FWKTUMihB63xlibMGunMZg6hshRrJFgFTrjCHQu+8SdKENLbn28dGUOeLMaZ3OP
99bkuygn1JO9jeOUipOpzfoSI4SROtfr/O3wBFQ+UdDq7I4Le4EUgibEvkorvg4Y
z697e8U6ale5+u0n76Nl6I8x2P3UsqR1OsGzxnu1Yp2rvdATrr+2A9QynLep3ONO
/kJHMtoouD2oiLnmL4kBLkotRZk6+IXSJUm2+q5pv36KEp1Nyt2ELQuvBXHcMXe7
LLhLsbN9ZR2RvHjP5JeKeP5SpO4WyHZtyhrvA+V3UrnXCaELeuxU9NwrdXRA9ddi
A079p/56yZcsVBPq/PpsrmCdyx//tfzx11iW48gbvay9inY7sZ6JBEk1bX8Z3Y/d
VBabBzt0ulT1XS6VOGLV5d8n332oHLoL0iKOKjQAIH3rlNPVaNkaneQwVWMbDWIF
NFfF/TvtiScdOH36xfzBTeo9inU8VIaBA3OxTrtAxz7WbyvMiICgKbLBjuThK/6h
6f8+zxg+tQVKYUHMfXUL7z2EHbsZcDNfClXNBw92DA8ttyRg5vpBDVOIv6m56Pso
FmtdkBeOUSwfOAssckP1
=ga4o
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVWJtARLndAQH1ShLAQL6tg//cR3rdDsvEwfw/hKruuLt5QbNTGPsBtzO
DVBFkhEparK8xraJ/jofFV20F4b6Z2KJYC9iW55FFKkzn7L4D0gJTWGAuTGEK1kl
h90RDaJ+jBxvWUuHvoi+A8VA7EpT9Svr7dVeG03zfeG9d0ndReiFeigYH7AGUEIK
4f0Ldixcp6sprmSYuNSEo+BgLFbKO2wcsMmb+lr7pg3ip7+reiDPXMGSL2vzO5iK
ba5mplFT1MUQ8wHGJip3nLVcwUF6psBNg07FkefXyMzEQegQmv3LtrMDmUFS55WL
8jTROjEiFHypI5rBtJF0KvJ1q2TshD/8+B/JsIDbyi7GBwy/jdgxcxxujo39udlG
y8596OLcIu4XQAd3xo+I5mnCKeIdG7y7EEfua2deQpDZkb4E77Gv7eVIaeFv4O53
fTgGARDkOsxPkuqVVhFEbZFb/PGu9rJybw2CMrpl6fiCnx00QvleDX2O1Be08nsy
UF5JMNS/j6gghQQvhVRzjfJkimeCfXsEG9HxthFViJcN6+RvFvxDpMzMaWFDAtU1
vNT0uoiDo1/76HfUD+WPb8YsrDM289BYUYf+mPA037bPmTuVxXejExYROTYwVnGW
aB+DV78W3cCX3DQ+QZWwz1cFPoN/gTZ99iXiG/BKQ0/tMfy138i/cSKXGpbZNIvQ
3wY5ciDmyac=
=m7WK
-----END PGP SIGNATURE-----
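Editor's worked example for the CVE-2015-3154 item and the DSA-3265-2 regression note above. This is added PHP written for this page, not Zend Framework code and not part of the signed bulletin. It shows the bug class (a raw header built from user input, so a CR/LF in the value injects a second header) next to a hardened version that rejects CR, LF and NUL while still accepting objects with __toString(), which is the regression the second DSA revision fixed. The function and class names (vulnerable_set_header, safe_header_value, safe_set_header, LanguageTag) and the sample input are this example's own.

```php
<?php
// Added example, not Zend Framework's own code. Names below are invented
// for this demonstration. Sample input is constructed.
declare(strict_types=1);

// Vulnerable pattern (CVE-2015-3154 class): user-controlled input is
// concatenated straight into a header line. A value containing "\r\n"
// terminates the header and starts a new one of the attacker's choosing.
function vulnerable_set_header(string $name, string $value): string
{
    return $name . ': ' . $value . "\r\n";
}

// Hardened value handling: strings, ints, floats and objects implementing
// __toString() are accepted (the DSA-3265-1 regression rejected the latter);
// everything else is refused. The resulting string must not contain CR, LF
// or NUL, otherwise it is treated as an injection attempt.
function safe_header_value($value): string
{
    if (is_object($value) && method_exists($value, '__toString')) {
        $value = (string) $value;
    } elseif (!is_string($value) && !is_int($value) && !is_float($value)) {
        throw new InvalidArgumentException(
            'header value must be a string or a stringable object'
        );
    }
    $value = (string) $value;
    if (preg_match('/[\r\n\x00]/', $value)) {
        throw new InvalidArgumentException('CR/LF or NUL in header value');
    }
    return $value;
}

// The field name is restricted to RFC 7230 tchar characters, so it cannot
// smuggle a separator either.
function safe_set_header(string $name, $value): string
{
    if (!preg_match('/^[A-Za-z0-9!#$%&\'*+.^_`|~-]+$/', $name)) {
        throw new InvalidArgumentException('invalid header field name');
    }
    return $name . ': ' . safe_header_value($value) . "\r\n";
}

// A stringable object standing in for the non-string header values the
// regression broke.
final class LanguageTag
{
    public function __toString(): string
    {
        return 'en-US';
    }
}

// Constructed attacker input: a language tag followed by an injected cookie.
$attack = "en-US\r\nSet-Cookie: PHPSESSID=attacker";

// Vulnerable: emits two header lines, the second chosen by the attacker.
echo vulnerable_set_header('Content-Language', $attack);

// Hardened: the same input is rejected.
try {
    echo safe_set_header('Content-Language', $attack);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}

// Hardened: a stringable object is still accepted.
echo safe_set_header('Content-Language', new LanguageTag());
```

The check is deliberately on the final string, after the object has been converted, so an object whose __toString() returns a CR/LF cannot bypass it. Note that the hardened version also refuses obsolete line folding (CRLF followed by a space or tab); a framework that wants to keep folding support has to unfold before this check rather than let the sequence through.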
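Editor's worked example for the XML items above (CVE-2014-2681, CVE-2014-2682, CVE-2014-2683 and CVE-2014-8088). This is added PHP written for this page, not Zend Framework code and not part of the signed bulletin. It shows the handling the advisory's XML fixes require when parsing untrusted input with PHP's DOM extension: refuse any DOCTYPE (the only place internal or external entities can be declared, so this blocks both XXE and entity expansion), parse with LIBXML_NONET and without LIBXML_NOENT or LIBXML_DTDLOAD, and, on PHP releases older than 8.0, disable the external entity loader and restore its previous value afterwards. The restore matters because, as the CVE-2014-2682 entry says, the libxml entity-loader setting is shared across the requests a PHP-FPM worker serves. The function name parse_untrusted_xml and the three sample documents are this example's own.

```php
<?php
// Added example, not Zend Framework's own code. parse_untrusted_xml() is an
// invented name; the sample documents below are constructed.
declare(strict_types=1);

function parse_untrusted_xml(string $xml): DOMDocument
{
    // A DOCTYPE is where ENTITY declarations live. Untrusted documents
    // have no business carrying one, so reject before libxml sees it.
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        throw new RuntimeException('DOCTYPE not allowed in untrusted XML');
    }

    // Before PHP 8.0 external entity loading is a process-global switch.
    // libxml_disable_entity_loader() returns the old value; keep it so the
    // worker is left exactly as it was for the next request (CVE-2014-2682).
    // PHP 8.0 deprecated the function and disables the loader by default.
    $previousLoaderState = null;
    if (PHP_VERSION_ID < 80000) {
        $previousLoaderState = libxml_disable_entity_loader(true);
    }
    $previousErrorMode = libxml_use_internal_errors(true);

    try {
        $doc = new DOMDocument();
        // LIBXML_NONET forbids network access during parsing. Do not add
        // LIBXML_NOENT (substitutes entities) or LIBXML_DTDLOAD (fetches
        // external DTDs); both reopen the hole.
        if ($doc->loadXML($xml, LIBXML_NONET) === false) {
            $err = libxml_get_last_error();
            $msg = $err ? trim($err->message) : 'unknown error';
            throw new RuntimeException('XML parse failed: ' . $msg);
        }
        // Second line of defence: if a DTD got past the textual check, the
        // parsed document still exposes it.
        if ($doc->doctype !== null) {
            throw new RuntimeException('DOCTYPE not allowed in untrusted XML');
        }
        return $doc;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previousErrorMode);
        if ($previousLoaderState !== null) {
            libxml_disable_entity_loader($previousLoaderState);
        }
    }
}

// Constructed samples: an external-entity read, an entity-expansion bomb,
// and a benign document.
$xxe = <<<XML
<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<foo>&xxe;</foo>
XML;

$bomb = <<<XML
<?xml version="1.0"?>
<!DOCTYPE lolz [ <!ENTITY lol "lol"> <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"> ]>
<lolz>&lol2;</lolz>
XML;

$benign = '<?xml version="1.0"?><user><name>alice</name></user>';

foreach (['xxe' => $xxe, 'bomb' => $bomb, 'benign' => $benign] as $label => $input) {
    try {
        $doc = parse_untrusted_xml($input);
        echo "$label: parsed, root element <{$doc->documentElement->tagName}>\n";
    } catch (RuntimeException $e) {
        echo "$label: rejected ({$e->getMessage()})\n";
    }
}
```

Running this rejects the first two documents at the DOCTYPE check and parses the third. The try/finally is the part that addresses the PHP-FPM observation in the advisory: an early return or an exception must not leave the entity loader in a state the next request did not ask for, in either direction.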