-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2015.1355.2
                       zendframework security update
                                25 May 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           zendframework
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   Debian GNU/Linux 8
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-3154 CVE-2014-8089 CVE-2014-8088
                   CVE-2014-4914 CVE-2014-2685 CVE-2014-2684
                   CVE-2014-2683 CVE-2014-2682 CVE-2014-2681
                   CVE-2012-6532 CVE-2012-5657 

Reference:         ESB-2013.0050

Original Bulletin: 
   http://www.debian.org/security/2015/dsa-3265

Revision History:  May 25 2015: The update for zendframework issued as 
                                DSA-3265-1 introduced a regression
                   May 21 2015: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3265-2                   security@debian.org
http://www.debian.org/security/                        Alessandro Ghedini
May 24, 2015                           http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : zendframework

The update for zendframework issued as DSA-3265-1 introduced a regression
preventing the use of non-string or non-stringable objects as header
values. A fix for this problem is now applied, along with the final patch
for CVE-2015-3154. For reference the original advisory text follows.

Multiple vulnerabilities were discovered in Zend Framework, a PHP
framework. Except for CVE-2015-3154, all these issues were already fixed
in the version initially shipped with Jessie.

CVE-2014-2681

    Lukas Reschke reported a lack of protection against XML External
    Entity injection attacks in some functions. This fix extends the
    incomplete one from CVE-2012-5657.

CVE-2014-2682

    Lukas Reschke reported a failure to consider that the
    libxml_disable_entity_loader setting is shared among threads in the
    PHP-FPM case. This fix extends the incomplete one from
    CVE-2012-5657.

CVE-2014-2683

    Lukas Reschke reported a lack of protection against XML Entity
    Expansion attacks in some functions. This fix extends the incomplete
    one from CVE-2012-6532.

CVE-2014-2684

    Christian Mainka and Vladislav Mladenov from the Ruhr-University
    Bochum reported an error in the consumer's verify method that led
    to acceptance of wrongly sourced tokens.

CVE-2014-2685

    Christian Mainka and Vladislav Mladenov from the Ruhr-University
    Bochum reported a specification violation in which signing of a
    single parameter is incorrectly considered sufficient.
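
The two OpenID issues above come down to what a Relying Party (the "consumer") checks before it trusts a positive assertion. The following is an added illustration in PHP, not Zend Framework's own code: it requires the minimum signed-field set that the OpenID 2.0 specification mandates for "openid.signed" (op_endpoint, return_to, response_nonce and assoc_handle, plus claimed_id and identity when present), requires the op_endpoint to be the one discovery returned for this identifier, and only then verifies the HMAC over the Key-Value Form of the signed fields. The function names, the sample association key and the sample endpoints are this example's own.

```php
<?php
// Added example (not Zend Framework code) for the CVE-2014-2684/-2685 class.
// Names, the sample MAC key and the sample endpoints are constructed here.

const REQUIRED_SIGNED = ['op_endpoint', 'return_to', 'response_nonce', 'assoc_handle'];

/** Key-Value Form of the signed fields, in the order listed in openid.signed. */
function kvFormOfSigned(array $params, array $signedFields): string
{
    $out = '';
    foreach ($signedFields as $f) {
        if (!array_key_exists('openid.' . $f, $params)) {
            throw new InvalidArgumentException("signed field '$f' is missing from response");
        }
        $out .= $f . ':' . $params['openid.' . $f] . "\n";
    }
    return $out;
}

/**
 * True only when every required field is covered by the signature, the
 * assertion names the OP endpoint that discovery bound to this identifier,
 * and the signature verifies under the association's MAC key.
 */
function verifyAssertion(array $params, string $macKey, string $discoveredEndpoint): bool
{
    if (($params['openid.mode'] ?? '') !== 'id_res') {
        return false;
    }
    $signed = explode(',', $params['openid.signed'] ?? '');

    // CVE-2014-2685 class: a signature over a single parameter proves nothing
    // about the rest of the assertion; insist on the spec's minimum set.
    $required = REQUIRED_SIGNED;
    foreach (['claimed_id', 'identity'] as $opt) {
        if (isset($params['openid.' . $opt])) {
            $required[] = $opt;
        }
    }
    if (array_diff($required, $signed) !== []) {
        return false;
    }

    // CVE-2014-2684 class: accept the token only from the OP that discovery
    // associated with the claimed identifier, not from whoever sent it.
    if (($params['openid.op_endpoint'] ?? '') !== $discoveredEndpoint) {
        return false;
    }

    $expected = base64_encode(hash_hmac('sha256', kvFormOfSigned($params, $signed), $macKey, true));
    return hash_equals($expected, $params['openid.sig'] ?? '');
}

// Constructed sample: an association key, a well-formed response, then the
// same response with its signed list cut down to one field, and one that
// claims a different OP endpoint.
$macKey = random_bytes(32);
$op = 'https://op.example.invalid/server';
$good = [
    'openid.mode'           => 'id_res',
    'openid.op_endpoint'    => $op,
    'openid.return_to'      => 'https://rp.example.invalid/login/return',
    'openid.response_nonce' => '2015-05-24T12:00:00ZABCDEF',
    'openid.assoc_handle'   => 'assoc-1',
    'openid.claimed_id'     => 'https://op.example.invalid/alice',
    'openid.identity'       => 'https://op.example.invalid/alice',
    'openid.signed'         => 'op_endpoint,return_to,response_nonce,assoc_handle,claimed_id,identity',
];
$good['openid.sig'] = base64_encode(hash_hmac('sha256',
    kvFormOfSigned($good, explode(',', $good['openid.signed'])), $macKey, true));

$singleField = $good;
$singleField['openid.signed'] = 'response_nonce';
$singleField['openid.sig'] = base64_encode(hash_hmac('sha256',
    kvFormOfSigned($singleField, ['response_nonce']), $macKey, true));

$foreignOp = $good;
$foreignOp['openid.op_endpoint'] = 'https://other-op.example.invalid/server';

var_dump(verifyAssertion($good, $macKey, $op));
var_dump(verifyAssertion($singleField, $macKey, $op));
var_dump(verifyAssertion($foreignOp, $macKey, $op));
```

Only the first call returns true. The example deliberately covers just the two checks the advisory names; a complete verifier also matches return_to against the current request URL, rejects replayed response_nonce values, and looks the assoc_handle up in its own association store rather than taking the key as a parameter.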

CVE-2014-4914

    Cassiano Dal Pizzol discovered that the implementation of the ORDER
    BY SQL statement in Zend_Db_Select contains a potential SQL
    injection when the query string passed contains parentheses.

CVE-2014-8088

    Yury Dyachenko at Positive Research Center identified potential XML
    eXternal Entity injection vectors due to insecure usage of PHP's DOM
    extension.
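
The four XML issues above (CVE-2014-2681, -2682, -2683 and -8088) share one hardened loading routine. The following is an added illustration in PHP and is not Zend Framework's own code: it loads untrusted XML with DOM while forbidding network access and entity substitution, rejects any document that declares a DOCTYPE at all (which covers both external entities and internal entity-expansion payloads), and saves and restores the process-wide libxml_disable_entity_loader() flag so that one request cannot leave the loader in a state another request in the same worker did not expect. The function name and the sample documents are this example's own.

```php
<?php
// Added example (not Zend Framework code): load untrusted XML safely with DOM.
// The function name and the three sample documents are constructed here.

function loadUntrustedXml(string $xml): DOMDocument
{
    // libxml_disable_entity_loader() is global to the PHP process, not to
    // this call (the CVE-2014-2682 point), so record and restore it.
    // It is deprecated from PHP 8.0, where the loader is off by default.
    $previousLoader = null;
    if (PHP_VERSION_ID < 80000) {
        $previousLoader = libxml_disable_entity_loader(true);
    }
    $previousErrors = libxml_use_internal_errors(true);

    try {
        $dom = new DOMDocument();
        // LIBXML_NONET: never fetch over the network. LIBXML_NOENT is
        // deliberately absent so entity references are never substituted.
        if ($dom->loadXML($xml, LIBXML_NONET) === false) {
            throw new RuntimeException('Malformed XML');
        }
        // Any DOCTYPE is refused: that is where both external entities (XXE)
        // and the nested internal entities of expansion attacks are declared.
        if ($dom->doctype !== null) {
            throw new RuntimeException('XML documents with a DOCTYPE are not accepted');
        }
        return $dom;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previousErrors);
        if ($previousLoader !== null) {
            libxml_disable_entity_loader($previousLoader);
        }
    }
}

// Constructed samples: a benign document, an external-entity payload and a
// small entity-expansion payload.
$benign = '<?xml version="1.0"?><user><name>alice</name></user>';
$xxe    = '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY x SYSTEM "file:///etc/passwd">]><r>&x;</r>';
$bomb   = '<?xml version="1.0"?><!DOCTYPE l [<!ENTITY a "aaaaaaaaaa">'
        . '<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">]><l>&b;</l>';

foreach (['benign' => $benign, 'xxe' => $xxe, 'bomb' => $bomb] as $label => $doc) {
    try {
        $dom = loadUntrustedXml($doc);
        echo $label, ': accepted, root element <', $dom->documentElement->tagName, '>', PHP_EOL;
    } catch (RuntimeException $e) {
        echo $label, ': rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

Only the benign document is accepted. Rejecting the DOCTYPE outright is stricter than the framework needs to be for every caller, but for data arriving from the network it is the check that does not depend on which libxml flags a later maintainer adds or removes.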

CVE-2014-8089

    Jonas Sandström discovered an SQL injection vector when manually
    quoting a value for the sqlsrv extension, using a null byte.
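
The two SQL issues above (CVE-2014-4914 and CVE-2014-8089) are both about a string reaching the query builder with less checking than it deserves. The following is an added illustration in PHP and is not Zend Framework's own code: it shows the unsafe shape of an ORDER BY helper that treats any string containing parentheses as a raw expression, next to a replacement that accepts only whitelisted columns and an explicit direction, and a manual quoting helper for SQL Server literals that removes NUL bytes before doubling the quotes. The function names, the whitelist, the MySQL-style backtick identifier quoting and the sample inputs are this example's own.

```php
<?php
// Added example (not Zend Framework code) for the CVE-2014-4914/-8089 class.
// Function names, the column whitelist and the sample inputs are constructed.

// Vulnerable shape: a string that "looks like an expression" because it
// contains parentheses is emitted verbatim, so attacker text reaches SQL.
function orderByClauseVulnerable(string $spec): string
{
    if (strpos($spec, '(') !== false) {
        return 'ORDER BY ' . $spec;
    }
    return 'ORDER BY `' . str_replace('`', '``', $spec) . '`';
}

// Hardened: only a known column name plus an optional ASC/DESC is accepted;
// anything else, including every expression, is refused.
function orderByClauseHardened(string $spec, array $allowedColumns): string
{
    if (!preg_match('/^(\w+)(?:\s+(ASC|DESC))?$/i', trim($spec), $m)) {
        throw new InvalidArgumentException('Bad ORDER BY specification');
    }
    if (!in_array($m[1], $allowedColumns, true)) {
        throw new InvalidArgumentException('Unknown sort column: ' . $m[1]);
    }
    $dir = isset($m[2]) ? strtoupper($m[2]) : 'ASC';
    return 'ORDER BY `' . $m[1] . '` ' . $dir;
}

// Manual literal quoting for a driver without a server-side quote helper.
// Doubling single quotes is the T-SQL rule; a NUL byte is never part of a
// valid literal and is the vector the advisory names, so strip it first.
function quoteSqlsrvValue(string $value): string
{
    $value = str_replace("\0", '', $value);
    return "'" . str_replace("'", "''", $value) . "'";
}

// Constructed inputs: a sort parameter carrying parentheses, and a value
// with an embedded NUL.
$sortParam = 'id); DELETE FROM users WHERE (1=1';
echo orderByClauseVulnerable($sortParam), PHP_EOL;
try {
    echo orderByClauseHardened($sortParam, ['id', 'name']), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
echo orderByClauseHardened('name desc', ['id', 'name']), PHP_EOL;
echo quoteSqlsrvValue("O'Brien\0' OR 1=1 --"), PHP_EOL;
```

The vulnerable helper prints the attacker's text inside the clause; the hardened one refuses it and only emits the whitelisted `name` column. Where a caller genuinely needs an expression in ORDER BY, it should construct it from constants in code, never from request data.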

CVE-2015-3154

    Filippo Tessarotto and Maks3w reported potential CRLF injection
    attacks in mail and HTTP headers.
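
Both the regression that this -2 update repairs and CVE-2015-3154 itself come down to one check on a header value: it must be a string, or something that can become one, and it must not contain the CR or LF that ends a header line. The following is an added illustration in PHP and is not Zend Framework's own code: a validator that accepts strings, numbers and objects implementing __toString() (the case the -1 update broke) while rejecting anything containing CR, LF or NUL, shown beside the unsafe concatenation that makes CRLF injection possible. The class and function names and the sample input are this example's own.

```php
<?php
// Added example (not Zend Framework code) for the CVE-2015-3154 class and
// the DSA-3265-1 regression. Names and the sample input are constructed.

final class HeaderValue
{
    /**
     * Normalise a header value to a string, or throw if it cannot be one.
     * Strings, ints, floats and objects with __toString() are accepted;
     * arrays, resources and other objects are not.
     */
    public static function toString($value): string
    {
        if (is_string($value)) {
            return $value;
        }
        if (is_int($value) || is_float($value)) {
            return (string) $value;
        }
        if (is_object($value) && method_exists($value, '__toString')) {
            return (string) $value;
        }
        throw new InvalidArgumentException(
            'Header value must be a string or stringable, got ' . gettype($value)
        );
    }

    /**
     * True when the value cannot terminate the current header line. Any CR
     * or LF is rejected, which also refuses obsolete folded continuation
     * lines (CRLF followed by space or tab), a common bypass for checks
     * that only look for a full "\r\n".
     */
    public static function isValid(string $value): bool
    {
        return preg_match('/[\r\n\0]/', $value) === 0;
    }

    /** Normalise and validate in one step. */
    public static function assertValid($value): string
    {
        $s = self::toString($value);
        if (!self::isValid($s)) {
            throw new InvalidArgumentException('Header value contains CR, LF or NUL');
        }
        return $s;
    }
}

// Vulnerable shape: values are concatenated straight into the header block,
// so a Subject taken from a form field can smuggle in a Bcc line.
function buildRawHeadersVulnerable(array $headers): string
{
    $out = '';
    foreach ($headers as $name => $value) {
        $out .= $name . ': ' . $value . "\r\n";
    }
    return $out;
}

function buildRawHeadersHardened(array $headers): string
{
    $out = '';
    foreach ($headers as $name => $value) {
        $out .= $name . ': ' . HeaderValue::assertValid($value) . "\r\n";
    }
    return $out;
}

// Constructed attacker input: a subject line carrying an extra header.
$evil = "Hello\r\nBcc: attacker@example.invalid";

echo buildRawHeadersVulnerable(['Subject' => $evil]);
try {
    buildRawHeadersHardened(['Subject' => $evil]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// A stringable value object still works after hardening, which is exactly
// what the -1 update stopped accepting.
$contentType = new class {
    public function __toString(): string { return 'text/plain; charset=utf-8'; }
};
echo buildRawHeadersHardened(['Content-Type' => $contentType]);
```

The vulnerable builder emits the injected Bcc as a second header; the hardened one throws on the same input and still accepts the stringable object. Header names deserve the same treatment, since a name containing a colon or CRLF is the same injection from the other side.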

For the oldstable distribution (wheezy), these problems have been fixed
in version 1.11.13-1.1+deb7u2.

For the stable distribution (jessie), these problems have been fixed in
version 1.12.9+dfsg-2+deb8u2.

For the testing distribution (stretch), these problems have been fixed
in version 1.12.13+dfsg-1.

For the unstable distribution (sid), these problems have been fixed in
version 1.12.13+dfsg-1.

We recommend that you upgrade your zendframework packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----