Bug 37002 - zendframework: Multiple issues (4.0)
zendframework: Multiple issues (4.0)
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.0
Other Linux
: P3 normal (vote)
: UCS 4.0-3-errata
Assigned To: Daniel Tröder
Philipp Hahn
Depends on:
Blocks: 42575
  Show dependency treegraph
Reported: 2014-11-25 14:54 CET by Moritz Muehlenhoff
Modified: 2017-10-26 13:54 CEST (History)
3 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:
requate: Patch_Available+


Note You need to log in before you can comment on or make changes to this bug.
Description Moritz Muehlenhoff univentionstaff 2014-11-25 14:54:50 CET
Denial of service through XEE (CVE-2014-2681, CVE-2014-2682, CVE-2014-2683)
Incorrect validation of OpenID identity providers (CVE-2014-2684, CVE-2014-2685)
SQL injection in Zend_Db_Select (CVE-2014-4914) 
Incorrect NULL byte handling in LDAP authentication (CVE-2014-8088)
SQL injection in sqlsrv extension (CVE-2014-8089)
Comment 1 Arvid Requate univentionstaff 2015-05-20 14:25:28 CEST
Potential CRLF injection attacks in mail and HTTP headers (CVE-2015-3154)

This and all other issues are fixed in upstream Debian package 1.11.13-1.1+deb7u1
Comment 2 Daniel Tröder univentionstaff 2015-09-02 17:26:55 CEST
zendframework 1.11.13-1.1+deb7u3 (incl CVE-2015-5161) was imported and build to scope errata4.0-3.
YAML (r63409): 2015-09-02-.yaml
Comment 3 Philipp Hahn univentionstaff 2015-09-14 15:22:35 CEST
OK: DEBIAN_FRONTEND=noninteractive aptitude install -y '?source-package(^zendframework$)?not(?name(udeb))'
OK: /usr/share/doc/zendframework/changelog.Debian.gz

OK: r63409
OK: 2015-09-02-zendframework.yaml
OK: CVE-2014-2681, CVE-2014-2682, CVE-2014-2683
OK: CVE-2014-2684, CVE-2014-2685
OK: CVE-2014-4914
OK: CVE-2014-8088
OK: CVE-2014-8089
FAIL: CVE-2015-3154 missing in YAML, fixed by 1.11.13-1.1+deb7u1
OK: CVE-2015-5161
OK: errata-announce -V 2015-09-02-zendframework.yaml
Comment 4 Daniel Tröder univentionstaff 2015-09-15 08:39:49 CEST
(In reply to Philipp Hahn from comment #3)
> FAIL: CVE-2015-3154 missing in YAML, fixed by 1.11.13-1.1+deb7u1
Oh right… from the text I thought that 1.11 is not affected, but I understood it wrong…

fixed in r63686
Comment 5 Philipp Hahn univentionstaff 2015-09-15 09:13:43 CEST
OK: r63686
OK: 2015-09-02-zendframework.yaml
Comment 6 Janek Walkenhorst univentionstaff 2015-09-15 13:36:48 CEST