Univention Bugzilla – Bug 37002
zendframework: Multiple issues (4.0)
Last modified: 2017-10-26 13:54:48 CEST
Denial of service through XXE (CVE-2014-2681, CVE-2014-2682, CVE-2014-2683)
Incorrect validation of OpenID identity providers (CVE-2014-2684, CVE-2014-2685)
SQL injection in Zend_Db_Select (CVE-2014-4914)
Incorrect NULL byte handling in LDAP authentication (CVE-2014-8088)
SQL injection in sqlsrv extension (CVE-2014-8089)
Potential CRLF injection attacks in mail and HTTP headers (CVE-2015-3154)

These and all other issues are fixed in the upstream Debian package 1.11.13-1.1+deb7u1
zendframework 1.11.13-1.1+deb7u3 (incl. CVE-2015-5161) was imported and built into scope errata4.0-3.
YAML (r63409): 2015-09-02-.yaml
OK: DEBIAN_FRONTEND=noninteractive aptitude install -y '?source-package(^zendframework$)?not(?name(udeb))'
OK: /usr/share/doc/zendframework/changelog.Debian.gz
OK: r63409
OK: 2015-09-02-zendframework.yaml
OK: CVE-2014-2681, CVE-2014-2682, CVE-2014-2683
OK: CVE-2014-2684, CVE-2014-2685
OK: CVE-2014-4914
OK: CVE-2014-8088
OK: CVE-2014-8089
FAIL: CVE-2015-3154 missing in YAML, fixed by 1.11.13-1.1+deb7u1
OK: CVE-2015-5161
OK: errata-announce -V 2015-09-02-zendframework.yaml
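The FAIL line in the checklist above comes from comparing the CVE ids in the Debian changelog against those listed in the errata YAML. The script below is an added example of that cross-check, not Univention's own QA tooling; the changelog excerpt and the YAML layout are constructed for the example (only the CVE ids and versions come from this bug), and the check deliberately treats both files as text so it does not depend on the real YAML schema.

```python
import gzip
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,7}")
# Debian changelog entry header: "package (version) distribution; urgency=..."
HEADER_RE = re.compile(r"^(\S+) \(([^)]+)\) \S+;", re.M)


def load_changelog(path):
    """Read a gzipped Debian changelog (e.g. changelog.Debian.gz) as text."""
    with gzip.open(path, "rt", encoding="utf-8", errors="replace") as fh:
        return fh.read()


def cves_by_version(changelog):
    """Map each changelog version to the set of CVE ids named in its entry."""
    result = {}
    headers = list(HEADER_RE.finditer(changelog))
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(changelog)
        result[m.group(2)] = set(CVE_RE.findall(changelog[m.end():end]))
    return result


def check_yaml_against_changelog(changelog, yaml_text):
    """Return one 'FAIL: ...' line per CVE fixed in the changelog but absent from the YAML."""
    listed = set(CVE_RE.findall(yaml_text))
    findings = []
    for version, cves in cves_by_version(changelog).items():
        for cve in sorted(cves - listed):
            findings.append(f"FAIL: {cve} missing in YAML, fixed by {version}")
    return findings


# Constructed changelog excerpt (not the real Debian changelog); CVE ids as in this bug.
SAMPLE_CHANGELOG = """\
zendframework (1.11.13-1.1+deb7u3) wheezy-security; urgency=high

  * Fix CVE-2015-5161

 -- Example Maintainer <maint@example.invalid>  Thu, 01 Jan 2015 00:00:00 +0000

zendframework (1.11.13-1.1+deb7u1) wheezy-security; urgency=high

  * Fix CVE-2014-2681 CVE-2014-2682 CVE-2014-2683 CVE-2014-2684 CVE-2014-2685
  * Fix CVE-2014-4914 CVE-2014-8088 CVE-2014-8089 CVE-2015-3154

 -- Example Maintainer <maint@example.invalid>  Thu, 01 Jan 2015 00:00:00 +0000
"""

# Constructed YAML with an assumed layout; it omits CVE-2015-3154, as the YAML in r63409 did.
SAMPLE_YAML = """\
src: zendframework
version: 1.11.13-1.1+deb7u3
fix: [CVE-2014-2681, CVE-2014-2682, CVE-2014-2683, CVE-2014-2684, CVE-2014-2685,
      CVE-2014-4914, CVE-2014-8088, CVE-2014-8089, CVE-2015-5161]
"""
```

Running `check_yaml_against_changelog(SAMPLE_CHANGELOG, SAMPLE_YAML)` yields exactly the FAIL line reported in the checklist; on a real system pass `load_changelog("/usr/share/doc/zendframework/changelog.Debian.gz")` and the YAML file contents instead.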
(In reply to Philipp Hahn from comment #3)
> FAIL: CVE-2015-3154 missing in YAML, fixed by 1.11.13-1.1+deb7u1
Oh right… from the text I thought that 1.11 is not affected, but I understood it wrong… fixed in r63686
OK: r63686
OK: 2015-09-02-zendframework.yaml
<http://errata.software-univention.de/ucs/4.0/317.html>