Bug 37002 – zendframework: Multiple issues (4.0)

Bug 37002 - zendframework: Multiple issues (4.0)


Summary:	zendframework: Multiple issues (4.0)

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	Security updates
Version:	UCS 4.0
Hardware:	Other Linux

Importance:	P3 normal (vote)
Target Milestone:	UCS 4.0-3-errata
Assigned To:	Daniel Tröder
QA Contact:	Philipp Hahn

URL:
Keywords:

Depends on:
Blocks:	42575
	Show dependency tree / graph

Reported:	2014-11-25 14:54 CET by Moritz Muehlenhoff
Modified:	2017-10-26 13:54 CEST (History)
CC List:	3 users (show)

See Also:
What kind of report is it?:	---
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Flags:	requate: Patch_Available+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Moritz Muehlenhoff

2014-11-25 14:54:50 CET

Denial of service through XEE (CVE-2014-2681, CVE-2014-2682, CVE-2014-2683)
Incorrect validation of OpenID identity providers (CVE-2014-2684, CVE-2014-2685)
SQL injection in Zend_Db_Select (CVE-2014-4914) 
Incorrect NULL byte handling in LDAP authentication (CVE-2014-8088)
SQL injection in sqlsrv extension (CVE-2014-8089)

Comment 1 Arvid Requate

2015-05-20 14:25:28 CEST

Potential CRLF injection attacks in mail and HTTP headers (CVE-2015-3154)

This and all other issues are fixed in upstream Debian package 1.11.13-1.1+deb7u1

Comment 2 Daniel Tröder

2015-09-02 17:26:55 CEST

zendframework 1.11.13-1.1+deb7u3 (incl CVE-2015-5161) was imported and build to scope errata4.0-3.
YAML (r63409): 2015-09-02-.yaml

Comment 3 Philipp Hahn

2015-09-14 15:22:35 CEST

OK: DEBIAN_FRONTEND=noninteractive aptitude install -y '?source-package(^zendframework$)?not(?name(udeb))'
OK: /usr/share/doc/zendframework/changelog.Debian.gz

OK: r63409
OK: 2015-09-02-zendframework.yaml
OK: CVE-2014-2681, CVE-2014-2682, CVE-2014-2683
OK: CVE-2014-2684, CVE-2014-2685
OK: CVE-2014-4914
OK: CVE-2014-8088
OK: CVE-2014-8089
FAIL: CVE-2015-3154 missing in YAML, fixed by 1.11.13-1.1+deb7u1
OK: CVE-2015-5161
OK: errata-announce -V 2015-09-02-zendframework.yaml

Comment 4 Daniel Tröder

2015-09-15 08:39:49 CEST

(In reply to Philipp Hahn from comment #3)
> FAIL: CVE-2015-3154 missing in YAML, fixed by 1.11.13-1.1+deb7u1
Oh right… from the text I thought that 1.11 is not affected, but I understood it wrong…

fixed in r63686

Comment 5 Philipp Hahn

2015-09-15 09:13:43 CEST

OK: r63686
OK: 2015-09-02-zendframework.yaml

Comment 6 Janek Walkenhorst

2015-09-15 13:36:48 CEST

<http://errata.software-univention.de/ucs/4.0/317.html>