MGASA-2012-0367
| Date: | December 27th, 2012 |
| Affected releases: | 2 |
Description:
Updated php-ZendFramework packages fix security vulnerabilities:
Zend_Dom, Zend_Feed, Zend_Soap, and Zend_XmlRpc in Zend Framework before
1.11.13 and 1.12.0 are vulnerable to XML Entity Expansion (XEE) vectors,
leading to Denial of Service vectors. XEE attacks occur when the XML
DOCTYPE declaration includes XML entity definitions that contain either
recursive or circular references; this leads to CPU and memory consumption,
making Denial of Service exploits trivial to implement (ZF2012-02).
A vulnerability was reported in Zend Framework versions prior to 1.11.15
and 1.12.1, which can be exploited to disclose certain sensitive
information. This flaw is caused due to an error in the "Zend_Feed_Rss"
and "Zend_Feed_Atom" classes of the "Zend_Feed" component, when
processing XML data. It can be used to disclose the contents of certain
local files by sending specially crafted XML data including external
entity references (CVE-2012-5657, ZF2012-05).
Updated Packages:
php-ZendFramework-1.12.1-1.1.mga2
php-ZendFramework-Cache-Backend-Apc-1.12.1-1.1.mga2
php-ZendFramework-Cache-Backend-Memcached-1.12.1-1.1.mga2
php-ZendFramework-Captcha-1.12.1-1.1.mga2
php-ZendFramework-demos-1.12.1-1.1.mga2
php-ZendFramework-Dojo-1.12.1-1.1.mga2
php-ZendFramework-extras-1.12.1-1.1.mga2
php-ZendFramework-Feed-1.12.1-1.1.mga2
php-ZendFramework-Gdata-1.12.1-1.1.mga2
php-ZendFramework-Pdf-1.12.1-1.1.mga2
php-ZendFramework-Search-Lucene-1.12.1-1.1.mga2
php-ZendFramework-Services-1.12.1-1.1.mga2
php-ZendFramework-tests-1.12.1-1.1.mga2
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5657
http://openwall.com/lists/oss-security/2012/12/20/2
http://framework.zend.com/security/advisory/ZF2012-02
http://framework.zend.com/security/advisory/ZF2012-05
https://bugs.mageia.org/show_bug.cgi?id=8456
