[Forgot Password]
Login  Register Subscribe

23631

 
 

126951

 
 

99536

 
 

909

 
 

80128

 
 

109

Paid content will be excluded from the download.


Download | Alert*
OVAL

DSA-3265-1 zendframework -- zendframework

ID: oval:org.secpod.oval:def:602096Date: (C)2015-05-28   (M)2018-01-05
Class: PATCHFamily: unix




Multiple vulnerabilities were discovered in Zend Framework, a PHP framework. Except for CVE-2015-3154, all these issues were already fixed in the version initially shipped with Jessie. CVE-2014-2681 Lukas Reschke reported a lack of protection against XML External Entity injection attacks in some functions. This fix extends the incomplete one from CVE-2012-5657. CVE-2014-2682 Lukas Reschke reported a failure to consider that the libxml_disable_entity_loader setting is shared among threads in the PHP-FPM case. This fix extends the incomplete one from CVE-2012-5657. CVE-2014-2683 Lukas Reschke reported a lack of protection against XML Entity Expansion attacks in some functions. This fix extends the incomplete one from CVE-2012-6532. CVE-2014-2684 Christian Mainka and Vladislav Mladenov from the Ruhr-University Bochum reported an error in the consumer"s verify method that lead to acceptance of wrongly sourced tokens. CVE-2014-2685 Christian Mainka and Vladislav Mladenov from the Ruhr-University Bochum reported a specification violation in which signing of a single parameter is incorrectly considered sufficient. CVE-2014-4914 Cassiano Dal Pizzol discovered that the implementation of the ORDER BY SQL statement in Zend_Db_Select contains a potential SQL injection when the query string passed contains parentheses. CVE-2014-8088 Yury Dyachenko at Positive Research Center identified potential XML eXternal Entity injection vectors due to insecure usage of PHP"s DOM extension. CVE-2014-8089 Jonas Sandström discovered an SQL injection vector when manually quoting value for sqlsrv extension, using null byte. CVE-2015-3154 Filippo Tessarotto and Maks3w reported potential CRLF injection attacks in mail and HTTP headers.

Platform:
Debian 8.x
Debian 7.x
Product:
zendframework
Reference:
DSA-3265-1
CVE-2014-2681
CVE-2014-2682
CVE-2014-2683
CVE-2014-2684
CVE-2014-2685
CVE-2014-4914
CVE-2014-8088
CVE-2014-8089
CVE-2015-3154
CVE-2012-5657
CVE-2012-6532
CVE    9
CVE-2012-6532
CVE-2014-2685
CVE-2014-2683
CVE-2014-2684
...
CPE    3
cpe:/a:zend:framework
cpe:/o:debian:debian_linux:7.x
cpe:/o:debian:debian_linux:8.x

© 2013 SecPod Technologies