Debian Local Security Checks : Debian Security Advisory DSA 3265-1 (zendframework

Búsqueda de Vulnerabilidad		Buscar 219043 Descripciones CVE y 99761 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.703265

Categoría: Debian Local Security Checks

Título: Debian Security Advisory DSA 3265-1 (zendframework - security update)

Resumen: Multiple vulnerabilities were;discovered in Zend Framework, a PHP framework. Except for CVE-2015-3154;, all these issues were already fixed;in the version initially shipped with Jessie.;;CVE-2014-2681Lukas Reschke reported a lack of protection against XML External;Entity injection attacks in some functions. This fix extends the;incomplete one from CVE-2012-5657;.;;CVE-2014-2682Lukas Reschke reported a failure to consider that the;libxml_disable_entity_loader setting is shared among threads in the;PHP-FPM case. This fix extends the incomplete one from;CVE-2012-5657;.;;CVE-2014-2683Lukas Reschke reported a lack of protection against XML Entity;Expansion attacks in some functions. This fix extends the incomplete;one from CVE-2012-6532;.;;CVE-2014-2684;Christian Mainka and Vladislav Mladenov from the Ruhr-University;Bochum reported an error in the consumer's verify method that lead;to acceptance of wrongly sourced tokens.;;CVE-2014-2685;Christian Mainka and Vladislav Mladenov from the Ruhr-University;Bochum reported a specification violation in which signing of a;single parameter is incorrectly considered sufficient.;;CVE-2014-4914;Cassiano Dal Pizzol discovered that the implementation of the ORDER;BY SQL statement in Zend_Db_Select contains a potential SQL;injection when the query string passed contains parentheses.;;CVE-2014-8088;Yury Dyachenko at Positive Research Center identified potential XML;eXternal Entity injection vectors due to insecure usage of PHP's DOM;extension.;;CVE-2014-8089;Jonas Sandstrm discovered an SQL injection vector when manually;quoting value for sqlsrv extension, using null byte.;;CVE-2015-3154;Filippo Tessarotto and Maks3w reported potential CRLF injection;attacks in mail and HTTP headers.

Descripción: Summary:
Multiple vulnerabilities were
discovered in Zend Framework, a PHP framework. Except for CVE-2015-3154
, all these issues were already fixed
in the version initially shipped with Jessie.

CVE-2014-2681Lukas Reschke reported a lack of protection against XML External
Entity injection attacks in some functions. This fix extends the
incomplete one from CVE-2012-5657
.

CVE-2014-2682Lukas Reschke reported a failure to consider that the
libxml_disable_entity_loader setting is shared among threads in the
PHP-FPM case. This fix extends the incomplete one from
CVE-2012-5657
.

CVE-2014-2683Lukas Reschke reported a lack of protection against XML Entity
Expansion attacks in some functions. This fix extends the incomplete
one from CVE-2012-6532
.

CVE-2014-2684
Christian Mainka and Vladislav Mladenov from the Ruhr-University
Bochum reported an error in the consumer's verify method that lead
to acceptance of wrongly sourced tokens.

CVE-2014-2685
Christian Mainka and Vladislav Mladenov from the Ruhr-University
Bochum reported a specification violation in which signing of a
single parameter is incorrectly considered sufficient.

CVE-2014-4914
Cassiano Dal Pizzol discovered that the implementation of the ORDER
BY SQL statement in Zend_Db_Select contains a potential SQL
injection when the query string passed contains parentheses.

CVE-2014-8088
Yury Dyachenko at Positive Research Center identified potential XML
eXternal Entity injection vectors due to insecure usage of PHP's DOM
extension.

CVE-2014-8089
Jonas Sandstrm discovered an SQL injection vector when manually
quoting value for sqlsrv extension, using null byte.

CVE-2015-3154
Filippo Tessarotto and Maks3w reported potential CRLF injection
attacks in mail and HTTP headers.

Affected Software/OS:
zendframework on Debian Linux

Solution:
For the oldstable distribution (wheezy),
these problems have been fixed in version 1.11.13-1.1+deb7u1.

For the stable distribution (jessie), these problems have been fixed in
version 1.12.9+dfsg-2+deb8u1.

For the testing distribution (stretch), these problems will be fixed
in version 1.12.12+dfsg-1.

For the unstable distribution (sid), these problems have been fixed in
version 1.12.12+dfsg-1.

We recommend that you upgrade your zendframework packages.

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2012-5657
Debian Security Information: DSA-2602 (Google Search)
http://www.debian.org/security/2012/dsa-2602
http://www.mandriva.com/security/advisories?name=MDVSA-2013:115
http://openwall.com/lists/oss-security/2012/12/20/2
http://openwall.com/lists/oss-security/2012/12/20/4
http://secunia.com/advisories/51583
Common Vulnerability Exposure (CVE) ID: CVE-2012-6532
Common Vulnerability Exposure (CVE) ID: CVE-2014-2681
BugTraq ID: 66358
http://www.securityfocus.com/bid/66358
Debian Security Information: DSA-3265 (Google Search)
http://www.debian.org/security/2015/dsa-3265
http://www.mandriva.com/security/advisories?name=MDVSA-2014:072
http://seclists.org/oss-sec/2014/q2/0
Common Vulnerability Exposure (CVE) ID: CVE-2014-2682
Common Vulnerability Exposure (CVE) ID: CVE-2014-2683
Common Vulnerability Exposure (CVE) ID: CVE-2014-2684
Common Vulnerability Exposure (CVE) ID: CVE-2014-2685
Common Vulnerability Exposure (CVE) ID: CVE-2014-4914
BugTraq ID: 68031
http://www.securityfocus.com/bid/68031
https://www.debian.org/security/2015/dsa-3265
http://jvn.jp/en/jp/JVN71730320/index.html
http://openwall.com/lists/oss-security/2014/07/11/4
http://secunia.com/advisories/58847
Common Vulnerability Exposure (CVE) ID: CVE-2014-8088
BugTraq ID: 70378
http://www.securityfocus.com/bid/70378
http://lists.fedoraproject.org/pipermail/package-announce/2014-October/141070.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-October/141106.html
http://www.openwall.com/lists/oss-security/2014/10/10/5
XForce ISS Database: zend-framework-cve20148088-sec-bypass(97038)
https://exchange.xforce.ibmcloud.com/vulnerabilities/97038
Common Vulnerability Exposure (CVE) ID: CVE-2014-8089
BugTraq ID: 70011
http://www.securityfocus.com/bid/70011
http://framework.zend.com/security/advisory/ZF2014-06
http://seclists.org/oss-sec/2014/q4/276
https://bugzilla.redhat.com/show_bug.cgi?id=1151277
Common Vulnerability Exposure (CVE) ID: CVE-2015-3154

Copyright Copyright (C) 2015 Greenbone Networks GmbH http://greenbone.net

Esta es sólo una de 99761 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.703265
Categoría:	Debian Local Security Checks
Título:	Debian Security Advisory DSA 3265-1 (zendframework - security update)
Resumen:	Multiple vulnerabilities were;discovered in Zend Framework, a PHP framework. Except for CVE-2015-3154;, all these issues were already fixed;in the version initially shipped with Jessie.;;CVE-2014-2681Lukas Reschke reported a lack of protection against XML External;Entity injection attacks in some functions. This fix extends the;incomplete one from CVE-2012-5657;.;;CVE-2014-2682Lukas Reschke reported a failure to consider that the;libxml_disable_entity_loader setting is shared among threads in the;PHP-FPM case. This fix extends the incomplete one from;CVE-2012-5657;.;;CVE-2014-2683Lukas Reschke reported a lack of protection against XML Entity;Expansion attacks in some functions. This fix extends the incomplete;one from CVE-2012-6532;.;;CVE-2014-2684;Christian Mainka and Vladislav Mladenov from the Ruhr-University;Bochum reported an error in the consumer's verify method that lead;to acceptance of wrongly sourced tokens.;;CVE-2014-2685;Christian Mainka and Vladislav Mladenov from the Ruhr-University;Bochum reported a specification violation in which signing of a;single parameter is incorrectly considered sufficient.;;CVE-2014-4914;Cassiano Dal Pizzol discovered that the implementation of the ORDER;BY SQL statement in Zend_Db_Select contains a potential SQL;injection when the query string passed contains parentheses.;;CVE-2014-8088;Yury Dyachenko at Positive Research Center identified potential XML;eXternal Entity injection vectors due to insecure usage of PHP's DOM;extension.;;CVE-2014-8089;Jonas Sandstrm discovered an SQL injection vector when manually;quoting value for sqlsrv extension, using null byte.;;CVE-2015-3154;Filippo Tessarotto and Maks3w reported potential CRLF injection;attacks in mail and HTTP headers.
Descripción:	Summary: Multiple vulnerabilities were discovered in Zend Framework, a PHP framework. Except for CVE-2015-3154 , all these issues were already fixed in the version initially shipped with Jessie. CVE-2014-2681Lukas Reschke reported a lack of protection against XML External Entity injection attacks in some functions. This fix extends the incomplete one from CVE-2012-5657 . CVE-2014-2682Lukas Reschke reported a failure to consider that the libxml_disable_entity_loader setting is shared among threads in the PHP-FPM case. This fix extends the incomplete one from CVE-2012-5657 . CVE-2014-2683Lukas Reschke reported a lack of protection against XML Entity Expansion attacks in some functions. This fix extends the incomplete one from CVE-2012-6532 . CVE-2014-2684 Christian Mainka and Vladislav Mladenov from the Ruhr-University Bochum reported an error in the consumer's verify method that lead to acceptance of wrongly sourced tokens. CVE-2014-2685 Christian Mainka and Vladislav Mladenov from the Ruhr-University Bochum reported a specification violation in which signing of a single parameter is incorrectly considered sufficient. CVE-2014-4914 Cassiano Dal Pizzol discovered that the implementation of the ORDER BY SQL statement in Zend_Db_Select contains a potential SQL injection when the query string passed contains parentheses. CVE-2014-8088 Yury Dyachenko at Positive Research Center identified potential XML eXternal Entity injection vectors due to insecure usage of PHP's DOM extension. CVE-2014-8089 Jonas Sandstrm discovered an SQL injection vector when manually quoting value for sqlsrv extension, using null byte. CVE-2015-3154 Filippo Tessarotto and Maks3w reported potential CRLF injection attacks in mail and HTTP headers. Affected Software/OS: zendframework on Debian Linux Solution: For the oldstable distribution (wheezy), these problems have been fixed in version 1.11.13-1.1+deb7u1. For the stable distribution (jessie), these problems have been fixed in version 1.12.9+dfsg-2+deb8u1. For the testing distribution (stretch), these problems will be fixed in version 1.12.12+dfsg-1. For the unstable distribution (sid), these problems have been fixed in version 1.12.12+dfsg-1. We recommend that you upgrade your zendframework packages. CVSS Score: 7.5 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2012-5657 Debian Security Information: DSA-2602 (Google Search) http://www.debian.org/security/2012/dsa-2602 http://www.mandriva.com/security/advisories?name=MDVSA-2013:115 http://openwall.com/lists/oss-security/2012/12/20/2 http://openwall.com/lists/oss-security/2012/12/20/4 http://secunia.com/advisories/51583 Common Vulnerability Exposure (CVE) ID: CVE-2012-6532 Common Vulnerability Exposure (CVE) ID: CVE-2014-2681 BugTraq ID: 66358 http://www.securityfocus.com/bid/66358 Debian Security Information: DSA-3265 (Google Search) http://www.debian.org/security/2015/dsa-3265 http://www.mandriva.com/security/advisories?name=MDVSA-2014:072 http://seclists.org/oss-sec/2014/q2/0 Common Vulnerability Exposure (CVE) ID: CVE-2014-2682 Common Vulnerability Exposure (CVE) ID: CVE-2014-2683 Common Vulnerability Exposure (CVE) ID: CVE-2014-2684 Common Vulnerability Exposure (CVE) ID: CVE-2014-2685 Common Vulnerability Exposure (CVE) ID: CVE-2014-4914 BugTraq ID: 68031 http://www.securityfocus.com/bid/68031 https://www.debian.org/security/2015/dsa-3265 http://jvn.jp/en/jp/JVN71730320/index.html http://openwall.com/lists/oss-security/2014/07/11/4 http://secunia.com/advisories/58847 Common Vulnerability Exposure (CVE) ID: CVE-2014-8088 BugTraq ID: 70378 http://www.securityfocus.com/bid/70378 http://lists.fedoraproject.org/pipermail/package-announce/2014-October/141070.html http://lists.fedoraproject.org/pipermail/package-announce/2014-October/141106.html http://www.openwall.com/lists/oss-security/2014/10/10/5 XForce ISS Database: zend-framework-cve20148088-sec-bypass(97038) https://exchange.xforce.ibmcloud.com/vulnerabilities/97038 Common Vulnerability Exposure (CVE) ID: CVE-2014-8089 BugTraq ID: 70011 http://www.securityfocus.com/bid/70011 http://framework.zend.com/security/advisory/ZF2014-06 http://seclists.org/oss-sec/2014/q4/276 https://bugzilla.redhat.com/show_bug.cgi?id=1151277 Common Vulnerability Exposure (CVE) ID: CVE-2015-3154
Copyright	Copyright (C) 2015 Greenbone Networks GmbH http://greenbone.net