{
  "schema_version": "1.7.0",
  "id": "MGASA-2014-0151",
  "published": "2014-04-03T00:43:46Z",
  "modified": "2014-04-03T00:43:33Z",
  "summary": "Updated php-ZendFramework packages fix multiple vulnerabilities",
  "details": "Updated php-ZendFramework packages fix security vulnerabilities:\n\nXML eXternal Entity (XXE) and XML Entity Expansion (XEE) flaws were\ndiscovered in the Zend Framework. An attacker could use these flaws to cause\na denial of service, access files accessible to the server process, or\npossibly perform other more advanced XML External Entity (XXE) attacks\n(CVE-2014-2681, CVE-2014-2682, CVE-2014-2683).\n\nUsing the Consumer component of Zend_OpenId, it is possible to log in using an\narbitrary OpenID account (without knowing any secret information) by using a\nmalicious OpenID Provider. That means it is possible to log in using an\narbitrary OpenID Identity (MyOpenID, Google, etc.) that is not under the\ncontrol of the attacker's own OpenID Provider. Thus, an attacker is able to\nimpersonate any OpenID Identity against the framework (CVE-2014-2684,\nCVE-2014-2685).\n",
  "upstream": [
    "CVE-2014-2681",
    "CVE-2014-2682",
    "CVE-2014-2683",
    "CVE-2014-2684",
    "CVE-2014-2685"
  ],
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://advisories.mageia.org/MGASA-2014-0151.html"
    },
    {
      "type": "ADVISORY",
      "url": "http://framework.zend.com/security/advisory/ZF2014-01"
    },
    {
      "type": "ADVISORY",
      "url": "http://framework.zend.com/security/advisory/ZF2014-02"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1081287"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1081288"
    },
    {
      "type": "ADVISORY",
      "url": "https://secunia.com/advisories/57276/"
    },
    {
      "type": "REPORT",
      "url": "https://bugs.mageia.org/show_bug.cgi?id=13102"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Mageia:3",
        "name": "php-ZendFramework",
        "purl": "pkg:rpm/mageia/php-ZendFramework?arch=source&distro=mageia-3"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.12.5-1.mga3"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "section": "core"
      }
    },
    {
      "package": {
        "ecosystem": "Mageia:4",
        "name": "php-ZendFramework",
        "purl": "pkg:rpm/mageia/php-ZendFramework?arch=source&distro=mageia-4"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.12.5-1.mga4"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "section": "core"
      }
    }
  ],
  "credits": [
    {
      "name": "Mageia",
      "type": "COORDINATOR",
      "contact": [
        "https://wiki.mageia.org/en/Packages_Security_Team"
      ]
    }
  ]
}
