Updated php-ZendFramework packages fix CVE-2015-5161
Publication date: 15 Sep 2015
Modification date: 15 Sep 2015
Type: security
Affected Mageia releases: 5
CVE: CVE-2015-5161
Description
Updated php-ZendFramework and php-ZendFramework2 packages fix a security vulnerability:

Dawid Golunski discovered that when running under PHP-FPM in a threaded environment, Zend Framework, a PHP framework, did not properly handle XML data in multibyte encoding. This could be used by remote attackers to perform an XML External Entity attack via crafted XML data (CVE-2015-5161).
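An added illustration (not code from this advisory or from Zend Framework) of why multibyte encodings matter when screening XML for entity declarations: a byte-level search, here the hypothetical naive_scan, does not see the same markup once it is encoded as UTF-16, so declares_dtd decodes by BOM, leading byte pattern or declared encoding first and fails closed. All function names and the sample document are constructed for this example.

```python
import codecs
import re

# BOMs, UTF-32 first because its little-endian BOM starts with the UTF-16 one.
BOMS = [(codecs.BOM_UTF32_LE, "utf-32-le"), (codecs.BOM_UTF32_BE, "utf-32-be"),
        (codecs.BOM_UTF8, "utf-8"),
        (codecs.BOM_UTF16_LE, "utf-16-le"), (codecs.BOM_UTF16_BE, "utf-16-be")]
# How a leading "<" looks in BOM-less multibyte encodings.
LEADS = [(b"<\x00\x00\x00", "utf-32-le"), (b"\x00\x00\x00<", "utf-32-be"),
         (b"<\x00", "utf-16-le"), (b"\x00<", "utf-16-be")]
DECLARED = re.compile(rb"<\?xml[^>]*encoding\s*=\s*[\"']([A-Za-z][A-Za-z0-9._-]*)[\"']")


def naive_scan(data: bytes) -> bool:
    """Illustrative byte-level check: only sees single-byte markup."""
    return b"<!ENTITY" in data


def decode_xml(data: bytes) -> str:
    """Decode the way a parser would: BOM, then byte pattern, then declaration."""
    for bom, enc in BOMS:
        if data.startswith(bom):
            return data[len(bom):].decode(enc)
    for lead, enc in LEADS:
        if data.startswith(lead):
            return data.decode(enc)
    m = DECLARED.match(data)
    return data.decode(m.group(1).decode("ascii") if m else "utf-8")


def declares_dtd(data: bytes) -> bool:
    """True if the input carries a DTD or cannot be decoded cleanly (fail closed)."""
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        return True  # covers input whose declared encoding is misleading
    try:
        text = decode_xml(data)
    except (LookupError, UnicodeError):
        return True  # unknown or inconsistent encoding: reject
    return "\x00" in text or "<!DOCTYPE" in text or "<!ENTITY" in text


# Constructed sample: a harmless internal entity, no external reference.
SAMPLE = '<?xml version="1.0" encoding="UTF-16"?><!DOCTYPE r [<!ENTITY e "x">]><r>&e;</r>'
UTF16 = codecs.BOM_UTF16_LE + SAMPLE.encode("utf-16-le")

if __name__ == "__main__":
    print("naive scan, ASCII :", naive_scan(SAMPLE.encode("ascii")))
    print("naive scan, UTF-16:", naive_scan(UTF16))
    print("decoded scan      :", declares_dtd(UTF16))
```
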
References
- https://bugs.mageia.org/show_bug.cgi?id=16624
- http://framework.zend.com/blog/zend-framework-1-12-14-2-4-6-and-2-5-2-released.html
- http://framework.zend.com/blog/zend-framework-1-12-15-and-2-4-7-released.html
- http://framework.zend.com/security/advisory/ZF2015-06
- https://www.debian.org/security/2015/dsa-3340
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5161
SRPMS
5/core
- php-ZendFramework-1.12.15-1.mga5
- php-ZendFramework2-2.4.7-1.mga5