Updated php-ZendFramework/php-ZendFramework2 packages fixe security vulnerabilities
Publication date: 09 Oct 2015Modification date: 09 Oct 2015
Type: security
Affected Mageia releases : 5
CVE: CVE-2015-5723
Description
Zend Framework contained several instances where it was using incorrect permissions masks, which could lead to local privilege escalation issues (CVE-2015-5723). The PDO adapters of Zend Framework 1 do not filter null bytes values in SQL statements. A PDO adapter can treat null bytes in a query as a string terminator, allowing an attacker to add arbitrary SQL following a null byte, and thus create a SQL injection (ZF2015-08). Note that the ZF2015-08 issue did not affect Zend Framework 2.
References
- https://bugs.mageia.org/show_bug.cgi?id=16828
- http://framework.zend.com/security/advisory/ZF2015-07
- http://framework.zend.com/security/advisory/ZF2015-08
- https://lists.fedoraproject.org/pipermail/package-announce/2015-September/167698.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5723
SRPMS
5/core
- php-ZendFramework-1.12.16-1.mga5
- php-ZendFramework2-2.4.8-1.mga5