Advisories » MGASA-2015-0391

Updated php-ZendFramework/php-ZendFramework2 packages fix security vulnerabilities

Publication date: 09 Oct 2015
Type: security
Affected Mageia releases: 5
CVE: CVE-2015-5723

Description

Zend Framework contained several instances where it was using incorrect
permission masks, which could lead to local privilege escalation issues
(CVE-2015-5723).

The PDO adapters of Zend Framework 1 do not filter null byte values in
SQL statements. A PDO adapter can treat null bytes in a query as a string
terminator, allowing an attacker to add arbitrary SQL following a null
byte, and thus create a SQL injection (ZF2015-08).

Note that the ZF2015-08 issue did not affect Zend Framework 2.

References

SRPMS

5/core