Updated php-ZendFramework/php-ZendFramework2 packages fix security vulnerabilities
Publication date: 09 Oct 2015
Modification date: 09 Oct 2015
Type: security
Affected Mageia releases: 5
CVE: CVE-2015-5723
Description
Zend Framework contained several instances where it was using incorrect
permissions masks, which could lead to local privilege escalation issues
(CVE-2015-5723).
The PDO adapters of Zend Framework 1 do not filter null byte values in
SQL statements. A PDO adapter can treat null bytes in a query as a string
terminator, allowing an attacker to add arbitrary SQL following a null
byte, and thus create a SQL injection (ZF2015-08).
Note that the ZF2015-08 issue did not affect Zend Framework 2.
SRPMS
5/core
- php-ZendFramework-1.12.16-1.mga5
- php-ZendFramework2-2.4.8-1.mga5
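
To confirm that a Mageia 5 host carries the fixed builds listed above, the following added example (not part of the original advisory) compares installed version-release strings against them. The function names are hypothetical, and `sort -V` is assumed to order these simple version-release strings the way RPM does.

```shell
#!/bin/sh
# Fixed builds from the advisory's SRPMS list (version-release).
FIXED_ZF1="1.12.16-1.mga5"
FIXED_ZF2="2.4.8-1.mga5"

# is_fixed INSTALLED FIXED -> returns 0 when INSTALLED is at or above FIXED.
# Assumption: `sort -V` stands in for RPM's own comparison, which is adequate
# for plain numeric strings such as the ones in this advisory.
is_fixed() {
    [ "$1" = "$2" ] && return 0
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# check_pkg NAME INSTALLED FIXED -> prints a status line; returns 1 if vulnerable.
check_pkg() {
    if [ -z "$2" ]; then
        echo "$1: not installed"
        return 0
    fi
    if is_fixed "$2" "$3"; then
        echo "$1: $2 OK (at or above $3)"
    else
        echo "$1: $2 VULNERABLE (needs $3 or later)"
        return 1
    fi
}

# installed_vr NAME -> version-release of the installed package, empty if absent.
installed_vr() {
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$1" 2>/dev/null \
        | grep -v 'not installed' | head -n 1
}

# audit -> checks both packages on this host; returns 1 if either is vulnerable.
audit() {
    rc=0
    check_pkg php-ZendFramework  "$(installed_vr php-ZendFramework)"  "$FIXED_ZF1" || rc=1
    check_pkg php-ZendFramework2 "$(installed_vr php-ZendFramework2)" "$FIXED_ZF2" || rc=1
    return $rc
}

# Run the host check only when invoked with --audit.
if [ "${1:-}" = "--audit" ]; then audit; fi
```
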