Advisories » MGASA-2016-0196

Updated php-ZendFramework2 packages fix CVE-2015-7503

Publication date: 21 May 2016
Modification date: 21 May 2016
Type: security
Affected Mageia releases: 5
CVE: CVE-2015-7503

Description

Updated php-ZendFramework2 packages fix a security vulnerability:

Zend\Crypt\PublicKey\Rsa\PublicKey calls openssl_public_encrypt() with PHP's
default $padding argument, OPENSSL_PKCS1_PADDING, which selects PKCS#1 v1.5
padding. This padding has a known vulnerability, Bleichenbacher's
chosen-ciphertext attack, which can be used to decrypt arbitrary ciphertexts
(CVE-2015-7503).
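
The default-padding call described above, next to a call that names the padding explicitly, as an added example that is not Zend Framework's code or part of this advisory. It assumes OAEP (OPENSSL_PKCS1_OAEP_PADDING) as the replacement padding, which the advisory does not name; decryptOaepOnly() is a hypothetical helper, and the key and message are constructed at run time.

```php
<?php
// Added example, not Zend Framework code. The key pair is generated at run
// time and the message is a constructed sample.
$key = openssl_pkey_new([
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'private_key_bits' => 2048,
]);
if ($key === false) {
    throw new RuntimeException('RSA key generation failed: ' . openssl_error_string());
}
$publicPem = openssl_pkey_get_details($key)['key'];
$message   = 'constructed sample message';

// Weak: no $padding argument, so PHP falls back to OPENSSL_PKCS1_PADDING
// (PKCS#1 v1.5), the behaviour described in the advisory.
openssl_public_encrypt($message, $v15Ciphertext, $publicPem);

// Hardened (assumption: OAEP as the replacement): name the padding explicitly.
openssl_public_encrypt($message, $oaepCiphertext, $publicPem, OPENSSL_PKCS1_OAEP_PADDING);

// Hypothetical helper: decrypt with OAEP only and report every failure the
// same way, so callers cannot tell a padding error from any other error.
function decryptOaepOnly(string $ciphertext, $privateKey): ?string
{
    $ok = openssl_private_decrypt($ciphertext, $plain, $privateKey, OPENSSL_PKCS1_OAEP_PADDING);
    while (openssl_error_string() !== false) {
        // Drain the OpenSSL error queue instead of exposing it.
    }
    return $ok ? $plain : null;
}

var_dump(decryptOaepOnly($oaepCiphertext, $key) === $message); // OAEP round trip
var_dump(decryptOaepOnly($v15Ciphertext, $key) === null);      // v1.5 input rejected
```

Both sides must use the same padding constant, so a change on the encrypting side needs the matching change wherever openssl_private_decrypt() is called.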
                

References

SRPMS

5/core