Executive Summary

This alert is flagged as containing a CWE/SANS Top 25 weakness (CWE-89, SQL injection; see the CWE table below).
Summary

Title: zendframework regression update

Information
Name: DSA-3265
Vendor: Debian
Severity (Vendor): N/A
First vendor Publication: 2015-05-20
Last vendor Modification: 2015-05-24
Revision: 2

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact Sub Score: NA
Temporal Score: NA
Exploitability Sub Score: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Base Score: 7.5
CVSS Impact Score: 6.4
CVSS Exploit Score: 10
Attack Range: Network
Attack Complexity: Low
Authentication: None Required

Detail

The update for zendframework issued as DSA-3265-1 introduced a regression preventing the use of non-string or non-stringable objects as header values. A fix for this problem is now applied, along with the final patch for CVE-2015-3154. For reference the original advisory text follows.

Multiple vulnerabilities were discovered in Zend Framework, a PHP framework. Except for CVE-2015-3154, all these issues were already fixed in the version initially shipped with Jessie.

CVE-2014-2681

Lukas Reschke reported a lack of protection against XML External Entity injection attacks in some functions. This fix extends the incomplete one from CVE-2012-5657.

CVE-2014-2682

Lukas Reschke reported a failure to consider that the libxml_disable_entity_loader setting is shared among threads in the PHP-FPM case. This fix extends the incomplete one from CVE-2012-5657.

CVE-2014-2683

Lukas Reschke reported a lack of protection against XML Entity Expansion attacks in some functions. This fix extends the incomplete one from CVE-2012-6532.

CVE-2014-2684

Christian Mainka and Vladislav Mladenov from the Ruhr-University Bochum reported an error in the consumer's verify method that led to acceptance of wrongly sourced tokens.

CVE-2014-2685

Christian Mainka and Vladislav Mladenov from the Ruhr-University Bochum reported a specification violation in which signing of a single parameter is incorrectly considered sufficient.

CVE-2014-4914

Cassiano Dal Pizzol discovered that the implementation of the ORDER BY SQL statement in Zend_Db_Select contains a potential SQL injection when the query string passed contains parentheses.
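The following is an added example and not Zend_Db_Select code: it contrasts a heuristic of the kind the advisory describes, where an ORDER BY argument containing parentheses is assumed to be a safe SQL expression and emitted unquoted, with an allow-list check. The function names, the backtick quoting style and the attacker input are assumptions made for illustration; no database is needed, since only the generated clause text is examined.

```php
<?php
// Added example (not Zend Framework code). Shows why "contains parentheses,
// therefore it is an expression" is an unsafe rule for ORDER BY input, and
// what a stricter rule looks like.

/** MySQL-style identifier quoting; embedded backticks are doubled. */
function quoteIdentifier(string $name): string
{
    return '`' . str_replace('`', '``', $name) . '`';
}

/**
 * Vulnerable pattern: any value containing "(...)" is treated as a raw SQL
 * expression and passed through without quoting. Everything else is quoted
 * as an identifier, which is what makes the parenthesis case stand out.
 */
function orderByVulnerable(string $spec): string
{
    if (preg_match('/\(.*\)/', $spec)) {
        return 'ORDER BY ' . $spec;               // attacker-controlled SQL
    }
    return 'ORDER BY ' . quoteIdentifier($spec);
}

/**
 * Hardened pattern: accept only a bare column name from $allowed, with an
 * optional ASC/DESC. Expressions are not accepted from untrusted input at
 * all; \z (not $) so a trailing newline cannot slip past the check.
 */
function orderBySafe(string $spec, array $allowed): ?string
{
    if (!preg_match('/^([A-Za-z_][A-Za-z0-9_]*)(?:\s+(ASC|DESC))?\z/i', $spec, $m)) {
        return null;
    }
    $column = $m[1];
    if (!in_array($column, $allowed, true)) {
        return null;
    }
    $direction = isset($m[2]) ? strtoupper($m[2]) : 'ASC';
    return 'ORDER BY ' . quoteIdentifier($column) . ' ' . $direction;
}

// Constructed attacker input: the parentheses make it look like an
// expression, so the vulnerable rule emits it verbatim into the query.
$malicious = '(SELECT 1), (SELECT password FROM users LIMIT 1)';
$allowed   = ['name', 'created_at'];

echo orderByVulnerable($malicious), "\n";
var_dump(orderBySafe($malicious, $allowed));    // rejected
echo orderBySafe('created_at DESC', $allowed), "\n";
```

The practical takeaway is that sort columns coming from a request should be mapped against a fixed list of column names; if an application genuinely needs an expression in ORDER BY, it should construct that expression itself from trusted pieces rather than accept one from the client.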

CVE-2014-8088

Yury Dyachenko at Positive Research Center identified potential XML eXternal Entity injection vectors due to insecure usage of PHP's DOM extension.
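The next block is an added example and not Zend Framework code. It covers the XML issues above (CVE-2014-2681, CVE-2014-2682, CVE-2014-2683 and CVE-2014-8088) from the defender's side: it parses untrusted XML with PHP's DOM extension, disables external entity loading for the duration of the call, and, because that setting is process-global and cannot be relied on alone when the SAPI is threaded, also refuses any document that carries a DOCTYPE, which is where both external entities and entity-expansion bombs are declared. The function name and the sample payloads are assumptions made for illustration.

```php
<?php
// Added example (not Zend Framework code): load untrusted XML into a
// DOMDocument without trusting libxml_disable_entity_loader() alone.

/**
 * Returns a DOMDocument for $xml, or null if the input is rejected.
 * Rejection happens on parse failure and on any DOCTYPE declaration, so
 * external entities (XXE) and internal entity expansion are both refused
 * regardless of the global entity-loader setting.
 */
function loadUntrustedXml(string $xml): ?DOMDocument
{
    if ($xml === '') {
        return null;                      // DOMDocument::loadXML rejects ''
    }

    // Cheap pre-filter: a literal DOCTYPE in the raw bytes. This is not the
    // authority (a UTF-16 document would evade it); the DOM check below is.
    if (stripos($xml, '<!DOCTYPE') !== false) {
        return null;
    }

    // Disable external entity loading for this call and restore the old
    // value afterwards. PHP 8 disables the loader by default and deprecates
    // the function, so only touch it on older runtimes.
    $previousLoader = null;
    if (PHP_VERSION_ID < 80000) {
        $previousLoader = libxml_disable_entity_loader(true);
    }
    $previousErrors = libxml_use_internal_errors(true);

    $dom = new DOMDocument();
    // LIBXML_NONET forbids network access while parsing. LIBXML_NOENT is
    // deliberately absent, so entity references are never substituted.
    $ok = $dom->loadXML($xml, LIBXML_NONET);

    libxml_clear_errors();
    libxml_use_internal_errors($previousErrors);
    if ($previousLoader !== null) {
        libxml_disable_entity_loader($previousLoader);
    }

    if ($ok === false) {
        return null;
    }
    // Authoritative check: any DOCTYPE at all means the document may declare
    // entities, so refuse it whatever the loader setting was at parse time.
    if ($dom->doctype !== null) {
        return null;
    }
    return $dom;
}

// Constructed inputs: a classic XXE payload, an entity-expansion payload and
// a benign document.
$xxe = '<?xml version="1.0"?>'
     . '<!DOCTYPE r [<!ENTITY x SYSTEM "file:///etc/passwd">]><r>&x;</r>';
$bomb = '<?xml version="1.0"?>'
      . '<!DOCTYPE r [<!ENTITY a "aaaaaaaaaa"><!ENTITY b "&a;&a;&a;&a;&a;">]>'
      . '<r>&b;&b;&b;&b;&b;</r>';
$benign = '<?xml version="1.0"?><r><item>ok</item></r>';

foreach (['xxe' => $xxe, 'bomb' => $bomb, 'benign' => $benign] as $label => $doc) {
    echo $label, ': ', loadUntrustedXml($doc) === null ? 'rejected' : 'accepted', "\n";
}
```

Refusing every DOCTYPE is a deliberate trade-off: it also rejects legitimate documents with a DTD. For a framework that consumes XML from the network (feeds, XML-RPC, OpenID responses) that is usually the right default, and callers that really need a DTD should opt in explicitly on a trusted path.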

CVE-2014-8089

Jonas Sandström discovered an SQL injection vector when manually quoting values for the sqlsrv extension, using a null byte.

CVE-2015-3154

Filippo Tessarotto and Maks3w reported potential CRLF injection attacks in mail and HTTP headers.
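The block below is an added example and not Zend Framework or Debian code. It illustrates both the CRLF problem reported as CVE-2015-3154 and the regression that DSA-3265-1 introduced and this update corrects: a check that insists on `is_string()` blocks header injection but also rejects integers and objects that implement `__toString()`, whereas a check that first converts anything stringable and then looks for control characters rejects the injection without the regression. The function names, the `Version` class and the sample values are assumptions made for illustration.

```php
<?php
// Added example (not Zend Framework code): header value validation that
// blocks CR/LF injection without rejecting stringable values.

/** Over-strict check of the kind that caused the regression: strings only. */
function isSafeHeaderValueStrict($value): bool
{
    return is_string($value) && preg_match('/[\r\n]/', $value) === 0;
}

/**
 * Convert a header value to string if it is stringable, else return null.
 * Accepted: strings, ints, floats, objects with __toString(). Rejected:
 * null, bool (casts to "" or "1", too ambiguous), arrays, other objects.
 */
function toHeaderString($value): ?string
{
    if (is_string($value)) {
        return $value;
    }
    if (is_int($value) || is_float($value)) {
        return (string) $value;
    }
    if (is_object($value) && method_exists($value, '__toString')) {
        return (string) $value;
    }
    return null;
}

/**
 * Corrected check: stringify first, then reject any control character other
 * than HTAB. That covers CR and LF (header injection and obsolete line
 * folding) as well as NUL. Bytes 0x80-0xFF are left to the caller's
 * encoding policy.
 */
function isSafeHeaderValue($value): bool
{
    $s = toHeaderString($value);
    if ($s === null) {
        return false;
    }
    return preg_match('/[^\x09\x20-\x7E\x80-\xFF]/', $s) === 0;
}

/** Build one header line, validating the name (RFC 7230 token) and value. */
function buildHeaderLine(string $name, $value): string
{
    if (!preg_match('/^[A-Za-z0-9!#$%&\'*+.^_`|~-]+\z/', $name)) {
        throw new InvalidArgumentException('invalid header name');
    }
    if (!isSafeHeaderValue($value)) {
        throw new InvalidArgumentException("unsafe value for header $name");
    }
    return $name . ': ' . toHeaderString($value) . "\r\n";
}

// Hypothetical stringable object, standing in for the kind of value the
// DSA-3265-1 check wrongly refused.
final class Version
{
    public function __toString(): string { return '1.12.13'; }
}

// Constructed test values.
$cases = [
    'plain string'      => 'text/plain; charset=utf-8',
    'integer'           => 42,
    'stringable object' => new Version(),
    'array'             => ['not', 'a', 'header'],
    'CRLF injection'    => "text/plain\r\nSet-Cookie: session=attacker",
];
foreach ($cases as $label => $value) {
    printf("%-18s strict=%-6s fixed=%s\n", $label,
        isSafeHeaderValueStrict($value) ? 'accept' : 'reject',
        isSafeHeaderValue($value) ? 'accept' : 'reject');
}
echo buildHeaderLine('X-Powered-By', new Version());
```

When reviewing a CRLF fix of your own, test it with both kinds of input: an injected `\r\n` (must be rejected) and an integer or stringable object (must still be accepted). The regression this DSA corrects is exactly the case where only the first of those tests was run.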

For the oldstable distribution (wheezy), this problem has been fixed in version 1.11.13-1.1+deb7u2.

For the stable distribution (jessie), this problem has been fixed in version 1.12.9+dfsg-2+deb8u2.

For the testing distribution (stretch), this problem has been fixed in version 1.12.13+dfsg-1.

For the unstable distribution (sid), this problem has been fixed in version 1.12.13+dfsg-1.

We recommend that you upgrade your zendframework packages.

Original Source

Url : http://www.debian.org/security/2015/dsa-3265

CWE : Common Weakness Enumeration

%    Id       Name
22%  CWE-287  Improper Authentication
22%  CWE-19   Data Handling
11%  CWE-399  Resource Management Errors
11%  CWE-264  Permissions, Privileges, and Access Controls
11%  CWE-200  Information Exposure
11%  CWE-89   Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') (CWE/SANS Top 25)
11%  CWE-17   Code

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:20156
Title: DSA-2602-1 zendframework - XML external entity inclusion
Description: Yury Dyachenko discovered that Zend Framework uses the PHP XML parser in an insecure way, allowing attackers to open files and trigger HTTP requests, potentially accessing restricted information.
Family: unix
Class: patch
Reference(s): DSA-2602-1, CVE-2012-5657
Version: 5
Platform(s): Debian GNU/Linux 6.0, Debian GNU/kFreeBSD 6.0
Product(s): zendframework

CPE : Common Platform Enumeration

Type         Count
Application  141
Os           2

Nessus® Vulnerability Scanner

Date Description
2015-06-22 Name : The remote Debian host is missing a security update.
File : debian_DLA-251.nasl - Type : ACT_GATHER_INFO
2015-05-21 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-3265.nasl - Type : ACT_GATHER_INFO
2015-03-30 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2015-097.nasl - Type : ACT_GATHER_INFO
2014-12-15 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2014-460.nasl - Type : ACT_GATHER_INFO
2014-11-21 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2014-216.nasl - Type : ACT_GATHER_INFO
2014-11-11 Name : The remote Fedora host is missing a security update.
File : fedora_2014-14043.nasl - Type : ACT_GATHER_INFO
2014-11-03 Name : The remote Fedora host is missing a security update.
File : fedora_2014-12341.nasl - Type : ACT_GATHER_INFO
2014-10-29 Name : The remote Fedora host is missing a security update.
File : fedora_2014-13302.nasl - Type : ACT_GATHER_INFO
2014-10-20 Name : The remote Fedora host is missing a security update.
File : fedora_2014-12418.nasl - Type : ACT_GATHER_INFO
2014-10-20 Name : The remote Fedora host is missing a security update.
File : fedora_2014-12344.nasl - Type : ACT_GATHER_INFO
2014-10-16 Name : The remote Fedora host is missing a security update.
File : fedora_2014-12676.nasl - Type : ACT_GATHER_INFO
2014-10-12 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2014-394.nasl - Type : ACT_GATHER_INFO
2014-10-12 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2014-377.nasl - Type : ACT_GATHER_INFO
2014-08-01 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2014-145.nasl - Type : ACT_GATHER_INFO
2014-07-22 Name : The remote Fedora host is missing a security update.
File : fedora_2014-8309.nasl - Type : ACT_GATHER_INFO
2014-07-22 Name : The remote Fedora host is missing a security update.
File : fedora_2014-8308.nasl - Type : ACT_GATHER_INFO
2014-04-15 Name : The remote Fedora host is missing a security update.
File : fedora_2014-4651.nasl - Type : ACT_GATHER_INFO
2014-04-15 Name : The remote Fedora host is missing a security update.
File : fedora_2014-4636.nasl - Type : ACT_GATHER_INFO
2014-04-15 Name : The remote Fedora host is missing a security update.
File : fedora_2014-4612.nasl - Type : ACT_GATHER_INFO
2014-04-15 Name : The remote Fedora host is missing a security update.
File : fedora_2014-4603.nasl - Type : ACT_GATHER_INFO
2014-04-10 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2014-072.nasl - Type : ACT_GATHER_INFO
2013-09-04 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2013-153.nasl - Type : ACT_GATHER_INFO
2013-04-20 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2013-115.nasl - Type : ACT_GATHER_INFO
2013-01-21 Name : The remote Fedora host is missing a security update.
File : fedora_2013-0063.nasl - Type : ACT_GATHER_INFO
2013-01-21 Name : The remote Fedora host is missing a security update.
File : fedora_2013-0061.nasl - Type : ACT_GATHER_INFO
2013-01-21 Name : The remote Fedora host is missing a security update.
File : fedora_2013-0057.nasl - Type : ACT_GATHER_INFO
2013-01-09 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2602.nasl - Type : ACT_GATHER_INFO

Alert History

Date Information
2017-12-31 09:22:36
  • Multiple Updates
2015-05-24 17:25:30
  • Multiple Updates
2015-05-22 13:29:28
  • Multiple Updates
2015-05-20 13:26:49
  • First insertion