Executive Summary
Summary | |
---|---|
Title | zendframework regression update |
Informations | |||
---|---|---|---|
Name | DSA-3265 | First vendor Publication | 2015-05-20 |
Vendor | Debian | Last vendor Modification | 2015-05-24 |
Severity (Vendor) | N/A | Revision | 2 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 7.5 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
The update for zendframework issued as DSA-3265-1 introduced a regression preventing the use of non-string or non-stringable objects as header values. A fix for this problem is now applied, along with the final patch for CVE-2015-3154. For reference the original advisory text follows. Multiple vulnerabilities were discovered in Zend Framework, a PHP framework. Except for CVE-2015-3154, all these issues were already fixed in the version initially shipped with Jessie. CVE-2014-2681 Lukas Reschke reported a lack of protection against XML External Entity injection attacks in some functions. This fix extends the incomplete one from CVE-2012-5657. CVE-2014-2682 Lukas Reschke reported a failure to consider that the libxml_disable_entity_loader setting is shared among threads in the PHP-FPM case. This fix extends the incomplete one from CVE-2012-5657. CVE-2014-2683 Lukas Reschke reported a lack of protection against XML Entity Expansion attacks in some functions. This fix extends the incomplete one from CVE-2012-6532. CVE-2014-2684 Christian Mainka and Vladislav Mladenov from the Ruhr-University Bochum reported an error in the consumer's verify method that lead to acceptance of wrongly sourced tokens. CVE-2014-2685 Christian Mainka and Vladislav Mladenov from the Ruhr-University Bochum reported a specification violation in which signing of a single parameter is incorrectly considered sufficient. CVE-2014-4914 Cassiano Dal Pizzol discovered that the implementation of the ORDER BY SQL statement in Zend_Db_Select contains a potential SQL injection when the query string passed contains parentheses. CVE-2014-8088 Yury Dyachenko at Positive Research Center identified potential XML eXternal Entity injection vectors due to insecure usage of PHP's DOM extension. CVE-2014-8089 Jonas Sandström discovered an SQL injection vector when manually quoting value for sqlsrv extension, using null byte. CVE-2015-3154 Filippo Tessarotto and Maks3w reported potential CRLF injection attacks in mail and HTTP headers. For the oldstable distribution (wheezy), this problem has been fixed in version 1.11.13-1.1+deb7u2. For the stable distribution (jessie), this problem has been fixed in version 1.12.9+dfsg-2+deb8u2. For the testing distribution (stretch), this problem has been fixed in version 1.12.13+dfsg-1. For the unstable distribution (sid), this problem has been fixed in version 1.12.13+dfsg-1. We recommend that you upgrade your zendframework packages. |
Original Source
Url : http://www.debian.org/security/2015/dsa-3265 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
22 % | CWE-287 | Improper Authentication |
22 % | CWE-19 | Data Handling |
11 % | CWE-399 | Resource Management Errors |
11 % | CWE-264 | Permissions, Privileges, and Access Controls |
11 % | CWE-200 | Information Exposure |
11 % | CWE-89 | Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') (CWE/SANS Top 25) |
11 % | CWE-17 | Code |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:20156 | |||
Oval ID: | oval:org.mitre.oval:def:20156 | ||
Title: | DSA-2602-1 zendframework - XML external entity inclusion | ||
Description: | Yury Dyachenko discovered that Zend Framework uses the PHP XML parser in an insecure way, allowing attackers to open files and trigger HTTP requests, potentially accessing restricted information. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2602-1 CVE-2012-5657 | Version: | 5 |
Platform(s): | Debian GNU/Linux 6.0 Debian GNU/kFreeBSD 6.0 | Product(s): | zendframework |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2015-06-22 | Name : The remote Debian host is missing a security update. File : debian_DLA-251.nasl - Type : ACT_GATHER_INFO |
2015-05-21 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-3265.nasl - Type : ACT_GATHER_INFO |
2015-03-30 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2015-097.nasl - Type : ACT_GATHER_INFO |
2014-12-15 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2014-460.nasl - Type : ACT_GATHER_INFO |
2014-11-21 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2014-216.nasl - Type : ACT_GATHER_INFO |
2014-11-11 | Name : The remote Fedora host is missing a security update. File : fedora_2014-14043.nasl - Type : ACT_GATHER_INFO |
2014-11-03 | Name : The remote Fedora host is missing a security update. File : fedora_2014-12341.nasl - Type : ACT_GATHER_INFO |
2014-10-29 | Name : The remote Fedora host is missing a security update. File : fedora_2014-13302.nasl - Type : ACT_GATHER_INFO |
2014-10-20 | Name : The remote Fedora host is missing a security update. File : fedora_2014-12418.nasl - Type : ACT_GATHER_INFO |
2014-10-20 | Name : The remote Fedora host is missing a security update. File : fedora_2014-12344.nasl - Type : ACT_GATHER_INFO |
2014-10-16 | Name : The remote Fedora host is missing a security update. File : fedora_2014-12676.nasl - Type : ACT_GATHER_INFO |
2014-10-12 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2014-394.nasl - Type : ACT_GATHER_INFO |
2014-10-12 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2014-377.nasl - Type : ACT_GATHER_INFO |
2014-08-01 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2014-145.nasl - Type : ACT_GATHER_INFO |
2014-07-22 | Name : The remote Fedora host is missing a security update. File : fedora_2014-8309.nasl - Type : ACT_GATHER_INFO |
2014-07-22 | Name : The remote Fedora host is missing a security update. File : fedora_2014-8308.nasl - Type : ACT_GATHER_INFO |
2014-04-15 | Name : The remote Fedora host is missing a security update. File : fedora_2014-4651.nasl - Type : ACT_GATHER_INFO |
2014-04-15 | Name : The remote Fedora host is missing a security update. File : fedora_2014-4636.nasl - Type : ACT_GATHER_INFO |
2014-04-15 | Name : The remote Fedora host is missing a security update. File : fedora_2014-4612.nasl - Type : ACT_GATHER_INFO |
2014-04-15 | Name : The remote Fedora host is missing a security update. File : fedora_2014-4603.nasl - Type : ACT_GATHER_INFO |
2014-04-10 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2014-072.nasl - Type : ACT_GATHER_INFO |
2013-09-04 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2013-153.nasl - Type : ACT_GATHER_INFO |
2013-04-20 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2013-115.nasl - Type : ACT_GATHER_INFO |
2013-01-21 | Name : The remote Fedora host is missing a security update. File : fedora_2013-0063.nasl - Type : ACT_GATHER_INFO |
2013-01-21 | Name : The remote Fedora host is missing a security update. File : fedora_2013-0061.nasl - Type : ACT_GATHER_INFO |
2013-01-21 | Name : The remote Fedora host is missing a security update. File : fedora_2013-0057.nasl - Type : ACT_GATHER_INFO |
2013-01-09 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2602.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2017-12-31 09:22:36 |
|
2015-05-24 17:25:30 |
|
2015-05-22 13:29:28 |
|
2015-05-20 13:26:49 |
|