-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2013:115
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : php-ZendFramework
 Date    : April 10, 2013
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated php-ZendFramework packages fix security vulnerabilities:

 Zend_Dom, Zend_Feed, Zend_Soap, and Zend_XmlRpc in Zend Framework
 before 1.11.13 and 1.12.0 are vulnerable to XML Entity Expansion (XEE)
 vectors, leading to Denial of Service vectors. XEE attacks occur when
 the XML DOCTYPE declaration includes XML entity definitions that
 contain either recursive or circular references; this leads to CPU and
 memory consumption, making Denial of Service exploits trivial to
 implement (ZF2012-02).

 A vulnerability was reported in Zend Framework versions prior to
 1.11.15 and 1.12.1, which can be exploited to disclose certain
 sensitive information. This flaw is caused by an error in the
 Zend_Feed_Rss and Zend_Feed_Atom classes of the Zend_Feed component
 when processing XML data. It can be used to disclose the contents of
 certain local files by sending specially crafted XML data including
 external entity references (CVE-2012-5657, ZF2012-05).
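 The two vector classes above, shown as an added Python example that is
 not part of this advisory and not Zend Framework code: a constructed
 entity-expansion feed (the ZF2012-02 pattern), a constructed external
 entity feed (the CVE-2012-5657 / ZF2012-05 pattern), and a guarded
 parser that refuses any DOCTYPE, entity declaration or external entity
 reference before expat expands anything. Rejecting the DOCTYPE outright
 is a general mitigation chosen for the example, not a description of
 the framework's own patch; the payloads, the benign feed and the
 function names are all constructed here.

```python
"""Added example (not Zend Framework code): XEE and XXE feed payloads
beside a parser that refuses entity constructs before expanding them.
All documents below are constructed for the demonstration."""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXml(ValueError):
    """Raised when a document carries DOCTYPE/entity constructs we refuse."""


# Constructed XEE payload (ZF2012-02 pattern): four small entity
# declarations expand to 10**3 copies of "lol" inside the title.
XEE_PAYLOAD = """<?xml version="1.0"?>
<!DOCTYPE rss [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<rss version="2.0"><channel><title>&lol3;</title></channel></rss>"""

# Constructed XXE payload (CVE-2012-5657 / ZF2012-05 pattern): an
# external entity that points at a local file.
XXE_PAYLOAD = """<?xml version="1.0"?>
<!DOCTYPE rss [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<rss version="2.0"><channel><title>&xxe;</title></channel></rss>"""

# Constructed benign feed: no DOCTYPE, no entities.
BENIGN_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Mandriva advisories</title>
<item><title>MDVSA-2013:115</title></item></channel></rss>"""


def unguarded_title_length(xml_text):
    """Parse with internal entity expansion left on, as a vulnerable feed
    parser would, and return how long the channel title became."""
    root = ET.fromstring(xml_text)
    return len(root.findtext("channel/title") or "")


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    raise UnsafeXml("DOCTYPE %r refused: no entity declarations accepted" % name)


def _reject_entity(name, is_param, value, base, sysid, pubid, notation):
    raise UnsafeXml("entity declaration %r refused" % name)


def _reject_external(context, base, sysid, pubid):
    raise UnsafeXml("external entity %r refused" % sysid)


def safe_parse(xml_text):
    """Build an ElementTree from xml_text, refusing DOCTYPE, entity
    declarations and external entity references; pyexpat is driven
    directly so the rejection handlers run before any expansion."""
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.EntityDeclHandler = _reject_entity
    parser.ExternalEntityRefHandler = _reject_external
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(xml_text, True)
    return builder.close()


def feed_titles(xml_text):
    """Return (channel title, [item titles]) for a guarded RSS document."""
    root = safe_parse(xml_text)
    return (root.findtext("channel/title"),
            [item.findtext("title") for item in root.iter("item")])


def is_rejected(xml_text):
    """True when the guarded parser refuses the document."""
    try:
        safe_parse(xml_text)
    except UnsafeXml:
        return True
    return False


if __name__ == "__main__":
    print("unguarded XEE title length:", unguarded_title_length(XEE_PAYLOAD))
    for label, doc in (("XEE", XEE_PAYLOAD), ("XXE", XXE_PAYLOAD),
                       ("benign", BENIGN_FEED)):
        print(label, "rejected" if is_rejected(doc) else feed_titles(doc))
```

 The unguarded parse makes the amplification concrete: roughly three
 hundred bytes of entity declarations become a 3000-character title, and
 each additional nesting level multiplies that by ten. The guarded parser
 stops at the DOCTYPE, so neither the expansion nor the file read is ever
 attempted; a feed without a DOCTYPE parses normally.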
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5657
 https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0367
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 24028f63cdfc1cd6304d441156fad899  mbs1/x86_64/php-ZendFramework-1.12.1-1.1.mbs1.noarch.rpm
 df6a7e6d8e9237029ac465a347a88b90  mbs1/x86_64/php-ZendFramework-Cache-Backend-Apc-1.12.1-1.1.mbs1.noarch.rpm
 2e6cfe5c461049ee56de1ef3cc04aabe  mbs1/x86_64/php-ZendFramework-Cache-Backend-Memcached-1.12.1-1.1.mbs1.noarch.rpm
 2be9447ec141ece3454048dc7e0c38e6  mbs1/x86_64/php-ZendFramework-Captcha-1.12.1-1.1.mbs1.noarch.rpm
 063eb5dbad73a565cf930d173be9551c  mbs1/x86_64/php-ZendFramework-demos-1.12.1-1.1.mbs1.noarch.rpm
 25213d4c603b83610a21f7677578110b  mbs1/x86_64/php-ZendFramework-Dojo-1.12.1-1.1.mbs1.noarch.rpm
 ca11b8d3cccbbce205d8dc5150d01d85  mbs1/x86_64/php-ZendFramework-extras-1.12.1-1.1.mbs1.noarch.rpm
 774db46afd448e9819ca5d93187f8282  mbs1/x86_64/php-ZendFramework-Feed-1.12.1-1.1.mbs1.noarch.rpm
 d270baf04532a249946335a3aaed7a67  mbs1/x86_64/php-ZendFramework-Gdata-1.12.1-1.1.mbs1.noarch.rpm
 43d00dcdce015dfef4f9043665741e78  mbs1/x86_64/php-ZendFramework-Pdf-1.12.1-1.1.mbs1.noarch.rpm
 5cd58523a16de049f42a6e9785e3b1aa  mbs1/x86_64/php-ZendFramework-Search-Lucene-1.12.1-1.1.mbs1.noarch.rpm
 f46f3e10469fc9446102d8f20204f3e7  mbs1/x86_64/php-ZendFramework-Services-1.12.1-1.1.mbs1.noarch.rpm
 93e13dc568450349d8b89fc34561a018  mbs1/x86_64/php-ZendFramework-tests-1.12.1-1.1.mbs1.noarch.rpm
 5851be0ec185d6d9f1e0e260aa7e7004  mbs1/SRPMS/php-ZendFramework-1.12.1-1.1.mbs1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.
 You can obtain the GPG public key of the Mandriva Security Team by
 executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

 http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

 security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFRZTlamqjQ0CJFipgRAr7YAJ9hTRDy8s5eZ0wSJhfVEX+2KWBwfgCcDnoG
C7KF5hI4s9q9oeivH5Tojhg=
=uvq5
-----END PGP SIGNATURE-----