Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 436
Alerts This Week
Warning Icon 1 436

Debian: DSA-3265-2 Critical: Zendframework Injection Attack Mitigation

debian
Calendar Grey May 24, 2015
Debian Logo
Debian Security Advisory DSA-4321-1 tackles a flaw in openssl, crucially fixing vulnerabilities that could be exploited.
The update for zendframework issued as DSA-3265-1 introduced a regression preventing the use of non-string or non-stringable objects as header values

Summary

Multiple vulnerabilities were discovered in Zend Framework, a PHP
framework. Except for CVE-2015-3154, all these issues were already fixed
in the version initially shipped with Jessie.

CVE-2014-2681

Lukas Reschke reported a lack of protection against XML External
Entity injection attacks in some functions. This fix extends the
incomplete one from CVE-2012-5657.

CVE-2014-2682

Lukas Reschke reported a failure to consider that the
libxml_disable_entity_loader setting is shared among threads in the
PHP-FPM case. This fix extends the incomplete one from
CVE-2012-5657.

CVE-2014-2683

Lukas Reschke reported a lack of protection against XML Entity
Expansion attacks in some functions. This fix extends the incomplete
one from CVE-2012-6532.

CVE-2014-2684

Christian Mainka and Vladislav Mladenov from the Ruhr-University
Bochum reported an error in the consumer's verify method that lead
to acceptance of wrongly sourced tokens.

CVE-2014-2685

Christian Mainka and ...

Read the Full Advisory

Severity
critical
Lowest
Low
Medium
High
Critical

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.