
Fedora 27 PHP Zend Framework 1.8.4 Moderate Security Advisory

--------------------------------------------------------------------------------

Fedora Update Notification
FEDORA-2018-dbb0d41078
2018-08-14 20:15:54.627619

--------------------------------------------------------------------------------

Name        : php-zendframework-zend-diactoros
Product     : Fedora 27
Version     : 1.8.4
Release     : 1.fc27
URL         : https://zendframework.github.io/zend-diactoros/
Summary     : PSR HTTP Message implementations
Description :

A PHP package containing implementations of the accepted PSR-7 HTTP message interfaces [1], as well as a "server" implementation similar to node's http.Server [2].

Documentation: https://zendframework.github.io/zend-diactoros/

Autoloader: /usr/share/php/Zend/Diactoros/autoload.php

[1] https://www.php-fig.org/psr/psr-7/
[2] https://nodejs.org/api/http.html

--------------------------------------------------------------------------------

Update Information:

## 1.8.4 - 2018-08-01

### Added

- Nothing.

### Changed

- This release modifies how `ServerRequestFactory` marshals the request URI. In prior releases, we would attempt to inspect the `X-Rewrite-Url` and `X-Original-Url` headers, using their values, if present. These headers are issued by the ISAPI_Rewrite module for IIS (developed by HeliconTech). However, we have no way of guaranteeing that the module is what issued the headers, making it an unreliable source for discovering the URI. As such, we have removed this feature in this release of Diactoros.

  If you are developing a middleware application, you can mimic the functionality via middleware as follows:

  ```
  use Psr\Http\Message\ResponseInterface;
  use Psr\Http\Message\ServerRequestInterface;
  use Psr\Http\Server\MiddlewareInterface;
  use Psr\Http\Server\RequestHandlerInterface;
  use Zend\Diactoros\Uri;

  // Class name is illustrative; the changelog shows only the process() method.
  class RewriteUrlMiddleware implements MiddlewareInterface
  {
      public function process(ServerRequestInterface $request, RequestHandlerInterface $handler) : ResponseInterface
      {
          $requestUri = null;

          // getHeaderLine() returns an empty string, never null, when the header is absent.
          $httpXRewriteUrl = $request->getHeaderLine('X-Rewrite-Url');
          if ($httpXRewriteUrl !== '') {
              $requestUri = $httpXRewriteUrl;
          }

          // X-Original-Url takes precedence when both headers are present.
          $httpXOriginalUrl = $request->getHeaderLine('X-Original-Url');
          if ($httpXOriginalUrl !== '') {
              $requestUri = $httpXOriginalUrl;
          }

          if ($requestUri !== null) {
              $request = $request->withUri(new Uri($requestUri));
          }

          return $handler->handle($request);
      }
  }
  ```

  If you use middleware such as the above, make sure you also instruct your web server to strip any incoming headers of the same name so that you can guarantee they are issued by the ISAPI_Rewrite module.

### Deprecated

- Nothing.

### Removed

- Nothing.

### Fixed

- Nothing.

## 1.8.3 - 2018-07-24

### Added

- Nothing.

### Changed

- Nothing.

### Deprecated

- Nothing.

### Removed

- Nothing.

### Fixed

- [#321](https://github.com/zendframework/zend-diactoros/pull/321) updates the logic in `Uri::withPort()` to ensure that it checks that the value provided is either an integer or a string integer, as only those values may be cast to integer without data loss.
- [#320](https://github.com/zendframework/zend-diactoros/pull/320) adds checking within `Response` to ensure that the provided reason phrase is a string; an `InvalidArgumentException` is now raised if it is not. This change ensures the class adheres strictly to the PSR-7 specification.
- [#319](https://github.com/zendframework/zend-diactoros/pull/319) provides a fix to `Zend\Diactoros\Response` that ensures that the status code returned is _always_ an integer (and never a string containing an integer), thus ensuring it strictly adheres to the PSR-7 specification.

## 1.8.2 - 2018-07-19

### Added

- Nothing.

### Changed

- Nothing.

### Deprecated

- Nothing.

### Removed

- Nothing.

### Fixed

- [#318](https://github.com/zendframework/zend-diactoros/pull/318) fixes the logic for discovering whether an HTTPS scheme is in play to be case insensitive when comparing header and SAPI values, ensuring no false negative lookups occur.
- [#314](https://github.com/zendframework/zend-diactoros/pull/314) modifies error handling around opening a file resource within `Zend\Diactoros\Stream::setStream()` to no longer use the second argument to `set_error_handler()`, and instead check the error type in the handler itself; this fixes an issue when the handler is nested inside another error handler, which currently has buggy behavior within the PHP engine.

## 1.8.1 - 2018-07-09

### Added

- Nothing.

### Changed

- [#313](https://github.com/zendframework/zend-diactoros/pull/313) changes the reason phrase associated with the status code 425 to "Too Early", corresponding to a new definition of the code as specified by the IANA.

### Deprecated

- Nothing.

### Removed

- Nothing.

### Fixed

- [#312](https://github.com/zendframework/zend-diactoros/pull/312) fixes how the `normalizeUploadedFiles()` utility function handles nested trees of uploaded files, ensuring it detects them properly.

## 1.8.0 - 2018-06-27

### Added

- [#307](https://github.com/zendframework/zend-diactoros/pull/307) adds the following functions under the `Zend\Diactoros` namespace, each of which may be used to derive artifacts from SAPI superglobals for the purposes of generating a `ServerRequest` instance:
  - `normalizeServer(array $server, callable $apacheRequestHeaderCallback = null) : array` (main purpose is to aggregate the `Authorization` header in the SAPI params when under Apache)
  - `marshalProtocolVersionFromSapi(array $server) : string`
  - `marshalMethodFromSapi(array $server) : string`
  - `marshalUriFromSapi(array $server, array $headers) : Uri`
  - `marshalHeadersFromSapi(array $server) : array`
  - `parseCookieHeader(string $header) : array`
  - `createUploadedFile(array $spec) : UploadedFile` (creates the instance from a normal `$_FILES` entry)
  - `normalizeUploadedFiles(array $files) : UploadedFileInterface[]` (traverses a potentially nested array of uploaded file instances and/or `$_FILES` entries, including those aggregated under mod_php, php-fpm, and php-cgi in order to create a flat array of `UploadedFileInterface` instances to use in a request)

### Changed

- Nothing.

### Deprecated

- [#307](https://github.com/zendframework/zend-diactoros/pull/307) deprecates `ServerRequestFactory::normalizeServer()`; the method is no longer used internally, and users should instead use `Zend\Diactoros\normalizeServer()`, to which it proxies.
- [#307](https://github.com/zendframework/zend-diactoros/pull/307) deprecates `ServerRequestFactory::marshalHeaders()`; the method is no longer used internally, and users should instead use `Zend\Diactoros\marshalHeadersFromSapi()`, to which it proxies.
- [#307](https://github.com/zendframework/zend-diactoros/pull/307) deprecates `ServerRequestFactory::marshalUriFromServer()`; the method is no longer used internally. Users should use `marshalUriFromSapi()` instead.
- [#307](https://github.com/zendframework/zend-diactoros/pull/307) deprecates `ServerRequestFactory::marshalRequestUri()`; the method is no longer used internally, and currently proxies to `marshalUriFromSapi()`, pulling the discovered path from the `Uri` instance returned by that function. Users should use `marshalUriFromSapi()` instead.
- [#307](https://github.com/zendframework/zend-diactoros/pull/307) deprecates `ServerRequestFactory::marshalHostAndPortFromHeaders()`; the method is no longer used internally, and currently proxies to `marshalUriFromSapi()`, pulling the discovered host and port from the `Uri` instance returned by that function. Users should use `marshalUriFromSapi()` instead.
- [#307](https://github.com/zendframework/zend-diactoros/pull/307) deprecates `ServerRequestFactory::getHeader()`; the method is no longer used internally. Users should copy and paste the functionality into their own applications if needed, or rely on headers from a fully-populated `Uri` instance instead.
- [#307](https://github.com/zendframework/zend-diactoros/pull/307) deprecates `ServerRequestFactory::stripQueryString()`; the method is no longer used internally, and users can mimic the functionality via the expression `$path = explode('?', $path, 2)[0];`.
- [#307](https://github.com/zendframework/zend-diactoros/pull/307) deprecates `ServerRequestFactory::normalizeFiles()`; the functionality is no longer used internally, and users can use `normalizeUploadedFiles()` as a replacement.
- [#303](https://github.com/zendframework/zend-diactoros/pull/303) deprecates `Zend\Diactoros\Response\EmitterInterface` and its various implementations. These are now provided via the [zendframework/zend-httphandlerrunner](https://docs.zendframework.com/zend-httphandlerrunner/) package as 1:1 substitutions.
- [#303](https://github.com/zendframework/zend-diactoros/pull/303) deprecates the `Zend\Diactoros\Server` class.
  Users are directed to the `RequestHandlerRunner` class from the [zendframework/zend-httphandlerrunner](https://docs.zendframework.com/zend-httphandlerrunner/) package as an alternative.

### Removed

- Nothing.

### Fixed

- Nothing.

--------------------------------------------------------------------------------

ChangeLog:

* Thu Aug 2 2018 Shawn Iwinski - 1.8.4-1
- Update to 1.8.4 (RHBZ #1504401 / ZF2018-01 / CVE-2018-14773 / CVE-2018-14774)

* Fri Jul 13 2018 Fedora Release Engineering - 1.7.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild

* Wed May 30 2018 Remi Collet - 1.7.2-1
- update to 1.7.2

* Fri Mar 30 2018 Remi Collet - 1.7.1-1
- update to 1.7.1
- use range dependencies on F27+

* Fri Feb 9 2018 Fedora Release Engineering - 1.7.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild

* Fri Jan 5 2018 Remi Collet - 1.7.0-1
- Update to 1.7.0

* Tue Dec 5 2017 Remi Collet - 1.6.1-2
- switch to classmap autoloader for consistency
- provide php-autoloader(zendframework/zend-diactoros)

* Thu Nov 2 2017 Remi Collet - 1.6.1-1
- Update to 1.6.1
- use phpunit6 on F26+

* Sun Oct 8 2017 Shawn Iwinski - 1.6.0-1
- Updated to 1.6.0 (RHBZ #1491486)

--------------------------------------------------------------------------------

References:

[ 1 ] Bug #1504401 - php-zendframework-zend-diactoros-1.8.4 is available
      https://bugzilla.redhat.com/show_bug.cgi?id=1504401

--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use

su -c 'dnf upgrade --advisory FEDORA-2018-dbb0d41078'

at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key.
More details on the GPG keys used by the Fedora Project can be found at

--------------------------------------------------------------------------------

_______________________________________________

package-announce mailing list
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/[list address obscured]/message/2Q5NN4YKQFE3WLFLIS7AJTOJ6E5FNTRH/

LinuxSecurity.com Team
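
Before upgrading, it helps to know whether any of your traffic depends on the header handling that 1.8.4 removes. The following is an added example, not code from Diactoros or from the Fedora advisory: a simplified, dependency-free model of the path selection the changelog describes (rewrite headers win before 1.8.4, ignored from 1.8.4 on), with a hypothetical `auditRewriteHeaders()` helper run over constructed `$_SERVER`-shaped samples. All function names and sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not Diactoros source. $_SERVER keys for the two headers,
// in the order the changelog's middleware checks them (the later one wins).
const REWRITE_KEYS = ['HTTP_X_REWRITE_URL', 'HTTP_X_ORIGINAL_URL'];

function pathOnly(string $uri): string
{
    return explode('?', $uri, 2)[0];
}

// Model of 1.8.4: only the URI reported by the SAPI is used.
function sapiPath(array $server): string
{
    return pathOnly($server['REQUEST_URI'] ?? '/');
}

// Model of pre-1.8.4 as the changelog describes it: header values, if present, win.
function legacyPath(array $server): string
{
    $uri = $server['REQUEST_URI'] ?? '/';
    foreach (REWRITE_KEYS as $key) {
        if (($server[$key] ?? '') !== '') {
            $uri = $server[$key];
        }
    }
    return pathOnly($uri);
}

// List the requests whose path differs between the two models, i.e. requests
// that the application will see differently once 1.8.4 is installed.
function auditRewriteHeaders(array $requests): array
{
    $findings = [];
    foreach ($requests as $id => $server) {
        $old = legacyPath($server);
        $new = sapiPath($server);
        if ($old !== $new) {
            $findings[] = sprintf('%s: header path %s replaced %s', $id, $old, $new);
        }
    }
    return $findings;
}

// Constructed sample requests, shaped like $_SERVER.
$requests = [
    'req-1' => ['REQUEST_URI' => '/status?verbose=1'],
    'req-2' => ['REQUEST_URI' => '/status', 'HTTP_X_ORIGINAL_URL' => '/reports/2018'],
    'req-3' => ['REQUEST_URI' => '/a', 'HTTP_X_REWRITE_URL' => '/b', 'HTTP_X_ORIGINAL_URL' => '/c'],
];
print_r(auditRewriteHeaders($requests));
```

A finding on a host that does not run ISAPI_Rewrite means the header was supplied by the client; on a host that does run it, findings show which routes need the changelog's middleware together with header stripping at the web server.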

Aug 14, 2018 Fedora