Login
Login-Name Passwort


 
Newsletter
Werbung

Sicherheit: Preisgabe von Informationen in php-zendframework-zendxml
Aktuelle Meldungen Distributionen
Name: Preisgabe von Informationen in php-zendframework-zendxml
ID: FEDORA-2016-03c0ed3127
Distribution: Fedora
Plattformen: Fedora 22
Datum: Mi, 22. Juni 2016, 08:07
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7503

Originalnachricht

Name        : php-zendframework-zendxml
Product : Fedora 22
Version : 1.0.2
Release : 2.fc22
URL : http://framework.zend.com/
Summary : Zend Framework ZendXml component
Description :
An utility component for XML usage and best practices in PHP.

-------------------------------------------------------------------------------
-
Update Information:

## 2.4.10 (2016-05-09) - Fix HeaderValue throwing an exception on legal
characters ## 2.4.9 (2015-11-23) ### SECURITY UPDATES - **ZF2015-09**:
`Zend\Captcha\Word` generates a "word" for a CAPTCHA challenge by
selecting a
sequence of random letters from a character set. Prior to this vulnerability
announcement, the selection was performed using PHP's internal
`array_rand()`
function. This function does not generate sufficient entropy due to its usage
of `rand()` instead of more cryptographically secure methods such as
`openssl_pseudo_random_bytes()`. This could potentially lead to information
disclosure should an attacker be able to brute force the random number
generation. This release contains a patch that replaces the `array_rand()`
calls to use `Zend\Math\Rand::getInteger()`, which provides better RNG. -
**ZF2015-10**: `Zend\Crypt\PublicKey\Rsa\PublicKey` has a call to
`openssl_public_encrypt()` which used PHP's default `$padding` argument,
which
specifies `OPENSSL_PKCS1_PADDING`, indicating usage of PKCS1v1.5 padding.
This
padding has a known vulnerability, the [Bleichenbacher's
chosen-ciphertext
attack](http://crypto.stackexchange.com/questions/12688/can-you-explain-
bleichenbachers-cca-attack-on-pkcs1-v1-5), which can be used to recover an
RSA
private key. This release contains a patch that changes the padding argument
to use `OPENSSL_PKCS1_OAEP_PADDING`. Users upgrading to this version may
have
issues decrypting previously stored values, due to the change in padding. If
this occurs, you can pass the constant `OPENSSL_PKCS1_PADDING` to a new
`$padding` argument in `Zend\Crypt\PublicKey\Rsa::encrypt()` and `decrypt()`
(though typically this should only apply to the latter): ```php
$decrypted = $rsa->decrypt($data, $key, $mode, OPENSSL_PKCS1_PADDING); ```
where `$rsa` is an instance of `Zend\Crypt\PublicKey\Rsa`. (The `$key` and
`$mode` argument defaults are `null` and
`Zend\Crypt\PublicKey\Rsa::MODE_AUTO`, if you were not using them previously.)
We recommend re-encrypting any such values using the new defaults.
-------------------------------------------------------------------------------
-
References:

[ 1 ] Bug #1343990 - [epel7][security] php-ZendFramework2-2.4.10 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1343990
[ 2 ] Bug #1289318 - CVE-2015-7503 php-ZendFramework2: Usage of vulnerable
PKCS#1 v1.5 padding allows to recover RSA private key [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1289318
[ 3 ] Bug #1343995 - [f23][f22][security] php-ZendFramework2-2.4.10 is
available
https://bugzilla.redhat.com/show_bug.cgi?id=1343995
[ 4 ] Bug #1289317 - CVE-2015-7503 php-ZendFramework2: Usage of vulnerable
PKCS#1 v1.5 padding allows to recover RSA private key [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1289317
-------------------------------------------------------------------------------
-

This update can be installed with the "yum" update program. Use
su -c 'yum update php-zendframework-zendxml' at the command line.
For more information, refer to "Managing Software with yum",
available at https://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
-------------------------------------------------------------------------------
-
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://lists.fedoraproject.org/admin/lists/package-announce@lists.fedoraproject.org
Pro-Linux
Traut euch!
Neue Nachrichten
Werbung