Login
Newsletter
Werbung

Sicherheit: Preisgabe von Informationen in php-ZendFramework2
Aktuelle Meldungen Distributionen
Name: Preisgabe von Informationen in php-ZendFramework2
ID: FEDORA-2016-8952105d59
Distribution: Fedora
Plattformen: Fedora 23
Datum: Mi, 22. Juni 2016, 08:12
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7503
Applikationen: Zend Framework

Originalnachricht

Name        : php-ZendFramework2
Product : Fedora 23
Version : 2.4.10
Release : 1.fc23
URL : http://framework.zend.com
Summary : Zend Framework 2
Description :
Zend Framework 2 is an open source framework for developing web applications
and services using PHP 5.3+. Zend Framework 2 uses 100% object-oriented code
and utilizes most of the new features of PHP 5.3, namely namespaces, late
static binding, lambda functions and closures.

Zend Framework 2 evolved from Zend Framework 1, a successful PHP framework
with over 15 million downloads.

Note: This meta package installs all base Zend Framework component packages
(Authentication, Barcode, Cache, Captcha, Code, Config, Console, Crypt, Db,
Debug, Di, Dom, Escaper, EventManager, Feed, File, Filter, Form, Http, I18n,
InputFilter, Json, Ldap, Loader, Log, Mail, Math, Memory, Mime, ModuleManager,
Mvc, Navigation, Paginator, Permissions-Acl, Permissions-Rbac, ProgressBar,
Serializer, Server, ServiceManager, Session, Soap, Stdlib, Tag, Test, Text,
Uri, Validator, Version, View, XmlRpc) except the optional Cache-apc and
Cache-memcached packages.

-------------------------------------------------------------------------------
-
Update Information:

## 2.4.10 (2016-05-09) - Fix HeaderValue throwing an exception on legal
characters ## 2.4.9 (2015-11-23) ### SECURITY UPDATES - **ZF2015-09**:
`Zend\Captcha\Word` generates a "word" for a CAPTCHA challenge by
selecting a
sequence of random letters from a character set. Prior to this vulnerability
announcement, the selection was performed using PHP's internal
`array_rand()`
function. This function does not generate sufficient entropy due to its usage
of `rand()` instead of more cryptographically secure methods such as
`openssl_pseudo_random_bytes()`. This could potentially lead to information
disclosure should an attacker be able to brute force the random number
generation. This release contains a patch that replaces the `array_rand()`
calls to use `Zend\Math\Rand::getInteger()`, which provides better RNG. -
**ZF2015-10**: `Zend\Crypt\PublicKey\Rsa\PublicKey` has a call to
`openssl_public_encrypt()` which used PHP's default `$padding` argument,
which
specifies `OPENSSL_PKCS1_PADDING`, indicating usage of PKCS1v1.5 padding.
This
padding has a known vulnerability, the [Bleichenbacher's
chosen-ciphertext
attack](http://crypto.stackexchange.com/questions/12688/can-you-explain-
bleichenbachers-cca-attack-on-pkcs1-v1-5), which can be used to recover an
RSA
private key. This release contains a patch that changes the padding argument
to use `OPENSSL_PKCS1_OAEP_PADDING`. Users upgrading to this version may
have
issues decrypting previously stored values, due to the change in padding. If
this occurs, you can pass the constant `OPENSSL_PKCS1_PADDING` to a new
`$padding` argument in `Zend\Crypt\PublicKey\Rsa::encrypt()` and `decrypt()`
(though typically this should only apply to the latter): ```php
$decrypted = $rsa->decrypt($data, $key, $mode, OPENSSL_PKCS1_PADDING); ```
where `$rsa` is an instance of `Zend\Crypt\PublicKey\Rsa`. (The `$key` and
`$mode` argument defaults are `null` and
`Zend\Crypt\PublicKey\Rsa::MODE_AUTO`, if you were not using them previously.)
We recommend re-encrypting any such values using the new defaults.
-------------------------------------------------------------------------------
-
References:

[ 1 ] Bug #1343990 - [epel7][security] php-ZendFramework2-2.4.10 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1343990
[ 2 ] Bug #1289318 - CVE-2015-7503 php-ZendFramework2: Usage of vulnerable
PKCS#1 v1.5 padding allows to recover RSA private key [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1289318
[ 3 ] Bug #1343995 - [f23][f22][security] php-ZendFramework2-2.4.10 is
available
https://bugzilla.redhat.com/show_bug.cgi?id=1343995
[ 4 ] Bug #1289317 - CVE-2015-7503 php-ZendFramework2: Usage of vulnerable
PKCS#1 v1.5 padding allows to recover RSA private key [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1289317
-------------------------------------------------------------------------------
-

This update can be installed with the "yum" update program. Use
su -c 'yum update php-ZendFramework2' at the command line.
For more information, refer to "Managing Software with yum",
available at https://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
-------------------------------------------------------------------------------
-
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://lists.fedoraproject.org/admin/lists/package-announce@lists.fedoraproject.org
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten
Werbung