Security: Information disclosure in php-zendframework-zendxml

| Name | Information disclosure in php-zendframework-zendxml |
| --- | --- |
| ID | FEDORA-2016-03c0ed3127 |
| Distribution | Fedora |
| Platforms | Fedora 22 |
| Date | Wed, 22 June 2016, 08:07 |
| References | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7503 |
| Applications | php-zendframework-zendxml |
Original message

Name : php-zendframework-zendxml
Product : Fedora 22
Version : 1.0.2
Release : 2.fc22
URL : http://framework.zend.com/
Summary : Zend Framework ZendXml component
Description : A utility component for XML usage and best practices in PHP.
-------------------------------------------------------------------------------
Update Information:

## 2.4.10 (2016-05-09)

- Fix HeaderValue throwing an exception on legal characters

## 2.4.9 (2015-11-23)

### SECURITY UPDATES

- **ZF2015-09**: `Zend\Captcha\Word` generates a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. Prior to this vulnerability announcement, the selection was performed using PHP's internal `array_rand()` function. This function does not generate sufficient entropy due to its usage of `rand()` instead of more cryptographically secure methods such as `openssl_pseudo_random_bytes()`. This could potentially lead to information disclosure should an attacker be able to brute force the random number generation. This release contains a patch that replaces the `array_rand()` calls to use `Zend\Math\Rand::getInteger()`, which provides better RNG.
- **ZF2015-10**: `Zend\Crypt\PublicKey\Rsa\PublicKey` has a call to `openssl_public_encrypt()` which used PHP's default `$padding` argument, which specifies `OPENSSL_PKCS1_PADDING`, indicating usage of PKCS1v1.5 padding. This padding has a known vulnerability, the [Bleichenbacher's chosen-ciphertext attack](http://crypto.stackexchange.com/questions/12688/can-you-explain-bleichenbachers-cca-attack-on-pkcs1-v1-5), which can be used to recover an RSA private key. This release contains a patch that changes the padding argument to use `OPENSSL_PKCS1_OAEP_PADDING`. Users upgrading to this version may have issues decrypting previously stored values, due to the change in padding. If this occurs, you can pass the constant `OPENSSL_PKCS1_PADDING` to a new `$padding` argument in `Zend\Crypt\PublicKey\Rsa::encrypt()` and `decrypt()` (though typically this should only apply to the latter):

  ```php
  $decrypted = $rsa->decrypt($data, $key, $mode, OPENSSL_PKCS1_PADDING);
  ```

  where `$rsa` is an instance of `Zend\Crypt\PublicKey\Rsa`. (The `$key` and `$mode` argument defaults are `null` and `Zend\Crypt\PublicKey\Rsa::MODE_AUTO`, if you were not using them previously.)

  We recommend re-encrypting any such values using the new defaults.
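The following is an added example, not Zend Framework or Fedora code: it uses PHP's own `openssl_*` functions to show the weak default padding beside the OAEP setting the 2.4.9 patch adopts, and a one-time migration that reads a value stored under the old padding and re-encrypts it under the new default, as the advisory recommends. The key pair, the sample plaintext and the helper names are constructed for the demonstration.

```php
<?php
// Added example (not Zend Framework code). Throwaway RSA key pair, generated at runtime.
declare(strict_types=1);

$pkey = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
openssl_pkey_export($pkey, $privatePem);
$publicPem = openssl_pkey_get_details($pkey)['key'];

// Weak: omitting $padding makes openssl_public_encrypt() use OPENSSL_PKCS1_PADDING
// (PKCS#1 v1.5), which is what Zend\Crypt\PublicKey\Rsa did before 2.4.9 (ZF2015-10).
function encryptLegacy(string $plaintext, string $publicPem): string {
    openssl_public_encrypt($plaintext, $ct, $publicPem); // default padding: PKCS#1 v1.5
    return $ct;
}

// Fixed: pass OPENSSL_PKCS1_OAEP_PADDING explicitly, as the 2.4.9 patch does.
function encryptOaep(string $plaintext, string $publicPem): string {
    if (!openssl_public_encrypt($plaintext, $ct, $publicPem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('encrypt failed: ' . openssl_error_string());
    }
    return $ct;
}

// Decrypt under a caller-chosen padding; null on failure rather than a silently wrong value.
function decryptWith(string $ciphertext, string $privatePem, int $padding): ?string {
    return openssl_private_decrypt($ciphertext, $pt, $privatePem, $padding) ? $pt : null;
}

// Migration: a value stored under the old default will not decrypt with OAEP. Fall back to
// PKCS#1 v1.5 for that single read, then re-encrypt under the new default.
function migrateStoredValue(string $stored, string $privatePem, string $publicPem): array {
    $pt = decryptWith($stored, $privatePem, OPENSSL_PKCS1_OAEP_PADDING);
    if ($pt !== null) {
        return ['plaintext' => $pt, 'ciphertext' => $stored, 'migrated' => false];
    }
    $pt = decryptWith($stored, $privatePem, OPENSSL_PKCS1_PADDING);
    if ($pt === null) {
        throw new RuntimeException('value decrypts under neither padding');
    }
    return ['plaintext' => $pt, 'ciphertext' => encryptOaep($pt, $publicPem), 'migrated' => true];
}

$legacy = encryptLegacy('session secret', $publicPem); // constructed sample stored value
$result = migrateStoredValue($legacy, $privatePem, $publicPem);
assert($result['plaintext'] === 'session secret' && $result['migrated'] === true);
assert(decryptWith($result['ciphertext'], $privatePem, OPENSSL_PKCS1_OAEP_PADDING) === 'session secret');
```

Run the migration as an offline batch over stored data and drop the PKCS#1 v1.5 fallback afterwards: a request path that accepts attacker-supplied ciphertexts and falls back to v1.5 decryption is exactly the oracle the advisory describes.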
-------------------------------------------------------------------------------
References:

[ 1 ] Bug #1343990 - [epel7][security] php-ZendFramework2-2.4.10 is available
      https://bugzilla.redhat.com/show_bug.cgi?id=1343990
[ 2 ] Bug #1289318 - CVE-2015-7503 php-ZendFramework2: Usage of vulnerable PKCS#1 v1.5 padding allows to recover RSA private key [epel-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1289318
[ 3 ] Bug #1343995 - [f23][f22][security] php-ZendFramework2-2.4.10 is available
      https://bugzilla.redhat.com/show_bug.cgi?id=1343995
[ 4 ] Bug #1289317 - CVE-2015-7503 php-ZendFramework2: Usage of vulnerable PKCS#1 v1.5 padding allows to recover RSA private key [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1289317
-------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use

    su -c 'yum update php-zendframework-zendxml'

at the command line. For more information, refer to "Managing Software with yum", available at https://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys
-------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://lists.fedoraproject.org/admin/lists/package-announce@lists.fedoraproject.org