Login
Newsletter
Werbung

Sicherheit: Zwei Probleme in php-zendframework-zend-diactoros
Aktuelle Meldungen Distributionen
Name: Zwei Probleme in php-zendframework-zend-diactoros
ID: FEDORA-2018-dbb0d41078
Distribution: Fedora
Plattformen: Fedora 27
Datum: Di, 14. August 2018, 23:45
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14773
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14774
Applikationen: php-zendframework-zend-diactoros

Originalnachricht

-------------------------------------------------------------------------------
-
Fedora Update Notification
FEDORA-2018-dbb0d41078
2018-08-14 20:15:54.627619
-------------------------------------------------------------------------------
-

Name : php-zendframework-zend-diactoros
Product : Fedora 27
Version : 1.8.4
Release : 1.fc27
URL : https://zendframework.github.io/zend-diactoros/
Summary : PSR HTTP Message implementations
Description :
A PHP package containing implementations of the accepted PSR-7 HTTP message
interfaces [1], as well as a "server" implementation similar to
node's
http.Server [2].

Documentation: https://zendframework.github.io/zend-diactoros/

Autoloader: /usr/share/php/Zend/Diactoros/autoload.php

[1] http://www.php-fig.org/psr/psr-7/
[2] http://nodejs.org/api/http.html

-------------------------------------------------------------------------------
-
Update Information:

## 1.8.4 - 2018-08-01 ### Added - Nothing. ### Changed - This release
modifies how `ServerRequestFactory` marshals the request URI. In prior
releases, we would attempt to inspect the `X-Rewrite-Url` and
`X-Original-Url`
headers, using their values, if present. These headers are issued by the
ISAPI_Rewrite module for IIS (developed by HeliconTech). However, we have no
way of guaranteeing that the module is what issued the headers, making it an
unreliable source for discovering the URI. As such, we have removed this
feature in this release of Diactoros. If you are developing a middleware
application, you can mimic the functionality via middleware as follows: ```
use Psr\Http\Message\ResponseInterface; use
Psr\Http\Message\ServerRequestInterface; use
Psr\Http\Server\RequestHandlerInterface; use Zend\Diactoros\Uri; public
function process(ServerRequestInterface $request, RequestHandlerInterface
$handler) : ResponseInterface { $requestUri = null;
$httpXRewriteUrl = $request->getHeaderLine('X-Rewrite-Url');
if
($httpXRewriteUrl !== null) { $requestUri = $httpXRewriteUrl; }
$httpXOriginalUrl = $request->getHeaderLine('X-Original-Url');
if
($httpXOriginalUrl !== null) { $requestUri = $httpXOriginalUrl;
} if ($requestUri !== null) { $request =
$request->withUri(new
Uri($requestUri)); } return $handler->handle($request); } ```
If you use middleware such as the above, make sure you also instruct your web
server to strip any incoming headers of the same name so that you can
guarantee they are issued by the ISAPI_Rewrite module. ### Deprecated -
Nothing. ### Removed - Nothing. ### Fixed - Nothing. ## 1.8.3 - 2018-07-24
### Added - Nothing. ### Changed - Nothing. ### Deprecated - Nothing. ###
Removed - Nothing. ### Fixed - [#321](https://github.com/zendframework/zend-
diactoros/pull/321) updates the logic in `Uri::withPort()` to ensure that it
checks that the value provided is either an integer or a string integer, as
only those values may be cast to integer without data loss. -
[#320](https://github.com/zendframework/zend-diactoros/pull/320) adds checking
within `Response` to ensure that the provided reason phrase is a string; an
`InvalidArgumentException` is now raised if it is not. This change ensures
the
class adheres strictly to the PSR-7 specification. -
[#319](https://github.com/zendframework/zend-diactoros/pull/319) provides a fix
to `Zend\Diactoros\Response` that ensures that the status code returned is
_always_ an integer (and never a string containing an integer), thus ensuring
it strictly adheres to the PSR-7 specification. ## 1.8.2 - 2018-07-19 ###
Added - Nothing. ### Changed - Nothing. ### Deprecated - Nothing. ###
Removed - Nothing. ### Fixed - [#318](https://github.com/zendframework/zend-
diactoros/pull/318) fixes the logic for discovering whether an HTTPS scheme is
in play to be case insensitive when comparing header and SAPI values,
ensuring
no false negative lookups occur. - [#314](https://github.com/zendframework
/zend-diactoros/pull/314) modifies error handling around opening a file
resource
within `Zend\Diactoros\Stream::setStream()` to no longer use the second
argument to `set_error_handler()`, and instead check the error type in the
handler itself; this fixes an issue when the handler is nested inside another
error handler, which currently has buggy behavior within the PHP engine. ##
1.8.1 - 2018-07-09 ### Added - Nothing. ### Changed -
[#313](https://github.com/zendframework/zend-diactoros/pull/313) changes the
reason phrase associated with the status code 425 to "Too Early",
corresponding to a new definition of the code as specified by the IANA. ###
Deprecated - Nothing. ### Removed - Nothing. ### Fixed -
[#312](https://github.com/zendframework/zend-diactoros/pull/312) fixes how the
`normalizeUploadedFiles()` utility function handles nested trees of uploaded
files, ensuring it detects them properly. ## 1.8.0 - 2018-06-27 ### Added -
[#307](https://github.com/zendframework/zend-diactoros/pull/307) adds the
following functions under the `Zend\Diactoros` namespace, each of which may
be
used to derive artifacts from SAPI supergloabls for the purposes of
generating
a `ServerRequest` instance: - `normalizeServer(array $server, callable
$apacheRequestHeaderCallback = null) : array` (main purpose is to aggregate
the `Authorization` header in the SAPI params when under Apache) -
`marshalProtocolVersionFromSapi(array $server) : string` -
`marshalMethodFromSapi(array $server) : string` - `marshalUriFromSapi(array
$server, array $headers) : Uri` - `marshalHeadersFromSapi(array $server) :
array` - `parseCookieHeader(string $header) : array` -
`createUploadedFile(array $spec) : UploadedFile` (creates the instance from
a normal `$_FILES` entry) - `normalizeUploadedFiles(array $files) :
UploadedFileInterface[]` (traverses a potentially nested array of uploaded
file instances and/or `$_FILES` entries, including those aggregated under
mod_php, php-fpm, and php-cgi in order to create a flat array of
`UploadedFileInterface` instances to use in a request) ### Changed -
Nothing. ### Deprecated - [#307](https://github.com/zendframework/zend-
diactoros/pull/307) deprecates `ServerRequestFactory::normalizeServer()`; the
method is no longer used internally, and users should instead use
`Zend\Diactoros\normalizeServer()`, to which it proxies. -
[#307](https://github.com/zendframework/zend-diactoros/pull/307) deprecates
`ServerRequestFactory::marshalHeaders()`; the method is no longer used
internally, and users should instead use
`Zend\Diactoros\marshalHeadersFromSapi()`, to which it proxies. -
[#307](https://github.com/zendframework/zend-diactoros/pull/307) deprecates
`ServerRequestFactory::marshalUriFromServer()`; the method is no longer used
internally. Users should use `marshalUriFromSapi()` instead. -
[#307](https://github.com/zendframework/zend-diactoros/pull/307) deprecates
`ServerRequestFactory::marshalRequestUri()`. the method is no longer used
internally, and currently proxies to `marshalUriFromSapi()`, pulling the
discovered path from the `Uri` instance returned by that function. Users
should use `marshalUriFromSapi()` instead. -
[#307](https://github.com/zendframework/zend-diactoros/pull/307) deprecates
`ServerRequestFactory::marshalHostAndPortFromHeaders()`; the method is no
longer used internally, and currently proxies to `marshalUriFromSapi()`,
pulling the discovered host and port from the `Uri` instance returned by that
function. Users should use `marshalUriFromSapi()` instead. -
[#307](https://github.com/zendframework/zend-diactoros/pull/307) deprecates
`ServerRequestFactory::getHeader()`; the method is no longer used internally.
Users should copy and paste the functionality into their own applications if
needed, or rely on headers from a fully-populated `Uri` instance instead. -
[#307](https://github.com/zendframework/zend-diactoros/pull/307) deprecates
`ServerRequestFactory::stripQueryString()`; the method is no longer used
internally, and users can mimic the functionality via the expression `$path =
explode('?', $path, 2)[0];`. - [#307](https://github.com/zendframework/zend-
diactoros/pull/307) deprecates `ServerRequestFactory::normalizeFiles()`; the
functionality is no longer used internally, and users can use
`normalizeUploadedFiles()` as a replacement. -
[#303](https://github.com/zendframework/zend-diactoros/pull/303) deprecates
`Zend\Diactoros\Response\EmitterInterface` and its various implementations.
These are now provided via the [zendframework/zend-
httphandlerrunner](https://docs.zendframework.com/zend-httphandlerrunner)
package as 1:1 substitutions. - [#303](https://github.com/zendframework/zend-
diactoros/pull/303) deprecates the `Zend\Diactoros\Server` class. Users are
directed to the `RequestHandlerRunner` class from the [zendframework/zend-
httphandlerrunner](https://docs.zendframework.com/zend-httphandlerrunner)
package as an alternative. ### Removed - Nothing. ### Fixed - Nothing.
-------------------------------------------------------------------------------
-
ChangeLog:

* Thu Aug 2 2018 Shawn Iwinski <shawn.iwinski@gmail.com> - 1.8.4-1
- Update to 1.8.4 (RHBZ #1504401 / ZF2018-01 / CVE-2018-14773 / CVE-2018-14774)
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> -
1.7.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Wed May 30 2018 Remi Collet <remi@remirepo.net> - 1.7.2-1
- update to 1.7.2
* Fri Mar 30 2018 Remi Collet <remi@remirepo.net> - 1.7.1-1
- update to 1.7.1
- use range dependencies on F27+
* Fri Feb 9 2018 Fedora Release Engineering <releng@fedoraproject.org> -
1.7.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Fri Jan 5 2018 Remi Collet <remi@remirepo.net> - 1.7.0-1
- Update to 1.7.0
* Tue Dec 5 2017 Remi Collet <remi@remirepo.net> - 1.6.1-2
- switch to classmap autoloader for consistency
- provide php-autoloader(zendframework/zend-diactoros)
* Thu Nov 2 2017 Remi Collet <remi@remirepo.net> - 1.6.1-1
- Update to 1.6.1
- use phpunit6 on F26+
* Sun Oct 8 2017 Shawn Iwinski <shawn.iwinski@gmail.com> - 1.6.0-1
- Updated to 1.6.0 (RHBZ #1491486)
-------------------------------------------------------------------------------
-
References:

[ 1 ] Bug #1504401 - php-zendframework-zend-diactoros-1.8.4 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1504401
-------------------------------------------------------------------------------
-

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2018-dbb0d41078' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
-------------------------------------------------------------------------------
-
_______________________________________________
package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2Q5NN4YKQFE3WLFLIS7AJTOJ6E5FNTRH/
Pro-Linux
Traut euch!
Neue Nachrichten
Werbung