2.4.10 (2016-05-09)

  • Fix HeaderValue throwing an exception on legal characters

2.4.9 (2015-11-23)

SECURITY UPDATES

  • ZF2015-09: Zend\Captcha\Word generates a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. Prior to this vulnerability announcement, the selection was performed using PHP's internal array_rand() function. This function does not generate sufficient entropy due to its usage of rand() instead of more cryptographically secure methods such as openssl_pseudo_random_bytes(). This could potentially lead to information disclosure should an attacker be able to brute force the random number generation. This release contains a patch that replaces the array_rand() calls to use Zend\Math\Rand::getInteger(), which provides better RNG.
  • ZF2015-10: Zend\Crypt\PublicKey\Rsa\PublicKey has a call to openssl_public_encrypt() which used PHP's default $padding argument, which specifies OPENSSL_PKCS1_PADDING, indicating usage of PKCS1v1.5 padding. This padding has a known vulnerability, the Bleichenbacher's chosen-ciphertext attack, which can be used to recover an RSA private key. This release contains a patch that changes the padding argument to use OPENSSL_PKCS1_OAEP_PADDING.

Users upgrading to this version may have issues decrypting previously stored values, due to the change in padding. If this occurs, you can pass the constant OPENSSL_PKCS1_PADDING to a new $padding argument in Zend\Crypt\PublicKey\Rsa::encrypt() and decrypt() (though typically this should only apply to the latter):

php $decrypted = $rsa->decrypt($data, $key, $mode, OPENSSL_PKCS1_PADDING);

where $rsa is an instance of Zend\Crypt\PublicKey\Rsa.

(The $key and $mode argument defaults are null and Zend\Crypt\PublicKey\Rsa::MODE_AUTO, if you were not using them previously.)

We recommend re-encrypting any such values using the new defaults.

How to install

sudo dnf upgrade --advisory=FEDORA-2016-03c0ed3127

This update has been submitted for testing by siwinski.

5 years ago

This update has been pushed to testing.

5 years ago

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes

5 years ago

This update has been submitted for stable by siwinski.

5 years ago

This update has been pushed to stable.

5 years ago

Please login to add feedback.

Metadata
Type
security
Karma
0
Signed
Content Type
RPM
Test Gating
Settings
Unstable by Karma
-3
Stable by Karma
3
Stable by Time
disabled
Dates
submitted
5 years ago
in testing
5 years ago
in stable
5 years ago
BZ#1289317 CVE-2015-7503 php-ZendFramework2: Usage of vulnerable PKCS#1 v1.5 padding allows to recover RSA private key [fedora-all]
0
0
BZ#1289318 CVE-2015-7503 php-ZendFramework2: Usage of vulnerable PKCS#1 v1.5 padding allows to recover RSA private key [epel-all]
0
0
BZ#1343990 [epel7][security] php-ZendFramework2-2.4.10 is available
0
0
BZ#1343995 [f23][f22][security] php-ZendFramework2-2.4.10 is available
0
0

Automated Test Results