stable

php-ZendFramework2-2.4.10-1.fc23 and php-zendframework-zendxml-1.0.2-2.fc23

FEDORA-2016-8952105d59 created by siwinski 8 years ago for Fedora 23

2.4.10 (2016-05-09)

  • Fix HeaderValue throwing an exception on legal characters

2.4.9 (2015-11-23)

SECURITY UPDATES

  • ZF2015-09: Zend\Captcha\Word generates the "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. Before this advisory, the selection used PHP's array_rand() function, which is backed by rand() rather than a cryptographically secure source such as openssl_random_pseudo_bytes() and therefore does not provide sufficient entropy. An attacker who can brute-force or reconstruct the generator's state could predict the challenge word, defeating the CAPTCHA. This release replaces the array_rand() calls with Zend\Math\Rand::getInteger(), which draws from a cryptographically secure RNG.
  • ZF2015-10: Zend\Crypt\PublicKey\Rsa\PublicKey called openssl_public_encrypt() with PHP's default $padding argument, OPENSSL_PKCS1_PADDING, i.e. PKCS#1 v1.5 padding. This padding is subject to Bleichenbacher's adaptive chosen-ciphertext attack: given any oracle that reveals whether a submitted ciphertext decrypts to correctly padded data, an attacker can decrypt ciphertexts of their choice (performing the private-key operation without ever learning the key). This release changes the padding argument to OPENSSL_PKCS1_OAEP_PADDING.
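The two selection methods from ZF2015-09 side by side, as an added example in plain PHP (not code from the ZF2 changelog or from Zend\Captcha\Word itself). The alphabet and word length are constructed for the demo, and random_int() stands in for Zend\Math\Rand::getInteger(); the seed-reproduction demo needs PHP 7.1 or later, where array_rand() draws from the Mersenne Twister state that mt_srand() seeds:

```php
<?php
// Added example: predictable vs. CSPRNG-backed CAPTCHA word selection.
// Not the framework's code; random_int() (PHP >= 7.0) plays the role of
// Zend\Math\Rand::getInteger() from the ZF2015-09 fix.
declare(strict_types=1);

// Constructed demo alphabet (ambiguous glyphs such as 0/O and 1/l omitted).
const DEMO_ALPHABET = 'abcdefghjkmnpqrstuvwxyz23456789';

/** Pre-2.4.9 style: array_rand() over the character set. */
function legacyWord(int $length, string $alphabet = DEMO_ALPHABET): string
{
    $chars = str_split($alphabet);
    $word  = '';
    for ($i = 0; $i < $length; $i++) {
        // array_rand() is backed by a non-cryptographic generator (Mersenne
        // Twister on PHP 7.1+, libc rand() before that): its output is a
        // deterministic function of a small seed that can be brute-forced or
        // reconstructed from observed challenges.
        $word .= $chars[array_rand($chars)];
    }
    return $word;
}

/** Post-2.4.9 style: each index comes from a CSPRNG, uniformly in range. */
function secureWord(int $length, string $alphabet = DEMO_ALPHABET): string
{
    $max  = strlen($alphabet) - 1;
    $word = '';
    for ($i = 0; $i < $length; $i++) {
        // random_int() draws from the OS CSPRNG and returns a uniform value in
        // [0, $max] without modulo bias; the framework's Rand::getInteger()
        // does the same job on top of openssl_random_pseudo_bytes().
        $word .= $alphabet[random_int(0, $max)];
    }
    return $word;
}

// Demo: once the generator state is known (a fixed seed here stands in for a
// seed an attacker has recovered), every legacy CAPTCHA word is reproducible.
mt_srand(12345);
$first = legacyWord(6);
mt_srand(12345);
$second = legacyWord(6);
if ($first !== $second) {
    throw new RuntimeException('legacy generator unexpectedly non-deterministic');
}
echo "legacy word under a known seed, reproduced on demand: {$first}\n";

// The CSPRNG path is unaffected by mt_srand(); the two draws are independent.
mt_srand(12345);
$a = secureWord(6);
mt_srand(12345);
$b = secureWord(6);
echo "secure words under the same seed: {$a} {$b}\n";
```

The point of the demo is not the fixed seed itself but what it stands for: with a non-cryptographic generator, anyone who learns the state (by seed brute force, or by reconstructing it from enough observed challenges) learns every future word, so the CAPTCHA stops proving anything.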

Values encrypted by an earlier version were padded with PKCS#1 v1.5 and will fail to decrypt under the new OAEP default. If this occurs, you can pass the constant OPENSSL_PKCS1_PADDING to the new $padding argument of Zend\Crypt\PublicKey\Rsa::encrypt() and decrypt() (in practice only decrypt() should need it; new values should be encrypted with the OAEP default):

    $decrypted = $rsa->decrypt($data, $key, $mode, OPENSSL_PKCS1_PADDING);

where $rsa is an instance of Zend\Crypt\PublicKey\Rsa.

(If you were not passing $key and $mode before, use their defaults: null and Zend\Crypt\PublicKey\Rsa::MODE_AUTO respectively.)

We recommend decrypting any such stored values once and re-encrypting them using the new defaults, so the PKCS#1 v1.5 path can be retired.
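The padding change and the migration path above, as an added example in plain PHP (not code from ZendFramework or from this update). It calls the same openssl_* functions that Zend\Crypt\PublicKey\Rsa wraps, so the legacy and OAEP behaviour is the same as in the framework; the throwaway key pair, the function names and the "session secret" plaintext are constructed for the demo:

```php
<?php
// Added example: plain-PHP equivalent of the ZF2015-10 fix, plus a one-off
// migration helper for values that were encrypted before 2.4.9.
// Not the framework's code; requires ext/openssl.
declare(strict_types=1);

// Constructed throwaway 2048-bit key pair for the demo (use your stored keys
// in practice).
$keyResource = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
if ($keyResource === false || !openssl_pkey_export($keyResource, $privatePem)) {
    throw new RuntimeException('key generation failed: ' . openssl_error_string());
}
$publicPem = openssl_pkey_get_details($keyResource)['key'];

/**
 * Pre-2.4.9 behaviour: the padding argument is omitted, so PHP's default
 * OPENSSL_PKCS1_PADDING (PKCS#1 v1.5) applies. Kept here only to produce
 * "legacy" ciphertext for the migration demo; do not use it for new data.
 */
function encryptLegacyPkcs1(string $plain, string $publicPem): string
{
    if (!openssl_public_encrypt($plain, $cipher, $publicPem)) {
        throw new RuntimeException('openssl_public_encrypt failed: ' . openssl_error_string());
    }
    return $cipher;
}

/** Post-2.4.9 behaviour: OAEP padding requested explicitly. */
function encryptOaep(string $plain, string $publicPem): string
{
    if (!openssl_public_encrypt($plain, $cipher, $publicPem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('openssl_public_encrypt failed: ' . openssl_error_string());
    }
    return $cipher;
}

/** Returns the plaintext, or null if the ciphertext is not valid OAEP. */
function decryptOaep(string $cipher, string $privatePem): ?string
{
    return openssl_private_decrypt($cipher, $plain, $privatePem, OPENSSL_PKCS1_OAEP_PADDING)
        ? $plain
        : null;
}

/**
 * One-off migration: try OAEP first and only then fall back to PKCS#1 v1.5,
 * returning the value re-encrypted under OAEP so the caller can overwrite
 * the stored ciphertext. Run this as a batch job over your own stored data,
 * never in a request handler: a service that decrypts attacker-supplied
 * ciphertext with v1.5 padding and reveals success or failure is exactly the
 * oracle Bleichenbacher's attack needs.
 */
function migrateToOaep(string $cipher, string $privatePem, string $publicPem): array
{
    $plain = decryptOaep($cipher, $privatePem);
    if ($plain !== null) {
        return ['plain' => $plain, 'cipher' => $cipher, 'migrated' => false];
    }
    if (!openssl_private_decrypt($cipher, $plain, $privatePem, OPENSSL_PKCS1_PADDING)) {
        throw new RuntimeException('ciphertext decrypts under neither OAEP nor PKCS#1 v1.5');
    }
    return ['plain' => $plain, 'cipher' => encryptOaep($plain, $publicPem), 'migrated' => true];
}

// Demo run: a legacy value is rejected by the OAEP decrypt, recovered by the
// migration helper, and readable under OAEP afterwards.
$secret = 'session secret';
$legacy = encryptLegacyPkcs1($secret, $publicPem);
if (decryptOaep($legacy, $privatePem) !== null) {
    throw new RuntimeException('OAEP decrypt unexpectedly accepted v1.5 ciphertext');
}
$result = migrateToOaep($legacy, $privatePem, $publicPem);
if (!$result['migrated'] || decryptOaep($result['cipher'], $privatePem) !== $secret) {
    throw new RuntimeException('migration did not round-trip');
}
echo "migrated to OAEP; re-encrypted length: " . strlen($result['cipher']) . " bytes\n";
```

Two caveats when adapting this. First, keep the v1.5 fallback confined to the migration job and delete it once the stored values are re-encrypted, for the oracle reason given in the comment. Second, OpenSSL 3.2 and later apply "implicit rejection" to PKCS#1 v1.5 decryption, so a malformed ciphertext may yield random bytes instead of a false return; if your stored values can be corrupt, validate the decrypted plaintext's expected format rather than trusting the boolean alone.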

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2016-8952105d59

Update history (all events 8 years ago):

  • This update has been submitted for testing by siwinski.
  • This update has been pushed to testing.
  • This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes.
  • This update has been submitted for stable by siwinski.
  • This update has been pushed to stable.


Metadata

  Type: security
  Karma: 0
  Signed
  Content Type: RPM
  Test Gating

  Settings
    Unstable by Karma: -3
    Stable by Karma: 3
    Stable by Time: disabled

  Dates
    submitted: 8 years ago
    in testing: 8 years ago
    in stable: 8 years ago
Bugs

  • BZ#1289317 CVE-2015-7503 php-ZendFramework2: Usage of vulnerable PKCS#1 v1.5 padding allows to recover RSA private key [fedora-all]
  • BZ#1289318 CVE-2015-7503 php-ZendFramework2: Usage of vulnerable PKCS#1 v1.5 padding allows to recover RSA private key [epel-all]
  • BZ#1343990 [epel7][security] php-ZendFramework2-2.4.10 is available
  • BZ#1343995 [f23][f22][security] php-ZendFramework2-2.4.10 is available
