Zend\Captcha\Word
generates a "word" for a CAPTCHA challenge
by selecting a sequence of random letters from a character set. Prior to this
vulnerability announcement, the selection was performed using PHP's internal
array_rand()
function. This function does not generate sufficient entropy
due to its usage of rand()
instead of more cryptographically secure methods
such as openssl_pseudo_random_bytes()
. This could potentially lead to
information disclosure should an attacker be able to brute force the random
number generation. This release contains a patch that replaces the
array_rand()
calls to use Zend\Math\Rand::getInteger()
, which provides
better RNG.Zend\Crypt\PublicKey\Rsa\PublicKey
has a call to openssl_public_encrypt()
which used PHP's default $padding
argument, which specifies
OPENSSL_PKCS1_PADDING
, indicating usage of PKCS1v1.5 padding. This padding
has a known vulnerability, the
Bleichenbacher's chosen-ciphertext attack,
which can be used to recover an RSA private key. This release contains a patch
that changes the padding argument to use OPENSSL_PKCS1_OAEP_PADDING
.Users upgrading to this version may have issues decrypting previously stored
values, due to the change in padding. If this occurs, you can pass the
constant OPENSSL_PKCS1_PADDING
to a new $padding
argument in
Zend\Crypt\PublicKey\Rsa::encrypt()
and decrypt()
(though typically this
should only apply to the latter):
php
$decrypted = $rsa->decrypt($data, $key, $mode, OPENSSL_PKCS1_PADDING);
where $rsa
is an instance of Zend\Crypt\PublicKey\Rsa
.
(The $key
and $mode
argument defaults are null
and
Zend\Crypt\PublicKey\Rsa::MODE_AUTO
, if you were not using them previously.)
We recommend re-encrypting any such values using the new defaults.
Please login to add feedback.
This update has been submitted for testing by siwinski.
This update has been pushed to testing.
This update has reached 14 days in testing and can be pushed to stable now if the maintainer wishes
This update has been submitted for stable by siwinski.
This update has been pushed to stable.