Mandriva Linux Security Advisory : php-ZendFramework (MDVSA-2013:115)

This script is Copyright (C) 2013-2016 Tenable Network Security, Inc.
Synopsis :

The remote Mandriva Linux host is missing one or more security
updates.

Description :

Updated php-ZendFramework packages fix security vulnerabilities :

Zend_Dom, Zend_Feed, Zend_Soap, and Zend_XmlRpc in Zend Framework
before 1.11.13 and 1.12.0 are vulnerable to XML Entity Expansion (XEE),
leading to denial of service. XEE attacks occur when the XML DOCTYPE
declaration defines entities that reference each other in nested or
recursive chains (the "billion laughs" pattern); expanding those
references consumes CPU and memory out of all proportion to the size
of the input, making a denial-of-service exploit trivial to implement
(ZF2012-02).

Zend Framework versions prior to 1.11.15 and 1.12.1 contain an XML
External Entity (XXE) flaw that can be exploited to disclose sensitive
information. The Zend_Feed_Rss and Zend_Feed_Atom classes of the
Zend_Feed component expand external entity references while processing
XML data, so specially crafted XML containing an external entity
declaration can disclose the contents of local files readable by the
web server process (CVE-2012-5657, ZF2012-05).
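
Both issues above share a root cause: the parser is allowed to act on a DOCTYPE in attacker-supplied XML. The following PHP is an added example, not code from Zend Framework or from this advisory. It shows a loader that rejects DOCTYPE and ENTITY declarations outright and keeps entity substitution and external entity loading switched off, run against three constructed inputs: a benign feed, an entity-expansion payload of the ZF2012-02 kind, and an external-entity payload of the ZF2012-05 kind. The class name, function name, sample payloads and the file path in the XXE sample are all assumptions made for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not Zend Framework code: a loader for untrusted XML that
// rejects DOCTYPE/ENTITY declarations, which both ZF2012-02 (entity
// expansion) and ZF2012-05 (external entity file read) depend on.

final class XmlLoadError extends RuntimeException {}

/**
 * Parse untrusted XML into a DOMDocument without expanding internal or
 * external entities. Throws XmlLoadError on anything suspicious.
 */
function loadUntrustedXml(string $xml): DOMDocument
{
    // A feed, SOAP or XML-RPC payload has no legitimate reason to carry a
    // DOCTYPE, so reject one before the parser ever sees it.
    if (preg_match('/<!(?:DOCTYPE|ENTITY)\b/i', $xml) === 1) {
        throw new XmlLoadError('DOCTYPE/ENTITY declaration rejected');
    }

    // Before PHP 8.0 external entity loading must be switched off explicitly.
    // PHP 8 bundles libxml >= 2.9, where it is off by default and this call
    // is deprecated, so only make it on older runtimes.
    $previousLoader = null;
    if (PHP_VERSION_ID < 80000) {
        $previousLoader = libxml_disable_entity_loader(true);
    }
    $previousErrors = libxml_use_internal_errors(true);

    try {
        $dom = new DOMDocument();
        // LIBXML_NONET blocks network fetches during parsing; deliberately no
        // LIBXML_NOENT and no LIBXML_DTDLOAD, so entities are never substituted.
        if ($dom->loadXML($xml, LIBXML_NONET) === false) {
            $err = libxml_get_last_error();
            throw new XmlLoadError('XML parse failure: ' . ($err ? trim($err->message) : 'unknown'));
        }
        // Second check on the parsed tree: the regex cannot see through an
        // encoding such as UTF-16, but the DOM still exposes a DOCTYPE node.
        foreach ($dom->childNodes as $child) {
            if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {
                throw new XmlLoadError('DOCTYPE node rejected after parse');
            }
        }
        return $dom;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previousErrors);
        if ($previousLoader !== null) {
            libxml_disable_entity_loader($previousLoader);
        }
    }
}

// Constructed sample inputs (assumptions, not captured traffic).
$benign = <<<'XML'
<?xml version="1.0"?>
<rss version="2.0"><channel><title>Security updates</title></channel></rss>
XML;

// Nested entity chain: each level multiplies the expanded size tenfold.
$xee = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE rss [
  <!ENTITY a "aaaaaaaaaa">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
]>
<rss version="2.0"><channel><title>&c;</title></channel></rss>
XML;

// External entity pointing at a local file (path is an assumption).
$xxe = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE rss [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<rss version="2.0"><channel><title>&xxe;</title></channel></rss>
XML;

foreach (['benign' => $benign, 'xee' => $xee, 'xxe' => $xxe] as $name => $payload) {
    try {
        $dom   = loadUntrustedXml($payload);
        $title = $dom->getElementsByTagName('title')->item(0)->textContent;
        printf("%-6s accepted, title=%s\n", $name, $title);
    } catch (XmlLoadError $e) {
        printf("%-6s rejected: %s\n", $name, $e->getMessage());
    }
}
```

Run with `php loader.php`: the benign feed is accepted and both crafted payloads are rejected at the pre-check. The pre-check is what makes the DoS case safe in practice, since rejecting on the raw string costs nothing, while the post-parse DOCTYPE check and the disabled entity loader are the fallbacks for inputs the regex cannot inspect.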

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 4.3
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

Family: Mandriva Local Security Checks

Nessus Plugin ID: 66127

Bugtraq ID: 56982

CVE ID: CVE-2012-5657
