Debian DSA-3265-1 : zendframework - security update

critical Nessus Plugin ID 83748

Synopsis

The remote Debian host is missing a security-related update.

Description

Multiple vulnerabilities were discovered in Zend Framework, a PHP framework. Except for CVE-2015-3154, all these issues were already fixed in the version initially shipped with Jessie.

- CVE-2014-2681 Lukas Reschke reported a lack of protection against XML External Entity injection attacks in some functions. This fix extends the incomplete one from CVE-2012-5657.

- CVE-2014-2682 Lukas Reschke reported a failure to consider that the libxml_disable_entity_loader setting is shared among threads in the PHP-FPM case. This fix extends the incomplete one from CVE-2012-5657.

- CVE-2014-2683 Lukas Reschke reported a lack of protection against XML Entity Expansion attacks in some functions. This fix extends the incomplete one from CVE-2012-6532.

- CVE-2014-2684 Christian Mainka and Vladislav Mladenov from the Ruhr-University Bochum reported an error in the consumer's verify method that led to acceptance of wrongly sourced tokens.

- CVE-2014-2685 Christian Mainka and Vladislav Mladenov from the Ruhr-University Bochum reported a specification violation in which signing of a single parameter is incorrectly considered sufficient.

- CVE-2014-4914 Cassiano Dal Pizzol discovered that the implementation of the ORDER BY SQL statement in Zend_Db_Select contains a potential SQL injection when the query string passed contains parentheses.

- CVE-2014-8088 Yury Dyachenko at Positive Research Center identified potential XML eXternal Entity injection vectors due to insecure usage of PHP's DOM extension.

- CVE-2014-8089 Jonas Sandstrom discovered a SQL injection vector, using a null byte, when manually quoting a value for the sqlsrv extension.

- CVE-2015-3154 Filippo Tessarotto and Maks3w reported potential CRLF injection attacks in mail and HTTP headers.

Solution

Upgrade the zendframework packages.

For the oldstable distribution (wheezy), these problems have been fixed in version 1.11.13-1.1+deb7u1.

For the stable distribution (jessie), these problems have been fixed in version 1.12.9+dfsg-2+deb8u1.

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743175

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754201

https://security-tracker.debian.org/tracker/CVE-2015-3154

https://security-tracker.debian.org/tracker/CVE-2014-2681

https://security-tracker.debian.org/tracker/CVE-2012-5657

https://security-tracker.debian.org/tracker/CVE-2014-2682

https://security-tracker.debian.org/tracker/CVE-2014-2683

https://security-tracker.debian.org/tracker/CVE-2012-6532

https://security-tracker.debian.org/tracker/CVE-2014-2684

https://security-tracker.debian.org/tracker/CVE-2014-2685

https://security-tracker.debian.org/tracker/CVE-2014-4914

https://security-tracker.debian.org/tracker/CVE-2014-8088

https://security-tracker.debian.org/tracker/CVE-2014-8089

https://packages.debian.org/source/wheezy/zendframework

https://packages.debian.org/source/jessie/zendframework

https://www.debian.org/security/2015/dsa-3265

Plugin Details

Severity: Critical

ID: 83748

File Name: debian_DSA-3265.nasl

Version: 2.10

Type: local

Agent: unix

Published: 5/21/2015

Updated: 1/11/2021

Dependencies: ssh_get_info.nasl

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: E:U/RL:OF/RC:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:zendframework, cpe:/o:debian:debian_linux:7.0, cpe:/o:debian:debian_linux:8.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 5/20/2015

Reference Information

CVE: CVE-2014-2681, CVE-2014-2682, CVE-2014-2683, CVE-2014-2684, CVE-2014-2685, CVE-2014-4914, CVE-2014-8088, CVE-2014-8089, CVE-2015-3154

BID: 66358, 68031, 70011, 70378, 74561

DSA: 3265