[SECURITY] Fedora 19 Update: php-ZendFramework2-2.2.8-2.fc19

Mon Nov 10 06:49:24 UTC 2014

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2014-14043
2014-11-01 00:30:00
--------------------------------------------------------------------------------

Name        : php-ZendFramework2
Product     : Fedora 19
Version     : 2.2.8
Release     : 2.fc19
URL         : http://framework.zend.com
Summary     : Zend Framework 2
Description :
Zend Framework 2 is an open source framework for developing web applications
and services using PHP 5.3+. Zend Framework 2 uses 100% object-oriented code
and utilizes most of the new features of PHP 5.3, namely namespaces, late
static binding, lambda functions and closures.

Zend Framework 2 evolved from Zend Framework 1, a successful PHP framework
with over 15 million downloads.

Note: This meta package installs all base Zend Framework component packages
(Authentication, Barcode, Cache, Captcha, Code, Config, Console, Crypt, Db,
Debug, Di, Dom, Escaper, EventManager, Feed, File, Filter, Form, Http, I18n,
InputFilter, Json, Ldap, Loader, Log, Mail, Math, Memory, Mime, ModuleManager,
Mvc, Navigation, Paginator, Permissions-Acl, Permissions-Rbac, ProgressBar,
Serializer, Server, ServiceManager, Session, Soap, Stdlib, Tag, Test, Text,
Uri, Validator, Version, View, XmlRpc) except the optional Cache-apc and
Cache-memcached packages.

--------------------------------------------------------------------------------
Update Information:

# Security Fixes

- **ZF2014-05**: Due to an issue that existed in PHP's LDAP extension, it is possible to perform an unauthenticated simple bind against a LDAP server by using a null byte for the password, regardless of whether or not the user normally requires a password. We have provided a patch in order to protect users of unpatched PHP versions (PHP 5.5 <= 5.5.11, PHP 5.4 <= 5.4.27, all versions of PHP 5.3 and below). If you use Zend\Ldap and are on an affected version of PHP, we recommend upgrading immediately.
- **ZF2014-06**: A potential SQL injection vector existed when using a SQL Server adapter to manually quote values due to the fact that it was not escaping null bytes. Code was added to ensure null bytes are escaped, and thus mitigate the SQLi vector. We do not recommend manually quoting values, but if you do, and use the SQL Server adapter without PDO, we recommend upgrading immediately.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1151276 - CVE-2014-8088 php-ZendFramework: null byte issue, connect to LDAP without knowing the password (ZF2014-05)
        https://bugzilla.redhat.com/show_bug.cgi?id=1151276
  [ 2 ] Bug #1151277 - CVE-2014-8089 php-ZendFramework: SQL injection issue when using the sqlsrv PHP extension (ZF2014-06)
        https://bugzilla.redhat.com/show_bug.cgi?id=1151277
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use
su -c 'yum update php-ZendFramework2' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------