[SECURITY] Fedora 20 Update: php-ZendFramework2-2.3.3-2.fc20

updates at fedoraproject.org updates at fedoraproject.org
Tue Oct 28 06:44:46 UTC 2014


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2014-13302
2014-10-20 09:01:42
--------------------------------------------------------------------------------

Name        : php-ZendFramework2
Product     : Fedora 20
Version     : 2.3.3
Release     : 2.fc20
URL         : http://framework.zend.com
Summary     : Zend Framework 2
Description :
Zend Framework 2 is an open source framework for developing web applications
and services using PHP 5.3+. Zend Framework 2 uses 100% object-oriented code
and utilizes most of the new features of PHP 5.3, namely namespaces, late
static binding, lambda functions and closures.

Zend Framework 2 evolved from Zend Framework 1, a successful PHP framework
with over 15 million downloads.

Note: This meta package installs all base Zend Framework component packages
(Authentication, Barcode, Cache, Captcha, Code, Config, Console, Crypt, Db,
Debug, Di, Dom, Escaper, EventManager, Feed, File, Filter, Form, Http, I18n,
InputFilter, Json, Ldap, Loader, Log, Mail, Math, Memory, Mime, ModuleManager,
Mvc, Navigation, Paginator, Permissions-Acl, Permissions-Rbac, ProgressBar,
Serializer, Server, ServiceManager, Session, Soap, Stdlib, Tag, Test, Text,
Uri, Validator, Version, View, XmlRpc) except the optional Cache-apc and
Cache-memcached packages.

--------------------------------------------------------------------------------
Update Information:

Security release

* ZF2014-05, which mititages null byte poisoning of the password provided for LDAP authentication, thus prevening unauthorized LDAP binding. This corrects for unpatched versions of PHP (versions 5.5.11 and below, 5.4.27 and below, and any prior releases).
* ZF2014-06, which mitigates null byte poisoning of quoted SQL values provided to the sqlsrv extension, thus preventing a potential SQL injection vector.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Oct 17 2014 Shawn Iwinski <shawn.iwinski at gmail.com> - 2.3.3-2
- Drop php-gmp dependency from Math component (BZ #1152440)
- Fix tests' autoloader
* Fri Oct 10 2014 Remi Collet <remi at fedoraproject.org> - 2.3.3-1
- Update to 2.3.3
- fix SQL injection with SqlSrv ZF2014-05 CVE-2014-8088 #1151276
- fix null byte issue on Ldap connect ZF2014-06 CVE-2014-8089 #1151277
* Wed Aug 20 2014 Remi Collet <remi at fedoraproject.org> - 2.3.2-1
- Update to 2.3.2
- tests from github
- run test suite during build
* Sun Jul 20 2014 Remi Collet <remi at fedoraproject.org> - 2.3.1-3
- composer dependencies
- add missing license
* Sat Jun  7 2014 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 2.3.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Tue May 20 2014 Shawn Iwinski <shawn.iwinski at gmail.com> - 2.3.1-1
- Updated to 2.3.1
* Sun May 18 2014 Shawn Iwinski <shawn.iwinski at gmail.com> - 2.2.7-1
- Updated to 2.2.7 (security update for ZF2014-03)
* Tue Apr  1 2014 Remi Collet <remi at fedoraproject.org> - 2.2.6-1
- Updated to 2.2.6 for CVE-2014-2681 CVE-2014-2682
  CVE-2014-2683 CVE-2014-2684 CVE-2014-2685
- new package ZendXml
- fix for unversioned doc directory
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1151276 - CVE-2014-8088 php-ZendFramework: null byte issue, connect to LDAP without knowing the password (ZF2014-05)
        https://bugzilla.redhat.com/show_bug.cgi?id=1151276
  [ 2 ] Bug #1151277 - CVE-2014-8089 php-ZendFramework: SQL injection issue when using the sqlsrv PHP extension (ZF2014-06)
        https://bugzilla.redhat.com/show_bug.cgi?id=1151277
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use
su -c 'yum update php-ZendFramework2' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


More information about the package-announce mailing list