Mageia alert MGASA-2014-0434 (php-ZendFramework)

From:
    	     
 
Mageia Updates <buildsystem-daemon@mageia.org> 
To:
    	     
 
updates-announce@ml.mageia.org 
Subject:
    	     
 
[updates-announce] MGASA-2014-0434: Updated php-ZendFramework packages fix security vulnerabilities 
Date:
    	     
 
Wed, 29 Oct 2014 12:31:01 +0100
Message-ID:
    	     
 
<20141029113101.5D78E5D442@valstar.mageia.org>
MGASA-2014-0434 - Updated php-ZendFramework packages fix security vulnerabilities

Publication date: 29 Oct 2014
URL: http://advisories.mageia.org/MGASA-2014-0434.html
Type: security
Affected Mageia releases: 3, 4
CVE: CVE-2014-8088,
     CVE-2014-8089

Description:
Due to a bug in PHP's LDAP extension, when ZendFramework's Zend_ldap class is
used for logins, an attacker can login as any user by using a null byte to
bypass the empty password check and perform an unauthenticated LDAP bind
(CVE-2014-8088).

The sqlsrv PHP extension, which provides the ability to connect to Microsoft
SQL Server from PHP, does not provide a built-in quoting mechanism for
manually quoting values to pass via SQL queries; developers are encouraged to
use prepared statements. Zend Framework provides quoting mechanisms via
Zend_Db_Adapter_Sqlsrv which uses the recommended "double single quote" ('')
as quoting delimiters. SQL Server treats null bytes in a query as a string
terminator, allowing an attacker to add arbitrary SQL following a null byte,
and thus create a SQL injection (CVE-2014-8089).

References:
- https://bugs.mageia.org/show_bug.cgi?id=14253
- http://framework.zend.com/security/advisory/ZF2014-05
- http://framework.zend.com/security/advisory/ZF2014-06
- http://framework.zend.com/blog/zend-framework-1-12-9-2-2-...
- https://lists.fedoraproject.org/pipermail/package-announc...
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8088
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8089

SRPMS:
- 4/core/php-ZendFramework-1.12.9-1.mga4
- 3/core/php-ZendFramework-1.12.9-1.mga3