Debian Bug report logs - #679215
CVE-2012-3363: Local file disclosure via XXE injection

version graph

Package: zendframework; Maintainer for zendframework is Frank Habermann <lordlamer@lordlamer.de>; Source for zendframework is src:zendframework.

Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>

Date: Wed, 27 Jun 2012 08:54:02 UTC

Severity: grave

Tags: security

Fixed in versions zendframework/1.10.6-1squeeze1, zendframework/1.11.12-1

Done: Frank Habermann <lordlamer@lordlamer.de>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Frank Habermann <lordlamer@lordlamer.de>:
Bug#679215; Package zendframework. (Wed, 27 Jun 2012 08:54:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Frank Habermann <lordlamer@lordlamer.de>. (Wed, 27 Jun 2012 08:54:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <muehlenhoff@univention.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2012-3363: Local file disclosure via XXE injection
Date: Wed, 27 Jun 2012 10:52:11 +0200
Package: zendframework
Severity: grave
Tags: security

Please see 

http://framework.zend.com/security/advisory/ZF2012-01
https://www.sec-consult.com/files/20120626-0_zend_framework_xxe_injection.txt

Cheers,
        Moritz




Reply sent to Frank Habermann <lordlamer@lordlamer.de>:
You have taken responsibility. (Sat, 30 Jun 2012 09:50:01 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Sat, 30 Jun 2012 09:50:04 GMT) Full text and rfc822 format available.

Message #10 received at 679215-close@bugs.debian.org (full text, mbox):

From: Frank Habermann <lordlamer@lordlamer.de>
To: 679215-close@bugs.debian.org
Subject: Bug#679215: fixed in zendframework 1.10.6-1squeeze1
Date: Sat, 30 Jun 2012 09:48:47 +0000
Source: zendframework
Source-Version: 1.10.6-1squeeze1

We believe that the bug you reported is fixed in the latest version of
zendframework, which is due to be installed in the Debian FTP archive:

zendframework-bin_1.10.6-1squeeze1_all.deb
  to main/z/zendframework/zendframework-bin_1.10.6-1squeeze1_all.deb
zendframework_1.10.6-1squeeze1.diff.gz
  to main/z/zendframework/zendframework_1.10.6-1squeeze1.diff.gz
zendframework_1.10.6-1squeeze1.dsc
  to main/z/zendframework/zendframework_1.10.6-1squeeze1.dsc
zendframework_1.10.6-1squeeze1_all.deb
  to main/z/zendframework/zendframework_1.10.6-1squeeze1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 679215@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Frank Habermann <lordlamer@lordlamer.de> (supplier of updated zendframework package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 28 Jun 2012 21:42:00 +0200
Source: zendframework
Binary: zendframework zendframework-bin
Architecture: source all
Version: 1.10.6-1squeeze1
Distribution: squeeze-security
Urgency: high
Maintainer: Frank Habermann <lordlamer@lordlamer.de>
Changed-By: Frank Habermann <lordlamer@lordlamer.de>
Description: 
 zendframework - powerful PHP framework
 zendframework-bin - binary scripts for zendframework
Closes: 679215
Changes: 
 zendframework (1.10.6-1squeeze1) squeeze-security; urgency=high
 .
   * fixes Local file disclosure via XXE injection (Closes: #679215)
Checksums-Sha1: 
 67ee9deb96f50b83b09236e7e9452bc2d86cec3a 1411 zendframework_1.10.6-1squeeze1.dsc
 f0b219611c598310174a498c382e029e115adc4b 3593662 zendframework_1.10.6.orig.tar.gz
 478edd3ee11accfcb3705c5873e7a35b4cad0834 4752 zendframework_1.10.6-1squeeze1.diff.gz
 47297adf232b3a209cc57e8e5efb38e8b4dd2991 3590744 zendframework_1.10.6-1squeeze1_all.deb
 de769bae5717fd62cabcaf2a59f0331b91ee23a1 9240 zendframework-bin_1.10.6-1squeeze1_all.deb
Checksums-Sha256: 
 ad60eee4163e3fbc991c081ef6143f156a5dc97e931b4b69696cc8a902a8e5e4 1411 zendframework_1.10.6-1squeeze1.dsc
 c24cb6f1695141e5a683b5f25b2bfc08b7c333e52332acd67eb7b07e41793444 3593662 zendframework_1.10.6.orig.tar.gz
 22ba607a7fdd27cae20a328bdf494c33291efd2a289a28dd6ae5335b165b8cc4 4752 zendframework_1.10.6-1squeeze1.diff.gz
 cc41c7abae477a97b45da0a3a545bd0fb69cb5c94b6a5263ba10c1abd04797a1 3590744 zendframework_1.10.6-1squeeze1_all.deb
 db16cf342926f6cc44177542b1f15e96d0fb64948a58ca15c1dd6c1b02bf162a 9240 zendframework-bin_1.10.6-1squeeze1_all.deb
Files: 
 fc3fa1892d2ca9418db2730a4cbfcd1b 1411 web optional zendframework_1.10.6-1squeeze1.dsc
 20fe9a215d22821f49aa81609d9967be 3593662 web optional zendframework_1.10.6.orig.tar.gz
 95ee7f695e5b10bc5f2ba12c642e4dc1 4752 web optional zendframework_1.10.6-1squeeze1.diff.gz
 7814e9fdf429d623dcd81b94af08bb61 3590744 web optional zendframework_1.10.6-1squeeze1_all.deb
 de453159b0d00e39d70dfb1b1c9bca28 9240 web optional zendframework-bin_1.10.6-1squeeze1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJP7eexAAoJEL97/wQC1SS+5P8IAIguIDnDXDlHVd3iiSXc4ZP1
E0iI3kYXDOB1HG5n5enaFPS/Z5b3Xl5p67vrpn6TdGuFhcQdsep9QT7o0x9FU753
9Hj0eazY3Vq8RtZqOG5nnop5xLk2/fihCLKMAmSF/GUWg2DxIsg3a50XQ8FlKML+
Oi+3IXLaN0V95f6351HuR4g184rP1dRtQToTuncPZ9mzchMKlXefzFdQySUdkNxE
QDzkTaPOFrNecpvlKKq5qJC84b7YA5+kXLMy7Lc4t/e4sj2LvPm45ZAYxkCFDDHo
ioXqWD7Cv7+39KRqqAA5dLySabdAuYRxSJ5lek3/DMiYb8CMZeun4p/vEHa3VLQ=
=fEo+
-----END PGP SIGNATURE-----





Reply sent to Frank Habermann <lordlamer@lordlamer.de>:
You have taken responsibility. (Tue, 03 Jul 2012 23:27:23 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Tue, 03 Jul 2012 23:27:23 GMT) Full text and rfc822 format available.

Message #15 received at 679215-close@bugs.debian.org (full text, mbox):

From: Frank Habermann <lordlamer@lordlamer.de>
To: 679215-close@bugs.debian.org
Subject: Bug#679215: fixed in zendframework 1.11.12-1
Date: Tue, 03 Jul 2012 23:17:57 +0000
Source: zendframework
Source-Version: 1.11.12-1

We believe that the bug you reported is fixed in the latest version of
zendframework, which is due to be installed in the Debian FTP archive:

zendframework-bin_1.11.12-1_all.deb
  to main/z/zendframework/zendframework-bin_1.11.12-1_all.deb
zendframework-resources_1.11.12-1_all.deb
  to main/z/zendframework/zendframework-resources_1.11.12-1_all.deb
zendframework_1.11.12-1.diff.gz
  to main/z/zendframework/zendframework_1.11.12-1.diff.gz
zendframework_1.11.12-1.dsc
  to main/z/zendframework/zendframework_1.11.12-1.dsc
zendframework_1.11.12-1_all.deb
  to main/z/zendframework/zendframework_1.11.12-1_all.deb
zendframework_1.11.12.orig.tar.gz
  to main/z/zendframework/zendframework_1.11.12.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 679215@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Frank Habermann <lordlamer@lordlamer.de> (supplier of updated zendframework package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 27 Jun 2012 21:36:00 +0200
Source: zendframework
Binary: zendframework zendframework-bin zendframework-resources
Architecture: source all
Version: 1.11.12-1
Distribution: unstable
Urgency: high
Maintainer: Frank Habermann <lordlamer@lordlamer.de>
Changed-By: Frank Habermann <lordlamer@lordlamer.de>
Description: 
 zendframework - powerful PHP framework
 zendframework-bin - binary scripts for zendframework
 zendframework-resources - resource scripts for zendframework
Closes: 679215
Changes: 
 zendframework (1.11.12-1) unstable; urgency=high
 .
   * new upstream release
     - fixes Local file disclosure via XXE injection (Closes: #679215)
   * changed Standards-Version to 3.9.3
   * added DM-Upload-Allowed to control
Checksums-Sha1: 
 b76247ecb7701cb0087582e1b026962cfa442fff 1270 zendframework_1.11.12-1.dsc
 04c922c16be8acda31cbd3baa8d4f46157bcabcb 20224300 zendframework_1.11.12.orig.tar.gz
 6004c8924945be0474b4a7500797d55d1b50c927 4762 zendframework_1.11.12-1.diff.gz
 c2bf55558bd7255266b69a617b20612d05be06f6 3728994 zendframework_1.11.12-1_all.deb
 ec48029f8e87115718690c4e9f43737e911049ac 9682 zendframework-bin_1.11.12-1_all.deb
 07de559fbb81b617e7fc6adb90203f1c6e16e858 38234 zendframework-resources_1.11.12-1_all.deb
Checksums-Sha256: 
 47e584a5ffa7eb1c2ae7743b522955642ebd165bc1a04d8ccf7b5861c9e46bdb 1270 zendframework_1.11.12-1.dsc
 389c1093f257e3a780170d8a4fa02ada980d6d81a62908bb3e78c74118e43bad 20224300 zendframework_1.11.12.orig.tar.gz
 87aeab3a8e67e56c9f12b0273ddf788f6705e77efdfa53a4eb0f6c6281cc952c 4762 zendframework_1.11.12-1.diff.gz
 cd46a4054667656277fe7004ff8c89442f5fa6c18a130f3318160349acd4e42a 3728994 zendframework_1.11.12-1_all.deb
 5b31d16cc2b082c85699e75de8520f6ad78f9bba8282f82542abab09c51cc5f4 9682 zendframework-bin_1.11.12-1_all.deb
 e3533d836fd55f65f552d5a4f116442b908dd30c791dd6ded9d1f9407d5b6e57 38234 zendframework-resources_1.11.12-1_all.deb
Files: 
 edc90442b04b6129d1fdf1404d5f83db 1270 web optional zendframework_1.11.12-1.dsc
 78b426b30d75723fd54300c49f341077 20224300 web optional zendframework_1.11.12.orig.tar.gz
 6592eab1f6cbe963b64284ec7ba69c2b 4762 web optional zendframework_1.11.12-1.diff.gz
 c0de76563d8f688441a8e4a0b2d585aa 3728994 web optional zendframework_1.11.12-1_all.deb
 7e30835af14030d3e9508335b166a3bd 9682 web optional zendframework-bin_1.11.12-1_all.deb
 67fa9d1baaa9329326011c678849d580 38234 web optional zendframework-resources_1.11.12-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk/ze5sACgkQ+C5cwEsrK55AGACg4Wzevl4bRija/PmKG3xDKx0S
fRoAoIxmTx+qBDTU0z7aP30ju/uUcp3E
=IrDX
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 30 Sep 2012 07:26:32 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 02:37:33 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.