Debian Bug report logs - #696483
zendframework: CVE-2012-5657

version graph

Package: zendframework; Maintainer for zendframework is Frank Habermann <lordlamer@lordlamer.de>; Source for zendframework is src:zendframework.

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Fri, 21 Dec 2012 11:57:03 UTC

Severity: grave

Tags: patch, security

Fixed in versions zendframework/1.11.13-1.1, zendframework/1.10.6-1squeeze2

Done: Frank Habermann <lordlamer@lordlamer.de>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Frank Habermann <lordlamer@lordlamer.de>:
Bug#696483; Package zendframework. (Fri, 21 Dec 2012 11:57:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Frank Habermann <lordlamer@lordlamer.de>. (Fri, 21 Dec 2012 11:57:06 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: zendframework: CVE-2012-5657
Date: Fri, 21 Dec 2012 12:52:34 +0100
Package: zendframework
Severity: grave
Tags: security
Justification: user security hole

This was assigned CVE-2012-5657:
http://framework.zend.com/security/advisory/ZF2012-05

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Frank Habermann <lordlamer@lordlamer.de>:
Bug#696483; Package zendframework. (Tue, 25 Dec 2012 16:39:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Luca Falavigna <dktrkranz@debian.org>:
Extra info received and forwarded to list. Copy sent to Frank Habermann <lordlamer@lordlamer.de>. (Tue, 25 Dec 2012 16:39:07 GMT) Full text and rfc822 format available.

Message #10 received at 696483@bugs.debian.org (full text, mbox):

From: Luca Falavigna <dktrkranz@debian.org>
To: 696483@bugs.debian.org
Subject: Fix for CVE-2012-5657
Date: Tue, 25 Dec 2012 17:37:06 +0100
[Message part 1 (text/plain, inline)]
Control: tags -1 path

Attached patch, taken from upstream SVN repository at
http://framework.zend.com/svn/framework/standard/branches/release-1.11/,
should fix this issue.
[1.11.13-1.1.debdiff (application/octet-stream, attachment)]

Added tag(s) patch. Request was from Luca Falavigna <dktrkranz@debian.org> to control@bugs.debian.org. (Tue, 25 Dec 2012 16:45:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Frank Habermann <lordlamer@lordlamer.de>:
Bug#696483; Package zendframework. (Fri, 28 Dec 2012 19:39:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Luca Falavigna <dktrkranz@debian.org>:
Extra info received and forwarded to list. Copy sent to Frank Habermann <lordlamer@lordlamer.de>. (Fri, 28 Dec 2012 19:39:03 GMT) Full text and rfc822 format available.

Message #17 received at 696483@bugs.debian.org (full text, mbox):

From: Luca Falavigna <dktrkranz@debian.org>
To: 696483@bugs.debian.org
Subject: Uploaded to DELAYED/7
Date: Fri, 28 Dec 2012 20:36:56 +0100
Control: tags -1 pending

I've uploaded a NMU with the patch above to DELAYED/7.



Added tag(s) pending. Request was from Luca Falavigna <dktrkranz@debian.org> to 696483-submit@bugs.debian.org. (Fri, 28 Dec 2012 19:39:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#696483; Package zendframework. (Sat, 29 Dec 2012 22:12:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Frank Habermann <lordlamer@lordlamer.de>:
Extra info received and forwarded to list. (Sat, 29 Dec 2012 22:12:05 GMT) Full text and rfc822 format available.

Message #24 received at 696483@bugs.debian.org (full text, mbox):

From: Frank Habermann <lordlamer@lordlamer.de>
To: Luca Falavigna <dktrkranz@debian.org>, 696483@bugs.debian.org
Subject: Re: Bug#696483: Uploaded to DELAYED/7
Date: Sat, 29 Dec 2012 23:01:01 +0100
Hi,

> I've uploaded a NMU with the patch above to DELAYED/7.
Thanks for your patch and the work and sorry for delayed answer.
Christmas holidays and family ;)
Now, i am sitting on a patch for stable/squeeze.

regards,
Frank



Reply sent to Luca Falavigna <dktrkranz@debian.org>:
You have taken responsibility. (Fri, 04 Jan 2013 21:00:11 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Fri, 04 Jan 2013 21:00:11 GMT) Full text and rfc822 format available.

Message #29 received at 696483-close@bugs.debian.org (full text, mbox):

From: Luca Falavigna <dktrkranz@debian.org>
To: 696483-close@bugs.debian.org
Subject: Bug#696483: fixed in zendframework 1.11.13-1.1
Date: Fri, 04 Jan 2013 20:49:47 +0000
Source: zendframework
Source-Version: 1.11.13-1.1

We believe that the bug you reported is fixed in the latest version of
zendframework, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 696483@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luca Falavigna <dktrkranz@debian.org> (supplier of updated zendframework package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 28 Dec 2012 20:24:22 +0100
Source: zendframework
Binary: zendframework zendframework-bin zendframework-resources
Architecture: source all
Version: 1.11.13-1.1
Distribution: unstable
Urgency: high
Maintainer: Frank Habermann <lordlamer@lordlamer.de>
Changed-By: Luca Falavigna <dktrkranz@debian.org>
Description: 
 zendframework - powerful PHP framework
 zendframework-bin - binary scripts for zendframework
 zendframework-resources - resource scripts for zendframework
Closes: 696483
Changes: 
 zendframework (1.11.13-1.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * debian/patches/02-ZF2012-05:
     - Fix for CVE-2012-5657: remove the XXE vector by calling
       libxml_disable_entity_loader() before attempting to parse the
       feed via DOMDocument::loadXML(). Patch taken from upstream SVN
       repository, revision 25159 (Closes: #696483).
Checksums-Sha1: 
 6387ccc3e689e4f74a3d13cce7c1da24b149ff08 1918 zendframework_1.11.13-1.1.dsc
 fe9277b415aa2013a522d33d039edb25799fef08 8005 zendframework_1.11.13-1.1.diff.gz
 898a141c201c9db3a54d2fa835abc9daced39840 3723204 zendframework_1.11.13-1.1_all.deb
 88ceff1e734099526a7bd94a1249565af5a13873 9994 zendframework-bin_1.11.13-1.1_all.deb
 649625b4b6fbb0d076b706e449fd5aa0198a43c3 37876 zendframework-resources_1.11.13-1.1_all.deb
Checksums-Sha256: 
 95cc9d8f8b863d8be123d18945d06cab7b936cfe5f0632428f529894b43b96f1 1918 zendframework_1.11.13-1.1.dsc
 fa01161c3f59173e613ba85ed4612752773ca867faeea795a10ac45dc9b05fe9 8005 zendframework_1.11.13-1.1.diff.gz
 c12285c7e968b70f72fe16adbd2f7d28fe7d8cb88afb0dd2663ff8dfa3743adf 3723204 zendframework_1.11.13-1.1_all.deb
 a4f1a4e408ded9bb81fd3d854d5d4bf136fcf96344754e370382b4ebda6d35ef 9994 zendframework-bin_1.11.13-1.1_all.deb
 192ecb62288190f3826c46457800c3a890ef21085ae9c4c05518bce2b7befa8a 37876 zendframework-resources_1.11.13-1.1_all.deb
Files: 
 5419a8339eec6fcb115afc6f2d7b2744 1918 web optional zendframework_1.11.13-1.1.dsc
 4206ee3b92d96f4d659cc5d14014892a 8005 web optional zendframework_1.11.13-1.1.diff.gz
 92dc06937233b05d42bbba37f1839e11 3723204 web optional zendframework_1.11.13-1.1_all.deb
 90f3c15a66e83015c7405bec8afef88b 9994 web optional zendframework-bin_1.11.13-1.1_all.deb
 dfd14a09e00d9906205c008208a6f5ab 37876 web optional zendframework-resources_1.11.13-1.1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJQ3fSvAAoJEEkIatPr4vMfAk0P/AnZ+UzviDqsCNjbnOpxHC7Z
W6C7U6Y18UEDqDpnf8pLs8pcamp7SDw4W1SvxZcClMiA1vOgo78lGqCWbZXsEcg6
lIBMB2jFgBOsWvuD+T2gyO6GSUmpkhwMKEqMKTRzVgCoPHnuoTqGx14yV2DvcmeK
UH7FAxP+wztMBTxi1OE+WBNVkSt17/wInA1r2eII8Ck6GwxcZ9gah6ulwVNzD1A6
BuLqzE3d7/q9YvPcQ9I2xnqHPzFWBmNtreBwpWVFvC6hF7Rq+tDwT5A65tjFYmXM
2WH78ScqCSrJ9y3Ve/vSbzNUhMpPM6QZQ/249xDm0g8sLeh/2m13UWbIJo3iekkX
WftQYwR6BIPFA7KOm65ivijrf1HOpyqDTTp7/D58nRKb96UQfy4HXLKn99654eeD
aMhk9JUXzrT2ZVLxS18707HzKoR/AezHVO+WwgxA+f0g0GKotN5q/6qNdTN+W94A
gLIez1dp7ZUrF0D0kvjNB7U8MHYjvORVog+CpzHvrp5EkyllAHwDAJ6MVJzV14ZQ
4SFOTaZW3snq3h4umSleMe/qGHULP9mZj5rAXD1r58mkxH+V8cyX2UreIFHgcnW3
Q0ufpdm1cpVrXH0TLvRXWRQkhcVLNTDCs5KnEchgZ0T4MK7R5h76fvNWViyDoQp3
563Km030B7E6O7WMwgmz
=iusZ
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#696483; Package zendframework. (Mon, 07 Jan 2013 20:24:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Frank Habermann <lordlamer@lordlamer.de>:
Extra info received and forwarded to list. (Mon, 07 Jan 2013 20:24:09 GMT) Full text and rfc822 format available.

Message #34 received at 696483@bugs.debian.org (full text, mbox):

From: Frank Habermann <lordlamer@lordlamer.de>
To: Luca Falavigna <dktrkranz@debian.org>, 696483@bugs.debian.org
Subject: Re: Bug#696483: Fix for CVE-2012-5657
Date: Mon, 7 Jan 2013 21:22:09 +0100
[Message part 1 (text/plain, inline)]
Hi,

i have prepared a package for squeeze:
http://debian.lordlamer.de/zendframework/1.10.6squeeze1/zendframework_1.10.6-1squeeze2.dsc

I also tested it and fixes the problem.

I will contact security team now.

regards,
Frank
[signature.asc (application/pgp-signature, inline)]

Reply sent to Frank Habermann <lordlamer@lordlamer.de>:
You have taken responsibility. (Tue, 08 Jan 2013 23:06:06 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Tue, 08 Jan 2013 23:06:06 GMT) Full text and rfc822 format available.

Message #39 received at 696483-close@bugs.debian.org (full text, mbox):

From: Frank Habermann <lordlamer@lordlamer.de>
To: 696483-close@bugs.debian.org
Subject: Bug#696483: fixed in zendframework 1.10.6-1squeeze2
Date: Tue, 08 Jan 2013 23:02:04 +0000
Source: zendframework
Source-Version: 1.10.6-1squeeze2

We believe that the bug you reported is fixed in the latest version of
zendframework, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 696483@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Frank Habermann <lordlamer@lordlamer.de> (supplier of updated zendframework package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 7 Jan 2013 20:52:00 +0200
Source: zendframework
Binary: zendframework zendframework-bin
Architecture: source all
Version: 1.10.6-1squeeze2
Distribution: squeeze-security
Urgency: high
Maintainer: Frank Habermann <lordlamer@lordlamer.de>
Changed-By: Frank Habermann <lordlamer@lordlamer.de>
Description: 
 zendframework - powerful PHP framework
 zendframework-bin - binary scripts for zendframework
Closes: 696483
Changes: 
 zendframework (1.10.6-1squeeze2) squeeze-security; urgency=high
 .
   * Fix for CVE-2012-5657: remove the XXE vector by calling
     libxml_disable_entity_loader() before attempting to parse the
     feed via DOMDocument::loadXML() (Closes: #696483).
Checksums-Sha1: 
 09234307c972f5f337a7ebdb9d72cf7d8ad984d9 1411 zendframework_1.10.6-1squeeze2.dsc
 feb258fe87a3916135ff51a29b90dbcb5a024c4a 6158 zendframework_1.10.6-1squeeze2.diff.gz
 1bd1be2e64d8ccb868bd1ccc944128adf4854f4d 3591838 zendframework_1.10.6-1squeeze2_all.deb
 803e190d8d39a08588c63d95465f2227e69fe713 9404 zendframework-bin_1.10.6-1squeeze2_all.deb
Checksums-Sha256: 
 962b9dd71e0fc975af49d2c832495645c3406d2a3fd699b3ea13f4baf7c55965 1411 zendframework_1.10.6-1squeeze2.dsc
 df9949860966dd09bcb1a2735139fa5808366bbbbc4f72c6ab9d46a734750b8a 6158 zendframework_1.10.6-1squeeze2.diff.gz
 adee482bf97618566f031c30dfadabb55513e385d3347a1a0ed2251f13d6257b 3591838 zendframework_1.10.6-1squeeze2_all.deb
 74017cd2ffe721b096e88c7b8919d353b8b10c2a69710c79f4b30f6d28eb8c0d 9404 zendframework-bin_1.10.6-1squeeze2_all.deb
Files: 
 4a99cde76467b5ae4bc1a3e699454b60 1411 web optional zendframework_1.10.6-1squeeze2.dsc
 64ac7a0e20dc9e5be0b6dea96f6a92e9 6158 web optional zendframework_1.10.6-1squeeze2.diff.gz
 7a48bb70ce4aefa0e59fb6d8b98e61ef 3591838 web optional zendframework_1.10.6-1squeeze2_all.deb
 5a9c6bbc371ad6a408f029fb152d6982 9404 web optional zendframework-bin_1.10.6-1squeeze2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJQ679oAAoJEL97/wQC1SS+1jgH/j0zT7K/5DMssZZoj0aaRTiJ
gXcRunCrZB+qT56Km9JZ8VCjsiafhPO/2mfMrbBXsGHfBKvX/kMobFbNPjh2Cvrf
w1XLuhMPOHTyOt/MGXWurtNqQqWdokwJ8GmMDPAmEgjmSB4j6HlOYni1NDInRizw
OUXSHqueFaqX7FuKrSPyhm6mjUfATWdY8bbEJf0eWIjnICb8TRvR3fVe8PnxK89q
5i4G+alsy5XggFYKe1xwrLlHt3e1BoRvUZJn/ATN2Flvd7GphQzH4/OwpiyHFmYT
bGkUwJVFAc94tNVcsk/tV1T3DhUTFtHH8Zm3dLw6+TEXgQL1zNfJ/g0Cqp9N/lM=
=12Ip
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Feb 2013 07:29:55 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 19:16:28 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.