See http://weierophinney.net/matthew/archives/206-Zend-Framework-1.7.5-Released-Important-Note-Regarding-Zend_View.html

"A user filed an issue report showing a potential Local File Inclusion vulnerability in Zend_View's setScriptPath() method: if user input were used to specify the script path, then it was possible to trigger the LFI. The vulnerability was completely contrived; no sane developer should ever configure the view script paths using user input. However, it pointed out another very real LFI attack vector."

Please bump to 1.7.5
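As an added illustration (not Zend Framework's own code and not the upstream fix), the kind of check that closes the path-traversal side of the issue described above: a script name that may be influenced by a request is only accepted if it resolves to a file inside one of the configured script paths. The function name and the sample paths are assumed.

```php
<?php
// Added example, not Zend_View code. Confine a view script lookup to the
// configured script paths so a traversal sequence in $name cannot reach a
// file outside them.
function resolveViewScript(array $scriptPaths, $name)
{
    // Cheap syntactic rejects first: empty names, absolute paths, NUL bytes
    // (which truncate paths in C-level calls) and any ".." component.
    if ($name === '' || $name[0] === '/' || $name[0] === '\\'
        || strpos($name, "\0") !== false || strpos($name, '..') !== false) {
        return null;
    }

    foreach ($scriptPaths as $base) {
        $baseReal = realpath($base);
        if ($baseReal === false) {
            continue; // configured path does not exist, skip it
        }
        $candidate = realpath($baseReal . DIRECTORY_SEPARATOR . $name);
        if ($candidate === false || !is_file($candidate)) {
            continue;
        }
        // realpath() has canonicalised symlinks and "." / ".." segments, so a
        // prefix comparison on the result is what actually proves the file
        // sits under the base. The trailing separator keeps "/views2" from
        // matching a base of "/views".
        $prefix = $baseReal . DIRECTORY_SEPARATOR;
        if (strncmp($candidate, $prefix, strlen($prefix)) === 0) {
            return $candidate;
        }
    }
    return null; // nothing matched inside any configured script path
}

// Usage with a constructed layout under the system temp directory.
$base = sys_get_temp_dir() . '/views_' . uniqid();
mkdir($base . '/user', 0700, true);
file_put_contents($base . '/user/index.phtml', '<p>constructed view</p>');

var_dump(resolveViewScript(array($base), 'user/index.phtml'));
var_dump(resolveViewScript(array($base), '../outside.phtml'));
var_dump(resolveViewScript(array($base), '/etc/hostname'));
```

Only the first call returns a path; the other two are rejected before any include could happen.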
I'm away from my devbox the next week or so. But please feel free to bump and stabilize as needed.
(In reply to comment #1)
> I'm away from my devbox the next week or so.
> But please feel free to bump and stabilize as needed.
> Thanks.

Added 1.7.5 (already stable for ppc), please mark as stable:
=dev-php5/ZendFramework-1.7.5
ppc64 done
Stable for HPPA.
x86 stable
amd64 stable, all arches done.
As noted in the blog post, this vulnerability should be a non-issue with the updated version. If they turn off the default protection, they're responsible for the damage. However, for rating and voting I would call this C4: a form of information disclosure might be possible via directory traversal. tobi or security in general - if you disagree with the rating, please adjust and reopen. For C4 it's no GLSA by default, so we're done and I will close this bug.