From ${URL} :

The sqlsrv PHP extension, which provides the ability to connect to Microsoft SQL Server from PHP, does not provide a built-in quoting mechanism for manually quoting values to pass via SQL queries; developers are encouraged to use prepared statements. Zend Framework provides quoting mechanisms via Zend Framework 1's Zend_Db_Adapter_Sqlsrv and Zend Framework 2's Zend\Db\Adapter\Platform\SqlServer classes; these traditionally use the recommended "double single quote" ('') as quoting delimiters.

SQL Server treats null bytes in a query as a string terminator, allowing an attacker to add arbitrary SQL following a null byte, and thus create a SQL injection.

Developers using the relevant PDO_Sqlsrv adapter in any version of Zend Framework are not vulnerable to this attack, as PDO provides a native quoting mechanism that prevents the attack vector.

Action Taken

When quoting values for SQL Server, we now pass them to PHP's addcslashes function to sanitize and properly quote null bytes:

    $value = addcslashes($value, "\000\032");

This action quotes null bytes, preventing SQL injection vectors.

The following releases contain the fixes:

    Zend Framework 1.12.9
    Zend Framework 2.2.8
    Zend Framework 2.3.3

If you are using an affected version of PHP, and utilizing the sqlsrv PHP extension within Zend Framework, we highly recommend upgrading immediately.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
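To make the quoting change in the advisory concrete, here is an added illustration (not Zend Framework's own quoteValue code, which is longer): a simplified "double the single quotes" quoting routine as it behaved before the fix, next to one that first applies the advisory's addcslashes($value, "\000\032") call, plus a check a reviewer or test suite can run over the produced literal. The function names, the containsRawNul helper and the sample input are constructed for this example.

```php
<?php
// Added example, not Zend Framework code: two ways of quoting a PHP string
// into a SQL Server string literal for the sqlsrv extension, which offers
// no quoting function of its own.

/** Pre-fix style: only doubles single quotes. A raw NUL byte passes through
 *  untouched, and SQL Server stops reading the literal at that byte. */
function quoteSqlServerValueLegacy(string $value): string
{
    return "'" . str_replace("'", "''", $value) . "'";
}

/** Fixed style, mirroring the advisory: addcslashes() turns a NUL byte into
 *  the four literal characters \000 (and SUB, 0x1A, into \032). SQL Server
 *  does not interpret backslash escapes, so the literal stays one string. */
function quoteSqlServerValue(string $value): string
{
    $value = addcslashes($value, "\000\032");
    return "'" . str_replace("'", "''", $value) . "'";
}

/** Defensive check (constructed helper): a finished literal must never carry
 *  a raw NUL byte, because SQL Server treats it as the end of the string. */
function containsRawNul(string $quoted): bool
{
    return strpos($quoted, "\0") !== false;
}

// Constructed input: an embedded single quote and an embedded NUL byte.
$input = "O'Reilly\0tail";

$legacy = quoteSqlServerValueLegacy($input);
$fixed  = quoteSqlServerValue($input);

// Make the bytes visible so the difference can be seen on a terminal.
echo 'legacy: ', addcslashes($legacy, "\0..\37"),
     containsRawNul($legacy) ? '  (raw NUL present)' : '  (clean)', PHP_EOL;
echo 'fixed:  ', addcslashes($fixed, "\0..\37"),
     containsRawNul($fixed) ? '  (raw NUL present)' : '  (clean)', PHP_EOL;
```

The legacy literal still contains the NUL byte, so everything after it is outside the string as far as SQL Server is concerned; the fixed literal carries the text \000 instead, and the value is altered rather than the query. Prepared statements, or the PDO_Sqlsrv adapter named in the advisory, remain the preferable route because they avoid building the literal at all.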
+*ZendFramework-1.12.9 (07 Oct 2014) + + 07 Oct 2014; <grknight@gentoo.org> +ZendFramework-1.12.9.ebuild, + -ZendFramework-1.11.6.ebuild: + Version bump for wrt bug 448576 and security bugs 451060, 505276 and 523198 Should be OK to stable as it keeps backwards compatibility with the 1.11 series
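Review bot: The ChangeLog entry for ZendFramework-1.12.9 lists bug 448576 and security bugs 451060, 505276 and 523198 but does not name the CVE (CVE-2014-8088) or the upstream advisory that motivate the bump, which makes the security reason for the version bump harder to trace from the ChangeLog alone; consider citing the CVE next to the bug numbers. Minor style point in the same entry: "Version bump for wrt bug 448576" reads as a typo; either "for" or "wrt" is intended.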
Arches, please test and mark stable:

=dev-php/ZendFramework-1.12.9

Target Keywords : "amd64 hppa x86"
CVE-2014-8088 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8088): The (1) Zend_Ldap class in Zend before 1.12.9 and (2) Zend\Ldap component in Zend 2.x before 2.2.8 and 2.3.x before 2.3.3 allows remote attackers to bypass authentication via a password starting with a null byte, which triggers an unauthenticated bind.
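An added illustration of the class of check that addresses the bind problem described in the CVE text above (this is constructed example code, not Zend_Ldap's actual fix): credentials are validated before they reach ldap_bind(), rejecting an empty password and any password containing a NUL byte, since a password that starts with a NUL byte is seen as empty by the underlying C LDAP client and turns the intended simple bind into an unauthenticated bind. The function names and the sample DN and passwords are assumptions made for this example.

```php
<?php
// Added example, not Zend_Ldap code: guard credentials before a simple bind.

/** Returns null when the credentials may be used for an authenticated bind,
 *  otherwise a short reason why they must be refused. */
function rejectUnsafeBindCredentials(string $dn, string $password): ?string
{
    if ($dn === '') {
        return 'empty bind DN';
    }
    if ($password === '') {
        return 'empty password would request an anonymous bind';
    }
    if (strpos($password, "\0") !== false) {
        // The C client stops at the first NUL, so "\0..." binds as "".
        return 'password contains a NUL byte';
    }
    return null;
}

/** Wrapper around ldap_bind() that enforces the guard. $conn is an LDAP
 *  connection from ldap_connect(); the bind itself is not exercised here. */
function authenticatedBind($conn, string $dn, string $password): bool
{
    $reason = rejectUnsafeBindCredentials($dn, $password);
    if ($reason !== null) {
        throw new InvalidArgumentException("Refusing LDAP bind: $reason");
    }
    return ldap_bind($conn, $dn, $password);
}

// Constructed inputs; the guard runs without an LDAP server.
$cases = [
    ['uid=alice,dc=example,dc=com', 'correct horse battery'],
    ['uid=alice,dc=example,dc=com', ''],
    ['uid=alice,dc=example,dc=com', "\0anything"],
];
foreach ($cases as [$dn, $password]) {
    $verdict = rejectUnsafeBindCredentials($dn, $password) ?? 'ok to bind';
    echo str_pad(addcslashes($password, "\0..\37"), 24), ' => ', $verdict, PHP_EOL;
}
```

The guard sits in front of the bind rather than relying on the directory server to refuse the request, because an anonymous bind is legitimate from the server's point of view; the application is the only layer that knows a password was supposed to be present.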
(In reply to Yury German from comment #2)
> Arches, please test and mark stable:
>
> =dev-php/ZendFramework-1.12.9
>
> Target Keywords : "amd64 hppa x86"

I believe blueknight meant to add arches. Adding now.
Stable for HPPA.
amd64 stable
x86 stable. Maintainer(s), please clean up. Security, please vote.
Old version dropped
GLSA vote: no.
GLSA Vote: No