
Bug 436210 (CVE-2012-4451)

Summary: dev-php/ZendFramework: Multiple Cross-Site Scripting Vulnerabilities (CVE-2012-4451)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: minor
CC: gurligebis, php-bugs
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2012-09-25 12:15:08 UTC
Description
Multiple vulnerabilities have been reported in Zend Framework, which can be exploited by malicious people to conduct cross-site scripting attacks.

Certain input passed to Zend\Feed\PubSubHubbub, Zend\Log\Formatter\Xml, Zend\Tag\Cloud\Decorator, Zend\Uri, Zend\View\Helper\HeadStyle, Zend\View\Helper\Navigation\Sitemap, and Zend\View\Helper\Placeholder\Container\AbstractStandalone is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerabilities are reported in versions prior to 2.0.1.


Solution
Update to version 2.0.1.
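The description above names the general cause, untrusted values written into HTML without escaping. The following PHP snippet is an added illustration of that bug class and its fix; it is not Zend Framework code and does not reproduce the affected classes. The function names, the tag-cloud markup and the sample input are all constructed for the example.

```php
<?php
// Added illustration (not Zend Framework code): a renderer that interpolates
// untrusted values into HTML, beside the same renderer with output escaping.
// Function names and markup are hypothetical.

/** Vulnerable: tag values land in HTML and in a URL with no escaping. */
function renderTagCloudUnsafe(array $tags): string
{
    $html = '<ul class="tag-cloud">';
    foreach ($tags as $tag) {
        $html .= '<li><a href="/tag/' . $tag['slug'] . '">' . $tag['title'] . '</a></li>';
    }
    return $html . '</ul>';
}

/** Escape for an HTML text or attribute context. */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Escape for a single URL path segment. */
function escapeUrlSegment(string $value): string
{
    return rawurlencode($value);
}

/** Fixed: every untrusted value is escaped for the context it is written into. */
function renderTagCloudSafe(array $tags): string
{
    $html = '<ul class="tag-cloud">';
    foreach ($tags as $tag) {
        // URL-encode first (path context), then HTML-escape (attribute context).
        $href = escapeHtml(escapeUrlSegment($tag['slug']));
        $html .= '<li><a href="/tag/' . $href . '">' . escapeHtml($tag['title']) . '</a></li>';
    }
    return $html . '</ul>';
}

// Constructed sample input: the second title is an attacker-controlled string
// that was stored earlier (for instance a user-supplied tag name).
$tags = [
    ['slug' => 'php', 'title' => 'PHP'],
    ['slug' => 'x',   'title' => '<img src=x onerror=alert(1)>'],
];

// Unsafe output contains the markup verbatim, so a browser would run it.
echo renderTagCloudUnsafe($tags), PHP_EOL;

// Safe output contains &lt;img src=x onerror=alert(1)&gt; as inert text.
echo renderTagCloudSafe($tags), PHP_EOL;
```

The point to check in a review is the one the advisory makes: each value must be escaped for the context it is emitted into (HTML body, attribute, URL segment), at the point of output rather than once at input, because the same stored value may later be rendered in several contexts.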
Comment 1 Agostino Sarubbo gentoo-dev 2012-09-25 12:15:48 UTC
@maintainer:

Please check if version 1.x is affected too.
Comment 2 Matti Bickel (RETIRED) gentoo-dev 2013-01-09 20:20:52 UTC
https://security-tracker.debian.org/tracker/CVE-2012-4451 Says ZF1 is not vulnerable.

I'm unsure if gurligebis is going to provide ZF2 in the tree but the php team has decided we won't.
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2013-01-15 23:20:16 UTC
(In reply to comment #2)
> https://security-tracker.debian.org/tracker/CVE-2012-4451 Says ZF1 is not
> vulnerable.
> 

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688946#10

Agreed.