| Summary: | <dev-php/ZendFramework-1.12.9: SQL injection vector when manually quoting values for sqlsrv extension, using null byte (CVE-2014-8088) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | gurligebis, php-bugs |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://framework.zend.com/security/advisory/ZF2014-06 | | |
| Whiteboard: | B3 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2014-09-19 07:55:02 UTC
```
+*ZendFramework-1.12.9 (07 Oct 2014)
+
+  07 Oct 2014; <grknight@gentoo.org> +ZendFramework-1.12.9.ebuild,
+  -ZendFramework-1.11.6.ebuild:
+  Version bump for wrt bug 448576 and security bugs 451060, 505276 and 523198
```

Should be OK to stable as it keeps backwards compatibility with the 1.11 series.

Arches, please test and mark stable:

=dev-php/ZendFramework-1.12.9

Target Keywords : "amd64 hppa x86"

CVE-2014-8088 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8088):
The (1) Zend_Ldap class in Zend before 1.12.9 and (2) Zend\Ldap component in Zend 2.x before 2.2.8 and 2.3.x before 2.3.3 allows remote attackers to bypass authentication via a password starting with a null byte, which triggers an unauthenticated bind.

(In reply to Yury German from comment #2)
> Arches, please test and mark stable:
>
> =dev-php/ZendFramework-1.12.9
>
> Target Keywords : "amd64 hppa x86"

I believe blueknight meant to add arches. Adding now.

Stable for HPPA.

amd64 stable

x86 stable. Maintainer(s), please cleanup. Security, please vote.

Old version dropped

GLSA vote: no.

GLSA Vote: No
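The CVE text quoted in the thread describes the failure mode: a password that starts with a null byte reaches the LDAP client library as an empty C string, so a simple bind that the application believes is authenticated is performed as an unauthenticated bind. The PHP snippet below is an added example, not code from Zend Framework, from the Gentoo ebuild or from this bug report; it shows the pre-bind check an application can make so that such credentials fail closed instead of being sent to the directory. The function names `ldapPasswordRejectReason` and `ldapAuthenticate` are hypothetical; `ldap_bind` and `ldap_connect` are PHP's standard LDAP functions.

```php
<?php
// Added example (not from Zend Framework or this bug): refuse to perform an
// LDAP simple bind when the supplied password would be treated as empty.
// Per CVE-2014-8088, a password beginning with a NUL byte triggers an
// unauthenticated bind, because the string handed to the LDAP client library
// ends at the first NUL. Function names below are hypothetical.

/**
 * Return the reason a password must not be passed to ldap_bind(), or null
 * if it is acceptable for an authenticated simple bind.
 */
function ldapPasswordRejectReason(string $password): ?string
{
    if ($password === '') {
        return 'empty password would request an unauthenticated bind';
    }
    if (strpos($password, "\0") !== false) {
        // strlen() counts every byte, but the C library only sees the bytes
        // before the first NUL: "\0secret" is effectively "".
        return 'password contains a NUL byte';
    }
    return null;
}

/**
 * Authenticated bind that fails closed on credentials which would silently
 * degrade to an unauthenticated bind. $ldap comes from ldap_connect().
 */
function ldapAuthenticate($ldap, string $dn, string $password): bool
{
    $reason = ldapPasswordRejectReason($password);
    if ($reason !== null) {
        // Log the refusal; a spike of these is worth alerting on.
        error_log("refusing LDAP bind for {$dn}: {$reason}");
        return false;
    }
    return ldap_bind($ldap, $dn, $password);
}

// Self-check of the guard on constructed inputs; no directory server needed.
assert(ldapPasswordRejectReason('hunter2') === null);
assert(ldapPasswordRejectReason('') !== null);
assert(ldapPasswordRejectReason("\0hunter2") !== null);
assert(ldapPasswordRejectReason("hun\0ter2") !== null);
```

The check belongs in the application layer even after upgrading the framework: it documents the invariant (a password-based bind is never allowed to become anonymous), and the log line gives operators a signal when someone is probing for this class of bypass.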