From Secunia security advisory at $URL:

Description
SEC Consult has reported a vulnerability in Zend Framework, which can be exploited by malicious people to disclose sensitive information. The vulnerability is caused due to an error within the "Zend_XmlRpc" class when processing XML data, which can be exploited to e.g. disclose contents of certain local files by sending specially crafted XML data including external entity references. The vulnerability is reported in versions prior to 1.11.12 and 1.12.0.

Solution
Update to version 1.11.12 or 1.12.0.
@maintainer: is ok to stabilize?
Ok with me - please go ahead.
Thanks. Arches, please test and mark stable:
=dev-php/ZendFramework-1.11.12
Target KEYWORDS: "amd64 hppa ppc ppc64 x86"
amd64 stable
x86 stable
Stable for HPPA.
ppc done
ppc/ppc64 keywords dropped
security please vote
(In reply to comment #9)
> security please vote

Yes, we know when to vote and we can do so with 1 less email if you would let us.

GLSA vote: no.
(In reply to comment #10)
> Yes, we know when to vote and we can do so with 1 less email if you would
> let us.

What is the difference for you between:
1) Change [stable] to [glsa?]
2) Change [stable] to [glsa?] and say: security please vote?

You will receive in both cases 1 email.
(In reply to comment #11)
> (In reply to comment #10)
> > Yes, we know when to vote and we can do so with 1 less email if you would
> > let us.
>
> What is the difference for you between:
> 1) Change [stable] to [glsa?]
> 2) Change [stable] to [glsa?] and say: security please vote?
>
> You will receive in both cases 1 email.

Two Email Method:
1. You change status from [stable] to [glsa?] and tell us to vote
2. We vote.

One Email Method:
1. We change status from [stable] to [glsa?] and vote at the same time.

Which method do you think the people watching security@, CC'd to bugs, and assigned to the bug would prefer?
Thanks, folks. GLSA Vote: no, closing.
CVE-2012-3363 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3363): Zend_XmlRpc in Zend Framework 1.x before 1.11.12 and 1.12.x before 1.12.0 does not properly handle SimpleXMLElement classes, which allows remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request, aka an XML external entity (XXE) injection attack.
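The defensive side of the XXE issue described in the advisory and CVE above, as an added example that is not Zend Framework's code and not part of this bug: a PHP function (hypothetical name `parseXmlRpcRequestSafely`) that refuses any XML-RPC body carrying a DOCTYPE and parses the rest with external entity loading switched off. It assumes PHP 7 or later with the SimpleXML extension; the sample request bodies are constructed for illustration.

```php
<?php
// Added example, not Zend Framework code. Hardens XML-RPC request parsing
// against XML external entity (XXE) injection.

function parseXmlRpcRequestSafely(string $xml): SimpleXMLElement
{
    // An XML-RPC request never legitimately carries a DTD, so reject any
    // DOCTYPE before libxml gets to see it (this is where the entity
    // declaration in an XXE payload lives).
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        throw new InvalidArgumentException('DOCTYPE not permitted in XML-RPC request');
    }

    // Defence in depth: forbid libxml from loading external entities or DTDs.
    // (Deprecated since PHP 8.0 because libxml >= 2.9 defaults to disabled,
    // but harmless to call on the PHP versions contemporary with this bug.)
    $previousLoader = libxml_disable_entity_loader(true);
    $previousErrors = libxml_use_internal_errors(true);
    try {
        // LIBXML_NONET blocks network access during parsing; LIBXML_NOENT is
        // deliberately NOT passed, so entities are never substituted.
        $sxe = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
        if ($sxe === false) {
            throw new InvalidArgumentException('Malformed XML-RPC request');
        }
        return $sxe;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previousErrors);
        libxml_disable_entity_loader($previousLoader);
    }
}

// Constructed sample bodies: a benign call and one with an external entity
// declared in a DOCTYPE (placeholder SYSTEM identifier, not a real target).
$benign  = '<?xml version="1.0"?><methodCall><methodName>demo.hello</methodName></methodCall>';
$hostile = '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY e SYSTEM "file:///placeholder">]>'
         . '<methodCall><methodName>&e;</methodName></methodCall>';

echo 'benign methodName: ', (string) parseXmlRpcRequestSafely($benign)->methodName, PHP_EOL;
try {
    parseXmlRpcRequestSafely($hostile);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```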