
php-ZendFramework2 2.4.10 updates

## 2.4.10 (2016-05-09)

- Fix HeaderValue throwing an exception on legal characters

## 2.4.9 (2015-11-23)

### SECURITY UPDATES

- **ZF2015-09**: `Zend\Captcha\Word` generates a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. Prior to this vulnerability announcement, the selection was performed using PHP's internal `array_rand()` function. This function does not generate sufficient entropy due to its usage of `rand()` instead of more cryptographically secure methods such as `openssl_random_pseudo_bytes()`. This could potentially lead to information disclosure should an attacker be able to brute force the random number generation. This release contains a patch that replaces the `array_rand()` calls with `Zend\Math\Rand::getInteger()`, which provides better RNG.
- **ZF2015-10**: `Zend\Crypt\PublicKey\Rsa\PublicKey` has a call to `openssl_public_encrypt()` which used PHP's default `$padding` argument, which specifies `OPENSSL_PKCS1_PADDING`, indicating usage of PKCS1v1.5 padding. This padding has a known vulnerability, the [Bleichenbacher's chosen-ciphertext attack](http://crypto.stackexchange.com/questions/12688/can-you-e...bleichenbachers-cca-attack-on-pkcs1-v1-5), which can be used to recover an RSA private key. This release contains a patch that changes the padding argument to use `OPENSSL_PKCS1_OAEP_PADDING`. Users upgrading to this version may have issues decrypting previously stored values, due to the change in padding. If this occurs, you can pass the constant `OPENSSL_PKCS1_PADDING` to a new `$padding` argument in `Zend\Crypt\PublicKey\Rsa::encrypt()` and `decrypt()` (though typically this should only apply to the latter):

  ```php
  $decrypted = $rsa->decrypt($data, $key, $mode, OPENSSL_PKCS1_PADDING);
  ```

  where `$rsa` is an instance of `Zend\Crypt\PublicKey\Rsa`. (The `$key` and `$mode` argument defaults are `null` and `Zend\Crypt\PublicKey\Rsa::MODE_AUTO`, if you were not using them previously.)

  We recommend re-encrypting any such values using the new defaults.
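Both 2.4.9 fixes worked through with PHP's own primitives, as an added example that is not code from the advisory or from Zend Framework: a CAPTCHA word drawn with `random_int()` instead of `array_rand()`, and the re-encryption from PKCS#1 v1.5 to OAEP that the last paragraph recommends. It assumes PHP 7+ with ext/openssl; the key pair, the function names and the sample plaintext are constructed for the demo.

```php
<?php
// Added example (not from the advisory or Zend Framework). The two ZF2015-09 /
// ZF2015-10 fixes with PHP's own primitives, which Zend\Math\Rand and
// Zend\Crypt\PublicKey\Rsa wrap. Assumes PHP 7+ (random_int) and ext/openssl.

// ZF2015-09: draw each letter with random_int(), a CSPRNG, instead of
// array_rand(), whose output is predictable because it relies on rand().
function captchaWord(int $length, string $charset = 'abcdefghijklmnopqrstuvwxyz'): string
{
    $last = strlen($charset) - 1;
    $word = '';
    for ($i = 0; $i < $length; $i++) {
        $word .= $charset[random_int(0, $last)];
    }
    return $word;
}

// ZF2015-10: how a pre-2.4.9 application wrote a value (PKCS#1 v1.5 default).
function legacyEncrypt(string $plaintext, string $publicKeyPem): string
{
    if (!openssl_public_encrypt($plaintext, $out, $publicKeyPem, OPENSSL_PKCS1_PADDING)) {
        throw new RuntimeException('encrypt failed: ' . openssl_error_string());
    }
    return $out;
}

// Migration: decrypt under the padding the value was written with (the raw
// equivalent of $rsa->decrypt($data, $key, $mode, OPENSSL_PKCS1_PADDING)),
// then re-encrypt under the new default, OAEP.
function reencryptToOaep(string $legacy, string $privateKeyPem, string $publicKeyPem): string
{
    if (!openssl_private_decrypt($legacy, $plain, $privateKeyPem, OPENSSL_PKCS1_PADDING)) {
        throw new RuntimeException('legacy decrypt failed: ' . openssl_error_string());
    }
    if (!openssl_public_encrypt($plain, $fresh, $publicKeyPem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('OAEP encrypt failed: ' . openssl_error_string());
    }
    return $fresh;
}

// Demo key pair, generated here for the example; load your own key in real use.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($key, $privateKeyPem);
$publicKeyPem = openssl_pkey_get_details($key)['key'];

$stored   = legacyEncrypt('stored-secret', $publicKeyPem);          // constructed sample value
$migrated = reencryptToOaep($stored, $privateKeyPem, $publicKeyPem);
openssl_private_decrypt($migrated, $check, $privateKeyPem, OPENSSL_PKCS1_OAEP_PADDING);
var_dump($check === 'stored-secret', strlen(captchaWord(6)) === 6);
```

Run the migration once over every stored ciphertext rather than leaving the `OPENSSL_PKCS1_PADDING` override on `decrypt()` in place, since any value that still needs it is still exposed to the padding issue the release fixes.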

  • Vendor: Fedora
  • Vendor ID: FEDORA-2016-03c0ed3127
  • Date: June 22, 2016


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2016-03c0ed3127
2016-06-21 18:29:37.916857
--------------------------------------------------------------------------------

Name : php-ZendFramework2
Product : Fedora 22
Version : 2.4.10
Release : 1.fc22
URL : http://framework.zend.com
Summary : Zend Framework 2
Description :
Zend Framework 2 is an open source framework for developing web applications
and services using PHP 5.3+. Zend Framework 2 uses 100% object-oriented code
and utilizes most of the new features of PHP 5.3, namely namespaces, late
static binding, lambda functions and closures.

Zend Framework 2 evolved from Zend Framework 1, a successful PHP framework
with over 15 million downloads.

Note: This meta package installs all base Zend Framework component packages
(Authentication, Barcode, Cache, Captcha, Code, Config, Console, Crypt, Db,
Debug, Di, Dom, Escaper, EventManager, Feed, File, Filter, Form, Http, I18n,
InputFilter, Json, Ldap, Loader, Log, Mail, Math, Memory, Mime, ModuleManager,
Mvc, Navigation, Paginator, Permissions-Acl, Permissions-Rbac, ProgressBar,
Serializer, Server, ServiceManager, Session, Soap, Stdlib, Tag, Test, Text,
Uri, Validator, Version, View, XmlRpc) except the optional Cache-apc and
Cache-memcached packages.

--------------------------------------------------------------------------------
Update Information:

(Identical to the changelog excerpt reproduced under the advisory title above.)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #1343990 - [epel7][security] php-ZendFramework2-2.4.10 is available
      https://bugzilla.redhat.com/show_bug.cgi?id=1343990
[ 2 ] Bug #1289318 - CVE-2015-7503 php-ZendFramework2: Usage of vulnerable PKCS#1 v1.5 padding allows to recover RSA private key [epel-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1289318
[ 3 ] Bug #1343995 - [f23][f22][security] php-ZendFramework2-2.4.10 is available
      https://bugzilla.redhat.com/show_bug.cgi?id=1343995
[ 4 ] Bug #1289317 - CVE-2015-7503 php-ZendFramework2: Usage of vulnerable PKCS#1 v1.5 padding allows to recover RSA private key [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1289317
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update php-ZendFramework2' at the command line.
For more information, refer to "Managing Software with yum",
available at https://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
https://lists.fedoraproject.org/admin/lists/package-annou...
