Debian DSA-2602-1 : zendframework - XML external entity inclusion

Nessus Plugin ID 63433 (severity: medium)

Synopsis

The remote Debian host is missing a security-related update.

Description

Yury Dyachenko discovered that Zend Framework uses the PHP XML parser in an insecure way, allowing attackers to open files and trigger HTTP requests, potentially accessing restricted information.

Solution

Upgrade the zendframework packages.

For the stable distribution (squeeze), this problem has been fixed in version 1.10.6-1squeeze2.

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696483

https://packages.debian.org/source/squeeze/zendframework

https://www.debian.org/security/2013/dsa-2602

Plugin Details

Severity: Medium

ID: 63433

File Name: debian_DSA-2602.nasl

Version: 1.12

Type: local

Agent: unix

Published: 1/9/2013

Updated: 1/11/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:6.0, p-cpe:/a:debian:debian_linux:zendframework

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 1/8/2013

Reference Information

CVE: CVE-2012-5657

BID: 56982

DSA: 2602