Detections
Analytics

Fedora 20 : php-ZendFramework-1.12.13-1.fc20 (2015-8714)

medium Nessus Plugin ID 83934

Language:

Synopsis

The remote Fedora host is missing a security update.

Description

**Zend Framework 1.12.13**

 - 567: Cast int and float to string when creating headers

**Zend Framework 1.12.12**

 - 493: PHPUnit not being installed

 - 511: Add PATCH to the list of allowed methods in Zend_Controller_Request_HttpTestCase

 - 513: Save time and space when cloning PHPUnit

 - 515: !IE conditional comments bug

 - 516: Zend_Locale does not honor parentLocale configuration

 - 518: Run travis build also on PHP 7 builds

 - 534: Failing unit test:
 Zend_Validate_EmailAddressTest::testIdnHostnameInEmail lAddress

 - 536: Zend_Measure_Number convert some decimal numbers to roman with space char

 - 537: Extend view renderer controller fix (#440)

 - 540: Fix PHP 7 BC breaks in Zend_XmlRpc/Amf_Server

 - 541: Fixed errors in tests on PHP7

 - 542: Correctly reset the sub-path when processing routes

 - 545: Fixed path delimeters being stripped by chain routes affecting later routes

 - 546: TravisCI: Skip memcache(d) on PHP 5.2

 - 547: Session Validators throw 'general' Session Exception during Session start

 - 550: Notice 'Undefined index: browser_version'

 - 557: doc: Zend Framework Dependencies table unreadable

 - 559: Fixes a typo in Zend_Validate messages for SK

 - 561: Zend_Date not expected year

 - 564: Zend_Application tries to load ZendX_Application_Resource_FrontController during instantiation

**Security**

 - **ZF2015-04**: Zend_Mail and Zend_Http were both susceptible to CRLF Injection Attack vectors (for HTTP, this is often referred to as HTTP Response Splitting).
 Both components were updated to perform header value validations to ensure no values contain characters not detailed in their corresponding specifications, and will raise exceptions on detection. Each also provides new facilities for both validating and filtering header values prior to injecting them into header classes. If you use either Zend_Mail or Zend_Http, we recommend upgrading immediately.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected php-ZendFramework package.

See Also

https://bugzilla.redhat.com/show_bug.cgi?id=1215712

http://www.nessus.org/u?1957dfce

Plugin Details

Severity: Medium

ID: 83934

File Name: fedora_2015-8714.nasl

Version: 2.4

Type: local

Agent: unix

Published: 6/2/2015

Updated: 1/11/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.8

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Information

CPE: p-cpe:/a:fedoraproject:fedora:php-zendframework, cpe:/o:fedoraproject:fedora:20

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Patch Publication Date: 5/22/2015

Reference Information

CVE: CVE-2015-3154

FEDORA: 2015-8714