ID FEDORA_2014-4603.NASL Type nessus Reporter This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2019-12-02T00:00:00
Description
Update to 1.12.5:
- fixes http://framework.zend.com/security/advisory/ZF2014-01
- fixes http://framework.zend.com/security/advisory/ZF2014-02
- removed: InfoCards, Services/Nirvanix
Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2014-4603.
#
include("compat.inc");
# Registration block: everything inside only declares plugin metadata
# (ID, CVEs, references, CVSS vector, required KB keys) and then exits.
# The package check itself is the code that follows this block.
if (description)
{
script_id(73502);
script_version("1.4");
script_cvs_date("Date: 2018/11/20 11:04:17");
# CVE identifiers and the Fedora advisory ID this finding is cross-referenced to.
script_cve_id("CVE-2014-2681", "CVE-2014-2682", "CVE-2014-2683", "CVE-2014-2684", "CVE-2014-2685");
script_xref(name:"FEDORA", value:"2014-4603");
script_name(english:"Fedora 19 : php-ZendFramework-1.12.5-1.fc19 (2014-4603)");
script_summary(english:"Checks rpm output for the updated package.");
script_set_attribute(
attribute:"synopsis",
value:"The remote Fedora host is missing a security update."
);
# The description is the advisory text as extracted. It names the two Zend
# advisories but does not describe the flaws, so triage has to follow the
# see_also links registered below.
script_set_attribute(
attribute:"description",
value:
"update to 1.12.5 fixes
http://framework.zend.com/security/advisory/ZF2014-01 fixes
http://framework.zend.com/security/advisory/ZF2014-02 removed:
InfoCards, Services/Nirvanix
Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
);
# http://framework.zend.com/security/advisory/ZF2014-01
script_set_attribute(
attribute:"see_also",
value:"https://framework.zend.com/security/advisory/ZF2014-01"
);
# http://framework.zend.com/security/advisory/ZF2014-02
script_set_attribute(
attribute:"see_also",
value:"https://framework.zend.com/security/advisory/ZF2014-02"
);
script_set_attribute(
attribute:"see_also",
value:"https://bugzilla.redhat.com/show_bug.cgi?id=1081287"
);
script_set_attribute(
attribute:"see_also",
value:"https://bugzilla.redhat.com/show_bug.cgi?id=1081288"
);
# https://lists.fedoraproject.org/pipermail/package-announce/2014-April/131341.html
script_set_attribute(
attribute:"see_also",
value:"http://www.nessus.org/u?88b9a90c"
);
script_set_attribute(
attribute:"solution",
value:"Update the affected php-ZendFramework package."
);
# CVSS v2 base vector: network access, low complexity, no authentication,
# partial confidentiality/integrity/availability impact. It rates the
# vulnerabilities themselves. The plugin is registered as "local" below and,
# per its summary, works from rpm output, so a finding means "package version
# is behind the fix", not "the flaw was exercised on this host".
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_attribute(attribute:"plugin_type", value:"local");
# Two CPE entries: the affected package and the operating system release.
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-ZendFramework");
script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:19");
# The plugin was published 13 days after the patch date recorded here.
script_set_attribute(attribute:"patch_publication_date", value:"2014/04/02");
script_set_attribute(attribute:"plugin_publication_date", value:"2014/04/15");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"Fedora Local Security Checks");
# Declared dependency; presumably the script that fills the Host/* KB entries
# required on the next line (confirm against ssh_get_info.nasl).
script_dependencies("ssh_get_info.nasl");
# The same three KB keys are read by the check code after this block, so a scan
# without them (for example, an uncredentialed one) yields no finding from this
# plugin. That absence must not be read as "patched".
script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
# End the registration pass here so none of the check code below runs.
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
# Local package check for Fedora advisory 2014-4603.
# Every gate below ends the plugin through audit() with a specific reason, so
# "not reported" is distinguishable from "could not be checked" in the audit
# trail.

# Gate: local (credentialed) checks must be enabled for this host.
if (!get_kb_item("Host/local_checks_enabled"))
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# Gate: the release string must be present and mention Fedora.
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release)
  audit(AUDIT_OS_NOT, "Fedora");

# Gate: extract the major release number and accept only 19. The trailing
# ([^0-9]|$) keeps a longer number that merely starts with "19" from matching.
release_match = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(release_match))
  audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = release_match[1];
if (! ereg(pattern:"^19([^0-9]|$)", string:os_ver))
  audit(AUDIT_OS_NOT, "Fedora 19.x", "Fedora " + os_ver);

# Gate: without the collected RPM list there is nothing to compare against.
if (!get_kb_item("Host/RedHat/rpm-list"))
  audit(AUDIT_PACKAGE_LIST_MISSING);

# Gate: only x86_64 and i386-i686 hosts are handled; anything else is
# reported as "not implemented" rather than silently passed.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu))
  audit(AUDIT_UNKNOWN_ARCH);
if (!("x86_64" >< cpu || cpu =~ "^i[3-6]86$"))
  audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

# rpm_check() comes from rpm.inc; a true result is treated here as "the fixed
# build php-ZendFramework-1.12.5-1.fc19 is not what the host has installed".
# This is a package-version comparison only; it does not test whether the
# application actually uses the affected components.
if (rpm_check(release:"FC19", reference:"php-ZendFramework-1.12.5-1.fc19"))
{
  # Attach the rpm report text only when the scan asked for verbose output.
  if (report_verbosity > 0)
    security_hole(port:0, extra:rpm_report_get());
  else
    security_hole(0);
  exit(0);
}

# No finding: say whether the package was examined and found unaffected, or
# was not installed at all.
tested = pkg_tests_get();
if (tested)
  audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else
  audit(AUDIT_PACKAGE_NOT_INSTALLED, "php-ZendFramework");
{"id": "FEDORA_2014-4603.NASL", "bulletinFamily": "scanner", "title": "Fedora 19 : php-ZendFramework-1.12.5-1.fc19 (2014-4603)", "description": "update to 1.12.5 fixes\nhttp://framework.zend.com/security/advisory/ZF2014-01 fixes\nhttp://framework.zend.com/security/advisory/ZF2014-02 removed:\nInfoCards, Services/Nirvanix\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "published": "2014-04-15T00:00:00", "modified": "2019-12-02T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://www.tenable.com/plugins/nessus/73502", "reporter": "This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["https://framework.zend.com/security/advisory/ZF2014-01", "https://bugzilla.redhat.com/show_bug.cgi?id=1081287", "http://www.nessus.org/u?88b9a90c", "https://framework.zend.com/security/advisory/ZF2014-02", "https://bugzilla.redhat.com/show_bug.cgi?id=1081288"], "cvelist": ["CVE-2014-2685", "CVE-2014-2682", "CVE-2014-2684", "CVE-2014-2683", "CVE-2014-2681"], "type": "nessus", "lastseen": "2019-12-13T07:03:59", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:fedoraproject:fedora:19", "p-cpe:/a:fedoraproject:fedora:php-ZendFramework"], "cvelist": ["CVE-2014-2685", "CVE-2014-2682", "CVE-2014-2684", "CVE-2014-2683", "CVE-2014-2681"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "update to 1.12.5 fixes http://framework.zend.com/security/advisory/ZF2014-01 fixes http://framework.zend.com/security/advisory/ZF2014-02 removed:\nInfoCards, Services/Nirvanix\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 4, "enchantments": {"score": {"value": 2.1, "vector": "NONE"}}, "hash": "8bd61557ed84603fa73d19b09786e1b923ef28673013cf9fbf96ab9d30bd7cf4", "hashmap": [{"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "359795a75d574c1d830884093e3b8e95", "key": "description"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "b9873c530cea7db5e92a6fdc756c4841", "key": "cpe"}, {"hash": "8168229805ac673ef3577a1af234c323", "key": "pluginID"}, {"hash": "b194cedd8e4ce340d338d684fbed2348", "key": "href"}, {"hash": "e9097bd9d626d9ff14d2a4c3344f5f12", "key": "title"}, {"hash": "9a00910eeedb8c835c4637a953896665", "key": "modified"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "0cfdaa3479b9950bcb7a71be95c6a0c4", "key": "references"}, {"hash": "be931514784f88df80712740ad2723e7", "key": "naslFamily"}, {"hash": "11159a5c99354f09132948d2e8c7ca2c", "key": "sourceData"}, {"hash": "91a222bb1150aecb4099787c2d7f68e4", "key": "published"}, {"hash": "6ea4198dbe687b75d3c7147979ad3325", "key": "cvelist"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=73502", "id": "FEDORA_2014-4603.NASL", "lastseen": "2018-09-02T00:04:16", "modified": "2015-10-19T00:00:00", "naslFamily": "Fedora Local Security Checks", "objectVersion": "1.3", "pluginID": "73502", "published": "2014-04-15T00:00:00", "references": ["https://bugzilla.redhat.com/show_bug.cgi?id=1081287", "http://www.nessus.org/u?88b9a90c", "http://framework.zend.com/security/advisory/ZF2014-01", "http://framework.zend.com/security/advisory/ZF2014-02", "https://bugzilla.redhat.com/show_bug.cgi?id=1081288"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# 
extracted from Fedora Security Advisory 2014-4603.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(73502);\n script_version(\"$Revision: 1.3 $\");\n script_cvs_date(\"$Date: 2015/10/19 22:32:18 $\");\n\n script_cve_id(\"CVE-2014-2681\", \"CVE-2014-2682\", \"CVE-2014-2683\", \"CVE-2014-2684\", \"CVE-2014-2685\");\n script_xref(name:\"FEDORA\", value:\"2014-4603\");\n\n script_name(english:\"Fedora 19 : php-ZendFramework-1.12.5-1.fc19 (2014-4603)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"update to 1.12.5 fixes\nhttp://framework.zend.com/security/advisory/ZF2014-01 fixes\nhttp://framework.zend.com/security/advisory/ZF2014-02 removed:\nInfoCards, Services/Nirvanix\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://framework.zend.com/security/advisory/ZF2014-01\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://framework.zend.com/security/advisory/ZF2014-02\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1081287\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1081288\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-April/131341.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?88b9a90c\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected php-ZendFramework package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-ZendFramework\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:19\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/04/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = 
get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^19([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 19.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC19\", reference:\"php-ZendFramework-1.12.5-1.fc19\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php-ZendFramework\");\n}\n", "title": "Fedora 19 : php-ZendFramework-1.12.5-1.fc19 (2014-4603)", "type": "nessus", "viewCount": 0}, "differentElements": ["references", "modified", "sourceData"], "edition": 4, "lastseen": "2018-09-02T00:04:16"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2014-2685", "CVE-2014-2682", "CVE-2014-2684", "CVE-2014-2683", "CVE-2014-2681"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "update to 1.12.5 fixes http://framework.zend.com/security/advisory/ZF2014-01 fixes http://framework.zend.com/security/advisory/ZF2014-02 removed:\nInfoCards, Services/Nirvanix\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 1, "enchantments": {}, "hash": "4e21d3894c65992c7769a43d615b51c650809981cae3bb6d1cb72532097432d5", "hashmap": [{"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "359795a75d574c1d830884093e3b8e95", "key": "description"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "8168229805ac673ef3577a1af234c323", "key": "pluginID"}, {"hash": "b194cedd8e4ce340d338d684fbed2348", "key": "href"}, {"hash": "e9097bd9d626d9ff14d2a4c3344f5f12", "key": "title"}, {"hash": "9a00910eeedb8c835c4637a953896665", "key": "modified"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "0cfdaa3479b9950bcb7a71be95c6a0c4", "key": "references"}, {"hash": "be931514784f88df80712740ad2723e7", "key": "naslFamily"}, {"hash": "11159a5c99354f09132948d2e8c7ca2c", "key": "sourceData"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}, {"hash": "91a222bb1150aecb4099787c2d7f68e4", "key": "published"}, {"hash": "6ea4198dbe687b75d3c7147979ad3325", "key": "cvelist"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=73502", "id": "FEDORA_2014-4603.NASL", "lastseen": "2016-09-26T17:26:09", "modified": "2015-10-19T00:00:00", "naslFamily": "Fedora Local Security Checks", "objectVersion": "1.2", "pluginID": "73502", "published": "2014-04-15T00:00:00", "references": ["https://bugzilla.redhat.com/show_bug.cgi?id=1081287", "http://www.nessus.org/u?88b9a90c", "http://framework.zend.com/security/advisory/ZF2014-01", "http://framework.zend.com/security/advisory/ZF2014-02", "https://bugzilla.redhat.com/show_bug.cgi?id=1081288"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 
2014-4603.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(73502);\n script_version(\"$Revision: 1.3 $\");\n script_cvs_date(\"$Date: 2015/10/19 22:32:18 $\");\n\n script_cve_id(\"CVE-2014-2681\", \"CVE-2014-2682\", \"CVE-2014-2683\", \"CVE-2014-2684\", \"CVE-2014-2685\");\n script_xref(name:\"FEDORA\", value:\"2014-4603\");\n\n script_name(english:\"Fedora 19 : php-ZendFramework-1.12.5-1.fc19 (2014-4603)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"update to 1.12.5 fixes\nhttp://framework.zend.com/security/advisory/ZF2014-01 fixes\nhttp://framework.zend.com/security/advisory/ZF2014-02 removed:\nInfoCards, Services/Nirvanix\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://framework.zend.com/security/advisory/ZF2014-01\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://framework.zend.com/security/advisory/ZF2014-02\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1081287\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1081288\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-April/131341.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?88b9a90c\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected php-ZendFramework package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-ZendFramework\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:19\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/04/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^19([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 19.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC19\", reference:\"php-ZendFramework-1.12.5-1.fc19\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php-ZendFramework\");\n}\n", "title": "Fedora 19 : php-ZendFramework-1.12.5-1.fc19 (2014-4603)", "type": "nessus", "viewCount": 0}, "differentElements": ["cpe"], "edition": 1, "lastseen": "2016-09-26T17:26:09"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:fedoraproject:fedora:19", "p-cpe:/a:fedoraproject:fedora:php-ZendFramework"], "cvelist": ["CVE-2014-2685", "CVE-2014-2682", "CVE-2014-2684", "CVE-2014-2683", "CVE-2014-2681"], "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "description": "update to 1.12.5 fixes\nhttp://framework.zend.com/security/advisory/ZF2014-01 fixes\nhttp://framework.zend.com/security/advisory/ZF2014-02 removed:\nInfoCards, Services/Nirvanix\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 8, "enchantments": {"dependencies": {"modified": "2019-10-28T20:11:38", "references": [{"idList": ["DEBIAN:DSA-3265-2:03C60", "DEBIAN:DLA-251-1:7D839", "DEBIAN:DLA-251-2:CDAD6", "DEBIAN:DSA-3265-1:1C648"], "type": "debian"}, {"idList": ["ALA_ALAS-2014-377.NASL", "DEBIAN_DSA-3265.NASL", "MANDRIVA_MDVSA-2014-072.NASL", "FEDORA_2014-4636.NASL", "FEDORA_2014-4612.NASL", "DEBIAN_DLA-251.NASL", "MANDRIVA_MDVSA-2015-097.NASL", "FEDORA_2014-4651.NASL"], "type": "nessus"}, {"idList": ["SECURITYVULNS:VULN:13733", "SECURITYVULNS:DOC:32176", "SECURITYVULNS:DOC:32109", "SECURITYVULNS:DOC:30618", "SECURITYVULNS:VULN:14479"], "type": "securityvulns"}, {"idList": ["CVE-2014-2685", "CVE-2014-2682", "CVE-2014-2684", "CVE-2014-2683", "CVE-2014-2681"], "type": "cve"}, {"idList": ["ALAS-2014-377"], "type": "amazon"}, {"idList": ["OPENVAS:1361412562310867689", "OPENVAS:1361412562310867845", "OPENVAS:1361412562310867685", "OPENVAS:1361412562310120576", "OPENVAS:1361412562310867684", "OPENVAS:867684", "OPENVAS:1361412562310867686", "OPENVAS:867686", "OPENVAS:867689", "OPENVAS:867685"], "type": "openvas"}]}, "score": {"modified": "2019-10-28T20:11:38", "value": 5.9, "vector": "NONE"}}, "hash": "881d99130cf31b35bb62bb62768847e04ee4e6cb1223db12e19929703b5d5e38", "hashmap": [{"hash": "5085e5b33bdf9ff050606bb459861fe0", "key": "sourceData"}, {"hash": "b9873c530cea7db5e92a6fdc756c4841", "key": "cpe"}, {"hash": "8168229805ac673ef3577a1af234c323", "key": "pluginID"}, {"hash": "e9097bd9d626d9ff14d2a4c3344f5f12", "key": "title"}, {"hash": "1d9ef87ab773b65f81bb11473a12892c", "key": "references"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "0bafb6325bcaf483a25404f785191cc5", "key": "modified"}, {"hash": "a9f0216dcd072088affed853490cd8f5", "key": "description"}, {"hash": 
"be931514784f88df80712740ad2723e7", "key": "naslFamily"}, {"hash": "5ef1d712dfe6999e8474551ebeb8ed43", "key": "href"}, {"hash": "0b053db5674b87efff89989a8a720df3", "key": "cvss"}, {"hash": "3ac27814e21dbbdbed6b1f79a83eb599", "key": "reporter"}, {"hash": "91a222bb1150aecb4099787c2d7f68e4", "key": "published"}, {"hash": "6ea4198dbe687b75d3c7147979ad3325", "key": "cvelist"}], "history": [], "href": "https://www.tenable.com/plugins/nessus/73502", "id": "FEDORA_2014-4603.NASL", "lastseen": "2019-10-28T20:11:38", "modified": "2019-10-02T00:00:00", "naslFamily": "Fedora Local Security Checks", "objectVersion": "1.3", "pluginID": "73502", "published": "2014-04-15T00:00:00", "references": ["https://framework.zend.com/security/advisory/ZF2014-01", "https://bugzilla.redhat.com/show_bug.cgi?id=1081287", "http://www.nessus.org/u?88b9a90c", "https://framework.zend.com/security/advisory/ZF2014-02", "https://bugzilla.redhat.com/show_bug.cgi?id=1081288"], "reporter": "This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-4603.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(73502);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/11/20 11:04:17\");\n\n script_cve_id(\"CVE-2014-2681\", \"CVE-2014-2682\", \"CVE-2014-2683\", \"CVE-2014-2684\", \"CVE-2014-2685\");\n script_xref(name:\"FEDORA\", value:\"2014-4603\");\n\n script_name(english:\"Fedora 19 : php-ZendFramework-1.12.5-1.fc19 (2014-4603)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"update to 1.12.5 fixes\nhttp://framework.zend.com/security/advisory/ZF2014-01 fixes\nhttp://framework.zend.com/security/advisory/ZF2014-02 removed:\nInfoCards, Services/Nirvanix\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # http://framework.zend.com/security/advisory/ZF2014-01\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://framework.zend.com/security/advisory/ZF2014-01\"\n );\n # http://framework.zend.com/security/advisory/ZF2014-02\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://framework.zend.com/security/advisory/ZF2014-02\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1081287\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1081288\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-April/131341.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?88b9a90c\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected php-ZendFramework package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-ZendFramework\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:19\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/04/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^19([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 19.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC19\", reference:\"php-ZendFramework-1.12.5-1.fc19\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php-ZendFramework\");\n}\n", "title": "Fedora 19 : php-ZendFramework-1.12.5-1.fc19 (2014-4603)", "type": "nessus", "viewCount": 0}, "differentElements": ["modified"], "edition": 8, "lastseen": "2019-10-28T20:11:38"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:fedoraproject:fedora:19", "p-cpe:/a:fedoraproject:fedora:php-ZendFramework"], "cvelist": ["CVE-2014-2685", "CVE-2014-2682", "CVE-2014-2684", "CVE-2014-2683", "CVE-2014-2681"], "cvss": {"score": 7.5, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "update to 1.12.5 fixes\nhttp://framework.zend.com/security/advisory/ZF2014-01 fixes\nhttp://framework.zend.com/security/advisory/ZF2014-02 removed:\nInfoCards, Services/Nirvanix\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 6, "enchantments": {"dependencies": {"modified": "2019-01-16T20:18:15", "references": [{"idList": ["DEBIAN:DSA-3265-2:03C60", "DEBIAN:DLA-251-1:7D839", "DEBIAN:DLA-251-2:CDAD6", "DEBIAN:DSA-3265-1:1C648"], "type": "debian"}, {"idList": ["ALA_ALAS-2014-377.NASL", "DEBIAN_DSA-3265.NASL", "MANDRIVA_MDVSA-2014-072.NASL", "FEDORA_2014-4636.NASL", "FEDORA_2014-4612.NASL", "DEBIAN_DLA-251.NASL", "MANDRIVA_MDVSA-2015-097.NASL", "FEDORA_2014-4651.NASL"], "type": "nessus"}, {"idList": ["SECURITYVULNS:VULN:13733", "SECURITYVULNS:DOC:32176", "SECURITYVULNS:DOC:32109", "SECURITYVULNS:DOC:30618", "SECURITYVULNS:VULN:14479"], "type": "securityvulns"}, {"idList": ["CVE-2014-2685", "CVE-2014-2682", "CVE-2014-2684", "CVE-2014-2683", "CVE-2014-2681"], "type": "cve"}, {"idList": ["ALAS-2014-377"], "type": "amazon"}, {"idList": ["OPENVAS:1361412562310867689", "OPENVAS:1361412562310867845", "OPENVAS:1361412562310867685", "OPENVAS:1361412562310120576", "OPENVAS:1361412562310867684", "OPENVAS:867684", "OPENVAS:1361412562310867686", "OPENVAS:867686", "OPENVAS:867689", "OPENVAS:867685"], "type": "openvas"}]}, "score": {"value": 2.1, "vector": "NONE"}}, "hash": "7766819e2ad0d9b4720b9d5d74240f8cf4df8edaab3f66a93ed5a5eeb59c80f1", "hashmap": [{"hash": "5085e5b33bdf9ff050606bb459861fe0", "key": "sourceData"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "e145933baf60ff34e77ad35c77d74478", "key": "modified"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": 
"cvss"}, {"hash": "b9873c530cea7db5e92a6fdc756c4841", "key": "cpe"}, {"hash": "8168229805ac673ef3577a1af234c323", "key": "pluginID"}, {"hash": "b194cedd8e4ce340d338d684fbed2348", "key": "href"}, {"hash": "e9097bd9d626d9ff14d2a4c3344f5f12", "key": "title"}, {"hash": "1d9ef87ab773b65f81bb11473a12892c", "key": "references"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "a9f0216dcd072088affed853490cd8f5", "key": "description"}, {"hash": "be931514784f88df80712740ad2723e7", "key": "naslFamily"}, {"hash": "91a222bb1150aecb4099787c2d7f68e4", "key": "published"}, {"hash": "6ea4198dbe687b75d3c7147979ad3325", "key": "cvelist"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=73502", "id": "FEDORA_2014-4603.NASL", "lastseen": "2019-01-16T20:18:15", "modified": "2018-11-20T00:00:00", "naslFamily": "Fedora Local Security Checks", "objectVersion": "1.3", "pluginID": "73502", "published": "2014-04-15T00:00:00", "references": ["https://framework.zend.com/security/advisory/ZF2014-01", "https://bugzilla.redhat.com/show_bug.cgi?id=1081287", "http://www.nessus.org/u?88b9a90c", "https://framework.zend.com/security/advisory/ZF2014-02", "https://bugzilla.redhat.com/show_bug.cgi?id=1081288"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-4603.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(73502);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/11/20 11:04:17\");\n\n script_cve_id(\"CVE-2014-2681\", \"CVE-2014-2682\", \"CVE-2014-2683\", \"CVE-2014-2684\", \"CVE-2014-2685\");\n script_xref(name:\"FEDORA\", value:\"2014-4603\");\n\n script_name(english:\"Fedora 19 : php-ZendFramework-1.12.5-1.fc19 (2014-4603)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n 
script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"update to 1.12.5 fixes\nhttp://framework.zend.com/security/advisory/ZF2014-01 fixes\nhttp://framework.zend.com/security/advisory/ZF2014-02 removed:\nInfoCards, Services/Nirvanix\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # http://framework.zend.com/security/advisory/ZF2014-01\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://framework.zend.com/security/advisory/ZF2014-01\"\n );\n # http://framework.zend.com/security/advisory/ZF2014-02\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://framework.zend.com/security/advisory/ZF2014-02\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1081287\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1081288\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-April/131341.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?88b9a90c\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected php-ZendFramework package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-ZendFramework\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:19\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", 
value:\"2014/04/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^19([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 19.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC19\", reference:\"php-ZendFramework-1.12.5-1.fc19\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php-ZendFramework\");\n}\n", "title": "Fedora 19 : php-ZendFramework-1.12.5-1.fc19 (2014-4603)", "type": "nessus", "viewCount": 0}, "differentElements": ["description"], "edition": 6, "lastseen": "2019-01-16T20:18:15"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:fedoraproject:fedora:19", 
"p-cpe:/a:fedoraproject:fedora:php-ZendFramework"], "cvelist": ["CVE-2014-2685", "CVE-2014-2682", "CVE-2014-2684", "CVE-2014-2683", "CVE-2014-2681"], "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "description": "update to 1.12.5 fixes\nhttp://framework.zend.com/security/advisory/ZF2014-01 fixes\nhttp://framework.zend.com/security/advisory/ZF2014-02 removed:\nInfoCards, Services/Nirvanix\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 9, "enchantments": {"dependencies": {"modified": "2019-11-01T02:27:15", "references": [{"idList": ["DEBIAN:DSA-3265-2:03C60", "DEBIAN:DLA-251-1:7D839", "DEBIAN:DLA-251-2:CDAD6", "DEBIAN:DSA-3265-1:1C648"], "type": "debian"}, {"idList": ["ALA_ALAS-2014-377.NASL", "DEBIAN_DSA-3265.NASL", "MANDRIVA_MDVSA-2014-072.NASL", "FEDORA_2014-4636.NASL", "FEDORA_2014-4612.NASL", "DEBIAN_DLA-251.NASL", "MANDRIVA_MDVSA-2015-097.NASL", "FEDORA_2014-4651.NASL"], "type": "nessus"}, {"idList": ["SECURITYVULNS:VULN:13733", "SECURITYVULNS:DOC:32176", "SECURITYVULNS:DOC:32109", "SECURITYVULNS:DOC:30618", "SECURITYVULNS:VULN:14479"], "type": "securityvulns"}, {"idList": ["CVE-2014-2685", "CVE-2014-2682", "CVE-2014-2684", "CVE-2014-2683", "CVE-2014-2681"], "type": "cve"}, {"idList": ["ALAS-2014-377"], "type": "amazon"}, {"idList": ["OPENVAS:1361412562310867689", "OPENVAS:1361412562310867845", "OPENVAS:1361412562310867685", "OPENVAS:1361412562310120576", "OPENVAS:1361412562310867684", "OPENVAS:867684", "OPENVAS:1361412562310867686", "OPENVAS:867686", "OPENVAS:867689", "OPENVAS:867685"], "type": "openvas"}]}, "score": {"modified": "2019-11-01T02:27:15", "value": 5.9, "vector": "NONE"}}, "hash": "8aa63a6342aec0ab0876817a621f263ee93bee6d7dd8befdfb27b5b5317f1b21", "hashmap": [{"hash": "5085e5b33bdf9ff050606bb459861fe0", "key": 
"sourceData"}, {"hash": "abcf9266f425f12dda38f529cd4a94bc", "key": "modified"}, {"hash": "b9873c530cea7db5e92a6fdc756c4841", "key": "cpe"}, {"hash": "8168229805ac673ef3577a1af234c323", "key": "pluginID"}, {"hash": "e9097bd9d626d9ff14d2a4c3344f5f12", "key": "title"}, {"hash": "1d9ef87ab773b65f81bb11473a12892c", "key": "references"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "a9f0216dcd072088affed853490cd8f5", "key": "description"}, {"hash": "be931514784f88df80712740ad2723e7", "key": "naslFamily"}, {"hash": "5ef1d712dfe6999e8474551ebeb8ed43", "key": "href"}, {"hash": "0b053db5674b87efff89989a8a720df3", "key": "cvss"}, {"hash": "3ac27814e21dbbdbed6b1f79a83eb599", "key": "reporter"}, {"hash": "91a222bb1150aecb4099787c2d7f68e4", "key": "published"}, {"hash": "6ea4198dbe687b75d3c7147979ad3325", "key": "cvelist"}], "history": [], "href": "https://www.tenable.com/plugins/nessus/73502", "id": "FEDORA_2014-4603.NASL", "lastseen": "2019-11-01T02:27:15", "modified": "2019-11-02T00:00:00", "naslFamily": "Fedora Local Security Checks", "objectVersion": "1.3", "pluginID": "73502", "published": "2014-04-15T00:00:00", "references": ["https://framework.zend.com/security/advisory/ZF2014-01", "https://bugzilla.redhat.com/show_bug.cgi?id=1081287", "http://www.nessus.org/u?88b9a90c", "https://framework.zend.com/security/advisory/ZF2014-02", "https://bugzilla.redhat.com/show_bug.cgi?id=1081288"], "reporter": "This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-4603.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(73502);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/11/20 11:04:17\");\n\n script_cve_id(\"CVE-2014-2681\", \"CVE-2014-2682\", \"CVE-2014-2683\", \"CVE-2014-2684\", \"CVE-2014-2685\");\n script_xref(name:\"FEDORA\", value:\"2014-4603\");\n\n script_name(english:\"Fedora 19 : php-ZendFramework-1.12.5-1.fc19 (2014-4603)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"update to 1.12.5 fixes\nhttp://framework.zend.com/security/advisory/ZF2014-01 fixes\nhttp://framework.zend.com/security/advisory/ZF2014-02 removed:\nInfoCards, Services/Nirvanix\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # http://framework.zend.com/security/advisory/ZF2014-01\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://framework.zend.com/security/advisory/ZF2014-01\"\n );\n # http://framework.zend.com/security/advisory/ZF2014-02\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://framework.zend.com/security/advisory/ZF2014-02\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1081287\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1081288\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-April/131341.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?88b9a90c\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected php-ZendFramework package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-ZendFramework\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:19\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/04/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^19([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 19.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC19\", reference:\"php-ZendFramework-1.12.5-1.fc19\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php-ZendFramework\");\n}\n", "title": "Fedora 19 : php-ZendFramework-1.12.5-1.fc19 (2014-4603)", "type": "nessus", "viewCount": 0}, "differentElements": ["modified"], "edition": 9, "lastseen": "2019-11-01T02:27:15"}], "edition": 10, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "b9873c530cea7db5e92a6fdc756c4841"}, {"key": "cvelist", "hash": "6ea4198dbe687b75d3c7147979ad3325"}, {"key": "cvss", "hash": "0b053db5674b87efff89989a8a720df3"}, {"key": 
"description", "hash": "a9f0216dcd072088affed853490cd8f5"}, {"key": "href", "hash": "5ef1d712dfe6999e8474551ebeb8ed43"}, {"key": "modified", "hash": "5a7504dfe859a7ccbaf560628f6442ad"}, {"key": "naslFamily", "hash": "be931514784f88df80712740ad2723e7"}, {"key": "pluginID", "hash": "8168229805ac673ef3577a1af234c323"}, {"key": "published", "hash": "91a222bb1150aecb4099787c2d7f68e4"}, {"key": "references", "hash": "1d9ef87ab773b65f81bb11473a12892c"}, {"key": "reporter", "hash": "3ac27814e21dbbdbed6b1f79a83eb599"}, {"key": "sourceData", "hash": "5085e5b33bdf9ff050606bb459861fe0"}, {"key": "title", "hash": "e9097bd9d626d9ff14d2a4c3344f5f12"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "2f4d7c33605dc1c8256c20dae64fcf896c95c85ef53274300354313feb5e187e", "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562310867689", "OPENVAS:1361412562310867684", "OPENVAS:1361412562310120576", "OPENVAS:867686", "OPENVAS:867685", "OPENVAS:867684", "OPENVAS:867689", "OPENVAS:1361412562310867686", "OPENVAS:1361412562310867685", "OPENVAS:1361412562310867845"]}, {"type": "nessus", "idList": ["FEDORA_2014-4651.NASL", "FEDORA_2014-4612.NASL", "ALA_ALAS-2014-377.NASL", "MANDRIVA_MDVSA-2014-072.NASL", "FEDORA_2014-4636.NASL", "MANDRIVA_MDVSA-2015-097.NASL", "DEBIAN_DSA-3265.NASL", "DEBIAN_DLA-251.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:30618", "SECURITYVULNS:DOC:32109", "SECURITYVULNS:DOC:32176", "SECURITYVULNS:VULN:14479", "SECURITYVULNS:VULN:13733"]}, {"type": "amazon", "idList": ["ALAS-2014-377"]}, {"type": "cve", "idList": ["CVE-2014-2682", "CVE-2014-2681", "CVE-2014-2683", "CVE-2014-2685", "CVE-2014-2684"]}, {"type": "debian", "idList": ["DEBIAN:DSA-3265-2:03C60", "DEBIAN:DLA-251-1:7D839", "DEBIAN:DSA-3265-1:1C648", "DEBIAN:DLA-251-2:CDAD6"]}], "modified": "2019-12-13T07:03:59"}, "score": {"value": 5.9, "vector": "NONE", "modified": "2019-12-13T07:03:59"}, "vulnersScore": 5.9}, 
"objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-4603.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(73502);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/11/20 11:04:17\");\n\n script_cve_id(\"CVE-2014-2681\", \"CVE-2014-2682\", \"CVE-2014-2683\", \"CVE-2014-2684\", \"CVE-2014-2685\");\n script_xref(name:\"FEDORA\", value:\"2014-4603\");\n\n script_name(english:\"Fedora 19 : php-ZendFramework-1.12.5-1.fc19 (2014-4603)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"update to 1.12.5 fixes\nhttp://framework.zend.com/security/advisory/ZF2014-01 fixes\nhttp://framework.zend.com/security/advisory/ZF2014-02 removed:\nInfoCards, Services/Nirvanix\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # http://framework.zend.com/security/advisory/ZF2014-01\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://framework.zend.com/security/advisory/ZF2014-01\"\n );\n # http://framework.zend.com/security/advisory/ZF2014-02\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://framework.zend.com/security/advisory/ZF2014-02\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1081287\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1081288\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-April/131341.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?88b9a90c\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected php-ZendFramework package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-ZendFramework\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:19\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/04/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^19([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 19.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC19\", reference:\"php-ZendFramework-1.12.5-1.fc19\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php-ZendFramework\");\n}\n", "naslFamily": "Fedora Local Security Checks", "pluginID": "73502", "cpe": ["cpe:/o:fedoraproject:fedora:19", "p-cpe:/a:fedoraproject:fedora:php-ZendFramework"], "scheme": null}
{"openvas": [{"lastseen": "2019-05-29T18:37:19", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2014-04-15T00:00:00", "id": "OPENVAS:1361412562310867689", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310867689", "title": "Fedora Update for php-ZendFramework2 FEDORA-2014-4612", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for php-ZendFramework2 FEDORA-2014-4612\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.867689\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-04-15 09:42:08 +0530 (Tue, 15 Apr 2014)\");\n script_cve_id(\"CVE-2014-2681\", \"CVE-2014-2682\", \"CVE-2014-2683\", \"CVE-2014-2684\", \"CVE-2014-2685\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for php-ZendFramework2 FEDORA-2014-4612\");\n script_tag(name:\"affected\", value:\"php-ZendFramework2 on Fedora 20\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"FEDORA\", value:\"2014-4612\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2014-April/131406.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'php-ZendFramework2'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC20\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = 
rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"php-ZendFramework2\", rpm:\"php-ZendFramework2~2.2.6~1.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:37:14", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2014-04-15T00:00:00", "id": "OPENVAS:1361412562310867684", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310867684", "title": "Fedora Update for php-ZendFramework FEDORA-2014-4651", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for php-ZendFramework FEDORA-2014-4651\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.867684\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-04-15 09:41:38 +0530 (Tue, 15 Apr 2014)\");\n script_cve_id(\"CVE-2014-2681\", \"CVE-2014-2682\", \"CVE-2014-2683\", \"CVE-2014-2684\", \"CVE-2014-2685\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for php-ZendFramework FEDORA-2014-4651\");\n script_tag(name:\"affected\", value:\"php-ZendFramework on Fedora 20\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"FEDORA\", value:\"2014-4651\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2014-April/131347.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'php-ZendFramework'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC20\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = 
rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"php-ZendFramework\", rpm:\"php-ZendFramework~1.12.5~1.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:37:47", "bulletinFamily": "scanner", "description": "Amazon Linux Local Security Checks", "modified": "2018-10-01T00:00:00", "published": "2015-09-08T00:00:00", "id": "OPENVAS:1361412562310120576", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120576", "title": "Amazon Linux Local Check: ALAS-2014-377", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: alas-2014-377.nasl 6637 2017-07-10 09:58:13Z teissa$\n#\n# Amazon Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@iki.fi>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://ping-viini.org\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120576\");\n script_version(\"$Revision: 11711 $\");\n script_tag(name:\"creation_date\", value:\"2015-09-08 13:29:54 +0200 (Tue, 08 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-01 14:30:57 +0200 (Mon, 01 Oct 2018) $\");\n script_name(\"Amazon Linux Local Check: ALAS-2014-377\");\n script_tag(name:\"insight\", value:\"Multiple flaws were found in the PHP ZendFramework. Please see the references for more information.\");\n script_tag(name:\"solution\", value:\"Run yum update php-ZendFramework to update your system.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2014-377.html\");\n script_cve_id(\"CVE-2014-2684\", \"CVE-2014-2685\", \"CVE-2014-2681\", \"CVE-2014-2682\", \"CVE-2014-2683\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Amazon Linux Local Security Checks\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"AMAZON\")\n{\nif ((res = isrpmvuln(pkg:\"php-ZendFramework-Pdf\", 
rpm:\"php-ZendFramework-Pdf~1.12.5~1.8.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"php-ZendFramework-Search-Lucene\", rpm:\"php-ZendFramework-Search-Lucene~1.12.5~1.8.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"php-ZendFramework-Serializer-Adapter-Igbinary\", rpm:\"php-ZendFramework-Serializer-Adapter-Igbinary~1.12.5~1.8.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"php-ZendFramework-Db-Adapter-Pdo-Pgsql\", rpm:\"php-ZendFramework-Db-Adapter-Pdo-Pgsql~1.12.5~1.8.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"php-ZendFramework-Cache-Backend-Libmemcached\", rpm:\"php-ZendFramework-Cache-Backend-Libmemcached~1.12.5~1.8.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"php-ZendFramework\", rpm:\"php-ZendFramework~1.12.5~1.8.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"php-ZendFramework-Db-Adapter-Pdo-Mssql\", rpm:\"php-ZendFramework-Db-Adapter-Pdo-Mssql~1.12.5~1.8.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"php-ZendFramework-Services\", rpm:\"php-ZendFramework-Services~1.12.5~1.8.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"php-ZendFramework-Captcha\", rpm:\"php-ZendFramework-Captcha~1.12.5~1.8.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"php-ZendFramework-Db-Adapter-Pdo\", rpm:\"php-ZendFramework-Db-Adapter-Pdo~1.12.5~1.8.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"php-ZendFramework-extras\", rpm:\"php-ZendFramework-extras~1.12.5~1.8.amzn1\", 
rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"php-ZendFramework-Ldap\", rpm:\"php-ZendFramework-Ldap~1.12.5~1.8.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"php-ZendFramework-full\", rpm:\"php-ZendFramework-full~1.12.5~1.8.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"php-ZendFramework-Auth-Adapter-Ldap\", rpm:\"php-ZendFramework-Auth-Adapter-Ldap~1.12.5~1.8.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"php-ZendFramework-Cache-Backend-Memcached\", rpm:\"php-ZendFramework-Cache-Backend-Memcached~1.12.5~1.8.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"php-ZendFramework-Soap\", rpm:\"php-ZendFramework-Soap~1.12.5~1.8.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"php-ZendFramework-Feed\", rpm:\"php-ZendFramework-Feed~1.12.5~1.8.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"php-ZendFramework-Db-Adapter-Pdo-Mysql\", rpm:\"php-ZendFramework-Db-Adapter-Pdo-Mysql~1.12.5~1.8.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"php-ZendFramework-Dojo\", rpm:\"php-ZendFramework-Dojo~1.12.5~1.8.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"php-ZendFramework-Cache-Backend-Apc\", rpm:\"php-ZendFramework-Cache-Backend-Apc~1.12.5~1.8.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"php-ZendFramework-demos\", rpm:\"php-ZendFramework-demos~1.12.5~1.8.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = 
isrpmvuln(pkg:\"php-ZendFramework-Db-Adapter-Mysqli\", rpm:\"php-ZendFramework-Db-Adapter-Mysqli~1.12.5~1.8.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"php-ZendFramework\", rpm:\"php-ZendFramework~1.12.5~1.8.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-07-25T10:48:36", "bulletinFamily": "scanner", "description": "Check for the Version of php-ZendFramework2", "modified": "2017-07-10T00:00:00", "published": "2014-04-15T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=867686", "id": "OPENVAS:867686", "title": "Fedora Update for php-ZendFramework2 FEDORA-2014-4636", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for php-ZendFramework2 FEDORA-2014-4636\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_id(867686);\n script_version(\"$Revision: 6629 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:33:41 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2014-04-15 09:41:52 +0530 (Tue, 15 Apr 2014)\");\n script_cve_id(\"CVE-2014-2681\", \"CVE-2014-2682\", \"CVE-2014-2683\", \"CVE-2014-2684\", \"CVE-2014-2685\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for php-ZendFramework2 FEDORA-2014-4636\");\n\n tag_insight = \"Zend Framework 2 is an open source framework for developing web applications\nand services using PHP 5.3+. 
Zend Framework 2 uses 100% object-oriented code\nand utilizes most of the new features of PHP 5.3, namely namespaces, late\nstatic binding, lambda functions and closures.\n\nZend Framework 2 evolved from Zend Framework 1, a successful PHP framework\nwith over 15 million downloads.\n\nNote: This meta package installs all base Zend Framework component packages\n(Authentication, Barcode, Cache, Captcha, Code, Config, Console, Crypt, Db,\nDebug, Di, Dom, Escaper, EventManager, Feed, File, Filter, Form, Http, I18n,\nInputFilter, Json, Ldap, Loader, Log, Mail, Math, Memory, Mime, ModuleManager,\nMvc, Navigation, Paginator, Permissions-Acl, Permissions-Rbac, ProgressBar,\nSerializer, Server, ServiceManager, Session, Soap, Stdlib, Tag, Test, Text,\nUri, Validator, Version, View, XmlRpc) except the optional Cache-apc and\nCache-memcached packages.\n\";\n\n tag_affected = \"php-ZendFramework2 on Fedora 19\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"FEDORA\", value: \"2014-4636\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2014-April/131373.html\");\n script_summary(\"Check for the Version of php-ZendFramework2\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC19\")\n{\n\n if ((res = 
isrpmvuln(pkg:\"php-ZendFramework2\", rpm:\"php-ZendFramework2~2.2.6~1.fc19\", rls:\"FC19\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-25T10:48:48", "bulletinFamily": "scanner", "description": "Check for the Version of php-ZendFramework", "modified": "2017-07-10T00:00:00", "published": "2014-04-15T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=867685", "id": "OPENVAS:867685", "title": "Fedora Update for php-ZendFramework FEDORA-2014-4603", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for php-ZendFramework FEDORA-2014-4603\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_id(867685);\n script_version(\"$Revision: 6629 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:33:41 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2014-04-15 09:41:45 +0530 (Tue, 15 Apr 2014)\");\n script_cve_id(\"CVE-2014-2681\", \"CVE-2014-2682\", \"CVE-2014-2683\", \"CVE-2014-2684\", \"CVE-2014-2685\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for php-ZendFramework FEDORA-2014-4603\");\n\n tag_insight = \"Extending the art & spirit of PHP, Zend Framework is based on simplicity,\nobject-oriented best practices, corporate friendly licensing, and a rigorously\ntested agile code base. 
Zend Framework is focused on building more secure,\nreliable, and modern Web 2.0 applications & web services, and consuming widely\navailable APIs from leading vendors like Google, Amazon, Yahoo!, Flickr, as\nwell as API providers and catalogers like StrikeIron and ProgrammableWeb.\n\";\n\n tag_affected = \"php-ZendFramework on Fedora 19\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"FEDORA\", value: \"2014-4603\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2014-April/131341.html\");\n script_summary(\"Check for the Version of php-ZendFramework\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC19\")\n{\n\n if ((res = isrpmvuln(pkg:\"php-ZendFramework\", rpm:\"php-ZendFramework~1.12.5~1.fc19\", rls:\"FC19\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-25T10:48:50", "bulletinFamily": "scanner", "description": "Check for the Version of php-ZendFramework", "modified": "2017-07-10T00:00:00", "published": "2014-04-15T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=867684", "id": "OPENVAS:867684", 
"title": "Fedora Update for php-ZendFramework FEDORA-2014-4651", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for php-ZendFramework FEDORA-2014-4651\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_id(867684);\n script_version(\"$Revision: 6629 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:33:41 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2014-04-15 09:41:38 +0530 (Tue, 15 Apr 2014)\");\n script_cve_id(\"CVE-2014-2681\", \"CVE-2014-2682\", \"CVE-2014-2683\", \"CVE-2014-2684\", \"CVE-2014-2685\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for php-ZendFramework FEDORA-2014-4651\");\n\n tag_insight = \"Extending the art & spirit of PHP, Zend Framework is based on simplicity,\nobject-oriented best practices, corporate friendly licensing, and a rigorously\ntested agile code base. 
Zend Framework is focused on building more secure,\nreliable, and modern Web 2.0 applications & web services, and consuming widely\navailable APIs from leading vendors like Google, Amazon, Yahoo!, Flickr, as\nwell as API providers and catalogers like StrikeIron and ProgrammableWeb.\n\";\n\n tag_affected = \"php-ZendFramework on Fedora 20\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"FEDORA\", value: \"2014-4651\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2014-April/131347.html\");\n script_summary(\"Check for the Version of php-ZendFramework\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"php-ZendFramework\", rpm:\"php-ZendFramework~1.12.5~1.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:37:37", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2014-04-15T00:00:00", "id": "OPENVAS:1361412562310867685", "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310867685", "title": "Fedora Update for php-ZendFramework FEDORA-2014-4603", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for php-ZendFramework FEDORA-2014-4603\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.867685\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-04-15 09:41:45 +0530 (Tue, 15 Apr 2014)\");\n script_cve_id(\"CVE-2014-2681\", \"CVE-2014-2682\", \"CVE-2014-2683\", \"CVE-2014-2684\", \"CVE-2014-2685\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for php-ZendFramework FEDORA-2014-4603\");\n script_tag(name:\"affected\", value:\"php-ZendFramework on Fedora 19\");\n script_tag(name:\"solution\", value:\"Please install the updated 
package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"FEDORA\", value:\"2014-4603\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2014-April/131341.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'php-ZendFramework'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC19\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC19\")\n{\n\n if ((res = isrpmvuln(pkg:\"php-ZendFramework\", rpm:\"php-ZendFramework~1.12.5~1.fc19\", rls:\"FC19\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:37:25", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2014-06-02T00:00:00", "id": "OPENVAS:1361412562310867845", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310867845", "title": "Fedora Update for php-ZendFramework2 FEDORA-2014-6540", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for php-ZendFramework2 FEDORA-2014-6540\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can 
redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.867845\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-06-02 13:23:15 +0530 (Mon, 02 Jun 2014)\");\n script_cve_id(\"CVE-2014-2681\", \"CVE-2014-2682\", \"CVE-2014-2683\", \"CVE-2014-2684\", \"CVE-2014-2685\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for php-ZendFramework2 FEDORA-2014-6540\");\n script_tag(name:\"affected\", value:\"php-ZendFramework2 on Fedora 20\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"FEDORA\", value:\"2014-6540\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2014-May/133763.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'php-ZendFramework2'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n 
script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC20\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"php-ZendFramework2\", rpm:\"php-ZendFramework2~2.2.7~1.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-07-25T10:48:33", "bulletinFamily": "scanner", "description": "Check for the Version of php-ZendFramework2", "modified": "2017-07-10T00:00:00", "published": "2014-04-15T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=867689", "id": "OPENVAS:867689", "title": "Fedora Update for php-ZendFramework2 FEDORA-2014-4612", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for php-ZendFramework2 FEDORA-2014-4612\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_id(867689);\n script_version(\"$Revision: 6629 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:33:41 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2014-04-15 09:42:08 +0530 (Tue, 15 Apr 2014)\");\n script_cve_id(\"CVE-2014-2681\", \"CVE-2014-2682\", \"CVE-2014-2683\", \"CVE-2014-2684\", \"CVE-2014-2685\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for php-ZendFramework2 FEDORA-2014-4612\");\n\n tag_insight = \"Zend Framework 2 is an open source framework for developing web applications\nand services using PHP 5.3+. 
Zend Framework 2 uses 100% object-oriented code\nand utilizes most of the new features of PHP 5.3, namely namespaces, late\nstatic binding, lambda functions and closures.\n\nZend Framework 2 evolved from Zend Framework 1, a successful PHP framework\nwith over 15 million downloads.\n\nNote: This meta package installs all base Zend Framework component packages\n(Authentication, Barcode, Cache, Captcha, Code, Config, Console, Crypt, Db,\nDebug, Di, Dom, Escaper, EventManager, Feed, File, Filter, Form, Http, I18n,\nInputFilter, Json, Ldap, Loader, Log, Mail, Math, Memory, Mime, ModuleManager,\nMvc, Navigation, Paginator, Permissions-Acl, Permissions-Rbac, ProgressBar,\nSerializer, Server, ServiceManager, Session, Soap, Stdlib, Tag, Test, Text,\nUri, Validator, Version, View, XmlRpc) except the optional Cache-apc and\nCache-memcached packages.\n\";\n\n tag_affected = \"php-ZendFramework2 on Fedora 20\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"FEDORA\", value: \"2014-4612\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2014-April/131406.html\");\n script_summary(\"Check for the Version of php-ZendFramework2\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC20\")\n{\n\n if ((res = 
isrpmvuln(pkg:\"php-ZendFramework2\", rpm:\"php-ZendFramework2~2.2.6~1.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:37:13", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2014-04-15T00:00:00", "id": "OPENVAS:1361412562310867686", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310867686", "title": "Fedora Update for php-ZendFramework2 FEDORA-2014-4636", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for php-ZendFramework2 FEDORA-2014-4636\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.867686\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-04-15 09:41:52 +0530 (Tue, 15 Apr 2014)\");\n script_cve_id(\"CVE-2014-2681\", \"CVE-2014-2682\", \"CVE-2014-2683\", \"CVE-2014-2684\", \"CVE-2014-2685\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for php-ZendFramework2 FEDORA-2014-4636\");\n script_tag(name:\"affected\", value:\"php-ZendFramework2 on Fedora 19\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"FEDORA\", value:\"2014-4636\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2014-April/131373.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'php-ZendFramework2'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC19\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = 
rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC19\")\n{\n\n if ((res = isrpmvuln(pkg:\"php-ZendFramework2\", rpm:\"php-ZendFramework2~2.2.6~1.fc19\", rls:\"FC19\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2019-12-13T07:03:59", "bulletinFamily": "scanner", "description": "update to 1.12.5 fixes\nhttp://framework.zend.com/security/advisory/ZF2014-01 fixes\nhttp://framework.zend.com/security/advisory/ZF2014-02 removed:\nInfoCards, Services/Nirvanix\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2019-12-02T00:00:00", "id": "FEDORA_2014-4651.NASL", "href": "https://www.tenable.com/plugins/nessus/73506", "published": "2014-04-15T00:00:00", "title": "Fedora 20 : php-ZendFramework-1.12.5-1.fc20 (2014-4651)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-4651.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(73506);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/11/20 11:04:17\");\n\n script_cve_id(\"CVE-2014-2681\", \"CVE-2014-2682\", \"CVE-2014-2683\", \"CVE-2014-2684\", \"CVE-2014-2685\");\n script_xref(name:\"FEDORA\", value:\"2014-4651\");\n\n script_name(english:\"Fedora 20 : php-ZendFramework-1.12.5-1.fc20 (2014-4651)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"update to 1.12.5 
fixes\nhttp://framework.zend.com/security/advisory/ZF2014-01 fixes\nhttp://framework.zend.com/security/advisory/ZF2014-02 removed:\nInfoCards, Services/Nirvanix\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # http://framework.zend.com/security/advisory/ZF2014-01\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://framework.zend.com/security/advisory/ZF2014-01\"\n );\n # http://framework.zend.com/security/advisory/ZF2014-02\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://framework.zend.com/security/advisory/ZF2014-02\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1081287\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1081288\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-April/131347.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?88b85319\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected php-ZendFramework package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-ZendFramework\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:20\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/04/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^20([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 20.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC20\", reference:\"php-ZendFramework-1.12.5-1.fc20\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php-ZendFramework\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-13T06:38:59", "bulletinFamily": "scanner", "description": "The GenericConsumer class in the Consumer component in ZendOpenId\nbefore 2.0.2 and the Zend_OpenId_Consumer class in Zend Framework 1\nbefore 1.12.4 violate the OpenID 2.0 protocol by ensuring only that at\nleast one field is signed, which allows remote attackers to bypass\nauthentication by leveraging an assertion from an OpenID 
provider.\n\nXML eXternal Entity (XXE) and XML Entity Expansion (XEE) flaws were\ndiscovered in the Zend Framework. An attacker could use these flaws to\ncause a denial of service, access files accessible to the server\nprocess, or possibly perform other more advanced XML External Entity\n(XXE) attacks.\n\nUsing the Consumer component of ZendOpenId (or Zend_OpenId in ZF1), it\nis possible to log in using an arbitrary OpenID account (without\nknowing any secret information) by using a malicious OpenID Provider.\nThat means it is possible to log in using an arbitrary OpenID\nIdentity (MyOpenID, Google, etc.) that is not under the control of\nour own OpenID Provider. Thus, we are able to impersonate any OpenID\nIdentity against the framework.\n\nMoreover, the Consumer accepts OpenID tokens with arbitrary signed\nelements. The framework does not check if, for example, both\nopenid.claimed_id and openid.endpoint_url are signed. It is just\nsufficient to sign one parameter. According to\nhttps://openid.net/specs/openid-authentication-2_0.html#positive_assertions,\nat least op_endpoint, return_to, response_nonce, assoc_handle,\nand, if present in the response, claimed_id and identity, must be\nsigned.", "modified": "2019-12-02T00:00:00", "id": "ALA_ALAS-2014-377.NASL", "href": "https://www.tenable.com/plugins/nessus/78320", "published": "2014-10-12T00:00:00", "title": "Amazon Linux AMI : php-ZendFramework (ALAS-2014-377)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2014-377.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(78320);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2018/04/18 15:09:35\");\n\n script_cve_id(\"CVE-2014-2681\", \"CVE-2014-2682\", \"CVE-2014-2683\", \"CVE-2014-2684\", \"CVE-2014-2685\");\n script_xref(name:\"ALAS\", value:\"2014-377\");\n\n script_name(english:\"Amazon 
Linux AMI : php-ZendFramework (ALAS-2014-377)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The GenericConsumer class in the Consumer component in ZendOpenId\nbefore 2.0.2 and the Zend_OpenId_Consumer class in Zend Framework 1\nbefore 1.12.4 violate the OpenID 2.0 protocol by ensuring only that at\nleast one field is signed, which allows remote attackers to bypass\nauthentication by leveraging an assertion from an OpenID provider.\n\nXML eXternal Entity (XXE) and XML Entity Expansion (XEE) flaws were\ndiscovered in the Zend Framework. An attacker could use these flaws to\ncause a denial of service, access files accessible to the server\nprocess, or possibly perform other more advanced XML External Entity\n(XXE) attacks.\n\nUsing the Consumer component of ZendOpenId (or Zend_OpenId in ZF1), it\nis possible to login using an arbitrary OpenID account (without\nknowing any secret information) by using a malicious OpenID Provider.\nThat means OpenID it is possible to login using arbitrary OpenID\nIdentity (MyOpenID, Google, etc), which are not under the control of\nour own OpenID Provider. Thus, we are able to impersonate any OpenID\nIdentity against the framework.\n\nMoreover, the Consumer accepts OpenID tokens with arbitrary signed\nelements. The framework does not check if, for example, both\nopenid.claimed_id and openid.endpoint_url are signed. It is just\nsufficient to sign one parameter. 
According to\nhttps://openid.net/specs/openid-authentication-2_0.html#positive_asser\ntions, at least op_endpoint, return_to, response_nonce, assoc_handle,\nand, if present in the response, claimed_id and identity, must be\nsigned.\"\n );\n # https://openid.net/specs/openid-authentication-2_0.html#positive_assertions\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?acf9f182\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2014-377.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update php-ZendFramework' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-ZendFramework\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-ZendFramework-Auth-Adapter-Ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-ZendFramework-Cache-Backend-Apc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-ZendFramework-Cache-Backend-Libmemcached\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-ZendFramework-Cache-Backend-Memcached\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-ZendFramework-Captcha\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-ZendFramework-Db-Adapter-Mysqli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-ZendFramework-Db-Adapter-Pdo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-ZendFramework-Db-Adapter-Pdo-Mssql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-ZendFramework-Db-Adapter-Pdo-Mysql\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:amazon:linux:php-ZendFramework-Db-Adapter-Pdo-Pgsql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-ZendFramework-Dojo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-ZendFramework-Feed\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-ZendFramework-Ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-ZendFramework-Pdf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-ZendFramework-Search-Lucene\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-ZendFramework-Serializer-Adapter-Igbinary\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-ZendFramework-Services\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-ZendFramework-Soap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-ZendFramework-demos\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-ZendFramework-extras\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-ZendFramework-full\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/07/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) 
audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"php-ZendFramework-1.12.5-1.8.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-ZendFramework-Auth-Adapter-Ldap-1.12.5-1.8.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-ZendFramework-Cache-Backend-Apc-1.12.5-1.8.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-ZendFramework-Cache-Backend-Libmemcached-1.12.5-1.8.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-ZendFramework-Cache-Backend-Memcached-1.12.5-1.8.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-ZendFramework-Captcha-1.12.5-1.8.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-ZendFramework-Db-Adapter-Mysqli-1.12.5-1.8.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-ZendFramework-Db-Adapter-Pdo-1.12.5-1.8.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-ZendFramework-Db-Adapter-Pdo-Mssql-1.12.5-1.8.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-ZendFramework-Db-Adapter-Pdo-Mysql-1.12.5-1.8.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-ZendFramework-Db-Adapter-Pdo-Pgsql-1.12.5-1.8.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-ZendFramework-Dojo-1.12.5-1.8.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-ZendFramework-Feed-1.12.5-1.8.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", 
reference:\"php-ZendFramework-Ldap-1.12.5-1.8.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-ZendFramework-Pdf-1.12.5-1.8.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-ZendFramework-Search-Lucene-1.12.5-1.8.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-ZendFramework-Serializer-Adapter-Igbinary-1.12.5-1.8.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-ZendFramework-Services-1.12.5-1.8.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-ZendFramework-Soap-1.12.5-1.8.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-ZendFramework-demos-1.12.5-1.8.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-ZendFramework-extras-1.12.5-1.8.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-ZendFramework-full-1.12.5-1.8.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php-ZendFramework / php-ZendFramework-Auth-Adapter-Ldap / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-13T07:03:59", "bulletinFamily": "scanner", "description": "Upstream release notes:\nhttps://github.com/zendframework/zf2/releases/tag/release-2.2.6\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2019-12-02T00:00:00", "id": "FEDORA_2014-4612.NASL", "href": "https://www.tenable.com/plugins/nessus/73503", "published": "2014-04-15T00:00:00", "title": "Fedora 20 : php-ZendFramework2-2.2.6-1.fc20 (2014-4612)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-4612.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(73503);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/12/24 10:14:27\");\n\n script_cve_id(\"CVE-2014-2681\", \"CVE-2014-2682\", \"CVE-2014-2683\", \"CVE-2014-2684\", \"CVE-2014-2685\");\n script_xref(name:\"FEDORA\", value:\"2014-4612\");\n\n script_name(english:\"Fedora 20 : php-ZendFramework2-2.2.6-1.fc20 (2014-4612)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Upstream release notes:\nhttps://github.com/zendframework/zf2/releases/tag/release-2.2.6\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1081287\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1081288\"\n );\n # https://github.com/zendframework/zf2/releases/tag/release-2.2.6\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?cc21b67a\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-April/131406.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3d4fe175\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected php-ZendFramework2 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-ZendFramework2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:20\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/04/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^20([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 20.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC20\", reference:\"php-ZendFramework2-2.2.6-1.fc20\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php-ZendFramework2\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-13T07:03:59", "bulletinFamily": "scanner", "description": "Upstream release notes:\nhttps://github.com/zendframework/zf2/releases/tag/release-2.2.6\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2019-12-02T00:00:00", "id": "FEDORA_2014-4636.NASL", "href": "https://www.tenable.com/plugins/nessus/73505", "published": "2014-04-15T00:00:00", "title": "Fedora 19 : php-ZendFramework2-2.2.6-1.fc19 (2014-4636)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-4636.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(73505);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/12/24 10:14:27\");\n\n script_cve_id(\"CVE-2014-2681\", \"CVE-2014-2682\", \"CVE-2014-2683\", \"CVE-2014-2684\", \"CVE-2014-2685\");\n script_xref(name:\"FEDORA\", value:\"2014-4636\");\n\n script_name(english:\"Fedora 19 : php-ZendFramework2-2.2.6-1.fc19 (2014-4636)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Upstream release notes:\nhttps://github.com/zendframework/zf2/releases/tag/release-2.2.6\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1081287\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1081288\"\n );\n # https://github.com/zendframework/zf2/releases/tag/release-2.2.6\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?cc21b67a\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-April/131373.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?15b34049\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected php-ZendFramework2 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-ZendFramework2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:19\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/04/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^19([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 19.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC19\", reference:\"php-ZendFramework2-2.2.6-1.fc19\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php-ZendFramework2\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-13T08:05:52", "bulletinFamily": "scanner", "description": "Updated php-ZendFramework packages fix security vulnerabilities :\n\nXML eXternal Entity (XXE) and XML Entity Expansion (XEE) flaws were\ndiscovered in the Zend Framework. 
An attacker could use these flaws to\ncause a denial of service, access files accessible to the server\nprocess, or possibly perform other more advanced XML External Entity\n(XXE) attacks (CVE-2014-2681, CVE-2014-2682, CVE-2014-2683).\n\nUsing the Consumer component of Zend_OpenId, it is possible to log in\nusing an arbitrary OpenID account (without knowing any secret\ninformation) by using a malicious OpenID Provider. That means\nit is possible to log in using an arbitrary OpenID Identity (MyOpenID,\nGoogle, etc.) that is not under the control of our own OpenID\nProvider. Thus, we are able to impersonate any OpenID Identity against\nthe framework (CVE-2014-2684, CVE-2014-2685).", "modified": "2019-12-02T00:00:00", "id": "MANDRIVA_MDVSA-2014-072.NASL", "href": "https://www.tenable.com/plugins/nessus/73447", "published": "2014-04-10T00:00:00", "title": "Mandriva Linux Security Advisory : php-ZendFramework (MDVSA-2014:072)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2014:072. 
\n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(73447);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/08/02 13:32:55\");\n\n script_cve_id(\"CVE-2014-2681\", \"CVE-2014-2682\", \"CVE-2014-2683\", \"CVE-2014-2684\", \"CVE-2014-2685\");\n script_bugtraq_id(66358);\n script_xref(name:\"MDVSA\", value:\"2014:072\");\n\n script_name(english:\"Mandriva Linux Security Advisory : php-ZendFramework (MDVSA-2014:072)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandriva Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated php-ZendFramework packages fix security vulnerabilities :\n\nXML eXternal Entity (XXE) and XML Entity Expansion (XEE) flaws were\ndiscovered in the Zend Framework. An attacker could use these flaws to\ncause a denial of service, access files accessible to the server\nprocess, or possibly perform other more advanced XML External Entity\n(XXE) attacks (CVE-2014-2681, CVE-2014-2682, CVE-2014-2683).\n\nUsing the Consumer component of Zend_OpenId, it is possible to login\nusing an arbitrary OpenID account (without knowing any secret\ninformation) by using a malicious OpenID Provider. That means OpenID\nit is possible to login using arbitrary OpenID Identity (MyOpenID,\nGoogle, etc), which are not under the control of our own OpenID\nProvider. 
Thus, we are able to impersonate any OpenID Identity against\nthe framework (CVE-2014-2684, CVE-2014-2685).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2014-0151.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-ZendFramework\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-ZendFramework-Cache-Backend-Apc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-ZendFramework-Cache-Backend-Memcached\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-ZendFramework-Captcha\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-ZendFramework-Dojo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-ZendFramework-Feed\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-ZendFramework-Gdata\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-ZendFramework-Pdf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-ZendFramework-Search-Lucene\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-ZendFramework-Services\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-ZendFramework-demos\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-ZendFramework-extras\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:mandriva:linux:php-ZendFramework-tests\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:business_server:1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/04/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"php-ZendFramework-1.12.5-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"php-ZendFramework-Cache-Backend-Apc-1.12.5-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"php-ZendFramework-Cache-Backend-Memcached-1.12.5-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"php-ZendFramework-Captcha-1.12.5-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"php-ZendFramework-Dojo-1.12.5-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"php-ZendFramework-Feed-1.12.5-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", 
reference:\"php-ZendFramework-Gdata-1.12.5-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"php-ZendFramework-Pdf-1.12.5-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"php-ZendFramework-Search-Lucene-1.12.5-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"php-ZendFramework-Services-1.12.5-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"php-ZendFramework-demos-1.12.5-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"php-ZendFramework-extras-1.12.5-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"php-ZendFramework-tests-1.12.5-1.mbs1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-13T08:05:57", "bulletinFamily": "scanner", "description": "Updated php-ZendFramework packages fix multiple vulnerabilities :\n\nXML eXternal Entity (XXE) and XML Entity Expansion (XEE) flaws were\ndiscovered in the Zend Framework. An attacker could use these flaws to\ncause a denial of service, access files accessible to the server\nprocess, or possibly perform other more advanced XML External Entity\n(XXE) attacks (CVE-2014-2681, CVE-2014-2682, CVE-2014-2683).\n\nUsing the Consumer component of Zend_OpenId, it is possible to log in\nusing an arbitrary OpenID account (without knowing any secret\ninformation) by using a malicious OpenID Provider. That means\nit is possible to log in using an arbitrary OpenID Identity (MyOpenID,\nGoogle, etc.) that is not under the control of our own OpenID\nProvider. 
Thus, we are able to impersonate any OpenID Identity against\nthe framework (CVE-2014-2684, CVE-2014-2685).\n\nThe implementation of the ORDER BY SQL statement in Zend_Db_Select of\nZend Framework 1 contains a potential SQL injection when the query\nstring passed contains parentheses (CVE-2014-4914).\n\nDue to a bug in PHP", "modified": "2019-12-02T00:00:00", "id": "MANDRIVA_MDVSA-2015-097.NASL", "href": "https://www.tenable.com/plugins/nessus/82350", "published": "2015-03-30T00:00:00", "title": "Mandriva Linux Security Advisory : php-ZendFramework (MDVSA-2015:097)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2015:097. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(82350);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2019/08/02 13:32:56\");\n\n script_cve_id(\"CVE-2014-2681\", \"CVE-2014-2682\", \"CVE-2014-2683\", \"CVE-2014-2684\", \"CVE-2014-2685\", \"CVE-2014-4914\", \"CVE-2014-8088\", \"CVE-2014-8089\");\n script_xref(name:\"MDVSA\", value:\"2015:097\");\n\n script_name(english:\"Mandriva Linux Security Advisory : php-ZendFramework (MDVSA-2015:097)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandriva Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated php-ZendFramework packages fix multiple vulnerabilities :\n\nXML eXternal Entity (XXE) and XML Entity Expansion (XEE) flaws were\ndiscovered in the Zend Framework. 
An attacker could use these flaws to\ncause a denial of service, access files accessible to the server\nprocess, or possibly perform other more advanced XML External Entity\n(XXE) attacks (CVE-2014-2681, CVE-2014-2682, CVE-2014-2683).\n\nUsing the Consumer component of Zend_OpenId, it is possible to login\nusing an arbitrary OpenID account (without knowing any secret\ninformation) by using a malicious OpenID Provider. That means OpenID\nit is possible to login using arbitrary OpenID Identity (MyOpenID,\nGoogle, etc), which are not under the control of our own OpenID\nProvider. Thus, we are able to impersonate any OpenID Identity against\nthe framework (CVE-2014-2684, CVE-2014-2685).\n\nThe implementation of the ORDER BY SQL statement in Zend_Db_Select of\nZend Framework 1 contains a potential SQL injection when the query\nstring passed contains parentheses (CVE-2014-4914).\n\nDue to a bug in PHP's LDAP extension, when ZendFramework's Zend_ldap\nclass is used for logins, an attacker can login as any user by using a\nnull byte to bypass the empty password check and perform an\nunauthenticated LDAP bind (CVE-2014-8088).\n\nThe sqlsrv PHP extension, which provides the ability to connect to\nMicrosoft SQL Server from PHP, does not provide a built-in quoting\nmechanism for manually quoting values to pass via SQL queries;\ndevelopers are encouraged to use prepared statements. Zend Framework\nprovides quoting mechanisms via Zend_Db_Adapter_Sqlsrv which uses the\nrecommended double single quote ('') as quoting delimiters. 
SQL Server\ntreats null bytes in a query as a string terminator, allowing an\nattacker to add arbitrary SQL following a null byte, and thus create a\nSQL injection (CVE-2014-8089).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2014-0151.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2014-0311.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2014-0434.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-ZendFramework\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-ZendFramework-Cache-Backend-Apc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-ZendFramework-Cache-Backend-Memcached\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-ZendFramework-Captcha\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-ZendFramework-Dojo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-ZendFramework-Feed\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-ZendFramework-Gdata\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-ZendFramework-Pdf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-ZendFramework-Search-Lucene\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-ZendFramework-Services\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-ZendFramework-demos\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:mandriva:linux:php-ZendFramework-extras\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-ZendFramework-tests\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:business_server:2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/03/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/03/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2019 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK-MBS2\", reference:\"php-ZendFramework-1.12.9-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", reference:\"php-ZendFramework-Cache-Backend-Apc-1.12.9-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", reference:\"php-ZendFramework-Cache-Backend-Memcached-1.12.9-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", reference:\"php-ZendFramework-Captcha-1.12.9-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", reference:\"php-ZendFramework-Dojo-1.12.9-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", 
reference:\"php-ZendFramework-Feed-1.12.9-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", reference:\"php-ZendFramework-Gdata-1.12.9-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", reference:\"php-ZendFramework-Pdf-1.12.9-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", reference:\"php-ZendFramework-Search-Lucene-1.12.9-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", reference:\"php-ZendFramework-Services-1.12.9-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", reference:\"php-ZendFramework-demos-1.12.9-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", reference:\"php-ZendFramework-extras-1.12.9-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", reference:\"php-ZendFramework-tests-1.12.9-1.mbs2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-13T06:51:26", "bulletinFamily": "scanner", "description": "Multiple vulnerabilities were discovered in Zend Framework, a PHP\nframework. Except for CVE-2015-3154, all these issues were already\nfixed in the version initially shipped with Jessie.\n\n - CVE-2014-2681\n Lukas Reschke reported a lack of protection against XML\n External Entity injection attacks in some functions.\n This fix extends the incomplete one from CVE-2012-5657.\n\n - CVE-2014-2682\n Lukas Reschke reported a failure to consider that the\n libxml_disable_entity_loader setting is shared among\n threads in the PHP-FPM case. This fix extends the\n incomplete one from CVE-2012-5657.\n\n - CVE-2014-2683\n Lukas Reschke reported a lack of protection against XML\n Entity Expansion attacks in some functions. 
This fix\n extends the incomplete one from CVE-2012-6532.\n\n - CVE-2014-2684\n Christian Mainka and Vladislav Mladenov from the\n Ruhr-University Bochum reported an error in the\n consumer", "modified": "2019-12-02T00:00:00", "id": "DEBIAN_DSA-3265.NASL", "href": "https://www.tenable.com/plugins/nessus/83748", "published": "2015-05-21T00:00:00", "title": "Debian DSA-3265-1 : zendframework - security update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3265. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(83748);\n script_version(\"2.8\");\n script_cvs_date(\"Date: 2018/11/10 11:49:37\");\n\n script_cve_id(\"CVE-2014-2681\", \"CVE-2014-2682\", \"CVE-2014-2683\", \"CVE-2014-2684\", \"CVE-2014-2685\", \"CVE-2014-4914\", \"CVE-2014-8088\", \"CVE-2014-8089\", \"CVE-2015-3154\");\n script_bugtraq_id(66358, 68031, 70011, 70378, 74561);\n script_xref(name:\"DSA\", value:\"3265\");\n\n script_name(english:\"Debian DSA-3265-1 : zendframework - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple vulnerabilities were discovered in Zend Framework, a PHP\nframework. 
Except for CVE-2015-3154, all these issues were already\nfixed in the version initially shipped with Jessie.\n\n - CVE-2014-2681\n Lukas Reschke reported a lack of protection against XML\n External Entity injection attacks in some functions.\n This fix extends the incomplete one from CVE-2012-5657.\n\n - CVE-2014-2682\n Lukas Reschke reported a failure to consider that the\n libxml_disable_entity_loader setting is shared among\n threads in the PHP-FPM case. This fix extends the\n incomplete one from CVE-2012-5657.\n\n - CVE-2014-2683\n Lukas Reschke reported a lack of protection against XML\n Entity Expansion attacks in some functions. This fix\n extends the incomplete one from CVE-2012-6532.\n\n - CVE-2014-2684\n Christian Mainka and Vladislav Mladenov from the\n Ruhr-University Bochum reported an error in the\n consumer's verify method that lead to acceptance of\n wrongly sourced tokens.\n\n - CVE-2014-2685\n Christian Mainka and Vladislav Mladenov from the\n Ruhr-University Bochum reported a specification\n violation in which signing of a single parameter is\n incorrectly considered sufficient.\n\n - CVE-2014-4914\n Cassiano Dal Pizzol discovered that the implementation\n of the ORDER BY SQL statement in Zend_Db_Select contains\n a potential SQL injection when the query string passed\n contains parentheses.\n\n - CVE-2014-8088\n Yury Dyachenko at Positive Research Center identified\n potential XML eXternal Entity injection vectors due to\n insecure usage of PHP's DOM extension.\n\n - CVE-2014-8089\n Jonas Sandstrom discovered a SQL injection vector when\n manually quoting value for sqlsrv extension, using null\n byte.\n\n - CVE-2015-3154\n Filippo Tessarotto and Maks3w reported potential CRLF\n injection attacks in mail and HTTP headers.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743175\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754201\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2015-3154\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2014-2681\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2012-5657\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2014-2682\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2012-5657\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2014-2683\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2012-6532\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2014-2684\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2014-2685\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2014-4914\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2014-8088\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2014-8089\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2015-3154\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/zendframework\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/zendframework\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://www.debian.org/security/2015/dsa-3265\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the zendframework packages.\n\nFor the oldstable distribution (wheezy), these problems have been\nfixed in version 1.11.13-1.1+deb7u1.\n\nFor the stable distribution (jessie), these problems have been fixed\nin version 1.12.9+dfsg-2+deb8u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:zendframework\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/05/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/05/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"zendframework\", reference:\"1.11.13-1.1+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"zendframework-bin\", reference:\"1.11.13-1.1+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"zendframework-resources\", reference:\"1.11.13-1.1+deb7u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"zendframework\", reference:\"1.12.9+dfsg-2+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"zendframework-bin\", reference:\"1.12.9+dfsg-2+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"zendframework-resources\", reference:\"1.12.9+dfsg-2+deb8u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-13T06:50:22", "bulletinFamily": "scanner", "description": "The previous zendframework upload incorrectly fixes CVE-2015-3154,\ncausing a regression. This update corrects this problem. 
Thanks to\nЕвгений\nСмолин (Evgeny Smolin)\n<esmolin@inbox.ru>.\n\nCVE-2012-6531\n\nPádraic Brady identified a weakness to handle the\nSimpleXMLElement zendframework class, allowing to remote attackers to\nread arbitrary files or create TCP connections via an XML external\nentity (XXE) injection attack.\n\nCVE-2012-6532\n\nPádraic Brady found that remote attackers could cause a denial\nof service by CPU consumption, via recursive or circular references\nthrough an XML entity expansion (XEE) attack.\n\nCVE-2014-2681\n\nLukas Reschke reported a lack of protection against XML External\nEntity injection attacks in some functions. This fix extends the\nincomplete one from CVE-2012-5657.\n\nCVE-2014-2682\n\nLukas Reschke reported a failure to consider that the\nlibxml_disable_entity_loader setting is shared among threads in the\nPHP-FPM case. This fix extends the incomplete one from CVE-2012-5657.\n\nCVE-2014-2683\n\nLukas Reschke reported a lack of protection against XML Entity\nExpansion attacks in some functions. This fix extends the incomplete\none from CVE-2012-6532.\n\nCVE-2014-2684\n\nChristian Mainka and Vladislav Mladenov from the Ruhr-University\nBochum reported an error in the consumer", "modified": "2019-12-02T00:00:00", "id": "DEBIAN_DLA-251.NASL", "href": "https://www.tenable.com/plugins/nessus/84297", "published": "2015-06-22T00:00:00", "title": "Debian DLA-251-2 : zendframework regression update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-251-2. 
The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84297);\n script_version(\"2.8\");\n script_cvs_date(\"Date: 2018/07/06 11:26:06\");\n\n script_cve_id(\"CVE-2012-6531\", \"CVE-2012-6532\", \"CVE-2014-2681\", \"CVE-2014-2682\", \"CVE-2014-2683\", \"CVE-2014-2684\", \"CVE-2014-2685\", \"CVE-2014-4914\", \"CVE-2014-8088\", \"CVE-2014-8089\", \"CVE-2015-3154\");\n script_bugtraq_id(57977, 66358, 68031, 70011, 70378, 74561);\n\n script_name(english:\"Debian DLA-251-2 : zendframework regression update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The previous zendframework upload incorrectly fixes CVE-2015-3154,\ncausing a regression. This update corrects this problem. Thanks to\nЕвгений\nСмолин (Evgeny Smolin)\n<esmolin@inbox.ru>.\n\nCVE-2012-6531\n\nPádraic Brady identified a weakness to handle the\nSimpleXMLElement zendframework class, allowing to remote attackers to\nread arbitrary files or create TCP connections via an XML external\nentity (XXE) injection attack.\n\nCVE-2012-6532\n\nPádraic Brady found that remote attackers could cause a denial\nof service by CPU consumption, via recursive or circular references\nthrough an XML entity expansion (XEE) attack.\n\nCVE-2014-2681\n\nLukas Reschke reported a lack of protection against XML External\nEntity injection attacks in some functions. This fix extends the\nincomplete one from CVE-2012-5657.\n\nCVE-2014-2682\n\nLukas Reschke reported a failure to consider that the\nlibxml_disable_entity_loader setting is shared among threads in the\nPHP-FPM case. 
This fix extends the incomplete one from CVE-2012-5657.\n\nCVE-2014-2683\n\nLukas Reschke reported a lack of protection against XML Entity\nExpansion attacks in some functions. This fix extends the incomplete\none from CVE-2012-6532.\n\nCVE-2014-2684\n\nChristian Mainka and Vladislav Mladenov from the Ruhr-University\nBochum reported an error in the consumer's verify method that lead to\nacceptance of wrongly sourced tokens.\n\nCVE-2014-2685\n\nChristian Mainka and Vladislav Mladenov from the Ruhr-University\nBochum reported a specification violation in which signing of a single\nparameter is incorrectly considered sufficient.\n\nCVE-2014-4914\n\nCassiano Dal Pizzol discovered that the implementation of the ORDER BY\nSQL statement in Zend_Db_Select contains a potential SQL injection\nwhen the query string passed contains parentheses.\n\nCVE-2014-8088\n\nYury Dyachenko at Positive Research Center identified potential XML\neXternal Entity injection vectors due to insecure usage of PHP's DOM\nextension.\n\nCVE-2014-8089\n\nJonas Sandström discovered a SQL injection vector when manually\nquoting value for sqlsrv extension, using null byte.\n\nCVE-2015-3154\n\nFilippo Tessarotto and Maks3w reported potential CRLF injection\nattacks in mail and HTTP headers.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2015/06/msg00019.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/squeeze-lts/zendframework\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade the affected zendframework, and zendframework-bin packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:zendframework\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:zendframework-bin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:6.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/06/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/06/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif 
(!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"6.0\", prefix:\"zendframework\", reference:\"1.10.6-1squeeze4\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"zendframework-bin\", reference:\"1.10.6-1squeeze4\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:52", "bulletinFamily": "software", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n _______________________________________________________________________\r\n\r\n Mandriva Linux Security Advisory MDVSA-2014:072\r\n http://www.mandriva.com/en/support/security/\r\n _______________________________________________________________________\r\n\r\n Package : php-ZendFramework\r\n Date : April 9, 2014\r\n Affected: Business Server 1.0\r\n _______________________________________________________________________\r\n\r\n Problem Description:\r\n\r\n Updated php-ZendFramework packages fix security vulnerabilities:\r\n \r\n XML eXternal Entity (XXE) and XML Entity Expansion (XEE) flaws were\r\n discovered in the Zend Framework. An attacker could use these flaws\r\n to cause a denial of service, access files accessible to the server\r\n process, or possibly perform other more advanced XML External Entity\r\n (XXE) attacks (CVE-2014-2681, CVE-2014-2682, CVE-2014-2683).\r\n \r\n Using the Consumer component of Zend_OpenId, it is possible to\r\n login using an arbitrary OpenID account (without knowing any secret\r\n information) by using a malicious OpenID Provider. 
That means OpenID it\r\n is possible to login using arbitrary OpenID Identity (MyOpenID, Google,\r\n etc), which are not under the control of our own OpenID Provider. Thus,\r\n we are able to impersonate any OpenID Identity against the framework\r\n (CVE-2014-2684, CVE-2014-2685).\r\n _______________________________________________________________________\r\n\r\n References:\r\n\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2681\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2682\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2683\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2684\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2685\r\n http://advisories.mageia.org/MGASA-2014-0151.html\r\n _______________________________________________________________________\r\n\r\n Updated Packages:\r\n\r\n Mandriva Business Server 1/X86_64:\r\n daec0e08b71f11804e6ae6c46990ff68 mbs1/x86_64/php-ZendFramework-1.12.5-1.mbs1.noarch.rpm\r\n 8a378258f1ef34423497180b908fc59a mbs1/x86_64/php-ZendFramework-Cache-Backend-Apc-1.12.5-1.mbs1.noarch.rpm\r\n 699d7ad6685da1f41690eda58a10c745 mbs1/x86_64/php-ZendFramework-Cache-Backend-Memcached-1.12.5-1.mbs1.noarch.rpm\r\n 15e8f700fbf3477ba76764a83d5f25d2 mbs1/x86_64/php-ZendFramework-Captcha-1.12.5-1.mbs1.noarch.rpm\r\n cc13a31e7cdd0e6e18d01784d42e55cc mbs1/x86_64/php-ZendFramework-demos-1.12.5-1.mbs1.noarch.rpm\r\n e036048df929d5af5957d40767502660 mbs1/x86_64/php-ZendFramework-Dojo-1.12.5-1.mbs1.noarch.rpm\r\n a4a878736578d71f8e5d7f634f6ddfa2 mbs1/x86_64/php-ZendFramework-extras-1.12.5-1.mbs1.noarch.rpm\r\n 764b94ae3f46dcfa1f1774fe1abc9e43 mbs1/x86_64/php-ZendFramework-Feed-1.12.5-1.mbs1.noarch.rpm\r\n e80078b9860f220a785c2ae55cbc7e21 mbs1/x86_64/php-ZendFramework-Gdata-1.12.5-1.mbs1.noarch.rpm\r\n bd34d61adf9621ec5862025d4bba47af mbs1/x86_64/php-ZendFramework-Pdf-1.12.5-1.mbs1.noarch.rpm\r\n 493e97715e39f8a6cda6c95440b2bcd0 
mbs1/x86_64/php-ZendFramework-Search-Lucene-1.12.5-1.mbs1.noarch.rpm\r\n 4659d9e8e7696c27cfabb97fd0c62062 mbs1/x86_64/php-ZendFramework-Services-1.12.5-1.mbs1.noarch.rpm\r\n 6f9bbc7e92928387702f18f722525995 mbs1/x86_64/php-ZendFramework-tests-1.12.5-1.mbs1.noarch.rpm \r\n db74e7b765379fa76b525fa90862bb2c mbs1/SRPMS/php-ZendFramework-1.12.5-1.mbs1.src.rpm\r\n _______________________________________________________________________\r\n\r\n To upgrade automatically use MandrivaUpdate or urpmi. The verification\r\n of md5 checksums and GPG signatures is performed automatically for you.\r\n\r\n All packages are signed by Mandriva for security. You can obtain the\r\n GPG public key of the Mandriva Security Team by executing:\r\n\r\n gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98\r\n\r\n You can view other update advisories for Mandriva Linux at:\r\n\r\n http://www.mandriva.com/en/support/security/advisories/\r\n\r\n If you want to report vulnerabilities, please contact\r\n\r\n security_(at)_mandriva.com\r\n _______________________________________________________________________\r\n\r\n Type Bits/KeyID Date User ID\r\n pub 1024D/22458A98 2000-07-10 Mandriva Security Team\r\n <security*mandriva.com>\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.12 (GNU/Linux)\r\n\r\niD8DBQFTRR6LmqjQ0CJFipgRAjlMAJ4yUsYmr7RY5H6q4kOwht5gHN22WwCg33bk\r\ntRNhhwVRShNQdBig2bFjMXY=\r\n=u3e7\r\n-----END PGP SIGNATURE-----\r\n\r\n", "modified": "2014-05-05T00:00:00", "published": "2014-05-05T00:00:00", "id": "SECURITYVULNS:DOC:30618", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30618", "title": "[ MDVSA-2014:072 ] php-ZendFramework", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:59", "bulletinFamily": "software", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n 
_______________________________________________________________________\r\n\r\n Mandriva Linux Security Advisory MDVSA-2015:097\r\n http://www.mandriva.com/en/support/security/\r\n _______________________________________________________________________\r\n\r\n Package : php-ZendFramework\r\n Date : March 28, 2015\r\n Affected: Business Server 2.0\r\n _______________________________________________________________________\r\n\r\n Problem Description:\r\n\r\n Updated php-ZendFramework packages fix multiple vulnerabilities:\r\n \r\n XML eXternal Entity (XXE) and XML Entity Expansion (XEE) flaws were\r\n discovered in the Zend Framework. An attacker could use these flaws\r\n to cause a denial of service, access files accessible to the server\r\n process, or possibly perform other more advanced XML External Entity\r\n (XXE) attacks (CVE-2014-2681, CVE-2014-2682, CVE-2014-2683).\r\n \r\n Using the Consumer component of Zend_OpenId, it is possible to\r\n login using an arbitrary OpenID account (without knowing any secret\r\n information) by using a malicious OpenID Provider. That means OpenID it\r\n is possible to login using arbitrary OpenID Identity (MyOpenID, Google,\r\n etc), which are not under the control of our own OpenID Provider. 
Thus,\r\n we are able to impersonate any OpenID Identity against the framework\r\n (CVE-2014-2684, CVE-2014-2685).\r\n \r\n The implementation of the ORDER BY SQL statement in Zend_Db_Select\r\n of Zend Framework 1 contains a potential SQL injection when the query\r\n string passed contains parentheses (CVE-2014-4914).\r\n \r\n Due to a bug in PHP's LDAP extension, when ZendFramework's Zend_ldap\r\n class is used for logins, an attacker can login as any user by\r\n using a null byte to bypass the empty password check and perform an\r\n unauthenticated LDAP bind (CVE-2014-8088).\r\n \r\n The sqlsrv PHP extension, which provides the ability to connect to\r\n Microsoft SQL Server from PHP, does not provide a built-in quoting\r\n mechanism for manually quoting values to pass via SQL queries;\r\n developers are encouraged to use prepared statements. Zend Framework\r\n provides quoting mechanisms via Zend_Db_Adapter_Sqlsrv which uses\r\n the recommended double single quote ('') as quoting delimiters. 
SQL\r\n Server treats null bytes in a query as a string terminator, allowing\r\n an attacker to add arbitrary SQL following a null byte, and thus\r\n create a SQL injection (CVE-2014-8089).\r\n _______________________________________________________________________\r\n\r\n References:\r\n\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2681\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2682\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2683\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2684\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2685\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4914\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8088\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8089\r\n http://advisories.mageia.org/MGASA-2014-0151.html\r\n http://advisories.mageia.org/MGASA-2014-0311.html\r\n http://advisories.mageia.org/MGASA-2014-0434.html\r\n _______________________________________________________________________\r\n\r\n Updated Packages:\r\n\r\n Mandriva Business Server 2/X86_64:\r\n 02c3b9ebdbe452af6df77ddaf6ca70f4 mbs2/x86_64/php-ZendFramework-1.12.9-1.mbs2.noarch.rpm\r\n 7ee9abec95d67fac97b10885f2dfd177 mbs2/x86_64/php-ZendFramework-Cache-Backend-Apc-1.12.9-1.mbs2.noarch.rpm\r\n f2350b242c7b25969be3c4d3bfc46bd0 mbs2/x86_64/php-ZendFramework-Cache-Backend-Memcached-1.12.9-1.mbs2.noarch.rpm\r\n c6635e6de414967f9f0b412a8b9ff952 mbs2/x86_64/php-ZendFramework-Captcha-1.12.9-1.mbs2.noarch.rpm\r\n 177c35ecd6b3fff97533e8420ba61ba0 mbs2/x86_64/php-ZendFramework-demos-1.12.9-1.mbs2.noarch.rpm\r\n 55d294c2c615919e2510e92f3ba75a97 mbs2/x86_64/php-ZendFramework-Dojo-1.12.9-1.mbs2.noarch.rpm\r\n 7746384bf97f55a83d2496704576efed mbs2/x86_64/php-ZendFramework-extras-1.12.9-1.mbs2.noarch.rpm\r\n aac972c659c681b0334a98c5d2999134 mbs2/x86_64/php-ZendFramework-Feed-1.12.9-1.mbs2.noarch.rpm\r\n f2675cbbeabf8da77e51e9bb155dad67 
mbs2/x86_64/php-ZendFramework-Gdata-1.12.9-1.mbs2.noarch.rpm\r\n cde54247acb864f63e957c55e3688c42 mbs2/x86_64/php-ZendFramework-Pdf-1.12.9-1.mbs2.noarch.rpm\r\n 525f594e3b2d939163d898debd94a77e mbs2/x86_64/php-ZendFramework-Search-Lucene-1.12.9-1.mbs2.noarch.rpm\r\n f90cc7d553dc697b77c4ece07b53ce71 mbs2/x86_64/php-ZendFramework-Services-1.12.9-1.mbs2.noarch.rpm\r\n 22be7f86bf806cca47ab64edd9d2d2eb mbs2/x86_64/php-ZendFramework-tests-1.12.9-1.mbs2.noarch.rpm \r\n 2b72d33582d8ec662cebcad5ba58fce7 mbs2/SRPMS/php-ZendFramework-1.12.9-1.mbs2.src.rpm\r\n _______________________________________________________________________\r\n\r\n To upgrade automatically use MandrivaUpdate or urpmi. The verification\r\n of md5 checksums and GPG signatures is performed automatically for you.\r\n\r\n All packages are signed by Mandriva for security. You can obtain the\r\n GPG public key of the Mandriva Security Team by executing:\r\n\r\n gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98\r\n\r\n You can view other update advisories for Mandriva Linux at:\r\n\r\n http://www.mandriva.com/en/support/security/advisories/\r\n\r\n If you want to report vulnerabilities, please contact\r\n\r\n security_(at)_mandriva.com\r\n _______________________________________________________________________\r\n\r\n Type Bits/KeyID Date User ID\r\n pub 1024D/22458A98 2000-07-10 Mandriva Security Team\r\n <security*mandriva.com>\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.12 (GNU/Linux)\r\n\r\niD8DBQFVFnlJmqjQ0CJFipgRAjaEAKDzxIBZeklYyKqSbiDpdO3pLGPxugCgkJ8t\r\nPwkLG01bbegH7ISNqzJezXU=\r\n=IXGe\r\n-----END PGP SIGNATURE-----\r\n\r\n", "modified": "2015-05-12T00:00:00", "published": "2015-05-12T00:00:00", "id": "SECURITYVULNS:DOC:32109", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32109", "title": "[ MDVSA-2015:097 ] php-ZendFramework", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": 
"2018-08-31T11:10:59", "bulletinFamily": "software", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA512\r\n\r\n- -------------------------------------------------------------------------\r\nDebian Security Advisory DSA-3265-1 security@debian.org\r\nhttp://www.debian.org/security/ David PrA\u00a9vot\r\nMay 20, 2015 http://www.debian.org/security/faq\r\n- -------------------------------------------------------------------------\r\n\r\nPackage : zendframework\r\nCVE ID : CVE-2014-2681 CVE-2014-2682 CVE-2014-2683 CVE-2014-2684 \r\n CVE-2014-2685 CVE-2014-4914 CVE-2014-8088 CVE-2014-8089 \r\n CVE-2015-3154\r\nDebian Bug : 743175 754201\r\n\r\nMultiple vulnerabilities were discovered in Zend Framework, a PHP\r\nframework. Except for CVE-2015-3154, all these issues were already fixed\r\nin the version initially shipped with Jessie.\r\n\r\nCVE-2014-2681\r\n\r\n Lukas Reschke reported a lack of protection against XML External\r\n Entity injection attacks in some functions. This fix extends the\r\n incomplete one from CVE-2012-5657.\r\n\r\nCVE-2014-2682\r\n\r\n Lukas Reschke reported a failure to consider that the\r\n libxml_disable_entity_loader setting is shared among threads in the\r\n PHP-FPM case. This fix extends the incomplete one from\r\n CVE-2012-5657.\r\n\r\nCVE-2014-2683\r\n\r\n Lukas Reschke reported a lack of protection against XML Entity\r\n Expansion attacks in some functions. 
This fix extends the incomplete\r\n one from CVE-2012-6532.\r\n\r\nCVE-2014-2684\r\n\r\n Christian Mainka and Vladislav Mladenov from the Ruhr-University\r\n Bochum reported an error in the consumer's verify method that lead\r\n to acceptance of wrongly sourced tokens.\r\n\r\nCVE-2014-2685\r\n\r\n Christian Mainka and Vladislav Mladenov from the Ruhr-University\r\n Bochum reported a specification violation in which signing of a\r\n single parameter is incorrectly considered sufficient.\r\n\r\nCVE-2014-4914\r\n\r\n Cassiano Dal Pizzol discovered that the implementation of the ORDER\r\n BY SQL statement in Zend_Db_Select contains a potential SQL\r\n injection when the query string passed contains parentheses.\r\n\r\nCVE-2014-8088\r\n\r\n Yury Dyachenko at Positive Research Center identified potential XML\r\n eXternal Entity injection vectors due to insecure usage of PHP's DOM\r\n extension.\r\n\r\nCVE-2014-8089\r\n\r\n Jonas Sandstr\u00f6m discovered an SQL injection vector when manually\r\n quoting value for sqlsrv extension, using null byte.\r\n\r\nCVE-2015-3154\r\n\r\n Filippo Tessarotto and Maks3w reported potential CRLF injection\r\n attacks in mail and HTTP headers.\r\n\r\nFor the oldstable distribution (wheezy), these problems have been fixed\r\nin version 1.11.13-1.1+deb7u1.\r\n\r\nFor the stable distribution (jessie), these problems have been fixed in\r\nversion 1.12.9+dfsg-2+deb8u1.\r\n\r\nFor the testing distribution (stretch), these problems will be fixed\r\nin version 1.12.12+dfsg-1.\r\n\r\nFor the unstable distribution (sid), these problems have been fixed in\r\nversion 1.12.12+dfsg-1.\r\n\r\nWe recommend that you upgrade your zendframework packages.\r\n\r\nFurther information about Debian Security Advisories, how to apply\r\nthese updates to your system and frequently asked questions can be\r\nfound at: https://www.debian.org/security/\r\n\r\nMailing list: debian-security-announce@lists.debian.org\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG 
v1\r\n\r\niQIcBAEBCgAGBQJVXFXVAAoJEK+lG9bN5XPLIDIP/1ebw6gwJq+uzc/FNeGben3Q\r\nZqbp2akoh4wVVaLBUUWlUSohzpoW48GgTje2eRxBAIasneZHmOwcwjzdpgAdwFhe\r\nh0Xj3Pi0PMvdo9jQIBLWD/GQe8bD9YXlaEvq1D6OayEE0h27k6mrplfG7rwWsmdS\r\nG1o7P8Tnh27PifkVCzSyB43bHTgInRGfmrjoid9AWmOOYnTjuq47oexOaqgE/mQh\r\nXKKKtxlv6ru4ac+XRv06aUJmYQG4LQZJpL3wJ+d0CqIlCsSVP7pDP2X/1/Pqmdms\r\nWLBX4C4N/AM7+C/7P54rPn6uHBemhLBwJLH78cM+3kcEJ6wDuuWk7NYovv4hzXkz\r\n7CDC6nGgi5+YUaUzaiWM+VuwMWDckFAzGIg22wP/moJzSeqG/GfwVpA5AAD0XosV\r\nWW7iPgwnJFj/WWr5doBZ7LVBj/Pd56eAUJY9q4aY7GeDIFf65VD2Zd2jMIleVjSW\r\nq4I/hCElJgMiBza/066ToIfa7TB+Cutj/Fofpdq+Um7mP2GCdYPsMcxPzz6QRbt8\r\nBqcNWVKgktp/9T/yaTkPKkSWn9o1lSSV1urVWCNPg7pgrh9OVC8Ov0fqD0qOvnd4\r\nN4xAuKWnOtyn7Zwbz+vDwBzc47cbAlhx/y1M0v10D2Kf32kXdgC3C0PzK8wUcYvY\r\nXBGbffEaDb86ez3TbNmy\r\n=T2BR\r\n-----END PGP SIGNATURE-----\r\n\r\n", "modified": "2015-06-08T00:00:00", "published": "2015-06-08T00:00:00", "id": "SECURITYVULNS:DOC:32176", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32176", "title": "[SECURITY] [DSA 3265-1] zendframework security update", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:00", "bulletinFamily": "software", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "modified": "2015-05-12T00:00:00", "published": "2015-05-12T00:00:00", "id": "SECURITYVULNS:VULN:14479", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14479", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:55", "bulletinFamily": "software", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "modified": "2014-05-05T00:00:00", "published": 
"2014-05-05T00:00:00", "id": "SECURITYVULNS:VULN:13733", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13733", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 8.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "amazon": [{"lastseen": "2019-05-29T17:22:41", "bulletinFamily": "unix", "description": "**Issue Overview:**\n\nThe GenericConsumer class in the Consumer component in ZendOpenId before 2.0.2 and the Zend_OpenId_Consumer class in Zend Framework 1 before 1.12.4 violate the OpenID 2.0 protocol by ensuring only that at least one field is signed, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider. \n\nXML eXternal Entity (XXE) and XML Entity Expansion (XEE) flaws were discovered in the Zend Framework. An attacker could use these flaws to cause a denial of service, access files accessible to the server process, or possibly perform other more advanced XML External Entity (XXE) attacks.\n\nUsing the Consumer component of ZendOpenId (or Zend_OpenId in ZF1), it is possible to login using an arbitrary OpenID account (without knowing any secret information) by using a malicious OpenID Provider. That means OpenID it is possible to login using arbitrary OpenID Identity (MyOpenID, Google, etc), which are not under the control of our own OpenID Provider. Thus, we are able to impersonate any OpenID Identity against the framework.\n\nMoreover, the Consumer accepts OpenID tokens with arbitrary signed elements. The framework does not check if, for example, both openid.claimed_id and openid.endpoint_url are signed. It is just sufficient to sign one parameter. 
According to <https://openid.net/specs/openid-authentication-2_0.html#positive_assertions>, at least op_endpoint, return_to, response_nonce, assoc_handle, and, if present in the response, claimed_id and identity, must be signed.\n\n \n**Affected Packages:** \n\n\nphp-ZendFramework\n\n \n**Issue Correction:** \nRun _yum update php-ZendFramework_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n noarch: \n php-ZendFramework-Pdf-1.12.5-1.8.amzn1.noarch \n php-ZendFramework-Search-Lucene-1.12.5-1.8.amzn1.noarch \n php-ZendFramework-Serializer-Adapter-Igbinary-1.12.5-1.8.amzn1.noarch \n php-ZendFramework-Db-Adapter-Pdo-Pgsql-1.12.5-1.8.amzn1.noarch \n php-ZendFramework-Cache-Backend-Libmemcached-1.12.5-1.8.amzn1.noarch \n php-ZendFramework-1.12.5-1.8.amzn1.noarch \n php-ZendFramework-Db-Adapter-Pdo-Mssql-1.12.5-1.8.amzn1.noarch \n php-ZendFramework-Services-1.12.5-1.8.amzn1.noarch \n php-ZendFramework-Captcha-1.12.5-1.8.amzn1.noarch \n php-ZendFramework-Db-Adapter-Pdo-1.12.5-1.8.amzn1.noarch \n php-ZendFramework-extras-1.12.5-1.8.amzn1.noarch \n php-ZendFramework-Ldap-1.12.5-1.8.amzn1.noarch \n php-ZendFramework-full-1.12.5-1.8.amzn1.noarch \n php-ZendFramework-Auth-Adapter-Ldap-1.12.5-1.8.amzn1.noarch \n php-ZendFramework-Cache-Backend-Memcached-1.12.5-1.8.amzn1.noarch \n php-ZendFramework-Soap-1.12.5-1.8.amzn1.noarch \n php-ZendFramework-Feed-1.12.5-1.8.amzn1.noarch \n php-ZendFramework-Db-Adapter-Pdo-Mysql-1.12.5-1.8.amzn1.noarch \n php-ZendFramework-Dojo-1.12.5-1.8.amzn1.noarch \n php-ZendFramework-Cache-Backend-Apc-1.12.5-1.8.amzn1.noarch \n php-ZendFramework-demos-1.12.5-1.8.amzn1.noarch \n php-ZendFramework-Db-Adapter-Mysqli-1.12.5-1.8.amzn1.noarch \n \n src: \n php-ZendFramework-1.12.5-1.8.amzn1.src \n \n \n", "modified": "2014-09-19T10:49:00", "published": "2014-09-19T10:49:00", "id": "ALAS-2014-377", "href": "https://alas.aws.amazon.com/ALAS-2014-377.html", "title": "Important: php-ZendFramework", "type": "amazon", "cvss": {"score": 7.5, "vector": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2019-07-17T11:34:25", "bulletinFamily": "NVD", "description": "Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0, when PHP-FPM is used, does not properly share the libxml_disable_entity_loader setting between threads, which might allow remote attackers to conduct XML External Entity (XXE) attacks via an XML external entity declaration in conjunction with an entity reference. NOTE: this issue exists because of an incomplete fix for CVE-2012-5657.", "modified": "2019-07-16T12:21:00", "id": "CVE-2014-2682", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2682", "published": "2014-11-16T00:59:00", "title": "CVE-2014-2682", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-07-17T11:34:25", "bulletinFamily": "NVD", "description": "Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0 allow remote attackers to read arbitrary files, send HTTP requests to intranet servers, and possibly cause a denial of service (CPU and memory consumption) via an XML External Entity (XXE) attack. 
NOTE: this issue exists because of an incomplete fix for CVE-2012-5657.", "modified": "2019-07-16T12:21:00", "id": "CVE-2014-2681", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2681", "published": "2014-11-16T00:59:00", "title": "CVE-2014-2681", "type": "cve", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P"}}, {"lastseen": "2019-07-17T11:34:25", "bulletinFamily": "NVD", "description": "Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0 allow remote attackers to cause a denial of service (CPU consumption) via (1) recursive or (2) circular references in an XML entity definition in an XML DOCTYPE declaration, aka an XML Entity Expansion (XEE) attack. NOTE: this issue exists because of an incomplete fix for CVE-2012-6532.", "modified": "2019-07-16T12:21:00", "id": "CVE-2014-2683", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2683", "published": "2014-11-16T00:59:00", "title": "CVE-2014-2683", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:13:45", "bulletinFamily": "NVD", "description": "The GenericConsumer class in the Consumer component in ZendOpenId before 2.0.2 and the Zend_OpenId_Consumer class in Zend Framework 1 before 1.12.4 violate the OpenID 2.0 protocol by ensuring only that at least one field is signed, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.", "modified": "2017-11-04T01:29:00", "id": "CVE-2014-2685", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2685", "published": "2014-09-04T17:55:00", "title": "CVE-2014-2685", "type": "cve", "cvss": {"score": 7.5, "vector": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:13:45", "bulletinFamily": "NVD", "description": "The GenericConsumer class in the Consumer component in ZendOpenId before 2.0.2 and the Zend_OpenId_Consumer class in Zend Framework 1 before 1.12.4 does not verify that the openid_op_endpoint value identifies the same Identity Provider as the provider used in the association handle, which allows remote attackers to bypass authentication and spoof arbitrary OpenID identities by using a malicious OpenID Provider that generates OpenID tokens with arbitrary identifier and claimed_id values.", "modified": "2017-11-04T01:29:00", "id": "CVE-2014-2684", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2684", "published": "2014-11-16T00:59:00", "title": "CVE-2014-2684", "type": "cve", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "debian": [{"lastseen": "2019-06-25T02:21:00", "bulletinFamily": "unix", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3265-2 security@debian.org\nhttp://www.debian.org/security/ Alessandro Ghedini\nMay 24, 2015 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : zendframework\n\nThe update for zendframework issued as DSA-3265-1 introduced a regression\npreventing the use of non-string or non-stringable objects as header\nvalues. A fix for this problem is now applied, along with the final patch\nfor CVE-2015-3154. For reference the original advisory text follows.\n\nMultiple vulnerabilities were discovered in Zend Framework, a PHP\nframework. Except for CVE-2015-3154, all these issues were already fixed\nin the version initially shipped with Jessie.\n\nCVE-2014-2681\n\n Lukas Reschke reported a lack of protection against XML External\n Entity injection attacks in some functions. 
This fix extends the\n incomplete one from CVE-2012-5657.\n\nCVE-2014-2682\n\n Lukas Reschke reported a failure to consider that the\n libxml_disable_entity_loader setting is shared among threads in the\n PHP-FPM case. This fix extends the incomplete one from\n CVE-2012-5657.\n\nCVE-2014-2683\n\n Lukas Reschke reported a lack of protection against XML Entity\n Expansion attacks in some functions. This fix extends the incomplete\n one from CVE-2012-6532.\n\nCVE-2014-2684\n\n Christian Mainka and Vladislav Mladenov from the Ruhr-University\n Bochum reported an error in the consumer's verify method that lead\n to acceptance of wrongly sourced tokens.\n\nCVE-2014-2685\n\n Christian Mainka and Vladislav Mladenov from the Ruhr-University\n Bochum reported a specification violation in which signing of a\n single parameter is incorrectly considered sufficient.\n\nCVE-2014-4914\n\n Cassiano Dal Pizzol discovered that the implementation of the ORDER\n BY SQL statement in Zend_Db_Select contains a potential SQL\n injection when the query string passed contains parentheses.\n\nCVE-2014-8088\n\n Yury Dyachenko at Positive Research Center identified potential XML\n eXternal Entity injection vectors due to insecure usage of PHP's DOM\n extension.\n\nCVE-2014-8089\n\n Jonas Sandstr\u00f6m discovered an SQL injection vector when manually\n quoting value for sqlsrv extension, using null byte.\n\nCVE-2015-3154\n\n Filippo Tessarotto and Maks3w reported potential CRLF injection\n attacks in mail and HTTP headers.\n\nFor the oldstable distribution (wheezy), this problem has been fixed\nin version 1.11.13-1.1+deb7u2.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 1.12.9+dfsg-2+deb8u2.\n\nFor the testing distribution (stretch), this problem has been fixed\nin version 1.12.13+dfsg-1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.12.13+dfsg-1.\n\nWe recommend that you upgrade your zendframework packages.\n\nFurther 
information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "modified": "2015-05-24T11:55:45", "published": "2015-05-24T11:55:45", "id": "DEBIAN:DSA-3265-2:03C60", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2015/msg00164.html", "title": "[SECURITY] [DSA 3265-2] zendframework regression update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-30T02:22:38", "bulletinFamily": "unix", "description": "Package : zendframework\nVersion : 1.10.6-1squeeze3\nCVE ID : CVE-2012-6531 CVE-2012-6532 CVE-2014-2681 CVE-2014-2682\n CVE-2014-2683 CVE-2014-2684 CVE-2014-2685 CVE-2014-4914\n CVE-2014-8088 CVE-2014-8089 CVE-2015-3154\nDebian Bug : 743175 754201\n\nSeveral vulnerabilities were found in the Zend PHP framework:\n\nCVE-2012-6531\n\n P\u00e1draic Brady identified a weakness to handle the SimpleXMLElement\n zendframework class, allowing to remote attackers to read arbitrary\n files or create TCP connections via an XML external entity (XXE)\n injection attack.\n\nCVE-2012-6532\n\n P\u00e1draic Brady found that remote attackers could cause a denial of\n service by CPU consumption, via recursive or circular references\n through an XML entity expansion (XEE) attack.\n\nCVE-2014-2681\n\n Lukas Reschke reported a lack of protection against XML External\n Entity injection attacks in some functions. This fix extends the\n incomplete one from CVE-2012-5657.\n\nCVE-2014-2682\n\n Lukas Reschke reported a failure to consider that the\n libxml_disable_entity_loader setting is shared among threads in the\n PHP-FPM case. This fix extends the incomplete one from\n CVE-2012-5657.\n\nCVE-2014-2683\n\n Lukas Reschke reported a lack of protection against XML Entity\n Expansion attacks in some functions. 
This fix extends the incomplete\n one from CVE-2012-6532.\n\nCVE-2014-2684\n\n Christian Mainka and Vladislav Mladenov from the Ruhr-University\n Bochum reported an error in the consumer's verify method that lead\n to acceptance of wrongly sourced tokens.\n\nCVE-2014-2685\n\n Christian Mainka and Vladislav Mladenov from the Ruhr-University\n Bochum reported a specification violation in which signing of a\n single parameter is incorrectly considered sufficient.\n\nCVE-2014-4914\n\n Cassiano Dal Pizzol discovered that the implementation of the ORDER\n BY SQL statement in Zend_Db_Select contains a potential SQL\n injection when the query string passed contains parentheses.\n\nCVE-2014-8088\n\n Yury Dyachenko at Positive Research Center identified potential XML\n eXternal Entity injection vectors due to insecure usage of PHP's DOM\n extension.\n\nCVE-2014-8089\n\n Jonas Sandstr\u00f6m discovered an SQL injection vector when manually\n quoting value for sqlsrv extension, using null byte.\n\nCVE-2015-3154\n\n Filippo Tessarotto and Maks3w reported potential CRLF injection\n attacks in mail and HTTP headers.\n\nFor Debian 6 "Squeeze", these issues have been fixed in zendframework\nversion 1.10.6-1squeeze3.\n", "modified": "2015-06-20T18:41:19", "published": "2015-06-20T18:41:19", "id": "DEBIAN:DLA-251-1:7D839", "href": "https://lists.debian.org/debian-lts-announce/2015/debian-lts-announce-201506/msg00017.html", "title": "[SECURITY] [DLA 251-1] zendframework security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-10-24T22:37:49", "bulletinFamily": "unix", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3265-1 security@debian.org\nhttp://www.debian.org/security/ David Pr\u00c3\u00a9vot\nMay 20, 2015 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : 
zendframework\nCVE ID : CVE-2014-2681 CVE-2014-2682 CVE-2014-2683 CVE-2014-2684 \n CVE-2014-2685 CVE-2014-4914 CVE-2014-8088 CVE-2014-8089 \n CVE-2015-3154\nDebian Bug : 743175 754201\n\nMultiple vulnerabilities were discovered in Zend Framework, a PHP\nframework. Except for CVE-2015-3154, all these issues were already fixed\nin the version initially shipped with Jessie.\n\nCVE-2014-2681\n\n Lukas Reschke reported a lack of protection against XML External\n Entity injection attacks in some functions. This fix extends the\n incomplete one from CVE-2012-5657.\n\nCVE-2014-2682\n\n Lukas Reschke reported a failure to consider that the\n libxml_disable_entity_loader setting is shared among threads in the\n PHP-FPM case. This fix extends the incomplete one from\n CVE-2012-5657.\n\nCVE-2014-2683\n\n Lukas Reschke reported a lack of protection against XML Entity\n Expansion attacks in some functions. This fix extends the incomplete\n one from CVE-2012-6532.\n\nCVE-2014-2684\n\n Christian Mainka and Vladislav Mladenov from the Ruhr-University\n Bochum reported an error in the consumer's verify method that lead\n to acceptance of wrongly sourced tokens.\n\nCVE-2014-2685\n\n Christian Mainka and Vladislav Mladenov from the Ruhr-University\n Bochum reported a specification violation in which signing of a\n single parameter is incorrectly considered sufficient.\n\nCVE-2014-4914\n\n Cassiano Dal Pizzol discovered that the implementation of the ORDER\n BY SQL statement in Zend_Db_Select contains a potential SQL\n injection when the query string passed contains parentheses.\n\nCVE-2014-8088\n\n Yury Dyachenko at Positive Research Center identified potential XML\n eXternal Entity injection vectors due to insecure usage of PHP's DOM\n extension.\n\nCVE-2014-8089\n\n Jonas Sandstr\u00f6m discovered an SQL injection vector when manually\n quoting value for sqlsrv extension, using null byte.\n\nCVE-2015-3154\n\n Filippo Tessarotto and Maks3w reported potential CRLF injection\n 
attacks in mail and HTTP headers.\n\nFor the oldstable distribution (wheezy), these problems have been fixed\nin version 1.11.13-1.1+deb7u1.\n\nFor the stable distribution (jessie), these problems have been fixed in\nversion 1.12.9+dfsg-2+deb8u1.\n\nFor the testing distribution (stretch), these problems will be fixed\nin version 1.12.12+dfsg-1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 1.12.12+dfsg-1.\n\nWe recommend that you upgrade your zendframework packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "modified": "2015-05-20T09:37:45", "published": "2015-05-20T09:37:45", "id": "DEBIAN:DSA-3265-1:1C648", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2015/msg00155.html", "title": "[SECURITY] [DSA 3265-1] zendframework security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-30T02:21:37", "bulletinFamily": "unix", "description": "Package : zendframework\nVersion : 1.10.6-1squeeze4\nCVE ID : CVE-2012-6531 CVE-2012-6532 CVE-2014-2681 CVE-2014-2682\n CVE-2014-2683 CVE-2014-2684 CVE-2014-2685 CVE-2014-4914\n CVE-2014-8088 CVE-2014-8089 CVE-2015-3154\nDebian Bug : 743175 754201\n\nThe previous zendframework upload incorrectly fixes CVE-2015-3154,\ncausing a regression. This update corrects this problem. 
Thanks to\n\u0415\u0432\u0433\u0435\u043d\u0438\u0439 \u0421\u043c\u043e\u043b\u0438\u043d (Evgeny Smolin) <esmolin@inbox.ru>.\n\nCVE-2012-6531\n\n P\u00e1draic Brady identified a weakness to handle the SimpleXMLElement\n zendframework class, allowing to remote attackers to read arbitrary\n files or create TCP connections via an XML external entity (XXE)\n injection attack.\n\nCVE-2012-6532\n\n P\u00e1draic Brady found that remote attackers could cause a denial of\n service by CPU consumption, via recursive or circular references\n through an XML entity expansion (XEE) attack.\n\nCVE-2014-2681\n\n Lukas Reschke reported a lack of protection against XML External\n Entity injection attacks in some functions. This fix extends the\n incomplete one from CVE-2012-5657.\n\nCVE-2014-2682\n\n Lukas Reschke reported a failure to consider that the\n libxml_disable_entity_loader setting is shared among threads in the\n PHP-FPM case. This fix extends the incomplete one from\n CVE-2012-5657.\n\nCVE-2014-2683\n\n Lukas Reschke reported a lack of protection against XML Entity\n Expansion attacks in some functions. 
This fix extends the incomplete\n one from CVE-2012-6532.\n\nCVE-2014-2684\n\n Christian Mainka and Vladislav Mladenov from the Ruhr-University\n Bochum reported an error in the consumer's verify method that lead\n to acceptance of wrongly sourced tokens.\n\nCVE-2014-2685\n\n Christian Mainka and Vladislav Mladenov from the Ruhr-University\n Bochum reported a specification violation in which signing of a\n single parameter is incorrectly considered sufficient.\n\nCVE-2014-4914\n\n Cassiano Dal Pizzol discovered that the implementation of the ORDER\n BY SQL statement in Zend_Db_Select contains a potential SQL\n injection when the query string passed contains parentheses.\n\nCVE-2014-8088\n\n Yury Dyachenko at Positive Research Center identified potential XML\n eXternal Entity injection vectors due to insecure usage of PHP's DOM\n extension.\n\nCVE-2014-8089\n\n Jonas Sandstr\u00f6m discovered an SQL injection vector when manually\n quoting value for sqlsrv extension, using null byte.\n\nCVE-2015-3154\n\n Filippo Tessarotto and Maks3w reported potential CRLF injection\n attacks in mail and HTTP headers.\n", "modified": "2015-06-23T20:27:21", "published": "2015-06-23T20:27:21", "id": "DEBIAN:DLA-251-2:CDAD6", "href": "https://lists.debian.org/debian-lts-announce/2015/debian-lts-announce-201506/msg00019.html", "title": "[SECURITY] [DLA 251-2] zendframework regression update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}