zend-framework 1.9.4-0ubuntu2.1 source package in Ubuntu
Changelog
zend-framework (1.9.4-0ubuntu2.1) karmic-security; urgency=low

  * The security update fixes the following security issues: (LP: #506304)
    + ZF2010-03: Potential XSS vector in Zend_Filter_StripTags when comments allowed
      Zend_Filter_StripTags contained an optional setting to allow whitelisting
      HTML comments in filtered text. Microsoft Internet Explorer and several
      other browsers allow developers to create conditional functionality via
      HTML comments, including execution of script events and rendering of
      additional commented markup. By allowing whitelisting of HTML comments,
      a malicious user could potentially include XSS exploits within HTML
      comments that would then be rendered in the final output.
      http://framework.zend.com/security/advisory/ZF2010-03
    + ZF2010-04: Potential MIME-type Injection in Zend_File_Transfer
      Zend_File_Transfer had a potential MIME type injection vulnerability for
      file uploads. In certain situations where either PHP's ext/finfo
      extension is not installed and the mime_content_type() function was not
      available on a system, Zend_File_Transfer would use the user provided
      value for the type embedded inside the $_FILES superglobal.
      Additionally, in cases where the functionality was available, but where
      a type could not be determined by one of them, Zend_File_Transfer would
      also fall back on the user provided type. Using user provided
      information for a file's MIME type in uploads is considered an insecure
      practice, as it provides attack vectors by malicious users.
      http://framework.zend.com/security/advisory/ZF2010-04
    + ZF2010-06: Potential XSS or HTML Injection vector in Zend_Json
      Zend_Json_Encoder was not taking into account the solidus character
      ("/") during encoding, leading to incompatibilities with the JSON
      specification, and opening the potential for XSS or HTML injection
      attacks when returning HTML within a JSON string.
      http://framework.zend.com/security/advisory/ZF2010-06
  * debian/patches/99_ZF2010-03_Zend_Filter_Striptags.patch:
    + Patch was found at: http://framework.zend.com/issues/browse/ZF-8743
  * debian/patches/99_ZF2010-04_Zend_File_Transfer.patch:
    + Patch was found at: http://framework.zend.com/issues/browse/ZF-8733
  * debian/patches/99_ZF2010-06_Zend_Json.patch:
    + Patch was found at: http://framework.zend.com/issues/browse/ZF-8663

 -- Stephan Hermann <email address hidden>  Tue, 12 Jan 2010 10:30:47 +0000
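The three advisories above describe three distinct mistakes: treating HTML comments as inert, trusting the client-supplied MIME type in $_FILES, and emitting an unescaped "/" inside JSON that is later embedded in a page. The following PHP script is an added example and is not code from Zend Framework, the Ubuntu package, or the referenced patches; it reproduces each weak behaviour with a small stand-in function beside the safe form. It assumes PHP 7 or later with ext/fileinfo, and every input (the conditional comment, the fake upload, the JSON payload) is constructed for the demonstration.

```php
<?php
// Added example, not Zend Framework or Ubuntu package code. Requires PHP 7+
// with ext/fileinfo. All sample inputs below are constructed for the demo.

// ---- ZF2010-03: whitelisted HTML comments are not inert ----------------
// A stand-in filter that strips tags but keeps comments passes an IE
// conditional comment through unchanged; IE executes the script inside it.
function stripTagsKeepComments($html)
{
    return preg_replace_callback('/<!--.*?-->|<[^>]*>/s', function ($m) {
        return strpos($m[0], '<!--') === 0 ? $m[0] : '';   // keep comments
    }, $html);
}

// Safe form: comments are removed together with the tags (PHP's own
// strip_tags() removes comments as well).
function stripTagsAndComments($html)
{
    return preg_replace('/<[^>]*>/', '', preg_replace('/<!--.*?-->/s', '', $html));
}

// ---- ZF2010-04: never trust $_FILES[...]['type'] -----------------------
// Determine the type from the file content. If no detector is available or
// none can decide, return null so the caller rejects the upload instead of
// falling back to the client-supplied value.
function detectMimeType($path)
{
    if (class_exists('finfo')) {
        $finfo = new finfo(FILEINFO_MIME_TYPE);
        $type = $finfo->file($path);
        if (is_string($type) && $type !== '') {
            return $type;
        }
    }
    if (function_exists('mime_content_type')) {
        $type = mime_content_type($path);
        if (is_string($type) && $type !== '') {
            return $type;
        }
    }
    return null;
}

function isAllowedUpload(array $fileEntry, array $allowedTypes)
{
    $detected = detectMimeType($fileEntry['tmp_name']);
    return $detected !== null && in_array($detected, $allowedTypes, true);
}

// ---- ZF2010-06: escape the solidus when JSON is embedded in HTML --------
// Stand-in for the flawed encoder: escapes backslash and quote only, so a
// literal "</script>" survives and terminates the enclosing script block.
function jsonStringUnsafe($s)
{
    return '"' . str_replace(['\\', '"'], ['\\\\', '\\"'], $s) . '"';
}

// Safe form: "/" becomes "\/", so the browser never sees "</script>".
// PHP's json_encode() does this by default unless JSON_UNESCAPED_SLASHES is set.
function jsonStringSafe($s)
{
    return '"' . str_replace(['\\', '"', '/'], ['\\\\', '\\"', '\\/'], $s) . '"';
}

// ---- Demo (constructed inputs) ----------------------------------------
$comment = '<b>hi</b><!--[if IE]><script>alert(1)</script><![endif]-->';
echo "ZF2010-03 comments kept : ", stripTagsKeepComments($comment), "\n";
echo "ZF2010-03 comments gone : ", stripTagsAndComments($comment), "\n";

// Constructed upload: PHP source whose client-supplied type claims a PNG.
$tmp = tempnam(sys_get_temp_dir(), 'upload');
file_put_contents($tmp, "<?php echo 'not an image'; ?>\n");
$fileEntry = ['name' => 'cat.png', 'type' => 'image/png', 'tmp_name' => $tmp];
echo "ZF2010-04 client claims  : ", $fileEntry['type'], "\n";
echo "ZF2010-04 content says   : ", var_export(detectMimeType($tmp), true), "\n";
echo "ZF2010-04 accepted       : ", var_export(isAllowedUpload($fileEntry, ['image/png', 'image/jpeg']), true), "\n";
unlink($tmp);

$payload    = '</script><script>alert(document.cookie)</script>';
$pageUnsafe = '<script>var data = ' . jsonStringUnsafe($payload) . ';</script>';
$pageSafe   = '<script>var data = ' . jsonStringSafe($payload)   . ';</script>';
echo "ZF2010-06 unsafe page    : ", $pageUnsafe, "\n";
echo "ZF2010-06 safe page      : ", $pageSafe, "\n";
```

Run it with `php example.php`. The point of the ZF2010-04 half is the null return: a detector that cannot decide must make the upload fail closed, because the only other value on hand is the one the attacker chose. For ZF2010-06, compare the two generated pages in a browser: the unsafe one contains a bare `</script>` inside the string literal, which the HTML parser honours before the JavaScript parser ever sees the quotes.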
Upload details
- Uploaded by: Stephan Rügamer
- Sponsored by: Marc Deslauriers
- Uploaded to: Karmic
- Original maintainer: MOTU
- Architectures: all
- Section: web
- Urgency: Low Urgency
Downloads
File | Size | SHA-256 Checksum |
---|---|---|
zend-framework_1.9.4.orig.tar.gz | 6.4 MiB | d497daf3acebbba887fc125add5f7ea5b9c1ad2e57f5c1c71fc8da3bf978de6c |
zend-framework_1.9.4-0ubuntu2.1.diff.gz | 12.2 KiB | 88768886bafe2c7082b450a1dc1dd5f1a1e51f991ff3da43239bbeac78aa9948 |
zend-framework_1.9.4-0ubuntu2.1.dsc | 1.1 KiB | f52fe30490b00adeaff0a14abdad1c10b4dcd299a0efb85193c053ff1c9189b4 |
Binary packages built by this source
- libzend-framework-php: No summary available for libzend-framework-php in ubuntu karmic.
No description available for libzend-framework-php in ubuntu karmic.
- zend-framework: No summary available for zend-framework in ubuntu karmic.
No description available for zend-framework in ubuntu karmic.
- zend-framework-bin: No summary available for zend-framework-bin in ubuntu karmic.
No description available for zend-framework-bin in ubuntu karmic.