——————————————————————————–
Fedora Update Notification
FEDORA-2016-8952105d59
2016-06-21 18:29:40.658194
——————————————————————————–
Name : php-ZendFramework2
Product : Fedora 23
Version : 2.4.10
Release : 1.fc23
URL : http://framework.zend.com
Summary : Zend Framework 2
Description :
Zend Framework 2 is an open source framework for developing web applications
and services using PHP 5.3+. Zend Framework 2 uses 100% object-oriented code
and utilizes most of the new features of PHP 5.3, namely namespaces, late
static binding, lambda functions and closures.
Zend Framework 2 evolved from Zend Framework 1, a successful PHP framework
with over 15 million downloads.
Note: This meta package installs all base Zend Framework component packages
(Authentication, Barcode, Cache, Captcha, Code, Config, Console, Crypt, Db,
Debug, Di, Dom, Escaper, EventManager, Feed, File, Filter, Form, Http, I18n,
InputFilter, Json, Ldap, Loader, Log, Mail, Math, Memory, Mime, ModuleManager,
Mvc, Navigation, Paginator, Permissions-Acl, Permissions-Rbac, ProgressBar,
Serializer, Server, ServiceManager, Session, Soap, Stdlib, Tag, Test, Text,
Uri, Validator, Version, View, XmlRpc) except the optional Cache-apc and
Cache-memcached packages.
——————————————————————————–
Update Information:
## 2.4.10 (2016-05-09) – Fix HeaderValue throwing an exception on legal
characters ## 2.4.9 (2015-11-23) ### SECURITY UPDATES – **ZF2015-09**:
`Zend\Captcha\Word` generates a “word” for a CAPTCHA challenge by selecting a
sequence of random letters from a character set. Prior to this vulnerability
announcement, the selection was performed using PHP’s internal `array_rand()`
function. This function does not generate sufficient entropy due to its usage
of `rand()` instead of more cryptographically secure methods such as
`openssl_pseudo_random_bytes()`. This could potentially lead to information
disclosure should an attacker be able to brute force the random number
generation. This release contains a patch that replaces the `array_rand()`
calls to use `Zend\Math\Rand::getInteger()`, which provides better RNG. –
**ZF2015-10**: `Zend\Crypt\PublicKey\Rsa\PublicKey` has a call to
`openssl_public_encrypt()` which used PHP’s default `$padding` argument, which
specifies `OPENSSL_PKCS1_PADDING`, indicating usage of PKCS1v1.5 padding. This
padding has a known vulnerability, the [Bleichenbacher’s chosen-ciphertext
attack](http://crypto.stackexchange.com/questions/12688/can-you-explain-
bleichenbachers-cca-attack-on-pkcs1-v1-5), which can be used to recover an RSA
private key. This release contains a patch that changes the padding argument
to use `OPENSSL_PKCS1_OAEP_PADDING`. Users upgrading to this version may have
issues decrypting previously stored values, due to the change in padding. If
this occurs, you can pass the constant `OPENSSL_PKCS1_PADDING` to a new
`$padding` argument in `Zend\Crypt\PublicKey\Rsa::encrypt()` and `decrypt()`
(though typically this should only apply to the latter): “`php
$decrypted = $rsa->decrypt($data, $key, $mode, OPENSSL_PKCS1_PADDING); “`
where `$rsa` is an instance of `Zend\Crypt\PublicKey\Rsa`. (The `$key` and
`$mode` argument defaults are `null` and
`Zend\Crypt\PublicKey\Rsa::MODE_AUTO`, if you were not using them previously.)
We recommend re-encrypting any such values using the new defaults.
——————————————————————————–
References:
[ 1 ] Bug #1343990 – [epel7][security] php-ZendFramework2-2.4.10 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1343990
[ 2 ] Bug #1289318 – CVE-2015-7503 php-ZendFramework2: Usage of vulnerable PKCS#1 v1.5 padding allows to recover RSA private key [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1289318
[ 3 ] Bug #1343995 – [f23][f22][security] php-ZendFramework2-2.4.10 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1343995
[ 4 ] Bug #1289317 – CVE-2015-7503 php-ZendFramework2: Usage of vulnerable PKCS#1 v1.5 padding allows to recover RSA private key [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1289317
——————————————————————————–
This update can be installed with the “yum” update program. Use
su -c ‘yum update php-ZendFramework2’ at the command line.
For more information, refer to “Managing Software with yum”,
available at https://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://lists.fedoraproject.org/admin/lists/package-announce@lists.fedoraproject.org
——————————————————————————–
Fedora Update Notification
FEDORA-2016-8952105d59
2016-06-21 18:29:40.658194
——————————————————————————–
Name : php-zendframework-zendxml
Product : Fedora 23
Version : 1.0.2
Release : 2.fc23
URL : http://framework.zend.com/
Summary : Zend Framework ZendXml component
Description :
An utility component for XML usage and best practices in PHP.
——————————————————————————–
Update Information:
## 2.4.10 (2016-05-09) – Fix HeaderValue throwing an exception on legal
characters ## 2.4.9 (2015-11-23) ### SECURITY UPDATES – **ZF2015-09**:
`Zend\Captcha\Word` generates a “word” for a CAPTCHA challenge by selecting a
sequence of random letters from a character set. Prior to this vulnerability
announcement, the selection was performed using PHP’s internal `array_rand()`
function. This function does not generate sufficient entropy due to its usage
of `rand()` instead of more cryptographically secure methods such as
`openssl_pseudo_random_bytes()`. This could potentially lead to information
disclosure should an attacker be able to brute force the random number
generation. This release contains a patch that replaces the `array_rand()`
calls to use `Zend\Math\Rand::getInteger()`, which provides better RNG. –
**ZF2015-10**: `Zend\Crypt\PublicKey\Rsa\PublicKey` has a call to
`openssl_public_encrypt()` which used PHP’s default `$padding` argument, which
specifies `OPENSSL_PKCS1_PADDING`, indicating usage of PKCS1v1.5 padding. This
padding has a known vulnerability, the [Bleichenbacher’s chosen-ciphertext
attack](http://crypto.stackexchange.com/questions/12688/can-you-explain-
bleichenbachers-cca-attack-on-pkcs1-v1-5), which can be used to recover an RSA
private key. This release contains a patch that changes the padding argument
to use `OPENSSL_PKCS1_OAEP_PADDING`. Users upgrading to this version may have
issues decrypting previously stored values, due to the change in padding. If
this occurs, you can pass the constant `OPENSSL_PKCS1_PADDING` to a new
`$padding` argument in `Zend\Crypt\PublicKey\Rsa::encrypt()` and `decrypt()`
(though typically this should only apply to the latter): “`php
$decrypted = $rsa->decrypt($data, $key, $mode, OPENSSL_PKCS1_PADDING); “`
where `$rsa` is an instance of `Zend\Crypt\PublicKey\Rsa`. (The `$key` and
`$mode` argument defaults are `null` and
`Zend\Crypt\PublicKey\Rsa::MODE_AUTO`, if you were not using them previously.)
We recommend re-encrypting any such values using the new defaults.
——————————————————————————–
References:
[ 1 ] Bug #1343990 – [epel7][security] php-ZendFramework2-2.4.10 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1343990
[ 2 ] Bug #1289318 – CVE-2015-7503 php-ZendFramework2: Usage of vulnerable PKCS#1 v1.5 padding allows to recover RSA private key [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1289318
[ 3 ] Bug #1343995 – [f23][f22][security] php-ZendFramework2-2.4.10 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1343995
[ 4 ] Bug #1289317 – CVE-2015-7503 php-ZendFramework2: Usage of vulnerable PKCS#1 v1.5 padding allows to recover RSA private key [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1289317
——————————————————————————–
This update can be installed with the “yum” update program. Use
su -c ‘yum update php-zendframework-zendxml’ at the command line.
For more information, refer to “Managing Software with yum”,
available at https://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://lists.fedoraproject.org/admin/lists/package-announce@lists.fedoraproject.org
——————————————————————————–
Fedora Update Notification
FEDORA-2016-03c0ed3127
2016-06-21 18:29:37.916857
——————————————————————————–
Name : php-zendframework-zendxml
Product : Fedora 22
Version : 1.0.2
Release : 2.fc22
URL : http://framework.zend.com/
Summary : Zend Framework ZendXml component
Description :
An utility component for XML usage and best practices in PHP.
——————————————————————————–
Update Information:
## 2.4.10 (2016-05-09) – Fix HeaderValue throwing an exception on legal
characters ## 2.4.9 (2015-11-23) ### SECURITY UPDATES – **ZF2015-09**:
`Zend\Captcha\Word` generates a “word” for a CAPTCHA challenge by selecting a
sequence of random letters from a character set. Prior to this vulnerability
announcement, the selection was performed using PHP’s internal `array_rand()`
function. This function does not generate sufficient entropy due to its usage
of `rand()` instead of more cryptographically secure methods such as
`openssl_pseudo_random_bytes()`. This could potentially lead to information
disclosure should an attacker be able to brute force the random number
generation. This release contains a patch that replaces the `array_rand()`
calls to use `Zend\Math\Rand::getInteger()`, which provides better RNG. –
**ZF2015-10**: `Zend\Crypt\PublicKey\Rsa\PublicKey` has a call to
`openssl_public_encrypt()` which used PHP’s default `$padding` argument, which
specifies `OPENSSL_PKCS1_PADDING`, indicating usage of PKCS1v1.5 padding. This
padding has a known vulnerability, the [Bleichenbacher’s chosen-ciphertext
attack](http://crypto.stackexchange.com/questions/12688/can-you-explain-
bleichenbachers-cca-attack-on-pkcs1-v1-5), which can be used to recover an RSA
private key. This release contains a patch that changes the padding argument
to use `OPENSSL_PKCS1_OAEP_PADDING`. Users upgrading to this version may have
issues decrypting previously stored values, due to the change in padding. If
this occurs, you can pass the constant `OPENSSL_PKCS1_PADDING` to a new
`$padding` argument in `Zend\Crypt\PublicKey\Rsa::encrypt()` and `decrypt()`
(though typically this should only apply to the latter): “`php
$decrypted = $rsa->decrypt($data, $key, $mode, OPENSSL_PKCS1_PADDING); “`
where `$rsa` is an instance of `Zend\Crypt\PublicKey\Rsa`. (The `$key` and
`$mode` argument defaults are `null` and
`Zend\Crypt\PublicKey\Rsa::MODE_AUTO`, if you were not using them previously.)
We recommend re-encrypting any such values using the new defaults.
——————————————————————————–
References:
[ 1 ] Bug #1343990 – [epel7][security] php-ZendFramework2-2.4.10 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1343990
[ 2 ] Bug #1289318 – CVE-2015-7503 php-ZendFramework2: Usage of vulnerable PKCS#1 v1.5 padding allows to recover RSA private key [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1289318
[ 3 ] Bug #1343995 – [f23][f22][security] php-ZendFramework2-2.4.10 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1343995
[ 4 ] Bug #1289317 – CVE-2015-7503 php-ZendFramework2: Usage of vulnerable PKCS#1 v1.5 padding allows to recover RSA private key [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1289317
——————————————————————————–
This update can be installed with the “yum” update program. Use
su -c ‘yum update php-zendframework-zendxml’ at the command line.
For more information, refer to “Managing Software with yum”,
available at https://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://lists.fedoraproject.org/admin/lists/package-announce@lists.fedoraproject.org
——————————————————————————–
Fedora Update Notification
FEDORA-2016-03c0ed3127
2016-06-21 18:29:37.916857
——————————————————————————–
Name : php-ZendFramework2
Product : Fedora 22
Version : 2.4.10
Release : 1.fc22
URL : http://framework.zend.com
Summary : Zend Framework 2
Description :
Zend Framework 2 is an open source framework for developing web applications
and services using PHP 5.3+. Zend Framework 2 uses 100% object-oriented code
and utilizes most of the new features of PHP 5.3, namely namespaces, late
static binding, lambda functions and closures.
Zend Framework 2 evolved from Zend Framework 1, a successful PHP framework
with over 15 million downloads.
Note: This meta package installs all base Zend Framework component packages
(Authentication, Barcode, Cache, Captcha, Code, Config, Console, Crypt, Db,
Debug, Di, Dom, Escaper, EventManager, Feed, File, Filter, Form, Http, I18n,
InputFilter, Json, Ldap, Loader, Log, Mail, Math, Memory, Mime, ModuleManager,
Mvc, Navigation, Paginator, Permissions-Acl, Permissions-Rbac, ProgressBar,
Serializer, Server, ServiceManager, Session, Soap, Stdlib, Tag, Test, Text,
Uri, Validator, Version, View, XmlRpc) except the optional Cache-apc and
Cache-memcached packages.
——————————————————————————–
Update Information:
## 2.4.10 (2016-05-09) – Fix HeaderValue throwing an exception on legal
characters ## 2.4.9 (2015-11-23) ### SECURITY UPDATES – **ZF2015-09**:
`Zend\Captcha\Word` generates a “word” for a CAPTCHA challenge by selecting a
sequence of random letters from a character set. Prior to this vulnerability
announcement, the selection was performed using PHP’s internal `array_rand()`
function. This function does not generate sufficient entropy due to its usage
of `rand()` instead of more cryptographically secure methods such as
`openssl_pseudo_random_bytes()`. This could potentially lead to information
disclosure should an attacker be able to brute force the random number
generation. This release contains a patch that replaces the `array_rand()`
calls to use `Zend\Math\Rand::getInteger()`, which provides better RNG. –
**ZF2015-10**: `Zend\Crypt\PublicKey\Rsa\PublicKey` has a call to
`openssl_public_encrypt()` which used PHP’s default `$padding` argument, which
specifies `OPENSSL_PKCS1_PADDING`, indicating usage of PKCS1v1.5 padding. This
padding has a known vulnerability, the [Bleichenbacher’s chosen-ciphertext
attack](http://crypto.stackexchange.com/questions/12688/can-you-explain-
bleichenbachers-cca-attack-on-pkcs1-v1-5), which can be used to recover an RSA
private key. This release contains a patch that changes the padding argument
to use `OPENSSL_PKCS1_OAEP_PADDING`. Users upgrading to this version may have
issues decrypting previously stored values, due to the change in padding. If
this occurs, you can pass the constant `OPENSSL_PKCS1_PADDING` to a new
`$padding` argument in `Zend\Crypt\PublicKey\Rsa::encrypt()` and `decrypt()`
(though typically this should only apply to the latter): “`php
$decrypted = $rsa->decrypt($data, $key, $mode, OPENSSL_PKCS1_PADDING); “`
where `$rsa` is an instance of `Zend\Crypt\PublicKey\Rsa`. (The `$key` and
`$mode` argument defaults are `null` and
`Zend\Crypt\PublicKey\Rsa::MODE_AUTO`, if you were not using them previously.)
We recommend re-encrypting any such values using the new defaults.
——————————————————————————–
References:
[ 1 ] Bug #1343990 – [epel7][security] php-ZendFramework2-2.4.10 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1343990
[ 2 ] Bug #1289318 – CVE-2015-7503 php-ZendFramework2: Usage of vulnerable PKCS#1 v1.5 padding allows to recover RSA private key [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1289318
[ 3 ] Bug #1343995 – [f23][f22][security] php-ZendFramework2-2.4.10 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1343995
[ 4 ] Bug #1289317 – CVE-2015-7503 php-ZendFramework2: Usage of vulnerable PKCS#1 v1.5 padding allows to recover RSA private key [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1289317
——————————————————————————–
This update can be installed with the “yum” update program. Use
su -c ‘yum update php-ZendFramework2’ at the command line.
For more information, refer to “Managing Software with yum”,
available at https://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://lists.fedoraproject.org/admin/lists/package-announce@lists.fedoraproject.org