Control: tags -1 + confirmed

Apologies for the delay in getting back to you.

On Thu, 2016-04-14 at 18:15 -0400, David Prévot wrote:
> As agreed with the security team, I’d like to fix another potential
> entropy vulnerability that has been fixed in zendframework.
>
> The fix also gets rid of openssl_random_pseudo_bytes() introduced in the
> previous ZF2015-09 fix, and I also added a regression fix from the
> CVE-2015-7695 (ZF2015-08) patch (this one was introduced in DSA-3369-1).
>
> Please find attached the proposed debdiff for Wheezy, it’s pretty
> similar to the one from #821042.
>
> zendframework (1.11.13-1.1+deb7u6) wheezy; urgency=medium
>
>   * Fix regression from ZF2015-08: binary data corruption
>   * Backport security fix from 1.12.18:
>     - ZF2016-01: Potential Insufficient Entropy Vulnerability in ZF1
>       http://framework.zend.com/security/advisory/ZF2016-01

Given that we're working towards EOLing wheezy after wheezy-lts started up, my general inclination is to NACK accepting further updates. However, given that this fixes a regression in an earlier update to the package in wheezy, I'm prepared to bend that stance a little.

Assuming that the resulting package has been tested on wheezy, please go ahead.

Regards,

Adam

