The Zend Framework community announces the immediate availability of
both 1.11.13 and 1.12.0rc4.
Downloads for both versions are available at:
http://framework.zend.com/downloads/latest
SECURITY NOTICE FOR 1.11.13 AND 1.12.0RC4
-----------------------------------------
Several components were found to contain additional XML eXternal Entity
(XXE) injection vulnerabilities (in addition to the XML-RPC component
patched in 1.11.12). Additionally, we identified several potential XML
Entity Expansion (XEE) vectors. XEE attacks occur when the XML doctype
declaration contains XML entity definitions; these attacks usually result
in recursion, which consumes CPU and memory resources, making Denial of
Service (DoS) attacks easier to implement.
The patches in 1.11.13 and 1.12.0rc4 close both XXE and XEE
vulnerabilities found in the framework. The former are mitigated by
ensuring libxml_disable_entity_loader is called before any SimpleXML
calls are executed; the latter are mitigated by looping through the
DOMDocument instance and checking for XML_DOCUMENT_TYPE_NODE children,
raising an exception if any are found (in cases where SimpleXML is used,
loading the XML via DOMDocument first, and then passing the object to
simplexml_import_dom).
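As an added illustration (PHP example written for this note, not code from Zend Framework), the mitigation described above can be applied to untrusted XML in one helper: disable the external entity loader before parsing, load through DOMDocument, reject any document-type node, and only then hand the tree to SimpleXML. The function and exception names, and the two sample documents, are assumptions constructed for the example.

```php
<?php
// Added example, not Zend Framework code. Names (loadUntrustedXml,
// DoctypeFoundException) are invented for this illustration.

class DoctypeFoundException extends RuntimeException {}

function loadUntrustedXml(string $xml): SimpleXMLElement
{
    // XXE mitigation: stop libxml from resolving external entities (local files,
    // URLs) before any parser touches the input. libxml_disable_entity_loader()
    // is deprecated on PHP >= 8.0, where external loading is already off by default,
    // so it is only called on older runtimes.
    $previousLoader = PHP_VERSION_ID < 80000 ? libxml_disable_entity_loader(true) : null;
    $previousErrors = libxml_use_internal_errors(true);
    try {
        $dom = new DOMDocument();
        // LIBXML_NONET additionally forbids network access while parsing.
        if (!$dom->loadXML($xml, LIBXML_NONET)) {
            libxml_clear_errors();
            throw new RuntimeException('Malformed XML document');
        }
        // XEE mitigation: entity definitions live in the DOCTYPE, so any
        // document-type child of the DOMDocument causes the input to be refused.
        foreach ($dom->childNodes as $child) {
            if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {
                throw new DoctypeFoundException('Refusing XML that declares a DOCTYPE');
            }
        }
        // Only a DOCTYPE-free tree reaches SimpleXML.
        return simplexml_import_dom($dom);
    } finally {
        if ($previousLoader !== null) {
            libxml_disable_entity_loader($previousLoader);
        }
        libxml_use_internal_errors($previousErrors);
    }
}

// Constructed sample inputs: a plain XML-RPC call, and one carrying a DOCTYPE.
$benign      = '<?xml version="1.0"?><methodCall><methodName>ping</methodName></methodCall>';
$withDoctype = '<?xml version="1.0"?><!DOCTYPE d [<!ENTITY a "x">]><root>&a;</root>';

echo 'method: ', (string) loadUntrustedXml($benign)->methodName, PHP_EOL;
try {
    loadUntrustedXml($withDoctype);
} catch (DoctypeFoundException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```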
The following components were patched:
- Zend_Dom
- Zend_Feed
- Zend_Soap
- Zend_XmlRpc
Thanks go to Pádraic Brady for identifying and patching these vectors.
If you are using any of the above components, we highly recommend
upgrading to 1.11.13 or later immediately.
--
Matthew Weier O'Phinney
Project Lead | [email protected]
Zend Framework | http://framework.zend.com/
PGP key: http://framework.zend.com/zf-matthew-pgp-key.asc
--
List: [email protected]
Info: http://framework.zend.com/archives