The download URL was incorrect -- correct URL is
http://framework.zend.com/download/latest
-- Matthew Weier O'Phinney <[email protected]> wrote
(on Monday, 20 August 2012, 04:21 PM -0500):
> The Zend Framework community announces the immediate availability of
> both 1.11.13 and 1.12.0rc4.
>
> Downloads for both versions are available at:
>
> http://framework.zend.com/downloads/latest
>
>
> SECURITY NOTICE FOR 1.11.13 AND 1.12.0RC4
> -----------------------------------------
>
> Several components were found to contain additional XML eXternal Entity
> (XXE) injection vulnerabilities (in addition to the XML-RPC component
> patched in 1.11.12). Additionally, we identified several potential XML
> Entity Expansion (XEE) vectors. XEE attacks occur when the XML doctype
> declaration contains XML entity definitions; these attacks usually result
> in recursion, which consumes CPU and memory resources, making Denial of
> Service (DoS) attacks easier to implement.
>
> The patches in 1.11.13 and 1.12.0rc4 close both XXE and XEE
> vulnerabilities found in the framework. The former are mitigated by
> ensuring libxml_disable_entity_loader is called before any SimpleXML
> calls are executed; the latter are mitigated by looping through the
> DOMDocument instance and checking for XML_DOCUMENT_TYPE_NODE children,
> raising an exception if any are found (in cases where SimpleXML is used,
> loading the XML via DOMDocument first, and then passing the object to
> simplexml_import_dom).
>
> The following components were patched:
>
> - Zend_Dom
> - Zend_Feed
> - Zend_Soap
> - Zend_XmlRpc
>
> Thanks go to Pádraic Brady for identifying and patching these vectors.
>
> If you are using any of the above components, we highly recommend
> upgrading to 1.11.13 or later immediately.
>
> --
> Matthew Weier O'Phinney
> Project Lead | [email protected]
> Zend Framework | http://framework.zend.com/
> PGP key: http://framework.zend.com/zf-matthew-pgp-key.asc
>
--
Matthew Weier O'Phinney
Project Lead | [email protected]
Zend Framework | http://framework.zend.com/
PGP key: http://framework.zend.com/zf-matthew-pgp-key.asc
--
List: [email protected]
Info: http://framework.zend.com/archives
Unsubscribe: [email protected]
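The mitigation described in the quoted notice (disable the libxml external entity loader before parsing, load into a DOMDocument, reject any XML_DOCUMENT_TYPE_NODE child, and only then hand the tree to simplexml_import_dom), written out as a standalone helper. This is an added example, not Zend Framework code; the function and class names (loadUntrustedXml, toSafeSimpleXml, UnsafeXmlException) and the three sample documents are constructed for illustration. It assumes PHP 5.3+ with ext/dom and ext/simplexml.

```php
<?php
// Added example, not Zend Framework code. Names below are hypothetical.
// libxml_disable_entity_loader() is deprecated from PHP 8.0 because external
// entity loading is then off by default; on older PHP it is the XXE switch.

class UnsafeXmlException extends RuntimeException {}

/**
 * Parse untrusted XML into a DOMDocument with external entities disabled
 * (XXE) and any DOCTYPE declaration, the carrier of entity definitions
 * used for entity expansion (XEE), rejected outright.
 */
function loadUntrustedXml($xml)
{
    // XXE mitigation: stop libxml from fetching file://, http://, php://
    // etc. while we parse. Remember the previous state so we can restore it.
    $prevLoader = libxml_disable_entity_loader(true);
    $prevErrors = libxml_use_internal_errors(true);

    try {
        $dom = new DOMDocument();
        // LIBXML_NONET forbids network access as well. Never pass
        // LIBXML_NOENT here: that would ask libxml to substitute entities.
        if ($dom->loadXML($xml, LIBXML_NONET) === false) {
            $msg = 'XML failed to parse';
            foreach (libxml_get_errors() as $err) {
                $msg .= '; ' . trim($err->message);
            }
            throw new UnsafeXmlException($msg);
        }

        // XEE mitigation: entity definitions (including the recursive
        // "billion laughs" kind) can only appear in the DOCTYPE, so a
        // document type node among the top-level children is grounds to stop.
        foreach ($dom->childNodes as $child) {
            if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {
                throw new UnsafeXmlException(
                    'DOCTYPE declaration found in untrusted XML; refusing to parse'
                );
            }
        }
    } catch (Exception $e) {
        libxml_clear_errors();
        libxml_use_internal_errors($prevErrors);
        libxml_disable_entity_loader($prevLoader);
        throw $e;
    }

    libxml_clear_errors();
    libxml_use_internal_errors($prevErrors);
    libxml_disable_entity_loader($prevLoader);
    return $dom;
}

/** SimpleXML access without ever calling simplexml_load_string() directly. */
function toSafeSimpleXml($xml)
{
    return simplexml_import_dom(loadUntrustedXml($xml));
}

// Constructed sample inputs for demonstration.
$benign = '<?xml version="1.0"?><methodCall><methodName>ping</methodName></methodCall>';

$xxe = '<?xml version="1.0"?>'
     . '<!DOCTYPE x [<!ENTITY ext SYSTEM "file:///etc/passwd">]>'
     . '<methodCall><methodName>&ext;</methodName></methodCall>';

$xee = '<?xml version="1.0"?>'
     . '<!DOCTYPE lolz ['
     . '<!ENTITY lol "lol">'
     . '<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">'
     . '<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">'
     . ']><lolz>&lol3;</lolz>';

foreach (array('benign' => $benign, 'xxe' => $xxe, 'xee' => $xee) as $label => $doc) {
    try {
        $sx = toSafeSimpleXml($doc);
        echo $label, ": parsed, root element <", $sx->getName(), ">\n";
    } catch (UnsafeXmlException $e) {
        echo $label, ": rejected (", $e->getMessage(), ")\n";
    }
}
```

Both hostile documents are rejected at the DOCTYPE check before any entity is ever resolved, which is the point of checking the DOM rather than the expanded text: by the time SimpleXML has substituted entities, the resource consumption or file read has already happened. Restoring the previous entity-loader state matters in long-running processes, since libxml_disable_entity_loader() is process-global and other code on the same request may rely on the earlier setting.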