Dear maintainer, I've prepared an NMU for zendframework (versioned as 1.12.5-0.1) and uploaded it to DELAYED/5. Please feel free to tell me if I should delay it longer.
Even if the three upstream security-related commits apply cleanly to the current version in Sid and Jessie, they do not apply properly to the version in Wheezy, and some (minor) fixes have been committed after them too, that’s why I’m proposing to upgrade the package to the latest upstream version. The actual debdiff is huge (over 35MB), thus only attaching the debian/ related changes. Regards. David
diff --git a/debian/changelog b/debian/changelog index ca03fde..a2a7f79 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,19 @@ +zendframework (1.12.5-0.1) unstable; urgency=medium + + * Non-maintainer upload + * New upstream release, fixes several security issues (Closes: #743175): + - ZF2014-01: Potential XXE/XEE attacks using PHP functions: + simplexml_load_*, DOMDocument::loadXML, and xml_parse + http://framework.zend.com/security/advisory/ZF2014-01 + [CVE-2014-2681] [CVE-2014-2682] [CVE-2014-2683] + - F2014-02: Potential security issue in login mechanism of ZendOpenId and + Zend_OpenId consumer + http://framework.zend.com/security/advisory/ZF2014-02 + [CVE-2014-2684] [CVE-2014-2685] + * Update copyright years + + -- David Prévot <taf...@debian.org> Mon, 14 Apr 2014 14:48:35 -0400 + zendframework (1.12.3-1) unstable; urgency=low * new upstream release diff --git a/debian/copyright b/debian/copyright index 502f3b0..64c084f 100644 --- a/debian/copyright +++ b/debian/copyright @@ -3,7 +3,7 @@ Sun, 23 Aug 2009 20:48:00 +0200. It was downloaded from <http://framework.zend.com>. -Copyright (c) 2005-2009, Zend Technologies USA, Inc. +Copyright (c) 2005-2014, Zend Technologies USA, Inc. All rights reserved. Redistribution and use in source and binary forms, with or without modification,
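Review bot: the second advisory bullet in the debian/changelog hunk is mislabelled as "F2014-02"; the URL on the following line and the preceding "ZF2014-01" entry show it should read "ZF2014-02: Potential security issue in login mechanism of ZendOpenId and Zend_OpenId consumer". Also worth a second look: the entry fixes five CVEs but is uploaded with urgency=medium, so consider whether urgency=high is more appropriate for a security-driven NMU.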