Security Issues in Zend-Framework

Bug #506304 reported by Stephan Rügamer
Affects                  Status        Importance  Assigned to      Milestone
zend-framework (Ubuntu)  Fix Released  Undecided   Stephan Rügamer
  Jaunty                 Fix Released  Undecided   Stephan Rügamer
  Karmic                 Fix Released  Undecided   Stephan Rügamer
  Lucid                  Fix Released  Undecided   Stephan Rügamer

Bug Description

Binary package hint: zend-framework

The following security issues were detected in Zend-Framework:

 * ZF2010-06: Potential XSS or HTML Injection vector in Zend_Json
   http://framework.zend.com/security/advisory/ZF2010-06
 * ZF2010-05: Potential XSS vector in Zend_Service_ReCaptcha_MailHide
   http://framework.zend.com/security/advisory/ZF2010-05
 * ZF2010-04: Potential MIME-type Injection in Zend_File_Transfer
   http://framework.zend.com/security/advisory/ZF2010-04
 * ZF2010-03: Potential XSS vector in Zend_Filter_StripTags when comments allowed
   http://framework.zend.com/security/advisory/ZF2010-03
 * ZF2010-02: Potential XSS vector in Zend_Dojo_View_Helper_Editor
   http://framework.zend.com/security/advisory/ZF2010-02
 * ZF2010-01: Potential XSS vectors due to inconsistent encodings
   http://framework.zend.com/security/advisory/ZF2010-01

visibility: private → public
Changed in zend-framework (Ubuntu):
assignee: nobody → Stephan Hermann (shermann)
status: New → Confirmed
Changed in zend-framework (Ubuntu Karmic):
assignee: nobody → Stephan Hermann (shermann)
status: New → Confirmed
Changed in zend-framework (Ubuntu Jaunty):
status: New → Confirmed
assignee: nobody → Stephan Hermann (shermann)
Stephan Rügamer (sruegamer) wrote :

zend-framework (1.9.7-0ubuntu1) lucid; urgency=low

  * New upstream bugfix release
    + The upstream changelog for all fixed issues can be found here:
      http://framework.zend.com/changelog/1.9.7
    + This release also fixes the security issues:
      ZF2010-06: Potential XSS or HTML Injection vector in Zend_Json
      ZF2010-05: Potential XSS vector in Zend_Service_ReCaptcha_MailHide
      ZF2010-04: Potential MIME-type Injection in Zend_File_Transfer
      ZF2010-03: Potential XSS vector in Zend_Filter_StripTags when comments allowed
      ZF2010-02: Potential XSS vector in Zend_Dojo_View_Helper_Editor
      ZF2010-01: Potential XSS vectors due to inconsistent encodings

Date: Tue, 12 Jan 2010 08:51:07 +0000
Changed-By: Stephan Hermann <email address hidden>
Maintainer: Ubuntu MOTU Developers <email address hidden>
https://launchpad.net/ubuntu/lucid/+source/zend-framework/1.9.7-0ubuntu1

Changed in zend-framework (Ubuntu Lucid):
status: Confirmed → Fix Released
Stephan Rügamer (sruegamer) wrote :
Changed in zend-framework (Ubuntu Karmic):
status: Confirmed → Fix Committed
Stephan Rügamer (sruegamer) wrote :
Changed in zend-framework (Ubuntu Jaunty):
status: Confirmed → Fix Committed
Marc Deslauriers (mdeslaur) wrote :

I have uploaded jaunty and karmic; they should come out today.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package zend-framework - 1.9.4-0ubuntu2.1

---------------
zend-framework (1.9.4-0ubuntu2.1) karmic-security; urgency=low

  * The security update fixes the following security issues: (LP: #506304)
    + ZF2010-03: Potential XSS vector in Zend_Filter_StripTags when comments allowed
      Zend_Filter_StripTags contained an optional setting to allow whitelisting
      HTML comments in filtered text. Microsoft Internet Explorer and several other
      browsers allow developers to create conditional functionality via HTML comments,
      including execution of script events and rendering of additional commented markup.
      By allowing whitelisting of HTML comments, a malicious user could potentially
      include XSS exploits within HTML comments that would then be rendered in the final output.
      http://framework.zend.com/security/advisory/ZF2010-03
    + ZF2010-04: Potential MIME-type Injection in Zend_File_Transfer
      Zend_File_Transfer had a potential MIME type injection vulnerability for file uploads.
      In certain situations where either PHP's ext/finfo extension is not installed and
      the mime_content_type() function was not available on a system, Zend_File_Transfer would
      use the user provided value for the type embedded inside the $_FILES superglobal.
      Additionally, in cases where the functionality was available, but where a type could not
      be determined by one of them, Zend_File_Transfer would also fallback on the user provided type.
      Using user provided information for a file's MIME type in uploads is considered an insecure
      practice, as it provides attack vectors by malicious users.
      http://framework.zend.com/security/advisory/ZF2010-04
    + ZF2010-06: Potential XSS or HTML Injection vector in Zend_Json
      Zend_Json_Encoder was not taking into account the solidus character ("/") during encoding,
      leading to incompatibilities with the JSON specification, and opening the potential for XSS
      or HTML injection attacks when returning HTML within a JSON string.
  * debian/patches/99_ZF2010-03_Zend_Filter_Striptags.patch:
    + Patch was found at: http://framework.zend.com/issues/browse/ZF-8743
  * debian/patches/99_ZF2010-04_Zend_File_Transfer.patch:
    + Patch was found at: http://framework.zend.com/issues/browse/ZF-8733
  * debian/patches/99_ZF2010-06_Zend_Json.patch
    + Patch was found at: http://framework.zend.com/issues/browse/ZF-8663
 -- Stephan Hermann <email address hidden> Tue, 12 Jan 2010 10:30:47 +0000

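The fallback that ZF2010-04 describes, as an added example in Python rather than Zend_File_Transfer's PHP (this is not Zend Framework code): a vulnerable upload-type resolver that consults the client-supplied `type` whenever content-based detection is missing or inconclusive, beside a hardened one that never reads that field. The magic-byte table, the function names and the two sample uploads are constructed for the example; a real deployment would call libmagic (ext/finfo, python-magic, `file`) rather than this table, and the choice to reject an upload whose type cannot be determined is this example's policy, not something the advisory mandates.

```python
from typing import Optional

# Constructed signature table standing in for ext/finfo / libmagic (assumption:
# a real deployment would call python-magic or `file`, not this short list).
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
]

ALLOWED_TYPES = {"image/png", "image/jpeg", "image/gif"}


def sniff_mime(data: bytes) -> Optional[str]:
    """Content-based detection: return a type from the file's leading bytes,
    or None when nothing matches (the 'inconclusive' case in the advisory)."""
    for signature, mime in MAGIC:
        if data.startswith(signature):
            return mime
    return None


def vulnerable_file_type(upload: dict, detector_available: bool = True) -> str:
    """The pre-fix pattern: use the client's Content-Type (PHP's
    $_FILES[...]['type']) whenever detection is absent or returns nothing.
    The client sets that field freely, so it proves nothing about the bytes."""
    if detector_available:
        detected = sniff_mime(upload["data"])
        if detected is not None:
            return detected
    return upload["type"]  # attacker-controlled fallback


def hardened_file_type(upload: dict, detector_available: bool = True) -> Optional[str]:
    """Post-fix behaviour: the client-supplied type is never read. If detection
    is unavailable or inconclusive, or the detected type is not on the allow
    list, the upload is rejected (None). Failing closed is this example's
    policy choice, not something the advisory prescribes."""
    if not detector_available:
        return None
    detected = sniff_mime(upload["data"])
    if detected is None or detected not in ALLOWED_TYPES:
        return None
    return detected


# Constructed uploads: a PHP file whose Content-Type header claims PNG, and a
# genuine PNG header whose Content-Type header claims text/plain.
FORGED_UPLOAD = {
    "name": "avatar.png",
    "type": "image/png",            # chosen by the client, never verified
    "data": b"<?php echo 'not an image'; ?>",
}
GENUINE_PNG = {
    "name": "photo.png",
    "type": "text/plain",           # wrong header, right bytes
    "data": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
}

if __name__ == "__main__":
    for label, fn in (("vulnerable", vulnerable_file_type), ("hardened", hardened_file_type)):
        print(label, "forged :", fn(FORGED_UPLOAD), "| no detector:", fn(FORGED_UPLOAD, False))
        print(label, "genuine:", fn(GENUINE_PNG), "| no detector:", fn(GENUINE_PNG, False))
```

Note that the hardened resolver also stops trusting the header for the genuine PNG: the header is simply ignored in both directions, which is the whole point. Whether a rejected upload should instead be stored as `application/octet-stream` and served with `Content-Disposition: attachment` is a deployment decision outside the advisory.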
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package zend-framework - 1.7.5-0ubuntu2.2

---------------
zend-framework (1.7.5-0ubuntu2.2) jaunty-security; urgency=low

  * The security update fixes the following security issues: (LP: #506304)
    + ZF2010-03: Potential XSS vector in Zend_Filter_StripTags when comments allowed
      Zend_Filter_StripTags contained an optional setting to allow whitelisting
      HTML comments in filtered text. Microsoft Internet Explorer and several other
      browsers allow developers to create conditional functionality via HTML comments,
      including execution of script events and rendering of additional commented markup.
      By allowing whitelisting of HTML comments, a malicious user could potentially
      include XSS exploits within HTML comments that would then be rendered in the final output.
      http://framework.zend.com/security/advisory/ZF2010-03
    + ZF2010-06: Potential XSS or HTML Injection vector in Zend_Json
      Zend_Json_Encoder was not taking into account the solidus character ("/") during encoding,
      leading to incompatibilities with the JSON specification, and opening the potential for XSS
      or HTML injection attacks when returning HTML within a JSON string.
    + ZF2010-02: Potential XSS vector in Zend_Dojo_View_Helper_Editor
      Zend_Dojo_View_Helper_Editor was incorrectly decorating a TEXTAREA instead of a DIV.
      The Dojo team has reported that this has security implications as the rich
      text editor they use is unable to escape content for a TEXTAREA.
  * debian/patches/99_ZF2010-03_Zend_Filter_Striptags.patch:
    + Patch was found at: http://framework.zend.com/issues/browse/ZF-8743
  * debian/patches/99_ZF2010-06_Zend_Json.patch
    + Patch was found at: http://framework.zend.com/issues/browse/ZF-8663
  * debian/patches/99_ZF2010-02_Zend_Dojo.patch:
    + Patch was found at: http://framework.zend.com/issues/browse/ZF-6753
 -- Stephan Hermann <email address hidden> Tue, 12 Jan 2010 11:14:21 +0000

Changed in zend-framework (Ubuntu Jaunty):
status: Fix Committed → Fix Released
Changed in zend-framework (Ubuntu Karmic):
status: Fix Committed → Fix Released