{"id":"MGASA-2014-0434","summary":"Updated php-ZendFramework packages fix security vulnerabilities","details":"Due to a bug in PHP's LDAP extension, when ZendFramework's Zend_ldap class is\nused for logins, an attacker can login as any user by using a null byte to\nbypass the empty password check and perform an unauthenticated LDAP bind\n(CVE-2014-8088).\n\nThe sqlsrv PHP extension, which provides the ability to connect to Microsoft\nSQL Server from PHP, does not provide a built-in quoting mechanism for\nmanually quoting values to pass via SQL queries; developers are encouraged to\nuse prepared statements. Zend Framework provides quoting mechanisms via\nZend_Db_Adapter_Sqlsrv which uses the recommended \"double single quote\" ('')\nas quoting delimiters. SQL Server treats null bytes in a query as a string\nterminator, allowing an attacker to add arbitrary SQL following a null byte,\nand thus create a SQL injection (CVE-2014-8089).\n","modified":"2026-04-16T06:26:03.326308500Z","published":"2014-10-29T11:30:40Z","upstream":["CVE-2014-8088","CVE-2014-8089"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2014-0434.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=14253"},{"type":"ADVISORY","url":"http://framework.zend.com/security/advisory/ZF2014-05"},{"type":"ADVISORY","url":"http://framework.zend.com/security/advisory/ZF2014-06"},{"type":"WEB","url":"http://framework.zend.com/blog/zend-framework-1-12-9-2-2-8-and-2-3-3-released.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/pipermail/package-announce/2014-October/141106.html"}],"affected":[{"package":{"name":"php-ZendFramework","ecosystem":"Mageia:3","purl":"pkg:rpm/mageia/php-ZendFramework?arch=source&distro=mageia-3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.12.9-1.mga3"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2014-0434.json"}},{"package":{"name":"php-ZendFramework","ecosystem":"Mageia:4","purl":"pkg:rpm/mageia/php-ZendFramework?arch=source&distro=mageia-4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.12.9-1.mga4"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2014-0434.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}