{"id":"MGASA-2015-0391","summary":"Updated php-ZendFramework/php-ZendFramework2 packages fixe security vulnerabilities","details":"Zend Framework contained several instances where it was using incorrect\npermissions masks, which could lead to local privilege escalation issues\n(CVE-2015-5723).\n\nThe PDO adapters of Zend Framework 1 do not filter null bytes values in\nSQL statements. A PDO adapter can treat null bytes in a query as a string\nterminator, allowing an attacker to add arbitrary SQL following a null\nbyte,  and thus create a SQL injection (ZF2015-08).\n\nNote that the ZF2015-08 issue did not affect Zend Framework 2.\n","modified":"2026-04-16T06:25:12.306021136Z","published":"2015-10-09T18:47:39Z","upstream":["CVE-2015-5723"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2015-0391.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=16828"},{"type":"ADVISORY","url":"http://framework.zend.com/security/advisory/ZF2015-07"},{"type":"ADVISORY","url":"http://framework.zend.com/security/advisory/ZF2015-08"},{"type":"WEB","url":"https://lists.fedoraproject.org/pipermail/package-announce/2015-September/167698.html"}],"affected":[{"package":{"name":"php-ZendFramework","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/php-ZendFramework?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.12.16-1.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2015-0391.json"}},{"package":{"name":"php-ZendFramework2","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/php-ZendFramework2?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.4.8-1.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2015-0391.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}