| Name | CVE-2015-5161 |
| Description | The Zend_Xml_Security::scan in ZendXml before 1.0.1 and Zend Framework before 1.12.14, 2.x before 2.4.6, and 2.5.x before 2.5.2, when running under PHP-FPM in a threaded environment, allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-302-1, DSA-3340-1 |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| php-zend-xml | source | (unstable) | 1.0.1-1 | |||
| zendframework | source | squeeze | 1.10.6-1squeeze5 | DLA-302-1 | ||
| zendframework | source | wheezy | 1.11.13-1.1+deb7u3 | DSA-3340-1 | ||
| zendframework | source | jessie | 1.12.9+dfsg-2+deb8u3 | DSA-3340-1 | ||
| zendframework | source | (unstable) | 1.12.14+dfsg-1 |
http://framework.zend.com/security/advisory/ZF2015-06
Root issue already fixed in PHP 5.6.6, so this one is not relevant starting with Jessie