CVE-2015-5161

NameCVE-2015-5161
DescriptionThe Zend_Xml_Security::scan in ZendXml before 1.0.1 and Zend Framework before 1.12.14, 2.x before 2.4.6, and 2.5.x before 2.5.2, when running under PHP-FPM in a threaded environment, allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-302-1, DSA-3340-1
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
zendframework (PTS)wheezy1.11.13-1.1+deb7u6fixed
wheezy (security)1.11.13-1.1+deb7u5fixed
jessie1.12.9+dfsg-2+deb8u6fixed
jessie (security)1.12.9+dfsg-2+deb8u4fixed
sid1.12.20+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
php-zend-xmlsource(unstable)1.0.1-1medium
zendframeworksource(unstable)1.12.14+dfsg-1medium
zendframeworksourcejessie1.12.9+dfsg-2+deb8u3mediumDSA-3340-1
zendframeworksourcesqueeze1.10.6-1squeeze5mediumDLA-302-1
zendframeworksourcewheezy1.11.13-1.1+deb7u3mediumDSA-3340-1

Notes

http://framework.zend.com/security/advisory/ZF2015-06
Root issue already fixed in PHP 5.6.6, so this one is not relevant starting with Jessie

Search for package or bug name: Reporting problems