[ubuntu/jaunty-security] zend-framework_1.7.5-0ubuntu2.2_i386_translations.tar.gz (delayed), zend-framework 1.7.5-0ubuntu2.2 (Accepted)

Ubuntu Installer archive at ubuntu.com
Tue Jan 12 16:03:30 GMT 2010


zend-framework (1.7.5-0ubuntu2.2) jaunty-security; urgency=low

  * The security update fixes the following security issues: (LP: #506304)
    + ZF2010-03: Potential XSS vector in Zend_Filter_StripTags when comments allowed
      Zend_Filter_StripTags contained an optional setting to allow whitelisting
      HTML comments in filtered text. Microsoft Internet Explorer and several other
      browsers allow developers to create conditional functionality via HTML comments,
      including execution of script events and rendering of additional commented markup.
      By allowing whitelisting of HTML comments, a malicious user could potentially
      include XSS exploits within HTML comments that would then be rendered in the final output.
      http://framework.zend.com/security/advisory/ZF2010-03
    + ZF2010-06: Potential XSS or HTML Injection vector in Zend_Json
      Zend_Json_Encoder was not taking into account the solidus character ("/") during encoding,
      leading to incompatibilities with the JSON specification, and opening the potential for XSS
      or HTML injection attacks when returning HTML within a JSON string.
    + ZF2010-02: Potential XSS vector in Zend_Dojo_View_Helper_Editor
      Zend_Dojo_View_Helper_Editor was incorrectly decorating a TEXTAREA instead of a DIV.
      The Dojo team has reported that this has security implications as the rich
      text editor they use is unable to escape content for a TEXTAREA.
  * debian/patches/99_ZF2010-03_Zend_Filter_Striptags.patch:
    + Patch was found at: http://framework.zend.com/issues/browse/ZF-8743
  * debian/patches/99_ZF2010-06_Zend_Json.patch:
    + Patch was found at: http://framework.zend.com/issues/browse/ZF-8663
  * debian/patches/99_ZF2010-02_Zend_Dojo.patch:
    + Patch was found at: http://framework.zend.com/issues/browse/ZF-6753
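An added example, not code from the Zend Framework patch or the Ubuntu package, showing the ZF2010-06 point: a JSON encoder that leaves the solidus ("/") unescaped lets the sequence "</" survive into output that is inlined in HTML, while escaping it as "\/" is valid JSON and closes that gap. The function names and the sample payload are constructed for this illustration.

```javascript
// Added example (not Zend Framework code). RFC 4627 and RFC 8259 both allow
// "\/" as an escape for "/", so escaping it is always spec-compliant and the
// decoded string is identical to the unescaped form.

// Encode a value for embedding inside an HTML <script> block: after
// JSON.stringify, escape every "/" so the byte sequence "</" (and therefore
// "</script>") can never appear literally. The HTML parser is not JSON-aware:
// it ends the script element at "</script" regardless of string quoting.
function encodeJsonForHtml(value) {
  return JSON.stringify(value).replace(/\//g, "\\/");
}

// A check to run over any encoder's output before inlining it in markup:
// does it still contain an HTML-significant "</" sequence? True means unsafe.
function containsTagTerminator(encoded) {
  return /<\//i.test(encoded);
}

// Constructed sample: HTML returned to the client inside a JSON string, the
// situation the advisory describes (any closing tag contains "</").
const payload = { html: "<p>done</p>", status: "ok" };

const naive = JSON.stringify(payload);        // "/" left as-is
const hardened = encodeJsonForHtml(payload);  // "/" becomes "\/"

// Round trip: both encodings decode to the same value, so escaping the
// solidus changes nothing for a JSON consumer.
function roundTripsIdentically(value) {
  const a = JSON.parse(JSON.stringify(value));
  const b = JSON.parse(encodeJsonForHtml(value));
  return JSON.stringify(a) === JSON.stringify(b);
}
```

PHP's native json_encode() escapes "/" by default; passing JSON_UNESCAPED_SLASHES reintroduces exactly the exposure described for Zend_Json_Encoder.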

Date: Tue, 12 Jan 2010 11:14:21 +0000
Changed-By: Stephan Hermann <sh at sourcecode.de>
Maintainer: Ubuntu MOTU Developers <ubuntu-motu at lists.ubuntu.com>
https://launchpad.net/ubuntu/jaunty/+source/zend-framework/1.7.5-0ubuntu2.2
-------------- next part --------------
Format: 1.8
Date: Tue, 12 Jan 2010 11:14:21 +0000
Source: zend-framework
Binary: libzend-framework-php zend-framework
Architecture: source
Version: 1.7.5-0ubuntu2.2
Distribution: jaunty-security
Urgency: low
Maintainer: Ubuntu MOTU Developers <ubuntu-motu at lists.ubuntu.com>
Changed-By: Stephan Hermann <sh at sourcecode.de>
Description: 
 libzend-framework-php - a simple, straightforward, open-source software framework for PHP
 zend-framework - a simple, straightforward, open-source software framework for PHP
Launchpad-Bugs-Fixed: 506304
Changes: 
 zend-framework (1.7.5-0ubuntu2.2) jaunty-security; urgency=low
 .
   * The security update fixes the following security issues: (LP: #506304)
     + ZF2010-03: Potential XSS vector in Zend_Filter_StripTags when comments allowed
       Zend_Filter_StripTags contained an optional setting to allow whitelisting
       HTML comments in filtered text. Microsoft Internet Explorer and several other
       browsers allow developers to create conditional functionality via HTML comments,
       including execution of script events and rendering of additional commented markup.
       By allowing whitelisting of HTML comments, a malicious user could potentially
       include XSS exploits within HTML comments that would then be rendered in the final output.
       http://framework.zend.com/security/advisory/ZF2010-03
     + ZF2010-06: Potential XSS or HTML Injection vector in Zend_Json
       Zend_Json_Encoder was not taking into account the solidus character ("/") during encoding,
       leading to incompatibilities with the JSON specification, and opening the potential for XSS
       or HTML injection attacks when returning HTML within a JSON string.
     + ZF2010-02: Potential XSS vector in Zend_Dojo_View_Helper_Editor
       Zend_Dojo_View_Helper_Editor was incorrectly decorating a TEXTAREA instead of a DIV.
       The Dojo team has reported that this has security implications as the rich
       text editor they use is unable to escape content for a TEXTAREA.
   * debian/patches/99_ZF2010-03_Zend_Filter_Striptags.patch:
     + Patch was found at: http://framework.zend.com/issues/browse/ZF-8743
   * debian/patches/99_ZF2010-06_Zend_Json.patch:
     + Patch was found at: http://framework.zend.com/issues/browse/ZF-8663
   * debian/patches/99_ZF2010-02_Zend_Dojo.patch:
     + Patch was found at: http://framework.zend.com/issues/browse/ZF-6753
Checksums-Sha1: 
 6556b8c265c657b67195dc7bc52b6d6e948c7448 1148 zend-framework_1.7.5-0ubuntu2.2.dsc
 b6b62de09685dfe0cc39c32716a0195d23ce4223 38828 zend-framework_1.7.5-0ubuntu2.2.diff.gz
Checksums-Sha256: 
 d38db90f4f359fc8b3eaf7e85b2c403efb5b4770e035e93212ddae57514b0830 1148 zend-framework_1.7.5-0ubuntu2.2.dsc
 dcf4608f2dcdf1247aa0dd90616383a1771f93c099880bea0c13aa14617ad5e2 38828 zend-framework_1.7.5-0ubuntu2.2.diff.gz
Files: 
 539072ab2db76c09ec86d432e4bbdb2f 1148 web extra zend-framework_1.7.5-0ubuntu2.2.dsc
 3b42497dc806561fd91241068c556d47 38828 web extra zend-framework_1.7.5-0ubuntu2.2.diff.gz
Original-Maintainer: Stephan Hermann <sh at sourcecode.de>

