Branches for Jaunty

Name Status Last Modified Last Commit
lp:ubuntu/jaunty/zend-framework 2 Mature 2009-08-04 16:40:53 UTC
15. debian/patches/zf_176_fixes.patch: Ad...

Author: Stephan Rügamer
Revision Date: 2009-03-04 08:44:28 UTC

debian/patches/zf_176_fixes.patch:
Added library/ and tests/ fixes from ZendFramework 1.7.6 to 1.7.5 package version
A complete list of fixes can be found here:
http://framework.zend.com/issues/secure/IssueNavigator.jspa?requestId=10953

lp:ubuntu/jaunty-security/zend-framework bug 2 Mature 2010-01-12 11:14:21 UTC
17. * The security update fixes the follo...

Author: Stephan Rügamer
Revision Date: 2010-01-12 11:14:21 UTC

* The security update fixes the following security issues: (LP: #506304)
  + ZF2010-03: Potential XSS vector in Zend_Filter_StripTags when comments allowed
    Zend_Filter_StripTags contained an optional setting to allow whitelisting
    HTML comments in filtered text. Microsoft Internet Explorer and several other
    browsers allow developers to create conditional functionality via HTML comments,
    including execution of script events and rendering of additional commented markup.
    By allowing whitelisting of HTML comments, a malicious user could potentially
    include XSS exploits within HTML comments that would then be rendered in the final output.
    http://framework.zend.com/security/advisory/ZF2010-03
  + ZF2010-06: Potential XSS or HTML Injection vector in Zend_Json
    Zend_Json_Encoder was not taking into account the solidus character ("/") during encoding,
    leading to incompatibilities with the JSON specification, and opening the potential for XSS
    or HTML injection attacks when returning HTML within a JSON string.
  + ZF2010-02: Potential XSS vector in Zend_Dojo_View_Helper_Editor
    Zend_Dojo_View_Helper_Editor was incorrectly decorating a TEXTAREA instead of a DIV.
    The Dojo team has reported that this has security implications as the rich
    text editor they use is unable to escape content for a TEXTAREA.
* debian/patches/99_ZF2010-03_Zend_Filter_Striptags.patch:
  + Patch was found at: http://framework.zend.com/issues/browse/ZF-8743
* debian/patches/99_ZF2010-06_Zend_Json.patch:
  + Patch was found at: http://framework.zend.com/issues/browse/ZF-8663
* debian/patches/99_ZF2010-02_Zend_Dojo.patch:
  + Patch was found at: http://framework.zend.com/issues/browse/ZF-6753

lp:ubuntu/jaunty-updates/zend-framework bug 2 Mature 2010-01-12 23:05:23 UTC
17. * The security update fixes the follo...

Author: Stephan Rügamer
Revision Date: 2010-01-12 11:14:21 UTC

* The security update fixes the following security issues: (LP: #506304)
  + ZF2010-03: Potential XSS vector in Zend_Filter_StripTags when comments allowed
    Zend_Filter_StripTags contained an optional setting to allow whitelisting
    HTML comments in filtered text. Microsoft Internet Explorer and several other
    browsers allow developers to create conditional functionality via HTML comments,
    including execution of script events and rendering of additional commented markup.
    By allowing whitelisting of HTML comments, a malicious user could potentially
    include XSS exploits within HTML comments that would then be rendered in the final output.
    http://framework.zend.com/security/advisory/ZF2010-03
  + ZF2010-06: Potential XSS or HTML Injection vector in Zend_Json
    Zend_Json_Encoder was not taking into account the solidus character ("/") during encoding,
    leading to incompatibilities with the JSON specification, and opening the potential for XSS
    or HTML injection attacks when returning HTML within a JSON string.
  + ZF2010-02: Potential XSS vector in Zend_Dojo_View_Helper_Editor
    Zend_Dojo_View_Helper_Editor was incorrectly decorating a TEXTAREA instead of a DIV.
    The Dojo team has reported that this has security implications as the rich
    text editor they use is unable to escape content for a TEXTAREA.
* debian/patches/99_ZF2010-03_Zend_Filter_Striptags.patch:
  + Patch was found at: http://framework.zend.com/issues/browse/ZF-8743
* debian/patches/99_ZF2010-06_Zend_Json.patch:
  + Patch was found at: http://framework.zend.com/issues/browse/ZF-8663
* debian/patches/99_ZF2010-02_Zend_Dojo.patch:
  + Patch was found at: http://framework.zend.com/issues/browse/ZF-6753
