lp:ubuntu/jaunty-security/zend-framework
- Get this branch:
- bzr branch lp:ubuntu/jaunty-security/zend-framework
Recent revisions
17. By Stephan Rügamer

* The security update fixes the following security issues: (LP: #506304)
  + ZF2010-03: Potential XSS vector in Zend_Filter_StripTags when comments allowed
    Zend_Filter_StripTags contained an optional setting to allow whitelisting
    HTML comments in filtered text. Microsoft Internet Explorer and several other
    browsers allow developers to create conditional functionality via HTML comments,
    including execution of script events and rendering of additional commented markup.
    By allowing whitelisting of HTML comments, a malicious user could potentially
    include XSS exploits within HTML comments that would then be rendered in the final output.
    http://framework.zend.com/security/advisory/ZF2010-03
  + ZF2010-06: Potential XSS or HTML Injection vector in Zend_Json
    Zend_Json_Encoder was not taking into account the solidus character ("/") during encoding,
    leading to incompatibilities with the JSON specification, and opening the potential for XSS
    or HTML injection attacks when returning HTML within a JSON string.
  + ZF2010-02: Potential XSS vector in Zend_Dojo_View_Helper_Editor
    Zend_Dojo_View_Helper_Editor was incorrectly decorating a TEXTAREA instead of a DIV.
    The Dojo team has reported that this has security implications as the rich
    text editor they use is unable to escape content for a TEXTAREA.
* debian/patches/99_ZF2010-03_Zend_Filter_Striptags.patch:
  + Patch was found at: http://framework.zend.com/issues/browse/ZF-8743
* debian/patches/99_ZF2010-06_Zend_Json.patch:
  + Patch was found: http://framework.zend.com/issues/browse/ZF-8663
* debian/patches/99_ZF2010-02_Zend_Dojo.patch:
  + Patch was found: http://framework.zend.com/issues/browse/ZF-6753

16. By Stephan Rügamer
* SECURITY UPDATE: (LP: #345682)
  Announcement: http://www.nabble.com/SECURITY-ADVISORY-tp22609193p22609193.html
  From Zend PHP FW Mailing List:
  The Zend Framework team was recently notified of an XSS attack vector in its
  Zend_Filter_StripTags class. Zend_Filter_StripTags offers the ability to strip
  HTML tags from text, but also to selectively choose which tags and specific
  attributes of those tags to keep. The XSS attack vector was due to a bug in
  matching HTML tag attributes to retain. If whitespace was introduced surrounding
  the attribute assignment operator or the value included newline characters, the
  attribute would always be included in the final output, even if it was not
  marked to retain. A security fix has been created and released with Zend
  Framework 1.7.7. Additionally, the fix has been back-ported to the 1.6, 1.5,
  and 1.0 release branches.
* debian/patches/zf_Zend_Filter_security_fix.patch:
  Fixes security issue according to
  http://framework.zend.com/svn/framework/standard/branches/release-1.7/library/Zend/Filter/StripTags.php

15. By Stephan Rügamer
* debian/patches/zf_176_fixes.patch:
  Added library/ and tests/ fixes from ZendFramework 1.7.6 to the 1.7.5 package version
  A complete list of fixes can be found here:
  http://framework.zend.com/issues/secure/IssueNavigator.jspa?requestId=10953

14. By Stephan Rügamer
* New Upstream version
  - Bugfix / Security Release
  - A list of fixes can be found here:
    http://framework.zend.com/issues/secure/IssueNavigator.jspa?requestId=10951

13. By Stephan Rügamer
* New Upstream version
  - Bugfix Release
  - A list of fixes can be found here:
    http://framework.zend.com/issues/secure/IssueNavigator.jspa?requestId=10944
* cleaned debian/patches

11. By Stephan Rügamer
* New Upstream Version
  - Bug Fix Release
  - A list of fixes can be found here:
    http://framework.zend.com/issues/secure/IssueNavigator.jspa?requestId=10934

10. By Stephan Rügamer
* New Upstream Version
  - Bug Fix Release
  - A list of fixes can be found here:
    http://framework.zend.com/issues/secure/IssueNavigator.jspa?requestId=10923

9. By Stephan Rügamer
* New Upstream version
* New features and components:
  + Zend_Amf with support for AMF0 and AMF3 protocols
  + Dojo Toolkit 1.2.1 (Not installed in Ubuntu Package)
  + Support for dijit editor available in the Dojo Toolkit
  + Zend_Service_Twitter
  + ZendX_JQuery in extras library
  + Metadata API in Zend_Cache
  + Google book search API in Zend_Gdata
  + Preliminary support for GData Protocol v2 in Zend_Gdata
  + Support for skip data processing in Zend_Search_Lucene
  + Support for Open Office XML documents in Zend_Search_Lucene indexer
  + Performance enhancements in Zend_Loader, Zend_Controller, and server components
  + Zend_Mail_Storage_Writable_Maildir enhancements for mail delivery
  + Zend_Tool in incubator
  + Zend_Text_Table for formatting tables using characters
  + Zend_ProgressBar
  + Zend_Config_Writer
  + ZendX_Console_Unix_Process in the extras library
  + Zend_Db_Table_Select support for Zend_Paginator
  + Global parameters for routes
  + Using Chain-Routes for Hostname-Routes via Zend_Config
  + I18N improvements
    - Application wide locale for all classes
    - Data retrieving methods are now static
    - Additional cache handling methods in all I18N classes
    - Zend_Translate API simplified
  + File transfer enhancements
    - Support for file elements in subforms
    - Support for multifile elements
    - Support for MAX_FILES_SIZE in form
    - Support for breaking validation chain
    - Support for translation of failure messages
    - New IsCompressed, IsImage, ExcludeMimeType, ExcludeExtension validators
    - Support for FileInfo extension in MimeType validator
  + Zend_Db_Table_Select adapter for Zend_Paginator
  + Support for custom adapters in Zend_Paginator
  + More flexible handling of complex types in Zend_Soap
  + All fixed bugs can be found here:
    - http://framework.zend.com/issues/secure/IssueNavigator.jspa?requestId=10903
* Do not install the dojo toolkit which is being shipped inside the original tarball of Zend
* Do not install the incubator which is being shipped inside the original tarball of Zend
* debian/control: remove quilt from build-depends, not needed anymore
* debian/rules:
  - remove all quilt relevant patch rules and includes
  - copy debian/zend-framework.ini to the right location (/etc/php5/conf.d/)
* added debian/zend-framework.ini (LP: #220719)
* debian/README.Debian:
  - Updated to the new world order for enabling zend-framework

8. By Stephan Rügamer
* debian/patches/ubuntu_01_fix_mail.diff:
  + Fixes upstream bugs:
    - ZF-3912
    - ZF-3641
    - ZF-3865
* debian/control:
  + added quilt to b-d
* debian/rules:
  + added quilt targets to patch source
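Two of the revisions above concern Zend_Filter_StripTags: revision 16 describes attributes that survived filtering because the attribute matcher did not expect whitespace around "=" or newlines inside the value, and revision 17 (ZF2010-03) describes HTML comments that survived filtering and carried IE conditional-comment script. The following Python script is an added illustration, not code from this page or from Zend Framework; it reimplements both failure modes in a minimal tag filter and puts the allowlist-style rebuild next to it. The sample markup, the ALLOWED table and all function names are constructed for the example; URL-scheme checks (javascript: in href) are out of its scope.

```python
import re

# Constructed sample markup (not from the advisories): the same event handler
# written three ways, plus an IE conditional comment that carries a script.
SAMPLE_PLAIN = '<a href="/x" onclick="alert(1)">hi</a>'
SAMPLE_SPACED = '<a href="/x" onclick = "alert(1)">hi</a>'
SAMPLE_NEWLINE = '<a href="/x" onclick="ale\nrt(1)">hi</a>'
SAMPLE_COMMENT = '<p>ok</p><!--[if IE]><script>alert(1)</script><![endif]-->'

# Allowed tags and, per tag, the attributes that may be retained (assumption).
ALLOWED = {"a": {"href"}, "p": set()}

# One token per comment or tag; everything between tokens is plain text.
_TOKEN_RE = re.compile(r"<!--.*?-->|<[^>]*>", re.DOTALL)

# Attribute grammar of the buggy variant: no whitespace around '=' and no
# newline inside the value.  Anything it fails to match is left in the tag.
_NAIVE_ATTR_RE = re.compile(r'(\w+)="([^"\r\n]*)"')

# Tolerant attribute grammar: optional whitespace around '=', quoted values
# may span lines, unquoted values are accepted.
_ATTR_RE = re.compile(
    r"""([A-Za-z_:][-\w:.]*)\s*(?:=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?""")

_NAME_RE = re.compile(r"<(/?)\s*([A-Za-z][\w:-]*)")


def naive_strip_tags(html, allowed=ALLOWED, allow_comments=False):
    """Denylist-style filter reproducing the two advisory failure modes."""
    def handle(m):
        tok = m.group(0)
        if tok.startswith("<!--"):
            return tok if allow_comments else ""   # ZF2010-03: comments kept verbatim
        name_m = _NAME_RE.match(tok)
        if not name_m or name_m.group(2).lower() not in allowed:
            return ""
        tag = name_m.group(2).lower()
        if name_m.group(1):
            return f"</{tag}>"
        # Remove only the disallowed attributes the regex recognises; an
        # attribute the regex cannot parse survives untouched (the bug).
        return _NAIVE_ATTR_RE.sub(
            lambda a: a.group(0) if a.group(1).lower() in allowed[tag] else "",
            tok)
    return _TOKEN_RE.sub(handle, html)


def safe_strip_tags(html, allowed=ALLOWED):
    """Allowlist-style filter: rebuild each kept tag from parsed attributes only."""
    def unquote(v):
        if len(v) >= 2 and v[0] == v[-1] and v[0] in "\"'":
            v = v[1:-1]
        return v.replace('"', "&quot;")

    def handle(m):
        tok = m.group(0)
        if tok.startswith("<!--"):
            return ""                              # comments are never retained
        name_m = _NAME_RE.match(tok)
        if not name_m or name_m.group(2).lower() not in allowed:
            return ""
        tag = name_m.group(2).lower()
        if name_m.group(1):
            return f"</{tag}>"
        kept = []
        for a in _ATTR_RE.finditer(tok[name_m.end():-1]):
            name, value = a.group(1).lower(), a.group(2)
            if name in allowed[tag] and value is not None:
                kept.append(f'{name}="{unquote(value)}"')
        return "<" + tag + "".join(" " + a for a in kept) + ">"
    return _TOKEN_RE.sub(handle, html)


if __name__ == "__main__":
    for sample in (SAMPLE_PLAIN, SAMPLE_SPACED, SAMPLE_NEWLINE):
        print(repr(naive_strip_tags(sample)), "->", repr(safe_strip_tags(sample)))
    print(repr(naive_strip_tags(SAMPLE_COMMENT, allow_comments=True)))
    print(repr(safe_strip_tags(SAMPLE_COMMENT)))
```

The design point is the direction of the filter: the naive variant deletes what it recognises as bad and passes everything else through, so any input its attribute regex cannot parse is preserved; the safe variant emits only what it positively parsed and allowed, so a parse failure drops the attribute instead of leaking it, and comments never reach the output at all.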
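Revision 17's ZF2010-06 entry says Zend_Json_Encoder left the solidus unescaped and that this matters when HTML is returned inside a JSON string. The script below is an added illustration in Python, not Zend Framework code or anything from this page; it shows the concrete consequence: JSON inlined into a script block can carry a literal "</script>" that ends the block early, while writing "/" as "\/" (what PHP's own json_encode does by default, and still valid JSON) removes every "</" from the output. RESPONSE, the function names and the script template are constructed for the example.

```python
import json

# Constructed sample (not from the advisory): an HTML fragment, as an
# application might hand to an AJAX caller, that carries a closing script tag.
RESPONSE = {"html": '<p>saved</p></script><script>alert(document.cookie)</script>'}


def encode_json_unescaped(value):
    """Behaviour the advisory describes: the solidus '/' is emitted verbatim."""
    return json.dumps(value)


def encode_json_escaped(value):
    """Emit every '/' as '\\/'.  The escape is optional in the JSON grammar, so
    the text decodes to the same value, but the byte sequence '</' can no
    longer occur anywhere in the encoder's output."""
    return json.dumps(value).replace("/", "\\/")


def round_trips(value):
    """True if the escaped form decodes back to the original value."""
    return json.loads(encode_json_escaped(value)) == value


def embed_in_script(json_text):
    """Inline the JSON into a page the way server-rendered templates often do."""
    return "<script>var data = " + json_text + ";</script>"


def script_block_terminates_early(html):
    """An HTML tokenizer leaves script-data state at the first '</script' it
    sees; if that is not the trailing one the template wrote, the payload
    closed the block and whatever follows is parsed as markup."""
    lower = html.lower()
    return lower.find("</script") != lower.rfind("</script")


if __name__ == "__main__":
    for enc in (encode_json_unescaped, encode_json_escaped):
        page = embed_in_script(enc(RESPONSE))
        print(enc.__name__, "breaks out of <script>:",
              script_block_terminates_early(page))
```

Escaping the solidus only closes this one channel; JSON written into an HTML attribute or into a non-script context still needs HTML escaping appropriate to that context.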
Branch metadata

Branch format: Branch format 7
Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on: lp:ubuntu/karmic/zend-framework