Bug#821044: wheezy-pu: package zendframework/1.11.13-1.1+deb7u6
Control: tags -1 + confirmed
Apologies for the delay in getting back to you.
On Thu, 2016-04-14 at 18:15 -0400, David Prévot wrote:
> As agreed with the security team, I’d like to fix another potential
> entropy vulnerability that has been fixed in zendframework.
>
> The fix also gets rid of openssl_random_pseudo_bytes() introduced in the
> previous ZF2015-09 fix, and I also added a regression fix from the
> CVE-2015-7695 (ZF2015-08) patch (this one was introduced in DSA-3369-1).
>
> Please find attached the proposed debdiff for Wheezy, it’s pretty
> similar to the one from #821042.
>
> zendframework (1.11.13-1.1+deb7u6) wheezy; urgency=medium
>
>   * Fix regression from ZF2015-08: binary data corruption
>   * Backport security fix from 1.12.18:
>     - ZF2016-01: Potential Insufficient Entropy Vulnerability in ZF1
>       http://framework.zend.com/security/advisory/ZF2016-01
Given that we're working towards EOLing wheezy after wheezy-lts started
up, my general inclination is to NACK accepting further updates.
However, given that this fixes a regression in an earlier update to the
package in wheezy, I'm prepared to bend that stance a little.
Assuming that the resulting package has been tested on wheezy, please go
ahead.
Regards,
Adam