ALAS-2015-560


Amazon Linux AMI Security Advisory: ALAS-2015-560
Advisory Release Date: 2015-07-07 22:29 Pacific
Severity: Medium
References: CVE-2015-3154 

Issue Overview:

Upstream reported a vulnerability in the Zend\Mail component in Zend Framework 2, specifically in how it handles headers. Headers are not correctly filtered for newlines, allowing the ability to send additional, unrelated headers and to bypass additional headers by emitting the header/body separator sequence.


Affected Packages:

php-ZendFramework


Issue Correction:
Run yum update php-ZendFramework to update your system.

New Packages:
noarch:
    php-ZendFramework-extras-1.12.13-1.11.amzn1.noarch
    php-ZendFramework-demos-1.12.13-1.11.amzn1.noarch
    php-ZendFramework-Db-Adapter-Pdo-Mssql-1.12.13-1.11.amzn1.noarch
    php-ZendFramework-Pdf-1.12.13-1.11.amzn1.noarch
    php-ZendFramework-Cache-Backend-Libmemcached-1.12.13-1.11.amzn1.noarch
    php-ZendFramework-Cache-Backend-Memcached-1.12.13-1.11.amzn1.noarch
    php-ZendFramework-Serializer-Adapter-Igbinary-1.12.13-1.11.amzn1.noarch
    php-ZendFramework-Db-Adapter-Pdo-Pgsql-1.12.13-1.11.amzn1.noarch
    php-ZendFramework-Db-Adapter-Pdo-1.12.13-1.11.amzn1.noarch
    php-ZendFramework-Captcha-1.12.13-1.11.amzn1.noarch
    php-ZendFramework-Ldap-1.12.13-1.11.amzn1.noarch
    php-ZendFramework-Search-Lucene-1.12.13-1.11.amzn1.noarch
    php-ZendFramework-Dojo-1.12.13-1.11.amzn1.noarch
    php-ZendFramework-Db-Adapter-Mysqli-1.12.13-1.11.amzn1.noarch
    php-ZendFramework-Auth-Adapter-Ldap-1.12.13-1.11.amzn1.noarch
    php-ZendFramework-Feed-1.12.13-1.11.amzn1.noarch
    php-ZendFramework-full-1.12.13-1.11.amzn1.noarch
    php-ZendFramework-Cache-Backend-Apc-1.12.13-1.11.amzn1.noarch
    php-ZendFramework-Soap-1.12.13-1.11.amzn1.noarch
    php-ZendFramework-1.12.13-1.11.amzn1.noarch
    php-ZendFramework-Services-1.12.13-1.11.amzn1.noarch
    php-ZendFramework-Db-Adapter-Pdo-Mysql-1.12.13-1.11.amzn1.noarch

src:
    php-ZendFramework-1.12.13-1.11.amzn1.src