Amazon Linux 1 Security Advisory: ALAS-2015-560
Advisory Release Date: 2015-07-07 12:35 Pacific
Advisory Updated Date: 2015-07-07 22:29 Pacific
Upstream reported (http://framework.zend.com/security/advisory/ZF2015-04) a vulnerability in the Zend\Mail component of Zend Framework 2, specifically in how it handles headers. Headers are not correctly filtered for newlines, which makes it possible to send additional, unrelated headers and to bypass additional headers by emitting the header/body separator sequence.
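The filtering failure described above, as an added example (not code from Zend Framework or from this advisory): a header builder with no newline filtering next to one that rejects CR, LF and NUL, run over constructed Subject values. The function names and sample values are assumptions made for illustration.

```php
<?php
// Added illustration. Function names are hypothetical, not Zend Framework API.
// "Before": caller-supplied values are concatenated straight into the header block.
function buildHeadersUnfiltered(array $headers): string
{
    $out = '';
    foreach ($headers as $name => $value) {
        $out .= $name . ': ' . $value . "\r\n";
    }
    return $out . "\r\n"; // empty line is the header/body separator
}
// "After": any name or value that could start a new line is refused.
function buildHeadersFiltered(array $headers): string
{
    foreach ($headers as $name => $value) {
        // Field names: printable ASCII without ':' (RFC 5322), so no CR/LF either.
        if (!preg_match('/\A[\x21-\x39\x3B-\x7E]+\z/', (string) $name)) {
            throw new InvalidArgumentException('Invalid header name');
        }
        if (preg_match('/[\r\n\0]/', (string) $value)) {
            throw new InvalidArgumentException("Line break or NUL in header $name");
        }
    }
    return buildHeadersUnfiltered($headers); // safe once every field is validated
}
// Count the header lines a receiving parser would see before the separator.
function countHeaderLines(string $raw): int
{
    $block = preg_split('/\r\n\r\n/', $raw, 2)[0];
    return count(preg_split('/\r\n|\r|\n/', $block));
}
// Constructed sample values for a Subject field taken from user input.
$samples = [
    'plain'           => 'Quarterly report',
    'extra header'    => "Hello\r\nBcc: someone@example.test",
    'early separator' => "Hello\r\n\r\nbody text",
    'bare LF'         => "Hello\nX-Injected: 1",
];
foreach ($samples as $label => $subject) {
    $fields = ['Subject' => $subject, 'X-Mailer' => 'app'];
    $seen = countHeaderLines(buildHeadersUnfiltered($fields));
    try {
        buildHeadersFiltered($fields);
        $verdict = 'accepted';
    } catch (InvalidArgumentException $e) {
        $verdict = 'rejected: ' . $e->getMessage();
    }
    printf("%-16s unfiltered header lines: %d of 2 intended; filtered: %s\n", $label, $seen, $verdict);
}
```

A header-line count other than 2 in the unfiltered column means the value changed the message structure: more than 2 is an added header, fewer than 2 means the separator arrived early and the remaining headers fell into the body.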
Affected Packages:
php-ZendFramework
Issue Correction:
Run yum update php-ZendFramework to update your system.
noarch:
php-ZendFramework-extras-1.12.13-1.11.amzn1.noarch
php-ZendFramework-demos-1.12.13-1.11.amzn1.noarch
php-ZendFramework-Db-Adapter-Pdo-Mssql-1.12.13-1.11.amzn1.noarch
php-ZendFramework-Pdf-1.12.13-1.11.amzn1.noarch
php-ZendFramework-Cache-Backend-Libmemcached-1.12.13-1.11.amzn1.noarch
php-ZendFramework-Cache-Backend-Memcached-1.12.13-1.11.amzn1.noarch
php-ZendFramework-Serializer-Adapter-Igbinary-1.12.13-1.11.amzn1.noarch
php-ZendFramework-Db-Adapter-Pdo-Pgsql-1.12.13-1.11.amzn1.noarch
php-ZendFramework-Db-Adapter-Pdo-1.12.13-1.11.amzn1.noarch
php-ZendFramework-Captcha-1.12.13-1.11.amzn1.noarch
php-ZendFramework-Ldap-1.12.13-1.11.amzn1.noarch
php-ZendFramework-Search-Lucene-1.12.13-1.11.amzn1.noarch
php-ZendFramework-Dojo-1.12.13-1.11.amzn1.noarch
php-ZendFramework-Db-Adapter-Mysqli-1.12.13-1.11.amzn1.noarch
php-ZendFramework-Auth-Adapter-Ldap-1.12.13-1.11.amzn1.noarch
php-ZendFramework-Feed-1.12.13-1.11.amzn1.noarch
php-ZendFramework-full-1.12.13-1.11.amzn1.noarch
php-ZendFramework-Cache-Backend-Apc-1.12.13-1.11.amzn1.noarch
php-ZendFramework-Soap-1.12.13-1.11.amzn1.noarch
php-ZendFramework-1.12.13-1.11.amzn1.noarch
php-ZendFramework-Services-1.12.13-1.11.amzn1.noarch
php-ZendFramework-Db-Adapter-Pdo-Mysql-1.12.13-1.11.amzn1.noarch
src:
php-ZendFramework-1.12.13-1.11.amzn1.src