From the ZF2014-02 advisory: "Using the Consumer component of ZendOpenId (or Zend_OpenId in ZF1), it is possible to login using an arbitrary OpenID account (without knowing any secret information) by using a malicious OpenID Provider. That means OpenID it is possible to login using arbitrary OpenID Identity (MyOpenID, Google, etc), which are not under the control of our own OpenID Provider. Thus, we are able to impersonate any OpenID Identity against the framework. Moreover, the Consumer accepts OpenID tokens with arbitrary signed elements. The framework does not check if, for example, both openid.claimed_id and openid.endpoint_url are signed. It is just sufficient to sign one parameter. According to https://openid.net/specs/openid-authentication-2_0.html#positive_assertions, at least op_endpoint, return_to, response_nonce, assoc_handle, and, if present in the response, claimed_id and identity, must be signed." This issue has been fixed in version 1.12.4. External References: http://framework.zend.com/security/advisory/ZF2014-02
Created php-ZendFramework tracking bugs for this issue: Affects: fedora-all [bug 1081294] Affects: epel-6 [bug 1081295]
CVE request: http://www.openwall.com/lists/oss-security/2014/03/27/1
MITRE assigned two CVEs. Quoting from http://seclists.org/oss-sec/2014/q2/0 "" CVE-2014-2684 - This CVE is for the error in the consumer's verify method that leads to acceptance of wrongly sourced tokens. The same CVE is used for Zend Framework 1.x and ZendOpenId 2.x, even though the code is not identical. CVE-2014-2685 - This CVE is for the specification violation in which signing of a single parameter is incorrectly considered sufficient. Again, this CVE is for both Zend Framework 1.x and ZendOpenId 2.x. ""
php-ZendFramework-1.12.5-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
php-ZendFramework-1.12.5-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
php-ZendFramework2-2.2.6-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
php-ZendFramework2-2.2.6-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
php-ZendFramework2-2.2.6-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.