Zend Framework upstream reported the below issue:

"""
Title: ZF2015-04: Potential header and mail injection vulnerability
Type: Bypass

We have confirmed a vulnerability reported against the Zend\Mail component in Zend Framework 2, specifically in how it handles headers. Headers are not correctly filtered for newlines, allowing the ability to:

- send additional, unrelated headers
- bypass additional headers by emitting the header/body separator sequence

We are in the process of reviewing a patch, and plan to release the following new ZF2 versions with the patch in the next 1-2 weeks:

- Zend Framework 2.3.8
- Zend Framework 2.4.1
"""
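
Added example, not part of the bug report and not Zend\Mail code: a plain-PHP sketch of the two outcomes the advisory lists, next to a serializer that rejects line breaks. All function names, header names and values are constructed for illustration, and the check shown is an assumption about one reasonable mitigation, not the upstream patch.

```php
<?php
// Unfiltered form: name and value are concatenated as given.
function serializeUnfiltered(array $headers, string $body): string
{
    $out = '';
    foreach ($headers as $name => $value) {
        $out .= $name . ': ' . $value . "\r\n";
    }
    return $out . "\r\n" . $body;   // a blank line separates headers from body
}

// Hardened form: refuse any CR or LF in a header name or value.
function serializeFiltered(array $headers, string $body): string
{
    foreach ($headers as $name => $value) {
        if (preg_match('/[\r\n]/', $name . $value)) {
            throw new InvalidArgumentException('Line break in header field');
        }
    }
    return serializeUnfiltered($headers, $body);
}

// Receiver's view: the header block ends at the first blank line.
function parseHeaderNames(string $raw): array
{
    [$head] = explode("\r\n\r\n", $raw, 2);
    $names = [];
    foreach (explode("\r\n", $head) as $line) {
        $names[] = explode(':', $line, 2)[0];
    }
    return $names;
}

// Constructed input 1: a value carrying a line break adds an unrelated header.
$headers = [
    'From'     => 'app@example.test',
    'Subject'  => "Hi\r\nX-Extra: 1",
    'X-Policy' => 'internal',
];
print_r(parseHeaderNames(serializeUnfiltered($headers, 'body')));

// Constructed input 2: a value carrying the separator sequence ends the header
// block early, so the X-Policy header set after it lands in the body.
$headers['Subject'] = "Hi\r\n\r\nearly body";
print_r(parseHeaderNames(serializeUnfiltered($headers, 'body')));

try {
    serializeFiltered($headers, 'body');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```
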
This is now public: http://framework.zend.com/security/advisory/ZF2015-04
Created php-ZendFramework tracking bugs for this issue:
Affects: fedora-all [bug 1223762]
Affects: epel-all [bug 1223763]
Created php-ZendFramework2 tracking bugs for this issue:
Affects: fedora-all [bug 1223871]
Affects: epel-all [bug 1223872]
php-ZendFramework-1.12.13-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
php-ZendFramework-1.12.13-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
php-ZendFramework-1.12.13-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
php-ZendFramework-1.12.13-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
php-ZendFramework2-2.3.9-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
php-ZendFramework-1.12.13-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
All dependent bugs are closed, can this tracking bug be closed as well?
Absolutely, Shawn. Closing this.