Zend Framework 2 v2.4.9 Release Notes
Release Date: 2015-11-23 // over 8 years ago-
⚡️ SECURITY UPDATES
ZF2015-09 :
Zend\Captcha\Word
generates a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. Prior to this vulnerability announcement, the selection was performed using PHP's internalarray_rand()
function. This function does not generate sufficient entropy due to its usage ofrand()
instead of more cryptographically secure methods such asopenssl_pseudo_random_bytes()
. This could potentially lead to information disclosure should an attacker be able to brute force the random number generation. This release contains a patch that replaces thearray_rand()
calls to useZend\Math\Rand::getInteger()
, which provides better RNG.ZF2015-10 :
Zend\Crypt\PublicKey\Rsa\PublicKey
has a call toopenssl_public_encrypt()
which used PHP's default$padding
argument, which specifiesOPENSSL_PKCS1_PADDING
, indicating usage of PKCS1v1.5 padding. This padding has a known vulnerability, the Bleichenbacher's chosen-ciphertext attack, which can be used to recover an RSA private key. This release contains a patch that changes the padding argument to useOPENSSL_PKCS1_OAEP_PADDING
.Users upgrading to this version may have issues decrypting previously stored values, due to the change in padding. If this occurs, you can pass the constant
OPENSSL_PKCS1_PADDING
to a new$padding
argument inZend\Crypt\PublicKey\Rsa::encrypt()
anddecrypt()
(though typically this should only apply to the latter):$decrypted = $rsa-\>decrypt($data, $key, $mode, OPENSSL\_PKCS1\_PADDING);
where
$rsa
is an instance ofZend\Crypt\PublicKey\Rsa
.0️⃣ (The
$key
and$mode
argument defaults arenull
andZend\Crypt\PublicKey\Rsa::MODE_AUTO
, if you were not using them previously.)