XSS attack vector in Zend_Filter_StripTags

Bug #345682 reported by Micah Gersten
Affects | Status | Importance | Assigned to | Milestone
zend-framework (Ubuntu) | Fix Released | Undecided | Stephan Rügamer |
Hardy | Fix Released | Undecided | Stephan Rügamer |
Intrepid | Fix Released | Undecided | Stephan Rügamer |
Jaunty | Fix Released | Undecided | Stephan Rügamer |
Karmic | Fix Released | Undecided | Stephan Rügamer |

Bug Description

Binary package hint: zend-framework

From Zend PHP FW Mailing List:
The Zend Framework team was recently notified of an XSS attack vector in its Zend_Filter_StripTags class. Zend_Filter_StripTags offers the ability to strip HTML tags from text, but also to selectively choose which tags and specific attributes of those tags to keep.

The XSS attack vector was due to a bug in matching HTML tag attributes to retain. If whitespace was introduced surrounding the attribute assignment operator or the value included newline characters, the attribute would always be included in the final output - even if it was not marked to retain.

A security fix has been created and released with Zend Framework 1.7.7.

Additionally, the fix has been back-ported to the 1.6, 1.5, and 1.0 release branches.

The Zend Framework team strongly recommends upgrading to version 1.7.7. If you cannot upgrade at this time, we recommend exporting from the release branch matching the minor release you are currently using, or downloading the file listed below and pushing it into your Zend Framework installation.

    http://framework.zend.com/svn/framework/standard/branches/release-1.7/library/Zend/Filter/StripTags.php

Thank you.

,Wil
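
The failure mode described in the advisory, as an added example that is not part of the original report and is not Zend Framework code: a simplified model of an attribute allowlist that fails open when an attribute does not match the strict `name="value"` form, next to one that fails closed. The function names and sample inputs are hypothetical and constructed for illustration.

```php
<?php
// Added illustration: simplified model of the bug class, not Zend_Filter_StripTags itself.

// Fail-open: only attributes written exactly as name="value" on one line are
// recognised; anything the pattern does not recognise stays in the tag untouched.
function filterAttrsFailOpen(string $attrs, array $allowed): string
{
    return preg_replace_callback(
        '/(\w+)=(["\'])([^\r\n]*?)\2/',
        function (array $m) use ($allowed) {
            return in_array(strtolower($m[1]), $allowed, true) ? $m[0] : '';
        },
        $attrs
    );
}

// Fail-closed: the output is rebuilt only from attributes that were parsed AND
// allowed; text that does not parse as an attribute is dropped, never copied.
function filterAttrsFailClosed(string $attrs, array $allowed): string
{
    $kept = '';
    // \s*=\s* tolerates whitespace around '='; the /s flag lets values span lines.
    preg_match_all('/([\w-]+)\s*=\s*(?:"(.*?)"|\'(.*?)\')/s', $attrs, $matches, PREG_SET_ORDER);
    foreach ($matches as $m) {
        $name = strtolower($m[1]);
        if (!in_array($name, $allowed, true)) {
            continue;
        }
        // Group 2 holds a double-quoted value, group 3 a single-quoted one.
        $value = $m[2] !== '' ? $m[2] : ($m[3] ?? '');
        $kept .= ' ' . $name . '="' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8', false) . '"';
    }
    return $kept;
}

$allowed = ['href'];
$samples = [ // constructed inputs covering the two conditions named in the advisory
    'plain'   => ' href="/a" onmouseover="x()"',
    'spaced'  => ' href="/a" onmouseover = "x()"',
    'newline' => " href=\"/a\" title=\"line1\nline2\"",
];
foreach ($samples as $label => $attrs) {
    printf("%-8s fail-open: %s | fail-closed: %s\n", $label,
        json_encode(filterAttrsFailOpen($attrs, $allowed)),
        json_encode(filterAttrsFailClosed($attrs, $allowed)));
}
```

Inputs like the `spaced` and `newline` samples are useful as regression cases when verifying that a patched package no longer retains attributes outside the allowlist.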

visibility: private → public
Kees Cook (kees) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityUpdateProcedures

Changed in zend-framework (Ubuntu):
status: New → Confirmed
Micah Gersten (micahg) wrote : Re: [Bug 345682] Re: XSS attack vector in Zend_Filter_StripTags

Kees Cook wrote:
> Thanks for taking the time to report this bug and helping to make Ubuntu
> better. Since the package referred to in this bug is in universe or
> multiverse, it is community maintained. If you are able, I suggest
> posting a debdiff for this issue. When a debdiff is available, members
> of the security team will review it and publish the package. See the
> following link for more information:
> https://wiki.ubuntu.com/SecurityUpdateProcedures
>
> ** Changed in: zend-framework (Ubuntu)
> Status: New => Confirmed
>
>
Am I allowed to just patch this one bug or can I upgrade the package to
the latest version as well?

Thanks,
Micah

Stephan Rügamer (sruegamer) wrote :

I'll create some security bugfix packages ...

Changed in zend-framework (Ubuntu Jaunty):
assignee: nobody → Stephan Hermann (shermann)
status: New → Confirmed
Changed in zend-framework (Ubuntu Intrepid):
assignee: nobody → Stephan Hermann (shermann)
status: New → Confirmed
Changed in zend-framework (Ubuntu Hardy):
assignee: nobody → Stephan Hermann (shermann)
status: New → Confirmed
Changed in zend-framework (Ubuntu):
assignee: nobody → Stephan Hermann (shermann)
Stephan Rügamer (sruegamer) wrote :
Stephan Rügamer (sruegamer) wrote :
Stephan Rügamer (sruegamer) wrote :
Changed in zend-framework (Ubuntu Hardy):
status: Confirmed → In Progress
Changed in zend-framework (Ubuntu Intrepid):
status: Confirmed → In Progress
Changed in zend-framework (Ubuntu Jaunty):
status: Confirmed → In Progress
Kees Cook (kees)
Changed in zend-framework (Ubuntu Karmic):
status: Confirmed → Fix Released
Kees Cook (kees) wrote :

I've also added patch tags to the patch, as detailed here: https://wiki.ubuntu.com/UbuntuDevelopment/PatchTaggingGuidelines

Changed in zend-framework (Ubuntu Hardy):
status: In Progress → Fix Committed
Changed in zend-framework (Ubuntu Intrepid):
status: In Progress → Fix Committed
Kees Cook (kees) wrote :

Everything is building in the security queue now. It should be published shortly. Thanks!

Changed in zend-framework (Ubuntu Jaunty):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package zend-framework - 1.5.1-0ubuntu1.1

---------------
zend-framework (1.5.1-0ubuntu1.1) hardy-security; urgency=low

  * SECURITY UPDATE: (LP: #345682)
    Announcement: http://www.nabble.com/SECURITY-ADVISORY-tp22609193p22609193.html
    From Zend PHP FW Mailing List:
    The Zend Framework team was recently notified of an XSS attack vector in its Zend_Filter_StripTags class.
    Zend_Filter_StripTags offers the ability to strip HTML tags from text, but also to selectively choose
    which tags and specific attributes of those tags to keep.
    The XSS attack vector was due to a bug in matching HTML tag attributes to retain.
    If whitespace was introduced surrounding the attribute assignment operator or the value included newline characters,
    the attribute would always be included in the final output- even if it was not marked to retain.
    A security fix has been created and released with Zend Framework 1.7.7.
    Additionally, the fix has been back-ported to the 1.6, 1.5, and 1.0 release branches.
  * debian/patches/zf_Zend_Filter_security_fix.patch:
    Fixes security issue according to
    http://framework.zend.com/svn/framework/standard/branches/release-1.7/library/Zend/Filter/StripTags.php
  * debian/control: added quilt as build dependency
  * debian/rules: include quilt.mk and call patch/unpatch targets

 -- Stephan Hermann <email address hidden> Thu, 14 May 2009 12:39:55 +0000

Changed in zend-framework (Ubuntu Hardy):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package zend-framework - 1.5.3-0ubuntu2.1

---------------
zend-framework (1.5.3-0ubuntu2.1) intrepid-security; urgency=low

  * SECURITY UPDATE: (LP: #345682)
    Announcement: http://www.nabble.com/SECURITY-ADVISORY-tp22609193p22609193.html
    From Zend PHP FW Mailing List:
    The Zend Framework team was recently notified of an XSS attack vector in its Zend_Filter_StripTags class.
    Zend_Filter_StripTags offers the ability to strip HTML tags from text, but also to selectively choose
    which tags and specific attributes of those tags to keep.
    The XSS attack vector was due to a bug in matching HTML tag attributes to retain.
    If whitespace was introduced surrounding the attribute assignment operator or the value included newline characters,
    the attribute would always be included in the final output- even if it was not marked to retain.
    A security fix has been created and released with Zend Framework 1.7.7.
    Additionally, the fix has been back-ported to the 1.6, 1.5, and 1.0 release branches.
  * debian/patches/zf_Zend_Filter_security_fix.patch:
    Fixes security issue according to
    http://framework.zend.com/svn/framework/standard/branches/release-1.7/library/Zend/Filter/StripTags.php

 -- Stephan Hermann <email address hidden> Thu, 14 May 2009 12:31:49 +0000

Changed in zend-framework (Ubuntu Intrepid):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package zend-framework - 1.7.5-0ubuntu2.1

---------------
zend-framework (1.7.5-0ubuntu2.1) jaunty-security; urgency=low

  * SECURITY UPDATE: (LP: #345682)
    Announcement: http://www.nabble.com/SECURITY-ADVISORY-tp22609193p22609193.html
    From Zend PHP FW Mailing List:
    The Zend Framework team was recently notified of an XSS attack vector in its Zend_Filter_StripTags class.
    Zend_Filter_StripTags offers the ability to strip HTML tags from text, but also to selectively choose
    which tags and specific attributes of those tags to keep.
    The XSS attack vector was due to a bug in matching HTML tag attributes to retain.
    If whitespace was introduced surrounding the attribute assignment operator or the value included newline characters,
    the attribute would always be included in the final output- even if it was not marked to retain.
    A security fix has been created and released with Zend Framework 1.7.7.
    Additionally, the fix has been back-ported to the 1.6, 1.5, and 1.0 release branches.
  * debian/patches/zf_Zend_Filter_security_fix.patch:
    Fixes security issue according to
    http://framework.zend.com/svn/framework/standard/branches/release-1.7/library/Zend/Filter/StripTags.php

 -- Stephan Hermann <email address hidden> Thu, 14 May 2009 12:13:41 +0000

Changed in zend-framework (Ubuntu Jaunty):
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.